]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/evp/e_aes.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Copyright consolidation 05/10
[thirdparty/openssl.git] / crypto / evp / e_aes.c
CommitLineData
aa6bb135
RS		 1/*
2 * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
deb2c1a1 3 *
aa6bb135
RS		 4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
deb2c1a1
DSH		 8 */
9
8c84b677 10#include <openssl/opensslconf.h>
5158c763
MC		 11#include <openssl/crypto.h>
12#include <openssl/evp.h>
13#include <openssl/err.h>
14#include <string.h>
15#include <assert.h>
16#include <openssl/aes.h>
17#include "internal/evp_int.h"
18#include "modes_lcl.h"
19#include <openssl/rand.h>
0f113f3e
MC		 20
21typedef struct {
22 union {
23 double align;
24 AES_KEY ks;
25 } ks;
26 block128_f block;
27 union {
28 cbc128_f cbc;
29 ctr128_f ctr;
30 } stream;
31} EVP_AES_KEY;
32
33typedef struct {
34 union {
35 double align;
36 AES_KEY ks;
37 } ks; /* AES key schedule to use */
38 int key_set; /* Set if key initialised */
39 int iv_set; /* Set if an iv is set */
40 GCM128_CONTEXT gcm;
41 unsigned char *iv; /* Temporary IV store */
42 int ivlen; /* IV length */
43 int taglen;
44 int iv_gen; /* It is OK to generate IVs */
45 int tls_aad_len; /* TLS AAD length */
46 ctr128_f ctr;
47} EVP_AES_GCM_CTX;
48
49typedef struct {
50 union {
51 double align;
52 AES_KEY ks;
53 } ks1, ks2; /* AES key schedules to use */
54 XTS128_CONTEXT xts;
55 void (*stream) (const unsigned char *in,
56 unsigned char *out, size_t length,
57 const AES_KEY *key1, const AES_KEY *key2,
58 const unsigned char iv[16]);
59} EVP_AES_XTS_CTX;
60
61typedef struct {
62 union {
63 double align;
64 AES_KEY ks;
65 } ks; /* AES key schedule to use */
66 int key_set; /* Set if key initialised */
67 int iv_set; /* Set if an iv is set */
68 int tag_set; /* Set if tag is valid */
69 int len_set; /* Set if message length set */
70 int L, M; /* L and M parameters from RFC3610 */
e75c5a79 71 int tls_aad_len; /* TLS AAD length */
0f113f3e
MC		 72 CCM128_CONTEXT ccm;
73 ccm128_f str;
74} EVP_AES_CCM_CTX;
75
5158c763 76#ifndef OPENSSL_NO_OCB
0f113f3e 77typedef struct {
bdc985b1
AP		 78 union {
79 double align;
80 AES_KEY ks;
81 } ksenc; /* AES key schedule to use for encryption */
82 union {
83 double align;
84 AES_KEY ks;
85 } ksdec; /* AES key schedule to use for decryption */
0f113f3e
MC		 86 int key_set; /* Set if key initialised */
87 int iv_set; /* Set if an iv is set */
88 OCB128_CONTEXT ocb;
89 unsigned char *iv; /* Temporary IV store */
90 unsigned char tag[16];
91 unsigned char data_buf[16]; /* Store partial data blocks */
92 unsigned char aad_buf[16]; /* Store partial AAD blocks */
93 int data_buf_len;
94 int aad_buf_len;
95 int ivlen; /* IV length */
96 int taglen;
97} EVP_AES_OCB_CTX;
5158c763 98#endif
e6b336ef 99
5158c763 100#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
17f121de 101
5158c763 102#ifdef VPAES_ASM
8ca28da0 103int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
0f113f3e 104 AES_KEY *key);
8ca28da0 105int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
0f113f3e 106 AES_KEY *key);
8ca28da0
AP		 107
108void vpaes_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 109 const AES_KEY *key);
8ca28da0 110void vpaes_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 111 const AES_KEY *key);
8ca28da0
AP		 112
113void vpaes_cbc_encrypt(const unsigned char *in,
0f113f3e
MC		 114 unsigned char *out,
115 size_t length,
116 const AES_KEY *key, unsigned char *ivec, int enc);
5158c763
MC		 117#endif
118#ifdef BSAES_ASM
a75a52a4 119void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 120 size_t length, const AES_KEY *key,
121 unsigned char ivec[16], int enc);
993adc05 122void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 123 size_t len, const AES_KEY *key,
124 const unsigned char ivec[16]);
60d4e99c 125void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
0f113f3e
MC		 126 size_t len, const AES_KEY *key1,
127 const AES_KEY *key2, const unsigned char iv[16]);
60d4e99c 128void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
0f113f3e
MC		 129 size_t len, const AES_KEY *key1,
130 const AES_KEY *key2, const unsigned char iv[16]);
5158c763
MC		 131#endif
132#ifdef AES_CTR_ASM
07904e0c 133void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 134 size_t blocks, const AES_KEY *key,
135 const unsigned char ivec[AES_BLOCK_SIZE]);
5158c763
MC		 136#endif
137#ifdef AES_XTS_ASM
0f113f3e
MC		 138void AES_xts_encrypt(const char *inp, char *out, size_t len,
139 const AES_KEY *key1, const AES_KEY *key2,
140 const unsigned char iv[16]);
141void AES_xts_decrypt(const char *inp, char *out, size_t len,
142 const AES_KEY *key1, const AES_KEY *key2,
143 const unsigned char iv[16]);
5158c763 144#endif
8ca28da0 145
6944565b 146#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
5158c763
MC		 147# include "ppc_arch.h"
148# ifdef VPAES_ASM
149# define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
de51e830 150# endif
5158c763
MC		 151# define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
152# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
153# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
154# define HWAES_encrypt aes_p8_encrypt
155# define HWAES_decrypt aes_p8_decrypt
156# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
157# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
158#endif
07f3e4f3 159
5158c763 160#if defined(AES_ASM) && !defined(I386_ONLY) && ( \
0f113f3e
MC		 161 ((defined(__i386) || defined(__i386__) || \
162 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
163 defined(__x86_64) || defined(__x86_64__) || \
b1a07c38 164 defined(_M_AMD64) || defined(_M_X64) )
8ca28da0 165
c5f6da54 166extern unsigned int OPENSSL_ia32cap_P[];
8ca28da0 167
5158c763
MC		 168# ifdef VPAES_ASM
169# define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
170# endif
171# ifdef BSAES_ASM
172# define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
173# endif
17f121de
AP		 174/*
175 * AES-NI section
176 */
5158c763 177# define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
d1fff483
AP		 178
179int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
0f113f3e 180 AES_KEY *key);
d1fff483 181int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
0f113f3e 182 AES_KEY *key);
d1fff483
AP		 183
184void aesni_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 185 const AES_KEY *key);
d1fff483 186void aesni_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 187 const AES_KEY *key);
d1fff483
AP		 188
189void aesni_ecb_encrypt(const unsigned char *in,
0f113f3e
MC		 190 unsigned char *out,
191 size_t length, const AES_KEY *key, int enc);
d1fff483 192void aesni_cbc_encrypt(const unsigned char *in,
0f113f3e
MC		 193 unsigned char *out,
194 size_t length,
195 const AES_KEY *key, unsigned char *ivec, int enc);
d1fff483
AP		 196
197void aesni_ctr32_encrypt_blocks(const unsigned char *in,
0f113f3e
MC		 198 unsigned char *out,
199 size_t blocks,
200 const void *key, const unsigned char *ivec);
17f121de
AP		 201
202void aesni_xts_encrypt(const unsigned char *in,
0f113f3e
MC		 203 unsigned char *out,
204 size_t length,
205 const AES_KEY *key1, const AES_KEY *key2,
206 const unsigned char iv[16]);
17f121de
AP		 207
208void aesni_xts_decrypt(const unsigned char *in,
0f113f3e
MC		 209 unsigned char *out,
210 size_t length,
211 const AES_KEY *key1, const AES_KEY *key2,
212 const unsigned char iv[16]);
213
214void aesni_ccm64_encrypt_blocks(const unsigned char *in,
215 unsigned char *out,
216 size_t blocks,
217 const void *key,
218 const unsigned char ivec[16],
219 unsigned char cmac[16]);
220
221void aesni_ccm64_decrypt_blocks(const unsigned char *in,
222 unsigned char *out,
223 size_t blocks,
224 const void *key,
225 const unsigned char ivec[16],
226 unsigned char cmac[16]);
227
5158c763 228# if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
4e049c52 229size_t aesni_gcm_encrypt(const unsigned char *in,
0f113f3e
MC		 230 unsigned char *out,
231 size_t len,
232 const void *key, unsigned char ivec[16], u64 *Xi);
5158c763 233# define AES_gcm_encrypt aesni_gcm_encrypt
4e049c52 234size_t aesni_gcm_decrypt(const unsigned char *in,
0f113f3e
MC		 235 unsigned char *out,
236 size_t len,
237 const void *key, unsigned char ivec[16], u64 *Xi);
5158c763 238# define AES_gcm_decrypt aesni_gcm_decrypt
0f113f3e
MC		 239void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in,
240 size_t len);
5158c763 241# define AES_GCM_ASM(gctx) (gctx->ctr==aesni_ctr32_encrypt_blocks && \
0f113f3e 242 gctx->gcm.ghash==gcm_ghash_avx)
5158c763 243# define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
0f113f3e 244 gctx->gcm.ghash==gcm_ghash_avx)
5158c763
MC		 245# undef AES_GCM_ASM2 /* minor size optimization */
246# endif
4e049c52 247
17f121de 248static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 249 const unsigned char *iv, int enc)
250{
251 int ret, mode;
6435f0f6 252 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 253
6435f0f6 254 mode = EVP_CIPHER_CTX_mode(ctx);
0f113f3e
MC		 255 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
256 && !enc) {
6435f0f6
RL		 257 ret = aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
258 &dat->ks.ks);
0f113f3e
MC		 259 dat->block = (block128_f) aesni_decrypt;
260 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
261 (cbc128_f) aesni_cbc_encrypt : NULL;
262 } else {
6435f0f6
RL		 263 ret = aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
264 &dat->ks.ks);
0f113f3e
MC		 265 dat->block = (block128_f) aesni_encrypt;
266 if (mode == EVP_CIPH_CBC_MODE)
267 dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
268 else if (mode == EVP_CIPH_CTR_MODE)
269 dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
270 else
271 dat->stream.cbc = NULL;
272 }
273
274 if (ret < 0) {
275 EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
276 return 0;
277 }
278
279 return 1;
280}
281
282static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
283 const unsigned char *in, size_t len)
d1fff483 284{
6435f0f6
RL		 285 aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
286 EVP_CIPHER_CTX_iv_noconst(ctx),
287 EVP_CIPHER_CTX_encrypting(ctx));
d1fff483 288
0f113f3e 289 return 1;
d1fff483
AP		 290}
291
0f113f3e
MC		 292static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
293 const unsigned char *in, size_t len)
d1fff483 294{
6435f0f6 295 size_t bl = EVP_CIPHER_CTX_block_size(ctx);
d1fff483 296
0f113f3e
MC		 297 if (len < bl)
298 return 1;
d1fff483 299
6435f0f6
RL		 300 aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
301 EVP_CIPHER_CTX_encrypting(ctx));
d1fff483 302
0f113f3e 303 return 1;
d1fff483
AP		 304}
305
5158c763 306# define aesni_ofb_cipher aes_ofb_cipher
0f113f3e
MC		 307static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
308 const unsigned char *in, size_t len);
d1fff483 309
5158c763 310# define aesni_cfb_cipher aes_cfb_cipher
0f113f3e
MC		 311static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
312 const unsigned char *in, size_t len);
d1fff483 313
5158c763 314# define aesni_cfb8_cipher aes_cfb8_cipher
0f113f3e
MC		 315static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
316 const unsigned char *in, size_t len);
d1fff483 317
5158c763 318# define aesni_cfb1_cipher aes_cfb1_cipher
0f113f3e
MC		 319static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
320 const unsigned char *in, size_t len);
d1fff483 321
5158c763 322# define aesni_ctr_cipher aes_ctr_cipher
17f121de 323static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 324 const unsigned char *in, size_t len);
d1fff483 325
17f121de 326static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 327 const unsigned char *iv, int enc)
328{
6435f0f6 329 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 330 if (!iv && !key)
331 return 1;
332 if (key) {
6435f0f6
RL		 333 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
334 &gctx->ks.ks);
0f113f3e
MC		 335 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
336 gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
337 /*
338 * If we have an iv can set it directly, otherwise use saved IV.
