Line data Source code
1 : /* ====================================================================
2 : * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
3 : *
4 : * Redistribution and use in source and binary forms, with or without
5 : * modification, are permitted provided that the following conditions
6 : * are met:
7 : *
8 : * 1. Redistributions of source code must retain the above copyright
9 : * notice, this list of conditions and the following disclaimer.
10 : *
11 : * 2. Redistributions in binary form must reproduce the above copyright
12 : * notice, this list of conditions and the following disclaimer in
13 : * the documentation and/or other materials provided with the
14 : * distribution.
15 : *
16 : * 3. All advertising materials mentioning features or use of this
17 : * software must display the following acknowledgment:
18 : * "This product includes software developed by the OpenSSL Project
19 : * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20 : *
21 : * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 : * endorse or promote products derived from this software without
23 : * prior written permission. For written permission, please contact
24 : * openssl-core@openssl.org.
25 : *
26 : * 5. Products derived from this software may not be called "OpenSSL"
27 : * nor may "OpenSSL" appear in their names without prior written
28 : * permission of the OpenSSL Project.
29 : *
30 : * 6. Redistributions of any form whatsoever must retain the following
31 : * acknowledgment:
32 : * "This product includes software developed by the OpenSSL Project
33 : * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34 : *
35 : * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 : * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 : * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 : * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 : * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 : * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 : * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 : * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 : * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 : * OF THE POSSIBILITY OF SUCH DAMAGE.
47 : * ====================================================================
48 : *
49 : */
50 :
51 : #include <openssl/opensslconf.h>
52 : #ifndef OPENSSL_NO_AES
53 : #include <openssl/crypto.h>
54 : # include <openssl/evp.h>
55 : # include <openssl/err.h>
56 : # include <string.h>
57 : # include <assert.h>
58 : # include <openssl/aes.h>
59 : # include "evp_locl.h"
60 : # include "modes_lcl.h"
61 : # include <openssl/rand.h>
62 :
63 : # undef EVP_CIPH_FLAG_FIPS
64 : # define EVP_CIPH_FLAG_FIPS 0
65 :
66 : typedef struct {
67 : union {
68 : double align;
69 : AES_KEY ks;
70 : } ks;
71 : block128_f block;
72 : union {
73 : cbc128_f cbc;
74 : ctr128_f ctr;
75 : } stream;
76 : } EVP_AES_KEY;
77 :
78 : typedef struct {
79 : union {
80 : double align;
81 : AES_KEY ks;
82 : } ks; /* AES key schedule to use */
83 : int key_set; /* Set if key initialised */
84 : int iv_set; /* Set if an iv is set */
85 : GCM128_CONTEXT gcm;
86 : unsigned char *iv; /* Temporary IV store */
87 : int ivlen; /* IV length */
88 : int taglen;
89 : int iv_gen; /* It is OK to generate IVs */
90 : int tls_aad_len; /* TLS AAD length */
91 : ctr128_f ctr;
92 : } EVP_AES_GCM_CTX;
93 :
94 : typedef struct {
95 : union {
96 : double align;
97 : AES_KEY ks;
98 : } ks1, ks2; /* AES key schedules to use */
99 : XTS128_CONTEXT xts;
100 : void (*stream) (const unsigned char *in,
101 : unsigned char *out, size_t length,
102 : const AES_KEY *key1, const AES_KEY *key2,
103 : const unsigned char iv[16]);
104 : } EVP_AES_XTS_CTX;
105 :
106 : typedef struct {
107 : union {
108 : double align;
109 : AES_KEY ks;
110 : } ks; /* AES key schedule to use */
111 : int key_set; /* Set if key initialised */
112 : int iv_set; /* Set if an iv is set */
113 : int tag_set; /* Set if tag is valid */
114 : int len_set; /* Set if message length set */
115 : int L, M; /* L and M parameters from RFC3610 */
116 : CCM128_CONTEXT ccm;
117 : ccm128_f str;
118 : } EVP_AES_CCM_CTX;
119 :
120 : # define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
121 :
122 : # ifdef VPAES_ASM
123 : int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
124 : AES_KEY *key);
125 : int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
126 : AES_KEY *key);
127 :
128 : void vpaes_encrypt(const unsigned char *in, unsigned char *out,
129 : const AES_KEY *key);
130 : void vpaes_decrypt(const unsigned char *in, unsigned char *out,
131 : const AES_KEY *key);
132 :
133 : void vpaes_cbc_encrypt(const unsigned char *in,
134 : unsigned char *out,
135 : size_t length,
136 : const AES_KEY *key, unsigned char *ivec, int enc);
137 : # endif
138 : # ifdef BSAES_ASM
139 : void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
140 : size_t length, const AES_KEY *key,
141 : unsigned char ivec[16], int enc);
142 : void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
143 : size_t len, const AES_KEY *key,
144 : const unsigned char ivec[16]);
145 : void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
146 : size_t len, const AES_KEY *key1,
147 : const AES_KEY *key2, const unsigned char iv[16]);
148 : void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
149 : size_t len, const AES_KEY *key1,
150 : const AES_KEY *key2, const unsigned char iv[16]);
151 : # endif
152 : # ifdef AES_CTR_ASM
153 : void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
154 : size_t blocks, const AES_KEY *key,
155 : const unsigned char ivec[AES_BLOCK_SIZE]);
156 : # endif
157 : # ifdef AES_XTS_ASM
158 : void AES_xts_encrypt(const char *inp, char *out, size_t len,
159 : const AES_KEY *key1, const AES_KEY *key2,
160 : const unsigned char iv[16]);
161 : void AES_xts_decrypt(const char *inp, char *out, size_t len,
162 : const AES_KEY *key1, const AES_KEY *key2,
163 : const unsigned char iv[16]);
164 : # endif
165 :
166 : # if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
167 : # include "ppc_arch.h"
168 : # ifdef VPAES_ASM
169 : # define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
170 : # endif
171 : # define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
172 : # define HWAES_set_encrypt_key aes_p8_set_encrypt_key
173 : # define HWAES_set_decrypt_key aes_p8_set_decrypt_key
174 : # define HWAES_encrypt aes_p8_encrypt
175 : # define HWAES_decrypt aes_p8_decrypt
176 : # define HWAES_cbc_encrypt aes_p8_cbc_encrypt
177 : # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
178 : # endif
179 :
180 : # if defined(AES_ASM) && !defined(I386_ONLY) && ( \
181 : ((defined(__i386) || defined(__i386__) || \
182 : defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
183 : defined(__x86_64) || defined(__x86_64__) || \
184 : defined(_M_AMD64) || defined(_M_X64) || \
185 : defined(__INTEL__) )
186 :
187 : extern unsigned int OPENSSL_ia32cap_P[];
188 :
189 : # ifdef VPAES_ASM
190 : # define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
191 : # endif
192 : # ifdef BSAES_ASM
193 : # define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
194 : # endif
195 : /*
196 : * AES-NI section
197 : */
198 : # define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
199 :
200 : int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
201 : AES_KEY *key);
202 : int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
203 : AES_KEY *key);
204 :
205 : void aesni_encrypt(const unsigned char *in, unsigned char *out,
206 : const AES_KEY *key);
207 : void aesni_decrypt(const unsigned char *in, unsigned char *out,
208 : const AES_KEY *key);
209 :
210 : void aesni_ecb_encrypt(const unsigned char *in,
211 : unsigned char *out,
212 : size_t length, const AES_KEY *key, int enc);
213 : void aesni_cbc_encrypt(const unsigned char *in,
214 : unsigned char *out,
215 : size_t length,
216 : const AES_KEY *key, unsigned char *ivec, int enc);
217 :
218 : void aesni_ctr32_encrypt_blocks(const unsigned char *in,
219 : unsigned char *out,
220 : size_t blocks,
221 : const void *key, const unsigned char *ivec);
222 :
223 : void aesni_xts_encrypt(const unsigned char *in,
224 : unsigned char *out,
225 : size_t length,
226 : const AES_KEY *key1, const AES_KEY *key2,
227 : const unsigned char iv[16]);
228 :
229 : void aesni_xts_decrypt(const unsigned char *in,
230 : unsigned char *out,
231 : size_t length,
232 : const AES_KEY *key1, const AES_KEY *key2,
233 : const unsigned char iv[16]);
234 :
235 : void aesni_ccm64_encrypt_blocks(const unsigned char *in,
236 : unsigned char *out,
237 : size_t blocks,
238 : const void *key,
239 : const unsigned char ivec[16],
240 : unsigned char cmac[16]);
241 :
242 : void aesni_ccm64_decrypt_blocks(const unsigned char *in,
243 : unsigned char *out,
244 : size_t blocks,
