]>
Commit | Line | Data |
---|---|---|
aa6bb135 RS |
1 | /* |
2 | * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. | |
deb2c1a1 | 3 | * |
aa6bb135 RS |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
deb2c1a1 DSH |
8 | */ |
9 | ||
8c84b677 | 10 | #include <openssl/opensslconf.h> |
5158c763 MC |
11 | #include <openssl/crypto.h> |
12 | #include <openssl/evp.h> | |
13 | #include <openssl/err.h> | |
14 | #include <string.h> | |
15 | #include <assert.h> | |
16 | #include <openssl/aes.h> | |
17 | #include "internal/evp_int.h" | |
18 | #include "modes_lcl.h" | |
19 | #include <openssl/rand.h> | |
0f113f3e MC |
20 | |
21 | typedef struct { | |
22 | union { | |
23 | double align; | |
24 | AES_KEY ks; | |
25 | } ks; | |
26 | block128_f block; | |
27 | union { | |
28 | cbc128_f cbc; | |
29 | ctr128_f ctr; | |
30 | } stream; | |
31 | } EVP_AES_KEY; | |
32 | ||
33 | typedef struct { | |
34 | union { | |
35 | double align; | |
36 | AES_KEY ks; | |
37 | } ks; /* AES key schedule to use */ | |
38 | int key_set; /* Set if key initialised */ | |
39 | int iv_set; /* Set if an iv is set */ | |
40 | GCM128_CONTEXT gcm; | |
41 | unsigned char *iv; /* Temporary IV store */ | |
42 | int ivlen; /* IV length */ | |
43 | int taglen; | |
44 | int iv_gen; /* It is OK to generate IVs */ | |
45 | int tls_aad_len; /* TLS AAD length */ | |
46 | ctr128_f ctr; | |
47 | } EVP_AES_GCM_CTX; | |
48 | ||
49 | typedef struct { | |
50 | union { | |
51 | double align; | |
52 | AES_KEY ks; | |
53 | } ks1, ks2; /* AES key schedules to use */ | |
54 | XTS128_CONTEXT xts; | |
55 | void (*stream) (const unsigned char *in, | |
56 | unsigned char *out, size_t length, | |
57 | const AES_KEY *key1, const AES_KEY *key2, | |
58 | const unsigned char iv[16]); | |
59 | } EVP_AES_XTS_CTX; | |
60 | ||
61 | typedef struct { | |
62 | union { | |
63 | double align; | |
64 | AES_KEY ks; | |
65 | } ks; /* AES key schedule to use */ | |
66 | int key_set; /* Set if key initialised */ | |
67 | int iv_set; /* Set if an iv is set */ | |
68 | int tag_set; /* Set if tag is valid */ | |
69 | int len_set; /* Set if message length set */ | |
70 | int L, M; /* L and M parameters from RFC3610 */ | |
e75c5a79 | 71 | int tls_aad_len; /* TLS AAD length */ |
0f113f3e MC |
72 | CCM128_CONTEXT ccm; |
73 | ccm128_f str; | |
74 | } EVP_AES_CCM_CTX; | |
75 | ||
5158c763 | 76 | #ifndef OPENSSL_NO_OCB |
0f113f3e | 77 | typedef struct { |
bdc985b1 AP |
78 | union { |
79 | double align; | |
80 | AES_KEY ks; | |
81 | } ksenc; /* AES key schedule to use for encryption */ | |
82 | union { | |
83 | double align; | |
84 | AES_KEY ks; | |
85 | } ksdec; /* AES key schedule to use for decryption */ | |
0f113f3e MC |
86 | int key_set; /* Set if key initialised */ |
87 | int iv_set; /* Set if an iv is set */ | |
88 | OCB128_CONTEXT ocb; | |
89 | unsigned char *iv; /* Temporary IV store */ | |
90 | unsigned char tag[16]; | |
91 | unsigned char data_buf[16]; /* Store partial data blocks */ | |
92 | unsigned char aad_buf[16]; /* Store partial AAD blocks */ | |
93 | int data_buf_len; | |
94 | int aad_buf_len; | |
95 | int ivlen; /* IV length */ | |
96 | int taglen; | |
97 | } EVP_AES_OCB_CTX; | |
5158c763 | 98 | #endif |
e6b336ef | 99 | |
5158c763 | 100 | #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) |
17f121de | 101 | |
5158c763 | 102 | #ifdef VPAES_ASM |
8ca28da0 | 103 | int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, |
0f113f3e | 104 | AES_KEY *key); |
8ca28da0 | 105 | int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, |
0f113f3e | 106 | AES_KEY *key); |
8ca28da0 AP |
107 | |
108 | void vpaes_encrypt(const unsigned char *in, unsigned char *out, | |
0f113f3e | 109 | const AES_KEY *key); |
8ca28da0 | 110 | void vpaes_decrypt(const unsigned char *in, unsigned char *out, |
0f113f3e | 111 | const AES_KEY *key); |
8ca28da0 AP |
112 | |
113 | void vpaes_cbc_encrypt(const unsigned char *in, | |
0f113f3e MC |
114 | unsigned char *out, |
115 | size_t length, | |
116 | const AES_KEY *key, unsigned char *ivec, int enc); | |
5158c763 MC |
117 | #endif |
118 | #ifdef BSAES_ASM | |
a75a52a4 | 119 | void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, |
0f113f3e MC |
120 | size_t length, const AES_KEY *key, |
121 | unsigned char ivec[16], int enc); | |
993adc05 | 122 | void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, |
0f113f3e MC |
123 | size_t len, const AES_KEY *key, |
124 | const unsigned char ivec[16]); | |
60d4e99c | 125 | void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, |
0f113f3e MC |
126 | size_t len, const AES_KEY *key1, |
127 | const AES_KEY *key2, const unsigned char iv[16]); | |
60d4e99c | 128 | void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, |
0f113f3e MC |
129 | size_t len, const AES_KEY *key1, |
130 | const AES_KEY *key2, const unsigned char iv[16]); | |
5158c763 MC |
131 | #endif |
132 | #ifdef AES_CTR_ASM | |
07904e0c | 133 | void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, |
0f113f3e MC |
134 | size_t blocks, const AES_KEY *key, |
135 | const unsigned char ivec[AES_BLOCK_SIZE]); | |
5158c763 MC |
136 | #endif |
137 | #ifdef AES_XTS_ASM | |
0f113f3e MC |
138 | void AES_xts_encrypt(const char *inp, char *out, size_t len, |
139 | const AES_KEY *key1, const AES_KEY *key2, | |
140 | const unsigned char iv[16]); | |
141 | void AES_xts_decrypt(const char *inp, char *out, size_t len, | |
142 | const AES_KEY *key1, const AES_KEY *key2, | |
143 | const unsigned char iv[16]); | |
5158c763 | 144 | #endif |
8ca28da0 | 145 | |
6944565b | 146 | #if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC)) |
5158c763 MC |
147 | # include "ppc_arch.h" |
148 | # ifdef VPAES_ASM | |
149 | # define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC) | |
de51e830 | 150 | # endif |
5158c763 MC |
151 | # define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207) |
152 | # define HWAES_set_encrypt_key aes_p8_set_encrypt_key | |
153 | # define HWAES_set_decrypt_key aes_p8_set_decrypt_key | |
154 | # define HWAES_encrypt aes_p8_encrypt | |
155 | # define HWAES_decrypt aes_p8_decrypt | |
156 | # define HWAES_cbc_encrypt aes_p8_cbc_encrypt | |
157 | # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks | |
158 | #endif | |
07f3e4f3 | 159 | |
5158c763 | 160 | #if defined(AES_ASM) && !defined(I386_ONLY) && ( \ |
0f113f3e MC |
161 | ((defined(__i386) || defined(__i386__) || \ |
162 | defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ | |
163 | defined(__x86_64) || defined(__x86_64__) || \ | |
b1a07c38 | 164 | defined(_M_AMD64) || defined(_M_X64) ) |
8ca28da0 | 165 | |
c5f6da54 | 166 | extern unsigned int OPENSSL_ia32cap_P[]; |
8ca28da0 | 167 | |
5158c763 MC |
168 | # ifdef VPAES_ASM |
169 | # define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) | |
170 | # endif | |
171 | # ifdef BSAES_ASM | |
172 | # define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) | |
173 | # endif | |
17f121de AP |
174 | /* |
175 | * AES-NI section | |
176 | */ | |
5158c763 | 177 | # define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32))) |
d1fff483 AP |
178 | |
179 | int aesni_set_encrypt_key(const unsigned char *userKey, int bits, | |
0f113f3e | 180 | AES_KEY *key); |
d1fff483 | 181 | int aesni_set_decrypt_key(const unsigned char *userKey, int bits, |
0f113f3e | 182 | AES_KEY *key); |
d1fff483 AP |
183 | |
184 | void aesni_encrypt(const unsigned char *in, unsigned char *out, | |
0f113f3e | 185 | const AES_KEY *key); |
d1fff483 | 186 | void aesni_decrypt(const unsigned char *in, unsigned char *out, |
0f113f3e | 187 | const AES_KEY *key); |
d1fff483 AP |
188 | |
189 | void aesni_ecb_encrypt(const unsigned char *in, | |
0f113f3e MC |
190 | unsigned char *out, |
191 | size_t length, const AES_KEY *key, int enc); | |
d1fff483 | 192 | void aesni_cbc_encrypt(const unsigned char *in, |
0f113f3e MC |
193 | unsigned char *out, |
194 | size_t length, | |
195 | const AES_KEY *key, unsigned char *ivec, int enc); | |
d1fff483 AP |
196 | |
197 | void aesni_ctr32_encrypt_blocks(const unsigned char *in, | |
0f113f3e MC |
198 | unsigned char *out, |
199 | size_t blocks, | |
200 | const void *key, const unsigned char *ivec); | |
17f121de AP |
201 | |
202 | void aesni_xts_encrypt(const unsigned char *in, | |
0f113f3e MC |
203 | unsigned char *out, |
204 | size_t length, | |
205 | const AES_KEY *key1, const AES_KEY *key2, | |
206 | const unsigned char iv[16]); | |
17f121de AP |
207 | |
208 | void aesni_xts_decrypt(const unsigned char *in, | |
0f113f3e MC |
209 | unsigned char *out, |
210 | size_t length, | |
211 | const AES_KEY *key1, const AES_KEY *key2, | |
212 | const unsigned char iv[16]); | |
213 | ||
214 | void aesni_ccm64_encrypt_blocks(const unsigned char *in, | |
215 | unsigned char *out, | |
216 | size_t blocks, | |
217 | const void *key, | |
218 | const unsigned char ivec[16], | |
219 | unsigned char cmac[16]); | |
220 | ||
221 | void aesni_ccm64_decrypt_blocks(const unsigned char *in, | |
222 | unsigned char *out, | |
223 | size_t blocks, | |
224 | const void *key, | |
225 | const unsigned char ivec[16], | |
226 | unsigned char cmac[16]); | |
227 | ||
5158c763 | 228 | # if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64) |
4e049c52 | 229 | size_t aesni_gcm_encrypt(const unsigned char *in, |
0f113f3e MC |
230 | unsigned char *out, |
231 | size_t len, | |
232 | const void *key, unsigned char ivec[16], u64 *Xi); | |
5158c763 | 233 | # define AES_gcm_encrypt aesni_gcm_encrypt |
4e049c52 | 234 | size_t aesni_gcm_decrypt(const unsigned char *in, |
0f113f3e MC |
235 | unsigned char *out, |
236 | size_t len, | |
237 | const void *key, unsigned char ivec[16], u64 *Xi); | |
5158c763 | 238 | # define AES_gcm_decrypt aesni_gcm_decrypt |
0f113f3e MC |
239 | void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in, |
240 | size_t len); | |
5158c763 | 241 | # define AES_GCM_ASM(gctx) (gctx->ctr==aesni_ctr32_encrypt_blocks && \ |
0f113f3e | 242 | gctx->gcm.ghash==gcm_ghash_avx) |
5158c763 | 243 | # define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \ |
0f113f3e | 244 | gctx->gcm.ghash==gcm_ghash_avx) |
5158c763 MC |
245 | # undef AES_GCM_ASM2 /* minor size optimization */ |
246 | # endif | |
4e049c52 | 247 | |
17f121de | 248 | static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
0f113f3e MC |
249 | const unsigned char *iv, int enc) |
250 | { | |
251 | int ret, mode; | |
6435f0f6 | 252 | EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); |
0f113f3e | 253 | |
6435f0f6 | 254 | mode = EVP_CIPHER_CTX_mode(ctx); |
0f113f3e MC |
255 | if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) |
256 | && !enc) { | |
6435f0f6 RL |
257 | ret = aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
258 | &dat->ks.ks); | |
0f113f3e MC |
259 | dat->block = (block128_f) aesni_decrypt; |
260 | dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? | |
261 | (cbc128_f) aesni_cbc_encrypt : NULL; | |
262 | } else { | |
6435f0f6 RL |
263 | ret = aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
264 | &dat->ks.ks); | |
0f113f3e MC |
265 | dat->block = (block128_f) aesni_encrypt; |
266 | if (mode == EVP_CIPH_CBC_MODE) | |
267 | dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt; | |
268 | else if (mode == EVP_CIPH_CTR_MODE) | |
269 | dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; | |
270 | else | |
271 | dat->stream.cbc = NULL; | |
272 | } | |
273 | ||
274 | if (ret < 0) { | |
275 | EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED); | |
276 | return 0; | |
277 | } | |
278 | ||
279 | return 1; | |
280 | } | |
281 | ||
282 | static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
283 | const unsigned char *in, size_t len) | |
d1fff483 | 284 | { |
6435f0f6 RL |
285 | aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks, |
286 | EVP_CIPHER_CTX_iv_noconst(ctx), | |
287 | EVP_CIPHER_CTX_encrypting(ctx)); | |
d1fff483 | 288 | |
0f113f3e | 289 | return 1; |
d1fff483 AP |
290 | } |
291 | ||
0f113f3e MC |
292 | static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
293 | const unsigned char *in, size_t len) | |
d1fff483 | 294 | { |
6435f0f6 | 295 | size_t bl = EVP_CIPHER_CTX_block_size(ctx); |
d1fff483 | 296 | |
0f113f3e MC |
297 | if (len < bl) |
298 | return 1; | |
d1fff483 | 299 | |
6435f0f6 RL |
300 | aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks, |
301 | EVP_CIPHER_CTX_encrypting(ctx)); | |
d1fff483 | 302 | |
0f113f3e | 303 | return 1; |
d1fff483 AP |
304 | } |
305 | ||
5158c763 | 306 | # define aesni_ofb_cipher aes_ofb_cipher |
0f113f3e MC |
307 | static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
308 | const unsigned char *in, size_t len); | |
d1fff483 | 309 | |
5158c763 | 310 | # define aesni_cfb_cipher aes_cfb_cipher |
0f113f3e MC |
311 | static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
312 | const unsigned char *in, size_t len); | |
d1fff483 | 313 | |
5158c763 | 314 | # define aesni_cfb8_cipher aes_cfb8_cipher |
0f113f3e MC |
315 | static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
316 | const unsigned char *in, size_t len); | |
d1fff483 | 317 | |
5158c763 | 318 | # define aesni_cfb1_cipher aes_cfb1_cipher |
0f113f3e MC |
319 | static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
320 | const unsigned char *in, size_t len); | |
d1fff483 | 321 | |