339 */
340 if (iv == NULL && gctx->iv_set)
341 iv = gctx->iv;
342 if (iv) {
343 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
344 gctx->iv_set = 1;
345 }
346 gctx->key_set = 1;
347 } else {
348 /* If key set use IV, otherwise copy */
349 if (gctx->key_set)
350 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
351 else
352 memcpy(gctx->iv, iv, gctx->ivlen);
353 gctx->iv_set = 1;
354 gctx->iv_gen = 0;
355 }
356 return 1;
357}
358
5158c763 359# define aesni_gcm_cipher aes_gcm_cipher
17f121de 360static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 361 const unsigned char *in, size_t len);
17f121de
AP		 362
363static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 364 const unsigned char *iv, int enc)
365{
6435f0f6 366 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 367 if (!iv && !key)
368 return 1;
369
370 if (key) {
371 /* key_len is two AES keys */
372 if (enc) {
6435f0f6
RL		 373 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
374 &xctx->ks1.ks);
0f113f3e
MC		 375 xctx->xts.block1 = (block128_f) aesni_encrypt;
376 xctx->stream = aesni_xts_encrypt;
377 } else {
6435f0f6
RL		 378 aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
379 &xctx->ks1.ks);
0f113f3e
MC		 380 xctx->xts.block1 = (block128_f) aesni_decrypt;
381 xctx->stream = aesni_xts_decrypt;
382 }
383
6435f0f6
RL		 384 aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
385 EVP_CIPHER_CTX_key_length(ctx) * 4,
386 &xctx->ks2.ks);
0f113f3e
MC		 387 xctx->xts.block2 = (block128_f) aesni_encrypt;
388
389 xctx->xts.key1 = &xctx->ks1;
390 }
391
392 if (iv) {
393 xctx->xts.key2 = &xctx->ks2;
6435f0f6 394 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 395 }
396
397 return 1;
398}
399
5158c763 400# define aesni_xts_cipher aes_xts_cipher
17f121de 401static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 402 const unsigned char *in, size_t len);
17f121de
AP		 403
404static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 405 const unsigned char *iv, int enc)
406{
6435f0f6 407 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 408 if (!iv && !key)
409 return 1;
410 if (key) {
6435f0f6
RL		 411 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
412 &cctx->ks.ks);
0f113f3e
MC		 413 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
414 &cctx->ks, (block128_f) aesni_encrypt);
415 cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
416 (ccm128_f) aesni_ccm64_decrypt_blocks;
417 cctx->key_set = 1;
418 }
419 if (iv) {
6435f0f6 420 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 421 cctx->iv_set = 1;
422 }
423 return 1;
424}
425
5158c763 426# define aesni_ccm_cipher aes_ccm_cipher
17f121de 427static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 428 const unsigned char *in, size_t len);
17f121de 429
5158c763 430# ifndef OPENSSL_NO_OCB
bd30091c
AP		 431void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out,
432 size_t blocks, const void *key,
433 size_t start_block_num,
434 unsigned char offset_i[16],
435 const unsigned char L_[][16],
436 unsigned char checksum[16]);
437void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out,
438 size_t blocks, const void *key,
439 size_t start_block_num,
440 unsigned char offset_i[16],
441 const unsigned char L_[][16],
442 unsigned char checksum[16]);
443
e6b336ef 444static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 445 const unsigned char *iv, int enc)
446{
6435f0f6 447 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 448 if (!iv && !key)
449 return 1;
450 if (key) {
451 do {
452 /*
453 * We set both the encrypt and decrypt key here because decrypt
454 * needs both. We could possibly optimise to remove setting the
455 * decrypt for an encryption operation.
456 */
6435f0f6
RL		 457 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
458 &octx->ksenc.ks);
459 aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
460 &octx->ksdec.ks);
bdc985b1
AP		 461 if (!CRYPTO_ocb128_init(&octx->ocb,
462 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 463 (block128_f) aesni_encrypt,
bd30091c
AP		 464 (block128_f) aesni_decrypt,
465 enc ? aesni_ocb_encrypt
466 : aesni_ocb_decrypt))
0f113f3e
MC		 467 return 0;
468 }
469 while (0);
470
471 /*
472 * If we have an iv we can set it directly, otherwise use saved IV.
473 */
474 if (iv == NULL && octx->iv_set)
475 iv = octx->iv;
476 if (iv) {
477 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
478 != 1)
479 return 0;
480 octx->iv_set = 1;
481 }
482 octx->key_set = 1;
483 } else {
484 /* If key set use IV, otherwise copy */
485 if (octx->key_set)
486 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
487 else
488 memcpy(octx->iv, iv, octx->ivlen);
489 octx->iv_set = 1;
490 }
491 return 1;
492}
493
5158c763 494# define aesni_ocb_cipher aes_ocb_cipher
e6b336ef 495static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 496 const unsigned char *in, size_t len);
5158c763 497# endif /* OPENSSL_NO_OCB */
e6b336ef 498
5158c763 499# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
17f121de 500static const EVP_CIPHER aesni_##keylen##_##mode = { \
0f113f3e
MC		 501 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
502 flags|EVP_CIPH_##MODE##_MODE, \
503 aesni_init_key, \
504 aesni_##mode##_cipher, \
505 NULL, \
506 sizeof(EVP_AES_KEY), \
507 NULL,NULL,NULL,NULL }; \
17f121de 508static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 509 nid##_##keylen##_##nmode,blocksize, \
510 keylen/8,ivlen, \
511 flags|EVP_CIPH_##MODE##_MODE, \
512 aes_init_key, \
513 aes_##mode##_cipher, \
514 NULL, \
515 sizeof(EVP_AES_KEY), \
516 NULL,NULL,NULL,NULL }; \
17f121de 517const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
8ca28da0 518{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
17f121de 519
5158c763 520# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
17f121de 521static const EVP_CIPHER aesni_##keylen##_##mode = { \
0f113f3e
MC		 522 nid##_##keylen##_##mode,blocksize, \
523 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
524 flags|EVP_CIPH_##MODE##_MODE, \
525 aesni_##mode##_init_key, \
526 aesni_##mode##_cipher, \
527 aes_##mode##_cleanup, \
528 sizeof(EVP_AES_##MODE##_CTX), \
529 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de 530static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 531 nid##_##keylen##_##mode,blocksize, \
532 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
533 flags|EVP_CIPH_##MODE##_MODE, \
534 aes_##mode##_init_key, \
535 aes_##mode##_cipher, \
536 aes_##mode##_cleanup, \
537 sizeof(EVP_AES_##MODE##_CTX), \
538 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de 539const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
8ca28da0 540{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
d1fff483 541
5158c763 542#elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
c5f6da54 543
5158c763 544# include "sparc_arch.h"
c5f6da54
AP		 545
546extern unsigned int OPENSSL_sparcv9cap_P[];
547
6944565b
AP		 548/*
549 * Initial Fujitsu SPARC64 X support
550 */
551# define HWAES_CAPABLE (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
552# define HWAES_set_encrypt_key aes_fx_set_encrypt_key
553# define HWAES_set_decrypt_key aes_fx_set_decrypt_key
554# define HWAES_encrypt aes_fx_encrypt
555# define HWAES_decrypt aes_fx_decrypt
556
5158c763 557# define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES)
c5f6da54 558
0f113f3e
MC		 559void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
560void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
561void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
562 const AES_KEY *key);
563void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
564 const AES_KEY *key);
c5f6da54
AP		 565/*
566 * Key-length specific subroutines were chosen for following reason.
567 * Each SPARC T4 core can execute up to 8 threads which share core's
568 * resources. Loading as much key material to registers allows to
569 * minimize references to shared memory interface, as well as amount
570 * of instructions in inner loops [much needed on T4]. But then having
571 * non-key-length specific routines would require conditional branches
572 * either in inner loops or on subroutines' entries. Former is hardly
573 * acceptable, while latter means code size increase to size occupied
0d4fb843 574 * by multiple key-length specific subroutines, so why fight?
c5f6da54 575 */
0f113f3e
MC		 576void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
577 size_t len, const AES_KEY *key,
578 unsigned char *ivec);
579void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
580 size_t len, const AES_KEY *key,
581 unsigned char *ivec);
582void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
583 size_t len, const AES_KEY *key,
584 unsigned char *ivec);
585void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
586 size_t len, const AES_KEY *key,
587 unsigned char *ivec);
588void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
589 size_t len, const AES_KEY *key,
590 unsigned char *ivec);
591void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
592 size_t len, const AES_KEY *key,
593 unsigned char *ivec);
594void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
595 size_t blocks, const AES_KEY *key,
596 unsigned char *ivec);
597void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
598 size_t blocks, const AES_KEY *key,
599 unsigned char *ivec);
600void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
601 size_t blocks, const AES_KEY *key,
602 unsigned char *ivec);
603void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
604 size_t blocks, const AES_KEY *key1,
605 const AES_KEY *key2, const unsigned char *ivec);
606void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
607 size_t blocks, const AES_KEY *key1,
608 const AES_KEY *key2, const unsigned char *ivec);
609void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
610 size_t blocks, const AES_KEY *key1,
611 const AES_KEY *key2, const unsigned char *ivec);
612void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
613 size_t blocks, const AES_KEY *key1,
614 const AES_KEY *key2, const unsigned char *ivec);
c5f6da54
AP		 615
616static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 617 const unsigned char *iv, int enc)
618{
619 int ret, mode, bits;
6435f0f6 620 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 621
6435f0f6
RL		 622 mode = EVP_CIPHER_CTX_mode(ctx);
623 bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 624 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
625 && !enc) {
626 ret = 0;
6435f0f6 627 aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
0f113f3e
MC		 628 dat->block = (block128_f) aes_t4_decrypt;
629 switch (bits) {
630 case 128:
631 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
632 (cbc128_f) aes128_t4_cbc_decrypt : NULL;
633 break;
634 case 192:
635 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
636 (cbc128_f) aes192_t4_cbc_decrypt : NULL;
637 break;
638 case 256:
639 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
640 (cbc128_f) aes256_t4_cbc_decrypt : NULL;
641 break;
642 default:
643 ret = -1;
644 }
645 } else {
646 ret = 0;
6435f0f6 647 aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
0f113f3e
MC		 648 dat->block = (block128_f) aes_t4_encrypt;
649 switch (bits) {
650 case 128:
651 if (mode == EVP_CIPH_CBC_MODE)
652 dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
653 else if (mode == EVP_CIPH_CTR_MODE)
654 dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
655 else
656 dat->stream.cbc = NULL;
657 break;
658 case 192:
659 if (mode == EVP_CIPH_CBC_MODE)
660 dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
661 else if (mode == EVP_CIPH_CTR_MODE)
662 dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
663 else
664 dat->stream.cbc = NULL;
665 break;
666 case 256:
667 if (mode == EVP_CIPH_CBC_MODE)
668 dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
669 else if (mode == EVP_CIPH_CTR_MODE)
670 dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
671 else
672 dat->stream.cbc = NULL;
673 break;
674 default:
675 ret = -1;
676 }
677 }
678
679 if (ret < 0) {
680 EVPerr(EVP_F_AES_T4_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
681 return 0;
682 }
683
684 return 1;
685}
686
5158c763 687# define aes_t4_cbc_cipher aes_cbc_cipher
0f113f3e
MC		 688static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
689 const unsigned char *in, size_t len);
690
5158c763 691# define aes_t4_ecb_cipher aes_ecb_cipher
0f113f3e
MC		 692static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
693 const unsigned char *in, size_t len);
694
5158c763 695# define aes_t4_ofb_cipher aes_ofb_cipher
0f113f3e
MC		 696static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
697 const unsigned char *in, size_t len);
698
5158c763 699# define aes_t4_cfb_cipher aes_cfb_cipher
0f113f3e
MC		 700static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
701 const unsigned char *in, size_t len);
702
5158c763 703# define aes_t4_cfb8_cipher aes_cfb8_cipher
0f113f3e
MC		 704static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
705 const unsigned char *in, size_t len);
706
5158c763 707# define aes_t4_cfb1_cipher aes_cfb1_cipher
0f113f3e
MC		 708static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
709 const unsigned char *in, size_t len);
710
5158c763 711# define aes_t4_ctr_cipher aes_ctr_cipher
c5f6da54 712static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 713 const unsigned char *in, size_t len);
c5f6da54
AP		 714
715static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 716 const unsigned char *iv, int enc)
717{
6435f0f6 718 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 719 if (!iv && !key)
720 return 1;
721 if (key) {
6435f0f6 722 int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 723 aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
724 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
725 (block128_f) aes_t4_encrypt);
726 switch (bits) {
727 case 128:
728 gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
729 break;
730 case 192:
731 gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
732 break;
733 case 256:
734 gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
735 break;
736 default:
737 return 0;
738 }
739 /*
740 * If we have an iv can set it directly, otherwise use saved IV.
