]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/evp/e_aes.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Copyright consolidation 09/10
[thirdparty/openssl.git] / crypto / evp / e_aes.c
CommitLineData
deb2c1a1 1/* ====================================================================
d31fed73 2 * Copyright (c) 2001-2014 The OpenSSL Project. All rights reserved.
deb2c1a1
DSH		 3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
0f113f3e 9 * notice, this list of conditions and the following disclaimer.
deb2c1a1
DSH		 10 *
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
14 * distribution.
15 *
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the OpenSSL Project
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20 *
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
24 * openssl-core@openssl.org.
25 *
26 * 5. Products derived from this software may not be called "OpenSSL"
27 * nor may "OpenSSL" appear in their names without prior written
28 * permission of the OpenSSL Project.
29 *
30 * 6. Redistributions of any form whatsoever must retain the following
31 * acknowledgment:
32 * "This product includes software developed by the OpenSSL Project
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34 *
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ====================================================================
48 *
49 */
50
8c84b677 51#include <openssl/opensslconf.h>
5158c763
MC		 52#include <openssl/crypto.h>
53#include <openssl/evp.h>
54#include <openssl/err.h>
55#include <string.h>
56#include <assert.h>
57#include <openssl/aes.h>
58#include "internal/evp_int.h"
59#include "modes_lcl.h"
60#include <openssl/rand.h>
0f113f3e
MC		 61
62typedef struct {
63 union {
64 double align;
65 AES_KEY ks;
66 } ks;
67 block128_f block;
68 union {
69 cbc128_f cbc;
70 ctr128_f ctr;
71 } stream;
72} EVP_AES_KEY;
73
74typedef struct {
75 union {
76 double align;
77 AES_KEY ks;
78 } ks; /* AES key schedule to use */
79 int key_set; /* Set if key initialised */
80 int iv_set; /* Set if an iv is set */
81 GCM128_CONTEXT gcm;
82 unsigned char *iv; /* Temporary IV store */
83 int ivlen; /* IV length */
84 int taglen;
85 int iv_gen; /* It is OK to generate IVs */
86 int tls_aad_len; /* TLS AAD length */
87 ctr128_f ctr;
88} EVP_AES_GCM_CTX;
89
90typedef struct {
91 union {
92 double align;
93 AES_KEY ks;
94 } ks1, ks2; /* AES key schedules to use */
95 XTS128_CONTEXT xts;
96 void (*stream) (const unsigned char *in,
97 unsigned char *out, size_t length,
98 const AES_KEY *key1, const AES_KEY *key2,
99 const unsigned char iv[16]);
100} EVP_AES_XTS_CTX;
101
102typedef struct {
103 union {
104 double align;
105 AES_KEY ks;
106 } ks; /* AES key schedule to use */
107 int key_set; /* Set if key initialised */
108 int iv_set; /* Set if an iv is set */
109 int tag_set; /* Set if tag is valid */
110 int len_set; /* Set if message length set */
111 int L, M; /* L and M parameters from RFC3610 */
e75c5a79 112 int tls_aad_len; /* TLS AAD length */
0f113f3e
MC		 113 CCM128_CONTEXT ccm;
114 ccm128_f str;
115} EVP_AES_CCM_CTX;
116
5158c763 117#ifndef OPENSSL_NO_OCB
0f113f3e 118typedef struct {
bdc985b1
AP		 119 union {
120 double align;
121 AES_KEY ks;
122 } ksenc; /* AES key schedule to use for encryption */
123 union {
124 double align;
125 AES_KEY ks;
126 } ksdec; /* AES key schedule to use for decryption */
0f113f3e
MC		 127 int key_set; /* Set if key initialised */
128 int iv_set; /* Set if an iv is set */
129 OCB128_CONTEXT ocb;
130 unsigned char *iv; /* Temporary IV store */
131 unsigned char tag[16];
132 unsigned char data_buf[16]; /* Store partial data blocks */
133 unsigned char aad_buf[16]; /* Store partial AAD blocks */
134 int data_buf_len;
135 int aad_buf_len;
136 int ivlen; /* IV length */
137 int taglen;
138} EVP_AES_OCB_CTX;
5158c763 139#endif
e6b336ef 140
5158c763 141#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
17f121de 142
5158c763 143#ifdef VPAES_ASM
8ca28da0 144int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
0f113f3e 145 AES_KEY *key);
8ca28da0 146int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
0f113f3e 147 AES_KEY *key);
8ca28da0
AP		 148
149void vpaes_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 150 const AES_KEY *key);
8ca28da0 151void vpaes_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 152 const AES_KEY *key);
8ca28da0
AP		 153
154void vpaes_cbc_encrypt(const unsigned char *in,
0f113f3e
MC		 155 unsigned char *out,
156 size_t length,
157 const AES_KEY *key, unsigned char *ivec, int enc);
5158c763
MC		 158#endif
159#ifdef BSAES_ASM
a75a52a4 160void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 161 size_t length, const AES_KEY *key,
162 unsigned char ivec[16], int enc);
993adc05 163void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 164 size_t len, const AES_KEY *key,
165 const unsigned char ivec[16]);
60d4e99c 166void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
0f113f3e
MC		 167 size_t len, const AES_KEY *key1,
168 const AES_KEY *key2, const unsigned char iv[16]);
60d4e99c 169void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
0f113f3e
MC		 170 size_t len, const AES_KEY *key1,
171 const AES_KEY *key2, const unsigned char iv[16]);
5158c763
MC		 172#endif
173#ifdef AES_CTR_ASM
07904e0c 174void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 175 size_t blocks, const AES_KEY *key,
176 const unsigned char ivec[AES_BLOCK_SIZE]);
5158c763
MC		 177#endif
178#ifdef AES_XTS_ASM
0f113f3e
MC		 179void AES_xts_encrypt(const char *inp, char *out, size_t len,
180 const AES_KEY *key1, const AES_KEY *key2,
181 const unsigned char iv[16]);
182void AES_xts_decrypt(const char *inp, char *out, size_t len,
183 const AES_KEY *key1, const AES_KEY *key2,
184 const unsigned char iv[16]);
5158c763 185#endif
8ca28da0 186
6944565b 187#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
5158c763
MC		 188# include "ppc_arch.h"
189# ifdef VPAES_ASM
190# define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
de51e830 191# endif
5158c763
MC		 192# define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
193# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
194# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
195# define HWAES_encrypt aes_p8_encrypt
196# define HWAES_decrypt aes_p8_decrypt
197# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
198# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
199#endif
07f3e4f3 200
5158c763 201#if defined(AES_ASM) && !defined(I386_ONLY) && ( \
0f113f3e
MC		 202 ((defined(__i386) || defined(__i386__) || \
203 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
204 defined(__x86_64) || defined(__x86_64__) || \
b1a07c38 205 defined(_M_AMD64) || defined(_M_X64) )
8ca28da0 206
c5f6da54 207extern unsigned int OPENSSL_ia32cap_P[];
8ca28da0 208
5158c763
MC		 209# ifdef VPAES_ASM
210# define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
211# endif
212# ifdef BSAES_ASM
213# define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
214# endif
17f121de
AP		 215/*
216 * AES-NI section
217 */
5158c763 218# define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
d1fff483
AP		 219
220int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
0f113f3e 221 AES_KEY *key);
d1fff483 222int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
0f113f3e 223 AES_KEY *key);
d1fff483
AP		 224
225void aesni_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 226 const AES_KEY *key);
d1fff483 227void aesni_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 228 const AES_KEY *key);
d1fff483
AP		 229
230void aesni_ecb_encrypt(const unsigned char *in,
0f113f3e
MC		 231 unsigned char *out,
232 size_t length, const AES_KEY *key, int enc);
d1fff483 233void aesni_cbc_encrypt(const unsigned char *in,
0f113f3e
MC		 234 unsigned char *out,
235 size_t length,
236 const AES_KEY *key, unsigned char *ivec, int enc);
d1fff483
AP		 237
238void aesni_ctr32_encrypt_blocks(const unsigned char *in,
0f113f3e
MC		 239 unsigned char *out,
240 size_t blocks,
241 const void *key, const unsigned char *ivec);
17f121de
AP		 242
243void aesni_xts_encrypt(const unsigned char *in,
0f113f3e
MC		 244 unsigned char *out,
245 size_t length,
246 const AES_KEY *key1, const AES_KEY *key2,
247 const unsigned char iv[16]);
17f121de
AP		 248
249void aesni_xts_decrypt(const unsigned char *in,
0f113f3e
MC		 250 unsigned char *out,
251 size_t length,
252 const AES_KEY *key1, const AES_KEY *key2,
253 const unsigned char iv[16]);
254
255void aesni_ccm64_encrypt_blocks(const unsigned char *in,
256 unsigned char *out,
257 size_t blocks,
258 const void *key,
259 const unsigned char ivec[16],
260 unsigned char cmac[16]);
261
262void aesni_ccm64_decrypt_blocks(const unsigned char *in,
263 unsigned char *out,
264 size_t blocks,
265 const void *key,
266 const unsigned char ivec[16],
267 unsigned char cmac[16]);
268
5158c763 269# if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
4e049c52 270size_t aesni_gcm_encrypt(const unsigned char *in,
0f113f3e
MC		 271 unsigned char *out,
272 size_t len,
273 const void *key, unsigned char ivec[16], u64 *Xi);
5158c763 274# define AES_gcm_encrypt aesni_gcm_encrypt
4e049c52 275size_t aesni_gcm_decrypt(const unsigned char *in,
0f113f3e
MC		 276 unsigned char *out,
277 size_t len,
278 const void *key, unsigned char ivec[16], u64 *Xi);
5158c763 279# define AES_gcm_decrypt aesni_gcm_decrypt
0f113f3e
MC		 280void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in,
281 size_t len);
5158c763 282# define AES_GCM_ASM(gctx) (gctx->ctr==aesni_ctr32_encrypt_blocks && \
0f113f3e 283 gctx->gcm.ghash==gcm_ghash_avx)
5158c763 284# define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
0f113f3e 285 gctx->gcm.ghash==gcm_ghash_avx)
5158c763
MC		 286# undef AES_GCM_ASM2 /* minor size optimization */
287# endif
4e049c52 288
17f121de 289static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 290 const unsigned char *iv, int enc)
291{
292 int ret, mode;
6435f0f6 293 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 294
6435f0f6 295 mode = EVP_CIPHER_CTX_mode(ctx);
0f113f3e
MC		 296 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
297 && !enc) {
6435f0f6
RL		 298 ret = aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
299 &dat->ks.ks);
0f113f3e
MC		 300 dat->block = (block128_f) aesni_decrypt;
301 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
302 (cbc128_f) aesni_cbc_encrypt : NULL;
303 } else {
6435f0f6
RL		 304 ret = aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
305 &dat->ks.ks);
0f113f3e
MC		 306 dat->block = (block128_f) aesni_encrypt;
307 if (mode == EVP_CIPH_CBC_MODE)
308 dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
309 else if (mode == EVP_CIPH_CTR_MODE)
310 dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
311 else
312 dat->stream.cbc = NULL;
313 }
314
315 if (ret < 0) {
316 EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
317 return 0;
318 }
319
320 return 1;
321}
322
323static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
324 const unsigned char *in, size_t len)
d1fff483 325{
6435f0f6
RL		 326 aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
327 EVP_CIPHER_CTX_iv_noconst(ctx),
328 EVP_CIPHER_CTX_encrypting(ctx));
d1fff483 329
0f113f3e 330 return 1;
d1fff483
AP		 331}
332
0f113f3e
MC		 333static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
334 const unsigned char *in, size_t len)
d1fff483 335{
6435f0f6 336 size_t bl = EVP_CIPHER_CTX_block_size(ctx);
d1fff483 337
0f113f3e
MC		 338 if (len < bl)
339 return 1;
d1fff483 340
6435f0f6
RL		 341 aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
342 EVP_CIPHER_CTX_encrypting(ctx));
d1fff483 343
0f113f3e 344 return 1;
d1fff483
AP		 345}
346
5158c763 347# define aesni_ofb_cipher aes_ofb_cipher
0f113f3e
MC		 348static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
349 const unsigned char *in, size_t len);
d1fff483 350
5158c763 351# define aesni_cfb_cipher aes_cfb_cipher
0f113f3e
MC		 352static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
353 const unsigned char *in, size_t len);
d1fff483 354
5158c763 355# define aesni_cfb8_cipher aes_cfb8_cipher
0f113f3e
MC		 356static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
357 const unsigned char *in, size_t len);
d1fff483 358
5158c763 359# define aesni_cfb1_cipher aes_cfb1_cipher
0f113f3e
MC		 360static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
361 const unsigned char *in, size_t len);
d1fff483 362
5158c763 363# define aesni_ctr_cipher aes_ctr_cipher
17f121de 364static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 365 const unsigned char *in, size_t len);
d1fff483 366
17f121de 367static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 368 const unsigned char *iv, int enc)
369{
6435f0f6 370 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 371 if (!iv && !key)
372 return 1;
373 if (key) {
6435f0f6
RL		 374 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
375 &gctx->ks.ks);
0f113f3e
MC		 376 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
377 gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
378 /*
379 * If we have an iv can set it directly, otherwise use saved IV.
