e_aes.c revision 284295
1/* ==================================================================== 2 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in 13 * the documentation and/or other materials provided with the 14 * distribution. 15 * 16 * 3. All advertising materials mentioning features or use of this 17 * software must display the following acknowledgment: 18 * "This product includes software developed by the OpenSSL Project 19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 20 * 21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 22 * endorse or promote products derived from this software without 23 * prior written permission. For written permission, please contact 24 * openssl-core@openssl.org. 25 * 26 * 5. Products derived from this software may not be called "OpenSSL" 27 * nor may "OpenSSL" appear in their names without prior written 28 * permission of the OpenSSL Project. 29 * 30 * 6. Redistributions of any form whatsoever must retain the following 31 * acknowledgment: 32 * "This product includes software developed by the OpenSSL Project 33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 34 * 35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 46 * OF THE POSSIBILITY OF SUCH DAMAGE. 47 * ==================================================================== 48 * 49 */ 50 51#include <openssl/opensslconf.h> 52#ifndef OPENSSL_NO_AES 53#include <openssl/crypto.h> 54#include <openssl/evp.h> 55#include <openssl/err.h> 56#include <string.h> 57#include <assert.h> 58#include <openssl/aes.h> 59#include "evp_locl.h" 60#ifndef OPENSSL_FIPS 61#include "modes_lcl.h" 62#include <openssl/rand.h> 63 64typedef struct 65 { 66 AES_KEY ks; 67 block128_f block; 68 union { 69 cbc128_f cbc; 70 ctr128_f ctr; 71 } stream; 72 } EVP_AES_KEY; 73 74typedef struct 75 { 76 AES_KEY ks; /* AES key schedule to use */ 77 int key_set; /* Set if key initialised */ 78 int iv_set; /* Set if an iv is set */ 79 GCM128_CONTEXT gcm; 80 unsigned char *iv; /* Temporary IV store */ 81 int ivlen; /* IV length */ 82 int taglen; 83 int iv_gen; /* It is OK to generate IVs */ 84 int tls_aad_len; /* TLS AAD length */ 85 ctr128_f ctr; 86 } EVP_AES_GCM_CTX; 87 88typedef struct 89 { 90 AES_KEY ks1, ks2; /* AES key schedules to use */ 91 XTS128_CONTEXT xts; 92 void (*stream)(const unsigned char *in, 93 unsigned char *out, size_t length, 94 const AES_KEY *key1, const AES_KEY *key2, 95 const unsigned char iv[16]); 96 } EVP_AES_XTS_CTX; 97 98typedef struct 99 { 100 AES_KEY ks; /* AES key schedule to use */ 101 int key_set; /* Set if key initialised */ 102 int iv_set; /* Set if an iv is set */ 103 int tag_set; /* Set if tag is valid */ 104 int len_set; /* Set if message length set */ 105 int L, M; /* L and M parameters from RFC3610 */ 106 CCM128_CONTEXT ccm; 107 ccm128_f str; 108 } EVP_AES_CCM_CTX; 109 110#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) 111 112#ifdef VPAES_ASM 113int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, 114 AES_KEY *key); 115int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, 116 AES_KEY *key); 117 118void vpaes_encrypt(const unsigned char *in, unsigned char *out, 119 const AES_KEY *key); 120void vpaes_decrypt(const unsigned char *in, unsigned char *out, 121 const AES_KEY *key); 122 123void vpaes_cbc_encrypt(const unsigned char *in, 124 unsigned char *out, 125 size_t length, 126 const AES_KEY *key, 127 unsigned char *ivec, int enc); 128#endif 129#ifdef BSAES_ASM 130void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 131 size_t length, const AES_KEY *key, 132 unsigned char ivec[16], int enc); 133void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 134 size_t len, const AES_KEY *key, 135 const unsigned char ivec[16]); 136void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, 137 size_t len, const AES_KEY *key1, 138 const AES_KEY *key2, const unsigned char iv[16]); 139void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, 140 size_t len, const AES_KEY *key1, 141 const AES_KEY *key2, const unsigned char iv[16]); 142#endif 143#ifdef AES_CTR_ASM 144void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 145 size_t blocks, const AES_KEY *key, 146 const unsigned char ivec[AES_BLOCK_SIZE]); 147#endif 148#ifdef AES_XTS_ASM 149void AES_xts_encrypt(const char *inp,char *out,size_t len, 150 const AES_KEY *key1, const AES_KEY *key2, 151 const unsigned char iv[16]); 152void AES_xts_decrypt(const char *inp,char *out,size_t len, 153 const AES_KEY *key1, const AES_KEY *key2, 154 const unsigned char iv[16]); 155#endif 156 157#if defined(AES_ASM) && !defined(I386_ONLY) && ( \ 158 ((defined(__i386) || defined(__i386__) || \ 159 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ 160 defined(__x86_64) || defined(__x86_64__) || \ 