e_aes.c revision 280304
1/* ==================================================================== 2 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in 13 * the documentation and/or other materials provided with the 14 * distribution. 15 * 16 * 3. All advertising materials mentioning features or use of this 17 * software must display the following acknowledgment: 18 * "This product includes software developed by the OpenSSL Project 19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 20 * 21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 22 * endorse or promote products derived from this software without 23 * prior written permission. For written permission, please contact 24 * openssl-core@openssl.org. 25 * 26 * 5. Products derived from this software may not be called "OpenSSL" 27 * nor may "OpenSSL" appear in their names without prior written 28 * permission of the OpenSSL Project. 29 * 30 * 6. Redistributions of any form whatsoever must retain the following 31 * acknowledgment: 32 * "This product includes software developed by the OpenSSL Project 33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 34 * 35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 46 * OF THE POSSIBILITY OF SUCH DAMAGE. 47 * ==================================================================== 48 * 49 */ 50 51#include <openssl/opensslconf.h> 52#ifndef OPENSSL_NO_AES 53# include <openssl/evp.h> 54# include <openssl/err.h> 55# include <string.h> 56# include <assert.h> 57# include <openssl/aes.h> 58# include "evp_locl.h" 59# ifndef OPENSSL_FIPS 60# include "modes_lcl.h" 61# include <openssl/rand.h> 62 63typedef struct { 64 AES_KEY ks; 65 block128_f block; 66 union { 67 cbc128_f cbc; 68 ctr128_f ctr; 69 } stream; 70} EVP_AES_KEY; 71 72typedef struct { 73 AES_KEY ks; /* AES key schedule to use */ 74 int key_set; /* Set if key initialised */ 75 int iv_set; /* Set if an iv is set */ 76 GCM128_CONTEXT gcm; 77 unsigned char *iv; /* Temporary IV store */ 78 int ivlen; /* IV length */ 79 int taglen; 80 int iv_gen; /* It is OK to generate IVs */ 81 int tls_aad_len; /* TLS AAD length */ 82 ctr128_f ctr; 83} EVP_AES_GCM_CTX; 84 85typedef struct { 86 AES_KEY ks1, ks2; /* AES key schedules to use */ 87 XTS128_CONTEXT xts; 88 void (*stream) (const unsigned char *in, 89 unsigned char *out, size_t length, 90 const AES_KEY *key1, const AES_KEY *key2, 91 const unsigned char iv[16]); 92} EVP_AES_XTS_CTX; 93 94typedef struct { 95 AES_KEY ks; /* AES key schedule to use */ 96 int key_set; /* Set if key initialised */ 97 int iv_set; /* Set if an iv is set */ 98 int tag_set; /* Set if tag is valid */ 99 int len_set; /* Set if message length set */ 100 int L, M; /* L and M parameters from RFC3610 */ 101 CCM128_CONTEXT ccm; 102 ccm128_f str; 103} EVP_AES_CCM_CTX; 104 105# define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) 106 107# ifdef VPAES_ASM 108int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, 109 AES_KEY *key); 110int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, 111 AES_KEY *key); 112 113void vpaes_encrypt(const unsigned char *in, unsigned char *out, 114 const AES_KEY *key); 115void vpaes_decrypt(const unsigned char *in, unsigned char *out, 116 const AES_KEY *key); 117 118void vpaes_cbc_encrypt(const unsigned char *in, 119 unsigned char *out, 120 size_t length, 121 const AES_KEY *key, unsigned char *ivec, int enc); 122# endif 123# ifdef BSAES_ASM 124void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 125 size_t length, const AES_KEY *key, 126 unsigned char ivec[16], int enc); 127void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 128 size_t len, const AES_KEY *key, 129 const unsigned char ivec[16]); 130void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, 131 size_t len, const AES_KEY *key1, 132 const AES_KEY *key2, const unsigned char iv[16]); 133void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, 134 size_t len, const AES_KEY *key1, 135 const AES_KEY *key2, const unsigned char iv[16]); 136# endif 137# ifdef AES_CTR_ASM 138void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 139 size_t blocks, const AES_KEY *key, 140 const unsigned char ivec[AES_BLOCK_SIZE]); 141# endif 142# ifdef AES_XTS_ASM 143void AES_xts_encrypt(const char *inp, char *out, size_t len, 144 const AES_KEY *key1, const AES_KEY *key2, 145 const unsigned char iv[16]); 146void AES_xts_decrypt(const char *inp, char *out, size_t len, 147 const AES_KEY *key1, const AES_KEY *key2, 148 const unsigned char iv[16]); 149# endif 150 151# if defined(AES_ASM) && !defined(I386_ONLY) && ( \ 152 ((defined(__i386) || defined(__i386__) || \ 153 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ 154 defined(__x86_64) || defined(__x86_64__) || \ 155 defined(_M_AMD64) || defined(_M_X64) || \ 