380 */
381 if (iv == NULL && gctx->iv_set)
382 iv = gctx->iv;
383 if (iv) {
384 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
385 gctx->iv_set = 1;
386 }
387 gctx->key_set = 1;
388 } else {
389 /* If key set use IV, otherwise copy */
390 if (gctx->key_set)
391 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
392 else
393 memcpy(gctx->iv, iv, gctx->ivlen);
394 gctx->iv_set = 1;
395 gctx->iv_gen = 0;
396 }
397 return 1;
398}
399
5158c763 400# define aesni_gcm_cipher aes_gcm_cipher
17f121de 401static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 402 const unsigned char *in, size_t len);
17f121de
AP		 403
404static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 405 const unsigned char *iv, int enc)
406{
6435f0f6 407 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 408 if (!iv && !key)
409 return 1;
410
411 if (key) {
412 /* key_len is two AES keys */
413 if (enc) {
6435f0f6
RL		 414 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
415 &xctx->ks1.ks);
0f113f3e
MC		 416 xctx->xts.block1 = (block128_f) aesni_encrypt;
417 xctx->stream = aesni_xts_encrypt;
418 } else {
6435f0f6
RL		 419 aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
420 &xctx->ks1.ks);
0f113f3e
MC		 421 xctx->xts.block1 = (block128_f) aesni_decrypt;
422 xctx->stream = aesni_xts_decrypt;
423 }
424
6435f0f6
RL		 425 aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
426 EVP_CIPHER_CTX_key_length(ctx) * 4,
427 &xctx->ks2.ks);
0f113f3e
MC		 428 xctx->xts.block2 = (block128_f) aesni_encrypt;
429
430 xctx->xts.key1 = &xctx->ks1;
431 }
432
433 if (iv) {
434 xctx->xts.key2 = &xctx->ks2;
6435f0f6 435 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 436 }
437
438 return 1;
439}
440
5158c763 441# define aesni_xts_cipher aes_xts_cipher
17f121de 442static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 443 const unsigned char *in, size_t len);
17f121de
AP		 444
445static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 446 const unsigned char *iv, int enc)
447{
6435f0f6 448 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 449 if (!iv && !key)
450 return 1;
451 if (key) {
6435f0f6
RL		 452 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
453 &cctx->ks.ks);
0f113f3e
MC		 454 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
455 &cctx->ks, (block128_f) aesni_encrypt);
456 cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
457 (ccm128_f) aesni_ccm64_decrypt_blocks;
458 cctx->key_set = 1;
459 }
460 if (iv) {
6435f0f6 461 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 462 cctx->iv_set = 1;
463 }
464 return 1;
465}
466
5158c763 467# define aesni_ccm_cipher aes_ccm_cipher
17f121de 468static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 469 const unsigned char *in, size_t len);
17f121de 470
5158c763 471# ifndef OPENSSL_NO_OCB
bd30091c
AP		 472void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out,
473 size_t blocks, const void *key,
474 size_t start_block_num,
475 unsigned char offset_i[16],
476 const unsigned char L_[][16],
477 unsigned char checksum[16]);
478void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out,
479 size_t blocks, const void *key,
480 size_t start_block_num,
481 unsigned char offset_i[16],
482 const unsigned char L_[][16],
483 unsigned char checksum[16]);
484
e6b336ef 485static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 486 const unsigned char *iv, int enc)
487{
6435f0f6 488 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 489 if (!iv && !key)
490 return 1;
491 if (key) {
492 do {
493 /*
494 * We set both the encrypt and decrypt key here because decrypt
495 * needs both. We could possibly optimise to remove setting the
496 * decrypt for an encryption operation.
497 */
6435f0f6
RL		 498 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
499 &octx->ksenc.ks);
500 aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
501 &octx->ksdec.ks);
bdc985b1
AP		 502 if (!CRYPTO_ocb128_init(&octx->ocb,
503 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 504 (block128_f) aesni_encrypt,
bd30091c
AP		 505 (block128_f) aesni_decrypt,
506 enc ? aesni_ocb_encrypt
507 : aesni_ocb_decrypt))
0f113f3e
MC		 508 return 0;
509 }
510 while (0);
511
512 /*
513 * If we have an iv we can set it directly, otherwise use saved IV.
514 */
515 if (iv == NULL && octx->iv_set)
516 iv = octx->iv;
517 if (iv) {
518 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
519 != 1)
520 return 0;
521 octx->iv_set = 1;
522 }
523 octx->key_set = 1;
524 } else {
525 /* If key set use IV, otherwise copy */
526 if (octx->key_set)
527 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
528 else
529 memcpy(octx->iv, iv, octx->ivlen);
530 octx->iv_set = 1;
531 }
532 return 1;
533}
534
5158c763 535# define aesni_ocb_cipher aes_ocb_cipher
e6b336ef 536static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 537 const unsigned char *in, size_t len);
5158c763 538# endif /* OPENSSL_NO_OCB */
e6b336ef 539
5158c763 540# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
17f121de 541static const EVP_CIPHER aesni_##keylen##_##mode = { \
0f113f3e
MC		 542 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
543 flags|EVP_CIPH_##MODE##_MODE, \
544 aesni_init_key, \
545 aesni_##mode##_cipher, \
546 NULL, \
547 sizeof(EVP_AES_KEY), \
548 NULL,NULL,NULL,NULL }; \
17f121de 549static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 550 nid##_##keylen##_##nmode,blocksize, \
551 keylen/8,ivlen, \
552 flags|EVP_CIPH_##MODE##_MODE, \
553 aes_init_key, \
554 aes_##mode##_cipher, \
555 NULL, \
556 sizeof(EVP_AES_KEY), \
557 NULL,NULL,NULL,NULL }; \
17f121de 558const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
8ca28da0 559{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
17f121de 560
5158c763 561# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
17f121de 562static const EVP_CIPHER aesni_##keylen##_##mode = { \
0f113f3e
MC		 563 nid##_##keylen##_##mode,blocksize, \
564 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
565 flags|EVP_CIPH_##MODE##_MODE, \
566 aesni_##mode##_init_key, \
567 aesni_##mode##_cipher, \
568 aes_##mode##_cleanup, \
569 sizeof(EVP_AES_##MODE##_CTX), \
570 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de 571static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 572 nid##_##keylen##_##mode,blocksize, \
573 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
574 flags|EVP_CIPH_##MODE##_MODE, \
575 aes_##mode##_init_key, \
576 aes_##mode##_cipher, \
577 aes_##mode##_cleanup, \
578 sizeof(EVP_AES_##MODE##_CTX), \
579 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de 580const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
8ca28da0 581{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
d1fff483 582
5158c763 583#elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
c5f6da54 584
5158c763 585# include "sparc_arch.h"
c5f6da54
AP		 586
587extern unsigned int OPENSSL_sparcv9cap_P[];
588
6944565b
AP		 589/*
590 * Initial Fujitsu SPARC64 X support
591 */
592# define HWAES_CAPABLE (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
593# define HWAES_set_encrypt_key aes_fx_set_encrypt_key
594# define HWAES_set_decrypt_key aes_fx_set_decrypt_key
595# define HWAES_encrypt aes_fx_encrypt
596# define HWAES_decrypt aes_fx_decrypt
597
5158c763 598# define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES)
c5f6da54 599
0f113f3e
MC		 600void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
601void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
602void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
603 const AES_KEY *key);
604void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
605 const AES_KEY *key);
c5f6da54
AP		 606/*
607 * Key-length specific subroutines were chosen for following reason.
608 * Each SPARC T4 core can execute up to 8 threads which share core's
609 * resources. Loading as much key material to registers allows to
610 * minimize references to shared memory interface, as well as amount
611 * of instructions in inner loops [much needed on T4]. But then having
612 * non-key-length specific routines would require conditional branches
613 * either in inner loops or on subroutines' entries. Former is hardly
614 * acceptable, while latter means code size increase to size occupied
0d4fb843 615 * by multiple key-length specific subroutines, so why fight?
