]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/evp/e_aes.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
s390x assembly pack: add KMO code path for aes-ofb
[thirdparty/openssl.git] / crypto / evp / e_aes.c
CommitLineData
aa6bb135 1/*
3c7d0945 2 * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
deb2c1a1 3 *
aa6bb135
RS		 4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
deb2c1a1
DSH		 8 */
9
8c84b677 10#include <openssl/opensslconf.h>
5158c763
MC		 11#include <openssl/crypto.h>
12#include <openssl/evp.h>
13#include <openssl/err.h>
14#include <string.h>
15#include <assert.h>
16#include <openssl/aes.h>
17#include "internal/evp_int.h"
18#include "modes_lcl.h"
19#include <openssl/rand.h>
7141ba31 20#include "evp_locl.h"
0f113f3e
MC		 21
22typedef struct {
23 union {
24 double align;
25 AES_KEY ks;
26 } ks;
27 block128_f block;
28 union {
29 cbc128_f cbc;
30 ctr128_f ctr;
31 } stream;
32} EVP_AES_KEY;
33
34typedef struct {
35 union {
36 double align;
37 AES_KEY ks;
38 } ks; /* AES key schedule to use */
39 int key_set; /* Set if key initialised */
40 int iv_set; /* Set if an iv is set */
41 GCM128_CONTEXT gcm;
42 unsigned char *iv; /* Temporary IV store */
43 int ivlen; /* IV length */
44 int taglen;
45 int iv_gen; /* It is OK to generate IVs */
46 int tls_aad_len; /* TLS AAD length */
47 ctr128_f ctr;
48} EVP_AES_GCM_CTX;
49
50typedef struct {
51 union {
52 double align;
53 AES_KEY ks;
54 } ks1, ks2; /* AES key schedules to use */
55 XTS128_CONTEXT xts;
56 void (*stream) (const unsigned char *in,
57 unsigned char *out, size_t length,
58 const AES_KEY *key1, const AES_KEY *key2,
59 const unsigned char iv[16]);
60} EVP_AES_XTS_CTX;
61
62typedef struct {
63 union {
64 double align;
65 AES_KEY ks;
66 } ks; /* AES key schedule to use */
67 int key_set; /* Set if key initialised */
68 int iv_set; /* Set if an iv is set */
69 int tag_set; /* Set if tag is valid */
70 int len_set; /* Set if message length set */
71 int L, M; /* L and M parameters from RFC3610 */
e75c5a79 72 int tls_aad_len; /* TLS AAD length */
0f113f3e
MC		 73 CCM128_CONTEXT ccm;
74 ccm128_f str;
75} EVP_AES_CCM_CTX;
76
5158c763 77#ifndef OPENSSL_NO_OCB
0f113f3e 78typedef struct {
bdc985b1
AP		 79 union {
80 double align;
81 AES_KEY ks;
82 } ksenc; /* AES key schedule to use for encryption */
83 union {
84 double align;
85 AES_KEY ks;
86 } ksdec; /* AES key schedule to use for decryption */
0f113f3e
MC		 87 int key_set; /* Set if key initialised */
88 int iv_set; /* Set if an iv is set */
89 OCB128_CONTEXT ocb;
90 unsigned char *iv; /* Temporary IV store */
91 unsigned char tag[16];
92 unsigned char data_buf[16]; /* Store partial data blocks */
93 unsigned char aad_buf[16]; /* Store partial AAD blocks */
94 int data_buf_len;
95 int aad_buf_len;
96 int ivlen; /* IV length */
97 int taglen;
98} EVP_AES_OCB_CTX;
5158c763 99#endif
e6b336ef 100
5158c763 101#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
17f121de 102
5158c763 103#ifdef VPAES_ASM
8ca28da0 104int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
0f113f3e 105 AES_KEY *key);
8ca28da0 106int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
0f113f3e 107 AES_KEY *key);
8ca28da0
AP		 108
109void vpaes_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 110 const AES_KEY *key);
8ca28da0 111void vpaes_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 112 const AES_KEY *key);
8ca28da0
AP		 113
114void vpaes_cbc_encrypt(const unsigned char *in,
0f113f3e
MC		 115 unsigned char *out,
116 size_t length,
117 const AES_KEY *key, unsigned char *ivec, int enc);
5158c763
MC		 118#endif
119#ifdef BSAES_ASM
a75a52a4 120void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 121 size_t length, const AES_KEY *key,
122 unsigned char ivec[16], int enc);
993adc05 123void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 124 size_t len, const AES_KEY *key,
125 const unsigned char ivec[16]);
60d4e99c 126void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
0f113f3e
MC		 127 size_t len, const AES_KEY *key1,
