]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/evp/e_aes.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Move 'shared_sigalgs' from cert_st to ssl_st
[thirdparty/openssl.git] / crypto / evp / e_aes.c
CommitLineData
aa6bb135 1/*
5516c19b 2 * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
deb2c1a1 3 *
4a8b0c55 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
aa6bb135
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
deb2c1a1
DSH		 8 */
9
8c84b677 10#include <openssl/opensslconf.h>
5158c763
MC		 11#include <openssl/crypto.h>
12#include <openssl/evp.h>
13#include <openssl/err.h>
14#include <string.h>
15#include <assert.h>
16#include <openssl/aes.h>
17#include "internal/evp_int.h"
39147079 18#include "internal/cryptlib.h"
5158c763
MC		 19#include "modes_lcl.h"
20#include <openssl/rand.h>
b1ceb439 21#include <openssl/cmac.h>
7141ba31 22#include "evp_locl.h"
0f113f3e
MC		 23
24typedef struct {
25 union {
39147079 26 OSSL_UNION_ALIGN;
0f113f3e
MC		 27 AES_KEY ks;
28 } ks;
29 block128_f block;
30 union {
31 cbc128_f cbc;
32 ctr128_f ctr;
33 } stream;
34} EVP_AES_KEY;
35
36typedef struct {
37 union {
39147079 38 OSSL_UNION_ALIGN;
0f113f3e
MC		 39 AES_KEY ks;
40 } ks; /* AES key schedule to use */
41 int key_set; /* Set if key initialised */
42 int iv_set; /* Set if an iv is set */
43 GCM128_CONTEXT gcm;
44 unsigned char *iv; /* Temporary IV store */
45 int ivlen; /* IV length */
46 int taglen;
47 int iv_gen; /* It is OK to generate IVs */
bcf082d1 48 int iv_gen_rand; /* No IV was specified, so generate a rand IV */
0f113f3e 49 int tls_aad_len; /* TLS AAD length */
d6b34570 50 uint64_t tls_enc_records; /* Number of TLS records encrypted */
0f113f3e
MC		 51 ctr128_f ctr;
52} EVP_AES_GCM_CTX;
53
54typedef struct {
55 union {
39147079 56 OSSL_UNION_ALIGN;
0f113f3e
MC		 57 AES_KEY ks;
58 } ks1, ks2; /* AES key schedules to use */
59 XTS128_CONTEXT xts;
60 void (*stream) (const unsigned char *in,
61 unsigned char *out, size_t length,
62 const AES_KEY *key1, const AES_KEY *key2,
63 const unsigned char iv[16]);
64} EVP_AES_XTS_CTX;
65
2c840201
P		 66#ifdef FIPS_MODE
67static const int allow_insecure_decrypt = 0;
68#else
69static const int allow_insecure_decrypt = 1;
70#endif
71
0f113f3e
MC		 72typedef struct {
73 union {
39147079 74 OSSL_UNION_ALIGN;
0f113f3e
MC		 75 AES_KEY ks;
76 } ks; /* AES key schedule to use */
77 int key_set; /* Set if key initialised */
78 int iv_set; /* Set if an iv is set */
79 int tag_set; /* Set if tag is valid */
80 int len_set; /* Set if message length set */
81 int L, M; /* L and M parameters from RFC3610 */
e75c5a79 82 int tls_aad_len; /* TLS AAD length */
0f113f3e
MC		 83 CCM128_CONTEXT ccm;
84 ccm128_f str;
85} EVP_AES_CCM_CTX;
86
5158c763 87#ifndef OPENSSL_NO_OCB
0f113f3e 88typedef struct {
bdc985b1 89 union {
39147079 90 OSSL_UNION_ALIGN;
bdc985b1
AP		 91 AES_KEY ks;
92 } ksenc; /* AES key schedule to use for encryption */
93 union {
39147079 94 OSSL_UNION_ALIGN;
bdc985b1
AP		 95 AES_KEY ks;
96 } ksdec; /* AES key schedule to use for decryption */
0f113f3e
MC		 97 int key_set; /* Set if key initialised */
98 int iv_set; /* Set if an iv is set */
99 OCB128_CONTEXT ocb;
100 unsigned char *iv; /* Temporary IV store */
101 unsigned char tag[16];
102 unsigned char data_buf[16]; /* Store partial data blocks */
103 unsigned char aad_buf[16]; /* Store partial AAD blocks */
104 int data_buf_len;
105 int aad_buf_len;
106 int ivlen; /* IV length */
107 int taglen;
108} EVP_AES_OCB_CTX;
5158c763 109#endif
e6b336ef 110
5158c763 111#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
17f121de 112
5158c763 113#ifdef VPAES_ASM
8ca28da0 114int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
0f113f3e 115 AES_KEY *key);
8ca28da0 116int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
0f113f3e 117 AES_KEY *key);
8ca28da0
AP		 118
119void vpaes_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 120 const AES_KEY *key);
8ca28da0 121void vpaes_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 122 const AES_KEY *key);
8ca28da0
AP		 123
124void vpaes_cbc_encrypt(const unsigned char *in,
0f113f3e
MC		 125 unsigned char *out,
126 size_t length,
127 const AES_KEY *key, unsigned char *ivec, int enc);
5158c763
MC		 128#endif
129#ifdef BSAES_ASM
a75a52a4 130void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 131 size_t length, const AES_KEY *key,
132 unsigned char ivec[16], int enc);
993adc05 133void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 134 size_t len, const AES_KEY *key,
135 const unsigned char ivec[16]);
60d4e99c 136void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
0f113f3e
MC		 137 size_t len, const AES_KEY *key1,
138 const AES_KEY *key2, const unsigned char iv[16]);
60d4e99c 139void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
0f113f3e
MC		 140 size_t len, const AES_KEY *key1,
141 const AES_KEY *key2, const unsigned char iv[16]);
5158c763
MC		 142#endif
143#ifdef AES_CTR_ASM
07904e0c 144void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 145 size_t blocks, const AES_KEY *key,
146 const unsigned char ivec[AES_BLOCK_SIZE]);
5158c763
MC		 147#endif
148#ifdef AES_XTS_ASM
96cce820 149void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
0f113f3e
MC		 150 const AES_KEY *key1, const AES_KEY *key2,
151 const unsigned char iv[16]);
96cce820 152void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
0f113f3e
MC		 153 const AES_KEY *key1, const AES_KEY *key2,
154 const unsigned char iv[16]);
5158c763 155#endif
8ca28da0 156
03a5e5ae
PS		 157/* increment counter (64-bit int) by 1 */
158static void ctr64_inc(unsigned char *counter)
159{
160 int n = 8;
161 unsigned char c;
162
163 do {
164 --n;
165 c = counter[n];
166 ++c;
167 counter[n] = c;
168 if (c)
169 return;
170 } while (n);
171}
172
6944565b 173#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
5158c763
MC		 174# include "ppc_arch.h"
175# ifdef VPAES_ASM
176# define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
de51e830 177# endif
5158c763
MC		 178# define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
179# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
180# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
181# define HWAES_encrypt aes_p8_encrypt
182# define HWAES_decrypt aes_p8_decrypt
183# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
184# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
46f047d7
AP		 185# define HWAES_xts_encrypt aes_p8_xts_encrypt
186# define HWAES_xts_decrypt aes_p8_xts_decrypt
5158c763 187#endif
07f3e4f3 188
5158c763 189#if defined(AES_ASM) && !defined(I386_ONLY) && ( \
0f113f3e
MC		 190 ((defined(__i386) || defined(__i386__) || \
191 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
192 defined(__x86_64) || defined(__x86_64__) || \
b1a07c38 193 defined(_M_AMD64) || defined(_M_X64) )
8ca28da0 194
c5f6da54 195extern unsigned int OPENSSL_ia32cap_P[];
8ca28da0 196
5158c763
MC		 197# ifdef VPAES_ASM
198# define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
199# endif
200# ifdef BSAES_ASM
201# define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
202# endif
17f121de
AP		 203/*
204 * AES-NI section
205 */
5158c763 206# define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
d1fff483
AP		 207
208int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
0f113f3e 209 AES_KEY *key);
d1fff483 210int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
0f113f3e 211 AES_KEY *key);
d1fff483
AP		 212
213void aesni_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 214 const AES_KEY *key);
d1fff483 215void aesni_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 216 const AES_KEY *key);
d1fff483
AP		 217
218void aesni_ecb_encrypt(const unsigned char *in,
0f113f3e
MC		 219 unsigned char *out,
220 size_t length, const AES_KEY *key, int enc);
d1fff483 221void aesni_cbc_encrypt(const unsigned char *in,
0f113f3e
MC		 222 unsigned char *out,
223 size_t length,
224 const AES_KEY *key, unsigned char *ivec, int enc);
d1fff483
AP		 225
226void aesni_ctr32_encrypt_blocks(const unsigned char *in,
0f113f3e
MC		 227 unsigned char *out,
228 size_t blocks,
229 const void *key, const unsigned char *ivec);
17f121de
AP		 230
231void aesni_xts_encrypt(const unsigned char *in,
0f113f3e
MC		 232 unsigned char *out,
233 size_t length,
234 const AES_KEY *key1, const AES_KEY *key2,
235 const unsigned char iv[16]);
17f121de
AP		 236
237void aesni_xts_decrypt(const unsigned char *in,
0f113f3e
MC		 238 unsigned char *out,
239 size_t length,
240 const AES_KEY *key1, const AES_KEY *key2,
241 const unsigned char iv[16]);
242
243void aesni_ccm64_encrypt_blocks(const unsigned char *in,
244 unsigned char *out,
245 size_t blocks,
246 const void *key,
247 const unsigned char ivec[16],
248 unsigned char cmac[16]);
249
250void aesni_ccm64_decrypt_blocks(const unsigned char *in,
251 unsigned char *out,
252 size_t blocks,
253 const void *key,
254 const unsigned char ivec[16],
255 unsigned char cmac[16]);
256
5158c763 257# if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
4e049c52 258size_t aesni_gcm_encrypt(const unsigned char *in,
0f113f3e
MC		 259 unsigned char *out,
260 size_t len,
261 const void *key, unsigned char ivec[16], u64 *Xi);
5158c763 262# define AES_gcm_encrypt aesni_gcm_encrypt
4e049c52 263size_t aesni_gcm_decrypt(const unsigned char *in,
0f113f3e
MC		 264 unsigned char *out,
265 size_t len,
266 const void *key, unsigned char ivec[16], u64 *Xi);
5158c763 267# define AES_gcm_decrypt aesni_gcm_decrypt
0f113f3e
MC		 268void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in,
269 size_t len);
5158c763 270# define AES_GCM_ASM(gctx) (gctx->ctr==aesni_ctr32_encrypt_blocks && \
0f113f3e 271 gctx->gcm.ghash==gcm_ghash_avx)
5158c763 272# define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
0f113f3e 273 gctx->gcm.ghash==gcm_ghash_avx)
5158c763
MC		 274# undef AES_GCM_ASM2 /* minor size optimization */
275# endif
4e049c52 276
17f121de 277static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 278 const unsigned char *iv, int enc)
279{
280 int ret, mode;
6435f0f6 281 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 282
6435f0f6 283 mode = EVP_CIPHER_CTX_mode(ctx);
0f113f3e
MC		 284 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
285 && !enc) {
6435f0f6
RL		 286 ret = aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
287 &dat->ks.ks);
0f113f3e
MC		 288 dat->block = (block128_f) aesni_decrypt;
289 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
290 (cbc128_f) aesni_cbc_encrypt : NULL;
291 } else {
6435f0f6
RL		 292 ret = aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
293 &dat->ks.ks);
0f113f3e
MC		 294 dat->block = (block128_f) aesni_encrypt;
295 if (mode == EVP_CIPH_CBC_MODE)
296 dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
297 else if (mode == EVP_CIPH_CTR_MODE)
298 dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
299 else
300 dat->stream.cbc = NULL;
301 }
302
303 if (ret < 0) {
304 EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
305 return 0;
306 }
307
308 return 1;
309}
310
311static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
312 const unsigned char *in, size_t len)
d1fff483 313{
6435f0f6
RL		 314 aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
315 EVP_CIPHER_CTX_iv_noconst(ctx),
316 EVP_CIPHER_CTX_encrypting(ctx));
d1fff483 317
0f113f3e 318 return 1;
d1fff483
AP		 319}
320
0f113f3e
MC		 321static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
322 const unsigned char *in, size_t len)
d1fff483 323{
6435f0f6 324 size_t bl = EVP_CIPHER_CTX_block_size(ctx);
d1fff483 325
0f113f3e
MC		 326 if (len < bl)
327 return 1;
d1fff483 328
6435f0f6
RL		 329 aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
330 EVP_CIPHER_CTX_encrypting(ctx));
d1fff483 331
0f113f3e 332 return 1;
d1fff483
AP		 333}
334
5158c763 335# define aesni_ofb_cipher aes_ofb_cipher
0f113f3e
MC		 336static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
337 const unsigned char *in, size_t len);
d1fff483 338
5158c763 339# define aesni_cfb_cipher aes_cfb_cipher
0f113f3e
MC		 340static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
341 const unsigned char *in, size_t len);
d1fff483 342
5158c763 343# define aesni_cfb8_cipher aes_cfb8_cipher
0f113f3e
MC		 344static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
345 const unsigned char *in, size_t len);
d1fff483 346
5158c763 347# define aesni_cfb1_cipher aes_cfb1_cipher
0f113f3e
MC		 348static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
349 const unsigned char *in, size_t len);
d1fff483 350
5158c763 351# define aesni_ctr_cipher aes_ctr_cipher
17f121de 352static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 353 const unsigned char *in, size_t len);
d1fff483 354
17f121de 355static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 356 const unsigned char *iv, int enc)
357{
6435f0f6 358 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 359 if (!iv && !key)
360 return 1;
361 if (key) {
6435f0f6
RL		 362 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
363 &gctx->ks.ks);
0f113f3e
MC		 364 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
365 gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
366 /*
367 * If we have an iv can set it directly, otherwise use saved IV.
368 */
369 if (iv == NULL && gctx->iv_set)
370 iv = gctx->iv;
371 if (iv) {
372 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
373 gctx->iv_set = 1;
374 }
375 gctx->key_set = 1;
376 } else {
377 /* If key set use IV, otherwise copy */
378 if (gctx->key_set)
379 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
380 else
381 memcpy(gctx->iv, iv, gctx->ivlen);
382 gctx->iv_set = 1;
383 gctx->iv_gen = 0;
384 }
385 return 1;
386}
387
5158c763 388# define aesni_gcm_cipher aes_gcm_cipher
17f121de 389static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 390 const unsigned char *in, size_t len);
17f121de
AP		 391
392static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 393 const unsigned char *iv, int enc)
394{
6435f0f6 395 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
2c840201 396
0f113f3e
MC		 397 if (!iv && !key)
398 return 1;
399
400 if (key) {
3538b0f7
P		 401 /* The key is two half length keys in reality */
402 const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
403 const int bits = bytes * 8;
404
405 /*
406 * Verify that the two keys are different.
407 *
408 * This addresses Rogaway's vulnerability.
409 * See comment in aes_xts_init_key() below.
410 */
2c840201
P		 411 if ((!allow_insecure_decrypt || enc)
412 && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
3538b0f7
P		 413 EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
414 return 0;
415 }
416
0f113f3e
MC		 417 /* key_len is two AES keys */
418 if (enc) {
3538b0f7 419 aesni_set_encrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 420 xctx->xts.block1 = (block128_f) aesni_encrypt;
421 xctx->stream = aesni_xts_encrypt;
422 } else {
3538b0f7 423 aesni_set_decrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 424 xctx->xts.block1 = (block128_f) aesni_decrypt;
425 xctx->stream = aesni_xts_decrypt;
426 }
427
3538b0f7 428 aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
0f113f3e
MC		 429 xctx->xts.block2 = (block128_f) aesni_encrypt;
430
431 xctx->xts.key1 = &xctx->ks1;
432 }
433
434 if (iv) {
435 xctx->xts.key2 = &xctx->ks2;
6435f0f6 436 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 437 }
438
439 return 1;
440}
441
5158c763 442# define aesni_xts_cipher aes_xts_cipher
17f121de 443static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 444 const unsigned char *in, size_t len);
17f121de
AP		 445
446static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 447 const unsigned char *iv, int enc)
448{
6435f0f6 449 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 450 if (!iv && !key)
451 return 1;
452 if (key) {
6435f0f6
RL		 453 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
454 &cctx->ks.ks);
0f113f3e
MC		 455 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
456 &cctx->ks, (block128_f) aesni_encrypt);
457 cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
458 (ccm128_f) aesni_ccm64_decrypt_blocks;
459 cctx->key_set = 1;
460 }
461 if (iv) {
6435f0f6 462 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 463 cctx->iv_set = 1;
464 }
465 return 1;
466}
467
5158c763 468# define aesni_ccm_cipher aes_ccm_cipher
17f121de 469static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 470 const unsigned char *in, size_t len);
17f121de 471
5158c763 472# ifndef OPENSSL_NO_OCB
bd30091c
AP		 473void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out,
474 size_t blocks, const void *key,
475 size_t start_block_num,
476 unsigned char offset_i[16],
477 const unsigned char L_[][16],
478 unsigned char checksum[16]);
479void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out,
480 size_t blocks, const void *key,
481 size_t start_block_num,
482 unsigned char offset_i[16],
483 const unsigned char L_[][16],
484 unsigned char checksum[16]);
485
e6b336ef 486static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 487 const unsigned char *iv, int enc)
488{
6435f0f6 489 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 490 if (!iv && !key)
491 return 1;
492 if (key) {
493 do {
494 /*
495 * We set both the encrypt and decrypt key here because decrypt
496 * needs both. We could possibly optimise to remove setting the
497 * decrypt for an encryption operation.
498 */
6435f0f6
RL		 499 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
500 &octx->ksenc.ks);
501 aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
502 &octx->ksdec.ks);
bdc985b1
AP		 503 if (!CRYPTO_ocb128_init(&octx->ocb,
504 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 505 (block128_f) aesni_encrypt,
bd30091c
AP		 506 (block128_f) aesni_decrypt,
507 enc ? aesni_ocb_encrypt
508 : aesni_ocb_decrypt))
0f113f3e
MC		 509 return 0;
510 }
511 while (0);
512
513 /*
514 * If we have an iv we can set it directly, otherwise use saved IV.