161 defined(_M_AMD64) || defined(_M_X64) || \ 162 defined(__INTEL__) ) 163 164extern unsigned int OPENSSL_ia32cap_P[2]; 165 166#ifdef VPAES_ASM 167#define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) 168#endif 169#ifdef BSAES_ASM 170#define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) 171#endif 172/* 173 * AES-NI section 174 */ 175#define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32))) 176 177int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 178 AES_KEY *key); 179int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 180 AES_KEY *key); 181 182void aesni_encrypt(const unsigned char *in, unsigned char *out, 183 const AES_KEY *key); 184void aesni_decrypt(const unsigned char *in, unsigned char *out, 185 const AES_KEY *key); 186 187void aesni_ecb_encrypt(const unsigned char *in, 188 unsigned char *out, 189 size_t length, 190 const AES_KEY *key, 191 int enc); 192void aesni_cbc_encrypt(const unsigned char *in, 193 unsigned char *out, 194 size_t length, 195 const AES_KEY *key, 196 unsigned char *ivec, int enc); 197 198void aesni_ctr32_encrypt_blocks(const unsigned char *in, 199 unsigned char *out, 200 size_t blocks, 201 const void *key, 202 const unsigned char *ivec); 203 204void aesni_xts_encrypt(const unsigned char *in, 205 unsigned char *out, 206 size_t length, 207 const AES_KEY *key1, const AES_KEY *key2, 208 const unsigned char iv[16]); 209 210void aesni_xts_decrypt(const unsigned char *in, 211 unsigned char *out, 212 size_t length, 213 const AES_KEY *key1, const AES_KEY *key2, 214 const unsigned char iv[16]); 215 216void aesni_ccm64_encrypt_blocks (const unsigned char *in, 217 unsigned char *out, 218 size_t blocks, 219 const void *key, 220 const unsigned char ivec[16], 221 unsigned char cmac[16]); 222 223void aesni_ccm64_decrypt_blocks (const unsigned char *in, 224 unsigned char *out, 225 size_t blocks, 226 const void *key, 227 const unsigned char ivec[16], 228 unsigned char cmac[16]); 229 230static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 231 const unsigned char *iv, int enc) 232 { 233 int ret, mode; 234 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 235 236 mode = ctx->cipher->flags & EVP_CIPH_MODE; 237 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 238 && !enc) 239 { 240 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data); 241 dat->block = (block128_f)aesni_decrypt; 242 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 243 (cbc128_f)aesni_cbc_encrypt : 244 NULL; 245 } 246 else { 247 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data); 248 dat->block = (block128_f)aesni_encrypt; 249 if (mode==EVP_CIPH_CBC_MODE) 250 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; 251 else if (mode==EVP_CIPH_CTR_MODE) 252 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 253 else 254 dat->stream.cbc = NULL; 255 } 256 257 if(ret < 0) 258 { 259 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); 260 return 0; 261 } 262 263 return 1; 264 } 265 266static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 267 const unsigned char *in, size_t len) 268{ 269 aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt); 270 271 return 1; 272} 273 274static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 275 const unsigned char *in, size_t len) 276{ 277 size_t bl = ctx->cipher->block_size; 278 279 if (len<bl) return 1; 280 281 aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt); 282 283 return 1; 284} 285 286#define aesni_ofb_cipher aes_ofb_cipher 287static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 288 const unsigned char *in,size_t len); 289 290#define aesni_cfb_cipher aes_cfb_cipher 291static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 292 const unsigned char *in,size_t len); 293 294#define aesni_cfb8_cipher aes_cfb8_cipher 295static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 296 const unsigned char *in,size_t len); 297 298#define aesni_cfb1_cipher aes_cfb1_cipher 299static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 300 const unsigned char *in,size_t len); 301 302#define aesni_ctr_cipher aes_ctr_cipher 303static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 304 const unsigned char *in, size_t len); 305 306static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 307 const unsigned char *iv, int enc) 308 { 309 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 310 if (!iv && !key) 311 return 1; 312 if (key) 313 { 314 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 315 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 316 (block128_f)aesni_encrypt); 317 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 318 /* If we have an iv can set it directly, otherwise use 319 * saved IV. 320 */ 321 if (iv == NULL && gctx->iv_set) 322 iv = gctx->iv; 323 if (iv) 324 { 325 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 326 gctx->iv_set = 1; 327 } 328 gctx->key_set = 1; 329 } 330 else 331 { 332 /* If key set use IV, otherwise copy */ 333 if (gctx->key_set) 334 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 335 else 336 memcpy(gctx->iv, iv, gctx->ivlen); 337 gctx->iv_set = 1; 338 gctx->iv_gen = 0; 339 } 340 return 1; 341 } 342 343#define aesni_gcm_cipher aes_gcm_cipher 344static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 345 const unsigned char *in, size_t len); 346 347static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 348 const unsigned char *iv, int enc) 349 { 350 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 351 if (!iv && !key) 352 return 1; 353 354 if (key) 355 { 356 /* key_len is two AES keys */ 357 if (enc) 358 { 359 aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 360 xctx->xts.block1 = (block128_f)aesni_encrypt; 361 xctx->stream = aesni_xts_encrypt; 362 } 363 else 364 { 365 aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 366 xctx->xts.block1 = (block128_f)aesni_decrypt; 367 xctx->stream = aesni_xts_decrypt; 368 } 369 370 aesni_set_encrypt_key(key + ctx->key_len/2, 371 ctx->key_len * 4, &xctx->ks2); 372 xctx->xts.block2 = (block128_f)aesni_encrypt; 373 374 xctx->xts.key1 = &xctx->ks1; 375 } 376 377 if (iv) 378 { 379 xctx->xts.key2 = &xctx->ks2; 380 memcpy(ctx->iv, iv, 16); 381 } 382 383 return 1; 384 } 385 386#define aesni_xts_cipher aes_xts_cipher 387static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 388 const unsigned char *in, size_t len); 389 390static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 391 const unsigned char *iv, int enc) 392 { 393 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 394 if (!iv && !key) 395 return 1; 396 if (key) 397 { 398 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 399 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 400 &cctx->ks, (block128_f)aesni_encrypt); 401 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks : 402 (ccm128_f)aesni_ccm64_decrypt_blocks; 403 cctx->key_set = 1; 404 } 405 if (iv) 406 { 407 memcpy(ctx->iv, iv, 15 - cctx->L); 408 cctx->iv_set = 1; 409 } 410 return 1; 411 } 412 413#define aesni_ccm_cipher aes_ccm_cipher 414static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 415 const unsigned char *in, size_t len); 416 417#define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 418static const EVP_CIPHER aesni_##keylen##_##mode = { \ 419 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 420 flags|EVP_CIPH_##MODE##_MODE, \ 421 aesni_init_key, \ 422 aesni_##mode##_cipher, \ 423 NULL, \ 424 sizeof(EVP_AES_KEY), \ 425 NULL,NULL,NULL,NULL }; \ 426static const EVP_CIPHER aes_##keylen##_##mode = { \ 427 nid##_##keylen##_##nmode,blocksize, \ 428 keylen/8,ivlen, \ 429 flags|EVP_CIPH_##MODE##_MODE, \ 430 aes_init_key, \ 431 aes_##mode##_cipher, \ 432 NULL, \ 433 sizeof(EVP_AES_KEY), \ 434 NULL,NULL,NULL,NULL }; \ 435const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 436{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 437 438#define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 439static const EVP_CIPHER aesni_##keylen##_##mode = { \ 440 nid##_##keylen##_##mode,blocksize, \ 441 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 442 flags|EVP_CIPH_##MODE##_MODE, \ 443 aesni_##mode##_init_key, \ 444 aesni_##mode##_cipher, \ 445 aes_##mode##_cleanup, \ 446 sizeof(EVP_AES_##MODE##_CTX), \ 447 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 448static const EVP_CIPHER aes_##keylen##_##mode = { \ 449 nid##_##keylen##_##mode,blocksize, \ 450 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 451 flags|EVP_CIPH_##MODE##_MODE, \ 452 aes_##mode##_init_key, \ 453 aes_##mode##_cipher, \ 454 aes_##mode##_cleanup, \ 455 sizeof(EVP_AES_##MODE##_CTX), \ 456 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 457const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 458{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 459 460#else 461 462#define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 463static const EVP_CIPHER aes_##keylen##_##mode = { \ 464 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 465 flags|EVP_CIPH_##MODE##_MODE, \ 466 aes_init_key, \ 467 aes_##mode##_cipher, \ 468 NULL, \ 469 sizeof(EVP_AES_KEY), \ 470 NULL,NULL,NULL,NULL }; \ 471const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 472{ return &aes_##keylen##_##mode; } 473 474#define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 475static const EVP_CIPHER aes_##keylen##_##mode = { \ 476 nid##_##keylen##_##mode,blocksize, \ 477 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 