c5f6da54 616 */
0f113f3e
MC		 617void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
618 size_t len, const AES_KEY *key,
619 unsigned char *ivec);
620void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
621 size_t len, const AES_KEY *key,
622 unsigned char *ivec);
623void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
624 size_t len, const AES_KEY *key,
625 unsigned char *ivec);
626void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
627 size_t len, const AES_KEY *key,
628 unsigned char *ivec);
629void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
630 size_t len, const AES_KEY *key,
631 unsigned char *ivec);
632void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
633 size_t len, const AES_KEY *key,
634 unsigned char *ivec);
635void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
636 size_t blocks, const AES_KEY *key,
637 unsigned char *ivec);
638void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
639 size_t blocks, const AES_KEY *key,
640 unsigned char *ivec);
641void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
642 size_t blocks, const AES_KEY *key,
643 unsigned char *ivec);
644void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
645 size_t blocks, const AES_KEY *key1,
646 const AES_KEY *key2, const unsigned char *ivec);
647void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
648 size_t blocks, const AES_KEY *key1,
649 const AES_KEY *key2, const unsigned char *ivec);
650void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
651 size_t blocks, const AES_KEY *key1,
652 const AES_KEY *key2, const unsigned char *ivec);
653void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
654 size_t blocks, const AES_KEY *key1,
655 const AES_KEY *key2, const unsigned char *ivec);
c5f6da54
AP		 656
657static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 658 const unsigned char *iv, int enc)
659{
660 int ret, mode, bits;
6435f0f6 661 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 662
6435f0f6
RL		 663 mode = EVP_CIPHER_CTX_mode(ctx);
664 bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 665 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
666 && !enc) {
667 ret = 0;
6435f0f6 668 aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
0f113f3e
MC		 669 dat->block = (block128_f) aes_t4_decrypt;
670 switch (bits) {
671 case 128:
672 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
673 (cbc128_f) aes128_t4_cbc_decrypt : NULL;
674 break;
675 case 192:
676 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
677 (cbc128_f) aes192_t4_cbc_decrypt : NULL;
678 break;
679 case 256:
680 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
681 (cbc128_f) aes256_t4_cbc_decrypt : NULL;
682 break;
683 default:
684 ret = -1;
685 }
686 } else {
687 ret = 0;
6435f0f6 688 aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
0f113f3e
MC		 689 dat->block = (block128_f) aes_t4_encrypt;
690 switch (bits) {
691 case 128:
692 if (mode == EVP_CIPH_CBC_MODE)
693 dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
694 else if (mode == EVP_CIPH_CTR_MODE)
695 dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
696 else
697 dat->stream.cbc = NULL;
698 break;
699 case 192:
700 if (mode == EVP_CIPH_CBC_MODE)
701 dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
702 else if (mode == EVP_CIPH_CTR_MODE)
703 dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
704 else
705 dat->stream.cbc = NULL;
706 break;
707 case 256:
708 if (mode == EVP_CIPH_CBC_MODE)
709 dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
710 else if (mode == EVP_CIPH_CTR_MODE)
711 dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
712 else
713 dat->stream.cbc = NULL;
714 break;
715 default:
716 ret = -1;
717 }
718 }
719
720 if (ret < 0) {
721 EVPerr(EVP_F_AES_T4_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
722 return 0;
723 }
724
725 return 1;
726}
727
5158c763 728# define aes_t4_cbc_cipher aes_cbc_cipher
0f113f3e
MC		 729static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
730 const unsigned char *in, size_t len);
731
5158c763 732# define aes_t4_ecb_cipher aes_ecb_cipher
0f113f3e
MC		 733static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
734 const unsigned char *in, size_t len);
735
5158c763 736# define aes_t4_ofb_cipher aes_ofb_cipher
0f113f3e
MC		 737static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
738 const unsigned char *in, size_t len);
739
5158c763 740# define aes_t4_cfb_cipher aes_cfb_cipher
0f113f3e
MC		 741static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
742 const unsigned char *in, size_t len);
743
5158c763 744# define aes_t4_cfb8_cipher aes_cfb8_cipher
0f113f3e
MC		 745static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
746 const unsigned char *in, size_t len);
747
5158c763 748# define aes_t4_cfb1_cipher aes_cfb1_cipher
0f113f3e
MC		 749static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
750 const unsigned char *in, size_t len);
751
5158c763 752# define aes_t4_ctr_cipher aes_ctr_cipher
c5f6da54 753static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 754 const unsigned char *in, size_t len);
c5f6da54
AP		 755
756static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 757 const unsigned char *iv, int enc)
758{
6435f0f6 759 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 760 if (!iv && !key)
761 return 1;
762 if (key) {
6435f0f6 763 int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 764 aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
765 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
766 (block128_f) aes_t4_encrypt);
767 switch (bits) {
768 case 128:
769 gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
770 break;
771 case 192:
772 gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
773 break;
774 case 256:
775 gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
776 break;
777 default:
778 return 0;
779 }
780 /*
781 * If we have an iv can set it directly, otherwise use saved IV.
782 */
783 if (iv == NULL && gctx->iv_set)
784 iv = gctx->iv;
785 if (iv) {
786 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
787 gctx->iv_set = 1;
788 }
789 gctx->key_set = 1;
790 } else {
791 /* If key set use IV, otherwise copy */
792 if (gctx->key_set)
793 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
794 else
795 memcpy(gctx->iv, iv, gctx->ivlen);
796 gctx->iv_set = 1;
797 gctx->iv_gen = 0;
798 }
799 return 1;
800}
801
5158c763 802# define aes_t4_gcm_cipher aes_gcm_cipher
c5f6da54 803static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 804 const unsigned char *in, size_t len);
c5f6da54
AP		 805
806static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 807 const unsigned char *iv, int enc)
808{
6435f0f6 809 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 810 if (!iv && !key)
811 return 1;
812
813 if (key) {
6435f0f6 814 int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
0f113f3e
MC		 815 xctx->stream = NULL;
816 /* key_len is two AES keys */
817 if (enc) {
818 aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
819 xctx->xts.block1 = (block128_f) aes_t4_encrypt;
820 switch (bits) {
821 case 128:
822 xctx->stream = aes128_t4_xts_encrypt;
823 break;
0f113f3e
MC		 824 case 256:
825 xctx->stream = aes256_t4_xts_encrypt;
826 break;
827 default:
828 return 0;
829 }
830 } else {
6435f0f6
RL		 831 aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
832 &xctx->ks1.ks);
0f113f3e
MC		 833 xctx->xts.block1 = (block128_f) aes_t4_decrypt;
834 switch (bits) {
835 case 128:
836 xctx->stream = aes128_t4_xts_decrypt;
837 break;
0f113f3e
MC		 838 case 256:
839 xctx->stream = aes256_t4_xts_decrypt;
840 break;
841 default:
842 return 0;
843 }
844 }
845
6435f0f6
RL		 846 aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
847 EVP_CIPHER_CTX_key_length(ctx) * 4,
848 &xctx->ks2.ks);
0f113f3e
MC		 849 xctx->xts.block2 = (block128_f) aes_t4_encrypt;
850
851 xctx->xts.key1 = &xctx->ks1;
852 }
853
854 if (iv) {
855 xctx->xts.key2 = &xctx->ks2;
6435f0f6 856 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 857 }
858
859 return 1;
860}
861
5158c763 862# define aes_t4_xts_cipher aes_xts_cipher
c5f6da54 863static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 864 const unsigned char *in, size_t len);
c5f6da54
AP		 865
866static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 867 const unsigned char *iv, int enc)
868{
6435f0f6 869 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 870 if (!iv && !key)
871 return 1;
872 if (key) {
6435f0f6 873 int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 874 aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
875 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
876 &cctx->ks, (block128_f) aes_t4_encrypt);
bdc985b1 877 cctx->str = NULL;
0f113f3e
MC		 878 cctx->key_set = 1;
879 }
880 if (iv) {
6435f0f6 881 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 882 cctx->iv_set = 1;
883 }
884 return 1;
885}
886
5158c763 887# define aes_t4_ccm_cipher aes_ccm_cipher
c5f6da54 888static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 889 const unsigned char *in, size_t len);
c5f6da54 890
5158c763 891# ifndef OPENSSL_NO_OCB
e6b336ef 892static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 893 const unsigned char *iv, int enc)
894{
6435f0f6 895 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 896 if (!iv && !key)
897 return 1;
898 if (key) {
899 do {
900 /*
901 * We set both the encrypt and decrypt key here because decrypt
902 * needs both. We could possibly optimise to remove setting the
903 * decrypt for an encryption operation.
904 */
6435f0f6
RL		 905 aes_t4_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
906 &octx->ksenc.ks);
907 aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
908 &octx->ksdec.ks);
bdc985b1
AP		 909 if (!CRYPTO_ocb128_init(&octx->ocb,
910 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 911 (block128_f) aes_t4_encrypt,
02dc0b82
AP		 912 (block128_f) aes_t4_decrypt,
913 NULL))
0f113f3e
MC		 914 return 0;
915 }
916 while (0);
917
918 /*
919 * If we have an iv we can set it directly, otherwise use saved IV.
920 */
921 if (iv == NULL && octx->iv_set)
922 iv = octx->iv;
923 if (iv) {
924 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
925 != 1)
926 return 0;
927 octx->iv_set = 1;
928 }
929 octx->key_set = 1;
930 } else {
931 /* If key set use IV, otherwise copy */
932 if (octx->key_set)
933 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
934 else
935 memcpy(octx->iv, iv, octx->ivlen);
936 octx->iv_set = 1;
937 }
938 return 1;
939}
940
5158c763 941# define aes_t4_ocb_cipher aes_ocb_cipher
e6b336ef 942static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 943 const unsigned char *in, size_t len);
5158c763 944# endif /* OPENSSL_NO_OCB */
e6b336ef 945
5158c763 946# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
c5f6da54 947static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
0f113f3e
MC		 948 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
949 flags|EVP_CIPH_##MODE##_MODE, \
950 aes_t4_init_key, \
951 aes_t4_##mode##_cipher, \
952 NULL, \
953 sizeof(EVP_AES_KEY), \
954 NULL,NULL,NULL,NULL }; \
c5f6da54 955static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 956 nid##_##keylen##_##nmode,blocksize, \
957 keylen/8,ivlen, \
958 flags|EVP_CIPH_##MODE##_MODE, \
959 aes_init_key, \
960 aes_##mode##_cipher, \
961 NULL, \
962 sizeof(EVP_AES_KEY), \
963 NULL,NULL,NULL,NULL }; \
c5f6da54
AP		 964const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
965{ return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
966
5158c763 967# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
c5f6da54 968static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
0f113f3e
MC		 969 nid##_##keylen##_##mode,blocksize, \
970 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
971 flags|EVP_CIPH_##MODE##_MODE, \
972 aes_t4_##mode##_init_key, \
973 aes_t4_##mode##_cipher, \
974 aes_##mode##_cleanup, \
975 sizeof(EVP_AES_##MODE##_CTX), \
976 NULL,NULL,aes_##mode##_ctrl,NULL }; \
c5f6da54 977static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 978 nid##_##keylen##_##mode,blocksize, \
979 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
980 flags|EVP_CIPH_##MODE##_MODE, \
981 aes_##mode##_init_key, \
982 aes_##mode##_cipher, \
983 aes_##mode##_cleanup, \
984 sizeof(EVP_AES_##MODE##_CTX), \
985 NULL,NULL,aes_##mode##_ctrl,NULL }; \
c5f6da54
AP		 986const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
987{ return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
988
5158c763 989#else
17f121de 990
5158c763 991# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
17f121de 992static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 993 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
994 flags|EVP_CIPH_##MODE##_MODE, \
995 aes_init_key, \
996 aes_##mode##_cipher, \
997 NULL, \
998 sizeof(EVP_AES_KEY), \
999 NULL,NULL,NULL,NULL }; \
17f121de
AP		 1000const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
1001{ return &aes_##keylen##_##mode; }
d1fff483 1002
5158c763 1003# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
17f121de 1004static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 1005 nid##_##keylen##_##mode,blocksize, \
1006 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
1007 flags|EVP_CIPH_##MODE##_MODE, \
1008 aes_##mode##_init_key, \
1009 aes_##mode##_cipher, \
1010 aes_##mode##_cleanup, \
1011 sizeof(EVP_AES_##MODE##_CTX), \
1012 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de
AP		 1013const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
1014{ return &aes_##keylen##_##mode; }
9575d1a9 1015
5158c763 1016#endif
9575d1a9 1017
5158c763