156 defined(__INTEL__) ) 157 158extern unsigned int OPENSSL_ia32cap_P[2]; 159 160# ifdef VPAES_ASM 161# define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) 162# endif 163# ifdef BSAES_ASM 164# define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) 165# endif 166/* 167 * AES-NI section 168 */ 169# define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32))) 170 171int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 172 AES_KEY *key); 173int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 174 AES_KEY *key); 175 176void aesni_encrypt(const unsigned char *in, unsigned char *out, 177 const AES_KEY *key); 178void aesni_decrypt(const unsigned char *in, unsigned char *out, 179 const AES_KEY *key); 180 181void aesni_ecb_encrypt(const unsigned char *in, 182 unsigned char *out, 183 size_t length, const AES_KEY *key, int enc); 184void aesni_cbc_encrypt(const unsigned char *in, 185 unsigned char *out, 186 size_t length, 187 const AES_KEY *key, unsigned char *ivec, int enc); 188 189void aesni_ctr32_encrypt_blocks(const unsigned char *in, 190 unsigned char *out, 191 size_t blocks, 192 const void *key, const unsigned char *ivec); 193 194void aesni_xts_encrypt(const unsigned char *in, 195 unsigned char *out, 196 size_t length, 197 const AES_KEY *key1, const AES_KEY *key2, 198 const unsigned char iv[16]); 199 200void aesni_xts_decrypt(const unsigned char *in, 201 unsigned char *out, 202 size_t length, 203 const AES_KEY *key1, const AES_KEY *key2, 204 const unsigned char iv[16]); 205 206void aesni_ccm64_encrypt_blocks(const unsigned char *in, 207 unsigned char *out, 208 size_t blocks, 209 const void *key, 210 const unsigned char ivec[16], 211 unsigned char cmac[16]); 212 213void aesni_ccm64_decrypt_blocks(const unsigned char *in, 214 unsigned char *out, 215 size_t blocks, 216 const void *key, 217 const unsigned char ivec[16], 218 unsigned char cmac[16]); 219 220static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 221 const unsigned char *iv, int enc) 222{ 223 int ret, mode; 224 EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data; 225 226 mode = ctx->cipher->flags & EVP_CIPH_MODE; 227 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 228 && !enc) { 229 ret = aesni_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data); 230 dat->block = (block128_f) aesni_decrypt; 231 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 232 (cbc128_f) aesni_cbc_encrypt : NULL; 233 } else { 234 ret = aesni_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data); 235 dat->block = (block128_f) aesni_encrypt; 236 if (mode == EVP_CIPH_CBC_MODE) 237 dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt; 238 else if (mode == EVP_CIPH_CTR_MODE) 239 dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; 240 else 241 dat->stream.cbc = NULL; 242 } 243 244 if (ret < 0) { 245 EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED); 246 return 0; 247 } 248 249 return 1; 250} 251 252static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 253 const unsigned char *in, size_t len) 254{ 255 aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, ctx->encrypt); 256 257 return 1; 258} 259 260static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 261 const unsigned char *in, size_t len) 262{ 263 size_t bl = ctx->cipher->block_size; 264 265 if (len < bl) 266 return 1; 267 268 aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt); 269 270 return 1; 271} 272 273# define aesni_ofb_cipher aes_ofb_cipher 274static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 275 const unsigned char *in, size_t len); 276 277# define aesni_cfb_cipher aes_cfb_cipher 278static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 279 const unsigned char *in, size_t len); 280 281# define aesni_cfb8_cipher aes_cfb8_cipher 282static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 283 const unsigned char *in, size_t len); 284 285# define aesni_cfb1_cipher aes_cfb1_cipher 286static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 287 const unsigned char *in, size_t len); 288 289# define aesni_ctr_cipher aes_ctr_cipher 290static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 291 const unsigned char *in, size_t len); 292 293static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 294 const unsigned char *iv, int enc) 295{ 296 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 297 if (!iv && !key) 298 return 1; 299 if (key) { 300 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 301 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt); 302 gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; 303 /* 304 * If we have an iv can set it directly, otherwise use saved IV. 305 */ 306 if (iv == NULL && gctx->iv_set) 307 iv = gctx->iv; 308 if (iv) { 309 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 310 gctx->iv_set = 1; 311 } 312 gctx->key_set = 1; 313 } else { 314 /* If key set use IV, otherwise copy */ 315 if (gctx->key_set) 316 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 317 else 318 memcpy(gctx->iv, iv, gctx->ivlen); 319 gctx->iv_set = 1; 320 gctx->iv_gen = 0; 321 } 322 return 1; 323} 324 325# define aesni_gcm_cipher aes_gcm_cipher 326static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 327 const unsigned char *in, size_t len); 328 329static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 330 const unsigned char *iv, int enc) 331{ 332 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 333 if (!iv && !key) 334 return 1; 335 336 if (key) { 337 /* key_len is two AES keys */ 338 if (enc) { 339 aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 340 xctx->xts.block1 = (block128_f) aesni_encrypt; 341 xctx->stream = aesni_xts_encrypt; 342 } else { 343 aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 344 xctx->xts.block1 = (block128_f) aesni_decrypt; 345 xctx->stream = aesni_xts_decrypt; 346 } 347 348 aesni_set_encrypt_key(key + ctx->key_len / 2, 349 ctx->key_len * 4, &xctx->ks2); 350 xctx->xts.block2 = (block128_f) aesni_encrypt; 351 352 xctx->xts.key1 = &xctx->ks1; 353 } 354 355 if (iv) { 356 xctx->xts.key2 = &xctx->ks2; 357 memcpy(ctx->iv, iv, 16); 358 } 359 360 return 1; 361} 362 363# define aesni_xts_cipher aes_xts_cipher 364static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 365 const unsigned char *in, size_t len); 366 367static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 368 const unsigned char *iv, int enc) 369{ 370 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 371 if (!iv && !key) 372 return 1; 373 if (key) { 374 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 375 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 376 &cctx->ks, (block128_f) aesni_encrypt); 377 cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks : 378 (ccm128_f) aesni_ccm64_decrypt_blocks; 379 cctx->key_set = 1; 380 } 381 if (iv) { 382 memcpy(ctx->iv, iv, 15 - cctx->L); 383 cctx->iv_set = 1; 384 } 385 return 1; 386} 387 388# define aesni_ccm_cipher aes_ccm_cipher 389static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 390 const unsigned char *in, size_t len); 391 392# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 393static const EVP_CIPHER aesni_##keylen##_##mode = { \ 394 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 395 flags|EVP_CIPH_##MODE##_MODE, \ 396 aesni_init_key, \ 397 aesni_##mode##_cipher, \ 398 NULL, \ 399 sizeof(EVP_AES_KEY), \ 400 NULL,NULL,NULL,NULL }; \ 401static const EVP_CIPHER aes_##keylen##_##mode = { \ 402 nid##_##keylen##_##nmode,blocksize, \ 403 keylen/8,ivlen, \ 404 flags|EVP_CIPH_##MODE##_MODE, \ 405 aes_init_key, \ 406 aes_##mode##_cipher, \ 407 NULL, \ 408 sizeof(EVP_AES_KEY), \ 409 NULL,NULL,NULL,NULL }; \ 410const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 411{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 412 413# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 414static const EVP_CIPHER aesni_##keylen##_##mode = { \ 415 nid##_##keylen##_##mode,blocksize, \ 416 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 417 flags|EVP_CIPH_##MODE##_MODE, \ 418 aesni_##mode##_init_key, \ 419 aesni_##mode##_cipher, \ 420 aes_##mode##_cleanup, \ 421 sizeof(EVP_AES_##MODE##_CTX), \ 422 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 423static const EVP_CIPHER aes_##keylen##_##mode = { \ 424 nid##_##keylen##_##mode,blocksize, \ 425 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 426 flags|EVP_CIPH_##MODE##_MODE, \ 427 aes_##mode##_init_key, \ 428 aes_##mode##_cipher, \ 429 aes_##mode##_cleanup, \ 430 sizeof(EVP_AES_##MODE##_CTX), \ 431 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 432const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 433{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 434 435# else 436 437# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 438static const EVP_CIPHER aes_##keylen##_##mode = { \ 439 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 440 flags|EVP_CIPH_##MODE##_MODE, \ 441 aes_init_key, \ 442 aes_##mode##_cipher, \ 443 NULL, \ 444 sizeof(EVP_AES_KEY), \ 445 NULL,NULL,NULL,NULL }; \ 446const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 447{ return &aes_##keylen##_##mode; } 448 449# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 450static const EVP_CIPHER aes_##keylen##_##mode = { \ 451 nid##_##keylen##_##mode,blocksize, \ 452 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 453 flags|EVP_CIPH_##MODE##_MODE, \ 454 aes_##mode##_init_key, \ 455 aes_##mode##_cipher, \ 456 