5158c763 | 322 | # define aesni_ctr_cipher aes_ctr_cipher |
17f121de | 323 | static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e | 324 | const unsigned char *in, size_t len); |
d1fff483 | 325 | |
17f121de | 326 | static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
0f113f3e MC |
327 | const unsigned char *iv, int enc) |
328 | { | |
6435f0f6 | 329 | EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); |
0f113f3e MC |
330 | if (!iv && !key) |
331 | return 1; | |
332 | if (key) { | |
6435f0f6 RL |
333 | aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
334 | &gctx->ks.ks); | |
0f113f3e MC |
335 | CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt); |
336 | gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; | |
337 | /* | |
338 | * If we have an iv can set it directly, otherwise use saved IV. | |
339 | */ | |
340 | if (iv == NULL && gctx->iv_set) | |
341 | iv = gctx->iv; | |
342 | if (iv) { | |
343 | CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); | |
344 | gctx->iv_set = 1; | |
345 | } | |
346 | gctx->key_set = 1; | |
347 | } else { | |
348 | /* If key set use IV, otherwise copy */ | |
349 | if (gctx->key_set) | |
350 | CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); | |
351 | else | |
352 | memcpy(gctx->iv, iv, gctx->ivlen); | |
353 | gctx->iv_set = 1; | |
354 | gctx->iv_gen = 0; | |
355 | } | |
356 | return 1; | |
357 | } | |
358 | ||
5158c763 | 359 | # define aesni_gcm_cipher aes_gcm_cipher |
17f121de | 360 | static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e | 361 | const unsigned char *in, size_t len); |
17f121de AP |
362 | |
363 | static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
0f113f3e MC |
364 | const unsigned char *iv, int enc) |
365 | { | |
6435f0f6 | 366 | EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx); |
0f113f3e MC |
367 | if (!iv && !key) |
368 | return 1; | |
369 | ||
370 | if (key) { | |
371 | /* key_len is two AES keys */ | |
372 | if (enc) { | |
6435f0f6 RL |
373 | aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, |
374 | &xctx->ks1.ks); | |
0f113f3e MC |
375 | xctx->xts.block1 = (block128_f) aesni_encrypt; |
376 | xctx->stream = aesni_xts_encrypt; | |
377 | } else { | |
6435f0f6 RL |
378 | aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, |
379 | &xctx->ks1.ks); | |
0f113f3e MC |
380 | xctx->xts.block1 = (block128_f) aesni_decrypt; |
381 | xctx->stream = aesni_xts_decrypt; | |
382 | } | |
383 | ||
6435f0f6 RL |
384 | aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, |
385 | EVP_CIPHER_CTX_key_length(ctx) * 4, | |
386 | &xctx->ks2.ks); | |
0f113f3e MC |
387 | xctx->xts.block2 = (block128_f) aesni_encrypt; |
388 | ||
389 | xctx->xts.key1 = &xctx->ks1; | |
390 | } | |
391 | ||
392 | if (iv) { | |
393 | xctx->xts.key2 = &xctx->ks2; | |
6435f0f6 | 394 | memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16); |
0f113f3e MC |
395 | } |
396 | ||
397 | return 1; | |
398 | } | |
399 | ||
5158c763 | 400 | # define aesni_xts_cipher aes_xts_cipher |
17f121de | 401 | static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e | 402 | const unsigned char *in, size_t len); |
17f121de AP |
403 | |
404 | static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
0f113f3e MC |
405 | const unsigned char *iv, int enc) |
406 | { | |
6435f0f6 | 407 | EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx); |
0f113f3e MC |
408 | if (!iv && !key) |
409 | return 1; | |
410 | if (key) { | |
6435f0f6 RL |
411 | aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
412 | &cctx->ks.ks); | |
0f113f3e MC |
413 | CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, |
414 | &cctx->ks, (block128_f) aesni_encrypt); | |
415 | cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks : | |
416 | (ccm128_f) aesni_ccm64_decrypt_blocks; | |
417 | cctx->key_set = 1; | |
418 | } | |
419 | if (iv) { | |
6435f0f6 | 420 | memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L); |
0f113f3e MC |
421 | cctx->iv_set = 1; |
422 | } | |
423 | return 1; | |
424 | } | |
425 | ||
5158c763 | 426 | # define aesni_ccm_cipher aes_ccm_cipher |
17f121de | 427 | static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e | 428 | const unsigned char *in, size_t len); |
17f121de | 429 | |
5158c763 | 430 | # ifndef OPENSSL_NO_OCB |
bd30091c AP |
431 | void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out, |
432 | size_t blocks, const void *key, | |
433 | size_t start_block_num, | |
434 | unsigned char offset_i[16], | |
435 | const unsigned char L_[][16], | |
436 | unsigned char checksum[16]); | |
437 | void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out, | |
438 | size_t blocks, const void *key, | |
439 | size_t start_block_num, | |
440 | unsigned char offset_i[16], | |
441 | const unsigned char L_[][16], | |
442 | unsigned char checksum[16]); | |
443 | ||
e6b336ef | 444 | static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
0f113f3e MC |
445 | const unsigned char *iv, int enc) |
446 | { | |
6435f0f6 | 447 | EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx); |
0f113f3e MC |
448 | if (!iv && !key) |
449 | return 1; | |
450 | if (key) { | |
451 | do { | |
452 | /* | |
453 | * We set both the encrypt and decrypt key here because decrypt | |
454 | * needs both. We could possibly optimise to remove setting the | |
455 | * decrypt for an encryption operation. | |
456 | */ | |
6435f0f6 RL |
457 | aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
458 | &octx->ksenc.ks); | |
459 | aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, | |
460 | &octx->ksdec.ks); | |
bdc985b1 AP |
461 | if (!CRYPTO_ocb128_init(&octx->ocb, |
462 | &octx->ksenc.ks, &octx->ksdec.ks, | |
0f113f3e | 463 | (block128_f) aesni_encrypt, |
bd30091c AP |
464 | (block128_f) aesni_decrypt, |
465 | enc ? aesni_ocb_encrypt | |
466 | : aesni_ocb_decrypt)) | |
0f113f3e MC |
467 | return 0; |
468 | } | |
469 | while (0); | |
470 | ||
471 | /* | |
472 | * If we have an iv we can set it directly, otherwise use saved IV. | |
473 | */ | |
474 | if (iv == NULL && octx->iv_set) | |
475 | iv = octx->iv; | |
476 | if (iv) { | |
477 | if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen) | |
478 | != 1) | |
479 | return 0; | |
480 | octx->iv_set = 1; | |
481 | } | |
482 | octx->key_set = 1; | |
483 | } else { | |
484 | /* If key set use IV, otherwise copy */ | |
485 | if (octx->key_set) | |
486 | CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen); | |
487 | else | |
488 | memcpy(octx->iv, iv, octx->ivlen); | |
489 | octx->iv_set = 1; | |
490 | } | |
491 | return 1; | |
492 | } | |
493 | ||
5158c763 | 494 | # define aesni_ocb_cipher aes_ocb_cipher |
e6b336ef | 495 | static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e | 496 | const unsigned char *in, size_t len); |
5158c763 | 497 | # endif /* OPENSSL_NO_OCB */ |
e6b336ef | 498 | |
5158c763 | 499 | # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ |
17f121de | 500 | static const EVP_CIPHER aesni_##keylen##_##mode = { \ |
0f113f3e MC |
501 | nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ |
502 | flags|EVP_CIPH_##MODE##_MODE, \ | |
503 | aesni_init_key, \ | |
504 | aesni_##mode##_cipher, \ | |
505 | NULL, \ | |
506 | sizeof(EVP_AES_KEY), \ | |
507 | NULL,NULL,NULL,NULL }; \ | |
17f121de | 508 | static const EVP_CIPHER aes_##keylen##_##mode = { \ |
0f113f3e MC |
509 | nid##_##keylen##_##nmode,blocksize, \ |
510 | keylen/8,ivlen, \ | |
511 | flags|EVP_CIPH_##MODE##_MODE, \ | |
512 | aes_init_key, \ | |
513 | aes_##mode##_cipher, \ | |
514 | NULL, \ | |
515 | sizeof(EVP_AES_KEY), \ | |
516 | NULL,NULL,NULL,NULL }; \ | |
17f121de | 517 | const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ |
8ca28da0 | 518 | { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } |
17f121de | 519 | |
5158c763 | 520 | # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ |
17f121de | 521 | static const EVP_CIPHER aesni_##keylen##_##mode = { \ |
0f113f3e MC |
522 | nid##_##keylen##_##mode,blocksize, \ |
523 | (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ | |
524 | flags|EVP_CIPH_##MODE##_MODE, \ | |
525 | aesni_##mode##_init_key, \ | |
526 | aesni_##mode##_cipher, \ | |
527 | aes_##mode##_cleanup, \ | |
528 | sizeof(EVP_AES_##MODE##_CTX), \ | |
529 | NULL,NULL,aes_##mode##_ctrl,NULL }; \ | |
17f121de | 530 | static const EVP_CIPHER aes_##keylen##_##mode = { \ |
0f113f3e MC |
531 | nid##_##keylen##_##mode,blocksize, \ |
532 | (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ | |
533 | flags|EVP_CIPH_##MODE##_MODE, \ | |
534 | aes_##mode##_init_key, \ | |
535 | aes_##mode##_cipher, \ | |
536 | aes_##mode##_cleanup, \ | |
537 | sizeof(EVP_AES_##MODE##_CTX), \ | |
538 | NULL,NULL,aes_##mode##_ctrl,NULL }; \ | |
17f121de | 539 | const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ |
8ca28da0 | 540 | { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } |
d1fff483 | 541 | |
5158c763 | 542 | #elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__)) |
c5f6da54 | 543 | |
5158c763 | 544 | # include "sparc_arch.h" |
c5f6da54 AP |
545 | |
546 | extern unsigned int OPENSSL_sparcv9cap_P[]; | |
547 | ||
6944565b AP |
548 | /* |
549 | * Initial Fujitsu SPARC64 X support | |
550 | */ | |
551 | # define HWAES_CAPABLE (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX) | |
552 | # define HWAES_set_encrypt_key aes_fx_set_encrypt_key | |
553 | # define HWAES_set_decrypt_key aes_fx_set_decrypt_key | |
554 | # define HWAES_encrypt aes_fx_encrypt | |
555 | # define HWAES_decrypt aes_fx_decrypt | |
556 | ||
5158c763 | 557 | # define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES) |
c5f6da54 | 558 | |
0f113f3e MC |
559 | void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks); |
560 | void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks); | |
561 | void aes_t4_encrypt(const unsigned char *in, unsigned char *out, | |
562 | const AES_KEY *key); | |
563 | void aes_t4_decrypt(const unsigned char *in, unsigned char *out, | |
564 | const AES_KEY *key); | |
c5f6da54 AP |
565 | /* |
566 | * Key-length specific subroutines were chosen for following reason. | |
567 | * Each SPARC T4 core can execute up to 8 threads which share core's | |
568 | * resources. Loading as much key material to registers allows to | |
569 | * minimize references to shared memory interface, as well as amount | |
570 | * of instructions in inner loops [much needed on T4]. But then having | |
571 | * non-key-length specific routines would require conditional branches | |
572 | * either in inner loops or on subroutines' entries. Former is hardly | |
573 | * acceptable, while latter means code size increase to size occupied | |
0d4fb843 | 574 | * by multiple key-length specific subroutines, so why fight? |
c5f6da54 | 575 | */ |
0f113f3e MC |
576 | void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out, |
577 | size_t len, const AES_KEY *key, | |
578 | unsigned char *ivec); | |
579 | void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out, | |
580 | size_t len, const AES_KEY *key, | |
581 | unsigned char *ivec); | |
582 | void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out, | |
583 | size_t len, const AES_KEY *key, | |
584 | unsigned char *ivec); | |
585 | void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out, | |
586 | size_t len, const AES_KEY *key, | |
587 | unsigned char *ivec); | |
588 | void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out, | |
589 | size_t len, const AES_KEY *key, | |
590 | unsigned char *ivec); | |
591 | void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out, | |
592 | size_t len, const AES_KEY *key, | |
593 | unsigned char *ivec); | |
594 | void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out, | |
595 | size_t blocks, const AES_KEY *key, | |
596 | unsigned char *ivec); | |
597 | void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out, | |
598 | size_t blocks, const AES_KEY *key, | |
599 | unsigned char *ivec); | |
600 | void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out, | |
601 | size_t blocks, const AES_KEY *key, | |
602 | unsigned char *ivec); | |
603 | void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out, | |
604 | size_t blocks, const AES_KEY *key1, | |
605 | const AES_KEY *key2, const unsigned char *ivec); | |
606 | void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out, | |
607 | size_t blocks, const AES_KEY *key1, | |
608 | const AES_KEY *key2, const unsigned char *ivec); | |
609 | void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out, | |
610 | size_t blocks, const AES_KEY *key1, | |
611 | const AES_KEY *key2, const unsigned char *ivec); | |
612 | void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out, | |
613 | size_t blocks, const AES_KEY *key1, | |
614 | const AES_KEY *key2, const unsigned char *ivec); | |
c5f6da54 AP |
615 | |
616 | static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
0f113f3e MC |
617 | const unsigned char *iv, int enc) |
618 | { | |
619 | int ret, mode, bits; | |
6435f0f6 | 620 | EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); |
0f113f3e | 621 | |
6435f0f6 RL |
622 | mode = EVP_CIPHER_CTX_mode(ctx); |
623 | bits = EVP_CIPHER_CTX_key_length(ctx) * 8; | |
0f113f3e MC |
624 | if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) |
625 | && !enc) { | |