MC		 1018#if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
1019# include "arm_arch.h"
1020# if __ARM_MAX_ARCH__>=7
1021# if defined(BSAES_ASM)
1022# define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
1023# endif
1024# if defined(VPAES_ASM)
1025# define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
0f113f3e 1026# endif
5158c763
MC		 1027# define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
1028# define HWAES_set_encrypt_key aes_v8_set_encrypt_key
1029# define HWAES_set_decrypt_key aes_v8_set_decrypt_key
1030# define HWAES_encrypt aes_v8_encrypt
1031# define HWAES_decrypt aes_v8_decrypt
1032# define HWAES_cbc_encrypt aes_v8_cbc_encrypt
1033# define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
ddacb8f2 1034# endif
5158c763 1035#endif
d1fff483 1036
5158c763 1037#if defined(HWAES_CAPABLE)
ddacb8f2 1038int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
0f113f3e 1039 AES_KEY *key);
ddacb8f2 1040int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
0f113f3e 1041 AES_KEY *key);
ddacb8f2 1042void HWAES_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 1043 const AES_KEY *key);
ddacb8f2 1044void HWAES_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 1045 const AES_KEY *key);
ddacb8f2 1046void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 1047 size_t length, const AES_KEY *key,
1048 unsigned char *ivec, const int enc);
ddacb8f2 1049void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 1050 size_t len, const AES_KEY *key,
1051 const unsigned char ivec[16]);
5158c763 1052#endif
ddacb8f2 1053
5158c763 1054#define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
0f113f3e
MC		 1055 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
1056 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
1057 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
1058 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
1059 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
1060 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
1061 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
d1fff483
AP		 1062
1063static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 1064 const unsigned char *iv, int enc)
1065{
1066 int ret, mode;
6435f0f6 1067 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 1068
6435f0f6 1069 mode = EVP_CIPHER_CTX_mode(ctx);
0f113f3e
MC		 1070 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
1071 && !enc)
5158c763 1072#ifdef HWAES_CAPABLE
0f113f3e 1073 if (HWAES_CAPABLE) {
6435f0f6
RL		 1074 ret = HWAES_set_decrypt_key(key,
1075 EVP_CIPHER_CTX_key_length(ctx) * 8,
1076 &dat->ks.ks);
0f113f3e
MC		 1077 dat->block = (block128_f) HWAES_decrypt;
1078 dat->stream.cbc = NULL;
5158c763 1079# ifdef HWAES_cbc_encrypt
0f113f3e
MC		 1080 if (mode == EVP_CIPH_CBC_MODE)
1081 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
0f113f3e 1082# endif
5158c763
MC		 1083 } else
1084#endif
1085#ifdef BSAES_CAPABLE
0f113f3e 1086 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
6435f0f6
RL		 1087 ret = AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1088 &dat->ks.ks);
0f113f3e
MC		 1089 dat->block = (block128_f) AES_decrypt;
1090 dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt;
1091 } else
5158c763
MC		 1092#endif
1093#ifdef VPAES_CAPABLE
0f113f3e 1094 if (VPAES_CAPABLE) {
6435f0f6
RL		 1095 ret = vpaes_set_decrypt_key(key,
1096 EVP_CIPHER_CTX_key_length(ctx) * 8,
1097 &dat->ks.ks);
0f113f3e
MC		 1098 dat->block = (block128_f) vpaes_decrypt;
1099 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
1100 (cbc128_f) vpaes_cbc_encrypt : NULL;
1101 } else
5158c763 1102#endif
0f113f3e 1103 {
6435f0f6
RL		 1104 ret = AES_set_decrypt_key(key,
1105 EVP_CIPHER_CTX_key_length(ctx) * 8,
1106 &dat->ks.ks);
0f113f3e
MC		 1107 dat->block = (block128_f) AES_decrypt;
1108 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
1109 (cbc128_f) AES_cbc_encrypt : NULL;
1110 } else
5158c763 1111#ifdef HWAES_CAPABLE
0f113f3e 1112 if (HWAES_CAPABLE) {
6435f0f6
RL		 1113 ret = HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1114 &dat->ks.ks);
0f113f3e
MC		 1115 dat->block = (block128_f) HWAES_encrypt;
1116 dat->stream.cbc = NULL;
5158c763 1117# ifdef HWAES_cbc_encrypt
0f113f3e
MC		 1118 if (mode == EVP_CIPH_CBC_MODE)
1119 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
1120 else
5158c763
MC		 1121# endif
1122# ifdef HWAES_ctr32_encrypt_blocks
0f113f3e
MC		 1123 if (mode == EVP_CIPH_CTR_MODE)
1124 dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
1125 else
5158c763 1126# endif
0f113f3e
MC		 1127 (void)0; /* terminate potentially open 'else' */
1128 } else
5158c763
MC		 1129#endif
1130#ifdef BSAES_CAPABLE
0f113f3e 1131 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
6435f0f6
RL		 1132 ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1133 &dat->ks.ks);
0f113f3e
MC		 1134 dat->block = (block128_f) AES_encrypt;
1135 dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
1136 } else
5158c763
MC		 1137#endif
1138#ifdef VPAES_CAPABLE
0f113f3e 1139 if (VPAES_CAPABLE) {
6435f0f6
RL		 1140 ret = vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1141 &dat->ks.ks);
0f113f3e
MC		 1142 dat->block = (block128_f) vpaes_encrypt;
1143 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
1144 (cbc128_f) vpaes_cbc_encrypt : NULL;
1145 } else
5158c763 1146#endif
0f113f3e 1147 {
6435f0f6
RL		 1148 ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1149 &dat->ks.ks);
0f113f3e
MC		 1150 dat->block = (block128_f) AES_encrypt;
1151 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
1152 (cbc128_f) AES_cbc_encrypt : NULL;
5158c763 1153#ifdef AES_CTR_ASM
0f113f3e
MC		 1154 if (mode == EVP_CIPH_CTR_MODE)
1155 dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
5158c763 1156#endif
0f113f3e 1157 }
d1fff483 1158
0f113f3e
MC		 1159 if (ret < 0) {
1160 EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
1161 return 0;
1162 }
d1fff483 1163
0f113f3e
MC		 1164 return 1;
1165}
d1fff483 1166
0f113f3e
MC		 1167static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1168 const unsigned char *in, size_t len)
17f121de 1169{
6435f0f6 1170 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 1171
0f113f3e 1172 if (dat->stream.cbc)
6435f0f6
RL		 1173 (*dat->stream.cbc) (in, out, len, &dat->ks,
1174 EVP_CIPHER_CTX_iv_noconst(ctx),
1175 EVP_CIPHER_CTX_encrypting(ctx));
1176 else if (EVP_CIPHER_CTX_encrypting(ctx))
1177 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks,
1178 EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
0f113f3e 1179 else
6435f0f6
RL		 1180 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
1181 EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
17f121de 1182
0f113f3e 1183 return 1;
17f121de
AP		 1184}
1185
0f113f3e
MC		 1186static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1187 const unsigned char *in, size_t len)
17f121de 1188{
6435f0f6 1189 size_t bl = EVP_CIPHER_CTX_block_size(ctx);
0f113f3e 1190 size_t i;
6435f0f6 1191 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
17f121de 1192
0f113f3e
MC		 1193 if (len < bl)
1194 return 1;
17f121de 1195
0f113f3e
MC		 1196 for (i = 0, len -= bl; i <= len; i += bl)
1197 (*dat->block) (in + i, out + i, &dat->ks);
17f121de 1198
0f113f3e 1199 return 1;
17f121de 1200}
deb2c1a1 1201
0f113f3e
MC		 1202static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1203 const unsigned char *in, size_t len)
17f121de 1204{
6435f0f6 1205 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 1206
6435f0f6 1207 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1208 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 1209 EVP_CIPHER_CTX_iv_noconst(ctx), &num, dat->block);
1210 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 1211 return 1;
17f121de 1212}
deb2c1a1 1213
0f113f3e
MC		 1214static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1215 const unsigned char *in, size_t len)
17f121de 1216{
6435f0f6 1217 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 1218
6435f0f6 1219 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1220 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 1221 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
1222 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
1223 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 1224 return 1;
17f121de
AP		 1225}
1226
0f113f3e
MC		 1227static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1228 const unsigned char *in, size_t len)
17f121de 1229{
6435f0f6 1230 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 1231
6435f0f6 1232 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1233 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 1234 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
1235 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
1236 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 1237 return 1;
17f121de 1238}
8d1ebe0b 1239
0f113f3e
MC		 1240static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1241 const unsigned char *in, size_t len)
17f121de 1242{
6435f0f6 1243 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 1244
6435f0f6
RL		 1245 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
1246 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1247 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 1248 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
1249 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
1250 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e
MC		 1251 return 1;
1252 }
1253
1254 while (len >= MAXBITCHUNK) {
6435f0f6 1255 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1256 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
6435f0f6
RL		 1257 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
1258 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
1259 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e
MC		 1260 len -= MAXBITCHUNK;
1261 }
6435f0f6
RL		 1262 if (len) {
1263 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 1264 CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
6435f0f6
RL		 1265 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
1266 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
1267 EVP_CIPHER_CTX_set_num(ctx, num);
1268 }
0f113f3e
MC		 1269
1270 return 1;
17f121de 1271}
8d1ebe0b 1272
0f113f3e
MC		 1273static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1274 const unsigned char *in, size_t len)
d976f992 1275{
6435f0f6
RL		 1276 unsigned int num = EVP_CIPHER_CTX_num(ctx);
1277 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e
MC		 1278
1279 if (dat->stream.ctr)
1280 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
6435f0f6
RL		 1281 EVP_CIPHER_CTX_iv_noconst(ctx),
1282 EVP_CIPHER_CTX_buf_noconst(ctx),
1283 &num, dat->stream.ctr);
0f113f3e
MC		 1284 else
1285 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 1286 EVP_CIPHER_CTX_iv_noconst(ctx),
1287 EVP_CIPHER_CTX_buf_noconst(ctx), &num,
1288 dat->block);
1289 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 1290 return 1;
d976f992
AP		 1291}
1292
0f113f3e
MC		 1293BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
1294 BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
1295 BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
bdaa5415
DSH		 1296
1297static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
0f113f3e 1298{
6435f0f6 1299 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
0f113f3e 1300 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
6435f0f6 1301 if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
0f113f3e
MC		 1302 OPENSSL_free(gctx->iv);
1303 return 1;
1304}
bdaa5415 1305
b3d8022e 1306/* increment counter (64-bit int) by 1 */
0f113f3e
MC		 1307static void ctr64_inc(unsigned char *counter)
1308{
1309 int n = 8;
1310 unsigned char c;
1311
1312 do {
1313 --n;
1314 c = counter[n];
1315 ++c;
1316 counter[n] = c;
1317 if (c)
1318 return;
1319 } while (n);
b3d8022e
DSH		 1320}
1321
bdaa5415 1322static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 1323{
6435f0f6 1324 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
0f113f3e
MC		 1325 switch (type) {
1326 case EVP_CTRL_INIT:
1327 gctx->key_set = 0;
1328 gctx->iv_set = 0;
6435f0f6
RL		 1329 gctx->ivlen = EVP_CIPHER_CTX_iv_length(c);
1330 gctx->iv = EVP_CIPHER_CTX_iv_noconst(c);
0f113f3e
MC		 1331 gctx->taglen = -1;
1332 gctx->iv_gen = 0;
1333 gctx->tls_aad_len = -1;
1334 return 1;
1335
e640fa02 1336 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 1337 if (arg <= 0)
1338 return 0;
1339 /* Allocate memory for IV if needed */
1340 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
6435f0f6 1341 if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
0f113f3e
MC		 1342 OPENSSL_free(gctx->iv);
1343 gctx->iv = OPENSSL_malloc(arg);
90945fa3 1344 if (gctx->iv == NULL)
0f113f3e
MC		 1345 return 0;
1346 }
1347 gctx->ivlen = arg;
1348 return 1;
1349
e640fa02 1350 case EVP_CTRL_AEAD_SET_TAG:
6435f0f6 1351 if (arg <= 0 || arg > 16 || EVP_CIPHER_CTX_encrypting(c))
0f113f3e 1352 return 0;
6435f0f6 1353 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
0f113f3e
MC		 1354 gctx->taglen = arg;
1355 return 1;
1356
e640fa02 1357 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6
RL		 1358 if (arg <= 0 || arg > 16 || !EVP_CIPHER_CTX_encrypting(c)
1359 || gctx->taglen < 0)
0f113f3e 1360 return 0;
6435f0f6 1361 memcpy(ptr, EVP_CIPHER_CTX_buf_noconst(c), arg);
0f113f3e
MC		 1362 return 1;
1363
1364 case EVP_CTRL_GCM_SET_IV_FIXED:
1365 /* Special case: -1 length restores whole IV */
1366 if (arg == -1) {
1367 memcpy(gctx->iv, ptr, gctx->ivlen);
1368 gctx->iv_gen = 1;
1369 return 1;
1370 }
1371 /*
1372 * Fixed field must be at least 4 bytes and invocation field at least
1373 * 8.