aes_##mode##_cleanup, \ 457 sizeof(EVP_AES_##MODE##_CTX), \ 458 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 459const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 460{ return &aes_##keylen##_##mode; } 461# endif 462 463# define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \ 464 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 465 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 466 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 467 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 468 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \ 469 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \ 470 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags) 471 472static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 473 const unsigned char *iv, int enc) 474{ 475 int ret, mode; 476 EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data; 477 478 mode = ctx->cipher->flags & EVP_CIPH_MODE; 479 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 480 && !enc) 481# ifdef BSAES_CAPABLE 482 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) { 483 ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks); 484 dat->block = (block128_f) AES_decrypt; 485 dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt; 486 } else 487# endif 488# ifdef VPAES_CAPABLE 489 if (VPAES_CAPABLE) { 490 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks); 491 dat->block = (block128_f) vpaes_decrypt; 492 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 493 (cbc128_f) vpaes_cbc_encrypt : NULL; 494 } else 495# endif 496 { 497 ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks); 498 dat->block = (block128_f) AES_decrypt; 499 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 500 (cbc128_f) AES_cbc_encrypt : NULL; 501 } else 502# ifdef BSAES_CAPABLE 503 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) { 504 ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks); 505 dat->block = (block128_f) AES_encrypt; 506 dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks; 507 } else 508# endif 509# ifdef VPAES_CAPABLE 510 if (VPAES_CAPABLE) { 511 ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks); 512 dat->block = (block128_f) vpaes_encrypt; 513 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 514 (cbc128_f) vpaes_cbc_encrypt : NULL; 515 } else 516# endif 517 { 518 ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks); 519 dat->block = (block128_f) AES_encrypt; 520 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 521 (cbc128_f) AES_cbc_encrypt : NULL; 522# ifdef AES_CTR_ASM 523 if (mode == EVP_CIPH_CTR_MODE) 524 dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt; 525# endif 526 } 527 528 if (ret < 0) { 529 EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED); 530 return 0; 531 } 532 533 return 1; 534} 535 536static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 537 const unsigned char *in, size_t len) 538{ 539 EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data; 540 541 if (dat->stream.cbc) 542 (*dat->stream.cbc) (in, out, len, &dat->ks, ctx->iv, ctx->encrypt); 543 else if (ctx->encrypt) 544 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, dat->block); 545 else 546 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, dat->block); 547 548 return 1; 549} 550 551static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 552 const unsigned char *in, size_t len) 553{ 554 size_t bl = ctx->cipher->block_size; 555 size_t i; 556 EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data; 557 558 if (len < bl) 559 return 1; 560 561 for (i = 0, len -= bl; i <= len; i += bl) 562 (*dat->block) (in + i, out + i, &dat->ks); 563 564 return 1; 565} 566 567static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 568 const unsigned char *in, size_t len) 569{ 570 EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data; 571 572 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, 573 ctx->iv, &ctx->num, dat->block); 574 return 1; 575} 576 577static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 578 const unsigned char *in, size_t len) 579{ 580 EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data; 581 582 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, 583 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 584 return 1; 585} 586 587static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 588 const unsigned char *in, size_t len) 589{ 590 EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data; 591 592 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, 593 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 594 return 1; 595} 596 597static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 598 const unsigned char *in, size_t len) 599{ 