245 : const void *key,
246 : const unsigned char ivec[16],
247 : unsigned char cmac[16]);
248 :
249 : # if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
250 : size_t aesni_gcm_encrypt(const unsigned char *in,
251 : unsigned char *out,
252 : size_t len,
253 : const void *key, unsigned char ivec[16], u64 *Xi);
254 : # define AES_gcm_encrypt aesni_gcm_encrypt
255 : size_t aesni_gcm_decrypt(const unsigned char *in,
256 : unsigned char *out,
257 : size_t len,
258 : const void *key, unsigned char ivec[16], u64 *Xi);
259 : # define AES_gcm_decrypt aesni_gcm_decrypt
260 : void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in,
261 : size_t len);
262 : # define AES_GCM_ASM(gctx) (gctx->ctr==aesni_ctr32_encrypt_blocks && \
263 : gctx->gcm.ghash==gcm_ghash_avx)
264 : # define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
265 : gctx->gcm.ghash==gcm_ghash_avx)
266 : # undef AES_GCM_ASM2 /* minor size optimization */
267 : # endif
268 :
269 : static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
270 : const unsigned char *iv, int enc)
271 : {
272 : int ret, mode;
273 : EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
274 :
275 : mode = ctx->cipher->flags & EVP_CIPH_MODE;
276 : if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
277 : && !enc) {
278 : ret = aesni_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
279 : dat->block = (block128_f) aesni_decrypt;
280 : dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
281 : (cbc128_f) aesni_cbc_encrypt : NULL;
282 : } else {
283 : ret = aesni_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
284 : dat->block = (block128_f) aesni_encrypt;
285 : if (mode == EVP_CIPH_CBC_MODE)
286 : dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
287 : else if (mode == EVP_CIPH_CTR_MODE)
288 : dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
289 : else
290 : dat->stream.cbc = NULL;
291 : }
292 :
293 : if (ret < 0) {
294 : EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
295 : return 0;
296 : }
297 :
298 : return 1;
299 : }
300 :
301 : static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
302 : const unsigned char *in, size_t len)
303 : {
304 : aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, ctx->encrypt);
305 :
306 : return 1;
307 : }
308 :
309 : static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
310 : const unsigned char *in, size_t len)
311 : {
312 : size_t bl = ctx->cipher->block_size;
313 :
314 : if (len < bl)
315 : return 1;
316 :
317 : aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
318 :
319 : return 1;
320 : }
321 :
322 : # define aesni_ofb_cipher aes_ofb_cipher
323 : static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
324 : const unsigned char *in, size_t len);
325 :
326 : # define aesni_cfb_cipher aes_cfb_cipher
327 : static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
328 : const unsigned char *in, size_t len);
329 :
330 : # define aesni_cfb8_cipher aes_cfb8_cipher
331 : static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
332 : const unsigned char *in, size_t len);
333 :
334 : # define aesni_cfb1_cipher aes_cfb1_cipher
335 : static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
336 : const unsigned char *in, size_t len);
337 :
338 : # define aesni_ctr_cipher aes_ctr_cipher
339 : static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
340 : const unsigned char *in, size_t len);
341 :
342 : static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
343 : const unsigned char *iv, int enc)
344 : {
345 : EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
346 : if (!iv && !key)
347 : return 1;
348 : if (key) {
349 : aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
350 : CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
351 : gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
352 : /*
353 : * If we have an iv can set it directly, otherwise use saved IV.
354 : */
355 : if (iv == NULL && gctx->iv_set)
356 : iv = gctx->iv;
357 : if (iv) {
358 : CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
359 : gctx->iv_set = 1;
360 : }
361 : gctx->key_set = 1;
362 : } else {
363 : /* If key set use IV, otherwise copy */
364 : if (gctx->key_set)
365 : CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
366 : else
367 : memcpy(gctx->iv, iv, gctx->ivlen);
368 : gctx->iv_set = 1;
369 : gctx->iv_gen = 0;
370 : }
371 : return 1;
372 : }
373 :
374 : # define aesni_gcm_cipher aes_gcm_cipher
375 : static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
376 : const unsigned char *in, size_t len);
377 :
378 : static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
379 : const unsigned char *iv, int enc)
380 : {
381 : EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
382 : if (!iv && !key)
383 : return 1;
384 :
385 : if (key) {
386 : /* key_len is two AES keys */
387 : if (enc) {
388 : aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
389 : xctx->xts.block1 = (block128_f) aesni_encrypt;
390 : xctx->stream = aesni_xts_encrypt;
391 : } else {
392 : aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
393 : xctx->xts.block1 = (block128_f) aesni_decrypt;
394 : xctx->stream = aesni_xts_decrypt;
395 : }
396 :
397 : aesni_set_encrypt_key(key + ctx->key_len / 2,
398 : ctx->key_len * 4, &xctx->ks2.ks);
399 : xctx->xts.block2 = (block128_f) aesni_encrypt;
400 :
401 : xctx->xts.key1 = &xctx->ks1;
402 : }
403 :
404 : if (iv) {
405 : xctx->xts.key2 = &xctx->ks2;
406 : memcpy(ctx->iv, iv, 16);
407 : }
408 :
409 : return 1;
410 : }
411 :
412 : # define aesni_xts_cipher aes_xts_cipher
413 : static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
414 : const unsigned char *in, size_t len);
415 :
416 : static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
417 : const unsigned char *iv, int enc)
418 : {
419 : EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
420 : if (!iv && !key)
421 : return 1;
422 : if (key) {
423 : aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
424 : CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
425 : &cctx->ks, (block128_f) aesni_encrypt);
426 : cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
427 : (ccm128_f) aesni_ccm64_decrypt_blocks;
428 : cctx->key_set = 1;
429 : }
430 : if (iv) {
431 : memcpy(ctx->iv, iv, 15 - cctx->L);
432 : cctx->iv_set = 1;
433 : }
434 : return 1;
435 : }
436 :
437 : # define aesni_ccm_cipher aes_ccm_cipher
438 : static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
439 : const unsigned char *in, size_t len);
440 :
441 : # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
442 : static const EVP_CIPHER aesni_##keylen##_##mode = { \
443 : nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
444 : flags|EVP_CIPH_##MODE##_MODE, \
445 : aesni_init_key, \
446 : aesni_##mode##_cipher, \
447 : NULL, \
448 : sizeof(EVP_AES_KEY), \
449 : NULL,NULL,NULL,NULL }; \
450 : static const EVP_CIPHER aes_##keylen##_##mode = { \
451 : nid##_##keylen##_##nmode,blocksize, \
452 : keylen/8,ivlen, \
453 : flags|EVP_CIPH_##MODE##_MODE, \
454 : aes_init_key, \
455 : aes_##mode##_cipher, \
456 : NULL, \
457 : sizeof(EVP_AES_KEY), \
458 : NULL,NULL,NULL,NULL }; \
459 : const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
460 : { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
461 :
462 : # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
463 : static const EVP_CIPHER aesni_##keylen##_##mode = { \
464 : nid##_##keylen##_##mode,blocksize, \
465 : (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
466 : flags|EVP_CIPH_##MODE##_MODE, \
467 : aesni_##mode##_init_key, \
468 : aesni_##mode##_cipher, \
469 : aes_##mode##_cleanup, \
470 : sizeof(EVP_AES_##MODE##_CTX), \
471 : NULL,NULL,aes_##mode##_ctrl,NULL }; \
472 : static const EVP_CIPHER aes_##keylen##_##mode = { \
473 : nid##_##keylen##_##mode,blocksize, \
474 : (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
475 : flags|EVP_CIPH_##MODE##_MODE, \
476 : aes_##mode##_init_key, \
477 : aes_##mode##_cipher, \
478 : aes_##mode##_cleanup, \
479 : sizeof(EVP_AES_##MODE##_CTX), \
480 : NULL,NULL,aes_##mode##_ctrl,NULL }; \
481 : const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
482 : { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
483 :
484 : # elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
485 :
486 : # include "sparc_arch.h"
487 :
488 : extern unsigned int OPENSSL_sparcv9cap_P[];
489 :
490 : # define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES)
491 :
492 : void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
493 : void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
494 : void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
495 : const AES_KEY *key);
496 : void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
497 : const AES_KEY *key);
498 : /*
499 : * Key-length specific subroutines were chosen for following reason.