1374 */
1375 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1376 return 0;
1377 if (arg)
1378 memcpy(gctx->iv, ptr, arg);
6435f0f6
RL		 1379 if (EVP_CIPHER_CTX_encrypting(c)
1380 && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
0f113f3e
MC		 1381 return 0;
1382 gctx->iv_gen = 1;
1383 return 1;
1384
1385 case EVP_CTRL_GCM_IV_GEN:
1386 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1387 return 0;
1388 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1389 if (arg <= 0 || arg > gctx->ivlen)
1390 arg = gctx->ivlen;
1391 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1392 /*
1393 * Invocation field will be at least 8 bytes in size and so no need
1394 * to check wrap around or increment more than last 8 bytes.
1395 */
1396 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1397 gctx->iv_set = 1;
1398 return 1;
1399
1400 case EVP_CTRL_GCM_SET_IV_INV:
6435f0f6
RL		 1401 if (gctx->iv_gen == 0 || gctx->key_set == 0
1402 || EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 1403 return 0;
1404 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1405 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1406 gctx->iv_set = 1;
1407 return 1;
1408
1409 case EVP_CTRL_AEAD_TLS1_AAD:
1410 /* Save the AAD for later use */
c8269881 1411 if (arg != EVP_AEAD_TLS1_AAD_LEN)
0f113f3e 1412 return 0;
6435f0f6 1413 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
0f113f3e
MC		 1414 gctx->tls_aad_len = arg;
1415 {
6435f0f6
RL		 1416 unsigned int len =
1417 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
1418 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
0f113f3e
MC		 1419 /* Correct length for explicit IV */
1420 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1421 /* If decrypting correct for tag too */
6435f0f6 1422 if (!EVP_CIPHER_CTX_encrypting(c))
0f113f3e 1423 len -= EVP_GCM_TLS_TAG_LEN;
6435f0f6
RL		 1424 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
1425 EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
0f113f3e
MC		 1426 }
1427 /* Extra padding: tag appended to record */
1428 return EVP_GCM_TLS_TAG_LEN;
1429
1430 case EVP_CTRL_COPY:
1431 {
1432 EVP_CIPHER_CTX *out = ptr;
6435f0f6 1433 EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out);
0f113f3e
MC		 1434 if (gctx->gcm.key) {
1435 if (gctx->gcm.key != &gctx->ks)
1436 return 0;
1437 gctx_out->gcm.key = &gctx_out->ks;
1438 }
6435f0f6
RL		 1439 if (gctx->iv == EVP_CIPHER_CTX_iv_noconst(c))
1440 gctx_out->iv = EVP_CIPHER_CTX_iv_noconst(out);
0f113f3e
MC		 1441 else {
1442 gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
90945fa3 1443 if (gctx_out->iv == NULL)
0f113f3e
MC		 1444 return 0;
1445 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
1446 }
1447 return 1;
1448 }
1449
1450 default:
1451 return -1;
1452
1453 }
1454}
bdaa5415
DSH		 1455
1456static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 1457 const unsigned char *iv, int enc)
1458{
6435f0f6 1459 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 1460 if (!iv && !key)
1461 return 1;
1462 if (key) {
1463 do {
5158c763 1464#ifdef HWAES_CAPABLE
0f113f3e 1465 if (HWAES_CAPABLE) {
6435f0f6
RL		 1466 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1467 &gctx->ks.ks);
0f113f3e
MC		 1468 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1469 (block128_f) HWAES_encrypt);
5158c763 1470# ifdef HWAES_ctr32_encrypt_blocks
0f113f3e 1471 gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
5158c763 1472# else
0f113f3e 1473 gctx->ctr = NULL;
5158c763 1474# endif
0f113f3e
MC		 1475 break;
1476 } else
5158c763
MC		 1477#endif
1478#ifdef BSAES_CAPABLE
0f113f3e 1479 if (BSAES_CAPABLE) {
6435f0f6
RL		 1480 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1481 &gctx->ks.ks);
0f113f3e
MC		 1482 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1483 (block128_f) AES_encrypt);
1484 gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
1485 break;
1486 } else
5158c763
MC		 1487#endif
1488#ifdef VPAES_CAPABLE
0f113f3e 1489 if (VPAES_CAPABLE) {
6435f0f6
RL		 1490 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1491 &gctx->ks.ks);
0f113f3e
MC		 1492 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1493 (block128_f) vpaes_encrypt);
1494 gctx->ctr = NULL;
1495 break;
1496 } else
5158c763 1497#endif
0f113f3e
MC		 1498 (void)0; /* terminate potentially open 'else' */
1499
6435f0f6
RL		 1500 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
1501 &gctx->ks.ks);
0f113f3e
MC		 1502 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1503 (block128_f) AES_encrypt);
5158c763 1504#ifdef AES_CTR_ASM
0f113f3e 1505 gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
5158c763 1506#else
0f113f3e 1507 gctx->ctr = NULL;
5158c763 1508#endif
0f113f3e
MC		 1509 } while (0);
1510
1511 /*
1512 * If we have an iv can set it directly, otherwise use saved IV.
1513 */
1514 if (iv == NULL && gctx->iv_set)
1515 iv = gctx->iv;
1516 if (iv) {
1517 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1518 gctx->iv_set = 1;
1519 }
1520 gctx->key_set = 1;
1521 } else {
1522 /* If key set use IV, otherwise copy */
1523 if (gctx->key_set)
1524 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1525 else
1526 memcpy(gctx->iv, iv, gctx->ivlen);
1527 gctx->iv_set = 1;
1528 gctx->iv_gen = 0;
1529 }
1530 return 1;
1531}
1532
1533/*
1534 * Handle TLS GCM packet format. This consists of the last portion of the IV
28dd49fa
DSH		 1535 * followed by the payload and finally the tag. On encrypt generate IV,
1536 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1537 * and verify tag.
1538 */
1539
1540static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 1541 const unsigned char *in, size_t len)
1542{
6435f0f6 1543 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 1544 int rv = -1;
1545 /* Encrypt/decrypt must be performed in place */
1546 if (out != in
1547 || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1548 return -1;
1549 /*
1550 * Set IV from start of buffer or generate IV and write to start of
1551 * buffer.
1552 */
6435f0f6 1553 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CIPHER_CTX_encrypting(ctx) ?
0f113f3e
MC		 1554 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1555 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1556 goto err;
1557 /* Use saved AAD */
6435f0f6
RL		 1558 if (CRYPTO_gcm128_aad(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
1559 gctx->tls_aad_len))
0f113f3e
MC		 1560 goto err;
1561 /* Fix buffer and length to point to payload */
1562 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1563 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1564 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
6435f0f6 1565 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 1566 /* Encrypt payload */
1567 if (gctx->ctr) {
1568 size_t bulk = 0;
5158c763 1569#if defined(AES_GCM_ASM)
0f113f3e
MC		 1570 if (len >= 32 && AES_GCM_ASM(gctx)) {
1571 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
1572 return -1;
1573
1574 bulk = AES_gcm_encrypt(in, out, len,
1575 gctx->gcm.key,
1576 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1577 gctx->gcm.len.u[1] += bulk;
1578 }
5158c763 1579#endif
0f113f3e
MC		 1580 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1581 in + bulk,
1582 out + bulk,
1583 len - bulk, gctx->ctr))
1584 goto err;
1585 } else {
1586 size_t bulk = 0;
5158c763 1587#if defined(AES_GCM_ASM2)
0f113f3e
MC		 1588 if (len >= 32 && AES_GCM_ASM2(gctx)) {
1589 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
1590 return -1;
1591
1592 bulk = AES_gcm_encrypt(in, out, len,
1593 gctx->gcm.key,
1594 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1595 gctx->gcm.len.u[1] += bulk;
1596 }
5158c763 1597#endif
0f113f3e
MC		 1598 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1599 in + bulk, out + bulk, len - bulk))
1600 goto err;
1601 }
1602 out += len;
1603 /* Finally write tag */
1604 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1605 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1606 } else {
1607 /* Decrypt */
1608 if (gctx->ctr) {
1609 size_t bulk = 0;
5158c763 1610#if defined(AES_GCM_ASM)
0f113f3e
MC		 1611 if (len >= 16 && AES_GCM_ASM(gctx)) {
1612 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
1613 return -1;
1614
1615 bulk = AES_gcm_decrypt(in, out, len,
1616 gctx->gcm.key,
1617 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1618 gctx->gcm.len.u[1] += bulk;
1619 }
5158c763 1620#endif
0f113f3e
MC		 1621 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1622 in + bulk,
1623 out + bulk,
1624 len - bulk, gctx->ctr))
1625 goto err;
1626 } else {
1627 size_t bulk = 0;
5158c763 1628#if defined(AES_GCM_ASM2)
0f113f3e
MC		 1629 if (len >= 16 && AES_GCM_ASM2(gctx)) {
1630 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
1631 return -1;
1632
1633 bulk = AES_gcm_decrypt(in, out, len,
1634 gctx->gcm.key,
1635 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1636 gctx->gcm.len.u[1] += bulk;
1637 }
5158c763 1638#endif
0f113f3e
MC		 1639 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1640 in + bulk, out + bulk, len - bulk))
1641 goto err;
1642 }
1643 /* Retrieve tag */
6435f0f6
RL		 1644 CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
1645 EVP_GCM_TLS_TAG_LEN);
0f113f3e 1646 /* If tag mismatch wipe buffer */
6435f0f6
RL		 1647 if (CRYPTO_memcmp(EVP_CIPHER_CTX_buf_noconst(ctx), in + len,
1648 EVP_GCM_TLS_TAG_LEN)) {
0f113f3e
MC		 1649 OPENSSL_cleanse(out, len);
1650 goto err;
1651 }
1652 rv = len;
1653 }
1654
1655 err:
1656 gctx->iv_set = 0;
1657 gctx->tls_aad_len = -1;
1658 return rv;
1659}
28dd49fa 1660
17f121de 1661static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 1662 const unsigned char *in, size_t len)
1663{
6435f0f6 1664 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 1665 /* If not set up, return error */
1666 if (!gctx->key_set)
1667 return -1;
1668
1669 if (gctx->tls_aad_len >= 0)