478 flags|EVP_CIPH_##MODE##_MODE, \ 479 aes_##mode##_init_key, \ 480 aes_##mode##_cipher, \ 481 aes_##mode##_cleanup, \ 482 sizeof(EVP_AES_##MODE##_CTX), \ 483 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 484const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 485{ return &aes_##keylen##_##mode; } 486#endif 487 488#define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \ 489 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 490 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 491 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 492 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 493 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \ 494 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \ 495 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags) 496 497static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 498 const unsigned char *iv, int enc) 499 { 500 int ret, mode; 501 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 502 503 mode = ctx->cipher->flags & EVP_CIPH_MODE; 504 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 505 && !enc) 506#ifdef BSAES_CAPABLE 507 if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE) 508 { 509 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 510 dat->block = (block128_f)AES_decrypt; 511 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; 512 } 513 else 514#endif 515#ifdef VPAES_CAPABLE 516 if (VPAES_CAPABLE) 517 { 518 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 519 dat->block = (block128_f)vpaes_decrypt; 520 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 521 (cbc128_f)vpaes_cbc_encrypt : 522 NULL; 523 } 524 else 525#endif 526 { 527 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 528 dat->block = (block128_f)AES_decrypt; 529 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 530 (cbc128_f)AES_cbc_encrypt : 531 NULL; 532 } 533 else 534#ifdef BSAES_CAPABLE 535 if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE) 536 { 537 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 538 dat->block = (block128_f)AES_encrypt; 539 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 540 } 541 else 542#endif 543#ifdef VPAES_CAPABLE 544 if (VPAES_CAPABLE) 545 { 546 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 547 dat->block = (block128_f)vpaes_encrypt; 548 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 549 (cbc128_f)vpaes_cbc_encrypt : 550 NULL; 551 } 552 else 553#endif 554 { 555 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 556 dat->block = (block128_f)AES_encrypt; 557 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 558 (cbc128_f)AES_cbc_encrypt : 559 NULL; 560#ifdef AES_CTR_ASM 561 if (mode==EVP_CIPH_CTR_MODE) 562 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; 563#endif 564 } 565 566 if(ret < 0) 567 { 568 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); 569 return 0; 570 } 571 572 return 1; 573 } 574 575static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 576 const unsigned char *in, size_t len) 577{ 578 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 579 580 if (dat->stream.cbc) 581 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt); 582 else if (ctx->encrypt) 583 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); 584 else 585 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); 586 587 return 1; 588} 589 590static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 591 const unsigned char *in, size_t len) 592{ 593 size_t bl = ctx->cipher->block_size; 594 size_t i; 595 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 596 597 if (len<bl) return 1; 598 599 for (i=0,len-=bl;i<=len;i+=bl) 600 (*dat->block)(in+i,out+i,&dat->ks); 601 602 return 1; 603} 604 605static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 606 const unsigned char *in,size_t len) 607{ 608 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 609 610 CRYPTO_ofb128_encrypt(in,out,len,&dat->ks, 611 ctx->iv,&ctx->num,dat->block); 612 return 1; 613} 614 615static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 616 const unsigned char *in,size_t len) 617{ 618 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 619 620 CRYPTO_cfb128_encrypt(in,out,len,&dat->ks, 621 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 622 return 1; 623} 624 625static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 626 const unsigned char *in,size_t len) 627{ 628 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 629 630 CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks, 631 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 632 return 1; 633} 634 635static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 636 const unsigned char *in,size_t len) 637{ 638 