515 */
516 if (iv == NULL && octx->iv_set)
517 iv = octx->iv;
518 if (iv) {
519 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
520 != 1)
521 return 0;
522 octx->iv_set = 1;
523 }
524 octx->key_set = 1;
525 } else {
526 /* If key set use IV, otherwise copy */
527 if (octx->key_set)
528 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
529 else
530 memcpy(octx->iv, iv, octx->ivlen);
531 octx->iv_set = 1;
532 }
533 return 1;
534}
535
5158c763 536# define aesni_ocb_cipher aes_ocb_cipher
e6b336ef 537static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 538 const unsigned char *in, size_t len);
5158c763 539# endif /* OPENSSL_NO_OCB */
e6b336ef 540
5158c763 541# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
17f121de 542static const EVP_CIPHER aesni_##keylen##_##mode = { \
0f113f3e
MC		 543 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
544 flags|EVP_CIPH_##MODE##_MODE, \
545 aesni_init_key, \
546 aesni_##mode##_cipher, \
547 NULL, \
548 sizeof(EVP_AES_KEY), \
549 NULL,NULL,NULL,NULL }; \
17f121de 550static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 551 nid##_##keylen##_##nmode,blocksize, \
552 keylen/8,ivlen, \
553 flags|EVP_CIPH_##MODE##_MODE, \
554 aes_init_key, \
555 aes_##mode##_cipher, \
556 NULL, \
557 sizeof(EVP_AES_KEY), \
558 NULL,NULL,NULL,NULL }; \
17f121de 559const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
8ca28da0 560{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
17f121de 561
5158c763 562# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
17f121de 563static const EVP_CIPHER aesni_##keylen##_##mode = { \
0f113f3e 564 nid##_##keylen##_##mode,blocksize, \
b1ceb439
TS		 565 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
566 ivlen, \
0f113f3e
MC		 567 flags|EVP_CIPH_##MODE##_MODE, \
568 aesni_##mode##_init_key, \
569 aesni_##mode##_cipher, \
570 aes_##mode##_cleanup, \
571 sizeof(EVP_AES_##MODE##_CTX), \
572 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de 573static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e 574 nid##_##keylen##_##mode,blocksize, \
b1ceb439
TS		 575 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
576 ivlen, \
0f113f3e
MC		 577 flags|EVP_CIPH_##MODE##_MODE, \
578 aes_##mode##_init_key, \
579 aes_##mode##_cipher, \
580 aes_##mode##_cleanup, \
581 sizeof(EVP_AES_##MODE##_CTX), \
582 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de 583const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
8ca28da0 584{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
d1fff483 585
5158c763 586#elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
c5f6da54 587
5158c763 588# include "sparc_arch.h"
c5f6da54
AP		 589
590extern unsigned int OPENSSL_sparcv9cap_P[];
591
6944565b
AP		 592/*
593 * Initial Fujitsu SPARC64 X support
594 */
595# define HWAES_CAPABLE (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
596# define HWAES_set_encrypt_key aes_fx_set_encrypt_key
597# define HWAES_set_decrypt_key aes_fx_set_decrypt_key
598# define HWAES_encrypt aes_fx_encrypt
599# define HWAES_decrypt aes_fx_decrypt
365f95ad
AP		 600# define HWAES_cbc_encrypt aes_fx_cbc_encrypt
601# define HWAES_ctr32_encrypt_blocks aes_fx_ctr32_encrypt_blocks
6944565b 602
5158c763 603# define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES)
c5f6da54 604
0f113f3e
MC		 605void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
606void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
607void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
608 const AES_KEY *key);
609void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
610 const AES_KEY *key);
c5f6da54
AP		 611/*
612 * Key-length specific subroutines were chosen for following reason.
613 * Each SPARC T4 core can execute up to 8 threads which share core's
614 * resources. Loading as much key material to registers allows to
615 * minimize references to shared memory interface, as well as amount
616 * of instructions in inner loops [much needed on T4]. But then having
617 * non-key-length specific routines would require conditional branches
618 * either in inner loops or on subroutines' entries. Former is hardly
619 * acceptable, while latter means code size increase to size occupied
0d4fb843 620 * by multiple key-length specific subroutines, so why fight?
c5f6da54 621 */
0f113f3e
MC		 622void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
623 size_t len, const AES_KEY *key,
624 unsigned char *ivec);
625void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
626 size_t len, const AES_KEY *key,
627 unsigned char *ivec);
628void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
629 size_t len, const AES_KEY *key,
630 unsigned char *ivec);
631void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
632 size_t len, const AES_KEY *key,
633 unsigned char *ivec);
634void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
635 size_t len, const AES_KEY *key,
636 unsigned char *ivec);
637void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
638 size_t len, const AES_KEY *key,
639 unsigned char *ivec);
640void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
641 size_t blocks, const AES_KEY *key,
642 unsigned char *ivec);
643void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
644 size_t blocks, const AES_KEY *key,
645 unsigned char *ivec);
646void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
647 size_t blocks, const AES_KEY *key,
648 unsigned char *ivec);
649void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
650 size_t blocks, const AES_KEY *key1,
651 const AES_KEY *key2, const unsigned char *ivec);
652void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
653 size_t blocks, const AES_KEY *key1,
654 const AES_KEY *key2, const unsigned char *ivec);
655void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
656 size_t blocks, const AES_KEY *key1,
657 const AES_KEY *key2, const unsigned char *ivec);
658void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
659 size_t blocks, const AES_KEY *key1,
660 const AES_KEY *key2, const unsigned char *ivec);
c5f6da54
AP		 661
662static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 663 const unsigned char *iv, int enc)
664{
665 int ret, mode, bits;
6435f0f6 666 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 667
6435f0f6
RL		 668 mode = EVP_CIPHER_CTX_mode(ctx);
669 bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 670 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
671 && !enc) {
672 ret = 0;
6435f0f6 673 aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
0f113f3e
MC		 674 dat->block = (block128_f) aes_t4_decrypt;
675 switch (bits) {
676 case 128:
677 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
678 (cbc128_f) aes128_t4_cbc_decrypt : NULL;
679 break;
680 case 192:
681 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
682 (cbc128_f) aes192_t4_cbc_decrypt : NULL;
683 break;
684 case 256:
685 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
686 (cbc128_f) aes256_t4_cbc_decrypt : NULL;
687 break;
688 default:
689 ret = -1;
690 }
691 } else {
692 ret = 0;
6435f0f6 693 aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
0f113f3e
MC		 694 dat->block = (block128_f) aes_t4_encrypt;
695 switch (bits) {
696 case 128:
697 if (mode == EVP_CIPH_CBC_MODE)
698 dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
699 else if (mode == EVP_CIPH_CTR_MODE)
700 dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
701 else
702 dat->stream.cbc = NULL;
703 break;
704 case 192:
705 if (mode == EVP_CIPH_CBC_MODE)
706 dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
707 else if (mode == EVP_CIPH_CTR_MODE)
708 dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
709 else
710 dat->stream.cbc = NULL;
711 break;
712 case 256:
713 if (mode == EVP_CIPH_CBC_MODE)
714 dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
715 else if (mode == EVP_CIPH_CTR_MODE)
716 dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
717 else
718 dat->stream.cbc = NULL;
719 break;
720 default:
721 ret = -1;
722 }
723 }
724
725 if (ret < 0) {
726 EVPerr(EVP_F_AES_T4_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
727 return 0;
728 }
729
730 return 1;
731}
732
5158c763 733# define aes_t4_cbc_cipher aes_cbc_cipher
0f113f3e
MC		 734static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
735 const unsigned char *in, size_t len);
736
5158c763 737# define aes_t4_ecb_cipher aes_ecb_cipher
0f113f3e
MC		 738static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
739 const unsigned char *in, size_t len);
740
5158c763 741# define aes_t4_ofb_cipher aes_ofb_cipher
0f113f3e
MC		 742static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
743 const unsigned char *in, size_t len);
744
5158c763 745# define aes_t4_cfb_cipher aes_cfb_cipher
0f113f3e
MC		 746static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
747 const unsigned char *in, size_t len);
748
5158c763 749# define aes_t4_cfb8_cipher aes_cfb8_cipher
0f113f3e
MC		 750static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
751 const unsigned char *in, size_t len);
752
5158c763 753# define aes_t4_cfb1_cipher aes_cfb1_cipher
0f113f3e
MC		 754static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
755 const unsigned char *in, size_t len);
756
5158c763 757# define aes_t4_ctr_cipher aes_ctr_cipher
c5f6da54 758static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 759 const unsigned char *in, size_t len);
c5f6da54
AP		 760
761static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 762 const unsigned char *iv, int enc)
763{
6435f0f6 764 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 765 if (!iv && !key)
766 return 1;
767 if (key) {
6435f0f6 768 int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 769 aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
770 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
771 (block128_f) aes_t4_encrypt);
772 switch (bits) {
773 case 128:
774 gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
775 break;
776 case 192:
777 gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
778 break;
779 case 256:
780 gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
781 break;
782 default:
783 return 0;
784 }
785 /*
786 * If we have an iv can set it directly, otherwise use saved IV.
787 */
788 if (iv == NULL && gctx->iv_set)
789 iv = gctx->iv;
790 if (iv) {
791 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
792 gctx->iv_set = 1;
793 }
794 gctx->key_set = 1;
795 } else {
796 /* If key set use IV, otherwise copy */
797 if (gctx->key_set)
798 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
799 else
800 memcpy(gctx->iv, iv, gctx->ivlen);
801 gctx->iv_set = 1;
802 gctx->iv_gen = 0;
803 }
804 return 1;
805}
806
5158c763 807# define aes_t4_gcm_cipher aes_gcm_cipher
c5f6da54 808static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 809 const unsigned char *in, size_t len);
c5f6da54
AP		 810
811static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 812 const unsigned char *iv, int enc)
813{
6435f0f6 814 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
2c840201 815
0f113f3e
MC		 816 if (!iv && !key)
817 return 1;
818
819 if (key) {
3538b0f7
P		 820 /* The key is two half length keys in reality */
821 const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
822 const int bits = bytes * 8;
823
824 /*
825 * Verify that the two keys are different.
826 *
827 * This addresses Rogaway's vulnerability.
828 * See comment in aes_xts_init_key() below.
829 */
2c840201
P		 830 if ((!allow_insecure_decrypt || enc)
831 && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
3538b0f7
P		 832 EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
833 return 0;
834 }
835
0f113f3e
MC		 836 xctx->stream = NULL;
837 /* key_len is two AES keys */
838 if (enc) {
839 aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
840 xctx->xts.block1 = (block128_f) aes_t4_encrypt;
841 switch (bits) {
842 case 128:
843 xctx->stream = aes128_t4_xts_encrypt;
844 break;
0f113f3e
MC		 845 case 256:
846 xctx->stream = aes256_t4_xts_encrypt;
847 break;
848 default:
849 return 0;
850 }
851 } else {
3538b0f7 852 aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 853 xctx->xts.block1 = (block128_f) aes_t4_decrypt;
854 switch (bits) {
855 case 128:
856 xctx->stream = aes128_t4_xts_decrypt;
857 break;
0f113f3e
MC		 858 case 256:
859 xctx->stream = aes256_t4_xts_decrypt;
860 break;
861 default:
862 return 0;
863 }
864 }
865
3538b0f7 866 aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
0f113f3e
MC		 867 xctx->xts.block2 = (block128_f) aes_t4_encrypt;
868
869 xctx->xts.key1 = &xctx->ks1;
870 }
871
872 if (iv) {
873 xctx->xts.key2 = &xctx->ks2;
6435f0f6 874 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 875 }
876
877 return 1;
878}
879
5158c763 880# define aes_t4_xts_cipher aes_xts_cipher
c5f6da54 881static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 882 const unsigned char *in, size_t len);
c5f6da54
AP		 883
884static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 885 const unsigned char *iv, int enc)
886{
6435f0f6 887 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 888 if (!iv && !key)
889 return 1;
890 if (key) {
6435f0f6 891 int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 892 aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
893 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
894 &cctx->ks, (block128_f) aes_t4_encrypt);
bdc985b1 895 cctx->str = NULL;
0f113f3e
MC		 896 cctx->key_set = 1;
897 }
898 if (iv) {
6435f0f6 899 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 900 cctx->iv_set = 1;
901 }
902 return 1;
903}
904
5158c763 905# define aes_t4_ccm_cipher aes_ccm_cipher
c5f6da54 906static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 907 const unsigned char *in, size_t len);
c5f6da54 908
5158c763 909# ifndef OPENSSL_NO_OCB
e6b336ef 910static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 911 const unsigned char *iv, int enc)
912{
6435f0f6 913 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 914 if (!iv && !key)
915 return 1;
916 if (key) {
917 do {
918 /*
919 * We set both the encrypt and decrypt key here because decrypt
920 * needs both. We could possibly optimise to remove setting the
921 * decrypt for an encryption operation.
922 */
6435f0f6
RL		 923 aes_t4_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
924 &octx->ksenc.ks);
925 aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
926 &octx->ksdec.ks);
bdc985b1
AP		 927 if (!CRYPTO_ocb128_init(&octx->ocb,
928 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 929 (block128_f) aes_t4_encrypt,
02dc0b82
AP		 930 (block128_f) aes_t4_decrypt,
931 NULL))
0f113f3e
MC		 932 return 0;
933 }
934 while (0);
935
936 /*
937 * If we have an iv we can set it directly, otherwise use saved IV.
938 */
939 if (iv == NULL && octx->iv_set)
940 iv = octx->iv;
941 if (iv) {
942 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
943 != 1)
944 return 0;
945 octx->iv_set = 1;
946 }
947 octx->key_set = 1;
948 } else {
949 /* If key set use IV, otherwise copy */
950 if (octx->key_set)
951 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
952 else
953 memcpy(octx->iv, iv, octx->ivlen);
954 octx->iv_set = 1;
955 }
956 return 1;
957}
958
5158c763 959# define aes_t4_ocb_cipher aes_ocb_cipher
e6b336ef 960static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 961 const unsigned char *in, size_t len);
5158c763 962# endif /* OPENSSL_NO_OCB */
e6b336ef 963
87d06aed
MC		 964# ifndef OPENSSL_NO_SIV
965# define aes_t4_siv_init_key aes_siv_init_key
966# define aes_t4_siv_cipher aes_siv_cipher
967# endif /* OPENSSL_NO_SIV */
968
5158c763 969# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
c5f6da54 970static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
0f113f3e
MC		 971 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
972 flags|EVP_CIPH_##MODE##_MODE, \
973 aes_t4_init_key, \
974 aes_t4_##mode##_cipher, \
975 NULL, \
976 sizeof(EVP_AES_KEY), \
977 NULL,NULL,NULL,NULL }; \
c5f6da54 978static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 979 nid##_##keylen##_##nmode,blocksize, \
980 keylen/8,ivlen, \
981 flags|EVP_CIPH_##MODE##_MODE, \
982 aes_init_key, \
983 aes_##mode##_cipher, \
984 NULL, \
985 sizeof(EVP_AES_KEY), \
986 NULL,NULL,NULL,NULL }; \
c5f6da54
AP		 987const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
988{ return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
989
5158c763 990# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
c5f6da54 991static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
0f113f3e 992 nid##_##keylen##_##mode,blocksize, \
b1ceb439
TS		 993 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
994 ivlen, \
0f113f3e
MC		 995 flags|EVP_CIPH_##MODE##_MODE, \
996 aes_t4_##mode##_init_key, \
997 aes_t4_##mode##_cipher, \
998 aes_##mode##_cleanup, \
999 sizeof(EVP_AES_##MODE##_CTX), \
1000 NULL,NULL,aes_##mode##_ctrl,NULL }; \
c5f6da54 1001static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e 1002 nid##_##keylen##_##mode,blocksize, \
b1ceb439
TS		 1003 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
1004 ivlen, \
0f113f3e
MC		 1005 flags|EVP_CIPH_##MODE##_MODE, \
1006 aes_##mode##_init_key, \
1007 aes_##mode##_cipher, \
1008 aes_##mode##_cleanup, \
1009 sizeof(EVP_AES_##MODE##_CTX), \
1010 NULL,NULL,aes_##mode##_ctrl,NULL }; \
c5f6da54
AP		 1011const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
1012{ return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
1013
96530eea
PS		 1014#elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
1015/*
1016 * IBM S390X support
1017 */
1018# include "s390x_arch.h"
1019
55bd169f
PS		 1020typedef struct {
1021 union {
39147079 1022 OSSL_UNION_ALIGN;
55bd169f
PS		 1023 /*-
1024 * KM-AES parameter block - begin
1025 * (see z/Architecture Principles of Operation >= SA22-7832-06)
1026 */
1027 struct {
1028 unsigned char k[32];
1029 } param;
1030 /* KM-AES parameter block - end */
1031 } km;
1032 unsigned int fc;
1033} S390X_AES_ECB_CTX;
1034
dacd2a87
PS		 1035typedef struct {
1036 union {
39147079 1037 OSSL_UNION_ALIGN;
dacd2a87
PS		 1038 /*-
1039 * KMO-AES parameter block - begin
1040 * (see z/Architecture Principles of Operation >= SA22-7832-08)
1041 */
1042 struct {
1043 unsigned char cv[16];
1044 unsigned char k[32];
1045 } param;
1046 /* KMO-AES parameter block - end */
1047 } kmo;
1048 unsigned int fc;
1049
1050 int res;
1051} S390X_AES_OFB_CTX;
1052
74d38a86
PS		 1053typedef struct {
1054 union {
39147079 1055 OSSL_UNION_ALIGN;
74d38a86
PS		 1056 /*-
1057 * KMF-AES parameter block - begin
1058 * (see z/Architecture Principles of Operation >= SA22-7832-08)
1059 */
1060 struct {
1061 unsigned char cv[16];
1062 unsigned char k[32];
1063 } param;
1064 /* KMF-AES parameter block - end */
1065 } kmf;
1066 unsigned int fc;
1067
1068 int res;
1069} S390X_AES_CFB_CTX;
1070
96530eea
PS		 1071typedef struct {
1072 union {
39147079 1073 OSSL_UNION_ALIGN;
96530eea 1074 /*-
5d2a6f4b
PS		 1075 * KMA-GCM-AES parameter block - begin
1076 * (see z/Architecture Principles of Operation >= SA22-7832-11)
96530eea
PS		 1077 */
1078 struct {
1079 unsigned char reserved[12];
1080 union {
1081 unsigned int w;
1082 unsigned char b[4];
1083 } cv;
1084 union {
1085 unsigned long long g[2];
1086 unsigned char b[16];
1087 } t;
1088 unsigned char h[16];
1089 unsigned long long taadl;
1090 unsigned long long tpcl;
1091 union {
1092 unsigned long long g[2];
1093 unsigned int w[4];
1094 } j0;
1095 unsigned char k[32];
1096 } param;
5d2a6f4b 1097 /* KMA-GCM-AES parameter block - end */
96530eea
PS		 1098 } kma;
1099 unsigned int fc;
1100 int key_set;
1101
1102 unsigned char *iv;
1103 int ivlen;
1104 int iv_set;
1105 int iv_gen;
1106
1107 int taglen;
1108
1109 unsigned char ares[16];
1110 unsigned char mres[16];
1111 unsigned char kres[16];
1112 int areslen;
1113 int mreslen;
1114 int kreslen;
1115
1116 int tls_aad_len;
d6b34570 1117 uint64_t tls_enc_records; /* Number of TLS records encrypted */
96530eea
PS		 1118} S390X_AES_GCM_CTX;
1119
39f5b069
PS		 1120typedef struct {
1121 union {
39147079 1122 OSSL_UNION_ALIGN;
39f5b069
PS		 1123 /*-
1124 * Padding is chosen so that ccm.kmac_param.k overlaps with key.k and
1125 * ccm.fc with key.k.rounds. Remember that on s390x, an AES_KEY's
1126 * rounds field is used to store the function code and that the key
1127 * schedule is not stored (if aes hardware support is detected).