626 | ret = 0; | |
6435f0f6 | 627 | aes_t4_set_decrypt_key(key, bits, &dat->ks.ks); |
0f113f3e MC |
628 | dat->block = (block128_f) aes_t4_decrypt; |
629 | switch (bits) { | |
630 | case 128: | |
631 | dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? | |
632 | (cbc128_f) aes128_t4_cbc_decrypt : NULL; | |
633 | break; | |
634 | case 192: | |
635 | dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? | |
636 | (cbc128_f) aes192_t4_cbc_decrypt : NULL; | |
637 | break; | |
638 | case 256: | |
639 | dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? | |
640 | (cbc128_f) aes256_t4_cbc_decrypt : NULL; | |
641 | break; | |
642 | default: | |
643 | ret = -1; | |
644 | } | |
645 | } else { | |
646 | ret = 0; | |
6435f0f6 | 647 | aes_t4_set_encrypt_key(key, bits, &dat->ks.ks); |
0f113f3e MC |
648 | dat->block = (block128_f) aes_t4_encrypt; |
649 | switch (bits) { | |
650 | case 128: | |
651 | if (mode == EVP_CIPH_CBC_MODE) | |
652 | dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt; | |
653 | else if (mode == EVP_CIPH_CTR_MODE) | |
654 | dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt; | |
655 | else | |
656 | dat->stream.cbc = NULL; | |
657 | break; | |
658 | case 192: | |
659 | if (mode == EVP_CIPH_CBC_MODE) | |
660 | dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt; | |
661 | else if (mode == EVP_CIPH_CTR_MODE) | |
662 | dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt; | |
663 | else | |
664 | dat->stream.cbc = NULL; | |
665 | break; | |
666 | case 256: | |
667 | if (mode == EVP_CIPH_CBC_MODE) | |
668 | dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt; | |
669 | else if (mode == EVP_CIPH_CTR_MODE) | |
670 | dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt; | |
671 | else | |
672 | dat->stream.cbc = NULL; | |
673 | break; | |
674 | default: | |
675 | ret = -1; | |
676 | } | |
677 | } | |
678 | ||
679 | if (ret < 0) { | |
680 | EVPerr(EVP_F_AES_T4_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED); | |
681 | return 0; | |
682 | } | |
683 | ||
684 | return 1; | |
685 | } | |
686 | ||
5158c763 | 687 | # define aes_t4_cbc_cipher aes_cbc_cipher |
0f113f3e MC |
688 | static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
689 | const unsigned char *in, size_t len); | |
690 | ||
5158c763 | 691 | # define aes_t4_ecb_cipher aes_ecb_cipher |
0f113f3e MC |
692 | static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
693 | const unsigned char *in, size_t len); | |
694 | ||
5158c763 | 695 | # define aes_t4_ofb_cipher aes_ofb_cipher |
0f113f3e MC |
696 | static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
697 | const unsigned char *in, size_t len); | |
698 | ||
5158c763 | 699 | # define aes_t4_cfb_cipher aes_cfb_cipher |
0f113f3e MC |
700 | static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
701 | const unsigned char *in, size_t len); | |
702 | ||
5158c763 | 703 | # define aes_t4_cfb8_cipher aes_cfb8_cipher |
0f113f3e MC |
704 | static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
705 | const unsigned char *in, size_t len); | |
706 | ||
5158c763 | 707 | # define aes_t4_cfb1_cipher aes_cfb1_cipher |
0f113f3e MC |
708 | static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
709 | const unsigned char *in, size_t len); | |
710 | ||
5158c763 | 711 | # define aes_t4_ctr_cipher aes_ctr_cipher |
c5f6da54 | 712 | static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e | 713 | const unsigned char *in, size_t len); |
c5f6da54 AP |
714 | |
715 | static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
0f113f3e MC |
716 | const unsigned char *iv, int enc) |
717 | { | |
6435f0f6 | 718 | EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); |
0f113f3e MC |
719 | if (!iv && !key) |
720 | return 1; | |
721 | if (key) { | |
6435f0f6 | 722 | int bits = EVP_CIPHER_CTX_key_length(ctx) * 8; |
0f113f3e MC |
723 | aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks); |
724 | CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, | |
725 | (block128_f) aes_t4_encrypt); | |
726 | switch (bits) { | |
727 | case 128: | |
728 | gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt; | |
729 | break; | |
730 | case 192: | |
731 | gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt; | |
732 | break; | |
733 | case 256: | |
734 | gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt; | |
735 | break; | |
736 | default: | |
737 | return 0; | |
738 | } | |
739 | /* | |
740 | * If we have an iv can set it directly, otherwise use saved IV. | |
741 | */ | |
742 | if (iv == NULL && gctx->iv_set) | |
743 | iv = gctx->iv; | |
744 | if (iv) { | |
745 | CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); | |
746 | gctx->iv_set = 1; | |
747 | } | |
748 | gctx->key_set = 1; | |
749 | } else { | |
750 | /* If key set use IV, otherwise copy */ | |
751 | if (gctx->key_set) | |
752 | CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); | |
753 | else | |
754 | memcpy(gctx->iv, iv, gctx->ivlen); | |
755 | gctx->iv_set = 1; | |
756 | gctx->iv_gen = 0; | |
757 | } | |
758 | return 1; | |
759 | } | |
760 | ||
5158c763 | 761 | # define aes_t4_gcm_cipher aes_gcm_cipher |
c5f6da54 | 762 | static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e | 763 | const unsigned char *in, size_t len); |
c5f6da54 AP |
764 | |
765 | static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
0f113f3e MC |
766 | const unsigned char *iv, int enc) |
767 | { | |
6435f0f6 | 768 | EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx); |
0f113f3e MC |
769 | if (!iv && !key) |
770 | return 1; | |
771 | ||
772 | if (key) { | |
6435f0f6 | 773 | int bits = EVP_CIPHER_CTX_key_length(ctx) * 4; |
0f113f3e MC |
774 | xctx->stream = NULL; |
775 | /* key_len is two AES keys */ | |
776 | if (enc) { | |
777 | aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks); | |
778 | xctx->xts.block1 = (block128_f) aes_t4_encrypt; | |
779 | switch (bits) { | |
780 | case 128: | |
781 | xctx->stream = aes128_t4_xts_encrypt; | |
782 | break; | |
0f113f3e MC |
783 | case 256: |
784 | xctx->stream = aes256_t4_xts_encrypt; | |
785 | break; | |
786 | default: | |
787 | return 0; | |
788 | } | |
789 | } else { | |
6435f0f6 RL |
790 | aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, |
791 | &xctx->ks1.ks); | |
0f113f3e MC |
792 | xctx->xts.block1 = (block128_f) aes_t4_decrypt; |
793 | switch (bits) { | |
794 | case 128: | |
795 | xctx->stream = aes128_t4_xts_decrypt; | |
796 | break; | |
0f113f3e MC |
797 | case 256: |
798 | xctx->stream = aes256_t4_xts_decrypt; | |
799 | break; | |
800 | default: | |
801 | return 0; | |
802 | } | |
803 | } | |
804 | ||
6435f0f6 RL |
805 | aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, |
806 | EVP_CIPHER_CTX_key_length(ctx) * 4, | |
807 | &xctx->ks2.ks); | |
0f113f3e MC |
808 | xctx->xts.block2 = (block128_f) aes_t4_encrypt; |
809 | ||
810 | xctx->xts.key1 = &xctx->ks1; | |
811 | } | |
812 | ||
813 | if (iv) { | |
814 | xctx->xts.key2 = &xctx->ks2; | |
6435f0f6 | 815 | memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16); |
0f113f3e MC |
816 | } |
817 | ||
818 | return 1; | |
819 | } | |
820 | ||
5158c763 | 821 | # define aes_t4_xts_cipher aes_xts_cipher |
c5f6da54 | 822 | static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e | 823 | const unsigned char *in, size_t len); |
c5f6da54 AP |
824 | |
825 | static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
0f113f3e MC |
826 | const unsigned char *iv, int enc) |
827 | { | |
6435f0f6 | 828 | EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx); |
0f113f3e MC |
829 | if (!iv && !key) |
830 | return 1; | |
831 | if (key) { | |
6435f0f6 | 832 | int bits = EVP_CIPHER_CTX_key_length(ctx) * 8; |
0f113f3e MC |
833 | aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks); |
834 | CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, | |
835 | &cctx->ks, (block128_f) aes_t4_encrypt); | |
bdc985b1 | 836 | cctx->str = NULL; |
0f113f3e MC |
837 | cctx->key_set = 1; |
838 | } | |
839 | if (iv) { | |
6435f0f6 | 840 | memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L); |
0f113f3e MC |
841 | cctx->iv_set = 1; |
842 | } | |
843 | return 1; | |
844 | } | |
845 | ||
5158c763 | 846 | # define aes_t4_ccm_cipher aes_ccm_cipher |
c5f6da54 | 847 | static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e | 848 | const unsigned char *in, size_t len); |
c5f6da54 | 849 | |
5158c763 | 850 | # ifndef OPENSSL_NO_OCB |
e6b336ef | 851 | static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
0f113f3e MC |
852 | const unsigned char *iv, int enc) |
853 | { | |
6435f0f6 | 854 | EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx); |
0f113f3e MC |
855 | if (!iv && !key) |
856 | return 1; | |
857 | if (key) { | |
858 | do { | |
859 | /* | |
860 | * We set both the encrypt and decrypt key here because decrypt | |
861 | * needs both. We could possibly optimise to remove setting the | |
862 | * decrypt for an encryption operation. | |
863 | */ | |
6435f0f6 RL |
864 | aes_t4_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
865 | &octx->ksenc.ks); | |
866 | aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, | |
867 | &octx->ksdec.ks); | |
bdc985b1 AP |
868 | if (!CRYPTO_ocb128_init(&octx->ocb, |
869 | &octx->ksenc.ks, &octx->ksdec.ks, | |
0f113f3e | 870 | (block128_f) aes_t4_encrypt, |
02dc0b82 AP |
871 | (block128_f) aes_t4_decrypt, |
872 | NULL)) | |
0f113f3e MC |
873 | return 0; |
874 | } | |
875 | while (0); | |
876 | ||
877 | /* | |
878 | * If we have an iv we can set it directly, otherwise use saved IV. | |
879 | */ | |
880 | if (iv == NULL && octx->iv_set) | |
881 | iv = octx->iv; | |
882 | if (iv) { | |
883 | if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen) | |
884 | != 1) | |
885 | return 0; | |
886 | octx->iv_set = 1; | |
887 | } | |
888 | octx->key_set = 1; | |
889 | } else { | |
890 | /* If key set use IV, otherwise copy */ | |
891 | if (octx->key_set) | |
892 | CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen); | |
893 | else | |
894 | memcpy(octx->iv, iv, octx->ivlen); | |
895 | octx->iv_set = 1; | |
896 | } | |
897 | return 1; | |
898 | } | |
899 | ||
5158c763 | 900 | # define aes_t4_ocb_cipher aes_ocb_cipher |
e6b336ef | 901 | static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e | 902 | const unsigned char *in, size_t len); |
5158c763 | 903 | # endif /* OPENSSL_NO_OCB */ |
e6b336ef | 904 | |
5158c763 | 905 | # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ |
c5f6da54 | 906 | static const EVP_CIPHER aes_t4_##keylen##_##mode = { \ |
0f113f3e MC |
907 | nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ |
908 | flags|EVP_CIPH_##MODE##_MODE, \ | |
909 | aes_t4_init_key, \ | |
910 | aes_t4_##mode##_cipher, \ | |
911 | NULL, \ | |
912 | sizeof(EVP_AES_KEY), \ | |
913 | NULL,NULL,NULL,NULL }; \ | |
c5f6da54 | 914 | static const EVP_CIPHER aes_##keylen##_##mode = { \ |
0f113f3e MC |
915 | nid##_##keylen##_##nmode,blocksize, \ |
916 | keylen/8,ivlen, \ | |
917 | flags|EVP_CIPH_##MODE##_MODE, \ | |
918 | aes_init_key, \ | |
919 | aes_##mode##_cipher, \ | |
920 | NULL, \ | |
921 | sizeof(EVP_AES_KEY), \ | |
922 | NULL,NULL,NULL,NULL }; \ | |
c5f6da54 AP |
923 | const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ |
924 | { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; } | |
925 | ||
5158c763 | 926 | # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ |
c5f6da54 | 927 | static const EVP_CIPHER aes_t4_##keylen##_##mode = { \ |
0f113f3e MC |
928 | nid##_##keylen##_##mode,blocksize, \ |
929 | (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ | |
930 | flags|EVP_CIPH_##MODE##_MODE, \ | |
931 | aes_t4_##mode##_init_key, \ | |
932 | aes_t4_##mode##_cipher, \ | |
933 | aes_##mode##_cleanup, \ | |
934 | sizeof(EVP_AES_##MODE##_CTX), \ | |
935 | NULL,NULL,aes_##mode##_ctrl,NULL }; \ | |
c5f6da54 | 936 | static const EVP_CIPHER aes_##keylen##_##mode = { \ |
0f113f3e MC |
937 | nid##_##keylen##_##mode,blocksize, \ |
938 | (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ | |
939 | flags|EVP_CIPH_##MODE##_MODE, \ | |
940 | aes_##mode##_init_key, \ | |
941 | aes_##mode##_cipher, \ | |
942 | aes_##mode##_cleanup, \ | |
943 | sizeof(EVP_AES_##MODE##_CTX), \ | |
944 | NULL,NULL,aes_##mode##_ctrl,NULL }; \ | |
c5f6da54 AP |
945 | const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ |
946 | { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; } | |
947 | ||
5158c763 | 948 | #else |
17f121de | 949 | |
5158c763 | 950 | # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ |
17f121de | 951 | static const EVP_CIPHER aes_##keylen##_##mode = { \ |
0f113f3e MC |
952 | nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ |
953 | flags|EVP_CIPH_##MODE##_MODE, \ | |
954 | aes_init_key, \ | |
955 | aes_##mode##_cipher, \ | |
956 | NULL, \ | |
957 | sizeof(EVP_AES_KEY), \ | |
958 | NULL,NULL,NULL,NULL }; \ | |
17f121de AP |
959 | const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ |
960 | { return &aes_##keylen##_##mode; } | |
d1fff483 | 961 | |
5158c763 | 962 | # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ |
17f121de | 963 | static const EVP_CIPHER aes_##keylen##_##mode = { \ |
0f113f3e MC |
964 | nid##_##keylen##_##mode,blocksize, \ |
965 | (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ | |
966 | flags|EVP_CIPH_##MODE##_MODE, \ | |
967 | aes_##mode##_init_key, \ | |
968 | aes_##mode##_cipher, \ | |
969 | aes_##mode##_cleanup, \ | |
970 | sizeof(EVP_AES_##MODE##_CTX), \ | |
971 | NULL,NULL,aes_##mode##_ctrl,NULL }; \ | |
17f121de AP |
972 | const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ |
973 | { return &aes_##keylen##_##mode; } | |
9575d1a9 | 974 | |
5158c763 | 975 | #endif |
9575d1a9 | 976 | |
5158c763 MC |
977 | #if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__)) |
978 | # include "arm_arch.h" | |
979 | # if __ARM_MAX_ARCH__>=7 | |
980 | # if defined(BSAES_ASM) | |
981 | # define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON) | |
982 | # endif | |
983 | # if defined(VPAES_ASM) | |
984 | # define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON) | |
0f113f3e | 985 | # endif |
5158c763 MC |
986 | # define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES) |
987 | # define HWAES_set_encrypt_key aes_v8_set_encrypt_key | |
988 | # define HWAES_set_decrypt_key aes_v8_set_decrypt_key | |
989 | # define HWAES_encrypt aes_v8_encrypt | |
990 | # define HWAES_decrypt aes_v8_decrypt | |
991 | # define HWAES_cbc_encrypt aes_v8_cbc_encrypt | |
992 | # define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks | |
ddacb8f2 | 993 | # endif |
5158c763 | 994 | #endif |
d1fff483 | 995 | |
5158c763 | 996 | #if defined(HWAES_CAPABLE) |
ddacb8f2 | 997 | int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits, |
0f113f3e | 998 | AES_KEY *key); |
ddacb8f2 | 999 | int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits, |
0f113f3e | 1000 | AES_KEY *key); |
ddacb8f2 | 1001 | void HWAES_encrypt(const unsigned char *in, unsigned char *out, |
0f113f3e | 1002 | const AES_KEY *key); |
ddacb8f2 | 1003 | void HWAES_decrypt(const unsigned char *in, unsigned char *out, |
0f113f3e | 1004 | const AES_KEY *key); |
ddacb8f2 | 1005 | void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out, |
0f113f3e MC |
1006 | size_t length, const AES_KEY *key, |
1007 | unsigned char *ivec, const int enc); | |
ddacb8f2 | 1008 | void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, |
0f113f3e MC |
1009 | size_t len, const AES_KEY *key, |
1010 | const unsigned char ivec[16]); | |
5158c763 | 1011 | #endif |
ddacb8f2 | 1012 | |
5158c763 | 1013 | #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \ |
0f113f3e MC |
1014 | BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ |
1015 | BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ | |
1016 | BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ | |
1017 | BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ | |
1018 | BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \ | |
1019 | BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \ | |
1020 | BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags) | |
d1fff483 AP |
1021 | |
1022 | static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
0f113f3e MC |
1023 | const unsigned char *iv, int enc) |
1024 | { | |
1025 | int ret, mode; | |
6435f0f6 | 1026 | EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); |
0f113f3e | 1027 | |
6435f0f6 | 1028 | mode = EVP_CIPHER_CTX_mode(ctx); |
0f113f3e MC |
1029 | if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) |
1030 | && !enc) | |
5158c763 | 1031 | #ifdef HWAES_CAPABLE |
0f113f3e | 1032 | if (HWAES_CAPABLE) { |
6435f0f6 RL |
1033 | ret = HWAES_set_decrypt_key(key, |
1034 | EVP_CIPHER_CTX_key_length(ctx) * 8, | |
1035 | &dat->ks.ks); | |
0f113f3e MC |
1036 | dat->block = (block128_f) HWAES_decrypt; |
1037 | dat->stream.cbc = NULL; | |
5158c763 | 1038 | # ifdef HWAES_cbc_encrypt |
0f113f3e MC |
1039 | if (mode == EVP_CIPH_CBC_MODE) |
1040 | dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt; | |
0f113f3e | 1041 | # endif |
5158c763 MC |
1042 | } else |
1043 | #endif | |
1044 | #ifdef BSAES_CAPABLE | |
0f113f3e | 1045 | if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) { |
6435f0f6 RL |
1046 | ret = AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
1047 | &dat->ks.ks); | |
0f113f3e MC |
1048 | dat->block = (block128_f) AES_decrypt; |
1049 | dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt; | |
1050 | } else | |
5158c763 MC |
1051 | #endif |
1052 | #ifdef VPAES_CAPABLE | |
0f113f3e | 1053 | if (VPAES_CAPABLE) { |
6435f0f6 RL |
1054 | ret = vpaes_set_decrypt_key(key, |
1055 | EVP_CIPHER_CTX_key_length(ctx) * 8, | |
1056 | &dat->ks.ks); | |
0f113f3e MC |
1057 | dat->block = (block128_f) vpaes_decrypt; |
1058 | dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? | |
1059 | (cbc128_f) vpaes_cbc_encrypt : NULL; | |
1060 | } else | |
5158c763 | 1061 | #endif |
0f113f3e | 1062 | { |
6435f0f6 RL |
1063 | ret = AES_set_decrypt_key(key, |
1064 | EVP_CIPHER_CTX_key_length(ctx) * 8, | |
1065 | &dat->ks.ks); | |
0f113f3e MC |
1066 | dat->block = (block128_f) AES_decrypt; |
1067 | dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? | |
1068 | (cbc128_f) AES_cbc_encrypt : NULL; | |
1069 | } else | |
5158c763 | 1070 | #ifdef HWAES_CAPABLE |
0f113f3e | 1071 | if (HWAES_CAPABLE) { |
6435f0f6 RL |
1072 | ret = HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
1073 | &dat->ks.ks); | |
0f113f3e MC |
1074 | dat->block = (block128_f) HWAES_encrypt; |
1075 | dat->stream.cbc = NULL; | |
5158c763 | 1076 | # ifdef HWAES_cbc_encrypt |
0f113f3e MC |
1077 | if (mode == EVP_CIPH_CBC_MODE) |
1078 | dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt; | |
1079 | else | |
5158c763 MC |
1080 | # endif |
1081 | # ifdef HWAES_ctr32_encrypt_blocks | |
0f113f3e MC |
1082 | if (mode == EVP_CIPH_CTR_MODE) |
1083 | dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks; | |
1084 | else | |
5158c763 | 1085 | # endif |
0f113f3e MC |
1086 | (void)0; /* terminate potentially open 'else' */ |
1087 | } else | |
5158c763 MC |
1088 | #endif |
1089 | #ifdef BSAES_CAPABLE | |
0f113f3e | 1090 | if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) { |
6435f0f6 RL |
1091 | ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
1092 | &dat->ks.ks); | |
0f113f3e MC |
1093 | dat->block = (block128_f) AES_encrypt; |
1094 | dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks; | |
1095 | } else | |
5158c763 MC |
1096 | #endif |
1097 | #ifdef VPAES_CAPABLE | |
0f113f3e | 1098 | if (VPAES_CAPABLE) { |
6435f0f6 RL |
1099 | ret = vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
1100 | &dat->ks.ks); | |
0f113f3e MC |
1101 | dat->block = (block128_f) vpaes_encrypt; |
1102 | dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? | |
1103 | (cbc128_f) vpaes_cbc_encrypt : NULL; | |
1104 | } else | |
5158c763 | 1105 | #endif |
0f113f3e | 1106 | { |
6435f0f6 RL |
1107 | ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
1108 | &dat->ks.ks); | |
0f113f3e MC |
1109 | dat->block = (block128_f) AES_encrypt; |
1110 | dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? | |
1111 | (cbc128_f) AES_cbc_encrypt : NULL; | |
5158c763 | 1112 | #ifdef AES_CTR_ASM |
0f113f3e MC |
1113 | if (mode == EVP_CIPH_CTR_MODE) |
1114 | dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt; | |
5158c763 | 1115 | #endif |
0f113f3e | 1116 | } |
d1fff483 | 1117 | |
0f113f3e MC |
1118 | if (ret < 0) { |
1119 | EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED); | |
1120 | return 0; | |
1121 | } | |
d1fff483 | 1122 | |
0f113f3e MC |
1123 | return 1; |
1124 | } | |
d1fff483 | 1125 | |
0f113f3e MC |
1126 | static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
1127 | const unsigned char *in, size_t len) | |
17f121de | 1128 | { |
6435f0f6 | 1129 | EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); |
8ca28da0 | 1130 | |
0f113f3e | 1131 | if (dat->stream.cbc) |
6435f0f6 RL |
1132 | (*dat->stream.cbc) (in, out, len, &dat->ks, |
1133 | EVP_CIPHER_CTX_iv_noconst(ctx), | |
1134 | EVP_CIPHER_CTX_encrypting(ctx)); | |
1135 | else if (EVP_CIPHER_CTX_encrypting(ctx)) | |
1136 | CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, | |
1137 | EVP_CIPHER_CTX_iv_noconst(ctx), dat->block); | |
0f113f3e | 1138 | else |
6435f0f6 RL |
1139 | CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, |
1140 | EVP_CIPHER_CTX_iv_noconst(ctx), dat->block); | |
17f121de | 1141 | |
0f113f3e | 1142 | return 1; |
17f121de AP |
1143 | } |
1144 | ||
0f113f3e MC |
1145 | static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
1146 | const unsigned char *in, size_t len) | |
17f121de | 1147 | { |
6435f0f6 | 1148 | size_t bl = EVP_CIPHER_CTX_block_size(ctx); |
0f113f3e | 1149 | size_t i; |
6435f0f6 | 1150 | EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); |
17f121de | 1151 | |
0f113f3e MC |
1152 | if (len < bl) |
1153 | return 1; | |
17f121de | 1154 | |
0f113f3e MC |
1155 | for (i = 0, len -= bl; i <= len; i += bl) |
1156 | (*dat->block) (in + i, out + i, &dat->ks); | |
17f121de | 1157 | |
0f113f3e | 1158 | return 1; |
17f121de | 1159 | } |
deb2c1a1 | 1160 | |
0f113f3e MC |
1161 | static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
1162 | const unsigned char *in, size_t len) | |
17f121de | 1163 | { |
6435f0f6 | 1164 | EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); |
8ca28da0 | 1165 | |
6435f0f6 | 1166 | int num = EVP_CIPHER_CTX_num(ctx); |
0f113f3e | 1167 | CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, |
6435f0f6 RL |
1168 | EVP_CIPHER_CTX_iv_noconst(ctx), &num, dat->block); |
1169 | EVP_CIPHER_CTX_set_num(ctx, num); | |
0f113f3e | 1170 | return 1; |
17f121de | 1171 | } |
deb2c1a1 | 1172 | |
0f113f3e MC |
1173 | static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
1174 | const unsigned char *in, size_t len) | |
17f121de | 1175 | { |
6435f0f6 | 1176 | EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); |
8ca28da0 | 1177 | |
6435f0f6 | 1178 | int num = EVP_CIPHER_CTX_num(ctx); |
0f113f3e | 1179 | CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, |
6435f0f6 RL |
1180 | EVP_CIPHER_CTX_iv_noconst(ctx), &num, |
1181 | EVP_CIPHER_CTX_encrypting(ctx), dat->block); | |
1182 | EVP_CIPHER_CTX_set_num(ctx, num); | |
0f113f3e | 1183 | return 1; |
17f121de AP |
1184 | } |
1185 | ||
0f113f3e MC |
1186 | static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
1187 | const unsigned char *in, size_t len) | |
17f121de | 1188 | { |
6435f0f6 | 1189 | EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); |
8ca28da0 | 1190 | |
6435f0f6 | 1191 | int num = EVP_CIPHER_CTX_num(ctx); |
0f113f3e | 1192 | CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, |
6435f0f6 RL |
1193 | EVP_CIPHER_CTX_iv_noconst(ctx), &num, |
1194 | EVP_CIPHER_CTX_encrypting(ctx), dat->block); | |
1195 | EVP_CIPHER_CTX_set_num(ctx, num); | |
0f113f3e | 1196 | return 1; |
17f121de | 1197 | } |
8d1ebe0b | 1198 | |
0f113f3e MC |
1199 | static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
1200 | const unsigned char *in, size_t len) | |
17f121de | 1201 | { |
6435f0f6 | 1202 | EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); |
0f113f3e | 1203 | |
6435f0f6 RL |
1204 | if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) { |
1205 | int num = EVP_CIPHER_CTX_num(ctx); | |
0f113f3e | 1206 | CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, |
6435f0f6 RL |
1207 | EVP_CIPHER_CTX_iv_noconst(ctx), &num, |
1208 | EVP_CIPHER_CTX_encrypting(ctx), dat->block); | |
1209 | EVP_CIPHER_CTX_set_num(ctx, num); | |
0f113f3e MC |
1210 | return 1; |
1211 | } | |
1212 | ||
1213 | while (len >= MAXBITCHUNK) { | |
6435f0f6 | 1214 | int num = EVP_CIPHER_CTX_num(ctx); |
0f113f3e | 1215 | CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks, |
6435f0f6 RL |
1216 | EVP_CIPHER_CTX_iv_noconst(ctx), &num, |
1217 | EVP_CIPHER_CTX_encrypting(ctx), dat->block); | |
1218 | EVP_CIPHER_CTX_set_num(ctx, num); | |
0f113f3e MC |
1219 | len -= MAXBITCHUNK; |
1220 | } | |
6435f0f6 RL |
1221 | if (len) { |
1222 | int num = EVP_CIPHER_CTX_num(ctx); | |
0f113f3e | 1223 | CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks, |
6435f0f6 RL |
1224 | EVP_CIPHER_CTX_iv_noconst(ctx), &num, |
1225 | EVP_CIPHER_CTX_encrypting(ctx), dat->block); | |
1226 | EVP_CIPHER_CTX_set_num(ctx, num); | |
1227 | } | |
0f113f3e MC |
1228 | |
1229 | return 1; | |
17f121de | 1230 | } |
8d1ebe0b | 1231 | |
0f113f3e MC |
1232 | static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
1233 | const unsigned char *in, size_t len) | |
d976f992 | 1234 | { |
6435f0f6 RL |
1235 | unsigned int num = EVP_CIPHER_CTX_num(ctx); |
1236 | EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); | |
0f113f3e MC |
1237 | |
1238 | if (dat->stream.ctr) | |
1239 | CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, | |
6435f0f6 RL |
1240 | EVP_CIPHER_CTX_iv_noconst(ctx), |
1241 | EVP_CIPHER_CTX_buf_noconst(ctx), | |
1242 | &num, dat->stream.ctr); | |
0f113f3e MC |
1243 | else |
1244 | CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, | |
6435f0f6 RL |
1245 | EVP_CIPHER_CTX_iv_noconst(ctx), |
1246 | EVP_CIPHER_CTX_buf_noconst(ctx), &num, | |
1247 | dat->block); | |
1248 | EVP_CIPHER_CTX_set_num(ctx, num); | |
0f113f3e | 1249 | return 1; |
d976f992 AP |
1250 | } |
1251 | ||
0f113f3e MC |
1252 | BLOCK_CIPHER_generic_pack(NID_aes, 128, 0) |
1253 | BLOCK_CIPHER_generic_pack(NID_aes, 192, 0) | |
1254 | BLOCK_CIPHER_generic_pack(NID_aes, 256, 0) | |
bdaa5415 DSH |
1255 | |
1256 | static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) | |