741 */
742 if (iv == NULL && gctx->iv_set)
743 iv = gctx->iv;
744 if (iv) {
745 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
746 gctx->iv_set = 1;
747 }
748 gctx->key_set = 1;
749 } else {
750 /* If key set use IV, otherwise copy */
751 if (gctx->key_set)
752 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
753 else
754 memcpy(gctx->iv, iv, gctx->ivlen);
755 gctx->iv_set = 1;
756 gctx->iv_gen = 0;
757 }
758 return 1;
759}
760
5158c763 761# define aes_t4_gcm_cipher aes_gcm_cipher
c5f6da54 762static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 763 const unsigned char *in, size_t len);
c5f6da54
AP		 764
765static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 766 const unsigned char *iv, int enc)
767{
6435f0f6 768 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 769 if (!iv && !key)
770 return 1;
771
772 if (key) {
6435f0f6 773 int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
0f113f3e
MC		 774 xctx->stream = NULL;
775 /* key_len is two AES keys */
776 if (enc) {
777 aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
778 xctx->xts.block1 = (block128_f) aes_t4_encrypt;
779 switch (bits) {
780 case 128:
781 xctx->stream = aes128_t4_xts_encrypt;
782 break;
0f113f3e
MC		 783 case 256:
784 xctx->stream = aes256_t4_xts_encrypt;
785 break;
786 default:
787 return 0;
788 }
789 } else {
6435f0f6
RL		 790 aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
791 &xctx->ks1.ks);
0f113f3e
MC		 792 xctx->xts.block1 = (block128_f) aes_t4_decrypt;
793 switch (bits) {
794 case 128:
795 xctx->stream = aes128_t4_xts_decrypt;
796 break;
0f113f3e
MC		 797 case 256:
798 xctx->stream = aes256_t4_xts_decrypt;
799 break;
800 default:
801 return 0;
802 }
803 }
804
6435f0f6
RL		 805 aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
806 EVP_CIPHER_CTX_key_length(ctx) * 4,
807 &xctx->ks2.ks);
0f113f3e
MC		 808 xctx->xts.block2 = (block128_f) aes_t4_encrypt;
809
810 xctx->xts.key1 = &xctx->ks1;
811 }
812
813 if (iv) {
814 xctx->xts.key2 = &xctx->ks2;
6435f0f6 815 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 816 }
817
818 return 1;
819}
820
5158c763 821# define aes_t4_xts_cipher aes_xts_cipher
c5f6da54 822static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 823 const unsigned char *in, size_t len);
c5f6da54
AP		 824
825static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 826 const unsigned char *iv, int enc)
827{
6435f0f6 828 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 829 if (!iv && !key)
830 return 1;
831 if (key) {
6435f0f6 832 int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 833 aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
834 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
835 &cctx->ks, (block128_f) aes_t4_encrypt);
bdc985b1 836 cctx->str = NULL;
0f113f3e
MC		 837 cctx->key_set = 1;
838 }
839 if (iv) {
6435f0f6 840 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 841 cctx->iv_set = 1;
842 }
843 return 1;
844}
845
5158c763 846# define aes_t4_ccm_cipher aes_ccm_cipher
c5f6da54 847static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 848 const unsigned char *in, size_t len);
c5f6da54 849
5158c763 850# ifndef OPENSSL_NO_OCB
e6b336ef 851static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 852 const unsigned char *iv, int enc)
853{
6435f0f6 854 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 855 if (!iv && !key)
856 return 1;
857 if (key) {
858 do {
859 /*
860 * We set both the encrypt and decrypt key here because decrypt
861 * needs both. We could possibly optimise to remove setting the
862 * decrypt for an encryption operation.
863 */
6435f0f6
RL		 864 aes_t4_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
865 &octx->ksenc.ks);
866 aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
867 &octx->ksdec.ks);
bdc985b1
AP		 868 if (!CRYPTO_ocb128_init(&octx->ocb,
869 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 870 (block128_f) aes_t4_encrypt,
02dc0b82
AP		 871 (block128_f) aes_t4_decrypt,
872 NULL))
0f113f3e
MC		 873 return 0;
874 }
875 while (0);
876
877 /*
878 * If we have an iv we can set it directly, otherwise use saved IV.
879 */
880 if (iv == NULL && octx->iv_set)
881 iv = octx->iv;
882 if (iv) {
883 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
884 != 1)
885 return 0;
886 octx->iv_set = 1;
887 }
888 octx->key_set = 1;
889 } else {
890 /* If key set use IV, otherwise copy */
891 if (octx->key_set)
892 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
893 else
894 memcpy(octx->iv, iv, octx->ivlen);
895 octx->iv_set = 1;
896 }
897 return 1;
898}
899
5158c763 900# define aes_t4_ocb_cipher aes_ocb_cipher
e6b336ef 901static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 902 const unsigned char *in, size_t len);
5158c763 903# endif /* OPENSSL_NO_OCB */
e6b336ef 904
5158c763 905# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
c5f6da54 906static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
0f113f3e
MC		 907 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
908 flags|EVP_CIPH_##MODE##_MODE, \
909 aes_t4_init_key, \
910 aes_t4_##mode##_cipher, \
911 NULL, \
912 sizeof(EVP_AES_KEY), \
913 NULL,NULL,NULL,NULL }; \
c5f6da54 914static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 915 nid##_##keylen##_##nmode,blocksize, \
916 keylen/8,ivlen, \
917 flags|EVP_CIPH_##MODE##_MODE, \
918 aes_init_key, \
919 aes_##mode##_cipher, \
920 NULL, \
921 sizeof(EVP_AES_KEY), \
922 NULL,NULL,NULL,NULL }; \
c5f6da54
AP		 923const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
924{ return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
925
5158c763 926# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
c5f6da54 927static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
0f113f3e
MC		 928 nid##_##keylen##_##mode,blocksize, \
929 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
930 flags|EVP_CIPH_##MODE##_MODE, \
931 aes_t4_##mode##_init_key, \
932 aes_t4_##mode##_cipher, \
933 aes_##mode##_cleanup, \
934 sizeof(EVP_AES_##MODE##_CTX), \
935 NULL,NULL,aes_##mode##_ctrl,NULL }; \
c5f6da54 936static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 937 nid##_##keylen##_##mode,blocksize, \
938 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
939 flags|EVP_CIPH_##MODE##_MODE, \
940 aes_##mode##_init_key, \
941 aes_##mode##_cipher, \
942 aes_##mode##_cleanup, \
943 sizeof(EVP_AES_##MODE##_CTX), \
944 NULL,NULL,aes_##mode##_ctrl,NULL }; \
c5f6da54
AP		 945const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
946{ return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
947
5158c763 948#else
17f121de 949
5158c763 950# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
17f121de 951static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 952 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
953 flags|EVP_CIPH_##MODE##_MODE, \
954 aes_init_key, \
955 aes_##mode##_cipher, \
956 NULL, \
957 sizeof(EVP_AES_KEY), \
958 NULL,NULL,NULL,NULL }; \
17f121de
AP		 959const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
960{ return &aes_##keylen##_##mode; }
d1fff483 961
5158c763 962# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
17f121de 963static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 964 nid##_##keylen##_##mode,blocksize, \
965 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
966 flags|EVP_CIPH_##MODE##_MODE, \
967 aes_##mode##_init_key, \
968 aes_##mode##_cipher, \
969 aes_##mode##_cleanup, \
970 sizeof(EVP_AES_##MODE##_CTX), \
971 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de
AP		 972const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
973{ return &aes_##keylen##_##mode; }
9575d1a9 974
5158c763 975#endif
9575d1a9 976
5158c763
MC		 977#if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
978# include "arm_arch.h"
979# if __ARM_MAX_ARCH__>=7
980# if defined(BSAES_ASM)
981# define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
982# endif
983# if defined(VPAES_ASM)
984# define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
0f113f3e 985# endif
5158c763
MC		 986# define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
987# define HWAES_set_encrypt_key aes_v8_set_encrypt_key
988# define HWAES_set_decrypt_key aes_v8_set_decrypt_key
989# define HWAES_encrypt aes_v8_encrypt
990# define HWAES_decrypt aes_v8_decrypt
991# define HWAES_cbc_encrypt aes_v8_cbc_encrypt
992# define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
ddacb8f2 993# endif
5158c763 994#endif
d1fff483 995
5158c763 996#if defined(HWAES_CAPABLE)
ddacb8f2 997int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
0f113f3e 998 AES_KEY *key);
ddacb8f2 999int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
0f113f3e 1000 AES_KEY *key);
ddacb8f2 1001void HWAES_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 1002 const AES_KEY *key);
ddacb8f2 1003void HWAES_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 1004 const AES_KEY *key);
ddacb8f2 1005void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 1006 size_t length, const AES_KEY *key,
1007 unsigned char *ivec, const int enc);
ddacb8f2 1008void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 1009 size_t len, const AES_KEY *key,
1010 const unsigned char ivec[16]);
5158c763 1011#endif
ddacb8f2 1012
5158c763 1013#define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
0f113f3e
MC		 1014 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
1015 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
1016 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
1017 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
1018 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
1019 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
1020 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
d1fff483
AP		 1021
1022static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 1023 const unsigned char *iv, int enc)
1024{
1025 int ret, mode;
6435f0f6 1026 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 1027
6435f0f6 1028 mode = EVP_CIPHER_CTX_mode(ctx);
0f113f3e
MC		 1029 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
1030 && !enc)
5158c763 1031#ifdef HWAES_CAPABLE
0f113f3e 1032 if (HWAES_CAPABLE) {
6435f0f6
RL		 1033 ret = HWAES_set_decrypt_key(key,
1034 EVP_CIPHER_CTX_key_length(ctx) * 8,
1035 &dat->ks.ks);
0f113f3e
MC		 1036 dat->block = (block128_f) HWAES_decrypt;
1037 dat->stream.cbc = NULL;
5158c763 1038# ifdef HWAES_cbc_encrypt
0f113f3e
MC		 1039 if (mode == EVP_CIPH_CBC_MODE)
1040 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
0f113f3e 1041# endif
5158c763
MC		 1042 } else
1043#endif
1044#ifdef BSAES_CAPABLE
0f113f3e 1045 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
6435f0f6