128 const AES_KEY *key2, const unsigned char iv[16]);
60d4e99c 129void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
0f113f3e
MC		 130 size_t len, const AES_KEY *key1,
131 const AES_KEY *key2, const unsigned char iv[16]);
5158c763
MC		 132#endif
133#ifdef AES_CTR_ASM
07904e0c 134void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 135 size_t blocks, const AES_KEY *key,
136 const unsigned char ivec[AES_BLOCK_SIZE]);
5158c763
MC		 137#endif
138#ifdef AES_XTS_ASM
96cce820 139void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
0f113f3e
MC		 140 const AES_KEY *key1, const AES_KEY *key2,
141 const unsigned char iv[16]);
96cce820 142void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
0f113f3e
MC		 143 const AES_KEY *key1, const AES_KEY *key2,
144 const unsigned char iv[16]);
5158c763 145#endif
8ca28da0 146
6944565b 147#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
5158c763
MC		 148# include "ppc_arch.h"
149# ifdef VPAES_ASM
150# define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
de51e830 151# endif
5158c763
MC		 152# define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
153# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
154# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
155# define HWAES_encrypt aes_p8_encrypt
156# define HWAES_decrypt aes_p8_decrypt
157# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
158# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
46f047d7
AP		 159# define HWAES_xts_encrypt aes_p8_xts_encrypt
160# define HWAES_xts_decrypt aes_p8_xts_decrypt
5158c763 161#endif
07f3e4f3 162
5158c763 163#if defined(AES_ASM) && !defined(I386_ONLY) && ( \
0f113f3e
MC		 164 ((defined(__i386) || defined(__i386__) || \
165 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
166 defined(__x86_64) || defined(__x86_64__) || \
b1a07c38 167 defined(_M_AMD64) || defined(_M_X64) )
8ca28da0 168
c5f6da54 169extern unsigned int OPENSSL_ia32cap_P[];
8ca28da0 170
5158c763
MC		 171# ifdef VPAES_ASM
172# define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
173# endif
174# ifdef BSAES_ASM
175# define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
176# endif
17f121de
AP		 177/*
178 * AES-NI section
179 */
5158c763 180# define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
d1fff483
AP		 181
182int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
0f113f3e 183 AES_KEY *key);
d1fff483 184int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
0f113f3e 185 AES_KEY *key);
d1fff483
AP		 186
187void aesni_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 188 const AES_KEY *key);
d1fff483 189void aesni_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 190 const AES_KEY *key);
d1fff483
AP		 191
192void aesni_ecb_encrypt(const unsigned char *in,
0f113f3e
MC		 193 unsigned char *out,
194 size_t length, const AES_KEY *key, int enc);
d1fff483 195void aesni_cbc_encrypt(const unsigned char *in,
0f113f3e
MC		 196 unsigned char *out,
197 size_t length,
198 const AES_KEY *key, unsigned char *ivec, int enc);
d1fff483
AP		 199
200void aesni_ctr32_encrypt_blocks(const unsigned char *in,
0f113f3e
MC		 201 unsigned char *out,
202 size_t blocks,
203 const void *key, const unsigned char *ivec);
17f121de
AP		 204
205void aesni_xts_encrypt(const unsigned char *in,
0f113f3e
MC		 206 unsigned char *out,
207 size_t length,
208 const AES_KEY *key1, const AES_KEY *key2,
209 const unsigned char iv[16]);
17f121de
AP		 210
211void aesni_xts_decrypt(const unsigned char *in,
0f113f3e
MC		 212 unsigned char *out,
213 size_t length,
214 const AES_KEY *key1, const AES_KEY *key2,
215 const unsigned char iv[16]);
216
217void aesni_ccm64_encrypt_blocks(const unsigned char *in,
218 unsigned char *out,
219 size_t blocks,
220 const void *key,
221 const unsigned char ivec[16],
222 unsigned char cmac[16]);
223
224void aesni_ccm64_decrypt_blocks(const unsigned char *in,
225 unsigned char *out,
226 size_t blocks,
227 const void *key,
228 const unsigned char ivec[16],
229 unsigned char cmac[16]);