500 : * Each SPARC T4 core can execute up to 8 threads which share core's
501 : * resources. Loading as much key material to registers allows to
502 : * minimize references to shared memory interface, as well as amount
503 : * of instructions in inner loops [much needed on T4]. But then having
504 : * non-key-length specific routines would require conditional branches
505 : * either in inner loops or on subroutines' entries. Former is hardly
506 : * acceptable, while latter means code size increase to size occupied
507 : * by multiple key-length specfic subroutines, so why fight?
508 : */
509 : void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
510 : size_t len, const AES_KEY *key,
511 : unsigned char *ivec);
512 : void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
513 : size_t len, const AES_KEY *key,
514 : unsigned char *ivec);
515 : void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
516 : size_t len, const AES_KEY *key,
517 : unsigned char *ivec);
518 : void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
519 : size_t len, const AES_KEY *key,
520 : unsigned char *ivec);
521 : void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
522 : size_t len, const AES_KEY *key,
523 : unsigned char *ivec);
524 : void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
525 : size_t len, const AES_KEY *key,
526 : unsigned char *ivec);
527 : void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
528 : size_t blocks, const AES_KEY *key,
529 : unsigned char *ivec);
530 : void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
531 : size_t blocks, const AES_KEY *key,
532 : unsigned char *ivec);
533 : void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
534 : size_t blocks, const AES_KEY *key,
535 : unsigned char *ivec);
536 : void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
537 : size_t blocks, const AES_KEY *key1,
538 : const AES_KEY *key2, const unsigned char *ivec);
539 : void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
540 : size_t blocks, const AES_KEY *key1,
541 : const AES_KEY *key2, const unsigned char *ivec);
542 : void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
543 : size_t blocks, const AES_KEY *key1,
544 : const AES_KEY *key2, const unsigned char *ivec);
545 : void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
546 : size_t blocks, const AES_KEY *key1,
547 : const AES_KEY *key2, const unsigned char *ivec);
548 :
549 : static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
550 : const unsigned char *iv, int enc)
551 : {
552 : int ret, mode, bits;
553 : EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
554 :
555 : mode = ctx->cipher->flags & EVP_CIPH_MODE;
556 : bits = ctx->key_len * 8;
557 : if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
558 : && !enc) {
559 : ret = 0;
560 : aes_t4_set_decrypt_key(key, bits, ctx->cipher_data);
561 : dat->block = (block128_f) aes_t4_decrypt;
562 : switch (bits) {
563 : case 128:
564 : dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
565 : (cbc128_f) aes128_t4_cbc_decrypt : NULL;
566 : break;
567 : case 192:
568 : dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
569 : (cbc128_f) aes192_t4_cbc_decrypt : NULL;
570 : break;
571 : case 256:
572 : dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
573 : (cbc128_f) aes256_t4_cbc_decrypt : NULL;
574 : break;
575 : default:
576 : ret = -1;
577 : }
578 : } else {
579 : ret = 0;
580 : aes_t4_set_encrypt_key(key, bits, ctx->cipher_data);
581 : dat->block = (block128_f) aes_t4_encrypt;
582 : switch (bits) {
583 : case 128:
584 : if (mode == EVP_CIPH_CBC_MODE)
585 : dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
586 : else if (mode == EVP_CIPH_CTR_MODE)
587 : dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
588 : else
589 : dat->stream.cbc = NULL;
590 : break;
591 : case 192:
592 : if (mode == EVP_CIPH_CBC_MODE)
593 : dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
594 : else if (mode == EVP_CIPH_CTR_MODE)
595 : dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
596 : else
597 : dat->stream.cbc = NULL;
598 : break;
599 : case 256:
600 : if (mode == EVP_CIPH_CBC_MODE)
601 : dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
602 : else if (mode == EVP_CIPH_CTR_MODE)
603 : dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
604 : else
605 : dat->stream.cbc = NULL;
606 : break;
607 : default:
608 : ret = -1;
609 : }
610 : }
611 :
612 : if (ret < 0) {
613 : EVPerr(EVP_F_AES_T4_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
614 : return 0;
615 : }
616 :
617 : return 1;
618 : }
619 :
620 : # define aes_t4_cbc_cipher aes_cbc_cipher
621 : static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
622 : const unsigned char *in, size_t len);
623 :
624 : # define aes_t4_ecb_cipher aes_ecb_cipher
625 : static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
626 : const unsigned char *in, size_t len);
627 :
628 : # define aes_t4_ofb_cipher aes_ofb_cipher
629 : static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
630 : const unsigned char *in, size_t len);
631 :
632 : # define aes_t4_cfb_cipher aes_cfb_cipher
633 : static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
634 : const unsigned char *in, size_t len);
635 :
636 : # define aes_t4_cfb8_cipher aes_cfb8_cipher
637 : static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
638 : const unsigned char *in, size_t len);
639 :
640 : # define aes_t4_cfb1_cipher aes_cfb1_cipher
641 : static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
642 : const unsigned char *in, size_t len);
643 :
644 : # define aes_t4_ctr_cipher aes_ctr_cipher
645 : static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
646 : const unsigned char *in, size_t len);
647 :
648 : static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
649 : const unsigned char *iv, int enc)
650 : {
651 : EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
652 : if (!iv && !key)
653 : return 1;
654 : if (key) {
655 : int bits = ctx->key_len * 8;
656 : aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
657 : CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
658 : (block128_f) aes_t4_encrypt);
659 : switch (bits) {
660 : case 128:
661 : gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
662 : break;
663 : case 192:
664 : gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
665 : break;
666 : case 256:
667 : gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
668 : break;
669 : default:
670 : return 0;
671 : }
672 : /*
673 : * If we have an iv can set it directly, otherwise use saved IV.
674 : */
675 : if (iv == NULL && gctx->iv_set)
676 : iv = gctx->iv;
677 : if (iv) {
678 : CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
679 : gctx->iv_set = 1;
680 : }
681 : gctx->key_set = 1;
682 : } else {
683 : /* If key set use IV, otherwise copy */
684 : if (gctx->key_set)
685 : CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
686 : else
687 : memcpy(gctx->iv, iv, gctx->ivlen);
688 : gctx->iv_set = 1;
689 : gctx->iv_gen = 0;
690 : }
691 : return 1;
692 : }
693 :
694 : # define aes_t4_gcm_cipher aes_gcm_cipher
695 : static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
696 : const unsigned char *in, size_t len);
697 :
698 : static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
699 : const unsigned char *iv, int enc)
700 : {
701 : EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
702 : if (!iv && !key)
703 : return 1;
704 :
705 : if (key) {
706 : int bits = ctx->key_len * 4;
707 : xctx->stream = NULL;
708 : /* key_len is two AES keys */
709 : if (enc) {
710 : aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
711 : xctx->xts.block1 = (block128_f) aes_t4_encrypt;
712 : switch (bits) {
713 : case 128:
714 : xctx->stream = aes128_t4_xts_encrypt;
715 : break;
716 : # if 0 /* not yet */
717 : case 192:
718 : xctx->stream = aes192_t4_xts_encrypt;
719 : break;
720 : # endif
721 : case 256:
722 : xctx->stream = aes256_t4_xts_encrypt;
723 : break;
724 : default:
725 : return 0;
726 : }
727 : } else {
728 : aes_t4_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
729 : xctx->xts.block1 = (block128_f) aes_t4_decrypt;
730 : switch (bits) {
731 : case 128:
732 : xctx->stream = aes128_t4_xts_decrypt;
733 : break;
734 : # if 0 /* not yet */
735 : case 192:
736 : xctx->stream = aes192_t4_xts_decrypt;
737 : break;
738 : # endif
739 : case 256:
740 : xctx->stream = aes256_t4_xts_decrypt;
741 : break;
742 : default:
743 : return 0;
744 : }
745 : }
746 :
747 : aes_t4_set_encrypt_key(key + ctx->key_len / 2,
748 : ctx->key_len * 4, &xctx->ks2.ks);
749 : xctx->xts.block2 = (block128_f) aes_t4_encrypt;
750 :
751 : xctx->xts.key1 = &xctx->ks1;
752 : }
753 :
754 : if (iv) {
755 : xctx->xts.key2 = &xctx->ks2;
756 : memcpy(ctx->iv, iv, 16);
757 : }
758 :
759 : return 1;
760 : }
761 :
762 : # define aes_t4_xts_cipher aes_xts_cipher
763 : static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
764 : const unsigned char *in, size_t len);
765 :
766 : static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
767 : const unsigned char *iv, int enc)
768 : {
769 : EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
770 : if (!iv && !key)
771 : return 1;
772 : if (key) {
773 : int bits = ctx->key_len * 8;
774 : aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
775 : CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
776 : &cctx->ks, (block128_f) aes_t4_encrypt);