600 EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data; 601 602 if (ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) { 603 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, 604 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 605 return 1; 606 } 607 608 while (len >= MAXBITCHUNK) { 609 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks, 610 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 611 len -= MAXBITCHUNK; 612 } 613 if (len) 614 CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks, 615 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 616 617 return 1; 618} 619 620static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 621 const unsigned char *in, size_t len) 622{ 623 unsigned int num = ctx->num; 624 EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data; 625 626 if (dat->stream.ctr) 627 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, 628 ctx->iv, ctx->buf, &num, dat->stream.ctr); 629 else 630 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, 631 ctx->iv, ctx->buf, &num, dat->block); 632 ctx->num = (size_t)num; 633 return 1; 634} 635 636BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS) 637 BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS) 638 BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS) 639 640static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) 641{ 642 EVP_AES_GCM_CTX *gctx = c->cipher_data; 643 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); 644 if (gctx->iv != c->iv) 645 OPENSSL_free(gctx->iv); 646 return 1; 647} 648 649/* increment counter (64-bit int) by 1 */ 650static void ctr64_inc(unsigned char *counter) 651{ 652 int n = 8; 653 unsigned char c; 654 655 do { 656 --n; 657 c = counter[n]; 658 ++c; 659 counter[n] = c; 660 if (c) 661 return; 662 } while (n); 663} 664 665static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 666{ 667 EVP_AES_GCM_CTX *gctx = c->cipher_data; 668 switch (type) { 669 case EVP_CTRL_INIT: 670 gctx->key_set = 0; 671 gctx->iv_set = 0; 672 gctx->ivlen = c->cipher->iv_len; 673 gctx->iv = c->iv; 674 gctx->taglen = -1; 675 gctx->iv_gen = 0; 676 gctx->tls_aad_len = -1; 677 return 1; 678 679 case EVP_CTRL_GCM_SET_IVLEN: 680 if (arg <= 0) 681 return 0; 682# ifdef OPENSSL_FIPS 683 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) 684 && arg < 12) 685 return 0; 686# endif 687 /* Allocate memory for IV if needed */ 688 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { 689 if (gctx->iv != c->iv) 690 OPENSSL_free(gctx->iv); 691 gctx->iv = OPENSSL_malloc(arg); 692 if (!gctx->iv) 693 return 0; 694 } 695 gctx->ivlen = arg; 696 return 1; 697 698 case EVP_CTRL_GCM_SET_TAG: 699 if (arg <= 0 || arg > 16 || c->encrypt) 700 return 0; 701 memcpy(c->buf, ptr, arg); 702 gctx->taglen = arg; 703 return 1; 704 705 case EVP_CTRL_GCM_GET_TAG: 706 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) 707 return 0; 708 memcpy(ptr, c->buf, arg); 709 return 1; 710 711 case EVP_CTRL_GCM_SET_IV_FIXED: 712 /* Special case: -1 length restores whole IV */ 713 if (arg == -1) { 714 memcpy(gctx->iv, ptr, gctx->ivlen); 715 gctx->iv_gen = 1; 716 return 1; 717 } 718 /* 719 * Fixed field must be at least 4 bytes and invocation field at least 720 * 8. 721 */ 722 if ((arg < 4) || (gctx->ivlen - arg) < 8) 723 return 0; 724 if (arg) 725 memcpy(gctx->iv, ptr, arg); 726 if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) 727 return 0; 728 gctx->iv_gen = 1; 729 return 1; 730 731 case EVP_CTRL_GCM_IV_GEN: 732 if (gctx->iv_gen == 0 || gctx->key_set == 0) 733 return 0; 734 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 735 if (arg <= 0 || arg > gctx->ivlen) 736 arg = gctx->ivlen; 737 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 738 /* 739 * Invocation field will be at least 8 bytes in size and so no need 740 * to check wrap around or increment more than last 8 bytes. 741 */ 742 ctr64_inc(gctx->iv + gctx->ivlen - 8); 743 gctx->iv_set = 1; 744 return 1; 745 746 case EVP_CTRL_GCM_SET_IV_INV: 747 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) 748 return 0; 749 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 750 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 751 gctx->iv_set = 1; 752 return 1; 753 754 case EVP_CTRL_AEAD_TLS1_AAD: 755 /* Save the AAD for later use */ 756 if (arg != 13) 757 return 0; 758 memcpy(c->buf, ptr, arg); 759 gctx->tls_aad_len = arg; 760 { 761 unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1]; 762 /* Correct length for explicit IV */ 763 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 764 /* If decrypting correct for tag too */ 765 if (!c->encrypt) 766 len -= EVP_GCM_TLS_TAG_LEN; 767 c->buf[arg - 2] = len >> 8; 768 c->buf[arg - 1] = len & 0xff; 769 } 770 /* Extra padding: tag