230
5158c763 231# if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
4e049c52 232size_t aesni_gcm_encrypt(const unsigned char *in,
0f113f3e
MC		 233 unsigned char *out,
234 size_t len,
235 const void *key, unsigned char ivec[16], u64 *Xi);
5158c763 236# define AES_gcm_encrypt aesni_gcm_encrypt
4e049c52 237size_t aesni_gcm_decrypt(const unsigned char *in,
0f113f3e
MC		 238 unsigned char *out,
239 size_t len,
240 const void *key, unsigned char ivec[16], u64 *Xi);
5158c763 241# define AES_gcm_decrypt aesni_gcm_decrypt
0f113f3e
MC		 242void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in,
243 size_t len);
5158c763 244# define AES_GCM_ASM(gctx) (gctx->ctr==aesni_ctr32_encrypt_blocks && \
0f113f3e 245 gctx->gcm.ghash==gcm_ghash_avx)
5158c763 246# define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
0f113f3e 247 gctx->gcm.ghash==gcm_ghash_avx)
5158c763
MC		 248# undef AES_GCM_ASM2 /* minor size optimization */
249# endif
4e049c52 250
17f121de 251static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 252 const unsigned char *iv, int enc)
253{
254 int ret, mode;
6435f0f6 255 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 256
6435f0f6 257 mode = EVP_CIPHER_CTX_mode(ctx);
0f113f3e
MC		 258 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
259 && !enc) {
6435f0f6
RL		 260 ret = aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
261 &dat->ks.ks);
0f113f3e
MC		 262 dat->block = (block128_f) aesni_decrypt;
263 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
264 (cbc128_f) aesni_cbc_encrypt : NULL;
265 } else {
6435f0f6
RL		 266 ret = aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
267 &dat->ks.ks);
0f113f3e
MC		 268 dat->block = (block128_f) aesni_encrypt;
269 if (mode == EVP_CIPH_CBC_MODE)
270 dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
271 else if (mode == EVP_CIPH_CTR_MODE)
272 dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
273 else
274 dat->stream.cbc = NULL;
275 }
276
277 if (ret < 0) {
278 EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
279 return 0;
280 }
281
282 return 1;
283}
284
285static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
286 const unsigned char *in, size_t len)
d1fff483 287{
6435f0f6
RL		 288 aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
289 EVP_CIPHER_CTX_iv_noconst(ctx),
290 EVP_CIPHER_CTX_encrypting(ctx));
d1fff483 291
0f113f3e 292 return 1;
d1fff483
AP		 293}
294
0f113f3e
MC		 295static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
296 const unsigned char *in, size_t len)
d1fff483 297{
6435f0f6 298 size_t bl = EVP_CIPHER_CTX_block_size(ctx);
d1fff483 299
0f113f3e
MC		 300 if (len < bl)
301 return 1;
d1fff483 302
6435f0f6
RL		 303 aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
304 EVP_CIPHER_CTX_encrypting(ctx));
d1fff483 305
0f113f3e 306 return 1;
d1fff483
AP		 307}
308
5158c763 309# define aesni_ofb_cipher aes_ofb_cipher
0f113f3e
MC		 310static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
311 const unsigned char *in, size_t len);
d1fff483 312
5158c763 313# define aesni_cfb_cipher aes_cfb_cipher
0f113f3e
MC		 314static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
315 const unsigned char *in, size_t len);
d1fff483 316
5158c763 317# define aesni_cfb8_cipher aes_cfb8_cipher
0f113f3e
MC		 318static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
319 const unsigned char *in, size_t len);
d1fff483 320
5158c763 321# define aesni_cfb1_cipher aes_cfb1_cipher
0f113f3e
MC		 322static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
323 const unsigned char *in, size_t len);
d1fff483 324
5158c763 325# define aesni_ctr_cipher aes_ctr_cipher
17f121de 326static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 327 const unsigned char *in, size_t len);
d1fff483 328
17f121de 329static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 330 const unsigned char *iv, int enc)
331{
6435f0f6 332 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 333 if (!iv && !key)
334 return 1;
335 if (key) {