777 : # if 0 /* not yet */
778 : switch (bits) {
779 : case 128:
780 : cctx->str = enc ? (ccm128_f) aes128_t4_ccm64_encrypt :
781 : (ccm128_f) ae128_t4_ccm64_decrypt;
782 : break;
783 : case 192:
784 : cctx->str = enc ? (ccm128_f) aes192_t4_ccm64_encrypt :
785 : (ccm128_f) ae192_t4_ccm64_decrypt;
786 : break;
787 : case 256:
788 : cctx->str = enc ? (ccm128_f) aes256_t4_ccm64_encrypt :
789 : (ccm128_f) ae256_t4_ccm64_decrypt;
790 : break;
791 : default:
792 : return 0;
793 : }
794 : # else
795 : cctx->str = NULL;
796 : # endif
797 : cctx->key_set = 1;
798 : }
799 : if (iv) {
800 : memcpy(ctx->iv, iv, 15 - cctx->L);
801 : cctx->iv_set = 1;
802 : }
803 : return 1;
804 : }
805 :
806 : # define aes_t4_ccm_cipher aes_ccm_cipher
807 : static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
808 : const unsigned char *in, size_t len);
809 :
810 : # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
811 : static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
812 : nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
813 : flags|EVP_CIPH_##MODE##_MODE, \
814 : aes_t4_init_key, \
815 : aes_t4_##mode##_cipher, \
816 : NULL, \
817 : sizeof(EVP_AES_KEY), \
818 : NULL,NULL,NULL,NULL }; \
819 : static const EVP_CIPHER aes_##keylen##_##mode = { \
820 : nid##_##keylen##_##nmode,blocksize, \
821 : keylen/8,ivlen, \
822 : flags|EVP_CIPH_##MODE##_MODE, \
823 : aes_init_key, \
824 : aes_##mode##_cipher, \
825 : NULL, \
826 : sizeof(EVP_AES_KEY), \
827 : NULL,NULL,NULL,NULL }; \
828 : const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
829 : { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
830 :
831 : # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
832 : static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
833 : nid##_##keylen##_##mode,blocksize, \
834 : (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
835 : flags|EVP_CIPH_##MODE##_MODE, \
836 : aes_t4_##mode##_init_key, \
837 : aes_t4_##mode##_cipher, \
838 : aes_##mode##_cleanup, \
839 : sizeof(EVP_AES_##MODE##_CTX), \
840 : NULL,NULL,aes_##mode##_ctrl,NULL }; \
841 : static const EVP_CIPHER aes_##keylen##_##mode = { \
842 : nid##_##keylen##_##mode,blocksize, \
843 : (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
844 : flags|EVP_CIPH_##MODE##_MODE, \
845 : aes_##mode##_init_key, \
846 : aes_##mode##_cipher, \
847 : aes_##mode##_cleanup, \
848 : sizeof(EVP_AES_##MODE##_CTX), \
849 : NULL,NULL,aes_##mode##_ctrl,NULL }; \
850 : const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
851 : { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
852 :
853 : # else
854 :
855 : # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
856 : static const EVP_CIPHER aes_##keylen##_##mode = { \
857 : nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
858 : flags|EVP_CIPH_##MODE##_MODE, \
859 : aes_init_key, \
860 : aes_##mode##_cipher, \
861 : NULL, \
862 : sizeof(EVP_AES_KEY), \
863 : NULL,NULL,NULL,NULL }; \
864 : const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
865 : { return &aes_##keylen##_##mode; }
866 :
867 : # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
868 : static const EVP_CIPHER aes_##keylen##_##mode = { \
869 : nid##_##keylen##_##mode,blocksize, \
870 : (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
871 : flags|EVP_CIPH_##MODE##_MODE, \
872 : aes_##mode##_init_key, \
873 : aes_##mode##_cipher, \
874 : aes_##mode##_cleanup, \
875 : sizeof(EVP_AES_##MODE##_CTX), \
876 : NULL,NULL,aes_##mode##_ctrl,NULL }; \
877 : const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
878 : { return &aes_##keylen##_##mode; }
879 : # endif
880 :
881 : # if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
882 : # include "arm_arch.h"
883 : # if __ARM_MAX_ARCH__>=7
884 : # if defined(BSAES_ASM)
885 : # define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
886 : # endif
887 : # define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
888 : # define HWAES_set_encrypt_key aes_v8_set_encrypt_key
889 : # define HWAES_set_decrypt_key aes_v8_set_decrypt_key
890 : # define HWAES_encrypt aes_v8_encrypt
891 : # define HWAES_decrypt aes_v8_decrypt
892 : # define HWAES_cbc_encrypt aes_v8_cbc_encrypt
893 : # define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
894 : # endif
895 : # endif
896 :
897 : # if defined(HWAES_CAPABLE)
898 : int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
899 : AES_KEY *key);
900 : int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
901 : AES_KEY *key);
902 : void HWAES_encrypt(const unsigned char *in, unsigned char *out,
903 : const AES_KEY *key);
904 : void HWAES_decrypt(const unsigned char *in, unsigned char *out,
905 : const AES_KEY *key);
906 : void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
907 : size_t length, const AES_KEY *key,
908 : unsigned char *ivec, const int enc);
909 : void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
910 : size_t len, const AES_KEY *key,
911 : const unsigned char ivec[16]);
912 : # endif
913 :
914 : # define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
915 : BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
916 : BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
917 : BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
918 : BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
919 : BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
920 : BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
921 : BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
922 :
923 367 : static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
924 : const unsigned char *iv, int enc)
925 : {
926 : int ret, mode;
927 367 : EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
928 :
929 367 : mode = ctx->cipher->flags & EVP_CIPH_MODE;
930 367 : if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
931 367 : && !enc)
932 : # ifdef HWAES_CAPABLE
933 : if (HWAES_CAPABLE) {
934 : ret = HWAES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
935 : dat->block = (block128_f) HWAES_decrypt;
936 : dat->stream.cbc = NULL;
937 : # ifdef HWAES_cbc_encrypt
938 : if (mode == EVP_CIPH_CBC_MODE)
939 : dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
940 : # endif
941 : } else
942 : # endif
943 : # ifdef BSAES_CAPABLE
944 : if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
945 : ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
946 : dat->block = (block128_f) AES_decrypt;
947 : dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt;
948 : } else
949 : # endif
950 : # ifdef VPAES_CAPABLE
951 : if (VPAES_CAPABLE) {
952 : ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
953 : dat->block = (block128_f) vpaes_decrypt;
954 : dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
955 : (cbc128_f) vpaes_cbc_encrypt : NULL;
956 : } else
957 : # endif
958 : {
959 0 : ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
960 0 : dat->block = (block128_f) AES_decrypt;
961 0 : dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
962 0 : (cbc128_f) AES_cbc_encrypt : NULL;
963 : } else
964 : # ifdef HWAES_CAPABLE
965 : if (HWAES_CAPABLE) {
966 : ret = HWAES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
967 : dat->block = (block128_f) HWAES_encrypt;
968 : dat->stream.cbc = NULL;
969 : # ifdef HWAES_cbc_encrypt
970 : if (mode == EVP_CIPH_CBC_MODE)
971 : dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
972 : else
973 : # endif
974 : # ifdef HWAES_ctr32_encrypt_blocks
975 : if (mode == EVP_CIPH_CTR_MODE)
976 : dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
977 : else
978 : # endif
979 : (void)0; /* terminate potentially open 'else' */
980 : } else
981 : # endif
982 : # ifdef BSAES_CAPABLE
983 : if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
984 : ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
985 : dat->block = (block128_f) AES_encrypt;
986 : dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
987 : } else
988 : # endif
989 : # ifdef VPAES_CAPABLE
990 : if (VPAES_CAPABLE) {
991 : ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
992 : dat->block = (block128_f) vpaes_encrypt;
993 : dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
994 : (cbc128_f) vpaes_cbc_encrypt : NULL;
995 : } else
996 : # endif
997 : {
998 367 : ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
999 367 : dat->block = (block128_f) AES_encrypt;
1000 367 : dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
1001 367 : (cbc128_f) AES_cbc_encrypt : NULL;
1002 : # ifdef AES_CTR_ASM
1003 : if (mode == EVP_CIPH_CTR_MODE)
1004 : dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
1005 : # endif
1006 : }
1007 :
1008 367 : if (ret < 0) {
1009 0 : EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
1010 0 : return 0;
1011 : }
1012 :
1013 : return 1;
1014 : }
1015 :
1016 734 : static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1017 : const unsigned char *in, size_t len)
1018 : {
1019 734 : EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1020 :
1021 734 : if (dat->stream.cbc)
1022 734 : (*dat->stream.cbc) (in, out, len, &dat->ks, ctx->iv, ctx->encrypt);
1023 0 : else if (ctx->encrypt)
1024 0 : CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
1025 : else
1026 0 : CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
1027 :
1028 734 : return 1;
1029 : }
1030 :
1031 0 : static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1032 : const unsigned char *in, size_t len)
1033 : {