0f113f3e | 1257 | { |
6435f0f6 | 1258 | EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c); |
0f113f3e | 1259 | OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); |
6435f0f6 | 1260 | if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c)) |
0f113f3e MC |
1261 | OPENSSL_free(gctx->iv); |
1262 | return 1; | |
1263 | } | |
bdaa5415 | 1264 | |
b3d8022e | 1265 | /* increment counter (64-bit int) by 1 */ |
0f113f3e MC |
1266 | static void ctr64_inc(unsigned char *counter) |
1267 | { | |
1268 | int n = 8; | |
1269 | unsigned char c; | |
1270 | ||
1271 | do { | |
1272 | --n; | |
1273 | c = counter[n]; | |
1274 | ++c; | |
1275 | counter[n] = c; | |
1276 | if (c) | |
1277 | return; | |
1278 | } while (n); | |
b3d8022e DSH |
1279 | } |
1280 | ||
bdaa5415 | 1281 | static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) |
0f113f3e | 1282 | { |
6435f0f6 | 1283 | EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c); |
0f113f3e MC |
1284 | switch (type) { |
1285 | case EVP_CTRL_INIT: | |
1286 | gctx->key_set = 0; | |
1287 | gctx->iv_set = 0; | |
6435f0f6 RL |
1288 | gctx->ivlen = EVP_CIPHER_CTX_iv_length(c); |
1289 | gctx->iv = EVP_CIPHER_CTX_iv_noconst(c); | |
0f113f3e MC |
1290 | gctx->taglen = -1; |
1291 | gctx->iv_gen = 0; | |
1292 | gctx->tls_aad_len = -1; | |
1293 | return 1; | |
1294 | ||
e640fa02 | 1295 | case EVP_CTRL_AEAD_SET_IVLEN: |
0f113f3e MC |
1296 | if (arg <= 0) |
1297 | return 0; | |
1298 | /* Allocate memory for IV if needed */ | |
1299 | if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { | |
6435f0f6 | 1300 | if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c)) |
0f113f3e MC |
1301 | OPENSSL_free(gctx->iv); |
1302 | gctx->iv = OPENSSL_malloc(arg); | |
90945fa3 | 1303 | if (gctx->iv == NULL) |
0f113f3e MC |
1304 | return 0; |
1305 | } | |
1306 | gctx->ivlen = arg; | |
1307 | return 1; | |
1308 | ||
e640fa02 | 1309 | case EVP_CTRL_AEAD_SET_TAG: |
6435f0f6 | 1310 | if (arg <= 0 || arg > 16 || EVP_CIPHER_CTX_encrypting(c)) |
0f113f3e | 1311 | return 0; |
6435f0f6 | 1312 | memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg); |
0f113f3e MC |
1313 | gctx->taglen = arg; |
1314 | return 1; | |
1315 | ||
e640fa02 | 1316 | case EVP_CTRL_AEAD_GET_TAG: |
6435f0f6 RL |
1317 | if (arg <= 0 || arg > 16 || !EVP_CIPHER_CTX_encrypting(c) |
1318 | || gctx->taglen < 0) | |
0f113f3e | 1319 | return 0; |
6435f0f6 | 1320 | memcpy(ptr, EVP_CIPHER_CTX_buf_noconst(c), arg); |
0f113f3e MC |
1321 | return 1; |
1322 | ||
1323 | case EVP_CTRL_GCM_SET_IV_FIXED: | |
1324 | /* Special case: -1 length restores whole IV */ | |
1325 | if (arg == -1) { | |
1326 | memcpy(gctx->iv, ptr, gctx->ivlen); | |
1327 | gctx->iv_gen = 1; | |
1328 | return 1; | |
1329 | } | |
1330 | /* | |
1331 | * Fixed field must be at least 4 bytes and invocation field at least | |
1332 | * 8. | |
1333 | */ | |
1334 | if ((arg < 4) || (gctx->ivlen - arg) < 8) | |
1335 | return 0; | |
1336 | if (arg) | |
1337 | memcpy(gctx->iv, ptr, arg); | |
6435f0f6 RL |
1338 | if (EVP_CIPHER_CTX_encrypting(c) |
1339 | && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) | |
0f113f3e MC |
1340 | return 0; |
1341 | gctx->iv_gen = 1; | |
1342 | return 1; | |
1343 | ||
1344 | case EVP_CTRL_GCM_IV_GEN: | |
1345 | if (gctx->iv_gen == 0 || gctx->key_set == 0) | |
1346 | return 0; | |
1347 | CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); | |
1348 | if (arg <= 0 || arg > gctx->ivlen) | |
1349 | arg = gctx->ivlen; | |
1350 | memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); | |
1351 | /* | |
1352 | * Invocation field will be at least 8 bytes in size and so no need | |
1353 | * to check wrap around or increment more than last 8 bytes. | |
1354 | */ | |
1355 | ctr64_inc(gctx->iv + gctx->ivlen - 8); | |
1356 | gctx->iv_set = 1; | |
1357 | return 1; | |
1358 | ||
1359 | case EVP_CTRL_GCM_SET_IV_INV: | |
6435f0f6 RL |
1360 | if (gctx->iv_gen == 0 || gctx->key_set == 0 |
1361 | || EVP_CIPHER_CTX_encrypting(c)) | |
0f113f3e MC |
1362 | return 0; |
1363 | memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); | |
1364 | CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); | |
1365 | gctx->iv_set = 1; | |
1366 | return 1; | |
1367 | ||
1368 | case EVP_CTRL_AEAD_TLS1_AAD: | |
1369 | /* Save the AAD for later use */ | |
c8269881 | 1370 | if (arg != EVP_AEAD_TLS1_AAD_LEN) |
0f113f3e | 1371 | return 0; |
6435f0f6 | 1372 | memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg); |
0f113f3e MC |
1373 | gctx->tls_aad_len = arg; |
1374 | { | |
6435f0f6 RL |
1375 | unsigned int len = |
1376 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8 | |
1377 | | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1]; | |
0f113f3e MC |
1378 | /* Correct length for explicit IV */ |
1379 | len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
1380 | /* If decrypting correct for tag too */ | |
6435f0f6 | 1381 | if (!EVP_CIPHER_CTX_encrypting(c)) |
0f113f3e | 1382 | len -= EVP_GCM_TLS_TAG_LEN; |
6435f0f6 RL |
1383 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8; |
1384 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff; | |
0f113f3e MC |
1385 | } |
1386 | /* Extra padding: tag appended to record */ | |
1387 | return EVP_GCM_TLS_TAG_LEN; | |
1388 | ||
1389 | case EVP_CTRL_COPY: | |
1390 | { | |
1391 | EVP_CIPHER_CTX *out = ptr; | |
6435f0f6 | 1392 | EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out); |
0f113f3e MC |
1393 | if (gctx->gcm.key) { |
1394 | if (gctx->gcm.key != &gctx->ks) | |
1395 | return 0; | |
1396 | gctx_out->gcm.key = &gctx_out->ks; | |
1397 | } | |
6435f0f6 RL |
1398 | if (gctx->iv == EVP_CIPHER_CTX_iv_noconst(c)) |
1399 | gctx_out->iv = EVP_CIPHER_CTX_iv_noconst(out); | |
0f113f3e MC |
1400 | else { |
1401 | gctx_out->iv = OPENSSL_malloc(gctx->ivlen); | |
90945fa3 | 1402 | if (gctx_out->iv == NULL) |
0f113f3e MC |
1403 | return 0; |
1404 | memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); | |
1405 | } | |
1406 | return 1; | |
1407 | } | |
1408 | ||
1409 | default: | |
1410 | return -1; | |
1411 | ||
1412 | } | |
1413 | } | |
bdaa5415 DSH |
1414 | |
1415 | static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
0f113f3e MC |
1416 | const unsigned char *iv, int enc) |
1417 | { | |
6435f0f6 | 1418 | EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); |
0f113f3e MC |
1419 | if (!iv && !key) |
1420 | return 1; | |
1421 | if (key) { | |
1422 | do { | |
5158c763 | 1423 | #ifdef HWAES_CAPABLE |
0f113f3e | 1424 | if (HWAES_CAPABLE) { |
6435f0f6 RL |
1425 | HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
1426 | &gctx->ks.ks); | |
0f113f3e MC |
1427 | CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, |
1428 | (block128_f) HWAES_encrypt); | |
5158c763 | 1429 | # ifdef HWAES_ctr32_encrypt_blocks |
0f113f3e | 1430 | gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks; |
5158c763 | 1431 | # else |
0f113f3e | 1432 | gctx->ctr = NULL; |
5158c763 | 1433 | # endif |
0f113f3e MC |
1434 | break; |
1435 | } else | |
5158c763 MC |
1436 | #endif |
1437 | #ifdef BSAES_CAPABLE | |
0f113f3e | 1438 | if (BSAES_CAPABLE) { |
6435f0f6 RL |
1439 | AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
1440 | &gctx->ks.ks); | |
0f113f3e MC |
1441 | CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, |
1442 | (block128_f) AES_encrypt); | |
1443 | gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks; | |
1444 | break; | |
1445 | } else | |
5158c763 MC |
1446 | #endif |
1447 | #ifdef VPAES_CAPABLE | |
0f113f3e | 1448 | if (VPAES_CAPABLE) { |
6435f0f6 RL |
1449 | vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
1450 | &gctx->ks.ks); | |
0f113f3e MC |
1451 | CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, |
1452 | (block128_f) vpaes_encrypt); | |
1453 | gctx->ctr = NULL; | |
1454 | break; | |
1455 | } else | |
5158c763 | 1456 | #endif |
0f113f3e MC |
1457 | (void)0; /* terminate potentially open 'else' */ |
1458 | ||
6435f0f6 RL |
1459 | AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
1460 | &gctx->ks.ks); | |
0f113f3e MC |
1461 | CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, |
1462 | (block128_f) AES_encrypt); | |
5158c763 | 1463 | #ifdef AES_CTR_ASM |
0f113f3e | 1464 | gctx->ctr = (ctr128_f) AES_ctr32_encrypt; |
5158c763 | 1465 | #else |
0f113f3e | 1466 | gctx->ctr = NULL; |
5158c763 | 1467 | #endif |
0f113f3e MC |
1468 | } while (0); |
1469 | ||
1470 | /* | |
1471 | * If we have an iv can set it directly, otherwise use saved IV. | |
1472 | */ | |
1473 | if (iv == NULL && gctx->iv_set) | |
1474 | iv = gctx->iv; | |
1475 | if (iv) { | |
1476 | CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); | |
1477 | gctx->iv_set = 1; | |
1478 | } | |
1479 | gctx->key_set = 1; | |
1480 | } else { | |
1481 | /* If key set use IV, otherwise copy */ | |
1482 | if (gctx->key_set) | |
1483 | CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); | |
1484 | else | |
1485 | memcpy(gctx->iv, iv, gctx->ivlen); | |
1486 | gctx->iv_set = 1; | |
1487 | gctx->iv_gen = 0; | |
1488 | } | |
1489 | return 1; | |
1490 | } | |
1491 | ||
1492 | /* | |
1493 | * Handle TLS GCM packet format. This consists of the last portion of the IV | |
28dd49fa DSH |
1494 | * followed by the payload and finally the tag. On encrypt generate IV, |
1495 | * encrypt payload and write the tag. On verify retrieve IV, decrypt payload | |
1496 | * and verify tag. | |
1497 | */ | |
1498 | ||
1499 | static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
0f113f3e MC |
1500 | const unsigned char *in, size_t len) |
1501 | { | |
6435f0f6 | 1502 | EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); |
0f113f3e MC |
1503 | int rv = -1; |
1504 | /* Encrypt/decrypt must be performed in place */ | |
1505 | if (out != in | |
1506 | || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) | |
1507 | return -1; | |
1508 | /* | |
1509 | * Set IV from start of buffer or generate IV and write to start of | |
1510 | * buffer. | |
1511 | */ | |
6435f0f6 | 1512 | if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CIPHER_CTX_encrypting(ctx) ? |
0f113f3e MC |
1513 | EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, |
1514 | EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) | |
1515 | goto err; | |
1516 | /* Use saved AAD */ | |
6435f0f6 RL |
1517 | if (CRYPTO_gcm128_aad(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), |
1518 | gctx->tls_aad_len)) | |
0f113f3e MC |
1519 | goto err; |
1520 | /* Fix buffer and length to point to payload */ | |
1521 | in += EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
1522 | out += EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
1523 | len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; | |
6435f0f6 | 1524 | if (EVP_CIPHER_CTX_encrypting(ctx)) { |
0f113f3e MC |
1525 | /* Encrypt payload */ |
1526 | if (gctx->ctr) { | |
1527 | size_t bulk = 0; | |
5158c763 | 1528 | #if defined(AES_GCM_ASM) |
0f113f3e MC |
1529 | if (len >= 32 && AES_GCM_ASM(gctx)) { |
1530 | if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0)) | |
1531 | return -1; | |
1532 | ||
1533 | bulk = AES_gcm_encrypt(in, out, len, | |
1534 | gctx->gcm.key, | |
1535 | gctx->gcm.Yi.c, gctx->gcm.Xi.u); | |
1536 | gctx->gcm.len.u[1] += bulk; | |
1537 | } | |
5158c763 | 1538 | #endif |
0f113f3e MC |
1539 | if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, |
1540 | in + bulk, | |
1541 | out + bulk, | |
1542 | len - bulk, gctx->ctr)) | |
1543 | goto err; | |
1544 | } else { | |
1545 | size_t bulk = 0; | |
5158c763 | 1546 | #if defined(AES_GCM_ASM2) |
0f113f3e MC |
1547 | if (len >= 32 && AES_GCM_ASM2(gctx)) { |
1548 | if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0)) | |
1549 | return -1; | |
1550 | ||
1551 | bulk = AES_gcm_encrypt(in, out, len, | |
1552 | gctx->gcm.key, | |
1553 | gctx->gcm.Yi.c, gctx->gcm.Xi.u); | |
1554 | gctx->gcm.len.u[1] += bulk; | |
1555 | } | |
5158c763 | 1556 | #endif |
0f113f3e MC |
1557 | if (CRYPTO_gcm128_encrypt(&gctx->gcm, |
1558 | in + bulk, out + bulk, len - bulk)) | |
1559 | goto err; | |
1560 | } | |
1561 | out += len; | |
1562 | /* Finally write tag */ | |
1563 | CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); | |
1564 | rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; | |
1565 | } else { | |
1566 | /* Decrypt */ | |
1567 | if (gctx->ctr) { | |
1568 | size_t bulk = 0; | |
5158c763 | 1569 | #if defined(AES_GCM_ASM) |
0f113f3e MC |
1570 | if (len >= 16 && AES_GCM_ASM(gctx)) { |
1571 | if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0)) | |
1572 | return -1; | |
1573 | ||
1574 | bulk = AES_gcm_decrypt(in, out, len, | |
1575 | gctx->gcm.key, | |
1576 | gctx->gcm.Yi.c, gctx->gcm.Xi.u); | |
1577 | gctx->gcm.len.u[1] += bulk; | |
1578 | } | |
5158c763 | 1579 | #endif |
0f113f3e MC |
1580 | if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, |
1581 | in + bulk, | |
1582 | out + bulk, | |
1583 | len - bulk, gctx->ctr)) | |
1584 | goto err; | |
1585 | } else { | |
1586 | size_t bulk = 0; | |
5158c763 | 1587 | #if defined(AES_GCM_ASM2) |
0f113f3e MC |
1588 | if (len >= 16 && AES_GCM_ASM2(gctx)) { |
1589 | if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0)) | |
1590 | return -1; | |
1591 | ||
1592 | bulk = AES_gcm_decrypt(in, out, len, | |
1593 | gctx->gcm.key, | |