1128 */
1129 struct {
1130 unsigned char pad[16];
1131 AES_KEY k;
1132 } key;
1133
1134 struct {
1135 /*-
1136 * KMAC-AES parameter block - begin
1137 * (see z/Architecture Principles of Operation >= SA22-7832-08)
1138 */
1139 struct {
1140 union {
1141 unsigned long long g[2];
1142 unsigned char b[16];
1143 } icv;
1144 unsigned char k[32];
1145 } kmac_param;
1146 /* KMAC-AES paramater block - end */
1147
1148 union {
1149 unsigned long long g[2];
1150 unsigned char b[16];
1151 } nonce;
1152 union {
1153 unsigned long long g[2];
1154 unsigned char b[16];
1155 } buf;
1156
1157 unsigned long long blocks;
1158 int l;
1159 int m;
1160 int tls_aad_len;
1161 int iv_set;
1162 int tag_set;
1163 int len_set;
1164 int key_set;
1165
1166 unsigned char pad[140];
1167 unsigned int fc;
1168 } ccm;
1169 } aes;
1170} S390X_AES_CCM_CTX;
1171
55bd169f
PS		 1172/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
1173# define S390X_AES_FC(keylen) (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
1174
1175/* Most modes of operation need km for partial block processing. */
1176# define S390X_aes_128_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
1177 S390X_CAPBIT(S390X_AES_128))
1178# define S390X_aes_192_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
1179 S390X_CAPBIT(S390X_AES_192))
1180# define S390X_aes_256_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
1181 S390X_CAPBIT(S390X_AES_256))
96530eea
PS		 1182
1183# define s390x_aes_init_key aes_init_key
1184static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1185 const unsigned char *iv, int enc);
1186
1187# define S390X_aes_128_cbc_CAPABLE 1 /* checked by callee */
1188# define S390X_aes_192_cbc_CAPABLE 1
1189# define S390X_aes_256_cbc_CAPABLE 1
55bd169f
PS		 1190# define S390X_AES_CBC_CTX EVP_AES_KEY
1191
1192# define s390x_aes_cbc_init_key aes_init_key
96530eea
PS		 1193
1194# define s390x_aes_cbc_cipher aes_cbc_cipher
1195static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1196 const unsigned char *in, size_t len);
1197
55bd169f
PS		 1198# define S390X_aes_128_ecb_CAPABLE S390X_aes_128_CAPABLE
1199# define S390X_aes_192_ecb_CAPABLE S390X_aes_192_CAPABLE
1200# define S390X_aes_256_ecb_CAPABLE S390X_aes_256_CAPABLE
1201
1202static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx,
1203 const unsigned char *key,
1204 const unsigned char *iv, int enc)
1205{
1206 S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
1207 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1208
1209 cctx->fc = S390X_AES_FC(keylen);
1210 if (!enc)
1211 cctx->fc |= S390X_DECRYPT;
1212
1213 memcpy(cctx->km.param.k, key, keylen);
1214 return 1;
1215}
96530eea 1216
96530eea 1217static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
55bd169f
PS		 1218 const unsigned char *in, size_t len)
1219{
1220 S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
1221
1222 s390x_km(in, len, out, cctx->fc, &cctx->km.param);
1223 return 1;
1224}
96530eea 1225
dacd2a87
PS		 1226# define S390X_aes_128_ofb_CAPABLE (S390X_aes_128_CAPABLE && \
1227 (OPENSSL_s390xcap_P.kmo[0] & \
1228 S390X_CAPBIT(S390X_AES_128)))
1229# define S390X_aes_192_ofb_CAPABLE (S390X_aes_192_CAPABLE && \
1230 (OPENSSL_s390xcap_P.kmo[0] & \
1231 S390X_CAPBIT(S390X_AES_192)))
1232# define S390X_aes_256_ofb_CAPABLE (S390X_aes_256_CAPABLE && \
1233 (OPENSSL_s390xcap_P.kmo[0] & \
1234 S390X_CAPBIT(S390X_AES_256)))
1235
1236static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx,
1237 const unsigned char *key,
1238 const unsigned char *ivec, int enc)
1239{
1240 S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
1241 const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
1242 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1243 const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
55bd169f 1244
dacd2a87
PS		 1245 memcpy(cctx->kmo.param.cv, iv, ivlen);
1246 memcpy(cctx->kmo.param.k, key, keylen);
1247 cctx->fc = S390X_AES_FC(keylen);
1248 cctx->res = 0;
1249 return 1;
1250}
96530eea 1251
96530eea 1252static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
dacd2a87
PS		 1253 const unsigned char *in, size_t len)
1254{
1255 S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
1256 int n = cctx->res;
1257 int rem;
1258
1259 while (n && len) {
1260 *out = *in ^ cctx->kmo.param.cv[n];
1261 n = (n + 1) & 0xf;
1262 --len;
1263 ++in;
1264 ++out;
1265 }
1266
1267 rem = len & 0xf;
1268
1269 len &= ~(size_t)0xf;
1270 if (len) {
1271 s390x_kmo(in, len, out, cctx->fc, &cctx->kmo.param);
1272
1273 out += len;
1274 in += len;
1275 }
1276
1277 if (rem) {
1278 s390x_km(cctx->kmo.param.cv, 16, cctx->kmo.param.cv, cctx->fc,
1279 cctx->kmo.param.k);
1280
1281 while (rem--) {
1282 out[n] = in[n] ^ cctx->kmo.param.cv[n];
1283 ++n;
1284 }
1285 }
1286
1287 cctx->res = n;
1288 return 1;
1289}
96530eea 1290
74d38a86
PS		 1291# define S390X_aes_128_cfb_CAPABLE (S390X_aes_128_CAPABLE && \
1292 (OPENSSL_s390xcap_P.kmf[0] & \
1293 S390X_CAPBIT(S390X_AES_128)))
1294# define S390X_aes_192_cfb_CAPABLE (S390X_aes_192_CAPABLE && \
1295 (OPENSSL_s390xcap_P.kmf[0] & \
1296 S390X_CAPBIT(S390X_AES_192)))
1297# define S390X_aes_256_cfb_CAPABLE (S390X_aes_256_CAPABLE && \
1298 (OPENSSL_s390xcap_P.kmf[0] & \
1299 S390X_CAPBIT(S390X_AES_256)))
1300
1301static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx,
1302 const unsigned char *key,
1303 const unsigned char *ivec, int enc)
1304{
1305 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1306 const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
1307 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1308 const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
1309
1310 cctx->fc = S390X_AES_FC(keylen);
1311 cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */
1312 if (!enc)
1313 cctx->fc |= S390X_DECRYPT;
55bd169f 1314
74d38a86
PS		 1315 cctx->res = 0;
1316 memcpy(cctx->kmf.param.cv, iv, ivlen);
1317 memcpy(cctx->kmf.param.k, key, keylen);
1318 return 1;
1319}
96530eea 1320
96530eea 1321static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
74d38a86
PS		 1322 const unsigned char *in, size_t len)
1323{
1324 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1325 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1326 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
1327 int n = cctx->res;
1328 int rem;
1329 unsigned char tmp;
1330
1331 while (n && len) {
1332 tmp = *in;
1333 *out = cctx->kmf.param.cv[n] ^ tmp;
1334 cctx->kmf.param.cv[n] = enc ? *out : tmp;
1335 n = (n + 1) & 0xf;
1336 --len;
1337 ++in;
1338 ++out;
1339 }
1340
1341 rem = len & 0xf;
1342
1343 len &= ~(size_t)0xf;
1344 if (len) {
1345 s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
1346
1347 out += len;
1348 in += len;
1349 }
1350
1351 if (rem) {
1352 s390x_km(cctx->kmf.param.cv, 16, cctx->kmf.param.cv,
1353 S390X_AES_FC(keylen), cctx->kmf.param.k);
1354
1355 while (rem--) {
1356 tmp = in[n];
1357 out[n] = cctx->kmf.param.cv[n] ^ tmp;
1358 cctx->kmf.param.cv[n] = enc ? out[n] : tmp;
1359 ++n;
1360 }
1361 }
96530eea 1362
74d38a86
PS		 1363 cctx->res = n;
1364 return 1;
1365}
1366
1367# define S390X_aes_128_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
1368 S390X_CAPBIT(S390X_AES_128))
1369# define S390X_aes_192_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
1370 S390X_CAPBIT(S390X_AES_192))
1371# define S390X_aes_256_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
1372 S390X_CAPBIT(S390X_AES_256))
1373
1374static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX *ctx,
1375 const unsigned char *key,
1376 const unsigned char *ivec, int enc)
1377{
1378 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1379 const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
1380 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1381 const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
1382
1383 cctx->fc = S390X_AES_FC(keylen);
1384 cctx->fc |= 1 << 24; /* 1 byte cipher feedback */
1385 if (!enc)
1386 cctx->fc |= S390X_DECRYPT;
96530eea 1387
74d38a86
PS		 1388 memcpy(cctx->kmf.param.cv, iv, ivlen);
1389 memcpy(cctx->kmf.param.k, key, keylen);
1390 return 1;
1391}
55bd169f 1392
96530eea 1393static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
74d38a86
PS		 1394 const unsigned char *in, size_t len)
1395{
1396 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1397
1398 s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
1399 return 1;
1400}
96530eea
PS		 1401
1402# define S390X_aes_128_cfb1_CAPABLE 0
1403# define S390X_aes_192_cfb1_CAPABLE 0
1404# define S390X_aes_256_cfb1_CAPABLE 0
1405
55bd169f
PS		 1406# define s390x_aes_cfb1_init_key aes_init_key
1407
96530eea
PS		 1408# define s390x_aes_cfb1_cipher aes_cfb1_cipher
1409static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1410 const unsigned char *in, size_t len);
1411
1412# define S390X_aes_128_ctr_CAPABLE 1 /* checked by callee */
1413# define S390X_aes_192_ctr_CAPABLE 1
1414# define S390X_aes_256_ctr_CAPABLE 1
55bd169f
PS		 1415# define S390X_AES_CTR_CTX EVP_AES_KEY
1416
1417# define s390x_aes_ctr_init_key aes_init_key
96530eea
PS		 1418
1419# define s390x_aes_ctr_cipher aes_ctr_cipher
1420static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1421 const unsigned char *in, size_t len);
1422
1423# define S390X_aes_128_gcm_CAPABLE (S390X_aes_128_CAPABLE && \
1424 (OPENSSL_s390xcap_P.kma[0] & \
1425 S390X_CAPBIT(S390X_AES_128)))
1426# define S390X_aes_192_gcm_CAPABLE (S390X_aes_192_CAPABLE && \
1427 (OPENSSL_s390xcap_P.kma[0] & \
1428 S390X_CAPBIT(S390X_AES_192)))
1429# define S390X_aes_256_gcm_CAPABLE (S390X_aes_256_CAPABLE && \
1430 (OPENSSL_s390xcap_P.kma[0] & \
1431 S390X_CAPBIT(S390X_AES_256)))
1432
bcf082d1 1433/* iv + padding length for iv lengths != 12 */
96530eea
PS		 1434# define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
1435
5d2a6f4b
PS		 1436/*-
1437 * Process additional authenticated data. Returns 0 on success. Code is
1438 * big-endian.
1439 */
96530eea
PS		 1440static int s390x_aes_gcm_aad(S390X_AES_GCM_CTX *ctx, const unsigned char *aad,
1441 size_t len)
1442{
1443 unsigned long long alen;
1444 int n, rem;
1445
1446 if (ctx->kma.param.tpcl)
1447 return -2;
1448
1449 alen = ctx->kma.param.taadl + len;
1450 if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
1451 return -1;
1452 ctx->kma.param.taadl = alen;
1453
1454 n = ctx->areslen;
1455 if (n) {
1456 while (n && len) {
1457 ctx->ares[n] = *aad;
1458 n = (n + 1) & 0xf;
1459 ++aad;
1460 --len;
1461 }
1462 /* ctx->ares contains a complete block if offset has wrapped around */
1463 if (!n) {
1464 s390x_kma(ctx->ares, 16, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
1465 ctx->fc |= S390X_KMA_HS;
1466 }
1467 ctx->areslen = n;
1468 }
1469
1470 rem = len & 0xf;
1471
25868993 1472 len &= ~(size_t)0xf;
96530eea
PS		 1473 if (len) {
1474 s390x_kma(aad, len, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
1475 aad += len;
1476 ctx->fc |= S390X_KMA_HS;
1477 }
1478
1479 if (rem) {
1480 ctx->areslen = rem;
1481
1482 do {
1483 --rem;
1484 ctx->ares[rem] = aad[rem];
1485 } while (rem);
1486 }
1487 return 0;
1488}
1489
5d2a6f4b
PS		 1490/*-
1491 * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 0 for
1492 * success. Code is big-endian.
1493 */
96530eea
PS		 1494static int s390x_aes_gcm(S390X_AES_GCM_CTX *ctx, const unsigned char *in,
1495 unsigned char *out, size_t len)
1496{
1497 const unsigned char *inptr;
1498 unsigned long long mlen;
1499 union {
1500 unsigned int w[4];
1501 unsigned char b[16];
1502 } buf;
1503 size_t inlen;
1504 int n, rem, i;
1505
1506 mlen = ctx->kma.param.tpcl + len;
1507 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
1508 return -1;
1509 ctx->kma.param.tpcl = mlen;
1510
1511 n = ctx->mreslen;
1512 if (n) {
1513 inptr = in;
1514 inlen = len;
1515 while (n && inlen) {
1516 ctx->mres[n] = *inptr;
1517 n = (n + 1) & 0xf;
1518 ++inptr;
1519 --inlen;
1520 }
1521 /* ctx->mres contains a complete block if offset has wrapped around */
1522 if (!n) {
1523 s390x_kma(ctx->ares, ctx->areslen, ctx->mres, 16, buf.b,
1524 ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
1525 ctx->fc |= S390X_KMA_HS;
1526 ctx->areslen = 0;
1527
1528 /* previous call already encrypted/decrypted its remainder,
1529 * see comment below */
1530 n = ctx->mreslen;
1531 while (n) {
1532 *out = buf.b[n];
1533 n = (n + 1) & 0xf;
1534 ++out;
1535 ++in;
1536 --len;
1537 }
1538 ctx->mreslen = 0;
1539 }
1540 }
1541
1542 rem = len & 0xf;
1543
25868993 1544 len &= ~(size_t)0xf;
96530eea
PS		 1545 if (len) {
1546 s390x_kma(ctx->ares, ctx->areslen, in, len, out,
1547 ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
1548 in += len;
1549 out += len;
1550 ctx->fc |= S390X_KMA_HS;
1551 ctx->areslen = 0;
1552 }
1553
1554 /*-
1555 * If there is a remainder, it has to be saved such that it can be
1556 * processed by kma later. However, we also have to do the for-now
1557 * unauthenticated encryption/decryption part here and now...
1558 */
1559 if (rem) {
1560 if (!ctx->mreslen) {
1561 buf.w[0] = ctx->kma.param.j0.w[0];
1562 buf.w[1] = ctx->kma.param.j0.w[1];
1563 buf.w[2] = ctx->kma.param.j0.w[2];
1564 buf.w[3] = ctx->kma.param.cv.w + 1;
1565 s390x_km(buf.b, 16, ctx->kres, ctx->fc & 0x1f, &ctx->kma.param.k);
1566 }
1567
1568 n = ctx->mreslen;
1569 for (i = 0; i < rem; i++) {
1570 ctx->mres[n + i] = in[i];
1571 out[i] = in[i] ^ ctx->kres[n + i];
1572 }
1573
1574 ctx->mreslen += rem;
1575 }
1576 return 0;
1577}
1578
5d2a6f4b
PS		 1579/*-
1580 * Initialize context structure. Code is big-endian.
1581 */
96530eea
PS		 1582static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx,
1583 const unsigned char *iv)
1584{
1585 ctx->kma.param.t.g[0] = 0;
1586 ctx->kma.param.t.g[1] = 0;
1587 ctx->kma.param.tpcl = 0;
1588 ctx->kma.param.taadl = 0;
1589 ctx->mreslen = 0;
1590 ctx->areslen = 0;
1591 ctx->kreslen = 0;
1592
1593 if (ctx->ivlen == 12) {
1594 memcpy(&ctx->kma.param.j0, iv, ctx->ivlen);
1595 ctx->kma.param.j0.w[3] = 1;
1596 ctx->kma.param.cv.w = 1;
1597 } else {
1598 /* ctx->iv has the right size and is already padded. */
1599 memcpy(ctx->iv, iv, ctx->ivlen);
1600 s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL,
1601 ctx->fc, &ctx->kma.param);
1602 ctx->fc |= S390X_KMA_HS;
1603
1604 ctx->kma.param.j0.g[0] = ctx->kma.param.t.g[0];
1605 ctx->kma.param.j0.g[1] = ctx->kma.param.t.g[1];
1606 ctx->kma.param.cv.w = ctx->kma.param.j0.w[3];
1607 ctx->kma.param.t.g[0] = 0;
1608 ctx->kma.param.t.g[1] = 0;
1609 }
1610}
1611
5d2a6f4b
PS		 1612/*-
1613 * Performs various operations on the context structure depending on control
1614 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
1615 * Code is big-endian.
1616 */
96530eea
PS		 1617static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1618{
1619 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
1620 S390X_AES_GCM_CTX *gctx_out;
1621 EVP_CIPHER_CTX *out;
1622 unsigned char *buf, *iv;
1623 int ivlen, enc, len;
1624
1625 switch (type) {
1626 case EVP_CTRL_INIT:
1627 ivlen = EVP_CIPHER_CTX_iv_length(c);
1628 iv = EVP_CIPHER_CTX_iv_noconst(c);
1629 gctx->key_set = 0;
1630 gctx->iv_set = 0;
1631 gctx->ivlen = ivlen;
1632 gctx->iv = iv;
1633 gctx->taglen = -1;
1634 gctx->iv_gen = 0;
1635 gctx->tls_aad_len = -1;
1636 return 1;
1637
1638 case EVP_CTRL_AEAD_SET_IVLEN:
1639 if (arg <= 0)
1640 return 0;
1641
1642 if (arg != 12) {
1643 iv = EVP_CIPHER_CTX_iv_noconst(c);
1644 len = S390X_gcm_ivpadlen(arg);
1645
1646 /* Allocate memory for iv if needed. */
1647 if (gctx->ivlen == 12 || len > S390X_gcm_ivpadlen(gctx->ivlen)) {
1648 if (gctx->iv != iv)
1649 OPENSSL_free(gctx->iv);
1650
cdb10bae
RS		 1651 if ((gctx->iv = OPENSSL_malloc(len)) == NULL) {
1652 EVPerr(EVP_F_S390X_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
96530eea 1653 return 0;
cdb10bae 1654 }
96530eea
PS		 1655 }
1656 /* Add padding. */
1657 memset(gctx->iv + arg, 0, len - arg - 8);
1658 *((unsigned long long *)(gctx->iv + len - 8)) = arg << 3;
1659 }
1660 gctx->ivlen = arg;
1661 return 1;
1662
1663 case EVP_CTRL_AEAD_SET_TAG:
1664 buf = EVP_CIPHER_CTX_buf_noconst(c);
1665 enc = EVP_CIPHER_CTX_encrypting(c);
1666 if (arg <= 0 || arg > 16 || enc)
1667 return 0;
1668
1669 memcpy(buf, ptr, arg);
1670 gctx->taglen = arg;
1671 return 1;
1672
1673 case EVP_CTRL_AEAD_GET_TAG:
1674 enc = EVP_CIPHER_CTX_encrypting(c);
1675 if (arg <= 0 || arg > 16 || !enc || gctx->taglen < 0)
1676 return 0;
1677
1678 memcpy(ptr, gctx->kma.param.t.b, arg);
1679 return 1;
1680
1681 case EVP_CTRL_GCM_SET_IV_FIXED:
1682 /* Special case: -1 length restores whole iv */
1683 if (arg == -1) {
1684 memcpy(gctx->iv, ptr, gctx->ivlen);
1685 gctx->iv_gen = 1;
1686 return 1;
1687 }
1688 /*
1689 * Fixed field must be at least 4 bytes and invocation field at least
1690 * 8.
1691 */
1692 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1693 return 0;
1694
1695 if (arg)
1696 memcpy(gctx->iv, ptr, arg);
1697
1698 enc = EVP_CIPHER_CTX_encrypting(c);
16cfc2c9
KR		 1699 if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
1700 return 0;
96530eea
PS		 1701
1702 gctx->iv_gen = 1;
1703 return 1;
1704
1705 case EVP_CTRL_GCM_IV_GEN:
1706 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1707 return 0;
1708
1709 s390x_aes_gcm_setiv(gctx, gctx->iv);
1710
1711 if (arg <= 0 || arg > gctx->ivlen)
1712 arg = gctx->ivlen;
1713
1714 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1715 /*
1716 * Invocation field will be at least 8 bytes in size and so no need
1717 * to check wrap around or increment more than last 8 bytes.