1034 0 : size_t bl = ctx->cipher->block_size;
1035 : size_t i;
1036 0 : EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1037 :
1038 0 : if (len < bl)
1039 : return 1;
1040 :
1041 0 : for (i = 0, len -= bl; i <= len; i += bl)
1042 0 : (*dat->block) (in + i, out + i, &dat->ks);
1043 :
1044 : return 1;
1045 : }
1046 :
1047 0 : static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1048 : const unsigned char *in, size_t len)
1049 : {
1050 0 : EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1051 :
1052 0 : CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
1053 0 : ctx->iv, &ctx->num, dat->block);
1054 0 : return 1;
1055 : }
1056 :
1057 0 : static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1058 : const unsigned char *in, size_t len)
1059 : {
1060 0 : EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1061 :
1062 0 : CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
1063 0 : ctx->iv, &ctx->num, ctx->encrypt, dat->block);
1064 0 : return 1;
1065 : }
1066 :
1067 0 : static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1068 : const unsigned char *in, size_t len)
1069 : {
1070 0 : EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1071 :
1072 0 : CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
1073 0 : ctx->iv, &ctx->num, ctx->encrypt, dat->block);
1074 0 : return 1;
1075 : }
1076 :
1077 0 : static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1078 : const unsigned char *in, size_t len)
1079 : {
1080 0 : EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1081 :
1082 0 : if (ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) {
1083 0 : CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
1084 0 : ctx->iv, &ctx->num, ctx->encrypt, dat->block);
1085 0 : return 1;
1086 : }
1087 :
1088 0 : while (len >= MAXBITCHUNK) {
1089 0 : CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
1090 0 : ctx->iv, &ctx->num, ctx->encrypt, dat->block);
1091 0 : len -= MAXBITCHUNK;
1092 : }
1093 0 : if (len)
1094 0 : CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
1095 0 : ctx->iv, &ctx->num, ctx->encrypt, dat->block);
1096 :
1097 : return 1;
1098 : }
1099 :
1100 0 : static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1101 : const unsigned char *in, size_t len)
1102 : {
1103 0 : unsigned int num = ctx->num;
1104 0 : EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1105 :
1106 0 : if (dat->stream.ctr)
1107 0 : CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
1108 0 : ctx->iv, ctx->buf, &num, dat->stream.ctr);
1109 : else
1110 0 : CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
1111 0 : ctx->iv, ctx->buf, &num, dat->block);
1112 0 : ctx->num = (size_t)num;
1113 0 : return 1;
1114 : }
1115 :
1116 1335 : BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS)
1117 968 : BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS)
1118 968 : BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS)
1119 :
1120 1469 : static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1121 : {
1122 1469 : EVP_AES_GCM_CTX *gctx = c->cipher_data;
1123 1469 : OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
1124 1469 : if (gctx->iv != c->iv)
1125 0 : OPENSSL_free(gctx->iv);
1126 1469 : return 1;
1127 : }
1128 :
1129 : /* increment counter (64-bit int) by 1 */
1130 : static void ctr64_inc(unsigned char *counter)
1131 : {
1132 : int n = 8;
1133 : unsigned char c;
1134 :
1135 : do {
1136 6381 : --n;
1137 6381 : c = counter[n];
1138 6381 : ++c;
1139 6381 : counter[n] = c;
1140 6381 : if (c)
1141 : return;
1142 18 : } while (n);
1143 : }
1144 :
1145 27607 : static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1146 : {
1147 27607 : EVP_AES_GCM_CTX *gctx = c->cipher_data;
1148 27607 : switch (type) {
1149 : case EVP_CTRL_INIT:
1150 1469 : gctx->key_set = 0;
1151 1469 : gctx->iv_set = 0;
1152 1469 : gctx->ivlen = c->cipher->iv_len;
1153 1469 : gctx->iv = c->iv;
1154 1469 : gctx->taglen = -1;
1155 1469 : gctx->iv_gen = 0;
1156 1469 : gctx->tls_aad_len = -1;
1157 1469 : return 1;
1158 :
1159 : case EVP_CTRL_GCM_SET_IVLEN:
1160 0 : if (arg <= 0)
1161 : return 0;
1162 : /* Allocate memory for IV if needed */
1163 0 : if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
1164 0 : if (gctx->iv != c->iv)
1165 0 : OPENSSL_free(gctx->iv);
1166 0 : gctx->iv = OPENSSL_malloc(arg);
1167 0 : if (!gctx->iv)
1168 : return 0;
1169 : }
1170 0 : gctx->ivlen = arg;
1171 0 : return 1;
1172 :
1173 : case EVP_CTRL_GCM_SET_TAG:
1174 0 : if (arg <= 0 || arg > 16 || c->encrypt)
1175 : return 0;
1176 0 : memcpy(c->buf, ptr, arg);
1177 0 : gctx->taglen = arg;
1178 0 : return 1;
1179 :
1180 : case EVP_CTRL_GCM_GET_TAG:
1181 0 : if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1182 : return 0;
1183 0 : memcpy(ptr, c->buf, arg);
1184 0 : return 1;
1185 :
1186 : case EVP_CTRL_GCM_SET_IV_FIXED:
1187 : /* Special case: -1 length restores whole IV */
1188 1469 : if (arg == -1) {
1189 0 : memcpy(gctx->iv, ptr, gctx->ivlen);
1190 0 : gctx->iv_gen = 1;
1191 0 : return 1;
1192 : }
1193 : /*
1194 : * Fixed field must be at least 4 bytes and invocation field at least
1195 : * 8.
1196 : */
1197 1469 : if ((arg < 4) || (gctx->ivlen - arg) < 8)
1198 : return 0;
1199 1469 : if (arg)
1200 1469 : memcpy(gctx->iv, ptr, arg);
1201 1469 : if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
1202 : return 0;
1203 1469 : gctx->iv_gen = 1;
1204 1469 : return 1;
1205 :
1206 : case EVP_CTRL_GCM_IV_GEN:
1207 6363 : if (gctx->iv_gen == 0 || gctx->key_set == 0)
1208 : return 0;
1209 6363 : CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1210 6363 : if (arg <= 0 || arg > gctx->ivlen)
1211 0 : arg = gctx->ivlen;
1212 6363 : memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1213 : /*
1214 : * Invocation field will be at least 8 bytes in size and so no need
1215 : * to check wrap around or increment more than last 8 bytes.
1216 : */
1217 6363 : ctr64_inc(gctx->iv + gctx->ivlen - 8);
1218 6363 : gctx->iv_set = 1;
1219 6363 : return 1;
1220 :
1221 : case EVP_CTRL_GCM_SET_IV_INV:
1222 5982 : if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1223 : return 0;
1224 5982 : memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1225 5982 : CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1226 5982 : gctx->iv_set = 1;
1227 5982 : return 1;
1228 :
1229 : case EVP_CTRL_AEAD_TLS1_AAD:
1230 : /* Save the AAD for later use */
1231 12343 : if (arg != EVP_AEAD_TLS1_AAD_LEN)
1232 : return 0;
1233 12342 : memcpy(c->buf, ptr, arg);
1234 12342 : gctx->tls_aad_len = arg;
1235 : {
1236 12342 : unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
1237 : /* Correct length for explicit IV */
1238 12342 : len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1239 : /* If decrypting correct for tag too */
1240 12342 : if (!c->encrypt)
1241 5982 : len -= EVP_GCM_TLS_TAG_LEN;
1242 12342 : c->buf[arg - 2] = len >> 8;
1243 12342 : c->buf[arg - 1] = len & 0xff;
1244 : }
1245 : /* Extra padding: tag appended to record */
1246 12342 : return EVP_GCM_TLS_TAG_LEN;
1247 :
1248 : case EVP_CTRL_COPY:
1249 : {
1250 : EVP_CIPHER_CTX *out = ptr;
1251 0 : EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
1252 0 : if (gctx->gcm.key) {
1253 0 : if (gctx->gcm.key != &gctx->ks)
1254 : return 0;
1255 0 : gctx_out->gcm.key = &gctx_out->ks;
1256 : }
1257 0 : if (gctx->iv == c->iv)
1258 0 : gctx_out->iv = out->iv;
1259 : else {
1260 0 : gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
1261 0 : if (!gctx_out->iv)
1262 : return 0;
1263 0 : memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
1264 : }
1265 : return 1;
1266 : }
1267 :
1268 : default:
1269 : return -1;
1270 :
1271 : }
1272 : }
1273 :
1274 1469 : static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1275 : const unsigned char *iv, int enc)
1276 : {
1277 1469 : EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1278 1469 : if (!iv && !key)
1279 : return 1;
1280 1469 : if (key) {
1281 : do {
1282 : # ifdef HWAES_CAPABLE
1283 : if (HWAES_CAPABLE) {
1284 : HWAES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1285 : CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1286 : (block128_f) HWAES_encrypt);
1287 : # ifdef HWAES_ctr32_encrypt_blocks
1288 : gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
1289 : # else
1290 : gctx->ctr = NULL;
1291 : # endif
1292 : break;
1293 : } else
1294 : # endif
1295 : # ifdef BSAES_CAPABLE
1296 : if (BSAES_CAPABLE) {
1297 : AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1298 : CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1299 : (block128_f) AES_encrypt);
1300 : gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
1301 : break;
1302 : } else
1303 : # endif
1304 : # ifdef VPAES_CAPABLE
1305 : if (VPAES_CAPABLE) {
1306 : vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1307 : CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1308 : (block128_f) vpaes_encrypt);
1309 : gctx->ctr = NULL;
1310 : break;
1311 : } else
1312 : # endif
1313 : (void)0; /* terminate potentially open 'else' */
1314 :
1315 1469 : AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1316 1469 : CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1317 : (block128_f) AES_encrypt);
1318 : # ifdef AES_CTR_ASM
1319 : gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
1320 : # else
1321 1469 : gctx->ctr = NULL;
1322 : # endif
1323 : } while (0);
1324 :
1325 : /*
1326 : * If we have an iv can set it directly, otherwise use saved IV.