6435f0f6
RL		 336 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
337 &gctx->ks.ks);
0f113f3e
MC		 338 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
339 gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
340 /*
341 * If we have an iv can set it directly, otherwise use saved IV.
342 */
343 if (iv == NULL && gctx->iv_set)
344 iv = gctx->iv;
345 if (iv) {
346 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
347 gctx->iv_set = 1;
348 }
349 gctx->key_set = 1;
350 } else {
351 /* If key set use IV, otherwise copy */
352 if (gctx->key_set)
353 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
354 else
355 memcpy(gctx->iv, iv, gctx->ivlen);
356 gctx->iv_set = 1;
357 gctx->iv_gen = 0;
358 }
359 return 1;
360}
361
5158c763 362# define aesni_gcm_cipher aes_gcm_cipher
17f121de 363static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 364 const unsigned char *in, size_t len);
17f121de
AP		 365
366static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 367 const unsigned char *iv, int enc)
368{
6435f0f6 369 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 370 if (!iv && !key)
371 return 1;
372
373 if (key) {
374 /* key_len is two AES keys */
375 if (enc) {
6435f0f6
RL		 376 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
377 &xctx->ks1.ks);
0f113f3e
MC		 378 xctx->xts.block1 = (block128_f) aesni_encrypt;
379 xctx->stream = aesni_xts_encrypt;
380 } else {
6435f0f6
RL		 381 aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
382 &xctx->ks1.ks);
0f113f3e
MC		 383 xctx->xts.block1 = (block128_f) aesni_decrypt;
384 xctx->stream = aesni_xts_decrypt;
385 }
386
6435f0f6
RL		 387 aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
388 EVP_CIPHER_CTX_key_length(ctx) * 4,
389 &xctx->ks2.ks);
0f113f3e
MC		 390 xctx->xts.block2 = (block128_f) aesni_encrypt;
391
392 xctx->xts.key1 = &xctx->ks1;
393 }
394
395 if (iv) {
396 xctx->xts.key2 = &xctx->ks2;
6435f0f6 397 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 398 }
399
400 return 1;
401}
402
5158c763 403# define aesni_xts_cipher aes_xts_cipher
17f121de 404static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 405 const unsigned char *in, size_t len);
17f121de
AP		 406
407static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 408 const unsigned char *iv, int enc)
409{
6435f0f6 410 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 411 if (!iv && !key)
412 return 1;
413 if (key) {
6435f0f6
RL		 414 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
415 &cctx->ks.ks);
0f113f3e
MC		 416 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
417 &cctx->ks, (block128_f) aesni_encrypt);
418 cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
419 (ccm128_f) aesni_ccm64_decrypt_blocks;
420 cctx->key_set = 1;
421 }
422 if (iv) {
6435f0f6 423 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 424 cctx->iv_set = 1;
425 }
426 return 1;
427}
428
5158c763 429# define aesni_ccm_cipher aes_ccm_cipher
17f121de 430static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 431 const unsigned char *in, size_t len);
17f121de 432
5158c763 433# ifndef OPENSSL_NO_OCB
bd30091c
AP		 434void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out,
435 size_t blocks, const void *key,
436 size_t start_block_num,
437 unsigned char offset_i[16],
438 const unsigned char L_[][16],
439 unsigned char checksum[16]);
440void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out,
441 size_t blocks, const void *key,
442 size_t start_block_num,
443 unsigned char offset_i[16],
444 const unsigned char L_[][16],
445 unsigned char checksum[16]);
446
e6b336ef 447static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 448 const unsigned char *iv, int enc)
449{
6435f0f6 450 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 451 if (!iv && !key)
452 return 1;
453 if (key) {
454 do {
455 /*
456 * We set both the encrypt and decrypt key here because decrypt
457 * needs both. We could possibly optimise to remove setting the
458 * decrypt for an encryption operation.