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 639 640 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { 641 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks, 642 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 643 return 1; 644 } 645 646 while (len>=MAXBITCHUNK) { 647 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks, 648 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 649 len-=MAXBITCHUNK; 650 } 651 if (len) 652 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks, 653 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 654 655 return 1; 656} 657 658static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out, 659 const unsigned char *in, size_t len) 660{ 661 unsigned int num = ctx->num; 662 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 663 664 if (dat->stream.ctr) 665 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks, 666 ctx->iv,ctx->buf,&num,dat->stream.ctr); 667 else 668 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks, 669 ctx->iv,ctx->buf,&num,dat->block); 670 ctx->num = (size_t)num; 671 return 1; 672} 673 674BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS) 675BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS) 676BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS) 677 678static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) 679 { 680 EVP_AES_GCM_CTX *gctx = c->cipher_data; 681 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); 682 if (gctx->iv != c->iv) 683 OPENSSL_free(gctx->iv); 684 return 1; 685 } 686 687/* increment counter (64-bit int) by 1 */ 688static void ctr64_inc(unsigned char *counter) { 689 int n=8; 690 unsigned char c; 691 692 do { 693 --n; 694 c = counter[n]; 695 ++c; 696 counter[n] = c; 697 if (c) return; 698 } while (n); 699} 700 701static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 702 { 703 EVP_AES_GCM_CTX *gctx = c->cipher_data; 704 switch (type) 705 { 706 case EVP_CTRL_INIT: 707 gctx->key_set = 0; 708 gctx->iv_set = 0; 709 gctx->ivlen = c->cipher->iv_len; 710 gctx->iv = c->iv; 711 gctx->taglen = -1; 712 gctx->iv_gen = 0; 713 gctx->tls_aad_len = -1; 714 return 1; 715 716 case EVP_CTRL_GCM_SET_IVLEN: 717 if (arg <= 0) 718 return 0; 719#ifdef OPENSSL_FIPS 720 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) 721 && arg < 12) 722 return 0; 723#endif 724 /* Allocate memory for IV if needed */ 725 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) 726 { 727 if (gctx->iv != c->iv) 728 OPENSSL_free(gctx->iv); 729 gctx->iv = OPENSSL_malloc(arg); 730 if (!gctx->iv) 731 return 0; 732 } 733 gctx->ivlen = arg; 734 return 1; 735 736 case EVP_CTRL_GCM_SET_TAG: 737 if (arg <= 0 || arg > 16 || c->encrypt) 738 return 0; 739 memcpy(c->buf, ptr, arg); 740 gctx->taglen = arg; 741 return 1; 742 743 case EVP_CTRL_GCM_GET_TAG: 744 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) 745 return 0; 746 memcpy(ptr, c->buf, arg); 747 return 1; 748 749 case EVP_CTRL_GCM_SET_IV_FIXED: 750 /* Special case: -1 length restores whole IV */ 751 if (arg == -1) 752 { 753 memcpy(gctx->iv, ptr, gctx->ivlen); 754 gctx->iv_gen = 1; 755 return 1; 756 } 757 /* Fixed field must be at least 4 bytes and invocation field 758 * at least 8. 759 */ 760 if ((arg < 4) || (gctx->ivlen - arg) < 8) 761 return 0; 762 if (arg) 763 memcpy(gctx->iv, ptr, arg); 764 if (c->encrypt && 765 RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) 766 return 0; 767 gctx->iv_gen = 1; 768 return 1; 769 770 case EVP_CTRL_GCM_IV_GEN: 771 if (gctx->iv_gen == 0 || gctx->key_set == 0) 772 return 0; 773 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 774 if (arg <= 0 || arg > gctx->ivlen) 775 arg = gctx->ivlen; 776 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 777 /* Invocation field will be at least 8 bytes in size and 778 * so no need to check wrap around or increment more than 779 * last 8 bytes. 780 */ 781 ctr64_inc(gctx->iv + gctx->ivlen - 8); 782 gctx->iv_set = 1; 783 return 1; 784 785 case EVP_CTRL_GCM_SET_IV_INV: 786 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) 787 return 0; 788 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 789 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 790 gctx->iv_set = 1; 791 return 1; 792 793 case EVP_CTRL_AEAD_TLS1_AAD: 794 /* Save the AAD for later use */ 795 if (arg != 13) 796 return 0; 797 memcpy(c->buf, ptr, arg); 798 gctx->tls_aad_len = arg; 799 { 800 unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1]; 801 /* Correct length for explicit IV */ 802 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 803 /* If decrypting correct for tag too */ 804 if (!c->encrypt) 805 len -= EVP_GCM_TLS_TAG_LEN; 806 c->buf[arg-2] = len>>8; 807 c->buf[arg-1] = len & 0xff; 808 } 809 /* Extra padding: tag appended