1327 : */
1328 1469 : if (iv == NULL && gctx->iv_set)
1329 0 : iv = gctx->iv;
1330 1469 : if (iv) {
1331 0 : CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1332 0 : gctx->iv_set = 1;
1333 : }
1334 1469 : gctx->key_set = 1;
1335 : } else {
1336 : /* If key set use IV, otherwise copy */
1337 0 : if (gctx->key_set)
1338 0 : CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1339 : else
1340 0 : memcpy(gctx->iv, iv, gctx->ivlen);
1341 0 : gctx->iv_set = 1;
1342 0 : gctx->iv_gen = 0;
1343 : }
1344 : return 1;
1345 : }
1346 :
1347 : /*
1348 : * Handle TLS GCM packet format. This consists of the last portion of the IV
1349 : * followed by the payload and finally the tag. On encrypt generate IV,
1350 : * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1351 : * and verify tag.
1352 : */
1353 :
1354 12340 : static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1355 : const unsigned char *in, size_t len)
1356 : {
1357 12340 : EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1358 : int rv = -1;
1359 : /* Encrypt/decrypt must be performed in place */
1360 24680 : if (out != in
1361 12340 : || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1362 : return -1;
1363 : /*
1364 : * Set IV from start of buffer or generate IV and write to start of
1365 : * buffer.
1366 : */
1367 12340 : if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1368 : EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1369 : EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1370 : goto err;
1371 : /* Use saved AAD */
1372 12341 : if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1373 : goto err;
1374 : /* Fix buffer and length to point to payload */
1375 12345 : in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1376 12345 : out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1377 12345 : len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1378 12345 : if (ctx->encrypt) {
1379 : /* Encrypt payload */
1380 6363 : if (gctx->ctr) {
1381 : size_t bulk = 0;
1382 : # if defined(AES_GCM_ASM)
1383 : if (len >= 32 && AES_GCM_ASM(gctx)) {
1384 : if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
1385 : return -1;
1386 :
1387 : bulk = AES_gcm_encrypt(in, out, len,
1388 : gctx->gcm.key,
1389 : gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1390 : gctx->gcm.len.u[1] += bulk;
1391 : }
1392 : # endif
1393 0 : if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1394 : in + bulk,
1395 : out + bulk,
1396 : len - bulk, gctx->ctr))
1397 : goto err;
1398 : } else {
1399 : size_t bulk = 0;
1400 : # if defined(AES_GCM_ASM2)
1401 : if (len >= 32 && AES_GCM_ASM2(gctx)) {
1402 : if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
1403 : return -1;
1404 :
1405 : bulk = AES_gcm_encrypt(in, out, len,
1406 : gctx->gcm.key,
1407 : gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1408 : gctx->gcm.len.u[1] += bulk;
1409 : }
1410 : # endif
1411 6363 : if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1412 : in + bulk, out + bulk, len - bulk))
1413 : goto err;
1414 : }
1415 6359 : out += len;
1416 : /* Finally write tag */
1417 6359 : CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1418 6363 : rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1419 : } else {
1420 : /* Decrypt */
1421 5982 : if (gctx->ctr) {
1422 : size_t bulk = 0;
1423 : # if defined(AES_GCM_ASM)
1424 : if (len >= 16 && AES_GCM_ASM(gctx)) {
1425 : if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
1426 : return -1;
1427 :
1428 : bulk = AES_gcm_decrypt(in, out, len,
1429 : gctx->gcm.key,
1430 : gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1431 : gctx->gcm.len.u[1] += bulk;
1432 : }
1433 : # endif
1434 0 : if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1435 : in + bulk,
1436 : out + bulk,
1437 : len - bulk, gctx->ctr))
1438 : goto err;
1439 : } else {
1440 : size_t bulk = 0;
1441 : # if defined(AES_GCM_ASM2)
1442 : if (len >= 16 && AES_GCM_ASM2(gctx)) {
1443 : if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
1444 : return -1;
1445 :
1446 : bulk = AES_gcm_decrypt(in, out, len,
1447 : gctx->gcm.key,
1448 : gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1449 : gctx->gcm.len.u[1] += bulk;
1450 : }
1451 : # endif
1452 5982 : if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1453 : in + bulk, out + bulk, len - bulk))
1454 : goto err;
1455 : }
1456 : /* Retrieve tag */
1457 5980 : CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
1458 : /* If tag mismatch wipe buffer */
1459 5981 : if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
1460 0 : OPENSSL_cleanse(out, len);
1461 0 : goto err;
1462 : }
1463 5981 : rv = len;
1464 : }
1465 :
1466 : err:
1467 12342 : gctx->iv_set = 0;
1468 12342 : gctx->tls_aad_len = -1;
1469 12342 : return rv;
1470 : }
1471 :
1472 12341 : static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1473 : const unsigned char *in, size_t len)
1474 : {
1475 12341 : EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1476 : /* If not set up, return error */
1477 12341 : if (!gctx->key_set)
1478 : return -1;
1479 :
1480 12340 : if (gctx->tls_aad_len >= 0)
1481 12340 : return aes_gcm_tls_cipher(ctx, out, in, len);
1482 :
1483 0 : if (!gctx->iv_set)
1484 : return -1;
1485 0 : if (in) {
1486 0 : if (out == NULL) {
1487 0 : if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1488 : return -1;
1489 0 : } else if (ctx->encrypt) {
1490 0 : if (gctx->ctr) {
1491 : size_t bulk = 0;
1492 : # if defined(AES_GCM_ASM)
1493 : if (len >= 32 && AES_GCM_ASM(gctx)) {
1494 : size_t res = (16 - gctx->gcm.mres) % 16;
1495 :
1496 : if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
1497 : return -1;
1498 :
1499 : bulk = AES_gcm_encrypt(in + res,
1500 : out + res, len - res,
1501 : gctx->gcm.key, gctx->gcm.Yi.c,
1502 : gctx->gcm.Xi.u);
1503 : gctx->gcm.len.u[1] += bulk;
1504 : bulk += res;
1505 : }
1506 : # endif
1507 0 : if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1508 : in + bulk,
1509 : out + bulk,
1510 : len - bulk, gctx->ctr))
1511 : return -1;
1512 : } else {
1513 : size_t bulk = 0;
1514 : # if defined(AES_GCM_ASM2)
1515 : if (len >= 32 && AES_GCM_ASM2(gctx)) {
1516 : size_t res = (16 - gctx->gcm.mres) % 16;
1517 :
1518 : if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
1519 : return -1;
1520 :
1521 : bulk = AES_gcm_encrypt(in + res,
1522 : out + res, len - res,
1523 : gctx->gcm.key, gctx->gcm.Yi.c,
1524 : gctx->gcm.Xi.u);
1525 : gctx->gcm.len.u[1] += bulk;
1526 : bulk += res;
1527 : }
1528 : # endif
1529 0 : if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1530 : in + bulk, out + bulk, len - bulk))
1531 : return -1;
1532 : }
1533 : } else {
1534 0 : if (gctx->ctr) {
1535 : size_t bulk = 0;
1536 : # if defined(AES_GCM_ASM)
1537 : if (len >= 16 && AES_GCM_ASM(gctx)) {
1538 : size_t res = (16 - gctx->gcm.mres) % 16;
1539 :
1540 : if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
1541 : return -1;
1542 :
1543 : bulk = AES_gcm_decrypt(in + res,
1544 : out + res, len - res,
1545 : gctx->gcm.key,
1546 : gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1547 : gctx->gcm.len.u[1] += bulk;
1548 : bulk += res;