1594 | gctx->gcm.Yi.c, gctx->gcm.Xi.u); | |
1595 | gctx->gcm.len.u[1] += bulk; | |
1596 | } | |
5158c763 | 1597 | #endif |
0f113f3e MC |
1598 | if (CRYPTO_gcm128_decrypt(&gctx->gcm, |
1599 | in + bulk, out + bulk, len - bulk)) | |
1600 | goto err; | |
1601 | } | |
1602 | /* Retrieve tag */ | |
6435f0f6 RL |
1603 | CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), |
1604 | EVP_GCM_TLS_TAG_LEN); | |
0f113f3e | 1605 | /* If tag mismatch wipe buffer */ |
6435f0f6 RL |
1606 | if (CRYPTO_memcmp(EVP_CIPHER_CTX_buf_noconst(ctx), in + len, |
1607 | EVP_GCM_TLS_TAG_LEN)) { | |
0f113f3e MC |
1608 | OPENSSL_cleanse(out, len); |
1609 | goto err; | |
1610 | } | |
1611 | rv = len; | |
1612 | } | |
1613 | ||
1614 | err: | |
1615 | gctx->iv_set = 0; | |
1616 | gctx->tls_aad_len = -1; | |
1617 | return rv; | |
1618 | } | |
28dd49fa | 1619 | |
17f121de | 1620 | static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e MC |
1621 | const unsigned char *in, size_t len) |
1622 | { | |
6435f0f6 | 1623 | EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); |
0f113f3e MC |
1624 | /* If not set up, return error */ |
1625 | if (!gctx->key_set) | |
1626 | return -1; | |
1627 | ||
1628 | if (gctx->tls_aad_len >= 0) | |
1629 | return aes_gcm_tls_cipher(ctx, out, in, len); | |
1630 | ||
1631 | if (!gctx->iv_set) | |
1632 | return -1; | |
1633 | if (in) { | |
1634 | if (out == NULL) { | |
1635 | if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) | |
1636 | return -1; | |
6435f0f6 | 1637 | } else if (EVP_CIPHER_CTX_encrypting(ctx)) { |
0f113f3e MC |
1638 | if (gctx->ctr) { |
1639 | size_t bulk = 0; | |
5158c763 | 1640 | #if defined(AES_GCM_ASM) |
0f113f3e MC |
1641 | if (len >= 32 && AES_GCM_ASM(gctx)) { |
1642 | size_t res = (16 - gctx->gcm.mres) % 16; | |
1643 | ||
1644 | if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res)) | |
1645 | return -1; | |
1646 | ||
1647 | bulk = AES_gcm_encrypt(in + res, | |
1648 | out + res, len - res, | |
1649 | gctx->gcm.key, gctx->gcm.Yi.c, | |
1650 | gctx->gcm.Xi.u); | |
1651 | gctx->gcm.len.u[1] += bulk; | |
1652 | bulk += res; | |
1653 | } | |
5158c763 | 1654 | #endif |
0f113f3e MC |
1655 | if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, |
1656 | in + bulk, | |
1657 | out + bulk, | |
1658 | len - bulk, gctx->ctr)) | |
1659 | return -1; | |
1660 | } else { | |
1661 | size_t bulk = 0; | |
5158c763 | 1662 | #if defined(AES_GCM_ASM2) |
0f113f3e MC |
1663 | if (len >= 32 && AES_GCM_ASM2(gctx)) { |
1664 | size_t res = (16 - gctx->gcm.mres) % 16; | |
1665 | ||
1666 | if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res)) | |
1667 | return -1; | |
1668 | ||
1669 | bulk = AES_gcm_encrypt(in + res, | |
1670 | out + res, len - res, | |
1671 | gctx->gcm.key, gctx->gcm.Yi.c, | |
1672 | gctx->gcm.Xi.u); | |
1673 | gctx->gcm.len.u[1] += bulk; | |
1674 | bulk += res; | |
1675 | } | |
5158c763 | 1676 | #endif |
0f113f3e MC |
1677 | if (CRYPTO_gcm128_encrypt(&gctx->gcm, |
1678 | in + bulk, out + bulk, len - bulk)) | |
1679 | return -1; | |
1680 | } | |
1681 | } else { | |
1682 | if (gctx->ctr) { | |
1683 | size_t bulk = 0; | |
5158c763 | 1684 | #if defined(AES_GCM_ASM) |
0f113f3e MC |
1685 | if (len >= 16 && AES_GCM_ASM(gctx)) { |
1686 | size_t res = (16 - gctx->gcm.mres) % 16; | |
1687 | ||
1688 | if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res)) | |
1689 | return -1; | |
1690 | ||
1691 | bulk = AES_gcm_decrypt(in + res, | |
1692 | out + res, len - res, | |
1693 | gctx->gcm.key, | |
1694 | gctx->gcm.Yi.c, gctx->gcm.Xi.u); | |
1695 | gctx->gcm.len.u[1] += bulk; | |
1696 | bulk += res; | |
1697 | } | |
5158c763 | 1698 | #endif |
0f113f3e MC |
1699 | if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, |
1700 | in + bulk, | |
1701 | out + bulk, | |
1702 | len - bulk, gctx->ctr)) | |
1703 | return -1; | |
1704 | } else { | |
1705 | size_t bulk = 0; | |
5158c763 | 1706 | #if defined(AES_GCM_ASM2) |
0f113f3e MC |
1707 | if (len >= 16 && AES_GCM_ASM2(gctx)) { |
1708 | size_t res = (16 - gctx->gcm.mres) % 16; | |
1709 | ||
1710 | if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res)) | |
1711 | return -1; | |
1712 | ||
1713 | bulk = AES_gcm_decrypt(in + res, | |
1714 | out + res, len - res, | |
1715 | gctx->gcm.key, | |
1716 | gctx->gcm.Yi.c, gctx->gcm.Xi.u); | |
1717 | gctx->gcm.len.u[1] += bulk; | |
1718 | bulk += res; | |
1719 | } | |
5158c763 | 1720 | #endif |
0f113f3e MC |
1721 | if (CRYPTO_gcm128_decrypt(&gctx->gcm, |
1722 | in + bulk, out + bulk, len - bulk)) | |
1723 | return -1; | |
1724 | } | |
1725 | } | |
1726 | return len; | |
1727 | } else { | |
6435f0f6 | 1728 | if (!EVP_CIPHER_CTX_encrypting(ctx)) { |
0f113f3e MC |
1729 | if (gctx->taglen < 0) |
1730 | return -1; | |
6435f0f6 RL |
1731 | if (CRYPTO_gcm128_finish(&gctx->gcm, |
1732 | EVP_CIPHER_CTX_buf_noconst(ctx), | |
1733 | gctx->taglen) != 0) | |
0f113f3e MC |
1734 | return -1; |
1735 | gctx->iv_set = 0; | |
1736 | return 0; | |
1737 | } | |
6435f0f6 | 1738 | CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), 16); |
0f113f3e MC |
1739 | gctx->taglen = 16; |
1740 | /* Don't reuse the IV */ | |
1741 | gctx->iv_set = 0; | |
1742 | return 0; | |
1743 | } | |
1744 | ||
1745 | } | |
1746 | ||
5158c763 | 1747 | #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ |
0f113f3e MC |
1748 | | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ |
1749 | | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ | |
1750 | | EVP_CIPH_CUSTOM_COPY) | |
1751 | ||
1752 | BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, | |
1753 | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) | |
1754 | BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, | |
1755 | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) | |
1756 | BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, | |
1757 | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) | |
32a2d8dd DSH |
1758 | |
1759 | static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) | |
0f113f3e | 1760 | { |
6435f0f6 | 1761 | EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,c); |
0f113f3e MC |
1762 | if (type == EVP_CTRL_COPY) { |
1763 | EVP_CIPHER_CTX *out = ptr; | |
6435f0f6 | 1764 | EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out); |
0f113f3e MC |
1765 | if (xctx->xts.key1) { |
1766 | if (xctx->xts.key1 != &xctx->ks1) | |
1767 | return 0; | |
1768 | xctx_out->xts.key1 = &xctx_out->ks1; | |
1769 | } | |
1770 | if (xctx->xts.key2) { | |
1771 | if (xctx->xts.key2 != &xctx->ks2) | |
1772 | return 0; | |
1773 | xctx_out->xts.key2 = &xctx_out->ks2; | |
1774 | } | |
1775 | return 1; | |
1776 | } else if (type != EVP_CTRL_INIT) | |
1777 | return -1; | |
1778 | /* key1 and key2 are used as an indicator both key and IV are set */ | |
1779 | xctx->xts.key1 = NULL; | |
1780 | xctx->xts.key2 = NULL; | |
1781 | return 1; | |
1782 | } | |
32a2d8dd DSH |
1783 | |
1784 | static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
0f113f3e MC |
1785 | const unsigned char *iv, int enc) |
1786 | { | |
6435f0f6 | 1787 | EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx); |
0f113f3e MC |
1788 | if (!iv && !key) |
1789 | return 1; | |
1790 | ||
1791 | if (key) | |
1792 | do { | |
5158c763 | 1793 | #ifdef AES_XTS_ASM |
0f113f3e | 1794 | xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; |
5158c763 | 1795 | #else |
0f113f3e | 1796 | xctx->stream = NULL; |
5158c763 | 1797 | #endif |
0f113f3e | 1798 | /* key_len is two AES keys */ |
5158c763 | 1799 | #ifdef HWAES_CAPABLE |
0f113f3e MC |
1800 | if (HWAES_CAPABLE) { |
1801 | if (enc) { | |
6435f0f6 RL |
1802 | HWAES_set_encrypt_key(key, |
1803 | EVP_CIPHER_CTX_key_length(ctx) * 4, | |
0f113f3e MC |
1804 | &xctx->ks1.ks); |
1805 | xctx->xts.block1 = (block128_f) HWAES_encrypt; | |
1806 | } else { | |
6435f0f6 RL |
1807 | HWAES_set_decrypt_key(key, |
1808 | EVP_CIPHER_CTX_key_length(ctx) * 4, | |
0f113f3e MC |
1809 | &xctx->ks1.ks); |
1810 | xctx->xts.block1 = (block128_f) HWAES_decrypt; | |
1811 | } | |
1812 | ||
6435f0f6 RL |
1813 | HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, |
1814 | EVP_CIPHER_CTX_key_length(ctx) * 4, | |
1815 | &xctx->ks2.ks); | |
0f113f3e MC |
1816 | xctx->xts.block2 = (block128_f) HWAES_encrypt; |
1817 | ||
1818 | xctx->xts.key1 = &xctx->ks1; | |
1819 | break; | |
1820 | } else | |
5158c763 MC |
1821 | #endif |
1822 | #ifdef BSAES_CAPABLE | |
0f113f3e MC |
1823 | if (BSAES_CAPABLE) |
1824 | xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt; | |
1825 | else | |
5158c763 MC |
1826 | #endif |
1827 | #ifdef VPAES_CAPABLE | |
0f113f3e MC |
1828 | if (VPAES_CAPABLE) { |
1829 | if (enc) { | |
6435f0f6 RL |
1830 | vpaes_set_encrypt_key(key, |
1831 | EVP_CIPHER_CTX_key_length(ctx) * 4, | |
0f113f3e MC |
1832 | &xctx->ks1.ks); |
1833 | xctx->xts.block1 = (block128_f) vpaes_encrypt; | |
1834 | } else { | |
6435f0f6 RL |
1835 | vpaes_set_decrypt_key(key, |
1836 | EVP_CIPHER_CTX_key_length(ctx) * 4, | |
0f113f3e MC |
1837 | &xctx->ks1.ks); |
1838 | xctx->xts.block1 = (block128_f) vpaes_decrypt; | |
1839 | } | |
1840 | ||
6435f0f6 RL |
1841 | vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, |
1842 | EVP_CIPHER_CTX_key_length(ctx) * 4, | |
1843 | &xctx->ks2.ks); | |
0f113f3e MC |
1844 | xctx->xts.block2 = (block128_f) vpaes_encrypt; |
1845 | ||
1846 | xctx->xts.key1 = &xctx->ks1; | |
1847 | break; | |
1848 | } else | |
5158c763 | 1849 | #endif |
0f113f3e MC |
1850 | (void)0; /* terminate potentially open 'else' */ |
1851 | ||
1852 | if (enc) { | |
6435f0f6 RL |
1853 | AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, |
1854 | &xctx->ks1.ks); | |
0f113f3e MC |
1855 | xctx->xts.block1 = (block128_f) AES_encrypt; |
1856 | } else { | |
6435f0f6 RL |
1857 | AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, |
1858 | &xctx->ks1.ks); | |
0f113f3e MC |
1859 | xctx->xts.block1 = (block128_f) AES_decrypt; |
1860 | } | |
1861 | ||
6435f0f6 RL |
1862 | AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, |
1863 | EVP_CIPHER_CTX_key_length(ctx) * 4, | |
1864 | &xctx->ks2.ks); | |
0f113f3e MC |
1865 | xctx->xts.block2 = (block128_f) AES_encrypt; |
1866 | ||
1867 | xctx->xts.key1 = &xctx->ks1; | |
1868 | } while (0); | |
1869 | ||
1870 | if (iv) { | |
1871 | xctx->xts.key2 = &xctx->ks2; | |
6435f0f6 | 1872 | memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16); |
0f113f3e MC |
1873 | } |
1874 | ||
1875 | return 1; | |
1876 | } | |
32a2d8dd | 1877 | |
17f121de | 1878 | static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e MC |
1879 | const unsigned char *in, size_t len) |
1880 | { | |
6435f0f6 | 1881 | EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx); |
0f113f3e MC |
1882 | if (!xctx->xts.key1 || !xctx->xts.key2) |
1883 | return 0; | |
1884 | if (!out || !in || len < AES_BLOCK_SIZE) | |
1885 | return 0; | |
1886 | if (xctx->stream) | |
1887 | (*xctx->stream) (in, out, len, | |
6435f0f6 RL |
1888 | xctx->xts.key1, xctx->xts.key2, |
1889 | EVP_CIPHER_CTX_iv_noconst(ctx)); | |
1890 | else if (CRYPTO_xts128_encrypt(&xctx->xts, EVP_CIPHER_CTX_iv_noconst(ctx), | |
1891 | in, out, len, | |
1892 | EVP_CIPHER_CTX_encrypting(ctx))) | |
0f113f3e MC |
1893 | return 0; |
1894 | return 1; | |
1895 | } | |
1896 | ||
5158c763 | 1897 | #define aes_xts_cleanup NULL |
0f113f3e | 1898 | |
5158c763 | 1899 | #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \ |
0f113f3e MC |
1900 | | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ |
1901 | | EVP_CIPH_CUSTOM_COPY) | |
1902 | ||
1903 | BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS) | |
1904 | BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS) | |
23916810 DSH |
1905 | |
1906 | static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) | |
0f113f3e | 1907 | { |
6435f0f6 | 1908 | EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c); |
0f113f3e MC |
1909 | switch (type) { |
1910 | case EVP_CTRL_INIT: | |
1911 | cctx->key_set = 0; | |
1912 | cctx->iv_set = 0; | |
1913 | cctx->L = 8; | |
1914 | cctx->M = 12; | |
1915 | cctx->tag_set = 0; | |
1916 | cctx->len_set = 0; | |
e75c5a79 DSH |
1917 | cctx->tls_aad_len = -1; |
1918 | return 1; | |
1919 | ||
1920 | case EVP_CTRL_AEAD_TLS1_AAD: | |
1921 | /* Save the AAD for later use */ | |
1922 | if (arg != EVP_AEAD_TLS1_AAD_LEN) | |
1923 | return 0; | |
6435f0f6 | 1924 | memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg); |
e75c5a79 DSH |
1925 | cctx->tls_aad_len = arg; |
1926 | { | |
6435f0f6 RL |
1927 | uint16_t len = |
1928 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8 | |
1929 | | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1]; | |
e75c5a79 DSH |
1930 | /* Correct length for explicit IV */ |
1931 | len -= EVP_CCM_TLS_EXPLICIT_IV_LEN; | |
1932 | /* If decrypting correct for tag too */ | |
6435f0f6 | 1933 | if (!EVP_CIPHER_CTX_encrypting(c)) |
e75c5a79 | 1934 | len -= cctx->M; |
6435f0f6 RL |
1935 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8; |
1936 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff; | |
e75c5a79 DSH |
1937 | } |
1938 | /* Extra padding: tag appended to record */ | |
1939 | return cctx->M; | |
1940 | ||
1941 | case EVP_CTRL_CCM_SET_IV_FIXED: | |
1942 | /* Sanity check length */ | |
1943 | if (arg != EVP_CCM_TLS_FIXED_IV_LEN) | |
1944 | return 0; | |
1945 | /* Just copy to first part of IV */ | |