to record */ 810 return EVP_GCM_TLS_TAG_LEN; 811 812 case EVP_CTRL_COPY: 813 { 814 EVP_CIPHER_CTX *out = ptr; 815 EVP_AES_GCM_CTX *gctx_out = out->cipher_data; 816 if (gctx->gcm.key) 817 { 818 if (gctx->gcm.key != &gctx->ks) 819 return 0; 820 gctx_out->gcm.key = &gctx_out->ks; 821 } 822 if (gctx->iv == c->iv) 823 gctx_out->iv = out->iv; 824 else 825 { 826 gctx_out->iv = OPENSSL_malloc(gctx->ivlen); 827 if (!gctx_out->iv) 828 return 0; 829 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); 830 } 831 return 1; 832 } 833 834 default: 835 return -1; 836 837 } 838 } 839 840static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 841 const unsigned char *iv, int enc) 842 { 843 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 844 if (!iv && !key) 845 return 1; 846 if (key) 847 { do { 848#ifdef BSAES_CAPABLE 849 if (BSAES_CAPABLE) 850 { 851 AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); 852 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, 853 (block128_f)AES_encrypt); 854 gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 855 break; 856 } 857 else 858#endif 859#ifdef VPAES_CAPABLE 860 if (VPAES_CAPABLE) 861 { 862 vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); 863 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, 864 (block128_f)vpaes_encrypt); 865 gctx->ctr = NULL; 866 break; 867 } 868 else 869#endif 870 (void)0; /* terminate potentially open 'else' */ 871 872 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 873 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt); 874#ifdef AES_CTR_ASM 875 gctx->ctr = (ctr128_f)AES_ctr32_encrypt; 876#else 877 gctx->ctr = NULL; 878#endif 879 } while (0); 880 881 /* If we have an iv can set it directly, otherwise use 882 * saved IV. 883 */ 884 if (iv == NULL && gctx->iv_set) 885 iv = gctx->iv; 886 if (iv) 887 { 888 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 889 gctx->iv_set = 1; 890 } 891 gctx->key_set = 1; 892 } 893 else 894 { 895 /* If key set use IV, otherwise copy */ 896 if (gctx->key_set) 897 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 898 else 899 memcpy(gctx->iv, iv, gctx->ivlen); 900 gctx->iv_set = 1; 901 gctx->iv_gen = 0; 902 } 903 return 1; 904 } 905 906/* Handle TLS GCM packet format. This consists of the last portion of the IV 907 * followed by the payload and finally the tag. On encrypt generate IV, 908 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload 909 * and verify tag. 910 */ 911 912static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 913 const unsigned char *in, size_t len) 914 { 915 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 916 int rv = -1; 917 /* Encrypt/decrypt must be performed in place */ 918 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN)) 919 return -1; 920 /* Set IV from start of buffer or generate IV and write to start 921 * of buffer. 922 */ 923 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? 924 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, 925 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) 926 goto err; 927 /* Use saved AAD */ 928 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) 929 goto err; 930 /* Fix buffer and length to point to payload */ 931 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; 932 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; 933 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 934 if (ctx->encrypt) 935 { 936 /* Encrypt payload */ 937 if (gctx->ctr) 938 { 939 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 940 in, out, len, 941 gctx->ctr)) 942 goto err; 943 } 944 else { 945 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 946 goto err; 947 } 948 out += len; 949 /* Finally write tag */ 950 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); 951 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 952 } 953 else 954 { 955 /* Decrypt */ 956 if (gctx->ctr) 957 { 958 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 959 in, out, len, 960 gctx->ctr)) 961 goto err; 962 } 963 else { 964 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 965 goto err; 966 } 967 /* Retrieve tag */ 968 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 969 EVP_GCM_TLS_TAG_LEN); 970 /* If tag mismatch wipe buffer */ 971 if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) 972 { 973 OPENSSL_cleanse(out, len); 974 goto err; 975 } 976 rv = len; 977 } 978 979 err: 980 gctx->iv_set = 0; 981 gctx->tls_aad_len = -1; 982 return rv; 983 } 984 985static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 986 const unsigned char *in, size_t len) 987 { 988 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 989 /* If not set up, return error */ 990 if (!gctx->key_set) 991 return -1; 992 993 if (gctx->tls_aad_len >= 0) 994 return aes_gcm_tls_cipher(ctx, out, in, len); 995 996 if (!gctx->iv_set) 997 return -1; 998 if (in) 999 { 1000 if (out == NULL) 1001 { 1002 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) 1003 return -1; 1004 } 1005 else if (ctx->encrypt) 1006 { 1007 if (gctx->ctr) 1008 { 1009 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 1010 in, out, len, 1011 gctx->ctr)) 1012 return -1; 1013 } 1014 else { 1015 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 1016 return -1; 1017 } 1018 } 1019 else 1020 { 1021 if (gctx->ctr) 1022 { 1023 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 1024 in, out, len, 1025 gctx->ctr)) 1026 return -1; 1027 } 1028 else { 1029 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 1030 return -1; 1031 } 1032 } 1033 return len; 1034 } 1035 else 1036 { 1037 if (!ctx->encrypt) 1038 { 1039 if (gctx->taglen < 0) 1040 return -1; 1041 if (CRYPTO_gcm128_finish(&gctx->gcm, 1042 ctx->buf, gctx->taglen) != 0) 1043 return -1; 1044 gctx->iv_set = 0; 1045 return 0; 1046 } 1047 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); 1048 gctx->taglen = 16; 1049 /* Don't reuse the IV */ 1050 gctx->iv_set = 0; 1051 return 0; 1052 } 1053 1054 } 1055 1056#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ 1057 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ 1058 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ 1059 | EVP_CIPH_CUSTOM_COPY) 1060 1061BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM, 1062 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1063BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM, 1064 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1065BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM, 1066 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1067 1068static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1069 { 1070 EVP_AES_XTS_CTX *xctx = c->cipher_data; 1071 if (type == EVP_CTRL_COPY) 1072 { 1073 EVP_CIPHER_CTX *out = ptr; 1074 EVP_AES_XTS_CTX *xctx_out = out->cipher_data; 1075 if (xctx->xts.key1) 1076 { 1077 if (xctx->xts.key1 != &xctx->ks1) 1078 return 0; 1079 xctx_out->xts.key1 = &xctx_out->ks1; 1080 } 1081 if (xctx->xts.key2) 1082 { 1083 if (xctx->xts.key2 != &xctx->ks2) 1084 return 0; 1085 xctx_out->xts.key2 = &xctx_out->ks2; 1086 } 1087 return 1; 1088 } 1089 else if (type != EVP_CTRL_INIT) 1090 return -1; 1091 /* key1 and key2 are used as an indicator both key and IV are set */ 1092 xctx->xts.key1 = NULL; 1093 xctx->xts.key2 = NULL; 1094 return 1; 1095 } 1096 1097static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1098 const unsigned char *iv, int enc) 1099 { 1100 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1101 if (!iv && !key) 1102 return 1; 1103 1104 if (key) do 1105 { 1106#ifdef AES_XTS_ASM 1107 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; 1108#else 1109 xctx->stream = NULL; 1110#endif 1111 /* key_len is two AES keys */ 1112#ifdef BSAES_CAPABLE 1113 if (BSAES_CAPABLE) 1114 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt; 1115 else 1116#endif 1117#ifdef VPAES_CAPABLE 1118 if (VPAES_CAPABLE) 1119 { 1120 if (enc) 1121 { 1122 vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1123 xctx->xts.block1 = (block128_f)vpaes_encrypt; 1124 } 1125 else 1126 { 1127 vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1128 xctx->xts.block1 = (block128_f)vpaes_decrypt; 1129 } 1130 1131 vpaes_set_encrypt_key(key + ctx->key_len/2, 1132 ctx->key_len * 4, &xctx->ks2); 1133 xctx->xts.block2 = (block128_f)vpaes_encrypt; 1134 1135 xctx->xts.key1 = &xctx->ks1; 1136 break; 1137 } 1138 else 1139#endif 1140 (void)0; /* terminate potentially open 'else' */ 1141 1142 if (enc) 1143 { 1144 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1145 xctx->xts.block1 = (block128_f)AES_encrypt; 1146 } 1147 else 1148 { 1149 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1150 xctx->xts.block1 = (block128_f)AES_decrypt; 1151 } 1152 1153 AES_set_encrypt_key(key + ctx->key_len/2, 1154 ctx->key_len * 4, &xctx->ks2); 1155 xctx->xts.block2 = (block128_f)AES_encrypt; 1156 1157 xctx->xts.key1 = &xctx->ks1; 1158 } while (0); 1159 1160 if (iv) 1161 { 1162 xctx->xts.key2 = &xctx->ks2; 1163 memcpy(ctx->iv, iv, 16); 1164 } 1165 1166 return 1; 1167 } 1168 1169static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1170 const unsigned char *in, size_t len) 1171 { 1172 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1173 if (!xctx->xts.key1 || !xctx->xts.key2) 1174 return 0; 1175 if (!out || !in || len<AES_BLOCK_SIZE) 1176 return 0; 1177#ifdef OPENSSL_FIPS 1178 /* Requirement of SP800-38E */ 1179 if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && 1180 (len > (1UL<<20)*16)) 1181 { 1182 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); 