459 */
6435f0f6
RL		 460 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
461 &octx->ksenc.ks);
462 aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
463 &octx->ksdec.ks);
bdc985b1
AP		 464 if (!CRYPTO_ocb128_init(&octx->ocb,
465 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 466 (block128_f) aesni_encrypt,
bd30091c
AP		 467 (block128_f) aesni_decrypt,
468 enc ? aesni_ocb_encrypt
469 : aesni_ocb_decrypt))
0f113f3e
MC		 470 return 0;
471 }
472 while (0);
473
474 /*
475 * If we have an iv we can set it directly, otherwise use saved IV.
476 */
477 if (iv == NULL && octx->iv_set)
478 iv = octx->iv;
479 if (iv) {
480 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
481 != 1)
482 return 0;
483 octx->iv_set = 1;
484 }
485 octx->key_set = 1;
486 } else {
487 /* If key set use IV, otherwise copy */
488 if (octx->key_set)
489 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
490 else
491 memcpy(octx->iv, iv, octx->ivlen);
492 octx->iv_set = 1;
493 }
494 return 1;
495}
496
5158c763 497# define aesni_ocb_cipher aes_ocb_cipher
e6b336ef 498static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 499 const unsigned char *in, size_t len);
5158c763 500# endif /* OPENSSL_NO_OCB */
e6b336ef 501
5158c763 502# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
17f121de 503static const EVP_CIPHER aesni_##keylen##_##mode = { \
0f113f3e
MC		 504 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
505 flags|EVP_CIPH_##MODE##_MODE, \
506 aesni_init_key, \
507 aesni_##mode##_cipher, \
508 NULL, \
509 sizeof(EVP_AES_KEY), \
510 NULL,NULL,NULL,NULL }; \
17f121de 511static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 512 nid##_##keylen##_##nmode,blocksize, \
513 keylen/8,ivlen, \
514 flags|EVP_CIPH_##MODE##_MODE, \
515 aes_init_key, \
516 aes_##mode##_cipher, \
517 NULL, \
518 sizeof(EVP_AES_KEY), \
519 NULL,NULL,NULL,NULL }; \
17f121de 520const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
8ca28da0 521{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
17f121de 522
5158c763 523# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
17f121de 524static const EVP_CIPHER aesni_##keylen##_##mode = { \
0f113f3e
MC		 525 nid##_##keylen##_##mode,blocksize, \
526 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
527 flags|EVP_CIPH_##MODE##_MODE, \
528 aesni_##mode##_init_key, \
529 aesni_##mode##_cipher, \
530 aes_##mode##_cleanup, \
531 sizeof(EVP_AES_##MODE##_CTX), \
532 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de 533static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 534 nid##_##keylen##_##mode,blocksize, \
535 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
536 flags|EVP_CIPH_##MODE##_MODE, \
537 aes_##mode##_init_key, \
538 aes_##mode##_cipher, \
539 aes_##mode##_cleanup, \
540 sizeof(EVP_AES_##MODE##_CTX), \
541 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de 542const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
8ca28da0 543{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
d1fff483 544
5158c763 545#elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
c5f6da54 546
5158c763 547# include "sparc_arch.h"
c5f6da54
AP		 548
549extern unsigned int OPENSSL_sparcv9cap_P[];
550
6944565b
AP		 551/*
552 * Initial Fujitsu SPARC64 X support
553 */
554# define HWAES_CAPABLE (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
555# define HWAES_set_encrypt_key aes_fx_set_encrypt_key
556# define HWAES_set_decrypt_key aes_fx_set_decrypt_key
557# define HWAES_encrypt aes_fx_encrypt
558# define HWAES_decrypt aes_fx_decrypt
365f95ad
AP		 559# define HWAES_cbc_encrypt aes_fx_cbc_encrypt
560# define HWAES_ctr32_encrypt_blocks aes_fx_ctr32_encrypt_blocks
6944565b 561
5158c763 562# define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES)
c5f6da54 563
0f113f3e
MC		 564void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
565void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