RL		 1046 ret = AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1047 &dat->ks.ks);
0f113f3e
MC		 1048 dat->block = (block128_f) AES_decrypt;
1049 dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt;
1050 } else
5158c763
MC		 1051#endif
1052#ifdef VPAES_CAPABLE
0f113f3e 1053 if (VPAES_CAPABLE) {
6435f0f6
RL		 1054 ret = vpaes_set_decrypt_key(key,
1055 EVP_CIPHER_CTX_key_length(ctx) * 8,
1056 &dat->ks.ks);
0f113f3e
MC		 1057 dat->block = (block128_f) vpaes_decrypt;
1058 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
1059 (cbc128_f) vpaes_cbc_encrypt : NULL;
1060 } else
5158c763 1061#endif
0f113f3e 1062 {
6435f0f6
RL		 1063 ret = AES_set_decrypt_key(key,
1064 EVP_CIPHER_CTX_key_length(ctx) * 8,
1065 &dat->ks.ks);
0f113f3e
MC		 1066 dat->block = (block128_f) AES_decrypt;
1067 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
1068 (cbc128_f) AES_cbc_encrypt : NULL;
1069 } else
5158c763 1070#ifdef HWAES_CAPABLE
0f113f3e 1071 if (HWAES_CAPABLE) {
6435f0f6
RL		 1072 ret = HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1073 &dat->ks.ks);
0f113f3e
MC		 1074 dat->block = (block128_f) HWAES_encrypt;
1075 dat->stream.cbc = NULL;
5158c763 1076# ifdef HWAES_cbc_encrypt
0f113f3e
MC		 1077 if (mode == EVP_CIPH_CBC_MODE)
1078 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
1079 else
5158c763
MC		 1080# endif
1081# ifdef HWAES_ctr32_encrypt_blocks
0f113f3e
MC		 1082 if (mode == EVP_CIPH_CTR_MODE)
1083 dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
1084 else
5158c763 1085# endif
0f113f3e
MC		 1086 (void)0; /* terminate potentially open 'else' */
1087 } else
5158c763
MC		 1088#endif
1089#ifdef BSAES_CAPABLE
0f113f3e 1090 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
6435f0f6
RL		 1091 ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1092 &dat->ks.ks);
0f113f3e
MC		 1093 dat->block = (block128_f) AES_encrypt;
1094 dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
1095 } else
5158c763
MC		 1096#endif
1097#ifdef VPAES_CAPABLE
0f113f3e 1098 if (VPAES_CAPABLE) {
6435f0f6
RL		 1099 ret = vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1100 &dat->ks.ks);
0f113f3e
MC		 1101 dat->block = (block128_f) vpaes_encrypt;
1102 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
1103 (cbc128_f) vpaes_cbc_encrypt : NULL;
1104 } else
5158c763 1105#endif
0f113f3e 1106 {
6435f0f6
RL		 1107 ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1108 &dat->ks.ks);
0f113f3e
MC		 1109 dat->block = (block128_f) AES_encrypt;
1110 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
1111 (cbc128_f) AES_cbc_encrypt : NULL;
5158c763 1112#ifdef AES_CTR_ASM
0f113f3e
MC		 1113 if (mode == EVP_CIPH_CTR_MODE)
1114 dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
5158c763 1115#endif
0f113f3e 1116 }
d1fff483 1117
0f113f3e
MC		 1118 if (ret < 0) {
1119 EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
1120 return 0;
1121 }
d1fff483 1122
0f113f3e
MC		 1123 return 1;
1124}
d1fff483 1125
0f113f3e
MC		 1126static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1127 const unsigned char *in, size_t len)
17f121de 1128{
6435f0f6 1129 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 1130
0f113f3e 1131 if (dat->stream.cbc)
6435f0f6
RL		 1132 (*dat->stream.cbc) (in, out, len, &dat->ks,
1133 EVP_CIPHER_CTX_iv_noconst(ctx),
1134 EVP_CIPHER_CTX_encrypting(ctx));
1135 else if (EVP_CIPHER_CTX_encrypting(ctx))
1136 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks,
1137 EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
0f113f3e 1138 else
6435f0f6
RL		 1139 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
1140 EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
17f121de 1141
0f113f3e 1142 return 1;
17f121de
AP		 1143}
1144
0f113f3e
MC		 1145static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1146 const unsigned char *in, size_t len)
17f121de 1147{
6435f0f6 1148 size_t bl = EVP_CIPHER_CTX_block_size(ctx);
0f113f3e 1149 size_t i;
6435f0f6 1150 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
17f121de 1151
0f113f3e
MC		 1152 if (len < bl)
1153 return 1;
17f121de 1154
0f113f3e
MC		 1155 for (i = 0, len -= bl; i <= len; i += bl)
1156 (*dat->block) (in + i, out + i, &dat->ks);
17f121de 1157
0f113f3e 1158 return 1;
17f121de 1159}
deb2c1a1 1160
0f113f3e
MC		 1161static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1162 const unsigned char *in, size_t len)
17f121de 1163{
6435f0f6 1164 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 1165
6435f0f6 1166 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1167 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 1168 EVP_CIPHER_CTX_iv_noconst(ctx), &num, dat->block);
1169 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 1170 return 1;
17f121de 1171}
deb2c1a1 1172
0f113f3e
MC		 1173static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1174 const unsigned char *in, size_t len)
17f121de 1175{
6435f0f6 1176 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 1177
6435f0f6 1178 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1179 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 1180 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
1181 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
1182 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 1183 return 1;
17f121de
AP		 1184}
1185
0f113f3e
MC		 1186static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1187 const unsigned char *in, size_t len)
17f121de 1188{
6435f0f6 1189 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 1190
6435f0f6 1191 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1192 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 1193 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
1194 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
1195 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 1196 return 1;
17f121de 1197}
8d1ebe0b 1198
0f113f3e
MC		 1199static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1200 const unsigned char *in, size_t len)
17f121de 1201{
6435f0f6 1202 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 1203
6435f0f6
RL		 1204 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
1205 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1206 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 1207 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
1208 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
1209 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e
MC		 1210 return 1;
1211 }
1212
1213 while (len >= MAXBITCHUNK) {
6435f0f6 1214 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1215 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
6435f0f6
RL		 1216 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
1217 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
1218 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e
MC		 1219 len -= MAXBITCHUNK;
1220 }
6435f0f6
RL		 1221 if (len) {
1222 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1223 CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
6435f0f6
RL		 1224 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
1225 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
1226 EVP_CIPHER_CTX_set_num(ctx, num);
1227 }
0f113f3e
MC		 1228
1229 return 1;
17f121de 1230}
8d1ebe0b 1231
0f113f3e
MC		 1232static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1233 const unsigned char *in, size_t len)
d976f992 1234{
6435f0f6
RL		 1235 unsigned int num = EVP_CIPHER_CTX_num(ctx);
1236 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e
MC		 1237
1238 if (dat->stream.ctr)
1239 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
6435f0f6
RL		 1240 EVP_CIPHER_CTX_iv_noconst(ctx),
1241 EVP_CIPHER_CTX_buf_noconst(ctx),
1242 &num, dat->stream.ctr);
0f113f3e
MC		 1243 else
1244 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 1245 EVP_CIPHER_CTX_iv_noconst(ctx),
1246 EVP_CIPHER_CTX_buf_noconst(ctx), &num,
1247 dat->block);
1248 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 1249 return 1;
d976f992
AP		 1250}
1251
0f113f3e
MC		 1252BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
1253 BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
1254 BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
bdaa5415
DSH		 1255
1256static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
0f113f3e 1257{
6435f0f6 1258 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
0f113f3e 1259 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
6435f0f6 1260 if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
0f113f3e
MC		 1261 OPENSSL_free(gctx->iv);
1262 return 1;
1263}
bdaa5415 1264
b3d8022e 1265/* increment counter (64-bit int) by 1 */
0f113f3e
MC		 1266static void ctr64_inc(unsigned char *counter)
1267{
1268 int n = 8;
1269 unsigned char c;
1270
1271 do {
1272 --n;
1273 c = counter[n];
1274 ++c;
1275 counter[n] = c;
1276 if (c)
1277 return;
1278 } while (n);
b3d8022e
DSH		 1279}
1280
bdaa5415 1281static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 1282{
6435f0f6 1283 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
0f113f3e
MC		 1284 switch (type) {
1285 case EVP_CTRL_INIT:
1286 gctx->key_set = 0;
1287 gctx->iv_set = 0;
6435f0f6
RL		 1288 gctx->ivlen = EVP_CIPHER_CTX_iv_length(c);
1289 gctx->iv = EVP_CIPHER_CTX_iv_noconst(c);
0f113f3e
MC		 1290 gctx->taglen = -1;
1291 gctx->iv_gen = 0;
1292 gctx->tls_aad_len = -1;
1293 return 1;
1294
e640fa02 1295 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 1296 if (arg <= 0)
1297 return 0;
1298 /* Allocate memory for IV if needed */
1299 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
6435f0f6 1300 if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
0f113f3e
MC		 1301 OPENSSL_free(gctx->iv);
1302 gctx->iv = OPENSSL_malloc(arg);
90945fa3 1303 if (gctx->iv == NULL)
0f113f3e
MC		 1304 return 0;
1305 }
1306 gctx->ivlen = arg;
1307 return 1;
1308
e640fa02 1309 case EVP_CTRL_AEAD_SET_TAG:
6435f0f6 1310 if (arg <= 0 || arg > 16 || EVP_CIPHER_CTX_encrypting(c))
0f113f3e 1311 return 0;
6435f0f6 1312 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
0f113f3e
MC		 1313 gctx->taglen = arg;
1314 return 1;
1315
e640fa02 1316 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6
RL		 1317 if (arg <= 0 || arg > 16 || !EVP_CIPHER_CTX_encrypting(c)
1318 || gctx->taglen < 0)
0f113f3e 1319 return 0;
6435f0f6 1320 memcpy(ptr, EVP_CIPHER_CTX_buf_noconst(c), arg);
0f113f3e
MC		 1321 return 1;
1322
1323 case EVP_CTRL_GCM_SET_IV_FIXED:
1324 /* Special case: -1 length restores whole IV */
1325 if (arg == -1) {
1326 memcpy(gctx->iv, ptr, gctx->ivlen);
1327 gctx->iv_gen = 1;
1328 return 1;
1329 }
1330 /*
1331 * Fixed field must be at least 4 bytes and invocation field at least
1332 * 8.