appended to record */ 771 return EVP_GCM_TLS_TAG_LEN; 772 773 case EVP_CTRL_COPY: 774 { 775 EVP_CIPHER_CTX *out = ptr; 776 EVP_AES_GCM_CTX *gctx_out = out->cipher_data; 777 if (gctx->gcm.key) { 778 if (gctx->gcm.key != &gctx->ks) 779 return 0; 780 gctx_out->gcm.key = &gctx_out->ks; 781 } 782 if (gctx->iv == c->iv) 783 gctx_out->iv = out->iv; 784 else { 785 gctx_out->iv = OPENSSL_malloc(gctx->ivlen); 786 if (!gctx_out->iv) 787 return 0; 788 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); 789 } 790 return 1; 791 } 792 793 default: 794 return -1; 795 796 } 797} 798 799static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 800 const unsigned char *iv, int enc) 801{ 802 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 803 if (!iv && !key) 804 return 1; 805 if (key) { 806 do { 807# ifdef BSAES_CAPABLE 808 if (BSAES_CAPABLE) { 809 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 810 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 811 (block128_f) AES_encrypt); 812 gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks; 813 break; 814 } else 815# endif 816# ifdef VPAES_CAPABLE 817 if (VPAES_CAPABLE) { 818 vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 819 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 820 (block128_f) vpaes_encrypt); 821 gctx->ctr = NULL; 822 break; 823 } else 824# endif 825 (void)0; /* terminate potentially open 'else' */ 826 827 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 828 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 829 (block128_f) AES_encrypt); 830# ifdef AES_CTR_ASM 831 gctx->ctr = (ctr128_f) AES_ctr32_encrypt; 832# else 833 gctx->ctr = NULL; 834# endif 835 } while (0); 836 837 /* 838 * If we have an iv can set it directly, otherwise use saved IV. 839 */ 840 if (iv == NULL && gctx->iv_set) 841 iv = gctx->iv; 842 if (iv) { 843 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 844 gctx->iv_set = 1; 845 } 846 gctx->key_set = 1; 847 } else { 848 /* If key set use IV, otherwise copy */ 849 if (gctx->key_set) 850 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 851 else 852 memcpy(gctx->iv, iv, gctx->ivlen); 853 gctx->iv_set = 1; 854 gctx->iv_gen = 0; 855 } 856 return 1; 857} 858 859/* 860 * Handle TLS GCM packet format. This consists of the last portion of the IV 861 * followed by the payload and finally the tag. On encrypt generate IV, 862 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload 863 * and verify tag. 864 */ 865 866static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 867 const unsigned char *in, size_t len) 868{ 869 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 870 int rv = -1; 871 /* Encrypt/decrypt must be performed in place */ 872 if (out != in 873 || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) 874 return -1; 875 /* 876 * Set IV from start of buffer or generate IV and write to start of 877 * buffer. 878 */ 879 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? 880 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, 881 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) 882 goto err; 883 /* Use saved AAD */ 884 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) 885 goto err; 886 /* Fix buffer and length to point to payload */ 887 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; 888 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; 889 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 890 if (ctx->encrypt) { 891 /* Encrypt payload */ 892 if (gctx->ctr) { 893 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 894 in, out, len, gctx->ctr)) 895 goto err; 896 } else { 897 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 898 goto err; 899 } 900 out += len; 901 /* Finally write tag */ 902 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); 903 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 904 } else { 905 /* Decrypt */ 906 if (gctx->ctr) { 907 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 908 in, out, len, gctx->ctr)) 909 goto err; 910 } else { 911 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 912 goto err; 913 } 914 /* Retrieve tag */ 915 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN); 916 /* If tag mismatch wipe buffer */ 917 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { 918 OPENSSL_cleanse(out, len); 919 goto err; 920 } 921 rv = len; 922 } 923 924 err: 925 gctx->iv_set = 0; 926 gctx->tls_aad_len = -1; 927 return rv; 928} 929 930static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 931 const unsigned char *in, size_t len) 932{ 933 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 934 /* If not set up, return error */ 935 if (!gctx->key_set) 936 return -1; 937 938 if (gctx->tls_aad_len >= 0) 939 return aes_gcm_tls_cipher(ctx, out, in, len); 