1549 : }
1550 : # endif
1551 0 : if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1552 : in + bulk,
1553 : out + bulk,
1554 : len - bulk, gctx->ctr))
1555 : return -1;
1556 : } else {
1557 : size_t bulk = 0;
1558 : # if defined(AES_GCM_ASM2)
1559 : if (len >= 16 && AES_GCM_ASM2(gctx)) {
1560 : size_t res = (16 - gctx->gcm.mres) % 16;
1561 :
1562 : if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
1563 : return -1;
1564 :
1565 : bulk = AES_gcm_decrypt(in + res,
1566 : out + res, len - res,
1567 : gctx->gcm.key,
1568 : gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1569 : gctx->gcm.len.u[1] += bulk;
1570 : bulk += res;
1571 : }
1572 : # endif
1573 0 : if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1574 : in + bulk, out + bulk, len - bulk))
1575 : return -1;
1576 : }
1577 : }
1578 0 : return len;
1579 : } else {
1580 0 : if (!ctx->encrypt) {
1581 0 : if (gctx->taglen < 0)
1582 : return -1;
1583 0 : if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0)
1584 : return -1;
1585 0 : gctx->iv_set = 0;
1586 0 : return 0;
1587 : }
1588 0 : CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1589 0 : gctx->taglen = 16;
1590 : /* Don't reuse the IV */
1591 0 : gctx->iv_set = 0;
1592 0 : return 0;
1593 : }
1594 :
1595 : }
1596 :
1597 : # define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1598 : | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1599 : | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1600 : | EVP_CIPH_CUSTOM_COPY)
1601 :
1602 242 : BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
1603 : EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
1604 : CUSTOM_FLAGS)
1605 121 : BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
1606 : EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
1607 : CUSTOM_FLAGS)
1608 242 : BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
1609 : EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
1610 : CUSTOM_FLAGS)
1611 :
1612 0 : static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1613 : {
1614 0 : EVP_AES_XTS_CTX *xctx = c->cipher_data;
1615 0 : if (type == EVP_CTRL_COPY) {
1616 : EVP_CIPHER_CTX *out = ptr;
1617 0 : EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
1618 0 : if (xctx->xts.key1) {
1619 0 : if (xctx->xts.key1 != &xctx->ks1)
1620 : return 0;
1621 0 : xctx_out->xts.key1 = &xctx_out->ks1;
1622 : }
1623 0 : if (xctx->xts.key2) {
1624 0 : if (xctx->xts.key2 != &xctx->ks2)
1625 : return 0;
1626 0 : xctx_out->xts.key2 = &xctx_out->ks2;
1627 : }
1628 : return 1;
1629 0 : } else if (type != EVP_CTRL_INIT)
1630 : return -1;
1631 : /* key1 and key2 are used as an indicator both key and IV are set */
1632 0 : xctx->xts.key1 = NULL;
1633 0 : xctx->xts.key2 = NULL;
1634 0 : return 1;
1635 : }
1636 :
1637 0 : static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1638 : const unsigned char *iv, int enc)
1639 : {
1640 0 : EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1641 0 : if (!iv && !key)
1642 : return 1;
1643 :
1644 0 : if (key)
1645 : do {
1646 : # ifdef AES_XTS_ASM
1647 : xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1648 : # else
1649 0 : xctx->stream = NULL;
1650 : # endif
1651 : /* key_len is two AES keys */
1652 : # ifdef HWAES_CAPABLE
1653 : if (HWAES_CAPABLE) {
1654 : if (enc) {
1655 : HWAES_set_encrypt_key(key, ctx->key_len * 4,
1656 : &xctx->ks1.ks);
1657 : xctx->xts.block1 = (block128_f) HWAES_encrypt;
1658 : } else {
1659 : HWAES_set_decrypt_key(key, ctx->key_len * 4,
1660 : &xctx->ks1.ks);
1661 : xctx->xts.block1 = (block128_f) HWAES_decrypt;
1662 : }
1663 :
1664 : HWAES_set_encrypt_key(key + ctx->key_len / 2,
1665 : ctx->key_len * 4, &xctx->ks2.ks);
1666 : xctx->xts.block2 = (block128_f) HWAES_encrypt;
1667 :
1668 : xctx->xts.key1 = &xctx->ks1;
1669 : break;
1670 : } else
1671 : # endif
1672 : # ifdef BSAES_CAPABLE
1673 : if (BSAES_CAPABLE)
1674 : xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1675 : else
1676 : # endif
1677 : # ifdef VPAES_CAPABLE
1678 : if (VPAES_CAPABLE) {
1679 : if (enc) {
1680 : vpaes_set_encrypt_key(key, ctx->key_len * 4,
1681 : &xctx->ks1.ks);
1682 : xctx->xts.block1 = (block128_f) vpaes_encrypt;
1683 : } else {
1684 : vpaes_set_decrypt_key(key, ctx->key_len * 4,
1685 : &xctx->ks1.ks);
1686 : xctx->xts.block1 = (block128_f) vpaes_decrypt;
1687 : }
1688 :
1689 : vpaes_set_encrypt_key(key + ctx->key_len / 2,
1690 : ctx->key_len * 4, &xctx->ks2.ks);
1691 : xctx->xts.block2 = (block128_f) vpaes_encrypt;
1692 :
1693 : xctx->xts.key1 = &xctx->ks1;
1694 : break;
1695 : } else
1696 : # endif
1697 : (void)0; /* terminate potentially open 'else' */
1698 :
1699 0 : if (enc) {
1700 0 : AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1701 0 : xctx->xts.block1 = (block128_f) AES_encrypt;
1702 : } else {
1703 0 : AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1704 0 : xctx->xts.block1 = (block128_f) AES_decrypt;
1705 : }
1706 :
1707 0 : AES_set_encrypt_key(key + ctx->key_len / 2,
1708 0 : ctx->key_len * 4, &xctx->ks2.ks);
1709 0 : xctx->xts.block2 = (block128_f) AES_encrypt;
1710 :
1711 0 : xctx->xts.key1 = &xctx->ks1;
1712 : } while (0);
1713 :
1714 0 : if (iv) {
1715 0 : xctx->xts.key2 = &xctx->ks2;
1716 0 : memcpy(ctx->iv, iv, 16);
1717 : }
1718 :
1719 : return 1;
1720 : }
1721 :
1722 0 : static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1723 : const unsigned char *in, size_t len)
1724 : {
1725 0 : EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1726 0 : if (!xctx->xts.key1 || !xctx->xts.key2)
1727 : return 0;
1728 0 : if (!out || !in || len < AES_BLOCK_SIZE)
1729 : return 0;
1730 0 : if (xctx->stream)
1731 0 : (*xctx->stream) (in, out, len,
1732 0 : xctx->xts.key1, xctx->xts.key2, ctx->iv);
1733 0 : else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1734 : ctx->encrypt))
1735 : return 0;
1736 : return 1;
1737 : }
1738 :
1739 : # define aes_xts_cleanup NULL
1740 :
1741 : # define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1742 : | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1743 : | EVP_CIPH_CUSTOM_COPY)
1744 :
1745 121 : BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS,
1746 : EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
1747 121 : BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS,
1748 : EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
1749 :
1750 0 : static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1751 : {
1752 0 : EVP_AES_CCM_CTX *cctx = c->cipher_data;
1753 0 : switch (type) {
1754 : case EVP_CTRL_INIT:
1755 0 : cctx->key_set = 0;
1756 0 : cctx->iv_set = 0;
1757 0 : cctx->L = 8;
1758 0 : cctx->M = 12;
1759 0 : cctx->tag_set = 0;
1760 0 : cctx->len_set = 0;
1761 0 : return 1;
1762 :
1763 : case EVP_CTRL_CCM_SET_IVLEN:
1764 0 : arg = 15 - arg;
1765 : case EVP_CTRL_CCM_SET_L:
1766 0 : if (arg < 2 || arg > 8)
1767 : return 0;
1768 0 : cctx->L = arg;
1769 0 : return 1;
1770 :
1771 : case EVP_CTRL_CCM_SET_TAG:
1772 0 : if ((arg & 1) || arg < 4 || arg > 16)
1773 : return 0;
1774 0 : if (c->encrypt && ptr)
1775 : return 0;
1776 0 : if (ptr) {
1777 0 : cctx->tag_set = 1;
1778 0 : memcpy(c->buf, ptr, arg);
1779 : }