1333 */
1334 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1335 return 0;
1336 if (arg)
1337 memcpy(gctx->iv, ptr, arg);
6435f0f6
RL		 1338 if (EVP_CIPHER_CTX_encrypting(c)
1339 && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
0f113f3e
MC		 1340 return 0;
1341 gctx->iv_gen = 1;
1342 return 1;
1343
1344 case EVP_CTRL_GCM_IV_GEN:
1345 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1346 return 0;
1347 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1348 if (arg <= 0 || arg > gctx->ivlen)
1349 arg = gctx->ivlen;
1350 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1351 /*
1352 * Invocation field will be at least 8 bytes in size and so no need
1353 * to check wrap around or increment more than last 8 bytes.
1354 */
1355 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1356 gctx->iv_set = 1;
1357 return 1;
1358
1359 case EVP_CTRL_GCM_SET_IV_INV:
6435f0f6
RL		 1360 if (gctx->iv_gen == 0 || gctx->key_set == 0
1361 || EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 1362 return 0;
1363 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1364 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1365 gctx->iv_set = 1;
1366 return 1;
1367
1368 case EVP_CTRL_AEAD_TLS1_AAD:
1369 /* Save the AAD for later use */
c8269881 1370 if (arg != EVP_AEAD_TLS1_AAD_LEN)
0f113f3e 1371 return 0;
6435f0f6 1372 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
0f113f3e
MC		 1373 gctx->tls_aad_len = arg;
1374 {
6435f0f6
RL		 1375 unsigned int len =
1376 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
1377 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
0f113f3e
MC		 1378 /* Correct length for explicit IV */
1379 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1380 /* If decrypting correct for tag too */
6435f0f6 1381 if (!EVP_CIPHER_CTX_encrypting(c))
0f113f3e 1382 len -= EVP_GCM_TLS_TAG_LEN;
6435f0f6
RL		 1383 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
1384 EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
0f113f3e
MC		 1385 }
1386 /* Extra padding: tag appended to record */
1387 return EVP_GCM_TLS_TAG_LEN;
1388
1389 case EVP_CTRL_COPY:
1390 {
1391 EVP_CIPHER_CTX *out = ptr;
6435f0f6 1392 EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out);
0f113f3e
MC		 1393 if (gctx->gcm.key) {
1394 if (gctx->gcm.key != &gctx->ks)
1395 return 0;
1396 gctx_out->gcm.key = &gctx_out->ks;
1397 }
6435f0f6
RL		 1398 if (gctx->iv == EVP_CIPHER_CTX_iv_noconst(c))
1399 gctx_out->iv = EVP_CIPHER_CTX_iv_noconst(out);
0f113f3e
MC		 1400 else {
1401 gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
90945fa3 1402 if (gctx_out->iv == NULL)
0f113f3e
MC		 1403 return 0;
1404 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
1405 }
1406 return 1;
1407 }
1408
1409 default:
1410 return -1;
1411
1412 }
1413}
bdaa5415
DSH		 1414
1415static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 1416 const unsigned char *iv, int enc)
1417{
6435f0f6 1418 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 1419 if (!iv && !key)
1420 return 1;
1421 if (key) {
1422 do {
5158c763 1423#ifdef HWAES_CAPABLE
0f113f3e 1424 if (HWAES_CAPABLE) {
6435f0f6
RL		 1425 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1426 &gctx->ks.ks);
0f113f3e
MC		 1427 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1428 (block128_f) HWAES_encrypt);
5158c763 1429# ifdef HWAES_ctr32_encrypt_blocks
0f113f3e 1430 gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
5158c763 1431# else
0f113f3e 1432 gctx->ctr = NULL;
5158c763 1433# endif
0f113f3e
MC		 1434 break;
1435 } else
5158c763
MC		 1436#endif
1437#ifdef BSAES_CAPABLE
0f113f3e 1438 if (BSAES_CAPABLE) {
6435f0f6
RL		 1439 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1440 &gctx->ks.ks);
0f113f3e
MC		 1441 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1442 (block128_f) AES_encrypt);
1443 gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
1444 break;
1445 } else
5158c763
MC		 1446#endif
1447#ifdef VPAES_CAPABLE
0f113f3e 1448 if (VPAES_CAPABLE) {
6435f0f6
RL		 1449 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1450 &gctx->ks.ks);
0f113f3e
MC		 1451 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1452 (block128_f) vpaes_encrypt);
1453 gctx->ctr = NULL;
1454 break;
1455 } else
5158c763 1456#endif
0f113f3e
MC		 1457 (void)0; /* terminate potentially open 'else' */
1458
6435f0f6
RL		 1459 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1460 &gctx->ks.ks);
0f113f3e
MC		 1461 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1462 (block128_f) AES_encrypt);
5158c763 1463#ifdef AES_CTR_ASM
0f113f3e 1464 gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
5158c763 1465#else
0f113f3e 1466 gctx->ctr = NULL;
5158c763 1467#endif
0f113f3e
MC		 1468 } while (0);
1469
1470 /*
1471 * If we have an iv can set it directly, otherwise use saved IV.
1472 */
1473 if (iv == NULL && gctx->iv_set)
1474 iv = gctx->iv;
1475 if (iv) {
1476 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1477 gctx->iv_set = 1;
1478 }
1479 gctx->key_set = 1;
1480 } else {
1481 /* If key set use IV, otherwise copy */
1482 if (gctx->key_set)
1483 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1484 else
1485 memcpy(gctx->iv, iv, gctx->ivlen);
1486 gctx->iv_set = 1;
1487 gctx->iv_gen = 0;
1488 }
1489 return 1;
1490}
1491
1492/*
1493 * Handle TLS GCM packet format. This consists of the last portion of the IV
28dd49fa
DSH		 1494 * followed by the payload and finally the tag. On encrypt generate IV,
1495 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1496 * and verify tag.
1497 */
1498
1499static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 1500 const unsigned char *in, size_t len)
1501{
6435f0f6 1502 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 1503 int rv = -1;
1504 /* Encrypt/decrypt must be performed in place */
1505 if (out != in
1506 || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1507 return -1;
1508 /*
1509 * Set IV from start of buffer or generate IV and write to start of
1510 * buffer.
1511 */
6435f0f6 1512 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CIPHER_CTX_encrypting(ctx) ?
0f113f3e
MC		 1513 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1514 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1515 goto err;
1516 /* Use saved AAD */
6435f0f6
RL		 1517 if (CRYPTO_gcm128_aad(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
1518 gctx->tls_aad_len))
0f113f3e
MC		 1519 goto err;
1520 /* Fix buffer and length to point to payload */
1521 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1522 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1523 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
6435f0f6 1524 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 1525 /* Encrypt payload */
1526 if (gctx->ctr) {
1527 size_t bulk = 0;
5158c763 1528#if defined(AES_GCM_ASM)
0f113f3e
MC		 1529 if (len >= 32 && AES_GCM_ASM(gctx)) {
1530 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
1531 return -1;
1532
1533 bulk = AES_gcm_encrypt(in, out, len,
1534 gctx->gcm.key,
1535 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1536 gctx->gcm.len.u[1] += bulk;
1537 }
5158c763 1538#endif
0f113f3e
MC		 1539 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1540 in + bulk,
1541 out + bulk,
1542 len - bulk, gctx->ctr))
1543 goto err;
1544 } else {
1545 size_t bulk = 0;
5158c763 1546#if defined(AES_GCM_ASM2)
0f113f3e
MC		 1547 if (len >= 32 && AES_GCM_ASM2(gctx)) {
1548 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
1549 return -1;
1550
1551 bulk = AES_gcm_encrypt(in, out, len,
1552 gctx->gcm.key,
1553 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1554 gctx->gcm.len.u[1] += bulk;
1555 }
5158c763 1556#endif
0f113f3e
MC		 1557 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1558 in + bulk, out + bulk, len - bulk))
1559 goto err;
1560 }
1561 out += len;
1562 /* Finally write tag */
1563 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1564 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1565 } else {
1566 /* Decrypt */
1567 if (gctx->ctr) {
1568 size_t bulk = 0;
5158c763 1569#if defined(AES_GCM_ASM)
0f113f3e
MC		 1570 if (len >= 16 && AES_GCM_ASM(gctx)) {
1571 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
1572 return -1;
1573
1574 bulk = AES_gcm_decrypt(in, out, len,
1575 gctx->gcm.key,
1576 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1577 gctx->gcm.len.u[1] += bulk;
1578 }
5158c763 1579#endif
0f113f3e
MC		 1580 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1581 in + bulk,
1582 out + bulk,
1583 len - bulk, gctx->ctr))
1584 goto err;
1585 } else {
1586 size_t bulk = 0;
5158c763 1587#if defined(AES_GCM_ASM2)
0f113f3e
MC		 1588 if (len >= 16 && AES_GCM_ASM2(gctx)) {
1589 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
1590 return -1;
1591
1592 bulk = AES_gcm_decrypt(in, out, len,
1593 gctx->gcm.key,
1594 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1595 gctx->gcm.len.u[1] += bulk;
1596 }
5158c763 1597#endif
0f113f3e
MC		 1598 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1599 in + bulk, out + bulk, len - bulk))
1600 goto err;
1601 }
1602 /* Retrieve tag */
6435f0f6
RL		 1603 CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
1604 EVP_GCM_TLS_TAG_LEN);
0f113f3e 1605 /* If tag mismatch wipe buffer */
6435f0f6
RL		 1606 if (CRYPTO_memcmp(EVP_CIPHER_CTX_buf_noconst(ctx), in + len,
1607 EVP_GCM_TLS_TAG_LEN)) {
0f113f3e
MC		 1608 OPENSSL_cleanse(out, len);
1609 goto err;
1610 }
1611 rv = len;
1612 }
1613
1614 err:
1615 gctx->iv_set = 0;
1616 gctx->tls_aad_len = -1;
1617 return rv;
1618}
28dd49fa 1619
17f121de 1620static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 1621 const unsigned char *in, size_t len)
1622{
6435f0f6 1623 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 1624 /* If not set up, return error */
1625 if (!gctx->key_set)
1626 return -1;
1627
1628 if (gctx->tls_aad_len >= 0)