1670 return aes_gcm_tls_cipher(ctx, out, in, len);
1671
1672 if (!gctx->iv_set)
1673 return -1;
1674 if (in) {
1675 if (out == NULL) {
1676 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1677 return -1;
6435f0f6 1678 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 1679 if (gctx->ctr) {
1680 size_t bulk = 0;
5158c763 1681#if defined(AES_GCM_ASM)
0f113f3e
MC		 1682 if (len >= 32 && AES_GCM_ASM(gctx)) {
1683 size_t res = (16 - gctx->gcm.mres) % 16;
1684
1685 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
1686 return -1;
1687
1688 bulk = AES_gcm_encrypt(in + res,
1689 out + res, len - res,
1690 gctx->gcm.key, gctx->gcm.Yi.c,
1691 gctx->gcm.Xi.u);
1692 gctx->gcm.len.u[1] += bulk;
1693 bulk += res;
1694 }
5158c763 1695#endif
0f113f3e
MC		 1696 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1697 in + bulk,
1698 out + bulk,
1699 len - bulk, gctx->ctr))
1700 return -1;
1701 } else {
1702 size_t bulk = 0;
5158c763 1703#if defined(AES_GCM_ASM2)
0f113f3e
MC		 1704 if (len >= 32 && AES_GCM_ASM2(gctx)) {
1705 size_t res = (16 - gctx->gcm.mres) % 16;
1706
1707 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
1708 return -1;
1709
1710 bulk = AES_gcm_encrypt(in + res,
1711 out + res, len - res,
1712 gctx->gcm.key, gctx->gcm.Yi.c,
1713 gctx->gcm.Xi.u);
1714 gctx->gcm.len.u[1] += bulk;
1715 bulk += res;
1716 }
5158c763 1717#endif
0f113f3e
MC		 1718 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1719 in + bulk, out + bulk, len - bulk))
1720 return -1;
1721 }
1722 } else {
1723 if (gctx->ctr) {
1724 size_t bulk = 0;
5158c763 1725#if defined(AES_GCM_ASM)
0f113f3e
MC		 1726 if (len >= 16 && AES_GCM_ASM(gctx)) {
1727 size_t res = (16 - gctx->gcm.mres) % 16;
1728
1729 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
1730 return -1;
1731
1732 bulk = AES_gcm_decrypt(in + res,
1733 out + res, len - res,
1734 gctx->gcm.key,
1735 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1736 gctx->gcm.len.u[1] += bulk;
1737 bulk += res;
1738 }
5158c763 1739#endif
0f113f3e
MC		 1740 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1741 in + bulk,
1742 out + bulk,
1743 len - bulk, gctx->ctr))
1744 return -1;
1745 } else {
1746 size_t bulk = 0;
5158c763 1747#if defined(AES_GCM_ASM2)
0f113f3e
MC		 1748 if (len >= 16 && AES_GCM_ASM2(gctx)) {
1749 size_t res = (16 - gctx->gcm.mres) % 16;
1750
1751 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
1752 return -1;
1753
1754 bulk = AES_gcm_decrypt(in + res,
1755 out + res, len - res,
1756 gctx->gcm.key,
1757 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1758 gctx->gcm.len.u[1] += bulk;
1759 bulk += res;
1760 }
5158c763 1761#endif
0f113f3e
MC		 1762 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1763 in + bulk, out + bulk, len - bulk))
1764 return -1;
1765 }
1766 }
1767 return len;
1768 } else {
6435f0f6 1769 if (!EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 1770 if (gctx->taglen < 0)
1771 return -1;
6435f0f6
RL		 1772 if (CRYPTO_gcm128_finish(&gctx->gcm,
1773 EVP_CIPHER_CTX_buf_noconst(ctx),
1774 gctx->taglen) != 0)
0f113f3e
MC		 1775 return -1;
1776 gctx->iv_set = 0;
1777 return 0;
1778 }
6435f0f6 1779 CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), 16);
0f113f3e
MC		 1780 gctx->taglen = 16;
1781 /* Don't reuse the IV */
1782 gctx->iv_set = 0;
1783 return 0;
1784 }
1785
1786}
1787
5158c763 1788#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
0f113f3e
MC		 1789 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1790 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1791 | EVP_CIPH_CUSTOM_COPY)
1792
1793BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
1794 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
1795 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
1796 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
1797 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
1798 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
32a2d8dd
DSH		 1799
1800static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 1801{
6435f0f6 1802 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,c);
0f113f3e
MC		 1803 if (type == EVP_CTRL_COPY) {
1804 EVP_CIPHER_CTX *out = ptr;
6435f0f6 1805 EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
0f113f3e
MC		 1806 if (xctx->xts.key1) {
1807 if (xctx->xts.key1 != &xctx->ks1)
1808 return 0;
1809 xctx_out->xts.key1 = &xctx_out->ks1;
1810 }
1811 if (xctx->xts.key2) {
1812 if (xctx->xts.key2 != &xctx->ks2)
1813 return 0;
1814 xctx_out->xts.key2 = &xctx_out->ks2;
1815 }
1816 return 1;
1817 } else if (type != EVP_CTRL_INIT)
1818 return -1;
1819 /* key1 and key2 are used as an indicator both key and IV are set */
1820 xctx->xts.key1 = NULL;
1821 xctx->xts.key2 = NULL;
1822 return 1;
1823}
32a2d8dd
DSH		 1824
1825static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 1826 const unsigned char *iv, int enc)
1827{
6435f0f6 1828 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 1829 if (!iv && !key)
1830 return 1;
1831
1832 if (key)
1833 do {
5158c763 1834#ifdef AES_XTS_ASM
0f113f3e 1835 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
5158c763 1836#else
0f113f3e 1837 xctx->stream = NULL;
5158c763 1838#endif
0f113f3e 1839 /* key_len is two AES keys */
5158c763 1840#ifdef HWAES_CAPABLE
0f113f3e
MC		 1841 if (HWAES_CAPABLE) {
1842 if (enc) {
6435f0f6
RL		 1843 HWAES_set_encrypt_key(key,
1844 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 1845 &xctx->ks1.ks);
1846 xctx->xts.block1 = (block128_f) HWAES_encrypt;
1847 } else {
6435f0f6
RL		 1848 HWAES_set_decrypt_key(key,
1849 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 1850 &xctx->ks1.ks);
1851 xctx->xts.block1 = (block128_f) HWAES_decrypt;
1852 }
1853
6435f0f6
RL		 1854 HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
1855 EVP_CIPHER_CTX_key_length(ctx) * 4,
1856 &xctx->ks2.ks);
0f113f3e
MC		 1857 xctx->xts.block2 = (block128_f) HWAES_encrypt;
1858
1859 xctx->xts.key1 = &xctx->ks1;
1860 break;
1861 } else
5158c763
MC		 1862#endif
1863#ifdef BSAES_CAPABLE
0f113f3e
MC		 1864 if (BSAES_CAPABLE)
1865 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1866 else
5158c763
MC		 1867#endif
1868#ifdef VPAES_CAPABLE
0f113f3e
MC		 1869 if (VPAES_CAPABLE) {
1870 if (enc) {
6435f0f6
RL		 1871 vpaes_set_encrypt_key(key,
1872 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 1873 &xctx->ks1.ks);
1874 xctx->xts.block1 = (block128_f) vpaes_encrypt;
1875 } else {
6435f0f6
RL		 1876 vpaes_set_decrypt_key(key,
1877 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 1878 &xctx->ks1.ks);
1879 xctx->xts.block1 = (block128_f) vpaes_decrypt;
1880 }
1881
6435f0f6
RL		 1882 vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
1883 EVP_CIPHER_CTX_key_length(ctx) * 4,
1884 &xctx->ks2.ks);
0f113f3e
MC		 1885 xctx->xts.block2 = (block128_f) vpaes_encrypt;
1886
1887 xctx->xts.key1 = &xctx->ks1;
1888 break;
1889 } else
5158c763 1890#endif
0f113f3e
MC		 1891 (void)0; /* terminate potentially open 'else' */
1892
1893 if (enc) {
6435f0f6
RL		 1894 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
1895 &xctx->ks1.ks);
0f113f3e
MC		 1896 xctx->xts.block1 = (block128_f) AES_encrypt;
1897 } else {
6435f0f6
RL		 1898 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
1899 &xctx->ks1.ks);
0f113f3e
MC		 1900 xctx->xts.block1 = (block128_f) AES_decrypt;
1901 }
1902
6435f0f6
RL		 1903 AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
1904 EVP_CIPHER_CTX_key_length(ctx) * 4,
1905 &xctx->ks2.ks);
0f113f3e
MC		 1906 xctx->xts.block2 = (block128_f) AES_encrypt;
1907
1908 xctx->xts.key1 = &xctx->ks1;
1909 } while (0);
1910
1911 if (iv) {
1912 xctx->xts.key2 = &xctx->ks2;
6435f0f6 1913 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 1914 }
1915
1916 return 1;
1917}
32a2d8dd 1918
17f121de 1919static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 1920 const unsigned char *in, size_t len)
1921{
6435f0f6 1922 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 1923 if (!xctx->xts.key1 || !xctx->xts.key2)
1924 return 0;
1925 if (!out || !in || len < AES_BLOCK_SIZE)
1926 return 0;
1927 if (xctx->stream)
1928 (*xctx->stream) (in, out, len,
6435f0f6
RL		 1929 xctx->xts.key1, xctx->xts.key2,
1930 EVP_CIPHER_CTX_iv_noconst(ctx));
1931 else if (CRYPTO_xts128_encrypt(&xctx->xts, EVP_CIPHER_CTX_iv_noconst(ctx),
1932 in, out, len,
1933 EVP_CIPHER_CTX_encrypting(ctx)))
0f113f3e
MC		 1934 return 0;
1935 return 1;
1936}
1937
5158c763 1938#define aes_xts_cleanup NULL
0f113f3e 1939
5158c763 1940#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
0f113f3e
MC		 1941 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1942 | EVP_CIPH_CUSTOM_COPY)
1943
1944BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
1945 BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
23916810
DSH		 1946
1947static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 1948{
6435f0f6 1949 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c);
0f113f3e
MC		 1950 switch (type) {
1951 case EVP_CTRL_INIT:
1952 cctx->key_set = 0;
1953 cctx->iv_set = 0;
1954 cctx->L = 8;
1955 cctx->M = 12;
1956 cctx->tag_set = 0;
1957 cctx->len_set = 0;
e75c5a79
DSH		 1958 cctx->tls_aad_len = -1;
1959 return 1;
1960
1961 case EVP_CTRL_AEAD_TLS1_AAD:
1962 /* Save the AAD for later use */
1963 if (arg != EVP_AEAD_TLS1_AAD_LEN)
1964 return 0;
6435f0f6 1965 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
e75c5a79
DSH		 1966 cctx->tls_aad_len = arg;
1967 {
6435f0f6
RL		 1968 uint16_t len =
1969 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
1970 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
e75c5a79
DSH		 1971 /* Correct length for explicit IV */
1972 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
1973 /* If decrypting correct for tag too */
6435f0f6 1974 if (!EVP_CIPHER_CTX_encrypting(c))
e75c5a79 1975 len -= cctx->M;
6435f0f6
RL		 1976 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