1718 */
03a5e5ae 1719 ctr64_inc(gctx->iv + gctx->ivlen - 8);
96530eea
PS		 1720 gctx->iv_set = 1;
1721 return 1;
1722
1723 case EVP_CTRL_GCM_SET_IV_INV:
1724 enc = EVP_CIPHER_CTX_encrypting(c);
1725 if (gctx->iv_gen == 0 || gctx->key_set == 0 || enc)
1726 return 0;
1727
1728 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1729 s390x_aes_gcm_setiv(gctx, gctx->iv);
1730 gctx->iv_set = 1;
1731 return 1;
1732
1733 case EVP_CTRL_AEAD_TLS1_AAD:
1734 /* Save the aad for later use. */
1735 if (arg != EVP_AEAD_TLS1_AAD_LEN)
1736 return 0;
1737
1738 buf = EVP_CIPHER_CTX_buf_noconst(c);
1739 memcpy(buf, ptr, arg);
1740 gctx->tls_aad_len = arg;
d6b34570 1741 gctx->tls_enc_records = 0;
96530eea
PS		 1742
1743 len = buf[arg - 2] << 8 | buf[arg - 1];
1744 /* Correct length for explicit iv. */
1745 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
1746 return 0;
1747 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1748
1749 /* If decrypting correct for tag too. */
1750 enc = EVP_CIPHER_CTX_encrypting(c);
1751 if (!enc) {
1752 if (len < EVP_GCM_TLS_TAG_LEN)
1753 return 0;
1754 len -= EVP_GCM_TLS_TAG_LEN;
1755 }
1756 buf[arg - 2] = len >> 8;
1757 buf[arg - 1] = len & 0xff;
1758 /* Extra padding: tag appended to record. */
1759 return EVP_GCM_TLS_TAG_LEN;
1760
1761 case EVP_CTRL_COPY:
1762 out = ptr;
1763 gctx_out = EVP_C_DATA(S390X_AES_GCM_CTX, out);
1764 iv = EVP_CIPHER_CTX_iv_noconst(c);
1765
1766 if (gctx->iv == iv) {
1767 gctx_out->iv = EVP_CIPHER_CTX_iv_noconst(out);
1768 } else {
1769 len = S390X_gcm_ivpadlen(gctx->ivlen);
1770
cdb10bae
RS		 1771 if ((gctx_out->iv = OPENSSL_malloc(len)) == NULL) {
1772 EVPerr(EVP_F_S390X_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
96530eea 1773 return 0;
cdb10bae 1774 }
96530eea
PS		 1775
1776 memcpy(gctx_out->iv, gctx->iv, len);
1777 }
1778 return 1;
1779
1780 default:
1781 return -1;
1782 }
1783}
1784
5d2a6f4b
PS		 1785/*-
1786 * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
1787 */
96530eea
PS		 1788static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx,
1789 const unsigned char *key,
1790 const unsigned char *iv, int enc)
1791{
1792 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1793 int keylen;
1794
1795 if (iv == NULL && key == NULL)
1796 return 1;
1797
1798 if (key != NULL) {
1799 keylen = EVP_CIPHER_CTX_key_length(ctx);
1800 memcpy(&gctx->kma.param.k, key, keylen);
1801
8eb399fb 1802 gctx->fc = S390X_AES_FC(keylen);
96530eea
PS		 1803 if (!enc)
1804 gctx->fc |= S390X_DECRYPT;
1805
1806 if (iv == NULL && gctx->iv_set)
1807 iv = gctx->iv;
1808
1809 if (iv != NULL) {
1810 s390x_aes_gcm_setiv(gctx, iv);
1811 gctx->iv_set = 1;
1812 }
1813 gctx->key_set = 1;
1814 } else {
1815 if (gctx->key_set)
1816 s390x_aes_gcm_setiv(gctx, iv);
1817 else
1818 memcpy(gctx->iv, iv, gctx->ivlen);
1819
1820 gctx->iv_set = 1;
1821 gctx->iv_gen = 0;
1822 }
1823 return 1;
1824}
1825
5d2a6f4b
PS		 1826/*-
1827 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
1828 * if successful. Otherwise -1 is returned. Code is big-endian.
1829 */
96530eea
PS		 1830static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1831 const unsigned char *in, size_t len)
1832{
1833 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1834 const unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
1835 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
1836 int rv = -1;
1837
1838 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1839 return -1;
1840
d6b34570
P		 1841 /*
1842 * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
1843 * Requirements from SP 800-38D". The requirements is for one party to the
1844 * communication to fail after 2^64 - 1 keys. We do this on the encrypting
1845 * side only.
1846 */
1847 if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
1848 EVPerr(EVP_F_S390X_AES_GCM_TLS_CIPHER, EVP_R_TOO_MANY_RECORDS);
1849 goto err;
1850 }
1851
96530eea
PS		 1852 if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN
1853 : EVP_CTRL_GCM_SET_IV_INV,
1854 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1855 goto err;
1856
1857 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1858 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1859 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1860
1861 gctx->kma.param.taadl = gctx->tls_aad_len << 3;
1862 gctx->kma.param.tpcl = len << 3;
1863 s390x_kma(buf, gctx->tls_aad_len, in, len, out,
1864 gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
1865
1866 if (enc) {
1867 memcpy(out + len, gctx->kma.param.t.b, EVP_GCM_TLS_TAG_LEN);
1868 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1869 } else {
1870 if (CRYPTO_memcmp(gctx->kma.param.t.b, in + len,
1871 EVP_GCM_TLS_TAG_LEN)) {
1872 OPENSSL_cleanse(out, len);
1873 goto err;
1874 }
1875 rv = len;
1876 }
1877err:
1878 gctx->iv_set = 0;
1879 gctx->tls_aad_len = -1;
1880 return rv;
1881}
1882
5d2a6f4b
PS		 1883/*-
1884 * Called from EVP layer to initialize context, process additional
1885 * authenticated data, en/de-crypt plain/cipher-text and authenticate
1886 * ciphertext or process a TLS packet, depending on context. Returns bytes
1887 * written on success. Otherwise -1 is returned. Code is big-endian.
1888 */
96530eea
PS		 1889static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1890 const unsigned char *in, size_t len)
1891{
1892 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1893 unsigned char *buf, tmp[16];
1894 int enc;
1895
1896 if (!gctx->key_set)
1897 return -1;
1898
1899 if (gctx->tls_aad_len >= 0)
1900 return s390x_aes_gcm_tls_cipher(ctx, out, in, len);
1901
1902 if (!gctx->iv_set)
1903 return -1;
1904
1905 if (in != NULL) {
1906 if (out == NULL) {
1907 if (s390x_aes_gcm_aad(gctx, in, len))
1908 return -1;
1909 } else {
1910 if (s390x_aes_gcm(gctx, in, out, len))
1911 return -1;
1912 }
1913 return len;
1914 } else {
1915 gctx->kma.param.taadl <<= 3;
1916 gctx->kma.param.tpcl <<= 3;
1917 s390x_kma(gctx->ares, gctx->areslen, gctx->mres, gctx->mreslen, tmp,
1918 gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
1919 /* recall that we already did en-/decrypt gctx->mres
1920 * and returned it to caller... */
1921 OPENSSL_cleanse(tmp, gctx->mreslen);
1922 gctx->iv_set = 0;
1923
1924 enc = EVP_CIPHER_CTX_encrypting(ctx);
1925 if (enc) {
1926 gctx->taglen = 16;
1927 } else {
1928 if (gctx->taglen < 0)
1929 return -1;
1930
1931 buf = EVP_CIPHER_CTX_buf_noconst(ctx);
1932 if (CRYPTO_memcmp(buf, gctx->kma.param.t.b, gctx->taglen))
1933 return -1;
1934 }
1935 return 0;
1936 }
1937}
1938
1939static int s390x_aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1940{
1941 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
1942 const unsigned char *iv;
1943
1944 if (gctx == NULL)
1945 return 0;
1946
1947 iv = EVP_CIPHER_CTX_iv(c);
1948 if (iv != gctx->iv)
1949 OPENSSL_free(gctx->iv);
1950
1951 OPENSSL_cleanse(gctx, sizeof(*gctx));
1952 return 1;
1953}
1954
1955# define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
1956# define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */
1957# define S390X_aes_256_xts_CAPABLE 1
1958
1959# define s390x_aes_xts_init_key aes_xts_init_key
1960static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx,
1961 const unsigned char *key,
1962 const unsigned char *iv, int enc);
1963# define s390x_aes_xts_cipher aes_xts_cipher
1964static int s390x_aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1965 const unsigned char *in, size_t len);
1966# define s390x_aes_xts_ctrl aes_xts_ctrl
1967static int s390x_aes_xts_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
1968# define s390x_aes_xts_cleanup aes_xts_cleanup
1969
39f5b069
PS		 1970# define S390X_aes_128_ccm_CAPABLE (S390X_aes_128_CAPABLE && \
1971 (OPENSSL_s390xcap_P.kmac[0] & \
1972 S390X_CAPBIT(S390X_AES_128)))
1973# define S390X_aes_192_ccm_CAPABLE (S390X_aes_192_CAPABLE && \
1974 (OPENSSL_s390xcap_P.kmac[0] & \
1975 S390X_CAPBIT(S390X_AES_192)))
1976# define S390X_aes_256_ccm_CAPABLE (S390X_aes_256_CAPABLE && \
1977 (OPENSSL_s390xcap_P.kmac[0] & \
1978 S390X_CAPBIT(S390X_AES_256)))
1979
1980# define S390X_CCM_AAD_FLAG 0x40
1981
1982/*-
1983 * Set nonce and length fields. Code is big-endian.
1984 */
1985static inline void s390x_aes_ccm_setiv(S390X_AES_CCM_CTX *ctx,
1986 const unsigned char *nonce,
1987 size_t mlen)
1988{
1989 ctx->aes.ccm.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
1990 ctx->aes.ccm.nonce.g[1] = mlen;
1991 memcpy(ctx->aes.ccm.nonce.b + 1, nonce, 15 - ctx->aes.ccm.l);
1992}
1993
1994/*-
1995 * Process additional authenticated data. Code is big-endian.
1996 */
1997static void s390x_aes_ccm_aad(S390X_AES_CCM_CTX *ctx, const unsigned char *aad,
1998 size_t alen)
1999{
2000 unsigned char *ptr;
2001 int i, rem;
2002
2003 if (!alen)
2004 return;
2005
2006 ctx->aes.ccm.nonce.b[0] |= S390X_CCM_AAD_FLAG;
2007
2008 /* Suppress 'type-punned pointer dereference' warning. */
2009 ptr = ctx->aes.ccm.buf.b;
2010
2011 if (alen < ((1 << 16) - (1 << 8))) {
2012 *(uint16_t *)ptr = alen;
2013 i = 2;
2014 } else if (sizeof(alen) == 8
2015 && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
2016 *(uint16_t *)ptr = 0xffff;
2017 *(uint64_t *)(ptr + 2) = alen;
2018 i = 10;
2019 } else {
2020 *(uint16_t *)ptr = 0xfffe;
2021 *(uint32_t *)(ptr + 2) = alen;
2022 i = 6;
2023 }
2024
2025 while (i < 16 && alen) {
2026 ctx->aes.ccm.buf.b[i] = *aad;
2027 ++aad;
2028 --alen;
2029 ++i;
2030 }
2031 while (i < 16) {
2032 ctx->aes.ccm.buf.b[i] = 0;
2033 ++i;
2034 }
2035
2036 ctx->aes.ccm.kmac_param.icv.g[0] = 0;
2037 ctx->aes.ccm.kmac_param.icv.g[1] = 0;
2038 s390x_kmac(ctx->aes.ccm.nonce.b, 32, ctx->aes.ccm.fc,
2039 &ctx->aes.ccm.kmac_param);
2040 ctx->aes.ccm.blocks += 2;
2041
2042 rem = alen & 0xf;
25868993 2043 alen &= ~(size_t)0xf;
39f5b069
PS		 2044 if (alen) {
2045 s390x_kmac(aad, alen, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
2046 ctx->aes.ccm.blocks += alen >> 4;
2047 aad += alen;
2048 }
2049 if (rem) {
2050 for (i = 0; i < rem; i++)
2051 ctx->aes.ccm.kmac_param.icv.b[i] ^= aad[i];
2052
2053 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
2054 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
2055 ctx->aes.ccm.kmac_param.k);
2056 ctx->aes.ccm.blocks++;
2057 }
2058}
2059
2060/*-
2061 * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 0 for
2062 * success.
2063 */
2064static int s390x_aes_ccm(S390X_AES_CCM_CTX *ctx, const unsigned char *in,
2065 unsigned char *out, size_t len, int enc)
2066{
2067 size_t n, rem;
2068 unsigned int i, l, num;
2069 unsigned char flags;
2070
2071 flags = ctx->aes.ccm.nonce.b[0];
2072 if (!(flags & S390X_CCM_AAD_FLAG)) {
2073 s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.kmac_param.icv.b,
2074 ctx->aes.ccm.fc, ctx->aes.ccm.kmac_param.k);
2075 ctx->aes.ccm.blocks++;
2076 }
2077 l = flags & 0x7;
2078 ctx->aes.ccm.nonce.b[0] = l;
2079
2080 /*-
2081 * Reconstruct length from encoded length field
2082 * and initialize it with counter value.
2083 */
2084 n = 0;
2085 for (i = 15 - l; i < 15; i++) {
2086 n |= ctx->aes.ccm.nonce.b[i];
2087 ctx->aes.ccm.nonce.b[i] = 0;
2088 n <<= 8;
2089 }
2090 n |= ctx->aes.ccm.nonce.b[15];
2091 ctx->aes.ccm.nonce.b[15] = 1;
2092
2093 if (n != len)
2094 return -1; /* length mismatch */
2095
2096 if (enc) {
2097 /* Two operations per block plus one for tag encryption */
2098 ctx->aes.ccm.blocks += (((len + 15) >> 4) << 1) + 1;
2099 if (ctx->aes.ccm.blocks > (1ULL << 61))
2100 return -2; /* too much data */
2101 }
2102
2103 num = 0;
2104 rem = len & 0xf;
25868993 2105 len &= ~(size_t)0xf;
39f5b069
PS		 2106
2107 if (enc) {
2108 /* mac-then-encrypt */
2109 if (len)
2110 s390x_kmac(in, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
2111 if (rem) {
2112 for (i = 0; i < rem; i++)
2113 ctx->aes.ccm.kmac_param.icv.b[i] ^= in[len + i];
2114
2115 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
2116 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
2117 ctx->aes.ccm.kmac_param.k);
2118 }
2119
2120 CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
2121 ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
2122 &num, (ctr128_f)AES_ctr32_encrypt);
2123 } else {
2124 /* decrypt-then-mac */
2125 CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
2126 ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
2127 &num, (ctr128_f)AES_ctr32_encrypt);
2128
2129 if (len)
2130 s390x_kmac(out, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
2131 if (rem) {
2132 for (i = 0; i < rem; i++)
2133 ctx->aes.ccm.kmac_param.icv.b[i] ^= out[len + i];
2134
2135 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
2136 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
2137 ctx->aes.ccm.kmac_param.k);
2138 }
2139 }
2140 /* encrypt tag */
2141 for (i = 15 - l; i < 16; i++)
2142 ctx->aes.ccm.nonce.b[i] = 0;
2143
2144 s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.buf.b, ctx->aes.ccm.fc,
2145 ctx->aes.ccm.kmac_param.k);
2146 ctx->aes.ccm.kmac_param.icv.g[0] ^= ctx->aes.ccm.buf.g[0];
2147 ctx->aes.ccm.kmac_param.icv.g[1] ^= ctx->aes.ccm.buf.g[1];
2148
2149 ctx->aes.ccm.nonce.b[0] = flags; /* restore flags field */
2150 return 0;
2151}
2152
2153/*-
2154 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
2155 * if successful. Otherwise -1 is returned.
2156 */
2157static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2158 const unsigned char *in, size_t len)
2159{
2160 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
2161 unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
2162 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
2163 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
2164
2165 if (out != in
2166 || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m))
2167 return -1;
2168
2169 if (enc) {
2170 /* Set explicit iv (sequence number). */
2171 memcpy(out, buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
2172 }
2173
2174 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
2175 /*-
2176 * Get explicit iv (sequence number). We already have fixed iv
2177 * (server/client_write_iv) here.
2178 */
2179 memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
2180 s390x_aes_ccm_setiv(cctx, ivec, len);
2181
2182 /* Process aad (sequence number|type|version|length) */
2183 s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len);
2184
2185 in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
2186 out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
96530eea 2187
39f5b069
PS		 2188 if (enc) {
2189 if (s390x_aes_ccm(cctx, in, out, len, enc))
2190 return -1;
2191
2192 memcpy(out + len, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
2193 return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
2194 } else {
2195 if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
2196 if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, in + len,
2197 cctx->aes.ccm.m))
2198 return len;
2199 }
2200
2201 OPENSSL_cleanse(out, len);
2202 return -1;
2203 }
2204}
2205
2206/*-
2207 * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
2208 * returned.
2209 */
96530eea
PS		 2210static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx,
2211 const unsigned char *key,
39f5b069
PS		 2212 const unsigned char *iv, int enc)
2213{
2214 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
2215 unsigned char *ivec;
2216 int keylen;
2217
2218 if (iv == NULL && key == NULL)
2219 return 1;
2220
2221 if (key != NULL) {
2222 keylen = EVP_CIPHER_CTX_key_length(ctx);
8eb399fb 2223 cctx->aes.ccm.fc = S390X_AES_FC(keylen);
39f5b069
PS		 2224 memcpy(cctx->aes.ccm.kmac_param.k, key, keylen);
2225
2226 /* Store encoded m and l. */
2227 cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
2228 | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
2229 memset(cctx->aes.ccm.nonce.b + 1, 0,
2230 sizeof(cctx->aes.ccm.nonce.b));
2231 cctx->aes.ccm.blocks = 0;
2232
2233 cctx->aes.ccm.key_set = 1;
2234 }
2235
2236 if (iv != NULL) {
2237 ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
2238 memcpy(ivec, iv, 15 - cctx->aes.ccm.l);
2239
2240 cctx->aes.ccm.iv_set = 1;
2241 }
2242
2243 return 1;
2244}
2245
2246/*-
2247 * Called from EVP layer to initialize context, process additional
2248 * authenticated data, en/de-crypt plain/cipher-text and authenticate
2249 * plaintext or process a TLS packet, depending on context. Returns bytes
2250 * written on success. Otherwise -1 is returned.
2251 */
96530eea 2252static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
39f5b069
PS		 2253 const unsigned char *in, size_t len)
2254{
2255 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
2256 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
2257 int rv;
2258 unsigned char *buf, *ivec;
2259
2260 if (!cctx->aes.ccm.key_set)
2261 return -1;
2262
2263 if (cctx->aes.ccm.tls_aad_len >= 0)
2264 return s390x_aes_ccm_tls_cipher(ctx, out, in, len);
2265
2266 /*-
2267 * Final(): Does not return any data. Recall that ccm is mac-then-encrypt
2268 * so integrity must be checked already at Update() i.e., before
2269 * potentially corrupted data is output.
2270 */
2271 if (in == NULL && out != NULL)
2272 return 0;
2273
2274 if (!cctx->aes.ccm.iv_set)
2275 return -1;
2276
39f5b069
PS		 2277 if (out == NULL) {
2278 /* Update(): Pass message length. */
2279 if (in == NULL) {
2280 ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
2281 s390x_aes_ccm_setiv(cctx, ivec, len);
2282
2283 cctx->aes.ccm.len_set = 1;
2284 return len;
2285 }
2286
2287 /* Update(): Process aad. */
2288 if (!cctx->aes.ccm.len_set && len)
2289 return -1;
2290
2291 s390x_aes_ccm_aad(cctx, in, len);
2292 return len;
2293 }
2294
887e22dd
PS		 2295 /* The tag must be set before actually decrypting data */
2296 if (!enc && !cctx->aes.ccm.tag_set)
2297 return -1;
2298
39f5b069
PS		 2299 /* Update(): Process message. */
2300
2301 if (!cctx->aes.ccm.len_set) {
2302 /*-
46d08509 2303 * In case message length was not previously set explicitly via
39f5b069
PS		 2304 * Update(), set it now.