940 941 if (!gctx->iv_set) 942 return -1; 943 if (in) { 944 if (out == NULL) { 945 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) 946 return -1; 947 } else if (ctx->encrypt) { 948 if (gctx->ctr) { 949 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 950 in, out, len, gctx->ctr)) 951 return -1; 952 } else { 953 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 954 return -1; 955 } 956 } else { 957 if (gctx->ctr) { 958 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 959 in, out, len, gctx->ctr)) 960 return -1; 961 } else { 962 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 963 return -1; 964 } 965 } 966 return len; 967 } else { 968 if (!ctx->encrypt) { 969 if (gctx->taglen < 0) 970 return -1; 971 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0) 972 return -1; 973 gctx->iv_set = 0; 974 return 0; 975 } 976 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); 977 gctx->taglen = 16; 978 /* Don't reuse the IV */ 979 gctx->iv_set = 0; 980 return 0; 981 } 982 983} 984 985# define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ 986 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ 987 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ 988 | EVP_CIPH_CUSTOM_COPY) 989 990BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, 991 EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | 992 CUSTOM_FLAGS) 993 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, 994 EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | 995 CUSTOM_FLAGS) 996 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, 997 EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | 998 CUSTOM_FLAGS) 999 1000static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1001{ 1002 EVP_AES_XTS_CTX *xctx = c->cipher_data; 1003 if (type == EVP_CTRL_COPY) { 1004 EVP_CIPHER_CTX *out = ptr; 1005 EVP_AES_XTS_CTX *xctx_out = out->cipher_data; 1006 if (xctx->xts.key1) { 1007 if (xctx->xts.key1 != &xctx->ks1) 1008 return 0; 1009 xctx_out->xts.key1 = &xctx_out->ks1; 1010 } 1011 if (xctx->xts.key2) { 1012 if (xctx->xts.key2 != &xctx->ks2) 1013 return 0; 1014 xctx_out->xts.key2 = &xctx_out->ks2; 1015 } 1016 return 1; 1017 } else if (type != EVP_CTRL_INIT) 1018 return -1; 1019 /* key1 and key2 are used as an indicator both key and IV are set */ 1020 xctx->xts.key1 = NULL; 1021 xctx->xts.key2 = NULL; 1022 return 1; 1023} 1024 1025static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1026 const unsigned char *iv, int enc) 1027{ 1028 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1029 if (!iv && !key) 1030 return 1; 1031 1032 if (key) 1033 do { 1034# ifdef AES_XTS_ASM 1035 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; 1036# else 1037 xctx->stream = NULL; 1038# endif 1039 /* key_len is two AES keys */ 1040# ifdef BSAES_CAPABLE 1041 if (BSAES_CAPABLE) 1042 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt; 1043 else 1044# endif 1045# ifdef VPAES_CAPABLE 1046 if (VPAES_CAPABLE) { 1047 if (enc) { 1048 vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1049 xctx->xts.block1 = (block128_f) vpaes_encrypt; 1050 } else { 1051 vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1052 xctx->xts.block1 = (block128_f) vpaes_decrypt; 1053 } 1054 1055 vpaes_set_encrypt_key(key + ctx->key_len / 2, 1056 ctx->key_len * 4, &xctx->ks2); 1057 xctx->xts.block2 = (block128_f) vpaes_encrypt; 1058 1059 xctx->xts.key1 = &xctx->ks1; 1060 break; 1061 } else 1062# endif 1063 (void)0; /* terminate potentially open 'else' */ 1064 1065 if (enc) { 1066 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1067 xctx->xts.block1 = (block128_f) AES_encrypt; 1068 } else { 1069 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1070 xctx->xts.block1 = (block128_f) AES_decrypt; 1071 } 1072 1073 AES_set_encrypt_key(key + ctx->key_len / 2, 1074 ctx->key_len * 4, &xctx->ks2); 1075 xctx->xts.block2 = (block128_f) AES_encrypt; 1076 1077 xctx->xts.key1 = &xctx->ks1; 1078 } while (0); 1079 1080 if (iv) { 1081 xctx->xts.key2 = &xctx->ks2; 1082 memcpy(ctx->iv, iv, 16); 1083 } 1084 1085 return 1; 1086} 1087 1088static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1089 const unsigned char *in, size_t len) 1090{ 1091 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1092 if (!xctx->xts.key1 || !xctx->xts.key2) 1093 return 0; 1094 if (!out || !in || len < AES_BLOCK_SIZE) 1095 return 0; 1096# ifdef OPENSSL_FIPS 1097 /* Requirement of SP800-38E */ 1098 if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && 1099 (len > (1UL << 20) * 16)) { 1100 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); 1101 return 0; 1102 } 1103# endif 1104 if (xctx->stream) 1105 (*xctx->stream) (in, out, len, 1106 xctx->xts.key1, xctx->xts.key2, ctx->iv); 1107 