1629 return aes_gcm_tls_cipher(ctx, out, in, len);
1630
1631 if (!gctx->iv_set)
1632 return -1;
1633 if (in) {
1634 if (out == NULL) {
1635 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1636 return -1;
6435f0f6 1637 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 1638 if (gctx->ctr) {
1639 size_t bulk = 0;
5158c763 1640#if defined(AES_GCM_ASM)
0f113f3e
MC		 1641 if (len >= 32 && AES_GCM_ASM(gctx)) {
1642 size_t res = (16 - gctx->gcm.mres) % 16;
1643
1644 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
1645 return -1;
1646
1647 bulk = AES_gcm_encrypt(in + res,
1648 out + res, len - res,
1649 gctx->gcm.key, gctx->gcm.Yi.c,
1650 gctx->gcm.Xi.u);
1651 gctx->gcm.len.u[1] += bulk;
1652 bulk += res;
1653 }
5158c763 1654#endif
0f113f3e
MC		 1655 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1656 in + bulk,
1657 out + bulk,
1658 len - bulk, gctx->ctr))
1659 return -1;
1660 } else {
1661 size_t bulk = 0;
5158c763 1662#if defined(AES_GCM_ASM2)
0f113f3e
MC		 1663 if (len >= 32 && AES_GCM_ASM2(gctx)) {
1664 size_t res = (16 - gctx->gcm.mres) % 16;
1665
1666 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
1667 return -1;
1668
1669 bulk = AES_gcm_encrypt(in + res,
1670 out + res, len - res,
1671 gctx->gcm.key, gctx->gcm.Yi.c,
1672 gctx->gcm.Xi.u);
1673 gctx->gcm.len.u[1] += bulk;
1674 bulk += res;
1675 }
5158c763 1676#endif
0f113f3e
MC		 1677 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1678 in + bulk, out + bulk, len - bulk))
1679 return -1;
1680 }
1681 } else {
1682 if (gctx->ctr) {
1683 size_t bulk = 0;
5158c763 1684#if defined(AES_GCM_ASM)
0f113f3e
MC		 1685 if (len >= 16 && AES_GCM_ASM(gctx)) {
1686 size_t res = (16 - gctx->gcm.mres) % 16;
1687
1688 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
1689 return -1;
1690
1691 bulk = AES_gcm_decrypt(in + res,
1692 out + res, len - res,
1693 gctx->gcm.key,
1694 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1695 gctx->gcm.len.u[1] += bulk;
1696 bulk += res;
1697 }
5158c763 1698#endif
0f113f3e
MC		 1699 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1700 in + bulk,
1701 out + bulk,
1702 len - bulk, gctx->ctr))
1703 return -1;
1704 } else {
1705 size_t bulk = 0;
5158c763 1706#if defined(AES_GCM_ASM2)
0f113f3e
MC		 1707 if (len >= 16 && AES_GCM_ASM2(gctx)) {
1708 size_t res = (16 - gctx->gcm.mres) % 16;
1709
1710 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
1711 return -1;
1712
1713 bulk = AES_gcm_decrypt(in + res,
1714 out + res, len - res,
1715 gctx->gcm.key,
1716 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1717 gctx->gcm.len.u[1] += bulk;
1718 bulk += res;
1719 }
5158c763 1720#endif
0f113f3e
MC		 1721 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1722 in + bulk, out + bulk, len - bulk))
1723 return -1;
1724 }
1725 }
1726 return len;
1727 } else {
6435f0f6 1728 if (!EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 1729 if (gctx->taglen < 0)
1730 return -1;
6435f0f6
RL		 1731 if (CRYPTO_gcm128_finish(&gctx->gcm,
1732 EVP_CIPHER_CTX_buf_noconst(ctx),
1733 gctx->taglen) != 0)
0f113f3e
MC		 1734 return -1;
1735 gctx->iv_set = 0;
1736 return 0;
1737 }
6435f0f6 1738 CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), 16);
0f113f3e
MC		 1739 gctx->taglen = 16;
1740 /* Don't reuse the IV */
1741 gctx->iv_set = 0;
1742 return 0;
1743 }
1744
1745}
1746
5158c763 1747#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
0f113f3e
MC		 1748 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1749 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1750 | EVP_CIPH_CUSTOM_COPY)
1751
1752BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
1753 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
1754 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
1755 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
1756 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
1757 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
32a2d8dd
DSH		 1758
1759static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 1760{
6435f0f6 1761 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,c);
0f113f3e
MC		 1762 if (type == EVP_CTRL_COPY) {
1763 EVP_CIPHER_CTX *out = ptr;
6435f0f6 1764 EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
0f113f3e
MC		 1765 if (xctx->xts.key1) {
1766 if (xctx->xts.key1 != &xctx->ks1)
1767 return 0;
1768 xctx_out->xts.key1 = &xctx_out->ks1;
1769 }
1770 if (xctx->xts.key2) {
1771 if (xctx->xts.key2 != &xctx->ks2)
1772 return 0;
1773 xctx_out->xts.key2 = &xctx_out->ks2;
1774 }
1775 return 1;
1776 } else if (type != EVP_CTRL_INIT)
1777 return -1;
1778 /* key1 and key2 are used as an indicator both key and IV are set */
1779 xctx->xts.key1 = NULL;
1780 xctx->xts.key2 = NULL;
1781 return 1;
1782}
32a2d8dd
DSH		 1783
1784static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 1785 const unsigned char *iv, int enc)
1786{
6435f0f6 1787 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 1788 if (!iv && !key)
1789 return 1;
1790
1791 if (key)
1792 do {
5158c763 1793#ifdef AES_XTS_ASM
0f113f3e 1794 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
5158c763 1795#else
0f113f3e 1796 xctx->stream = NULL;
5158c763 1797#endif
0f113f3e 1798 /* key_len is two AES keys */
5158c763 1799#ifdef HWAES_CAPABLE
0f113f3e
MC		 1800 if (HWAES_CAPABLE) {
1801 if (enc) {
6435f0f6
RL		 1802 HWAES_set_encrypt_key(key,
1803 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 1804 &xctx->ks1.ks);
1805 xctx->xts.block1 = (block128_f) HWAES_encrypt;
1806 } else {
6435f0f6
RL		 1807 HWAES_set_decrypt_key(key,
1808 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 1809 &xctx->ks1.ks);
1810 xctx->xts.block1 = (block128_f) HWAES_decrypt;
1811 }
1812
6435f0f6
RL		 1813 HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
1814 EVP_CIPHER_CTX_key_length(ctx) * 4,
1815 &xctx->ks2.ks);
0f113f3e
MC		 1816 xctx->xts.block2 = (block128_f) HWAES_encrypt;
1817
1818 xctx->xts.key1 = &xctx->ks1;
1819 break;
1820 } else
5158c763
MC		 1821#endif
1822#ifdef BSAES_CAPABLE
0f113f3e
MC		 1823 if (BSAES_CAPABLE)
1824 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1825 else
5158c763
MC		 1826#endif
1827#ifdef VPAES_CAPABLE
0f113f3e
MC		 1828 if (VPAES_CAPABLE) {
1829 if (enc) {
6435f0f6
RL		 1830 vpaes_set_encrypt_key(key,
1831 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 1832 &xctx->ks1.ks);
1833 xctx->xts.block1 = (block128_f) vpaes_encrypt;
1834 } else {
6435f0f6
RL		 1835 vpaes_set_decrypt_key(key,
1836 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 1837 &xctx->ks1.ks);
1838 xctx->xts.block1 = (block128_f) vpaes_decrypt;
1839 }
1840
6435f0f6
RL		 1841 vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
1842 EVP_CIPHER_CTX_key_length(ctx) * 4,
1843 &xctx->ks2.ks);
0f113f3e
MC		 1844 xctx->xts.block2 = (block128_f) vpaes_encrypt;
1845
1846 xctx->xts.key1 = &xctx->ks1;
1847 break;
1848 } else
5158c763 1849#endif
0f113f3e
MC		 1850 (void)0; /* terminate potentially open 'else' */
1851
1852 if (enc) {
6435f0f6
RL		 1853 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
1854 &xctx->ks1.ks);
0f113f3e
MC		 1855 xctx->xts.block1 = (block128_f) AES_encrypt;
1856 } else {
6435f0f6
RL		 1857 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
1858 &xctx->ks1.ks);
0f113f3e
MC		 1859 xctx->xts.block1 = (block128_f) AES_decrypt;
1860 }
1861
6435f0f6
RL		 1862 AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
1863 EVP_CIPHER_CTX_key_length(ctx) * 4,
1864 &xctx->ks2.ks);
0f113f3e
MC		 1865 xctx->xts.block2 = (block128_f) AES_encrypt;
1866
1867 xctx->xts.key1 = &xctx->ks1;
1868 } while (0);
1869
1870 if (iv) {
1871 xctx->xts.key2 = &xctx->ks2;
6435f0f6 1872 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 1873 }
1874
1875 return 1;
1876}
32a2d8dd 1877
17f121de 1878static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 1879 const unsigned char *in, size_t len)
1880{
6435f0f6 1881 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 1882 if (!xctx->xts.key1 || !xctx->xts.key2)
1883 return 0;
1884 if (!out || !in || len < AES_BLOCK_SIZE)
1885 return 0;
1886 if (xctx->stream)
1887 (*xctx->stream) (in, out, len,
6435f0f6
RL		 1888 xctx->xts.key1, xctx->xts.key2,
1889 EVP_CIPHER_CTX_iv_noconst(ctx));
1890 else if (CRYPTO_xts128_encrypt(&xctx->xts, EVP_CIPHER_CTX_iv_noconst(ctx),
1891 in, out, len,
1892 EVP_CIPHER_CTX_encrypting(ctx)))
0f113f3e
MC		 1893 return 0;
1894 return 1;
1895}
1896
5158c763 1897#define aes_xts_cleanup NULL
0f113f3e 1898
5158c763 1899#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
0f113f3e
MC		 1900 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1901 | EVP_CIPH_CUSTOM_COPY)
1902
1903BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
1904 BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
23916810
DSH		 1905
1906static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 1907{
6435f0f6 1908 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c);
0f113f3e
MC		 1909 switch (type) {
1910 case EVP_CTRL_INIT:
1911 cctx->key_set = 0;
1912 cctx->iv_set = 0;
1913 cctx->L = 8;
1914 cctx->M = 12;
1915 cctx->tag_set = 0;
1916 cctx->len_set = 0;
e75c5a79
DSH		 1917 cctx->tls_aad_len = -1;
1918 return 1;
1919
1920 case EVP_CTRL_AEAD_TLS1_AAD:
1921 /* Save the AAD for later use */
1922 if (arg != EVP_AEAD_TLS1_AAD_LEN)
1923 return 0;
6435f0f6 1924 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
e75c5a79
DSH		 1925 cctx->tls_aad_len = arg;
1926 {
6435f0f6
RL		 1927 uint16_t len =
1928 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
1929 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
e75c5a79
DSH		 1930 /* Correct length for explicit IV */
1931 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
1932 /* If decrypting correct for tag too */
6435f0f6 1933 if (!EVP_CIPHER_CTX_encrypting(c))
e75c5a79 1934 len -= cctx->M;
6435f0f6
RL		 1935 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