1977 EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
e75c5a79
DSH		 1978 }
1979 /* Extra padding: tag appended to record */
1980 return cctx->M;
1981
1982 case EVP_CTRL_CCM_SET_IV_FIXED:
1983 /* Sanity check length */
1984 if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
1985 return 0;
1986 /* Just copy to first part of IV */
6435f0f6 1987 memcpy(EVP_CIPHER_CTX_iv_noconst(c), ptr, arg);
0f113f3e
MC		 1988 return 1;
1989
e640fa02 1990 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 1991 arg = 15 - arg;
1992 case EVP_CTRL_CCM_SET_L:
1993 if (arg < 2 || arg > 8)
1994 return 0;
1995 cctx->L = arg;
1996 return 1;
1997
e640fa02 1998 case EVP_CTRL_AEAD_SET_TAG:
0f113f3e
MC		 1999 if ((arg & 1) || arg < 4 || arg > 16)
2000 return 0;
6435f0f6 2001 if (EVP_CIPHER_CTX_encrypting(c) && ptr)
0f113f3e
MC		 2002 return 0;
2003 if (ptr) {
2004 cctx->tag_set = 1;
6435f0f6 2005 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
0f113f3e
MC		 2006 }
2007 cctx->M = arg;
2008 return 1;
2009
e640fa02 2010 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6 2011 if (!EVP_CIPHER_CTX_encrypting(c) || !cctx->tag_set)
0f113f3e
MC		 2012 return 0;
2013 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
2014 return 0;
2015 cctx->tag_set = 0;
2016 cctx->iv_set = 0;
2017 cctx->len_set = 0;
2018 return 1;
2019
2020 case EVP_CTRL_COPY:
2021 {
2022 EVP_CIPHER_CTX *out = ptr;
6435f0f6 2023 EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out);
0f113f3e
MC		 2024 if (cctx->ccm.key) {
2025 if (cctx->ccm.key != &cctx->ks)
2026 return 0;
2027 cctx_out->ccm.key = &cctx_out->ks;
2028 }
2029 return 1;
2030 }
2031
2032 default:
2033 return -1;
2034
2035 }
2036}
23916810
DSH		 2037
2038static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 2039 const unsigned char *iv, int enc)
2040{
6435f0f6 2041 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 2042 if (!iv && !key)
2043 return 1;
2044 if (key)
2045 do {
5158c763 2046#ifdef HWAES_CAPABLE
0f113f3e 2047 if (HWAES_CAPABLE) {
6435f0f6
RL		 2048 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2049 &cctx->ks.ks);
0f113f3e
MC		 2050
2051 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2052 &cctx->ks, (block128_f) HWAES_encrypt);
2053 cctx->str = NULL;
2054 cctx->key_set = 1;
2055 break;
2056 } else
5158c763
MC		 2057#endif
2058#ifdef VPAES_CAPABLE
0f113f3e 2059 if (VPAES_CAPABLE) {
6435f0f6
RL		 2060 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2061 &cctx->ks.ks);
0f113f3e
MC		 2062 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2063 &cctx->ks, (block128_f) vpaes_encrypt);
2064 cctx->str = NULL;
2065 cctx->key_set = 1;
2066 break;
2067 }
5158c763 2068#endif
6435f0f6
RL		 2069 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2070 &cctx->ks.ks);
0f113f3e
MC		 2071 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2072 &cctx->ks, (block128_f) AES_encrypt);
2073 cctx->str = NULL;
2074 cctx->key_set = 1;
2075 } while (0);
2076 if (iv) {
6435f0f6 2077 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 2078 cctx->iv_set = 1;
2079 }
2080 return 1;
2081}
23916810 2082
e75c5a79
DSH		 2083static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2084 const unsigned char *in, size_t len)
2085{
6435f0f6 2086 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
e75c5a79
DSH		 2087 CCM128_CONTEXT *ccm = &cctx->ccm;
2088 /* Encrypt/decrypt must be performed in place */
2089 if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
2090 return -1;
2091 /* If encrypting set explicit IV from sequence number (start of AAD) */
6435f0f6
RL		 2092 if (EVP_CIPHER_CTX_encrypting(ctx))
2093 memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx),
2094 EVP_CCM_TLS_EXPLICIT_IV_LEN);
e75c5a79 2095 /* Get rest of IV from explicit IV */
6435f0f6
RL		 2096 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx) + EVP_CCM_TLS_FIXED_IV_LEN, in,
2097 EVP_CCM_TLS_EXPLICIT_IV_LEN);
e75c5a79
DSH		 2098 /* Correct length value */
2099 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
6435f0f6
RL		 2100 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), 15 - cctx->L,
2101 len))
e75c5a79
DSH		 2102 return -1;
2103 /* Use saved AAD */
6435f0f6 2104 CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx), cctx->tls_aad_len);
e75c5a79
DSH		 2105 /* Fix buffer to point to payload */
2106 in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
2107 out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
6435f0f6 2108 if (EVP_CIPHER_CTX_encrypting(ctx)) {
e75c5a79
DSH		 2109 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
2110 cctx->str) :
2111 CRYPTO_ccm128_encrypt(ccm, in, out, len))
2112 return -1;
2113 if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
2114 return -1;
2115 return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
2116 } else {
2117 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
2118 cctx->str) :
2119 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
2120 unsigned char tag[16];
2121 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
2122 if (!CRYPTO_memcmp(tag, in + len, cctx->M))
2123 return len;
2124 }
2125 }
2126 OPENSSL_cleanse(out, len);
2127 return -1;
2128 }
2129}
2130
17f121de 2131static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 2132 const unsigned char *in, size_t len)
2133{
6435f0f6 2134 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 2135 CCM128_CONTEXT *ccm = &cctx->ccm;
2136 /* If not set up, return error */
e75c5a79
DSH		 2137 if (!cctx->key_set)
2138 return -1;
2139
2140 if (cctx->tls_aad_len >= 0)
2141 return aes_ccm_tls_cipher(ctx, out, in, len);
2142
2143 if (!cctx->iv_set)
0f113f3e 2144 return -1;
e75c5a79 2145
6435f0f6 2146 if (!EVP_CIPHER_CTX_encrypting(ctx) && !cctx->tag_set)
0f113f3e
MC		 2147 return -1;
2148 if (!out) {
2149 if (!in) {
6435f0f6
RL		 2150 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
2151 15 - cctx->L, len))
0f113f3e
MC		 2152 return -1;
2153 cctx->len_set = 1;
2154 return len;
2155 }
2156 /* If have AAD need message length */
2157 if (!cctx->len_set && len)
2158 return -1;
2159 CRYPTO_ccm128_aad(ccm, in, len);
2160 return len;
2161 }
2162 /* EVP_*Final() doesn't return any data */
2163 if (!in)
2164 return 0;
2165 /* If not set length yet do it */
2166 if (!cctx->len_set) {
6435f0f6
RL		 2167 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
2168 15 - cctx->L, len))
0f113f3e
MC		 2169 return -1;
2170 cctx->len_set = 1;
2171 }
6435f0f6 2172 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2173 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
2174 cctx->str) :
2175 CRYPTO_ccm128_encrypt(ccm, in, out, len))
2176 return -1;
2177 cctx->tag_set = 1;
2178 return len;
2179 } else {
2180 int rv = -1;
2181 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
2182 cctx->str) :
2183 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
2184 unsigned char tag[16];
2185 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
6435f0f6
RL		 2186 if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx),
2187 cctx->M))
0f113f3e
MC		 2188 rv = len;
2189 }
2190 }
2191 if (rv == -1)
2192 OPENSSL_cleanse(out, len);
2193 cctx->iv_set = 0;
2194 cctx->tag_set = 0;
2195 cctx->len_set = 0;
2196 return rv;
2197 }
0f113f3e
MC		 2198}
2199
5158c763 2200#define aes_ccm_cleanup NULL
0f113f3e 2201
e75c5a79
DSH		 2202BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
2203 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
2204 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
2205 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
2206 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
2207 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
0f113f3e
MC		 2208
2209typedef struct {
2210 union {
2211 double align;
2212 AES_KEY ks;
2213 } ks;
2214 /* Indicates if IV has been set */
2215 unsigned char *iv;
2216} EVP_AES_WRAP_CTX;
97cf1f6c
DSH		 2217
2218static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 2219 const unsigned char *iv, int enc)
2220{
6435f0f6 2221 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
0f113f3e
MC		 2222 if (!iv && !key)
2223 return 1;
2224 if (key) {
6435f0f6
RL		 2225 if (EVP_CIPHER_CTX_encrypting(ctx))
2226 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2227 &wctx->ks.ks);
0f113f3e 2228 else
6435f0f6
RL		 2229 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2230 &wctx->ks.ks);
0f113f3e
MC		 2231 if (!iv)
2232 wctx->iv = NULL;
2233 }
2234 if (iv) {
6435f0f6
RL		 2235 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, EVP_CIPHER_CTX_iv_length(ctx));
2236 wctx->iv = EVP_CIPHER_CTX_iv_noconst(ctx);
0f113f3e
MC		 2237 }
2238 return 1;
2239}
97cf1f6c
DSH		 2240
2241static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 2242 const unsigned char *in, size_t inlen)
2243{
6435f0f6 2244 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
0f113f3e
MC		 2245 size_t rv;
2246 /* AES wrap with padding has IV length of 4, without padding 8 */
2247 int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
2248 /* No final operation so always return zero length */
2249 if (!in)
2250 return 0;
2251 /* Input length must always be non-zero */
2252 if (!inlen)
2253 return -1;
2254 /* If decrypting need at least 16 bytes and multiple of 8 */
6435f0f6 2255 if (!EVP_CIPHER_CTX_encrypting(ctx) && (inlen < 16 || inlen & 0x7))
0f113f3e
MC		 2256 return -1;
2257 /* If not padding input must be multiple of 8 */
2258 if (!pad && inlen & 0x7)
2259 return -1;
2260 if (!out) {
6435f0f6 2261 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2262 /* If padding round up to multiple of 8 */
2263 if (pad)
2264 inlen = (inlen + 7) / 8 * 8;
2265 /* 8 byte prefix */
2266 return inlen + 8;
2267 } else {
2268 /*
2269 * If not padding output will be exactly 8 bytes smaller than
2270 * input. If padding it will be at least 8 bytes smaller but we
2271 * don't know how much.