566void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
567 const AES_KEY *key);
568void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
569 const AES_KEY *key);
c5f6da54
AP		 570/*
571 * Key-length specific subroutines were chosen for following reason.
572 * Each SPARC T4 core can execute up to 8 threads which share core's
573 * resources. Loading as much key material to registers allows to
574 * minimize references to shared memory interface, as well as amount
575 * of instructions in inner loops [much needed on T4]. But then having
576 * non-key-length specific routines would require conditional branches
577 * either in inner loops or on subroutines' entries. Former is hardly
578 * acceptable, while latter means code size increase to size occupied
0d4fb843 579 * by multiple key-length specific subroutines, so why fight?
c5f6da54 580 */
0f113f3e
MC		 581void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
582 size_t len, const AES_KEY *key,
583 unsigned char *ivec);
584void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
585 size_t len, const AES_KEY *key,
586 unsigned char *ivec);
587void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
588 size_t len, const AES_KEY *key,
589 unsigned char *ivec);
590void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
591 size_t len, const AES_KEY *key,
592 unsigned char *ivec);
593void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
594 size_t len, const AES_KEY *key,
595 unsigned char *ivec);
596void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
597 size_t len, const AES_KEY *key,
598 unsigned char *ivec);
599void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
600 size_t blocks, const AES_KEY *key,
601 unsigned char *ivec);
602void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
603 size_t blocks, const AES_KEY *key,
604 unsigned char *ivec);
605void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
606 size_t blocks, const AES_KEY *key,
607 unsigned char *ivec);
608void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
609 size_t blocks, const AES_KEY *key1,
610 const AES_KEY *key2, const unsigned char *ivec);
611void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
612 size_t blocks, const AES_KEY *key1,
613 const AES_KEY *key2, const unsigned char *ivec);
614void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
615 size_t blocks, const AES_KEY *key1,
616 const AES_KEY *key2, const unsigned char *ivec);
617void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
618 size_t blocks, const AES_KEY *key1,
619 const AES_KEY *key2, const unsigned char *ivec);
c5f6da54
AP		 620
621static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 622 const unsigned char *iv, int enc)
623{
624 int ret, mode, bits;
6435f0f6 625 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 626
6435f0f6
RL		 627 mode = EVP_CIPHER_CTX_mode(ctx);
628 bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 629 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
630 && !enc) {
631 ret = 0;
6435f0f6 632 aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
0f113f3e
MC		 633 dat->block = (block128_f) aes_t4_decrypt;
634 switch (bits) {
635 case 128:
636 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
637 (cbc128_f) aes128_t4_cbc_decrypt : NULL;
638 break;
639 case 192:
640 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
641 (cbc128_f) aes192_t4_cbc_decrypt : NULL;
642 break;
643 case 256:
644 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
645 (cbc128_f) aes256_t4_cbc_decrypt : NULL;
646 break;
647 default:
648 ret = -1;
649 }
650 } else {
651 ret = 0;
6435f0f6 652 aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
0f113f3e
MC		 653 dat->block = (block128_f) aes_t4_encrypt;
654 switch (bits) {
655 case 128:
656 if (mode == EVP_CIPH_CBC_MODE)
657 dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
658 else if (mode == EVP_CIPH_CTR_MODE)