2305 */
2306 ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
2307 s390x_aes_ccm_setiv(cctx, ivec, len);
2308
2309 cctx->aes.ccm.len_set = 1;
2310 }
2311
2312 if (enc) {
2313 if (s390x_aes_ccm(cctx, in, out, len, enc))
2314 return -1;
2315
2316 cctx->aes.ccm.tag_set = 1;
2317 return len;
2318 } else {
2319 rv = -1;
2320
2321 if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
2322 buf = EVP_CIPHER_CTX_buf_noconst(ctx);
2323 if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, buf,
2324 cctx->aes.ccm.m))
2325 rv = len;
2326 }
2327
2328 if (rv == -1)
2329 OPENSSL_cleanse(out, len);
2330
2331 cctx->aes.ccm.iv_set = 0;
2332 cctx->aes.ccm.tag_set = 0;
2333 cctx->aes.ccm.len_set = 0;
2334 return rv;
2335 }
2336}
2337
2338/*-
2339 * Performs various operations on the context structure depending on control
2340 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
2341 * Code is big-endian.
2342 */
2343static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
2344{
2345 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, c);
2346 unsigned char *buf, *iv;
2347 int enc, len;
2348
2349 switch (type) {
2350 case EVP_CTRL_INIT:
2351 cctx->aes.ccm.key_set = 0;
2352 cctx->aes.ccm.iv_set = 0;
2353 cctx->aes.ccm.l = 8;
2354 cctx->aes.ccm.m = 12;
2355 cctx->aes.ccm.tag_set = 0;
2356 cctx->aes.ccm.len_set = 0;
2357 cctx->aes.ccm.tls_aad_len = -1;
2358 return 1;
2359
2360 case EVP_CTRL_AEAD_TLS1_AAD:
2361 if (arg != EVP_AEAD_TLS1_AAD_LEN)
2362 return 0;
2363
2364 /* Save the aad for later use. */
2365 buf = EVP_CIPHER_CTX_buf_noconst(c);
2366 memcpy(buf, ptr, arg);
2367 cctx->aes.ccm.tls_aad_len = arg;
2368
03a5e5ae 2369 len = buf[arg - 2] << 8 | buf[arg - 1];
39f5b069
PS		 2370 if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
2371 return 0;
2372
2373 /* Correct length for explicit iv. */
2374 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
2375
2376 enc = EVP_CIPHER_CTX_encrypting(c);
2377 if (!enc) {
2378 if (len < cctx->aes.ccm.m)
2379 return 0;
2380
2381 /* Correct length for tag. */
2382 len -= cctx->aes.ccm.m;
2383 }
2384
03a5e5ae
PS		 2385 buf[arg - 2] = len >> 8;
2386 buf[arg - 1] = len & 0xff;
2387
39f5b069
PS		 2388 /* Extra padding: tag appended to record. */
2389 return cctx->aes.ccm.m;
2390
2391 case EVP_CTRL_CCM_SET_IV_FIXED:
2392 if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
2393 return 0;
2394
2395 /* Copy to first part of the iv. */
2396 iv = EVP_CIPHER_CTX_iv_noconst(c);
2397 memcpy(iv, ptr, arg);
2398 return 1;
2399
2400 case EVP_CTRL_AEAD_SET_IVLEN:
2401 arg = 15 - arg;
2402 /* fall-through */
2403
2404 case EVP_CTRL_CCM_SET_L:
2405 if (arg < 2 || arg > 8)
2406 return 0;
2407
2408 cctx->aes.ccm.l = arg;
2409 return 1;
2410
2411 case EVP_CTRL_AEAD_SET_TAG:
2412 if ((arg & 1) || arg < 4 || arg > 16)
2413 return 0;
2414
2415 enc = EVP_CIPHER_CTX_encrypting(c);
2416 if (enc && ptr)
2417 return 0;
2418
2419 if (ptr) {
2420 cctx->aes.ccm.tag_set = 1;
2421 buf = EVP_CIPHER_CTX_buf_noconst(c);
2422 memcpy(buf, ptr, arg);
2423 }
2424
2425 cctx->aes.ccm.m = arg;
2426 return 1;
2427
2428 case EVP_CTRL_AEAD_GET_TAG:
2429 enc = EVP_CIPHER_CTX_encrypting(c);
2430 if (!enc || !cctx->aes.ccm.tag_set)
2431 return 0;
2432
2433 if(arg < cctx->aes.ccm.m)
2434 return 0;
2435
2436 memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
2437 cctx->aes.ccm.tag_set = 0;
2438 cctx->aes.ccm.iv_set = 0;
2439 cctx->aes.ccm.len_set = 0;
2440 return 1;
2441
2442 case EVP_CTRL_COPY:
2443 return 1;
2444
2445 default:
2446 return -1;
2447 }
2448}
2449
96530eea
PS		 2450# define s390x_aes_ccm_cleanup aes_ccm_cleanup
2451
2452# ifndef OPENSSL_NO_OCB
2453# define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
2454# define S390X_aes_128_ocb_CAPABLE 0
2455# define S390X_aes_192_ocb_CAPABLE 0
2456# define S390X_aes_256_ocb_CAPABLE 0
2457
2458# define s390x_aes_ocb_init_key aes_ocb_init_key
2459static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2460 const unsigned char *iv, int enc);
2461# define s390x_aes_ocb_cipher aes_ocb_cipher
2462static int s390x_aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2463 const unsigned char *in, size_t len);
2464# define s390x_aes_ocb_cleanup aes_ocb_cleanup
2465static int s390x_aes_ocb_cleanup(EVP_CIPHER_CTX *);
2466# define s390x_aes_ocb_ctrl aes_ocb_ctrl
2467static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
2468# endif
2469
e74be3d4
RL		 2470# ifndef OPENSSL_NO_SIV
2471# define S390X_AES_SIV_CTX EVP_AES_SIV_CTX
2472# define S390X_aes_128_siv_CAPABLE 0
2473# define S390X_aes_192_siv_CAPABLE 0
2474# define S390X_aes_256_siv_CAPABLE 0
2475
2476# define s390x_aes_siv_init_key aes_siv_init_key
2477# define s390x_aes_siv_cipher aes_siv_cipher
2478# define s390x_aes_siv_cleanup aes_siv_cleanup
2479# define s390x_aes_siv_ctrl aes_siv_ctrl
2480# endif
2481
96530eea
PS		 2482# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
2483 MODE,flags) \
2484static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2485 nid##_##keylen##_##nmode,blocksize, \
2486 keylen / 8, \
2487 ivlen, \
2488 flags | EVP_CIPH_##MODE##_MODE, \
55bd169f 2489 s390x_aes_##mode##_init_key, \
96530eea
PS		 2490 s390x_aes_##mode##_cipher, \
2491 NULL, \
55bd169f 2492 sizeof(S390X_AES_##MODE##_CTX), \
96530eea
PS		 2493 NULL, \
2494 NULL, \
2495 NULL, \
2496 NULL \
2497}; \
2498static const EVP_CIPHER aes_##keylen##_##mode = { \
2499 nid##_##keylen##_##nmode, \
2500 blocksize, \
2501 keylen / 8, \
2502 ivlen, \
2503 flags | EVP_CIPH_##MODE##_MODE, \
2504 aes_init_key, \
2505 aes_##mode##_cipher, \
2506 NULL, \
2507 sizeof(EVP_AES_KEY), \
55bd169f
PS		 2508 NULL, \
2509 NULL, \
2510 NULL, \
2511 NULL \
96530eea
PS		 2512}; \
2513const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2514{ \
2515 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2516 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2517}
2518
2519# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
2520static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2521 nid##_##keylen##_##mode, \
2522 blocksize, \
e74be3d4 2523 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
96530eea
PS		 2524 ivlen, \
2525 flags | EVP_CIPH_##MODE##_MODE, \
2526 s390x_aes_##mode##_init_key, \
2527 s390x_aes_##mode##_cipher, \
2528 s390x_aes_##mode##_cleanup, \
2529 sizeof(S390X_AES_##MODE##_CTX), \
2530 NULL, \
2531 NULL, \
2532 s390x_aes_##mode##_ctrl, \
2533 NULL \
2534}; \
2535static const EVP_CIPHER aes_##keylen##_##mode = { \
2536 nid##_##keylen##_##mode,blocksize, \
e74be3d4 2537 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
96530eea
PS		 2538 ivlen, \
2539 flags | EVP_CIPH_##MODE##_MODE, \
2540 aes_##mode##_init_key, \
2541 aes_##mode##_cipher, \
2542 aes_##mode##_cleanup, \
2543 sizeof(EVP_AES_##MODE##_CTX), \
2544 NULL, \
2545 NULL, \
2546 aes_##mode##_ctrl, \
2547 NULL \
2548}; \
2549const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2550{ \
2551 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2552 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2553}
2554
5158c763 2555#else
17f121de 2556
5158c763 2557# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
17f121de 2558static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 2559 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
2560 flags|EVP_CIPH_##MODE##_MODE, \
2561 aes_init_key, \
2562 aes_##mode##_cipher, \
2563 NULL, \
2564 sizeof(EVP_AES_KEY), \
2565 NULL,NULL,NULL,NULL }; \
17f121de
AP		 2566const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2567{ return &aes_##keylen##_##mode; }
d1fff483 2568
5158c763 2569# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
17f121de 2570static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e 2571 nid##_##keylen##_##mode,blocksize, \
b1ceb439
TS		 2572 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
2573 ivlen, \
0f113f3e
MC		 2574 flags|EVP_CIPH_##MODE##_MODE, \
2575 aes_##mode##_init_key, \
2576 aes_##mode##_cipher, \
2577 aes_##mode##_cleanup, \
2578 sizeof(EVP_AES_##MODE##_CTX), \
2579 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de
AP		 2580const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2581{ return &aes_##keylen##_##mode; }
9575d1a9 2582
5158c763 2583#endif
9575d1a9 2584
5158c763
MC		 2585#if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
2586# include "arm_arch.h"
2587# if __ARM_MAX_ARCH__>=7
2588# if defined(BSAES_ASM)
2589# define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
2590# endif
2591# if defined(VPAES_ASM)
2592# define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
0f113f3e 2593# endif
5158c763
MC		 2594# define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
2595# define HWAES_set_encrypt_key aes_v8_set_encrypt_key
2596# define HWAES_set_decrypt_key aes_v8_set_decrypt_key
2597# define HWAES_encrypt aes_v8_encrypt
2598# define HWAES_decrypt aes_v8_decrypt
2599# define HWAES_cbc_encrypt aes_v8_cbc_encrypt
2600# define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
ddacb8f2 2601# endif
5158c763 2602#endif
d1fff483 2603
5158c763 2604#if defined(HWAES_CAPABLE)
ddacb8f2 2605int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
0f113f3e 2606 AES_KEY *key);
ddacb8f2 2607int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
0f113f3e 2608 AES_KEY *key);
ddacb8f2 2609void HWAES_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 2610 const AES_KEY *key);
ddacb8f2 2611void HWAES_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 2612 const AES_KEY *key);
ddacb8f2 2613void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 2614 size_t length, const AES_KEY *key,
2615 unsigned char *ivec, const int enc);
ddacb8f2 2616void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 2617 size_t len, const AES_KEY *key,
2618 const unsigned char ivec[16]);
46f047d7
AP		 2619void HWAES_xts_encrypt(const unsigned char *inp, unsigned char *out,
2620 size_t len, const AES_KEY *key1,
2621 const AES_KEY *key2, const unsigned char iv[16]);
2622void HWAES_xts_decrypt(const unsigned char *inp, unsigned char *out,
2623 size_t len, const AES_KEY *key1,
2624 const AES_KEY *key2, const unsigned char iv[16]);
5158c763 2625#endif
ddacb8f2 2626
5158c763 2627#define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
0f113f3e
MC		 2628 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2629 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2630 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2631 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2632 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
2633 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
2634 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
d1fff483
AP		 2635
2636static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 2637 const unsigned char *iv, int enc)
2638{
2639 int ret, mode;
6435f0f6 2640 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 2641
6435f0f6 2642 mode = EVP_CIPHER_CTX_mode(ctx);
0f113f3e 2643 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
c01a3c6d 2644 && !enc) {
5158c763 2645#ifdef HWAES_CAPABLE
0f113f3e 2646 if (HWAES_CAPABLE) {
6435f0f6
RL		 2647 ret = HWAES_set_decrypt_key(key,
2648 EVP_CIPHER_CTX_key_length(ctx) * 8,
2649 &dat->ks.ks);
0f113f3e
MC		 2650 dat->block = (block128_f) HWAES_decrypt;
2651 dat->stream.cbc = NULL;
5158c763 2652# ifdef HWAES_cbc_encrypt
0f113f3e
MC		 2653 if (mode == EVP_CIPH_CBC_MODE)
2654 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
0f113f3e 2655# endif
5158c763
MC		 2656 } else
2657#endif
2658#ifdef BSAES_CAPABLE
0f113f3e 2659 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
6435f0f6
RL		 2660 ret = AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2661 &dat->ks.ks);
0f113f3e
MC		 2662 dat->block = (block128_f) AES_decrypt;
2663 dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt;
2664 } else
5158c763
MC		 2665#endif
2666#ifdef VPAES_CAPABLE
0f113f3e 2667 if (VPAES_CAPABLE) {
6435f0f6
RL		 2668 ret = vpaes_set_decrypt_key(key,
2669 EVP_CIPHER_CTX_key_length(ctx) * 8,
2670 &dat->ks.ks);
0f113f3e
MC		 2671 dat->block = (block128_f) vpaes_decrypt;
2672 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2673 (cbc128_f) vpaes_cbc_encrypt : NULL;
2674 } else
5158c763 2675#endif
0f113f3e 2676 {
6435f0f6
RL		 2677 ret = AES_set_decrypt_key(key,
2678 EVP_CIPHER_CTX_key_length(ctx) * 8,
2679 &dat->ks.ks);
0f113f3e
MC		 2680 dat->block = (block128_f) AES_decrypt;
2681 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2682 (cbc128_f) AES_cbc_encrypt : NULL;
c01a3c6d 2683 }
0f113f3e 2684 } else
5158c763 2685#ifdef HWAES_CAPABLE
0f113f3e 2686 if (HWAES_CAPABLE) {
6435f0f6
RL		 2687 ret = HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2688 &dat->ks.ks);
0f113f3e
MC		 2689 dat->block = (block128_f) HWAES_encrypt;
2690 dat->stream.cbc = NULL;
5158c763 2691# ifdef HWAES_cbc_encrypt
0f113f3e
MC		 2692 if (mode == EVP_CIPH_CBC_MODE)
2693 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
2694 else
5158c763
MC		 2695# endif
2696# ifdef HWAES_ctr32_encrypt_blocks
0f113f3e
MC		 2697 if (mode == EVP_CIPH_CTR_MODE)
2698 dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
2699 else
5158c763 2700# endif
0f113f3e
MC		 2701 (void)0; /* terminate potentially open 'else' */
2702 } else
5158c763
MC		 2703#endif
2704#ifdef BSAES_CAPABLE
0f113f3e 2705 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
6435f0f6
RL		 2706 ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2707 &dat->ks.ks);
0f113f3e
MC		 2708 dat->block = (block128_f) AES_encrypt;
2709 dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
2710 } else
5158c763
MC		 2711#endif
2712#ifdef VPAES_CAPABLE
0f113f3e 2713 if (VPAES_CAPABLE) {
6435f0f6
RL		 2714 ret = vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2715 &dat->ks.ks);
0f113f3e
MC		 2716 dat->block = (block128_f) vpaes_encrypt;
2717 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2718 (cbc128_f) vpaes_cbc_encrypt : NULL;
2719 } else
5158c763 2720#endif
0f113f3e 2721 {
6435f0f6
RL		 2722 ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2723 &dat->ks.ks);
0f113f3e
MC		 2724 dat->block = (block128_f) AES_encrypt;
2725 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2726 (cbc128_f) AES_cbc_encrypt : NULL;
5158c763 2727#ifdef AES_CTR_ASM
0f113f3e
MC		 2728 if (mode == EVP_CIPH_CTR_MODE)
2729 dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
5158c763 2730#endif
0f113f3e 2731 }
d1fff483 2732
0f113f3e
MC		 2733 if (ret < 0) {
2734 EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
2735 return 0;
2736 }
d1fff483 2737
0f113f3e
MC		 2738 return 1;
2739}
d1fff483 2740
0f113f3e
MC		 2741static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2742 const unsigned char *in, size_t len)
17f121de 2743{
6435f0f6 2744 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2745
0f113f3e 2746 if (dat->stream.cbc)
6435f0f6
RL		 2747 (*dat->stream.cbc) (in, out, len, &dat->ks,
2748 EVP_CIPHER_CTX_iv_noconst(ctx),
2749 EVP_CIPHER_CTX_encrypting(ctx));
2750 else if (EVP_CIPHER_CTX_encrypting(ctx))
2751 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks,
2752 EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
0f113f3e 2753 else
6435f0f6
RL		 2754 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
2755 EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
17f121de 2756
0f113f3e 2757 return 1;
17f121de
AP		 2758}
2759
0f113f3e
MC		 2760static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2761 const unsigned char *in, size_t len)
17f121de 2762{
6435f0f6 2763 size_t bl = EVP_CIPHER_CTX_block_size(ctx);
0f113f3e 2764 size_t i;
6435f0f6 2765 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
17f121de 2766
0f113f3e
MC		 2767 if (len < bl)
2768 return 1;
17f121de 2769
0f113f3e
MC		 2770 for (i = 0, len -= bl; i <= len; i += bl)
2771 (*dat->block) (in + i, out + i, &dat->ks);
17f121de 2772
0f113f3e 2773 return 1;
17f121de 2774}
deb2c1a1 2775
0f113f3e
MC		 2776static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2777 const unsigned char *in, size_t len)
17f121de 2778{
6435f0f6 2779 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2780
6435f0f6 2781 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2782 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2783 EVP_CIPHER_CTX_iv_noconst(ctx), &num, dat->block);
2784 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2785 return 1;
17f121de 2786}
deb2c1a1 2787
0f113f3e
MC		 2788static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2789 const unsigned char *in, size_t len)
17f121de 2790{
6435f0f6 2791 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2792
6435f0f6 2793 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2794 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2795 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2796 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2797 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2798 return 1;
17f121de
AP		 2799}
2800
0f113f3e
MC		 2801static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2802 const unsigned char *in, size_t len)
17f121de 2803{
6435f0f6 2804 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2805
6435f0f6 2806 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2807 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2808 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2809 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2810 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2811 return 1;
17f121de 2812}
8d1ebe0b 2813
0f113f3e
MC		 2814static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2815 const unsigned char *in, size_t len)
17f121de 2816{
6435f0f6 2817 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 2818
6435f0f6
RL		 2819 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
2820 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2821 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2822 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2823 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2824 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e
MC		 2825 return 1;
2826 }
2827
2828 while (len >= MAXBITCHUNK) {
6435f0f6 2829 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2830 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
6435f0f6
RL		 2831 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2832 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2833 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2834 len -= MAXBITCHUNK;
604e591e
BE		 2835 out += MAXBITCHUNK;
2836 in += MAXBITCHUNK;
0f113f3e 2837 }
6435f0f6
RL		 2838 if (len) {
2839 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2840 CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
6435f0f6
RL		 2841 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2842 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2843 EVP_CIPHER_CTX_set_num(ctx, num);
2844 }
0f113f3e
MC		 2845
2846 return 1;
17f121de 2847}
8d1ebe0b 2848
0f113f3e
MC		 2849static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2850 const unsigned char *in, size_t len)
d976f992 2851{
6435f0f6
RL		 2852 unsigned int num = EVP_CIPHER_CTX_num(ctx);
2853 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e
MC		 2854
2855 if (dat->stream.ctr)
2856 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
6435f0f6
RL		 2857 EVP_CIPHER_CTX_iv_noconst(ctx),
2858 EVP_CIPHER_CTX_buf_noconst(ctx),
2859 &num, dat->stream.ctr);
0f113f3e
MC		 2860 else
2861 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2862 EVP_CIPHER_CTX_iv_noconst(ctx),
2863 EVP_CIPHER_CTX_buf_noconst(ctx), &num,
2864 dat->block);
2865 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2866 return 1;
d976f992
AP		 2867}
2868
0f113f3e
MC		 2869BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
2870 BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
2871 BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
bdaa5415
DSH		 2872
2873static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
0f113f3e 2874{
6435f0f6 2875 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
273a0218
BE		 2876 if (gctx == NULL)
2877 return 0;
0f113f3e 2878 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
6435f0f6 2879 if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
0f113f3e
MC		 2880 OPENSSL_free(gctx->iv);
2881 return 1;
2882}
bdaa5415
DSH		 2883
2884static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 2885{
6435f0f6 2886 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
0f113f3e
MC		 2887 switch (type) {
2888 case EVP_CTRL_INIT:
2889 gctx->key_set = 0;
2890 gctx->iv_set = 0;
c5307d9c
AP		 2891 gctx->ivlen = c->cipher->iv_len;
2892 gctx->iv = c->iv;
0f113f3e
MC		 2893 gctx->taglen = -1;
2894 gctx->iv_gen = 0;
2895 gctx->tls_aad_len = -1;
2896 return 1;
2897
e640fa02 2898 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 2899 if (arg <= 0)
2900 return 0;
2901 /* Allocate memory for IV if needed */
2902 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
c5307d9c 2903 if (gctx->iv != c->iv)
0f113f3e 2904 OPENSSL_free(gctx->iv);
cdb10bae
RS		 2905 if ((gctx->iv = OPENSSL_malloc(arg)) == NULL) {
2906 EVPerr(EVP_F_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
0f113f3e 2907 return 0;
cdb10bae 2908 }
0f113f3e
MC		 2909 }
2910 gctx->ivlen = arg;
2911 return 1;
2912
e640fa02 2913 case EVP_CTRL_AEAD_SET_TAG:
c5307d9c 2914 if (arg <= 0 || arg > 16 || c->encrypt)
0f113f3e 2915 return 0;
c5307d9c 2916 memcpy(c->buf, ptr, arg);
0f113f3e
MC		 2917 gctx->taglen = arg;
2918 return 1;
2919
e640fa02 2920 case EVP_CTRL_AEAD_GET_TAG:
c5307d9c 2921 if (arg <= 0 || arg > 16 || !c->encrypt
6435f0f6 2922 || gctx->taglen < 0)
0f113f3e 2923 return 0;
c5307d9c 2924 memcpy(ptr, c->buf, arg);
0f113f3e
MC		 2925 return 1;
2926
ecd1557f 2927 case EVP_CTRL_GET_IV:
bcf082d1 2928 if (gctx->iv_gen != 1 && gctx->iv_gen_rand != 1)
ecd1557f
BP		 2929 return 0;
2930 if (gctx->ivlen != arg)
2931 return 0;
2932 memcpy(ptr, gctx->iv, arg);
2933 return 1;
2934
0f113f3e
MC		 2935 case EVP_CTRL_GCM_SET_IV_FIXED:
2936 /* Special case: -1 length restores whole IV */
2937 if (arg == -1) {
2938 memcpy(gctx->iv, ptr, gctx->ivlen);
2939 gctx->iv_gen = 1;
2940 return 1;
2941 }
2942 /*
2943 * Fixed field must be at least 4 bytes and invocation field at least
2944 * 8.