6435f0f6 | 1946 | memcpy(EVP_CIPHER_CTX_iv_noconst(c), ptr, arg); |
0f113f3e MC |
1947 | return 1; |
1948 | ||
e640fa02 | 1949 | case EVP_CTRL_AEAD_SET_IVLEN: |
0f113f3e MC |
1950 | arg = 15 - arg; |
1951 | case EVP_CTRL_CCM_SET_L: | |
1952 | if (arg < 2 || arg > 8) | |
1953 | return 0; | |
1954 | cctx->L = arg; | |
1955 | return 1; | |
1956 | ||
e640fa02 | 1957 | case EVP_CTRL_AEAD_SET_TAG: |
0f113f3e MC |
1958 | if ((arg & 1) || arg < 4 || arg > 16) |
1959 | return 0; | |
6435f0f6 | 1960 | if (EVP_CIPHER_CTX_encrypting(c) && ptr) |
0f113f3e MC |
1961 | return 0; |
1962 | if (ptr) { | |
1963 | cctx->tag_set = 1; | |
6435f0f6 | 1964 | memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg); |
0f113f3e MC |
1965 | } |
1966 | cctx->M = arg; | |
1967 | return 1; | |
1968 | ||
e640fa02 | 1969 | case EVP_CTRL_AEAD_GET_TAG: |
6435f0f6 | 1970 | if (!EVP_CIPHER_CTX_encrypting(c) || !cctx->tag_set) |
0f113f3e MC |
1971 | return 0; |
1972 | if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) | |
1973 | return 0; | |
1974 | cctx->tag_set = 0; | |
1975 | cctx->iv_set = 0; | |
1976 | cctx->len_set = 0; | |
1977 | return 1; | |
1978 | ||
1979 | case EVP_CTRL_COPY: | |
1980 | { | |
1981 | EVP_CIPHER_CTX *out = ptr; | |
6435f0f6 | 1982 | EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out); |
0f113f3e MC |
1983 | if (cctx->ccm.key) { |
1984 | if (cctx->ccm.key != &cctx->ks) | |
1985 | return 0; | |
1986 | cctx_out->ccm.key = &cctx_out->ks; | |
1987 | } | |
1988 | return 1; | |
1989 | } | |
1990 | ||
1991 | default: | |
1992 | return -1; | |
1993 | ||
1994 | } | |
1995 | } | |
23916810 DSH |
1996 | |
1997 | static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
0f113f3e MC |
1998 | const unsigned char *iv, int enc) |
1999 | { | |
6435f0f6 | 2000 | EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx); |
0f113f3e MC |
2001 | if (!iv && !key) |
2002 | return 1; | |
2003 | if (key) | |
2004 | do { | |
5158c763 | 2005 | #ifdef HWAES_CAPABLE |
0f113f3e | 2006 | if (HWAES_CAPABLE) { |
6435f0f6 RL |
2007 | HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
2008 | &cctx->ks.ks); | |
0f113f3e MC |
2009 | |
2010 | CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, | |
2011 | &cctx->ks, (block128_f) HWAES_encrypt); | |
2012 | cctx->str = NULL; | |
2013 | cctx->key_set = 1; | |
2014 | break; | |
2015 | } else | |
5158c763 MC |
2016 | #endif |
2017 | #ifdef VPAES_CAPABLE | |
0f113f3e | 2018 | if (VPAES_CAPABLE) { |
6435f0f6 RL |
2019 | vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
2020 | &cctx->ks.ks); | |
0f113f3e MC |
2021 | CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, |
2022 | &cctx->ks, (block128_f) vpaes_encrypt); | |
2023 | cctx->str = NULL; | |
2024 | cctx->key_set = 1; | |
2025 | break; | |
2026 | } | |
5158c763 | 2027 | #endif |
6435f0f6 RL |
2028 | AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
2029 | &cctx->ks.ks); | |
0f113f3e MC |
2030 | CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, |
2031 | &cctx->ks, (block128_f) AES_encrypt); | |
2032 | cctx->str = NULL; | |
2033 | cctx->key_set = 1; | |
2034 | } while (0); | |
2035 | if (iv) { | |
6435f0f6 | 2036 | memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L); |
0f113f3e MC |
2037 | cctx->iv_set = 1; |
2038 | } | |
2039 | return 1; | |
2040 | } | |
23916810 | 2041 | |
e75c5a79 DSH |
2042 | static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
2043 | const unsigned char *in, size_t len) | |
2044 | { | |
6435f0f6 | 2045 | EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx); |
e75c5a79 DSH |
2046 | CCM128_CONTEXT *ccm = &cctx->ccm; |
2047 | /* Encrypt/decrypt must be performed in place */ | |
2048 | if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M)) | |
2049 | return -1; | |
2050 | /* If encrypting set explicit IV from sequence number (start of AAD) */ | |
6435f0f6 RL |
2051 | if (EVP_CIPHER_CTX_encrypting(ctx)) |
2052 | memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx), | |
2053 | EVP_CCM_TLS_EXPLICIT_IV_LEN); | |
e75c5a79 | 2054 | /* Get rest of IV from explicit IV */ |
6435f0f6 RL |
2055 | memcpy(EVP_CIPHER_CTX_iv_noconst(ctx) + EVP_CCM_TLS_FIXED_IV_LEN, in, |
2056 | EVP_CCM_TLS_EXPLICIT_IV_LEN); | |
e75c5a79 DSH |
2057 | /* Correct length value */ |
2058 | len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M; | |
6435f0f6 RL |
2059 | if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), 15 - cctx->L, |
2060 | len)) | |
e75c5a79 DSH |
2061 | return -1; |
2062 | /* Use saved AAD */ | |
6435f0f6 | 2063 | CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx), cctx->tls_aad_len); |
e75c5a79 DSH |
2064 | /* Fix buffer to point to payload */ |
2065 | in += EVP_CCM_TLS_EXPLICIT_IV_LEN; | |
2066 | out += EVP_CCM_TLS_EXPLICIT_IV_LEN; | |
6435f0f6 | 2067 | if (EVP_CIPHER_CTX_encrypting(ctx)) { |
e75c5a79 DSH |
2068 | if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, |
2069 | cctx->str) : | |
2070 | CRYPTO_ccm128_encrypt(ccm, in, out, len)) | |
2071 | return -1; | |
2072 | if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M)) | |
2073 | return -1; | |
2074 | return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M; | |
2075 | } else { | |
2076 | if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, | |
2077 | cctx->str) : | |
2078 | !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { | |
2079 | unsigned char tag[16]; | |
2080 | if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { | |
2081 | if (!CRYPTO_memcmp(tag, in + len, cctx->M)) | |
2082 | return len; | |
2083 | } | |
2084 | } | |
2085 | OPENSSL_cleanse(out, len); | |
2086 | return -1; | |
2087 | } | |
2088 | } | |
2089 | ||
17f121de | 2090 | static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
0f113f3e MC |
2091 | const unsigned char *in, size_t len) |
2092 | { | |
6435f0f6 | 2093 | EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx); |
0f113f3e MC |
2094 | CCM128_CONTEXT *ccm = &cctx->ccm; |
2095 | /* If not set up, return error */ | |
e75c5a79 DSH |
2096 | if (!cctx->key_set) |
2097 | return -1; | |
2098 | ||
2099 | if (cctx->tls_aad_len >= 0) | |
2100 | return aes_ccm_tls_cipher(ctx, out, in, len); | |
2101 | ||
2102 | if (!cctx->iv_set) | |
0f113f3e | 2103 | return -1; |
e75c5a79 | 2104 | |
6435f0f6 | 2105 | if (!EVP_CIPHER_CTX_encrypting(ctx) && !cctx->tag_set) |
0f113f3e MC |
2106 | return -1; |
2107 | if (!out) { | |
2108 | if (!in) { | |
6435f0f6 RL |
2109 | if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), |
2110 | 15 - cctx->L, len)) | |
0f113f3e MC |
2111 | return -1; |
2112 | cctx->len_set = 1; | |
2113 | return len; | |
2114 | } | |
2115 | /* If have AAD need message length */ | |
2116 | if (!cctx->len_set && len) | |
2117 | return -1; | |
2118 | CRYPTO_ccm128_aad(ccm, in, len); | |
2119 | return len; | |
2120 | } | |
2121 | /* EVP_*Final() doesn't return any data */ | |
2122 | if (!in) | |
2123 | return 0; | |
2124 | /* If not set length yet do it */ | |
2125 | if (!cctx->len_set) { | |
6435f0f6 RL |
2126 | if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), |
2127 | 15 - cctx->L, len)) | |
0f113f3e MC |
2128 | return -1; |
2129 | cctx->len_set = 1; | |
2130 | } | |
6435f0f6 | 2131 | if (EVP_CIPHER_CTX_encrypting(ctx)) { |
0f113f3e MC |
2132 | if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, |
2133 | cctx->str) : | |
2134 | CRYPTO_ccm128_encrypt(ccm, in, out, len)) | |
2135 | return -1; | |
2136 | cctx->tag_set = 1; | |
2137 | return len; | |
2138 | } else { | |
2139 | int rv = -1; | |
2140 | if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, | |
2141 | cctx->str) : | |
2142 | !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { | |
2143 | unsigned char tag[16]; | |
2144 | if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { | |
6435f0f6 RL |
2145 | if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx), |
2146 | cctx->M)) | |
0f113f3e MC |
2147 | rv = len; |
2148 | } | |
2149 | } | |
2150 | if (rv == -1) | |
2151 | OPENSSL_cleanse(out, len); | |
2152 | cctx->iv_set = 0; | |
2153 | cctx->tag_set = 0; | |
2154 | cctx->len_set = 0; | |
2155 | return rv; | |
2156 | } | |
0f113f3e MC |
2157 | } |
2158 | ||
5158c763 | 2159 | #define aes_ccm_cleanup NULL |
0f113f3e | 2160 | |
e75c5a79 DSH |
2161 | BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, |
2162 | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) | |
2163 | BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, | |
2164 | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) | |
2165 | BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, | |
2166 | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) | |
0f113f3e MC |
2167 | |
2168 | typedef struct { | |
2169 | union { | |
2170 | double align; | |
2171 | AES_KEY ks; | |
2172 | } ks; | |
2173 | /* Indicates if IV has been set */ | |
2174 | unsigned char *iv; | |
2175 | } EVP_AES_WRAP_CTX; | |
97cf1f6c DSH |
2176 | |
2177 | static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
0f113f3e MC |
2178 | const unsigned char *iv, int enc) |
2179 | { | |
6435f0f6 | 2180 | EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx); |
0f113f3e MC |
2181 | if (!iv && !key) |
2182 | return 1; | |
2183 | if (key) { | |
6435f0f6 RL |
2184 | if (EVP_CIPHER_CTX_encrypting(ctx)) |
2185 | AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, | |
2186 | &wctx->ks.ks); | |
0f113f3e | 2187 | else |
6435f0f6 RL |
2188 | AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
2189 | &wctx->ks.ks); | |
0f113f3e MC |
2190 | if (!iv) |
2191 | wctx->iv = NULL; | |
2192 | } | |
2193 | if (iv) { | |
6435f0f6 RL |
2194 | memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, EVP_CIPHER_CTX_iv_length(ctx)); |
2195 | wctx->iv = EVP_CIPHER_CTX_iv_noconst(ctx); | |
0f113f3e MC |
2196 | } |
2197 | return 1; | |
2198 | } | |
97cf1f6c DSH |
2199 | |
2200 | static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
0f113f3e MC |
2201 | const unsigned char *in, size_t inlen) |
2202 | { | |
6435f0f6 | 2203 | EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx); |
0f113f3e MC |
2204 | size_t rv; |
2205 | /* AES wrap with padding has IV length of 4, without padding 8 */ | |
2206 | int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4; | |
2207 | /* No final operation so always return zero length */ | |
2208 | if (!in) | |
2209 | return 0; | |
2210 | /* Input length must always be non-zero */ | |
2211 | if (!inlen) | |
2212 | return -1; | |
2213 | /* If decrypting need at least 16 bytes and multiple of 8 */ | |
6435f0f6 | 2214 | if (!EVP_CIPHER_CTX_encrypting(ctx) && (inlen < 16 || inlen & 0x7)) |
0f113f3e MC |
2215 | return -1; |
2216 | /* If not padding input must be multiple of 8 */ | |
2217 | if (!pad && inlen & 0x7) | |
2218 | return -1; | |
2219 | if (!out) { | |
6435f0f6 | 2220 | if (EVP_CIPHER_CTX_encrypting(ctx)) { |
0f113f3e MC |
2221 | /* If padding round up to multiple of 8 */ |
2222 | if (pad) | |
2223 | inlen = (inlen + 7) / 8 * 8; | |
2224 | /* 8 byte prefix */ | |
2225 | return inlen + 8; | |
2226 | } else { | |
2227 | /* | |
2228 | * If not padding output will be exactly 8 bytes smaller than | |
2229 | * input. If padding it will be at least 8 bytes smaller but we | |
2230 | * don't know how much. | |
2231 | */ | |
2232 | return inlen - 8; | |
2233 | } | |
2234 | } | |
2235 | if (pad) { | |
6435f0f6 | 2236 | if (EVP_CIPHER_CTX_encrypting(ctx)) |
0f113f3e MC |
2237 | rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv, |
2238 | out, in, inlen, | |
2239 | (block128_f) AES_encrypt); | |
2240 | else | |
2241 | rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv, | |
2242 | out, in, inlen, | |
2243 | (block128_f) AES_decrypt); | |
2244 | } else { | |
6435f0f6 | 2245 | if (EVP_CIPHER_CTX_encrypting(ctx)) |
0f113f3e MC |
2246 | rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, |
2247 | out, in, inlen, (block128_f) AES_encrypt); | |
2248 | else | |
2249 | rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, | |
2250 | out, in, inlen, (block128_f) AES_decrypt); | |
2251 | } | |
2252 | return rv ? (int)rv : -1; | |
2253 | } | |
2254 | ||
5158c763 | 2255 | #define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \ |
0f113f3e MC |
2256 | | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ |
2257 | | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) | |
97cf1f6c DSH |
2258 | |
2259 | static const EVP_CIPHER aes_128_wrap = { | |
0f113f3e MC |
2260 | NID_id_aes128_wrap, |
2261 | 8, 16, 8, WRAP_FLAGS, | |
2262 | aes_wrap_init_key, aes_wrap_cipher, | |
2263 | NULL, | |
2264 | sizeof(EVP_AES_WRAP_CTX), | |
2265 | NULL, NULL, NULL, NULL | |
2266 | }; | |
97cf1f6c DSH |
2267 | |
2268 | const EVP_CIPHER *EVP_aes_128_wrap(void) | |
0f113f3e MC |
2269 | { |
2270 | return &aes_128_wrap; | |
2271 | } | |
97cf1f6c DSH |
2272 | |
2273 | static const EVP_CIPHER aes_192_wrap = { | |
0f113f3e MC |
2274 | NID_id_aes192_wrap, |
2275 | 8, 24, 8, WRAP_FLAGS, | |
2276 | aes_wrap_init_key, aes_wrap_cipher, | |
2277 | NULL, | |
2278 | sizeof(EVP_AES_WRAP_CTX), | |
2279 | NULL, NULL, NULL, NULL | |
2280 | }; | |
97cf1f6c DSH |
2281 | |
2282 | const EVP_CIPHER *EVP_aes_192_wrap(void) | |
0f113f3e MC |
2283 | { |
2284 | return &aes_192_wrap; | |
2285 | } | |
97cf1f6c DSH |
2286 | |
2287 | static const EVP_CIPHER aes_256_wrap = { | |