1936 EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
e75c5a79
DSH		 1937 }
1938 /* Extra padding: tag appended to record */
1939 return cctx->M;
1940
1941 case EVP_CTRL_CCM_SET_IV_FIXED:
1942 /* Sanity check length */
1943 if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
1944 return 0;
1945 /* Just copy to first part of IV */
6435f0f6 1946 memcpy(EVP_CIPHER_CTX_iv_noconst(c), ptr, arg);
0f113f3e
MC		 1947 return 1;
1948
e640fa02 1949 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 1950 arg = 15 - arg;
1951 case EVP_CTRL_CCM_SET_L:
1952 if (arg < 2 || arg > 8)
1953 return 0;
1954 cctx->L = arg;
1955 return 1;
1956
e640fa02 1957 case EVP_CTRL_AEAD_SET_TAG:
0f113f3e
MC		 1958 if ((arg & 1) || arg < 4 || arg > 16)
1959 return 0;
6435f0f6 1960 if (EVP_CIPHER_CTX_encrypting(c) && ptr)
0f113f3e
MC		 1961 return 0;
1962 if (ptr) {
1963 cctx->tag_set = 1;
6435f0f6 1964 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
0f113f3e
MC		 1965 }
1966 cctx->M = arg;
1967 return 1;
1968
e640fa02 1969 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6 1970 if (!EVP_CIPHER_CTX_encrypting(c) || !cctx->tag_set)
0f113f3e
MC		 1971 return 0;
1972 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1973 return 0;
1974 cctx->tag_set = 0;
1975 cctx->iv_set = 0;
1976 cctx->len_set = 0;
1977 return 1;
1978
1979 case EVP_CTRL_COPY:
1980 {
1981 EVP_CIPHER_CTX *out = ptr;
6435f0f6 1982 EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out);
0f113f3e
MC		 1983 if (cctx->ccm.key) {
1984 if (cctx->ccm.key != &cctx->ks)
1985 return 0;
1986 cctx_out->ccm.key = &cctx_out->ks;
1987 }
1988 return 1;
1989 }
1990
1991 default:
1992 return -1;
1993
1994 }
1995}
23916810
DSH		 1996
1997static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 1998 const unsigned char *iv, int enc)
1999{
6435f0f6 2000 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 2001 if (!iv && !key)
2002 return 1;
2003 if (key)
2004 do {
5158c763 2005#ifdef HWAES_CAPABLE
0f113f3e 2006 if (HWAES_CAPABLE) {
6435f0f6
RL		 2007 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2008 &cctx->ks.ks);
0f113f3e
MC		 2009
2010 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2011 &cctx->ks, (block128_f) HWAES_encrypt);
2012 cctx->str = NULL;
2013 cctx->key_set = 1;
2014 break;
2015 } else
5158c763
MC		 2016#endif
2017#ifdef VPAES_CAPABLE
0f113f3e 2018 if (VPAES_CAPABLE) {
6435f0f6
RL		 2019 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2020 &cctx->ks.ks);
0f113f3e
MC		 2021 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2022 &cctx->ks, (block128_f) vpaes_encrypt);
2023 cctx->str = NULL;
2024 cctx->key_set = 1;
2025 break;
2026 }
5158c763 2027#endif
6435f0f6
RL		 2028 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2029 &cctx->ks.ks);
0f113f3e
MC		 2030 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2031 &cctx->ks, (block128_f) AES_encrypt);
2032 cctx->str = NULL;
2033 cctx->key_set = 1;
2034 } while (0);
2035 if (iv) {
6435f0f6 2036 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 2037 cctx->iv_set = 1;
2038 }
2039 return 1;
2040}
23916810 2041
e75c5a79
DSH		 2042static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2043 const unsigned char *in, size_t len)
2044{
6435f0f6 2045 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
e75c5a79
DSH		 2046 CCM128_CONTEXT *ccm = &cctx->ccm;
2047 /* Encrypt/decrypt must be performed in place */
2048 if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
2049 return -1;
2050 /* If encrypting set explicit IV from sequence number (start of AAD) */
6435f0f6
RL		 2051 if (EVP_CIPHER_CTX_encrypting(ctx))
2052 memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx),
2053 EVP_CCM_TLS_EXPLICIT_IV_LEN);
e75c5a79 2054 /* Get rest of IV from explicit IV */
6435f0f6
RL		 2055 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx) + EVP_CCM_TLS_FIXED_IV_LEN, in,
2056 EVP_CCM_TLS_EXPLICIT_IV_LEN);
e75c5a79
DSH		 2057 /* Correct length value */
2058 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
6435f0f6
RL		 2059 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), 15 - cctx->L,
2060 len))
e75c5a79
DSH		 2061 return -1;
2062 /* Use saved AAD */
6435f0f6 2063 CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx), cctx->tls_aad_len);
e75c5a79
DSH		 2064 /* Fix buffer to point to payload */
2065 in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
2066 out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
6435f0f6 2067 if (EVP_CIPHER_CTX_encrypting(ctx)) {
e75c5a79
DSH		 2068 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
2069 cctx->str) :
2070 CRYPTO_ccm128_encrypt(ccm, in, out, len))
2071 return -1;
2072 if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
2073 return -1;
2074 return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
2075 } else {
2076 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
2077 cctx->str) :
2078 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
2079 unsigned char tag[16];
2080 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
2081 if (!CRYPTO_memcmp(tag, in + len, cctx->M))
2082 return len;
2083 }
2084 }
2085 OPENSSL_cleanse(out, len);
2086 return -1;
2087 }
2088}
2089
17f121de 2090static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 2091 const unsigned char *in, size_t len)
2092{
6435f0f6 2093 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 2094 CCM128_CONTEXT *ccm = &cctx->ccm;
2095 /* If not set up, return error */
e75c5a79
DSH		 2096 if (!cctx->key_set)
2097 return -1;
2098
2099 if (cctx->tls_aad_len >= 0)
2100 return aes_ccm_tls_cipher(ctx, out, in, len);
2101
2102 if (!cctx->iv_set)
0f113f3e 2103 return -1;
e75c5a79 2104
6435f0f6 2105 if (!EVP_CIPHER_CTX_encrypting(ctx) && !cctx->tag_set)
0f113f3e
MC		 2106 return -1;
2107 if (!out) {
2108 if (!in) {
6435f0f6
RL		 2109 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
2110 15 - cctx->L, len))
0f113f3e
MC		 2111 return -1;
2112 cctx->len_set = 1;
2113 return len;
2114 }
2115 /* If have AAD need message length */
2116 if (!cctx->len_set && len)
2117 return -1;
2118 CRYPTO_ccm128_aad(ccm, in, len);
2119 return len;
2120 }
2121 /* EVP_*Final() doesn't return any data */
2122 if (!in)
2123 return 0;
2124 /* If not set length yet do it */
2125 if (!cctx->len_set) {
6435f0f6
RL		 2126 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
2127 15 - cctx->L, len))
0f113f3e
MC		 2128 return -1;
2129 cctx->len_set = 1;
2130 }
6435f0f6 2131 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2132 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
2133 cctx->str) :
2134 CRYPTO_ccm128_encrypt(ccm, in, out, len))
2135 return -1;
2136 cctx->tag_set = 1;
2137 return len;
2138 } else {
2139 int rv = -1;
2140 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
2141 cctx->str) :
2142 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
2143 unsigned char tag[16];
2144 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
6435f0f6
RL		 2145 if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx),
2146 cctx->M))
0f113f3e
MC		 2147 rv = len;
2148 }
2149 }
2150 if (rv == -1)
2151 OPENSSL_cleanse(out, len);
2152 cctx->iv_set = 0;
2153 cctx->tag_set = 0;
2154 cctx->len_set = 0;
2155 return rv;
2156 }
0f113f3e
MC		 2157}
2158
5158c763 2159#define aes_ccm_cleanup NULL
0f113f3e 2160
e75c5a79
DSH		 2161BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
2162 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
2163 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
2164 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
2165 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
2166 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
0f113f3e
MC		 2167
2168typedef struct {
2169 union {
2170 double align;
2171 AES_KEY ks;
2172 } ks;
2173 /* Indicates if IV has been set */
2174 unsigned char *iv;
2175} EVP_AES_WRAP_CTX;
97cf1f6c
DSH		 2176
2177static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 2178 const unsigned char *iv, int enc)
2179{
6435f0f6 2180 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
0f113f3e
MC		 2181 if (!iv && !key)
2182 return 1;
2183 if (key) {
6435f0f6
RL		 2184 if (EVP_CIPHER_CTX_encrypting(ctx))
2185 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2186 &wctx->ks.ks);
0f113f3e 2187 else
6435f0f6
RL		 2188 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2189 &wctx->ks.ks);
0f113f3e
MC		 2190 if (!iv)
2191 wctx->iv = NULL;
2192 }
2193 if (iv) {
6435f0f6
RL		 2194 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, EVP_CIPHER_CTX_iv_length(ctx));
2195 wctx->iv = EVP_CIPHER_CTX_iv_noconst(ctx);
0f113f3e
MC		 2196 }
2197 return 1;
2198}
97cf1f6c
DSH		 2199
2200static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 2201 const unsigned char *in, size_t inlen)
2202{
6435f0f6 2203 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
0f113f3e
MC		 2204 size_t rv;
2205 /* AES wrap with padding has IV length of 4, without padding 8 */
2206 int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
2207 /* No final operation so always return zero length */
2208 if (!in)
2209 return 0;
2210 /* Input length must always be non-zero */
2211 if (!inlen)
2212 return -1;
2213 /* If decrypting need at least 16 bytes and multiple of 8 */
6435f0f6 2214 if (!EVP_CIPHER_CTX_encrypting(ctx) && (inlen < 16 || inlen & 0x7))
0f113f3e
MC		 2215 return -1;
2216 /* If not padding input must be multiple of 8 */
2217 if (!pad && inlen & 0x7)
2218 return -1;
2219 if (!out) {
6435f0f6 2220 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2221 /* If padding round up to multiple of 8 */
2222 if (pad)
2223 inlen = (inlen + 7) / 8 * 8;
2224 /* 8 byte prefix */
2225 return inlen + 8;
2226 } else {
2227 /*
2228 * If not padding output will be exactly 8 bytes smaller than
2229 * input. If padding it will be at least 8 bytes smaller but we
2230 * don't know how much.