1183 return 0; 1184 } 1185#endif 1186 if (xctx->stream) 1187 (*xctx->stream)(in, out, len, 1188 xctx->xts.key1, xctx->xts.key2, ctx->iv); 1189 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, 1190 ctx->encrypt)) 1191 return 0; 1192 return 1; 1193 } 1194 1195#define aes_xts_cleanup NULL 1196 1197#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \ 1198 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ 1199 | EVP_CIPH_CUSTOM_COPY) 1200 1201BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1202BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1203 1204static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1205 { 1206 EVP_AES_CCM_CTX *cctx = c->cipher_data; 1207 switch (type) 1208 { 1209 case EVP_CTRL_INIT: 1210 cctx->key_set = 0; 1211 cctx->iv_set = 0; 1212 cctx->L = 8; 1213 cctx->M = 12; 1214 cctx->tag_set = 0; 1215 cctx->len_set = 0; 1216 return 1; 1217 1218 case EVP_CTRL_CCM_SET_IVLEN: 1219 arg = 15 - arg; 1220 case EVP_CTRL_CCM_SET_L: 1221 if (arg < 2 || arg > 8) 1222 return 0; 1223 cctx->L = arg; 1224 return 1; 1225 1226 case EVP_CTRL_CCM_SET_TAG: 1227 if ((arg & 1) || arg < 4 || arg > 16) 1228 return 0; 1229 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) 1230 return 0; 1231 if (ptr) 1232 { 1233 cctx->tag_set = 1; 1234 memcpy(c->buf, ptr, arg); 1235 } 1236 cctx->M = arg; 1237 return 1; 1238 1239 case EVP_CTRL_CCM_GET_TAG: 1240 if (!c->encrypt || !cctx->tag_set) 1241 return 0; 1242 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) 1243 return 0; 1244 cctx->tag_set = 0; 1245 cctx->iv_set = 0; 1246 cctx->len_set = 0; 1247 return 1; 1248 1249 case EVP_CTRL_COPY: 1250 { 1251 EVP_CIPHER_CTX *out = ptr; 1252 EVP_AES_CCM_CTX *cctx_out = out->cipher_data; 1253 if (cctx->ccm.key) 1254 { 1255 if (cctx->ccm.key != &cctx->ks) 1256 return 0; 1257 cctx_out->ccm.key = &cctx_out->ks; 1258 } 1259 return 1; 1260 } 1261 1262 default: 1263 return -1; 1264 1265 } 1266 } 1267 1268static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1269 const unsigned char *iv, int enc) 1270 { 1271 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1272 if (!iv && !key) 1273 return 1; 1274 if (key) do 1275 { 1276#ifdef VPAES_CAPABLE 1277 if (VPAES_CAPABLE) 1278 { 1279 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); 1280 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1281 &cctx->ks, (block128_f)vpaes_encrypt); 1282 cctx->str = NULL; 1283 cctx->key_set = 1; 1284 break; 1285 } 1286#endif 1287 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 1288 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1289 &cctx->ks, (block128_f)AES_encrypt); 1290 cctx->str = NULL; 1291 cctx->key_set = 1; 1292 } while (0); 1293 if (iv) 1294 { 1295 memcpy(ctx->iv, iv, 15 - cctx->L); 1296 cctx->iv_set = 1; 1297 } 1298 return 1; 1299 } 1300 1301static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1302 const unsigned char *in, size_t len) 1303 { 1304 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1305 CCM128_CONTEXT *ccm = &cctx->ccm; 1306 /* If not set up, return error */ 1307 if (!cctx->iv_set && !cctx->key_set) 1308 return -1; 1309 if (!ctx->encrypt && !cctx->tag_set) 1310 return -1; 1311 if (!out) 1312 { 1313 if (!in) 1314 { 1315 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len)) 1316 return -1; 1317 cctx->len_set = 1; 1318 return len; 1319 } 1320 /* If have AAD need message length */ 1321 if (!cctx->len_set && len) 1322 return -1; 1323 CRYPTO_ccm128_aad(ccm, in, len); 1324 return len; 1325 } 1326 /* EVP_*Final() doesn't return any data */ 1327 if (!in) 1328 return 0; 1329 /* If not set length yet do it */ 1330 if (!cctx->len_set) 1331 { 1332 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 1333 return -1; 1334 cctx->len_set = 1; 1335 } 1336 if (ctx->encrypt) 1337 { 1338 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, 1339 cctx->str) : 1340 CRYPTO_ccm128_encrypt(ccm, in, out, len)) 1341 return -1; 1342 cctx->tag_set = 1; 1343 return len; 1344 } 1345 else 1346 { 1347 int rv = -1; 1348 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, 1349 cctx->str) : 1350 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) 1351 { 1352 unsigned char tag[16]; 1353 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) 1354 { 1355 if (!CRYPTO_memcmp(tag, ctx->buf, cctx->M)) 1356 rv = len; 1357 } 1358 } 1359 if (rv == -1) 1360 OPENSSL_cleanse(out, len); 1361 cctx->iv_set = 0; 1362 cctx->tag_set = 0; 1363 cctx->len_set = 0; 1364 return rv; 1365 } 1366 1367 } 1368 1369#define aes_ccm_cleanup NULL 1370 1371BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1372BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1373BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1374 1375#endif 1376#endif 1377