1780 0 : cctx->M = arg;
1781 0 : return 1;
1782 :
1783 : case EVP_CTRL_CCM_GET_TAG:
1784 0 : if (!c->encrypt || !cctx->tag_set)
1785 : return 0;
1786 0 : if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1787 : return 0;
1788 0 : cctx->tag_set = 0;
1789 0 : cctx->iv_set = 0;
1790 0 : cctx->len_set = 0;
1791 0 : return 1;
1792 :
1793 : case EVP_CTRL_COPY:
1794 : {
1795 : EVP_CIPHER_CTX *out = ptr;
1796 0 : EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
1797 0 : if (cctx->ccm.key) {
1798 0 : if (cctx->ccm.key != &cctx->ks)
1799 : return 0;
1800 0 : cctx_out->ccm.key = &cctx_out->ks;
1801 : }
1802 : return 1;
1803 : }
1804 :
1805 : default:
1806 : return -1;
1807 :
1808 : }
1809 : }
1810 :
1811 0 : static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1812 : const unsigned char *iv, int enc)
1813 : {
1814 0 : EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1815 0 : if (!iv && !key)
1816 : return 1;
1817 0 : if (key)
1818 : do {
1819 : # ifdef HWAES_CAPABLE
1820 : if (HWAES_CAPABLE) {
1821 : HWAES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
1822 :
1823 : CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1824 : &cctx->ks, (block128_f) HWAES_encrypt);
1825 : cctx->str = NULL;
1826 : cctx->key_set = 1;
1827 : break;
1828 : } else
1829 : # endif
1830 : # ifdef VPAES_CAPABLE
1831 : if (VPAES_CAPABLE) {
1832 : vpaes_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
1833 : CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1834 : &cctx->ks, (block128_f) vpaes_encrypt);
1835 : cctx->str = NULL;
1836 : cctx->key_set = 1;
1837 : break;
1838 : }
1839 : # endif
1840 0 : AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
1841 0 : CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1842 0 : &cctx->ks, (block128_f) AES_encrypt);
1843 0 : cctx->str = NULL;
1844 0 : cctx->key_set = 1;
1845 : } while (0);
1846 0 : if (iv) {
1847 0 : memcpy(ctx->iv, iv, 15 - cctx->L);
1848 0 : cctx->iv_set = 1;
1849 : }
1850 : return 1;
1851 : }
1852 :
1853 0 : static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1854 : const unsigned char *in, size_t len)
1855 : {
1856 0 : EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1857 0 : CCM128_CONTEXT *ccm = &cctx->ccm;
1858 : /* If not set up, return error */
1859 0 : if (!cctx->iv_set && !cctx->key_set)
1860 : return -1;
1861 0 : if (!ctx->encrypt && !cctx->tag_set)
1862 : return -1;
1863 0 : if (!out) {
1864 0 : if (!in) {
1865 0 : if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1866 : return -1;
1867 0 : cctx->len_set = 1;
1868 0 : return len;
1869 : }
1870 : /* If have AAD need message length */
1871 0 : if (!cctx->len_set && len)
1872 : return -1;
1873 0 : CRYPTO_ccm128_aad(ccm, in, len);
1874 0 : return len;
1875 : }
1876 : /* EVP_*Final() doesn't return any data */
1877 0 : if (!in)
1878 : return 0;
1879 : /* If not set length yet do it */
1880 0 : if (!cctx->len_set) {
1881 0 : if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1882 : return -1;
1883 0 : cctx->len_set = 1;
1884 : }
1885 0 : if (ctx->encrypt) {
1886 0 : if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
1887 : cctx->str) :
1888 0 : CRYPTO_ccm128_encrypt(ccm, in, out, len))
1889 : return -1;
1890 0 : cctx->tag_set = 1;
1891 0 : return len;
1892 : } else {
1893 : int rv = -1;
1894 0 : if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
1895 : cctx->str) :
1896 0 : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
1897 : unsigned char tag[16];
1898 0 : if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
1899 0 : if (!CRYPTO_memcmp(tag, ctx->buf, cctx->M))
1900 0 : rv = len;
1901 : }
1902 : }
1903 0 : if (rv == -1)
1904 0 : OPENSSL_cleanse(out, len);
1905 0 : cctx->iv_set = 0;
1906 0 : cctx->tag_set = 0;
1907 0 : cctx->len_set = 0;
1908 0 : return rv;
1909 : }
1910 :
1911 : }
1912 :
1913 : # define aes_ccm_cleanup NULL
1914 :
1915 121 : BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
1916 : EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
1917 121 : BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
1918 : EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
1919 121 : BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
1920 : EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
1921 : #endif
1922 : typedef struct {
1923 : union {
1924 : double align;
1925 : AES_KEY ks;
1926 : } ks;
1927 : /* Indicates if IV has been set */
1928 : unsigned char *iv;
1929 : } EVP_AES_WRAP_CTX;
1930 :
1931 0 : static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1932 : const unsigned char *iv, int enc)
1933 : {
1934 0 : EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
1935 0 : if (!iv && !key)
1936 : return 1;
1937 0 : if (key) {
1938 0 : if (ctx->encrypt)
1939 0 : AES_set_encrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
1940 : else
1941 0 : AES_set_decrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
1942 0 : if (!iv)
1943 0 : wctx->iv = NULL;
1944 : }
1945 0 : if (iv) {
1946 0 : memcpy(ctx->iv, iv, 8);
1947 0 : wctx->iv = ctx->iv;
1948 : }
1949 : return 1;
1950 : }
1951 :
1952 0 : static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1953 : const unsigned char *in, size_t inlen)
1954 : {
1955 0 : EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
1956 : size_t rv;
1957 0 : if (!in)
1958 : return 0;
1959 0 : if (inlen % 8)
1960 : return -1;
1961 0 : if (ctx->encrypt && inlen < 8)
1962 : return -1;
1963 0 : if (!ctx->encrypt && inlen < 16)
1964 : return -1;
1965 0 : if (!out) {
1966 0 : if (ctx->encrypt)
1967 0 : return inlen + 8;
1968 : else
1969 0 : return inlen - 8;
1970 : }
1971 0 : if (ctx->encrypt)
1972 0 : rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
1973 : (block128_f) AES_encrypt);
1974 : else
1975 0 : rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
1976 : (block128_f) AES_decrypt);
1977 0 : return rv ? (int)rv : -1;
1978 : }
1979 :
1980 : #define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
1981 : | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1982 : | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
1983 :
1984 : static const EVP_CIPHER aes_128_wrap = {
1985 : NID_id_aes128_wrap,
1986 : 8, 16, 8, WRAP_FLAGS,
1987 : aes_wrap_init_key, aes_wrap_cipher,
1988 : NULL,
1989 : sizeof(EVP_AES_WRAP_CTX),
1990 : NULL, NULL, NULL, NULL
1991 : };
1992 :
1993 121 : const EVP_CIPHER *EVP_aes_128_wrap(void)
1994 : {
1995 121 : return &aes_128_wrap;
1996 : }
1997 :
1998 : static const EVP_CIPHER aes_192_wrap = {
1999 : NID_id_aes192_wrap,
2000 : 8, 24, 8, WRAP_FLAGS,
2001 : aes_wrap_init_key, aes_wrap_cipher,
2002 : NULL,
2003 : sizeof(EVP_AES_WRAP_CTX),
2004 : NULL, NULL, NULL, NULL
2005 : };
2006 :
2007 121 : const EVP_CIPHER *EVP_aes_192_wrap(void)
2008 : {
2009 121 : return &aes_192_wrap;
2010 : }
2011 :
2012 : static const EVP_CIPHER aes_256_wrap = {
2013 : NID_id_aes256_wrap,
2014 : 8, 32, 8, WRAP_FLAGS,
2015 : aes_wrap_init_key, aes_wrap_cipher,
2016 : NULL,
2017 : sizeof(EVP_AES_WRAP_CTX),
2018 : NULL, NULL, NULL, NULL
2019 : };
2020 :
2021 121 : const EVP_CIPHER *EVP_aes_256_wrap(void)
2022 : {
2023 121 : return &aes_256_wrap;
2024 : }
|