2945 */
2946 if ((arg < 4) || (gctx->ivlen - arg) < 8)
2947 return 0;
2948 if (arg)
2949 memcpy(gctx->iv, ptr, arg);
c5307d9c 2950 if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
16cfc2c9 2951 return 0;
0f113f3e
MC		 2952 gctx->iv_gen = 1;
2953 return 1;
2954
2955 case EVP_CTRL_GCM_IV_GEN:
2956 if (gctx->iv_gen == 0 || gctx->key_set == 0)
2957 return 0;
2958 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
2959 if (arg <= 0 || arg > gctx->ivlen)
2960 arg = gctx->ivlen;
2961 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
2962 /*
2963 * Invocation field will be at least 8 bytes in size and so no need
2964 * to check wrap around or increment more than last 8 bytes.
2965 */
2966 ctr64_inc(gctx->iv + gctx->ivlen - 8);
2967 gctx->iv_set = 1;
2968 return 1;
2969
2970 case EVP_CTRL_GCM_SET_IV_INV:
c5307d9c 2971 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
0f113f3e
MC		 2972 return 0;
2973 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
2974 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
2975 gctx->iv_set = 1;
2976 return 1;
2977
2978 case EVP_CTRL_AEAD_TLS1_AAD:
2979 /* Save the AAD for later use */
c8269881 2980 if (arg != EVP_AEAD_TLS1_AAD_LEN)
0f113f3e 2981 return 0;
c5307d9c 2982 memcpy(c->buf, ptr, arg);
0f113f3e 2983 gctx->tls_aad_len = arg;
d6b34570 2984 gctx->tls_enc_records = 0;
0f113f3e 2985 {
c5307d9c 2986 unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
0f113f3e 2987 /* Correct length for explicit IV */
2198b3a5
AP		 2988 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
2989 return 0;
0f113f3e
MC		 2990 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
2991 /* If decrypting correct for tag too */
c5307d9c 2992 if (!c->encrypt) {
2198b3a5
AP		 2993 if (len < EVP_GCM_TLS_TAG_LEN)
2994 return 0;
0f113f3e 2995 len -= EVP_GCM_TLS_TAG_LEN;
2198b3a5 2996 }
c5307d9c
AP		 2997 c->buf[arg - 2] = len >> 8;
2998 c->buf[arg - 1] = len & 0xff;
0f113f3e
MC		 2999 }
3000 /* Extra padding: tag appended to record */
3001 return EVP_GCM_TLS_TAG_LEN;
3002
3003 case EVP_CTRL_COPY:
3004 {
3005 EVP_CIPHER_CTX *out = ptr;
6435f0f6 3006 EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out);
0f113f3e
MC		 3007 if (gctx->gcm.key) {
3008 if (gctx->gcm.key != &gctx->ks)
3009 return 0;
3010 gctx_out->gcm.key = &gctx_out->ks;
3011 }
c5307d9c
AP		 3012 if (gctx->iv == c->iv)
3013 gctx_out->iv = out->iv;
0f113f3e 3014 else {
cdb10bae
RS		 3015 if ((gctx_out->iv = OPENSSL_malloc(gctx->ivlen)) == NULL) {
3016 EVPerr(EVP_F_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
0f113f3e 3017 return 0;
cdb10bae 3018 }
0f113f3e
MC		 3019 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
3020 }
3021 return 1;
3022 }
3023
3024 default:
3025 return -1;
3026
3027 }
3028}
bdaa5415
DSH		 3029
3030static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3031 const unsigned char *iv, int enc)
3032{
6435f0f6 3033 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 3034 if (!iv && !key)
3035 return 1;
3036 if (key) {
3037 do {
5158c763 3038#ifdef HWAES_CAPABLE
0f113f3e 3039 if (HWAES_CAPABLE) {
c5307d9c 3040 HWAES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
0f113f3e
MC		 3041 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
3042 (block128_f) HWAES_encrypt);
5158c763 3043# ifdef HWAES_ctr32_encrypt_blocks
0f113f3e 3044 gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
5158c763 3045# else
0f113f3e 3046 gctx->ctr = NULL;
5158c763 3047# endif
0f113f3e
MC		 3048 break;
3049 } else
5158c763
MC		 3050#endif
3051#ifdef BSAES_CAPABLE
0f113f3e 3052 if (BSAES_CAPABLE) {
c5307d9c 3053 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
0f113f3e
MC		 3054 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
3055 (block128_f) AES_encrypt);
3056 gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
3057 break;
3058 } else
5158c763
MC		 3059#endif
3060#ifdef VPAES_CAPABLE
0f113f3e 3061 if (VPAES_CAPABLE) {
c5307d9c 3062 vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
0f113f3e
MC		 3063 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
3064 (block128_f) vpaes_encrypt);
3065 gctx->ctr = NULL;
3066 break;
3067 } else
5158c763 3068#endif
0f113f3e
MC		 3069 (void)0; /* terminate potentially open 'else' */
3070
c5307d9c 3071 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
0f113f3e
MC		 3072 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
3073 (block128_f) AES_encrypt);
5158c763 3074#ifdef AES_CTR_ASM
0f113f3e 3075 gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
5158c763 3076#else
0f113f3e 3077 gctx->ctr = NULL;
5158c763 3078#endif
0f113f3e
MC		 3079 } while (0);
3080
3081 /*
3082 * If we have an iv can set it directly, otherwise use saved IV.
3083 */
3084 if (iv == NULL && gctx->iv_set)
3085 iv = gctx->iv;
3086 if (iv) {
3087 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
3088 gctx->iv_set = 1;
3089 }
3090 gctx->key_set = 1;
3091 } else {
3092 /* If key set use IV, otherwise copy */
3093 if (gctx->key_set)
3094 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
3095 else
3096 memcpy(gctx->iv, iv, gctx->ivlen);
3097 gctx->iv_set = 1;
3098 gctx->iv_gen = 0;
3099 }
3100 return 1;
3101}
3102
3103/*
3104 * Handle TLS GCM packet format. This consists of the last portion of the IV
28dd49fa
DSH		 3105 * followed by the payload and finally the tag. On encrypt generate IV,
3106 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
3107 * and verify tag.
3108 */
3109
3110static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3111 const unsigned char *in, size_t len)
3112{
6435f0f6 3113 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 3114 int rv = -1;
3115 /* Encrypt/decrypt must be performed in place */
3116 if (out != in
3117 || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
3118 return -1;
df443918 3119
d6b34570
P		 3120 /*
3121 * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
3122 * Requirements from SP 800-38D". The requirements is for one party to the
3123 * communication to fail after 2^64 - 1 keys. We do this on the encrypting
3124 * side only.
3125 */
3126 if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
3127 EVPerr(EVP_F_AES_GCM_TLS_CIPHER, EVP_R_TOO_MANY_RECORDS);
3128 goto err;
3129 }
3130
0f113f3e
MC		 3131 /*
3132 * Set IV from start of buffer or generate IV and write to start of
3133 * buffer.
3134 */
c5307d9c
AP		 3135 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? EVP_CTRL_GCM_IV_GEN
3136 : EVP_CTRL_GCM_SET_IV_INV,
0f113f3e
MC		 3137 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
3138 goto err;
3139 /* Use saved AAD */
c5307d9c 3140 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
0f113f3e
MC		 3141 goto err;
3142 /* Fix buffer and length to point to payload */
3143 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
3144 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
3145 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
c5307d9c 3146 if (ctx->encrypt) {
0f113f3e
MC		 3147 /* Encrypt payload */
3148 if (gctx->ctr) {
3149 size_t bulk = 0;
5158c763 3150#if defined(AES_GCM_ASM)
0f113f3e
MC		 3151 if (len >= 32 && AES_GCM_ASM(gctx)) {
3152 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
3153 return -1;
3154
3155 bulk = AES_gcm_encrypt(in, out, len,
3156 gctx->gcm.key,
3157 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3158 gctx->gcm.len.u[1] += bulk;
3159 }
5158c763 3160#endif
0f113f3e
MC		 3161 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
3162 in + bulk,
3163 out + bulk,
3164 len - bulk, gctx->ctr))
3165 goto err;
3166 } else {
3167 size_t bulk = 0;
5158c763 3168#if defined(AES_GCM_ASM2)
0f113f3e
MC		 3169 if (len >= 32 && AES_GCM_ASM2(gctx)) {
3170 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
3171 return -1;
3172
3173 bulk = AES_gcm_encrypt(in, out, len,
3174 gctx->gcm.key,
3175 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3176 gctx->gcm.len.u[1] += bulk;
3177 }
5158c763 3178#endif
0f113f3e
MC		 3179 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
3180 in + bulk, out + bulk, len - bulk))
3181 goto err;
3182 }
3183 out += len;
3184 /* Finally write tag */
3185 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
3186 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
3187 } else {
3188 /* Decrypt */
3189 if (gctx->ctr) {
3190 size_t bulk = 0;
5158c763 3191#if defined(AES_GCM_ASM)
0f113f3e
MC		 3192 if (len >= 16 && AES_GCM_ASM(gctx)) {
3193 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
3194 return -1;
3195
3196 bulk = AES_gcm_decrypt(in, out, len,
3197 gctx->gcm.key,
3198 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3199 gctx->gcm.len.u[1] += bulk;
3200 }
5158c763 3201#endif
0f113f3e
MC		 3202 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
3203 in + bulk,
3204 out + bulk,
3205 len - bulk, gctx->ctr))
3206 goto err;
3207 } else {
3208 size_t bulk = 0;
5158c763 3209#if defined(AES_GCM_ASM2)
0f113f3e
MC		 3210 if (len >= 16 && AES_GCM_ASM2(gctx)) {
3211 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
3212 return -1;
3213
3214 bulk = AES_gcm_decrypt(in, out, len,
3215 gctx->gcm.key,
3216 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3217 gctx->gcm.len.u[1] += bulk;
3218 }
5158c763 3219#endif
0f113f3e
MC		 3220 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
3221 in + bulk, out + bulk, len - bulk))
3222 goto err;
3223 }
3224 /* Retrieve tag */
c5307d9c 3225 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
0f113f3e 3226 /* If tag mismatch wipe buffer */
c5307d9c 3227 if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
0f113f3e
MC		 3228 OPENSSL_cleanse(out, len);
3229 goto err;
3230 }
3231 rv = len;
3232 }
3233
3234 err:
3235 gctx->iv_set = 0;
3236 gctx->tls_aad_len = -1;
3237 return rv;
3238}
28dd49fa 3239
bcf082d1
SL		 3240#ifdef FIPS_MODE
3241/*
3242 * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
3243 *
3244 * See also 8.2.2 RBG-based construction.
3245 * Random construction consists of a free field (which can be NULL) and a
3246 * random field which will use a DRBG that can return at least 96 bits of
3247 * entropy strength. (The DRBG must be seeded by the FIPS module).
3248 */
3249static int aes_gcm_iv_generate(EVP_AES_GCM_CTX *gctx, int offset)
3250{
3251 int sz = gctx->ivlen - offset;
3252
3253 /* Must be at least 96 bits */
3254 if (sz <= 0 || gctx->ivlen < 12)
3255 return 0;
3256
3257 /* Use DRBG to generate random iv */
3258 if (RAND_bytes(gctx->iv + offset, sz) <= 0)
3259 return 0;
3260 return 1;
3261}
3262#endif /* FIPS_MODE */
3263
17f121de 3264static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3265 const unsigned char *in, size_t len)
3266{
6435f0f6 3267 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
bcf082d1 3268
0f113f3e
MC		 3269 /* If not set up, return error */
3270 if (!gctx->key_set)
3271 return -1;
3272
3273 if (gctx->tls_aad_len >= 0)
3274 return aes_gcm_tls_cipher(ctx, out, in, len);
3275
bcf082d1
SL		 3276#ifdef FIPS_MODE
3277 /*
3278 * FIPS requires generation of AES-GCM IV's inside the FIPS module.
3279 * The IV can still be set externally (the security policy will state that
3280 * this is not FIPS compliant). There are some applications
3281 * where setting the IV externally is the only option available.
3282 */
3283 if (!gctx->iv_set) {
3284 if (!ctx->encrypt || !aes_gcm_iv_generate(gctx, 0))
3285 return -1;
3286 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
3287 gctx->iv_set = 1;
3288 gctx->iv_gen_rand = 1;
3289 }
3290#else
0f113f3e
MC		 3291 if (!gctx->iv_set)
3292 return -1;
bcf082d1
SL		 3293#endif /* FIPS_MODE */
3294
0f113f3e
MC		 3295 if (in) {
3296 if (out == NULL) {
3297 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
3298 return -1;
c5307d9c 3299 } else if (ctx->encrypt) {
0f113f3e
MC		 3300 if (gctx->ctr) {
3301 size_t bulk = 0;
5158c763 3302#if defined(AES_GCM_ASM)
0f113f3e
MC		 3303 if (len >= 32 && AES_GCM_ASM(gctx)) {
3304 size_t res = (16 - gctx->gcm.mres) % 16;
3305
3306 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
3307 return -1;
3308
3309 bulk = AES_gcm_encrypt(in + res,
3310 out + res, len - res,
3311 gctx->gcm.key, gctx->gcm.Yi.c,
3312 gctx->gcm.Xi.u);
3313 gctx->gcm.len.u[1] += bulk;
3314 bulk += res;
3315 }
5158c763 3316#endif
0f113f3e
MC		 3317 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
3318 in + bulk,
3319 out + bulk,
3320 len - bulk, gctx->ctr))
3321 return -1;
3322 } else {
3323 size_t bulk = 0;
5158c763 3324#if defined(AES_GCM_ASM2)
0f113f3e
MC		 3325 if (len >= 32 && AES_GCM_ASM2(gctx)) {
3326 size_t res = (16 - gctx->gcm.mres) % 16;
3327
3328 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
3329 return -1;
3330
3331 bulk = AES_gcm_encrypt(in + res,
3332 out + res, len - res,
3333 gctx->gcm.key, gctx->gcm.Yi.c,
3334 gctx->gcm.Xi.u);
3335 gctx->gcm.len.u[1] += bulk;
3336 bulk += res;
3337 }
5158c763 3338#endif
0f113f3e
MC		 3339 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
3340 in + bulk, out + bulk, len - bulk))
3341 return -1;
3342 }
3343 } else {
3344 if (gctx->ctr) {
3345 size_t bulk = 0;
5158c763 3346#if defined(AES_GCM_ASM)
0f113f3e
MC		 3347 if (len >= 16 && AES_GCM_ASM(gctx)) {
3348 size_t res = (16 - gctx->gcm.mres) % 16;
3349
3350 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
3351 return -1;
3352
3353 bulk = AES_gcm_decrypt(in + res,
3354 out + res, len - res,
3355 gctx->gcm.key,
3356 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3357 gctx->gcm.len.u[1] += bulk;
3358 bulk += res;
3359 }
5158c763 3360#endif
0f113f3e
MC		 3361 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
3362 in + bulk,
3363 out + bulk,
3364 len - bulk, gctx->ctr))
3365 return -1;
3366 } else {
3367 size_t bulk = 0;
5158c763 3368#if defined(AES_GCM_ASM2)
0f113f3e
MC		 3369 if (len >= 16 && AES_GCM_ASM2(gctx)) {
3370 size_t res = (16 - gctx->gcm.mres) % 16;
3371
3372 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
3373 return -1;
3374
3375 bulk = AES_gcm_decrypt(in + res,
3376 out + res, len - res,
3377 gctx->gcm.key,
3378 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3379 gctx->gcm.len.u[1] += bulk;
3380 bulk += res;
3381 }
5158c763 3382#endif
0f113f3e
MC		 3383 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
3384 in + bulk, out + bulk, len - bulk))
3385 return -1;
3386 }
3387 }
3388 return len;
3389 } else {
c5307d9c 3390 if (!ctx->encrypt) {
0f113f3e
MC		 3391 if (gctx->taglen < 0)
3392 return -1;
c5307d9c 3393 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0)
0f113f3e
MC		 3394 return -1;
3395 gctx->iv_set = 0;
3396 return 0;
3397 }
c5307d9c 3398 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
0f113f3e
MC		 3399 gctx->taglen = 16;
3400 /* Don't reuse the IV */
3401 gctx->iv_set = 0;
3402 return 0;
3403 }
3404
3405}
3406
5158c763 3407#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
0f113f3e
MC		 3408 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3409 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3410 | EVP_CIPH_CUSTOM_COPY)
3411
3412BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
3413 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3414 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
3415 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3416 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
3417 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
32a2d8dd
DSH		 3418
3419static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 3420{
2c840201
P		 3421 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX, c);
3422
0f113f3e
MC		 3423 if (type == EVP_CTRL_COPY) {
3424 EVP_CIPHER_CTX *out = ptr;
6435f0f6 3425 EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
2c840201 3426
0f113f3e
MC		 3427 if (xctx->xts.key1) {
3428 if (xctx->xts.key1 != &xctx->ks1)
3429 return 0;
3430 xctx_out->xts.key1 = &xctx_out->ks1;
3431 }
3432 if (xctx->xts.key2) {
3433 if (xctx->xts.key2 != &xctx->ks2)
3434 return 0;
3435 xctx_out->xts.key2 = &xctx_out->ks2;
3436 }
3437 return 1;
3438 } else if (type != EVP_CTRL_INIT)
3439 return -1;
3440 /* key1 and key2 are used as an indicator both key and IV are set */
3441 xctx->xts.key1 = NULL;
3442 xctx->xts.key2 = NULL;
3443 return 1;
3444}
32a2d8dd
DSH		 3445
3446static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3447 const unsigned char *iv, int enc)
3448{
6435f0f6 3449 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
2c840201 3450
0f113f3e
MC		 3451 if (!iv && !key)
3452 return 1;
3453
3538b0f7 3454 if (key) {
0f113f3e 3455 do {
3538b0f7
P		 3456 /* The key is two half length keys in reality */
3457 const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
3458 const int bits = bytes * 8;
3459
3460 /*
3461 * Verify that the two keys are different.