0f113f3e MC |
2288 | NID_id_aes256_wrap, |
2289 | 8, 32, 8, WRAP_FLAGS, | |
2290 | aes_wrap_init_key, aes_wrap_cipher, | |
2291 | NULL, | |
2292 | sizeof(EVP_AES_WRAP_CTX), | |
2293 | NULL, NULL, NULL, NULL | |
2294 | }; | |
97cf1f6c DSH |
2295 | |
2296 | const EVP_CIPHER *EVP_aes_256_wrap(void) | |
0f113f3e MC |
2297 | { |
2298 | return &aes_256_wrap; | |
2299 | } | |
97cf1f6c | 2300 | |
d31fed73 | 2301 | static const EVP_CIPHER aes_128_wrap_pad = { |
0f113f3e MC |
2302 | NID_id_aes128_wrap_pad, |
2303 | 8, 16, 4, WRAP_FLAGS, | |
2304 | aes_wrap_init_key, aes_wrap_cipher, | |
2305 | NULL, | |
2306 | sizeof(EVP_AES_WRAP_CTX), | |
2307 | NULL, NULL, NULL, NULL | |
2308 | }; | |
d31fed73 DSH |
2309 | |
2310 | const EVP_CIPHER *EVP_aes_128_wrap_pad(void) | |
0f113f3e MC |
2311 | { |
2312 | return &aes_128_wrap_pad; | |
2313 | } | |
d31fed73 DSH |
2314 | |
2315 | static const EVP_CIPHER aes_192_wrap_pad = { | |
0f113f3e MC |
2316 | NID_id_aes192_wrap_pad, |
2317 | 8, 24, 4, WRAP_FLAGS, | |
2318 | aes_wrap_init_key, aes_wrap_cipher, | |
2319 | NULL, | |
2320 | sizeof(EVP_AES_WRAP_CTX), | |
2321 | NULL, NULL, NULL, NULL | |
2322 | }; | |
d31fed73 DSH |
2323 | |
2324 | const EVP_CIPHER *EVP_aes_192_wrap_pad(void) | |
0f113f3e MC |
2325 | { |
2326 | return &aes_192_wrap_pad; | |
2327 | } | |
d31fed73 DSH |
2328 | |
2329 | static const EVP_CIPHER aes_256_wrap_pad = { | |
0f113f3e MC |
2330 | NID_id_aes256_wrap_pad, |
2331 | 8, 32, 4, WRAP_FLAGS, | |
2332 | aes_wrap_init_key, aes_wrap_cipher, | |
2333 | NULL, | |
2334 | sizeof(EVP_AES_WRAP_CTX), | |
2335 | NULL, NULL, NULL, NULL | |
2336 | }; | |
d31fed73 DSH |
2337 | |
2338 | const EVP_CIPHER *EVP_aes_256_wrap_pad(void) | |
0f113f3e MC |
2339 | { |
2340 | return &aes_256_wrap_pad; | |
2341 | } | |
d31fed73 | 2342 | |
5158c763 | 2343 | #ifndef OPENSSL_NO_OCB |
e6b336ef | 2344 | static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) |
0f113f3e | 2345 | { |
6435f0f6 | 2346 | EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c); |
0f113f3e MC |
2347 | EVP_CIPHER_CTX *newc; |
2348 | EVP_AES_OCB_CTX *new_octx; | |
2349 | ||
2350 | switch (type) { | |
2351 | case EVP_CTRL_INIT: | |
2352 | octx->key_set = 0; | |
2353 | octx->iv_set = 0; | |
6435f0f6 RL |
2354 | octx->ivlen = EVP_CIPHER_CTX_iv_length(c); |
2355 | octx->iv = EVP_CIPHER_CTX_iv_noconst(c); | |
0f113f3e MC |
2356 | octx->taglen = 16; |
2357 | octx->data_buf_len = 0; | |
2358 | octx->aad_buf_len = 0; | |
2359 | return 1; | |
2360 | ||
e640fa02 | 2361 | case EVP_CTRL_AEAD_SET_IVLEN: |
0f113f3e MC |
2362 | /* IV len must be 1 to 15 */ |
2363 | if (arg <= 0 || arg > 15) | |
2364 | return 0; | |
2365 | ||
2366 | octx->ivlen = arg; | |
2367 | return 1; | |
2368 | ||
e640fa02 | 2369 | case EVP_CTRL_AEAD_SET_TAG: |
d57d135c MC |
2370 | if (!ptr) { |
2371 | /* Tag len must be 0 to 16 */ | |
2372 | if (arg < 0 || arg > 16) | |
2373 | return 0; | |
2374 | ||
2375 | octx->taglen = arg; | |
2376 | return 1; | |
2377 | } | |
6435f0f6 | 2378 | if (arg != octx->taglen || EVP_CIPHER_CTX_encrypting(c)) |
0f113f3e MC |
2379 | return 0; |
2380 | memcpy(octx->tag, ptr, arg); | |
2381 | return 1; | |
2382 | ||
e640fa02 | 2383 | case EVP_CTRL_AEAD_GET_TAG: |
6435f0f6 | 2384 | if (arg != octx->taglen || !EVP_CIPHER_CTX_encrypting(c)) |
0f113f3e MC |
2385 | return 0; |
2386 | ||
2387 | memcpy(ptr, octx->tag, arg); | |
2388 | return 1; | |
2389 | ||
2390 | case EVP_CTRL_COPY: | |
2391 | newc = (EVP_CIPHER_CTX *)ptr; | |
6435f0f6 | 2392 | new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc); |
0f113f3e | 2393 | return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb, |
bdc985b1 AP |
2394 | &new_octx->ksenc.ks, |
2395 | &new_octx->ksdec.ks); | |
0f113f3e MC |
2396 | |
2397 | default: | |
2398 | return -1; | |
2399 | ||
2400 | } | |
2401 | } | |
e6b336ef | 2402 | |
5158c763 MC |
2403 | # ifdef HWAES_CAPABLE |
2404 | # ifdef HWAES_ocb_encrypt | |
02dc0b82 AP |
2405 | void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out, |
2406 | size_t blocks, const void *key, | |
2407 | size_t start_block_num, | |
2408 | unsigned char offset_i[16], | |
2409 | const unsigned char L_[][16], | |
2410 | unsigned char checksum[16]); | |
5158c763 MC |
2411 | # else |
2412 | # define HWAES_ocb_encrypt NULL | |
2413 | # endif | |
2414 | # ifdef HWAES_ocb_decrypt | |
02dc0b82 AP |
2415 | void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out, |
2416 | size_t blocks, const void *key, | |
2417 | size_t start_block_num, | |
2418 | unsigned char offset_i[16], | |
2419 | const unsigned char L_[][16], | |
2420 | unsigned char checksum[16]); | |
5158c763 MC |
2421 | # else |
2422 | # define HWAES_ocb_decrypt NULL | |
02dc0b82 | 2423 | # endif |
5158c763 | 2424 | # endif |
02dc0b82 | 2425 | |
e6b336ef | 2426 | static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
0f113f3e MC |
2427 | const unsigned char *iv, int enc) |
2428 | { | |
6435f0f6 | 2429 | EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx); |
0f113f3e MC |
2430 | if (!iv && !key) |
2431 | return 1; | |
2432 | if (key) { | |
2433 | do { | |
2434 | /* | |
2435 | * We set both the encrypt and decrypt key here because decrypt | |
2436 | * needs both. We could possibly optimise to remove setting the | |
2437 | * decrypt for an encryption operation. | |
2438 | */ | |
5158c763 | 2439 | # ifdef HWAES_CAPABLE |
02dc0b82 | 2440 | if (HWAES_CAPABLE) { |
6435f0f6 RL |
2441 | HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
2442 | &octx->ksenc.ks); | |
2443 | HWAES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, | |
2444 | &octx->ksdec.ks); | |
02dc0b82 AP |
2445 | if (!CRYPTO_ocb128_init(&octx->ocb, |
2446 | &octx->ksenc.ks, &octx->ksdec.ks, | |
2447 | (block128_f) HWAES_encrypt, | |
2448 | (block128_f) HWAES_decrypt, | |
2449 | enc ? HWAES_ocb_encrypt | |
2450 | : HWAES_ocb_decrypt)) | |
2451 | return 0; | |
2452 | break; | |
2453 | } | |
5158c763 MC |
2454 | # endif |
2455 | # ifdef VPAES_CAPABLE | |
0f113f3e | 2456 | if (VPAES_CAPABLE) { |
6435f0f6 RL |
2457 | vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
2458 | &octx->ksenc.ks); | |
2459 | vpaes_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, | |
2460 | &octx->ksdec.ks); | |
bdc985b1 AP |
2461 | if (!CRYPTO_ocb128_init(&octx->ocb, |
2462 | &octx->ksenc.ks, &octx->ksdec.ks, | |
2463 | (block128_f) vpaes_encrypt, | |
bd30091c AP |
2464 | (block128_f) vpaes_decrypt, |
2465 | NULL)) | |
0f113f3e MC |
2466 | return 0; |
2467 | break; | |
2468 | } | |
5158c763 | 2469 | # endif |
6435f0f6 RL |
2470 | AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, |
2471 | &octx->ksenc.ks); | |
2472 | AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, | |
2473 | &octx->ksdec.ks); | |
bdc985b1 AP |
2474 | if (!CRYPTO_ocb128_init(&octx->ocb, |
2475 | &octx->ksenc.ks, &octx->ksdec.ks, | |
0f113f3e | 2476 | (block128_f) AES_encrypt, |
bd30091c AP |
2477 | (block128_f) AES_decrypt, |
2478 | NULL)) | |
0f113f3e MC |
2479 | return 0; |
2480 | } | |
2481 | while (0); | |
2482 | ||
2483 | /* | |
2484 | * If we have an iv we can set it directly, otherwise use saved IV. | |
2485 | */ | |
2486 | if (iv == NULL && octx->iv_set) | |
2487 | iv = octx->iv; | |
2488 | if (iv) { | |
2489 | if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen) | |
2490 | != 1) | |
2491 | return 0; | |
2492 | octx->iv_set = 1; | |
2493 | } | |
2494 | octx->key_set = 1; | |
2495 | } else { | |
2496 | /* If key set use IV, otherwise copy */ | |
2497 | if (octx->key_set) | |
2498 | CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen); | |
2499 | else | |
2500 | memcpy(octx->iv, iv, octx->ivlen); | |
2501 | octx->iv_set = 1; | |
2502 | } | |
2503 | return 1; | |
2504 | } | |
e6b336ef MC |
2505 | |
2506 | static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
0f113f3e MC |
2507 | const unsigned char *in, size_t len) |
2508 | { | |
2509 | unsigned char *buf; | |
2510 | int *buf_len; | |
2511 | int written_len = 0; | |
2512 | size_t trailing_len; | |
6435f0f6 | 2513 | EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx); |
0f113f3e MC |
2514 | |
2515 | /* If IV or Key not set then return error */ | |
2516 | if (!octx->iv_set) | |
2517 | return -1; | |
2518 | ||
2519 | if (!octx->key_set) | |
2520 | return -1; | |
2521 | ||
2522 | if (in) { | |
2523 | /* | |
2524 | * Need to ensure we are only passing full blocks to low level OCB | |
2525 | * routines. We do it here rather than in EVP_EncryptUpdate/ | |
2526 | * EVP_DecryptUpdate because we need to pass full blocks of AAD too | |
2527 | * and those routines don't support that | |
2528 | */ | |
2529 | ||
2530 | /* Are we dealing with AAD or normal data here? */ | |
2531 | if (out == NULL) { | |
2532 | buf = octx->aad_buf; | |
2533 | buf_len = &(octx->aad_buf_len); | |
2534 | } else { | |
2535 | buf = octx->data_buf; | |
2536 | buf_len = &(octx->data_buf_len); | |
2537 | } | |
2538 | ||
2539 | /* | |
2540 | * If we've got a partially filled buffer from a previous call then | |
2541 | * use that data first | |
2542 | */ | |
2543 | if (*buf_len) { | |
2544 | unsigned int remaining; | |
2545 | ||
2546 | remaining = 16 - (*buf_len); | |
2547 | if (remaining > len) { | |
2548 | memcpy(buf + (*buf_len), in, len); | |
2549 | *(buf_len) += len; | |
2550 | return 0; | |
2551 | } | |
2552 | memcpy(buf + (*buf_len), in, remaining); | |
2553 | ||
2554 | /* | |
2555 | * If we get here we've filled the buffer, so process it | |
2556 | */ | |
2557 | len -= remaining; | |
2558 | in += remaining; | |
2559 | if (out == NULL) { | |
2560 | if (!CRYPTO_ocb128_aad(&octx->ocb, buf, 16)) | |
2561 | return -1; | |
6435f0f6 | 2562 | } else if (EVP_CIPHER_CTX_encrypting(ctx)) { |
0f113f3e MC |
2563 | if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out, 16)) |
2564 | return -1; | |
2565 | } else { | |
2566 | if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out, 16)) | |
2567 | return -1; | |
2568 | } | |
2569 | written_len = 16; | |
2570 | *buf_len = 0; | |
2571 | } | |
2572 | ||
2573 | /* Do we have a partial block to handle at the end? */ | |
2574 | trailing_len = len % 16; | |
2575 | ||
2576 | /* | |
2577 | * If we've got some full blocks to handle, then process these first | |
2578 | */ | |
2579 | if (len != trailing_len) { | |
2580 | if (out == NULL) { | |
2581 | if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len)) | |
2582 | return -1; | |
6435f0f6 | 2583 | } else if (EVP_CIPHER_CTX_encrypting(ctx)) { |
0f113f3e MC |
2584 | if (!CRYPTO_ocb128_encrypt |
2585 | (&octx->ocb, in, out, len - trailing_len)) | |
2586 | return -1; | |
2587 | } else { | |
2588 | if (!CRYPTO_ocb128_decrypt | |
2589 | (&octx->ocb, in, out, len - trailing_len)) | |
2590 | return -1; | |
2591 | } | |
2592 | written_len += len - trailing_len; | |
2593 | in += len - trailing_len; | |
2594 | } | |
2595 | ||
2596 | /* Handle any trailing partial block */ | |
2597 | if (trailing_len) { | |
2598 | memcpy(buf, in, trailing_len); | |
2599 | *buf_len = trailing_len; | |
2600 | } | |
2601 | ||
2602 | return written_len; | |
2603 | } else { | |
2604 | /* | |
2605 | * First of all empty the buffer of any partial block that we might | |
2606 | * have been provided - both for data and AAD | |
2607 | */ | |
2608 | if (octx->data_buf_len) { | |
6435f0f6 | 2609 | if (EVP_CIPHER_CTX_encrypting(ctx)) { |
0f113f3e MC |
2610 | if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out, |
2611 | octx->data_buf_len)) | |
2612 | return -1; | |
2613 | } else { | |
2614 | if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out, | |
2615 | octx->data_buf_len)) | |
2616 | return -1; | |
2617 | } | |
2618 | written_len = octx->data_buf_len; | |
2619 | octx->data_buf_len = 0; | |
2620 | } | |
2621 | if (octx->aad_buf_len) { | |
2622 | if (!CRYPTO_ocb128_aad | |
2623 | (&octx->ocb, octx->aad_buf, octx->aad_buf_len)) | |
2624 | return -1; | |
2625 | octx->aad_buf_len = 0; | |
2626 | } | |
2627 | /* If decrypting then verify */ | |
6435f0f6 | 2628 | if (!EVP_CIPHER_CTX_encrypting(ctx)) { |
0f113f3e MC |
2629 | if (octx->taglen < 0) |
2630 | return -1; | |
2631 | if (CRYPTO_ocb128_finish(&octx->ocb, | |
2632 | octx->tag, octx->taglen) != 0) | |
2633 | return -1; | |
2634 | octx->iv_set = 0; | |
2635 | return written_len; | |
2636 | } | |
2637 | /* If encrypting then just get the tag */ | |
2638 | if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1) | |
2639 | return -1; | |
2640 | /* Don't reuse the IV */ | |
2641 | octx->iv_set = 0; | |
2642 | return written_len; | |
2643 | } | |
2644 | } | |
e6b336ef MC |
2645 | |
2646 | static int aes_ocb_cleanup(EVP_CIPHER_CTX *c) | |
0f113f3e | 2647 | { |
6435f0f6 | 2648 | EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c); |
0f113f3e MC |
2649 | CRYPTO_ocb128_cleanup(&octx->ocb); |
2650 | return 1; | |
2651 | } | |
e6b336ef | 2652 | |
c4aede20 MC |
2653 | BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB, |
2654 | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) | |
2655 | BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB, | |
2656 | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) | |
2657 | BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB, | |
2658 | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) | |
5158c763 | 2659 | #endif /* OPENSSL_NO_OCB */ |