2231 */
2232 return inlen - 8;
2233 }
2234 }
2235 if (pad) {
6435f0f6 2236 if (EVP_CIPHER_CTX_encrypting(ctx))
0f113f3e
MC		 2237 rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
2238 out, in, inlen,
2239 (block128_f) AES_encrypt);
2240 else
2241 rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
2242 out, in, inlen,
2243 (block128_f) AES_decrypt);
2244 } else {
6435f0f6 2245 if (EVP_CIPHER_CTX_encrypting(ctx))
0f113f3e
MC		 2246 rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
2247 out, in, inlen, (block128_f) AES_encrypt);
2248 else
2249 rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
2250 out, in, inlen, (block128_f) AES_decrypt);
2251 }
2252 return rv ? (int)rv : -1;
2253}
2254
5158c763 2255#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
0f113f3e
MC		 2256 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
2257 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
97cf1f6c
DSH		 2258
2259static const EVP_CIPHER aes_128_wrap = {
0f113f3e
MC		 2260 NID_id_aes128_wrap,
2261 8, 16, 8, WRAP_FLAGS,
2262 aes_wrap_init_key, aes_wrap_cipher,
2263 NULL,
2264 sizeof(EVP_AES_WRAP_CTX),
2265 NULL, NULL, NULL, NULL
2266};
97cf1f6c
DSH		 2267
2268const EVP_CIPHER *EVP_aes_128_wrap(void)
0f113f3e
MC		 2269{
2270 return &aes_128_wrap;
2271}
97cf1f6c
DSH		 2272
2273static const EVP_CIPHER aes_192_wrap = {
0f113f3e
MC		 2274 NID_id_aes192_wrap,
2275 8, 24, 8, WRAP_FLAGS,
2276 aes_wrap_init_key, aes_wrap_cipher,
2277 NULL,
2278 sizeof(EVP_AES_WRAP_CTX),
2279 NULL, NULL, NULL, NULL
2280};
97cf1f6c
DSH		 2281
2282const EVP_CIPHER *EVP_aes_192_wrap(void)
0f113f3e
MC		 2283{
2284 return &aes_192_wrap;
2285}
97cf1f6c
DSH		 2286
2287static const EVP_CIPHER aes_256_wrap = {
0f113f3e
MC		 2288 NID_id_aes256_wrap,
2289 8, 32, 8, WRAP_FLAGS,
2290 aes_wrap_init_key, aes_wrap_cipher,
2291 NULL,
2292 sizeof(EVP_AES_WRAP_CTX),
2293 NULL, NULL, NULL, NULL
2294};
97cf1f6c
DSH		 2295
2296const EVP_CIPHER *EVP_aes_256_wrap(void)
0f113f3e
MC		 2297{
2298 return &aes_256_wrap;
2299}
97cf1f6c 2300
d31fed73 2301static const EVP_CIPHER aes_128_wrap_pad = {
0f113f3e
MC		 2302 NID_id_aes128_wrap_pad,
2303 8, 16, 4, WRAP_FLAGS,
2304 aes_wrap_init_key, aes_wrap_cipher,
2305 NULL,
2306 sizeof(EVP_AES_WRAP_CTX),
2307 NULL, NULL, NULL, NULL
2308};
d31fed73
DSH		 2309
2310const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
0f113f3e
MC		 2311{
2312 return &aes_128_wrap_pad;
2313}
d31fed73
DSH		 2314
2315static const EVP_CIPHER aes_192_wrap_pad = {
0f113f3e
MC		 2316 NID_id_aes192_wrap_pad,
2317 8, 24, 4, WRAP_FLAGS,
2318 aes_wrap_init_key, aes_wrap_cipher,
2319 NULL,
2320 sizeof(EVP_AES_WRAP_CTX),
2321 NULL, NULL, NULL, NULL
2322};
d31fed73
DSH		 2323
2324const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
0f113f3e
MC		 2325{
2326 return &aes_192_wrap_pad;
2327}
d31fed73
DSH		 2328
2329static const EVP_CIPHER aes_256_wrap_pad = {
0f113f3e
MC		 2330 NID_id_aes256_wrap_pad,
2331 8, 32, 4, WRAP_FLAGS,
2332 aes_wrap_init_key, aes_wrap_cipher,
2333 NULL,
2334 sizeof(EVP_AES_WRAP_CTX),
2335 NULL, NULL, NULL, NULL
2336};
d31fed73
DSH		 2337
2338const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
0f113f3e
MC		 2339{
2340 return &aes_256_wrap_pad;
2341}
d31fed73 2342
5158c763 2343#ifndef OPENSSL_NO_OCB
e6b336ef 2344static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 2345{
6435f0f6 2346 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
0f113f3e
MC		 2347 EVP_CIPHER_CTX *newc;
2348 EVP_AES_OCB_CTX *new_octx;
2349
2350 switch (type) {
2351 case EVP_CTRL_INIT:
2352 octx->key_set = 0;
2353 octx->iv_set = 0;
6435f0f6
RL		 2354 octx->ivlen = EVP_CIPHER_CTX_iv_length(c);
2355 octx->iv = EVP_CIPHER_CTX_iv_noconst(c);
0f113f3e
MC		 2356 octx->taglen = 16;
2357 octx->data_buf_len = 0;
2358 octx->aad_buf_len = 0;
2359 return 1;
2360
e640fa02 2361 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 2362 /* IV len must be 1 to 15 */
2363 if (arg <= 0 || arg > 15)
2364 return 0;
2365
2366 octx->ivlen = arg;
2367 return 1;
2368
e640fa02 2369 case EVP_CTRL_AEAD_SET_TAG:
d57d135c
MC		 2370 if (!ptr) {
2371 /* Tag len must be 0 to 16 */
2372 if (arg < 0 || arg > 16)
2373 return 0;
2374
2375 octx->taglen = arg;
2376 return 1;
2377 }
6435f0f6 2378 if (arg != octx->taglen || EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 2379 return 0;
2380 memcpy(octx->tag, ptr, arg);
2381 return 1;
2382
e640fa02 2383 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6 2384 if (arg != octx->taglen || !EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 2385 return 0;
2386
2387 memcpy(ptr, octx->tag, arg);
2388 return 1;
2389
2390 case EVP_CTRL_COPY:
2391 newc = (EVP_CIPHER_CTX *)ptr;
6435f0f6 2392 new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc);
0f113f3e 2393 return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb,
bdc985b1
AP		 2394 &new_octx->ksenc.ks,
2395 &new_octx->ksdec.ks);
0f113f3e
MC		 2396
2397 default:
2398 return -1;
2399
2400 }
2401}
e6b336ef 2402
5158c763
MC		 2403# ifdef HWAES_CAPABLE
2404# ifdef HWAES_ocb_encrypt
02dc0b82
AP		 2405void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out,
2406 size_t blocks, const void *key,
2407 size_t start_block_num,
2408 unsigned char offset_i[16],
2409 const unsigned char L_[][16],
2410 unsigned char checksum[16]);
5158c763
MC		 2411# else
2412# define HWAES_ocb_encrypt NULL
2413# endif
2414# ifdef HWAES_ocb_decrypt
02dc0b82
AP		 2415void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out,
2416 size_t blocks, const void *key,
2417 size_t start_block_num,
2418 unsigned char offset_i[16],
2419 const unsigned char L_[][16],
2420 unsigned char checksum[16]);
5158c763
MC		 2421# else
2422# define HWAES_ocb_decrypt NULL
02dc0b82 2423# endif
5158c763 2424# endif
02dc0b82 2425
e6b336ef 2426static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 2427 const unsigned char *iv, int enc)
2428{
6435f0f6 2429 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 2430 if (!iv && !key)
2431 return 1;
2432 if (key) {
2433 do {
2434 /*
2435 * We set both the encrypt and decrypt key here because decrypt
2436 * needs both. We could possibly optimise to remove setting the
2437 * decrypt for an encryption operation.
2438 */
5158c763 2439# ifdef HWAES_CAPABLE
02dc0b82 2440 if (HWAES_CAPABLE) {
6435f0f6
RL		 2441 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2442 &octx->ksenc.ks);
2443 HWAES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2444 &octx->ksdec.ks);
02dc0b82
AP		 2445 if (!CRYPTO_ocb128_init(&octx->ocb,
2446 &octx->ksenc.ks, &octx->ksdec.ks,
2447 (block128_f) HWAES_encrypt,
2448 (block128_f) HWAES_decrypt,
2449 enc ? HWAES_ocb_encrypt
2450 : HWAES_ocb_decrypt))
2451 return 0;
2452 break;
2453 }
5158c763
MC		 2454# endif
2455# ifdef VPAES_CAPABLE
0f113f3e 2456 if (VPAES_CAPABLE) {
6435f0f6
RL		 2457 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2458 &octx->ksenc.ks);
2459 vpaes_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2460 &octx->ksdec.ks);
bdc985b1
AP		 2461 if (!CRYPTO_ocb128_init(&octx->ocb,
2462 &octx->ksenc.ks, &octx->ksdec.ks,
2463 (block128_f) vpaes_encrypt,
bd30091c
AP		 2464 (block128_f) vpaes_decrypt,
2465 NULL))
0f113f3e
MC		 2466 return 0;
2467 break;
2468 }
5158c763 2469# endif
6435f0f6
RL		 2470 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2471 &octx->ksenc.ks);
2472 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2473 &octx->ksdec.ks);
bdc985b1
AP		 2474 if (!CRYPTO_ocb128_init(&octx->ocb,
2475 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 2476 (block128_f) AES_encrypt,
bd30091c
AP		 2477 (block128_f) AES_decrypt,
2478 NULL))
0f113f3e
MC		 2479 return 0;
2480 }
2481 while (0);
2482
2483 /*
2484 * If we have an iv we can set it directly, otherwise use saved IV.
2485 */
2486 if (iv == NULL && octx->iv_set)
2487 iv = octx->iv;
2488 if (iv) {
2489 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
2490 != 1)
2491 return 0;
2492 octx->iv_set = 1;
2493 }
2494 octx->key_set = 1;
2495 } else {
2496 /* If key set use IV, otherwise copy */
2497 if (octx->key_set)
2498 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
2499 else
2500 memcpy(octx->iv, iv, octx->ivlen);
2501 octx->iv_set = 1;
2502 }
2503 return 1;
2504}
e6b336ef
MC		 2505
2506static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 2507 const unsigned char *in, size_t len)
2508{
2509 unsigned char *buf;
2510 int *buf_len;
2511 int written_len = 0;
2512 size_t trailing_len;
6435f0f6 2513 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 2514
2515 /* If IV or Key not set then return error */
2516 if (!octx->iv_set)
2517 return -1;
2518
2519 if (!octx->key_set)
2520 return -1;
2521
2522 if (in) {
2523 /*
2524 * Need to ensure we are only passing full blocks to low level OCB
2525 * routines. We do it here rather than in EVP_EncryptUpdate/
2526 * EVP_DecryptUpdate because we need to pass full blocks of AAD too
2527 * and those routines don't support that
2528 */
2529
2530 /* Are we dealing with AAD or normal data here? */
2531 if (out == NULL) {
2532 buf = octx->aad_buf;
2533 buf_len = &(octx->aad_buf_len);
2534 } else {
2535 buf = octx->data_buf;
2536 buf_len = &(octx->data_buf_len);
2537 }
2538
2539 /*
2540 * If we've got a partially filled buffer from a previous call then
2541 * use that data first
2542 */
2543 if (*buf_len) {
2544 unsigned int remaining;
2545
2546 remaining = 16 - (*buf_len);
2547 if (remaining > len) {
2548 memcpy(buf + (*buf_len), in, len);
2549 *(buf_len) += len;
2550 return 0;
2551 }
2552 memcpy(buf + (*buf_len), in, remaining);
2553
2554 /*
2555 * If we get here we've filled the buffer, so process it
2556 */
2557 len -= remaining;
2558 in += remaining;
2559 if (out == NULL) {
2560 if (!CRYPTO_ocb128_aad(&octx->ocb, buf, 16))
2561 return -1;
6435f0f6 2562 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2563 if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out, 16))
2564 return -1;
2565 } else {
2566 if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out, 16))
2567 return -1;
2568 }
2569 written_len = 16;
2570 *buf_len = 0;
2571 }
2572
2573 /* Do we have a partial block to handle at the end? */
2574 trailing_len = len % 16;
2575
2576 /*
2577 * If we've got some full blocks to handle, then process these first
2578 */
2579 if (len != trailing_len) {
2580 if (out == NULL) {
2581 if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len))
2582 return -1;
6435f0f6 2583 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2584 if (!CRYPTO_ocb128_encrypt
2585 (&octx->ocb, in, out, len - trailing_len))
2586 return -1;
2587 } else {
2588 if (!CRYPTO_ocb128_decrypt
2589 (&octx->ocb, in, out, len - trailing_len))
2590 return -1;
2591 }
2592 written_len += len - trailing_len;
2593 in += len - trailing_len;
2594 }
2595
2596 /* Handle any trailing partial block */
2597 if (trailing_len) {
2598 memcpy(buf, in, trailing_len);
2599 *buf_len = trailing_len;
2600 }
2601
2602 return written_len;
2603 } else {
2604 /*
2605 * First of all empty the buffer of any partial block that we might
2606 * have been provided - both for data and AAD
2607 */
2608 if (octx->data_buf_len) {
6435f0f6 2609 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2610 if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out,
2611 octx->data_buf_len))
2612 return -1;
2613 } else {
2614 if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out,
2615 octx->data_buf_len))
2616 return -1;
2617 }
2618 written_len = octx->data_buf_len;
2619 octx->data_buf_len = 0;
2620 }
2621 if (octx->aad_buf_len) {
2622 if (!CRYPTO_ocb128_aad
2623 (&octx->ocb, octx->aad_buf, octx->aad_buf_len))
2624 return -1;
2625 octx->aad_buf_len = 0;
2626 }
2627 /* If decrypting then verify */
6435f0f6 2628 if (!EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2629 if (octx->taglen < 0)
2630 return -1;
2631 if (CRYPTO_ocb128_finish(&octx->ocb,
2632 octx->tag, octx->taglen) != 0)
2633 return -1;
2634 octx->iv_set = 0;
2635 return written_len;
2636 }
2637 /* If encrypting then just get the tag */
2638 if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1)
2639 return -1;
2640 /* Don't reuse the IV */
2641 octx->iv_set = 0;
2642 return written_len;
2643 }
2644}
e6b336ef
MC		 2645
2646static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
0f113f3e 2647{
6435f0f6 2648 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
0f113f3e
MC		 2649 CRYPTO_ocb128_cleanup(&octx->ocb);
2650 return 1;
2651}
e6b336ef 2652
c4aede20
MC		 2653BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
2654 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
2655BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
2656 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
2657BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
2658 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
5158c763 2659#endif /* OPENSSL_NO_OCB */
A mirror of the official openssl repository