2272 */
2273 return inlen - 8;
2274 }
2275 }
2276 if (pad) {
6435f0f6 2277 if (EVP_CIPHER_CTX_encrypting(ctx))
0f113f3e
MC		 2278 rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
2279 out, in, inlen,
2280 (block128_f) AES_encrypt);
2281 else
2282 rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
2283 out, in, inlen,
2284 (block128_f) AES_decrypt);
2285 } else {
6435f0f6 2286 if (EVP_CIPHER_CTX_encrypting(ctx))
0f113f3e
MC		 2287 rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
2288 out, in, inlen, (block128_f) AES_encrypt);
2289 else
2290 rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
2291 out, in, inlen, (block128_f) AES_decrypt);
2292 }
2293 return rv ? (int)rv : -1;
2294}
2295
5158c763 2296#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
0f113f3e
MC		 2297 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
2298 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
97cf1f6c
DSH		 2299
2300static const EVP_CIPHER aes_128_wrap = {
0f113f3e
MC		 2301 NID_id_aes128_wrap,
2302 8, 16, 8, WRAP_FLAGS,
2303 aes_wrap_init_key, aes_wrap_cipher,
2304 NULL,
2305 sizeof(EVP_AES_WRAP_CTX),
2306 NULL, NULL, NULL, NULL
2307};
97cf1f6c
DSH		 2308
2309const EVP_CIPHER *EVP_aes_128_wrap(void)
0f113f3e
MC		 2310{
2311 return &aes_128_wrap;
2312}
97cf1f6c
DSH		 2313
2314static const EVP_CIPHER aes_192_wrap = {
0f113f3e
MC		 2315 NID_id_aes192_wrap,
2316 8, 24, 8, WRAP_FLAGS,
2317 aes_wrap_init_key, aes_wrap_cipher,
2318 NULL,
2319 sizeof(EVP_AES_WRAP_CTX),
2320 NULL, NULL, NULL, NULL
2321};
97cf1f6c
DSH		 2322
2323const EVP_CIPHER *EVP_aes_192_wrap(void)
0f113f3e
MC		 2324{
2325 return &aes_192_wrap;
2326}
97cf1f6c
DSH		 2327
2328static const EVP_CIPHER aes_256_wrap = {
0f113f3e
MC		 2329 NID_id_aes256_wrap,
2330 8, 32, 8, WRAP_FLAGS,
2331 aes_wrap_init_key, aes_wrap_cipher,
2332 NULL,
2333 sizeof(EVP_AES_WRAP_CTX),
2334 NULL, NULL, NULL, NULL
2335};
97cf1f6c
DSH		 2336
2337const EVP_CIPHER *EVP_aes_256_wrap(void)
0f113f3e
MC		 2338{
2339 return &aes_256_wrap;
2340}
97cf1f6c 2341
d31fed73 2342static const EVP_CIPHER aes_128_wrap_pad = {
0f113f3e
MC		 2343 NID_id_aes128_wrap_pad,
2344 8, 16, 4, WRAP_FLAGS,
2345 aes_wrap_init_key, aes_wrap_cipher,
2346 NULL,
2347 sizeof(EVP_AES_WRAP_CTX),
2348 NULL, NULL, NULL, NULL
2349};
d31fed73
DSH		 2350
2351const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
0f113f3e
MC		 2352{
2353 return &aes_128_wrap_pad;
2354}
d31fed73
DSH		 2355
2356static const EVP_CIPHER aes_192_wrap_pad = {
0f113f3e
MC		 2357 NID_id_aes192_wrap_pad,
2358 8, 24, 4, WRAP_FLAGS,
2359 aes_wrap_init_key, aes_wrap_cipher,
2360 NULL,
2361 sizeof(EVP_AES_WRAP_CTX),
2362 NULL, NULL, NULL, NULL
2363};
d31fed73
DSH		 2364
2365const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
0f113f3e
MC		 2366{
2367 return &aes_192_wrap_pad;
2368}
d31fed73
DSH		 2369
2370static const EVP_CIPHER aes_256_wrap_pad = {
0f113f3e
MC		 2371 NID_id_aes256_wrap_pad,
2372 8, 32, 4, WRAP_FLAGS,
2373 aes_wrap_init_key, aes_wrap_cipher,
2374 NULL,
2375 sizeof(EVP_AES_WRAP_CTX),
2376 NULL, NULL, NULL, NULL
2377};
d31fed73
DSH		 2378
2379const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
0f113f3e
MC		 2380{
2381 return &aes_256_wrap_pad;
2382}
d31fed73 2383
5158c763 2384#ifndef OPENSSL_NO_OCB
e6b336ef 2385static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 2386{
6435f0f6 2387 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
0f113f3e
MC		 2388 EVP_CIPHER_CTX *newc;
2389 EVP_AES_OCB_CTX *new_octx;
2390
2391 switch (type) {
2392 case EVP_CTRL_INIT:
2393 octx->key_set = 0;
2394 octx->iv_set = 0;
6435f0f6
RL		 2395 octx->ivlen = EVP_CIPHER_CTX_iv_length(c);
2396 octx->iv = EVP_CIPHER_CTX_iv_noconst(c);
0f113f3e
MC		 2397 octx->taglen = 16;
2398 octx->data_buf_len = 0;
2399 octx->aad_buf_len = 0;
2400 return 1;
2401
e640fa02 2402 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 2403 /* IV len must be 1 to 15 */
2404 if (arg <= 0 || arg > 15)
2405 return 0;
2406
2407 octx->ivlen = arg;
2408 return 1;
2409
e640fa02 2410 case EVP_CTRL_AEAD_SET_TAG:
d57d135c
MC		 2411 if (!ptr) {
2412 /* Tag len must be 0 to 16 */
2413 if (arg < 0 || arg > 16)
2414 return 0;
2415
2416 octx->taglen = arg;
2417 return 1;
2418 }
6435f0f6 2419 if (arg != octx->taglen || EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 2420 return 0;
2421 memcpy(octx->tag, ptr, arg);
2422 return 1;
2423
e640fa02 2424 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6 2425 if (arg != octx->taglen || !EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 2426 return 0;
2427
2428 memcpy(ptr, octx->tag, arg);
2429 return 1;
2430
2431 case EVP_CTRL_COPY:
2432 newc = (EVP_CIPHER_CTX *)ptr;
6435f0f6 2433 new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc);
0f113f3e 2434 return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb,
bdc985b1
AP		 2435 &new_octx->ksenc.ks,
2436 &new_octx->ksdec.ks);
0f113f3e
MC		 2437
2438 default:
2439 return -1;
2440
2441 }
2442}
e6b336ef 2443
5158c763
MC		 2444# ifdef HWAES_CAPABLE
2445# ifdef HWAES_ocb_encrypt
02dc0b82
AP		 2446void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out,
2447 size_t blocks, const void *key,
2448 size_t start_block_num,
2449 unsigned char offset_i[16],
2450 const unsigned char L_[][16],
2451 unsigned char checksum[16]);
5158c763
MC		 2452# else
2453# define HWAES_ocb_encrypt NULL
2454# endif
2455# ifdef HWAES_ocb_decrypt
02dc0b82
AP		 2456void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out,
2457 size_t blocks, const void *key,
2458 size_t start_block_num,
2459 unsigned char offset_i[16],
2460 const unsigned char L_[][16],
2461 unsigned char checksum[16]);
5158c763
MC		 2462# else
2463# define HWAES_ocb_decrypt NULL
02dc0b82 2464# endif
5158c763 2465# endif
02dc0b82 2466
e6b336ef 2467static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 2468 const unsigned char *iv, int enc)
2469{
6435f0f6 2470 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 2471 if (!iv && !key)
2472 return 1;
2473 if (key) {
2474 do {
2475 /*
2476 * We set both the encrypt and decrypt key here because decrypt
2477 * needs both. We could possibly optimise to remove setting the
2478 * decrypt for an encryption operation.
2479 */
5158c763 2480# ifdef HWAES_CAPABLE
02dc0b82 2481 if (HWAES_CAPABLE) {
6435f0f6
RL		 2482 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2483 &octx->ksenc.ks);
2484 HWAES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2485 &octx->ksdec.ks);
02dc0b82
AP		 2486 if (!CRYPTO_ocb128_init(&octx->ocb,
2487 &octx->ksenc.ks, &octx->ksdec.ks,
2488 (block128_f) HWAES_encrypt,
2489 (block128_f) HWAES_decrypt,
2490 enc ? HWAES_ocb_encrypt
2491 : HWAES_ocb_decrypt))
2492 return 0;
2493 break;
2494 }
5158c763
MC		 2495# endif
2496# ifdef VPAES_CAPABLE
0f113f3e 2497 if (VPAES_CAPABLE) {
6435f0f6
RL		 2498 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2499 &octx->ksenc.ks);
2500 vpaes_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2501 &octx->ksdec.ks);
bdc985b1
AP		 2502 if (!CRYPTO_ocb128_init(&octx->ocb,
2503 &octx->ksenc.ks, &octx->ksdec.ks,
2504 (block128_f) vpaes_encrypt,
bd30091c
AP		 2505 (block128_f) vpaes_decrypt,
2506 NULL))
0f113f3e
MC		 2507 return 0;
2508 break;
2509 }
5158c763 2510# endif
6435f0f6
RL		 2511 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2512 &octx->ksenc.ks);
2513 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2514 &octx->ksdec.ks);
bdc985b1
AP		 2515 if (!CRYPTO_ocb128_init(&octx->ocb,
2516 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 2517 (block128_f) AES_encrypt,
bd30091c
AP		 2518 (block128_f) AES_decrypt,
2519 NULL))
0f113f3e
MC		 2520 return 0;
2521 }
2522 while (0);
2523
2524 /*
2525 * If we have an iv we can set it directly, otherwise use saved IV.
2526 */
2527 if (iv == NULL && octx->iv_set)
2528 iv = octx->iv;
2529 if (iv) {
2530 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
2531 != 1)
2532 return 0;
2533 octx->iv_set = 1;
2534 }
2535 octx->key_set = 1;
2536 } else {
2537 /* If key set use IV, otherwise copy */
2538 if (octx->key_set)
2539 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
2540 else
2541 memcpy(octx->iv, iv, octx->ivlen);
2542 octx->iv_set = 1;
2543 }
2544 return 1;
2545}
e6b336ef
MC		 2546
2547static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 2548 const unsigned char *in, size_t len)
2549{
2550 unsigned char *buf;
2551 int *buf_len;
2552 int written_len = 0;
2553 size_t trailing_len;
6435f0f6 2554 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 2555
2556 /* If IV or Key not set then return error */
2557 if (!octx->iv_set)
2558 return -1;
2559
2560 if (!octx->key_set)
2561 return -1;
2562
2563 if (in) {
2564 /*
2565 * Need to ensure we are only passing full blocks to low level OCB
2566 * routines. We do it here rather than in EVP_EncryptUpdate/
2567 * EVP_DecryptUpdate because we need to pass full blocks of AAD too
2568 * and those routines don't support that
2569 */
2570
2571 /* Are we dealing with AAD or normal data here? */
2572 if (out == NULL) {
2573 buf = octx->aad_buf;
2574 buf_len = &(octx->aad_buf_len);
2575 } else {
2576 buf = octx->data_buf;
2577 buf_len = &(octx->data_buf_len);
2578 }
2579
2580 /*
2581 * If we've got a partially filled buffer from a previous call then
2582 * use that data first
2583 */
2584 if (*buf_len) {
2585 unsigned int remaining;
2586
2587 remaining = 16 - (*buf_len);
2588 if (remaining > len) {
2589 memcpy(buf + (*buf_len), in, len);
2590 *(buf_len) += len;
2591 return 0;
2592 }
2593 memcpy(buf + (*buf_len), in, remaining);
2594
2595 /*
2596 * If we get here we've filled the buffer, so process it
2597 */
2598 len -= remaining;
2599 in += remaining;
2600 if (out == NULL) {
2601 if (!CRYPTO_ocb128_aad(&octx->ocb, buf, 16))
2602 return -1;
6435f0f6 2603 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2604 if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out, 16))
2605 return -1;
2606 } else {
2607 if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out, 16))
2608 return -1;
2609 }
2610 written_len = 16;
2611 *buf_len = 0;
2612 }
2613
2614 /* Do we have a partial block to handle at the end? */
2615 trailing_len = len % 16;
2616
2617 /*
2618 * If we've got some full blocks to handle, then process these first
2619 */
2620 if (len != trailing_len) {
2621 if (out == NULL) {
2622 if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len))
2623 return -1;
6435f0f6 2624 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2625 if (!CRYPTO_ocb128_encrypt
2626 (&octx->ocb, in, out, len - trailing_len))
2627 return -1;
2628 } else {
2629 if (!CRYPTO_ocb128_decrypt
2630 (&octx->ocb, in, out, len - trailing_len))
2631 return -1;
2632 }
2633 written_len += len - trailing_len;
2634 in += len - trailing_len;
2635 }
2636
2637 /* Handle any trailing partial block */
2638 if (trailing_len) {
2639 memcpy(buf, in, trailing_len);
2640 *buf_len = trailing_len;
2641 }
2642
2643 return written_len;
2644 } else {
2645 /*
2646 * First of all empty the buffer of any partial block that we might
2647 * have been provided - both for data and AAD
2648 */
2649 if (octx->data_buf_len) {
6435f0f6 2650 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2651 if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out,
2652 octx->data_buf_len))
2653 return -1;
2654 } else {
2655 if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out,
2656 octx->data_buf_len))
2657 return -1;
2658 }
2659 written_len = octx->data_buf_len;
2660 octx->data_buf_len = 0;
2661 }
2662 if (octx->aad_buf_len) {
2663 if (!CRYPTO_ocb128_aad
2664 (&octx->ocb, octx->aad_buf, octx->aad_buf_len))
2665 return -1;
2666 octx->aad_buf_len = 0;
2667 }
2668 /* If decrypting then verify */
6435f0f6 2669 if (!EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2670 if (octx->taglen < 0)
2671 return -1;
2672 if (CRYPTO_ocb128_finish(&octx->ocb,
2673 octx->tag, octx->taglen) != 0)
2674 return -1;
2675 octx->iv_set = 0;
2676 return written_len;
2677 }
2678 /* If encrypting then just get the tag */
2679 if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1)
2680 return -1;
2681 /* Don't reuse the IV */
2682 octx->iv_set = 0;
2683 return written_len;
2684 }
2685}
e6b336ef
MC		 2686
2687static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
0f113f3e 2688{
6435f0f6 2689 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
0f113f3e
MC		 2690 CRYPTO_ocb128_cleanup(&octx->ocb);
2691 return 1;
2692}
e6b336ef 2693
c4aede20
MC		 2694BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
2695 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
2696BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
2697 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
2698BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
2699 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
5158c763 2700#endif /* OPENSSL_NO_OCB */
A mirror of the official openssl repository