3462 *
3463 * This addresses the vulnerability described in Rogaway's
3464 * September 2004 paper:
3465 *
3466 * "Efficient Instantiations of Tweakable Blockciphers and
3467 * Refinements to Modes OCB and PMAC".
3468 * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
3469 *
3470 * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
3471 * that:
3472 * "The check for Key_1 != Key_2 shall be done at any place
3473 * BEFORE using the keys in the XTS-AES algorithm to process
3474 * data with them."
3475 */
2c840201
P		 3476 if ((!allow_insecure_decrypt || enc)
3477 && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
3538b0f7
P		 3478 EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
3479 return 0;
3480 }
3481
5158c763 3482#ifdef AES_XTS_ASM
0f113f3e 3483 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
5158c763 3484#else
0f113f3e 3485 xctx->stream = NULL;
5158c763 3486#endif
0f113f3e 3487 /* key_len is two AES keys */
5158c763 3488#ifdef HWAES_CAPABLE
0f113f3e
MC		 3489 if (HWAES_CAPABLE) {
3490 if (enc) {
3538b0f7 3491 HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e 3492 xctx->xts.block1 = (block128_f) HWAES_encrypt;
46f047d7
AP		 3493# ifdef HWAES_xts_encrypt
3494 xctx->stream = HWAES_xts_encrypt;
3495# endif
0f113f3e 3496 } else {
3538b0f7 3497 HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e 3498 xctx->xts.block1 = (block128_f) HWAES_decrypt;
46f047d7
AP		 3499# ifdef HWAES_xts_decrypt
3500 xctx->stream = HWAES_xts_decrypt;
3501#endif
0f113f3e
MC		 3502 }
3503
3538b0f7 3504 HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
0f113f3e
MC		 3505 xctx->xts.block2 = (block128_f) HWAES_encrypt;
3506
3507 xctx->xts.key1 = &xctx->ks1;
3508 break;
3509 } else
5158c763
MC		 3510#endif
3511#ifdef BSAES_CAPABLE
0f113f3e
MC		 3512 if (BSAES_CAPABLE)
3513 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
3514 else
5158c763
MC		 3515#endif
3516#ifdef VPAES_CAPABLE
0f113f3e
MC		 3517 if (VPAES_CAPABLE) {
3518 if (enc) {
3538b0f7 3519 vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 3520 xctx->xts.block1 = (block128_f) vpaes_encrypt;
3521 } else {
3538b0f7 3522 vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 3523 xctx->xts.block1 = (block128_f) vpaes_decrypt;
3524 }
3525
3538b0f7 3526 vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
0f113f3e
MC		 3527 xctx->xts.block2 = (block128_f) vpaes_encrypt;
3528
3529 xctx->xts.key1 = &xctx->ks1;
3530 break;
3531 } else
5158c763 3532#endif
0f113f3e
MC		 3533 (void)0; /* terminate potentially open 'else' */
3534
3535 if (enc) {
3538b0f7 3536 AES_set_encrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 3537 xctx->xts.block1 = (block128_f) AES_encrypt;
3538 } else {
3538b0f7 3539 AES_set_decrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 3540 xctx->xts.block1 = (block128_f) AES_decrypt;
3541 }
3542
3538b0f7 3543 AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
0f113f3e
MC		 3544 xctx->xts.block2 = (block128_f) AES_encrypt;
3545
3546 xctx->xts.key1 = &xctx->ks1;
3547 } while (0);
3538b0f7 3548 }
0f113f3e
MC		 3549
3550 if (iv) {
3551 xctx->xts.key2 = &xctx->ks2;
6435f0f6 3552 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 3553 }
3554
3555 return 1;
3556}
32a2d8dd 3557
17f121de 3558static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3559 const unsigned char *in, size_t len)
3560{
6435f0f6 3561 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
95eda4f0
P		 3562
3563 if (xctx->xts.key1 == NULL
3564 || xctx->xts.key2 == NULL
3565 || out == NULL
3566 || in == NULL
3567 || len < AES_BLOCK_SIZE)
0f113f3e 3568 return 0;
95eda4f0 3569
5516c19b
P		 3570 /*
3571 * Impose a limit of 2^20 blocks per data unit as specifed by
3572 * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007
3573 * indicated that this was a SHOULD NOT rather than a MUST NOT.
3574 * NIST SP 800-38E mandates the same limit.
3575 */
3576 if (len > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
3577 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE);
3578 return 0;
3579 }
3580
0f113f3e
MC		 3581 if (xctx->stream)
3582 (*xctx->stream) (in, out, len,
6435f0f6
RL		 3583 xctx->xts.key1, xctx->xts.key2,
3584 EVP_CIPHER_CTX_iv_noconst(ctx));
3585 else if (CRYPTO_xts128_encrypt(&xctx->xts, EVP_CIPHER_CTX_iv_noconst(ctx),
3586 in, out, len,
3587 EVP_CIPHER_CTX_encrypting(ctx)))
0f113f3e
MC		 3588 return 0;
3589 return 1;
3590}
3591
5158c763 3592#define aes_xts_cleanup NULL
0f113f3e 3593
5158c763 3594#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
0f113f3e
MC		 3595 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3596 | EVP_CIPH_CUSTOM_COPY)
3597
3598BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
3599 BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
23916810
DSH		 3600
3601static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 3602{
6435f0f6 3603 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c);
0f113f3e
MC		 3604 switch (type) {
3605 case EVP_CTRL_INIT:
3606 cctx->key_set = 0;
3607 cctx->iv_set = 0;
3608 cctx->L = 8;
3609 cctx->M = 12;
3610 cctx->tag_set = 0;
3611 cctx->len_set = 0;
e75c5a79
DSH		 3612 cctx->tls_aad_len = -1;
3613 return 1;
3614
3615 case EVP_CTRL_AEAD_TLS1_AAD:
3616 /* Save the AAD for later use */
3617 if (arg != EVP_AEAD_TLS1_AAD_LEN)
3618 return 0;
6435f0f6 3619 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
e75c5a79
DSH		 3620 cctx->tls_aad_len = arg;
3621 {
6435f0f6
RL		 3622 uint16_t len =
3623 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
3624 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
e75c5a79 3625 /* Correct length for explicit IV */
2198b3a5
AP		 3626 if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
3627 return 0;
e75c5a79
DSH		 3628 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
3629 /* If decrypting correct for tag too */
2198b3a5
AP		 3630 if (!EVP_CIPHER_CTX_encrypting(c)) {
3631 if (len < cctx->M)
3632 return 0;
e75c5a79 3633 len -= cctx->M;
2198b3a5 3634 }
6435f0f6
RL		 3635 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
3636 EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
e75c5a79
DSH		 3637 }
3638 /* Extra padding: tag appended to record */
3639 return cctx->M;
3640
3641 case EVP_CTRL_CCM_SET_IV_FIXED:
3642 /* Sanity check length */
3643 if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
3644 return 0;
3645 /* Just copy to first part of IV */
6435f0f6 3646 memcpy(EVP_CIPHER_CTX_iv_noconst(c), ptr, arg);
0f113f3e
MC		 3647 return 1;
3648
e640fa02 3649 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e 3650 arg = 15 - arg;
018fcbec 3651 /* fall thru */
0f113f3e
MC		 3652 case EVP_CTRL_CCM_SET_L:
3653 if (arg < 2 || arg > 8)
3654 return 0;
3655 cctx->L = arg;
3656 return 1;
3657
e640fa02 3658 case EVP_CTRL_AEAD_SET_TAG:
0f113f3e
MC		 3659 if ((arg & 1) || arg < 4 || arg > 16)
3660 return 0;
6435f0f6 3661 if (EVP_CIPHER_CTX_encrypting(c) && ptr)
0f113f3e
MC		 3662 return 0;
3663 if (ptr) {
3664 cctx->tag_set = 1;
6435f0f6 3665 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
0f113f3e
MC		 3666 }
3667 cctx->M = arg;
3668 return 1;
3669
e640fa02 3670 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6 3671 if (!EVP_CIPHER_CTX_encrypting(c) || !cctx->tag_set)
0f113f3e
MC		 3672 return 0;
3673 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
3674 return 0;
3675 cctx->tag_set = 0;
3676 cctx->iv_set = 0;
3677 cctx->len_set = 0;
3678 return 1;
3679
3680 case EVP_CTRL_COPY:
3681 {
3682 EVP_CIPHER_CTX *out = ptr;
6435f0f6 3683 EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out);
0f113f3e
MC		 3684 if (cctx->ccm.key) {
3685 if (cctx->ccm.key != &cctx->ks)
3686 return 0;
3687 cctx_out->ccm.key = &cctx_out->ks;
3688 }
3689 return 1;
3690 }
3691
3692 default:
3693 return -1;
3694
3695 }
3696}
23916810
DSH		 3697
3698static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3699 const unsigned char *iv, int enc)
3700{
6435f0f6 3701 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 3702 if (!iv && !key)
3703 return 1;
3704 if (key)
3705 do {
5158c763 3706#ifdef HWAES_CAPABLE
0f113f3e 3707 if (HWAES_CAPABLE) {
6435f0f6
RL		 3708 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3709 &cctx->ks.ks);
0f113f3e
MC		 3710
3711 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3712 &cctx->ks, (block128_f) HWAES_encrypt);
3713 cctx->str = NULL;
3714 cctx->key_set = 1;
3715 break;
3716 } else
5158c763
MC		 3717#endif
3718#ifdef VPAES_CAPABLE
0f113f3e 3719 if (VPAES_CAPABLE) {
6435f0f6
RL		 3720 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3721 &cctx->ks.ks);
0f113f3e
MC		 3722 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3723 &cctx->ks, (block128_f) vpaes_encrypt);
3724 cctx->str = NULL;
3725 cctx->key_set = 1;
3726 break;
3727 }
5158c763 3728#endif
6435f0f6
RL		 3729 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3730 &cctx->ks.ks);
0f113f3e
MC		 3731 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3732 &cctx->ks, (block128_f) AES_encrypt);
3733 cctx->str = NULL;
3734 cctx->key_set = 1;
3735 } while (0);
3736 if (iv) {
6435f0f6 3737 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 3738 cctx->iv_set = 1;
3739 }
3740 return 1;
3741}
23916810 3742
e75c5a79
DSH		 3743static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
3744 const unsigned char *in, size_t len)
3745{
6435f0f6 3746 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
e75c5a79
DSH		 3747 CCM128_CONTEXT *ccm = &cctx->ccm;
3748 /* Encrypt/decrypt must be performed in place */
3749 if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
3750 return -1;
3751 /* If encrypting set explicit IV from sequence number (start of AAD) */
6435f0f6
RL		 3752 if (EVP_CIPHER_CTX_encrypting(ctx))
3753 memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx),
3754 EVP_CCM_TLS_EXPLICIT_IV_LEN);
e75c5a79 3755 /* Get rest of IV from explicit IV */
6435f0f6
RL		 3756 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx) + EVP_CCM_TLS_FIXED_IV_LEN, in,
3757 EVP_CCM_TLS_EXPLICIT_IV_LEN);
e75c5a79
DSH		 3758 /* Correct length value */
3759 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
6435f0f6
RL		 3760 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), 15 - cctx->L,
3761 len))
e75c5a79
DSH		 3762 return -1;
3763 /* Use saved AAD */
6435f0f6 3764 CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx), cctx->tls_aad_len);
e75c5a79
DSH		 3765 /* Fix buffer to point to payload */
3766 in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
3767 out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
6435f0f6 3768 if (EVP_CIPHER_CTX_encrypting(ctx)) {
e75c5a79
DSH		 3769 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
3770 cctx->str) :
3771 CRYPTO_ccm128_encrypt(ccm, in, out, len))
3772 return -1;
3773 if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
3774 return -1;
3775 return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
3776 } else {
3777 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
3778 cctx->str) :
3779 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
3780 unsigned char tag[16];
3781 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
3782 if (!CRYPTO_memcmp(tag, in + len, cctx->M))
3783 return len;
3784 }
3785 }
3786 OPENSSL_cleanse(out, len);
3787 return -1;
3788 }
3789}
3790
17f121de 3791static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3792 const unsigned char *in, size_t len)
3793{
6435f0f6 3794 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 3795 CCM128_CONTEXT *ccm = &cctx->ccm;
3796 /* If not set up, return error */
e75c5a79
DSH		 3797 if (!cctx->key_set)
3798 return -1;
3799
3800 if (cctx->tls_aad_len >= 0)
3801 return aes_ccm_tls_cipher(ctx, out, in, len);
3802
197421b1
DSH		 3803 /* EVP_*Final() doesn't return any data */
3804 if (in == NULL && out != NULL)
3805 return 0;
3806
e75c5a79 3807 if (!cctx->iv_set)
0f113f3e 3808 return -1;
e75c5a79 3809
0f113f3e
MC		 3810 if (!out) {
3811 if (!in) {
6435f0f6
RL		 3812 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
3813 15 - cctx->L, len))
0f113f3e
MC		 3814 return -1;
3815 cctx->len_set = 1;
3816 return len;
3817 }
3818 /* If have AAD need message length */
3819 if (!cctx->len_set && len)
3820 return -1;
3821 CRYPTO_ccm128_aad(ccm, in, len);
3822 return len;
3823 }
67c81ec3
TN		 3824
3825 /* The tag must be set before actually decrypting data */
3826 if (!EVP_CIPHER_CTX_encrypting(ctx) && !cctx->tag_set)
3827 return -1;
3828
0f113f3e
MC		 3829 /* If not set length yet do it */
3830 if (!cctx->len_set) {
6435f0f6
RL		 3831 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
3832 15 - cctx->L, len))
0f113f3e
MC		 3833 return -1;
3834 cctx->len_set = 1;
3835 }
6435f0f6 3836 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 3837 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
3838 cctx->str) :
3839 CRYPTO_ccm128_encrypt(ccm, in, out, len))
3840 return -1;
3841 cctx->tag_set = 1;
3842 return len;
3843 } else {
3844 int rv = -1;
3845 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
3846 cctx->str) :
3847 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
3848 unsigned char tag[16];
3849 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
6435f0f6
RL		 3850 if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx),
3851 cctx->M))
0f113f3e
MC		 3852 rv = len;
3853 }
3854 }
3855 if (rv == -1)
3856 OPENSSL_cleanse(out, len);
3857 cctx->iv_set = 0;
3858 cctx->tag_set = 0;
3859 cctx->len_set = 0;
3860 return rv;
3861 }
0f113f3e
MC		 3862}
3863
5158c763 3864#define aes_ccm_cleanup NULL
0f113f3e 3865
e75c5a79
DSH		 3866BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
3867 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3868 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
3869 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3870 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
3871 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
0f113f3e
MC		 3872
3873typedef struct {
3874 union {
39147079 3875 OSSL_UNION_ALIGN;
0f113f3e
MC		 3876 AES_KEY ks;
3877 } ks;
3878 /* Indicates if IV has been set */
3879 unsigned char *iv;
3880} EVP_AES_WRAP_CTX;
97cf1f6c
DSH		 3881
3882static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3883 const unsigned char *iv, int enc)
3884{
6435f0f6 3885 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
0f113f3e
MC		 3886 if (!iv && !key)
3887 return 1;
3888 if (key) {
6435f0f6
RL		 3889 if (EVP_CIPHER_CTX_encrypting(ctx))
3890 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3891 &wctx->ks.ks);
0f113f3e 3892 else
6435f0f6
RL		 3893 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3894 &wctx->ks.ks);
0f113f3e
MC		 3895 if (!iv)
3896 wctx->iv = NULL;
3897 }
3898 if (iv) {
6435f0f6
RL		 3899 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, EVP_CIPHER_CTX_iv_length(ctx));
3900 wctx->iv = EVP_CIPHER_CTX_iv_noconst(ctx);
0f113f3e
MC		 3901 }
3902 return 1;
3903}
97cf1f6c
DSH		 3904
3905static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3906 const unsigned char *in, size_t inlen)
3907{
6435f0f6 3908 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
0f113f3e
MC		 3909 size_t rv;
3910 /* AES wrap with padding has IV length of 4, without padding 8 */
3911 int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
3912 /* No final operation so always return zero length */
3913 if (!in)
3914 return 0;
3915 /* Input length must always be non-zero */
3916 if (!inlen)
3917 return -1;
3918 /* If decrypting need at least 16 bytes and multiple of 8 */
6435f0f6 3919 if (!EVP_CIPHER_CTX_encrypting(ctx) && (inlen < 16 || inlen & 0x7))
0f113f3e
MC		 3920 return -1;
3921 /* If not padding input must be multiple of 8 */
3922 if (!pad && inlen & 0x7)
3923 return -1;
7141ba31
MC		 3924 if (is_partially_overlapping(out, in, inlen)) {
3925 EVPerr(EVP_F_AES_WRAP_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
3926 return 0;
3927 }
0f113f3e 3928 if (!out) {
6435f0f6 3929 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 3930 /* If padding round up to multiple of 8 */
3931 if (pad)
3932 inlen = (inlen + 7) / 8 * 8;
3933 /* 8 byte prefix */
3934 return inlen + 8;
3935 } else {
3936 /*
3937 * If not padding output will be exactly 8 bytes smaller than
3938 * input. If padding it will be at least 8 bytes smaller but we
3939 * don't know how much.