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, 1108 ctx->encrypt)) 1109 return 0; 1110 return 1; 1111} 1112 1113# define aes_xts_cleanup NULL 1114 1115# define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \ 1116 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ 1117 | EVP_CIPH_CUSTOM_COPY) 1118 1119BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, 1120 EVP_CIPH_FLAG_FIPS | XTS_FLAGS) 1121 BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, 1122 EVP_CIPH_FLAG_FIPS | XTS_FLAGS) 1123 1124static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1125{ 1126 EVP_AES_CCM_CTX *cctx = c->cipher_data; 1127 switch (type) { 1128 case EVP_CTRL_INIT: 1129 cctx->key_set = 0; 1130 cctx->iv_set = 0; 1131 cctx->L = 8; 1132 cctx->M = 12; 1133 cctx->tag_set = 0; 1134 cctx->len_set = 0; 1135 return 1; 1136 1137 case EVP_CTRL_CCM_SET_IVLEN: 1138 arg = 15 - arg; 1139 case EVP_CTRL_CCM_SET_L: 1140 if (arg < 2 || arg > 8) 1141 return 0; 1142 cctx->L = arg; 1143 return 1; 1144 1145 case EVP_CTRL_CCM_SET_TAG: 1146 if ((arg & 1) || arg < 4 || arg > 16) 1147 return 0; 1148 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) 1149 return 0; 1150 if (ptr) { 1151 cctx->tag_set = 1; 1152 memcpy(c->buf, ptr, arg); 1153 } 1154 cctx->M = arg; 1155 return 1; 1156 1157 case EVP_CTRL_CCM_GET_TAG: 1158 if (!c->encrypt || !cctx->tag_set) 1159 return 0; 1160 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) 1161 return 0; 1162 cctx->tag_set = 0; 1163 cctx->iv_set = 0; 1164 cctx->len_set = 0; 1165 return 1; 1166 1167 case EVP_CTRL_COPY: 1168 { 1169 EVP_CIPHER_CTX *out = ptr; 1170 EVP_AES_CCM_CTX *cctx_out = out->cipher_data; 1171 if (cctx->ccm.key) { 1172 if (cctx->ccm.key != &cctx->ks) 1173 return 0; 1174 cctx_out->ccm.key = &cctx_out->ks; 1175 } 1176 return 1; 1177 } 1178 1179 default: 1180 return -1; 1181 1182 } 1183} 1184 1185static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1186 const unsigned char *iv, int enc) 1187{ 1188 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1189 if (!iv && !key) 1190 return 1; 1191 if (key) 1192 do { 1193# ifdef VPAES_CAPABLE 1194 if (VPAES_CAPABLE) { 1195 vpaes_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 1196 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1197 &cctx->ks, (block128_f) vpaes_encrypt); 1198 cctx->str = NULL; 1199 cctx->key_set = 1; 1200 break; 1201 } 1202# endif 1203 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 1204 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1205 &cctx->ks, (block128_f) AES_encrypt); 1206 cctx->str = NULL; 1207 cctx->key_set = 1; 1208 } while (0); 1209 if (iv) { 1210 memcpy(ctx->iv, iv, 15 - cctx->L); 1211 cctx->iv_set = 1; 1212 } 1213 return 1; 1214} 1215 1216static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1217 const unsigned char *in, size_t len) 1218{ 1219 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1220 CCM128_CONTEXT *ccm = &cctx->ccm; 1221 /* If not set up, return error */ 1222 if (!cctx->iv_set && !cctx->key_set) 1223 return -1; 1224 if (!ctx->encrypt && !cctx->tag_set) 1225 return -1; 1226 if (!out) { 1227 if (!in) { 1228 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 1229 return -1; 1230 cctx->len_set = 1; 1231 return len; 1232 } 1233 /* If have AAD need message length */ 1234 if (!cctx->len_set && len) 1235 return -1; 1236 CRYPTO_ccm128_aad(ccm, in, len); 1237 return len; 1238 } 1239 /* EVP_*Final() doesn't return any data */ 1240 if (!in) 1241 return 0; 1242 /* If not set length yet do it */ 1243 if (!cctx->len_set) { 1244 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 1245 return -1; 1246 cctx->len_set = 1; 1247 } 1248 if (ctx->encrypt) { 1249 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, 1250 cctx->str) : 1251 CRYPTO_ccm128_encrypt(ccm, in, out, len)) 1252 return -1; 1253 cctx->tag_set = 1; 1254 return len; 1255 } else { 1256 int rv = -1; 1257 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, 1258 cctx->str) : 1259 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { 1260 unsigned char tag[16]; 1261 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { 1262 if (!memcmp(tag, ctx->buf, cctx->M)) 1263 rv = len; 1264 } 1265 } 1266 if (rv == -1) 1267 OPENSSL_cleanse(out, len); 1268 cctx->iv_set = 0; 1269 cctx->tag_set = 0; 1270 cctx->len_set = 0; 1271 return rv; 1272 } 1273 1274} 1275 1276# define aes_ccm_cleanup NULL 1277 1278BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, 1279 EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS) 1280 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, 1281 EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS) 1282 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, 1283 EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS) 1284# endif 1285#endif 1286