3940 */
3941 return inlen - 8;
3942 }
3943 }
3944 if (pad) {
6435f0f6 3945 if (EVP_CIPHER_CTX_encrypting(ctx))
0f113f3e
MC		 3946 rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
3947 out, in, inlen,
3948 (block128_f) AES_encrypt);
3949 else
3950 rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
3951 out, in, inlen,
3952 (block128_f) AES_decrypt);
3953 } else {
6435f0f6 3954 if (EVP_CIPHER_CTX_encrypting(ctx))
0f113f3e
MC		 3955 rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
3956 out, in, inlen, (block128_f) AES_encrypt);
3957 else
3958 rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
3959 out, in, inlen, (block128_f) AES_decrypt);
3960 }
3961 return rv ? (int)rv : -1;
3962}
3963
5158c763 3964#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
0f113f3e
MC		 3965 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3966 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
97cf1f6c
DSH		 3967
3968static const EVP_CIPHER aes_128_wrap = {
0f113f3e
MC		 3969 NID_id_aes128_wrap,
3970 8, 16, 8, WRAP_FLAGS,
3971 aes_wrap_init_key, aes_wrap_cipher,
3972 NULL,
3973 sizeof(EVP_AES_WRAP_CTX),
3974 NULL, NULL, NULL, NULL
3975};
97cf1f6c
DSH		 3976
3977const EVP_CIPHER *EVP_aes_128_wrap(void)
0f113f3e
MC		 3978{
3979 return &aes_128_wrap;
3980}
97cf1f6c
DSH		 3981
3982static const EVP_CIPHER aes_192_wrap = {
0f113f3e
MC		 3983 NID_id_aes192_wrap,
3984 8, 24, 8, WRAP_FLAGS,
3985 aes_wrap_init_key, aes_wrap_cipher,
3986 NULL,
3987 sizeof(EVP_AES_WRAP_CTX),
3988 NULL, NULL, NULL, NULL
3989};
97cf1f6c
DSH		 3990
3991const EVP_CIPHER *EVP_aes_192_wrap(void)
0f113f3e
MC		 3992{
3993 return &aes_192_wrap;
3994}
97cf1f6c
DSH		 3995
3996static const EVP_CIPHER aes_256_wrap = {
0f113f3e
MC		 3997 NID_id_aes256_wrap,
3998 8, 32, 8, WRAP_FLAGS,
3999 aes_wrap_init_key, aes_wrap_cipher,
4000 NULL,
4001 sizeof(EVP_AES_WRAP_CTX),
4002 NULL, NULL, NULL, NULL
4003};
97cf1f6c
DSH		 4004
4005const EVP_CIPHER *EVP_aes_256_wrap(void)
0f113f3e
MC		 4006{
4007 return &aes_256_wrap;
4008}
97cf1f6c 4009
d31fed73 4010static const EVP_CIPHER aes_128_wrap_pad = {
0f113f3e
MC		 4011 NID_id_aes128_wrap_pad,
4012 8, 16, 4, WRAP_FLAGS,
4013 aes_wrap_init_key, aes_wrap_cipher,
4014 NULL,
4015 sizeof(EVP_AES_WRAP_CTX),
4016 NULL, NULL, NULL, NULL
4017};
d31fed73
DSH		 4018
4019const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
0f113f3e
MC		 4020{
4021 return &aes_128_wrap_pad;
4022}
d31fed73
DSH		 4023
4024static const EVP_CIPHER aes_192_wrap_pad = {
0f113f3e
MC		 4025 NID_id_aes192_wrap_pad,
4026 8, 24, 4, WRAP_FLAGS,
4027 aes_wrap_init_key, aes_wrap_cipher,
4028 NULL,
4029 sizeof(EVP_AES_WRAP_CTX),
4030 NULL, NULL, NULL, NULL
4031};
d31fed73
DSH		 4032
4033const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
0f113f3e
MC		 4034{
4035 return &aes_192_wrap_pad;
4036}
d31fed73
DSH		 4037
4038static const EVP_CIPHER aes_256_wrap_pad = {
0f113f3e
MC		 4039 NID_id_aes256_wrap_pad,
4040 8, 32, 4, WRAP_FLAGS,
4041 aes_wrap_init_key, aes_wrap_cipher,
4042 NULL,
4043 sizeof(EVP_AES_WRAP_CTX),
4044 NULL, NULL, NULL, NULL
4045};
d31fed73
DSH		 4046
4047const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
0f113f3e
MC		 4048{
4049 return &aes_256_wrap_pad;
4050}
d31fed73 4051
5158c763 4052#ifndef OPENSSL_NO_OCB
e6b336ef 4053static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 4054{
6435f0f6 4055 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
0f113f3e
MC		 4056 EVP_CIPHER_CTX *newc;
4057 EVP_AES_OCB_CTX *new_octx;
4058
4059 switch (type) {
4060 case EVP_CTRL_INIT:
4061 octx->key_set = 0;
4062 octx->iv_set = 0;
6435f0f6
RL		 4063 octx->ivlen = EVP_CIPHER_CTX_iv_length(c);
4064 octx->iv = EVP_CIPHER_CTX_iv_noconst(c);
0f113f3e
MC		 4065 octx->taglen = 16;
4066 octx->data_buf_len = 0;
4067 octx->aad_buf_len = 0;
4068 return 1;
4069
e640fa02 4070 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 4071 /* IV len must be 1 to 15 */
4072 if (arg <= 0 || arg > 15)
4073 return 0;
4074
4075 octx->ivlen = arg;
4076 return 1;
4077
e640fa02 4078 case EVP_CTRL_AEAD_SET_TAG:
d57d135c
MC		 4079 if (!ptr) {
4080 /* Tag len must be 0 to 16 */
4081 if (arg < 0 || arg > 16)
4082 return 0;
4083
4084 octx->taglen = arg;
4085 return 1;
4086 }
6435f0f6 4087 if (arg != octx->taglen || EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 4088 return 0;
4089 memcpy(octx->tag, ptr, arg);
4090 return 1;
4091
e640fa02 4092 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6 4093 if (arg != octx->taglen || !EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 4094 return 0;
4095
4096 memcpy(ptr, octx->tag, arg);
4097 return 1;
4098
4099 case EVP_CTRL_COPY:
4100 newc = (EVP_CIPHER_CTX *)ptr;
6435f0f6 4101 new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc);
0f113f3e 4102 return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb,
bdc985b1
AP		 4103 &new_octx->ksenc.ks,
4104 &new_octx->ksdec.ks);
0f113f3e
MC		 4105
4106 default:
4107 return -1;
4108
4109 }
4110}
e6b336ef 4111
5158c763
MC		 4112# ifdef HWAES_CAPABLE
4113# ifdef HWAES_ocb_encrypt
02dc0b82
AP		 4114void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out,
4115 size_t blocks, const void *key,
4116 size_t start_block_num,
4117 unsigned char offset_i[16],
4118 const unsigned char L_[][16],
4119 unsigned char checksum[16]);
5158c763 4120# else
365f95ad 4121# define HWAES_ocb_encrypt ((ocb128_f)NULL)
5158c763
MC		 4122# endif
4123# ifdef HWAES_ocb_decrypt
02dc0b82
AP		 4124void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out,
4125 size_t blocks, const void *key,
4126 size_t start_block_num,
4127 unsigned char offset_i[16],
4128 const unsigned char L_[][16],
4129 unsigned char checksum[16]);
5158c763 4130# else
365f95ad 4131# define HWAES_ocb_decrypt ((ocb128_f)NULL)
02dc0b82 4132# endif
5158c763 4133# endif
02dc0b82 4134
e6b336ef 4135static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 4136 const unsigned char *iv, int enc)
4137{
6435f0f6 4138 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 4139 if (!iv && !key)
4140 return 1;
4141 if (key) {
4142 do {
4143 /*
4144 * We set both the encrypt and decrypt key here because decrypt
4145 * needs both. We could possibly optimise to remove setting the
4146 * decrypt for an encryption operation.
4147 */
5158c763 4148# ifdef HWAES_CAPABLE
02dc0b82 4149 if (HWAES_CAPABLE) {
6435f0f6
RL		 4150 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4151 &octx->ksenc.ks);
4152 HWAES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4153 &octx->ksdec.ks);
02dc0b82
AP		 4154 if (!CRYPTO_ocb128_init(&octx->ocb,
4155 &octx->ksenc.ks, &octx->ksdec.ks,
4156 (block128_f) HWAES_encrypt,
4157 (block128_f) HWAES_decrypt,
4158 enc ? HWAES_ocb_encrypt
4159 : HWAES_ocb_decrypt))
4160 return 0;
4161 break;
4162 }
5158c763
MC		 4163# endif
4164# ifdef VPAES_CAPABLE
0f113f3e 4165 if (VPAES_CAPABLE) {
6435f0f6
RL		 4166 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4167 &octx->ksenc.ks);
4168 vpaes_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4169 &octx->ksdec.ks);
bdc985b1
AP		 4170 if (!CRYPTO_ocb128_init(&octx->ocb,
4171 &octx->ksenc.ks, &octx->ksdec.ks,
4172 (block128_f) vpaes_encrypt,
bd30091c
AP		 4173 (block128_f) vpaes_decrypt,
4174 NULL))
0f113f3e
MC		 4175 return 0;
4176 break;
4177 }
5158c763 4178# endif
6435f0f6
RL		 4179 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4180 &octx->ksenc.ks);
4181 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4182 &octx->ksdec.ks);
bdc985b1
AP		 4183 if (!CRYPTO_ocb128_init(&octx->ocb,
4184 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 4185 (block128_f) AES_encrypt,
bd30091c
AP		 4186 (block128_f) AES_decrypt,
4187 NULL))
0f113f3e
MC		 4188 return 0;
4189 }
4190 while (0);
4191
4192 /*
4193 * If we have an iv we can set it directly, otherwise use saved IV.
4194 */
4195 if (iv == NULL && octx->iv_set)
4196 iv = octx->iv;
4197 if (iv) {
4198 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
4199 != 1)
4200 return 0;
4201 octx->iv_set = 1;
4202 }
4203 octx->key_set = 1;
4204 } else {
4205 /* If key set use IV, otherwise copy */
4206 if (octx->key_set)
4207 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
4208 else
4209 memcpy(octx->iv, iv, octx->ivlen);
4210 octx->iv_set = 1;
4211 }
4212 return 1;
4213}
e6b336ef
MC		 4214
4215static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 4216 const unsigned char *in, size_t len)
4217{
4218 unsigned char *buf;
4219 int *buf_len;
4220 int written_len = 0;
4221 size_t trailing_len;
6435f0f6 4222 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 4223
4224 /* If IV or Key not set then return error */
4225 if (!octx->iv_set)
4226 return -1;
4227
4228 if (!octx->key_set)
4229 return -1;
4230
0ba5a9ea 4231 if (in != NULL) {
0f113f3e
MC		 4232 /*
4233 * Need to ensure we are only passing full blocks to low level OCB
4234 * routines. We do it here rather than in EVP_EncryptUpdate/
4235 * EVP_DecryptUpdate because we need to pass full blocks of AAD too
4236 * and those routines don't support that
4237 */
4238
4239 /* Are we dealing with AAD or normal data here? */
4240 if (out == NULL) {
4241 buf = octx->aad_buf;
4242 buf_len = &(octx->aad_buf_len);
4243 } else {
4244 buf = octx->data_buf;
4245 buf_len = &(octx->data_buf_len);
7141ba31
MC		 4246
4247 if (is_partially_overlapping(out + *buf_len, in, len)) {
4248 EVPerr(EVP_F_AES_OCB_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
4249 return 0;
4250 }
0f113f3e
MC		 4251 }
4252
4253 /*
4254 * If we've got a partially filled buffer from a previous call then
4255 * use that data first
4256 */
0ba5a9ea 4257 if (*buf_len > 0) {
0f113f3e
MC		 4258 unsigned int remaining;
4259
0ba5a9ea 4260 remaining = AES_BLOCK_SIZE - (*buf_len);
0f113f3e
MC		 4261 if (remaining > len) {
4262 memcpy(buf + (*buf_len), in, len);
4263 *(buf_len) += len;
4264 return 0;
4265 }
4266 memcpy(buf + (*buf_len), in, remaining);
4267
4268 /*
4269 * If we get here we've filled the buffer, so process it
4270 */
4271 len -= remaining;
4272 in += remaining;
4273 if (out == NULL) {
0ba5a9ea 4274 if (!CRYPTO_ocb128_aad(&octx->ocb, buf, AES_BLOCK_SIZE))
0f113f3e 4275 return -1;
6435f0f6 4276 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0ba5a9ea
MC		 4277 if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out,
4278 AES_BLOCK_SIZE))
0f113f3e
MC		 4279 return -1;
4280 } else {
0ba5a9ea
MC		 4281 if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out,
4282 AES_BLOCK_SIZE))
0f113f3e
MC		 4283 return -1;
4284 }
0ba5a9ea 4285 written_len = AES_BLOCK_SIZE;
0f113f3e 4286 *buf_len = 0;
7c12c7b6
MC		 4287 if (out != NULL)
4288 out += AES_BLOCK_SIZE;
0f113f3e
MC		 4289 }
4290
4291 /* Do we have a partial block to handle at the end? */
0ba5a9ea 4292 trailing_len = len % AES_BLOCK_SIZE;
0f113f3e
MC		 4293
4294 /*
4295 * If we've got some full blocks to handle, then process these first
4296 */
4297 if (len != trailing_len) {
4298 if (out == NULL) {
4299 if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len))
4300 return -1;
6435f0f6 4301 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 4302 if (!CRYPTO_ocb128_encrypt
4303 (&octx->ocb, in, out, len - trailing_len))
4304 return -1;
4305 } else {
4306 if (!CRYPTO_ocb128_decrypt
4307 (&octx->ocb, in, out, len - trailing_len))
4308 return -1;
4309 }
4310 written_len += len - trailing_len;
4311 in += len - trailing_len;
4312 }
4313
4314 /* Handle any trailing partial block */
0ba5a9ea 4315 if (trailing_len > 0) {
0f113f3e
MC		 4316 memcpy(buf, in, trailing_len);
4317 *buf_len = trailing_len;
4318 }
4319
4320 return written_len;
4321 } else {
4322 /*
4323 * First of all empty the buffer of any partial block that we might
4324 * have been provided - both for data and AAD
4325 */
0ba5a9ea 4326 if (octx->data_buf_len > 0) {
6435f0f6 4327 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 4328 if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out,
4329 octx->data_buf_len))
4330 return -1;
4331 } else {
4332 if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out,
4333 octx->data_buf_len))
4334 return -1;
4335 }
4336 written_len = octx->data_buf_len;
4337 octx->data_buf_len = 0;
4338 }
0ba5a9ea 4339 if (octx->aad_buf_len > 0) {
0f113f3e
MC		 4340 if (!CRYPTO_ocb128_aad
4341 (&octx->ocb, octx->aad_buf, octx->aad_buf_len))
4342 return -1;
4343 octx->aad_buf_len = 0;
4344 }
4345 /* If decrypting then verify */
6435f0f6 4346 if (!EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 4347 if (octx->taglen < 0)
4348 return -1;
4349 if (CRYPTO_ocb128_finish(&octx->ocb,
4350 octx->tag, octx->taglen) != 0)
4351 return -1;
4352 octx->iv_set = 0;
4353 return written_len;
4354 }
4355 /* If encrypting then just get the tag */
4356 if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1)
4357 return -1;
4358 /* Don't reuse the IV */
4359 octx->iv_set = 0;
4360 return written_len;
4361 }
4362}
e6b336ef
MC		 4363
4364static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
0f113f3e 4365{
6435f0f6 4366 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
0f113f3e
MC		 4367 CRYPTO_ocb128_cleanup(&octx->ocb);
4368 return 1;
4369}
e6b336ef 4370
c4aede20
MC		 4371BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
4372 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
4373BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
4374 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
4375BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
4376 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
5158c763 4377#endif /* OPENSSL_NO_OCB */
b1ceb439
TS		 4378
4379/* AES-SIV mode */
4380#ifndef OPENSSL_NO_SIV
4381
4382typedef SIV128_CONTEXT EVP_AES_SIV_CTX;
4383
4384#define aesni_siv_init_key aes_siv_init_key
4385static int aes_siv_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
4386 const unsigned char *iv, int enc)
4387{
4388 const EVP_CIPHER *ctr;
4389 const EVP_CIPHER *cbc;
4390 SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, ctx);
4391 int klen = EVP_CIPHER_CTX_key_length(ctx) / 2;
4392
4393 if (key == NULL)
4394 return 1;
4395
4396 switch (klen) {
4397 case 16:
4398 cbc = EVP_aes_128_cbc();
4399 ctr = EVP_aes_128_ctr();
4400 break;
4401 case 24:
4402 cbc = EVP_aes_192_cbc();
4403 ctr = EVP_aes_192_ctr();
4404 break;
4405 case 32:
4406 cbc = EVP_aes_256_cbc();
4407 ctr = EVP_aes_256_ctr();
4408 break;
4409 default:
4410 return 0;
4411 }
4412
4413 /* klen is the length of the underlying cipher, not the input key,
4414 which should be twice as long */
4415 return CRYPTO_siv128_init(sctx, key, klen, cbc, ctr);
4416}
4417
4418#define aesni_siv_cipher aes_siv_cipher
4419static int aes_siv_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
4420 const unsigned char *in, size_t len)
4421{
4422 SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, ctx);
4423
4424 /* EncryptFinal or DecryptFinal */
4425 if (in == NULL)
4426 return CRYPTO_siv128_finish(sctx);
4427
4428 /* Deal with associated data */
4429 if (out == NULL)
4430 return CRYPTO_siv128_aad(sctx, in, len);
4431
4432 if (EVP_CIPHER_CTX_encrypting(ctx))
4433 return CRYPTO_siv128_encrypt(sctx, in, out, len);
4434
4435 return CRYPTO_siv128_decrypt(sctx, in, out, len);
4436}
4437
4438#define aesni_siv_cleanup aes_siv_cleanup
4439static int aes_siv_cleanup(EVP_CIPHER_CTX *c)
4440{
4441 SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, c);
4442
4443 return CRYPTO_siv128_cleanup(sctx);
4444}
4445
4446
4447#define aesni_siv_ctrl aes_siv_ctrl
4448static int aes_siv_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
4449{
4450 SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, c);
4451 SIV128_CONTEXT *sctx_out;
4452
4453 switch (type) {
4454 case EVP_CTRL_INIT:
4455 return CRYPTO_siv128_cleanup(sctx);
4456
4457 case EVP_CTRL_SET_SPEED:
4458 return CRYPTO_siv128_speed(sctx, arg);
4459
4460 case EVP_CTRL_AEAD_SET_TAG:
4461 if (!EVP_CIPHER_CTX_encrypting(c))
4462 return CRYPTO_siv128_set_tag(sctx, ptr, arg);
4463 return 1;
4464
4465 case EVP_CTRL_AEAD_GET_TAG:
4466 if (!EVP_CIPHER_CTX_encrypting(c))
4467 return 0;
4468 return CRYPTO_siv128_get_tag(sctx, ptr, arg);
4469
4470 case EVP_CTRL_COPY:
4471 sctx_out = EVP_C_DATA(SIV128_CONTEXT, (EVP_CIPHER_CTX*)ptr);
4472 return CRYPTO_siv128_copy_ctx(sctx_out, sctx);
4473
4474 default:
4475 return -1;
4476
4477 }
4478}
4479
4480#define SIV_FLAGS (EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1 \
4481 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
4482 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_COPY \
4483 | EVP_CIPH_CTRL_INIT)
4484
4485BLOCK_CIPHER_custom(NID_aes, 128, 1, 0, siv, SIV, SIV_FLAGS)
4486BLOCK_CIPHER_custom(NID_aes, 192, 1, 0, siv, SIV, SIV_FLAGS)
4487BLOCK_CIPHER_custom(NID_aes, 256, 1, 0, siv, SIV, SIV_FLAGS)
4488#endif
A mirror of the official openssl repository