659 dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
660 else
661 dat->stream.cbc = NULL;
662 break;
663 case 192:
664 if (mode == EVP_CIPH_CBC_MODE)
665 dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
666 else if (mode == EVP_CIPH_CTR_MODE)
667 dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
668 else
669 dat->stream.cbc = NULL;
670 break;
671 case 256:
672 if (mode == EVP_CIPH_CBC_MODE)
673 dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
674 else if (mode == EVP_CIPH_CTR_MODE)
675 dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
676 else
677 dat->stream.cbc = NULL;
678 break;
679 default:
680 ret = -1;
681 }
682 }
683
684 if (ret < 0) {
685 EVPerr(EVP_F_AES_T4_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
686 return 0;
687 }
688
689 return 1;
690}
691
5158c763 692# define aes_t4_cbc_cipher aes_cbc_cipher
0f113f3e
MC		 693static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
694 const unsigned char *in, size_t len);
695
5158c763 696# define aes_t4_ecb_cipher aes_ecb_cipher
0f113f3e
MC		 697static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
698 const unsigned char *in, size_t len);
699
5158c763 700# define aes_t4_ofb_cipher aes_ofb_cipher
0f113f3e
MC		 701static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
702 const unsigned char *in, size_t len);
703
5158c763 704# define aes_t4_cfb_cipher aes_cfb_cipher
0f113f3e
MC		 705static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
706 const unsigned char *in, size_t len);
707
5158c763 708# define aes_t4_cfb8_cipher aes_cfb8_cipher
0f113f3e
MC		 709static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
710 const unsigned char *in, size_t len);
711
5158c763 712# define aes_t4_cfb1_cipher aes_cfb1_cipher
0f113f3e
MC		 713static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
714 const unsigned char *in, size_t len);
715
5158c763 716# define aes_t4_ctr_cipher aes_ctr_cipher
c5f6da54 717static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 718 const unsigned char *in, size_t len);
c5f6da54
AP		 719
720static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 721 const unsigned char *iv, int enc)
722{
6435f0f6 723 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 724 if (!iv && !key)
725 return 1;
726 if (key) {
6435f0f6 727 int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 728 aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
729 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
730 (block128_f) aes_t4_encrypt);
731 switch (bits) {
732 case 128:
733 gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
734 break;
735 case 192:
736 gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
737 break;
738 case 256:
739 gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
740 break;
741 default:
742 return 0;
743 }
744 /*
745 * If we have an iv can set it directly, otherwise use saved IV.
746 */
747 if (iv == NULL && gctx->iv_set)
748 iv = gctx->iv;
749 if (iv) {
750 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
751 gctx->iv_set = 1;
752 }
753 gctx->key_set = 1;
754 } else {
755 /* If key set use IV, otherwise copy */
756 if (gctx->key_set)
757 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
758 else
759 memcpy(gctx->iv, iv, gctx->ivlen);
760 gctx->iv_set = 1;
761 gctx->iv_gen = 0;
762 }
763 return 1;
764}
765
5158c763 766# define aes_t4_gcm_cipher aes_gcm_cipher
c5f6da54 767static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 768 const unsigned char *in, size_t len);
c5f6da54
AP		 769
770static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 771 const unsigned char *iv, int enc)
772{
6435f0f6 773 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 774 if (!iv && !key)
775 return 1;
776
777 if (key) {
6435f0f6 778 int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
0f113f3e
MC		 779 xctx->stream = NULL;
780 /* key_len is two AES keys */
781 if (enc) {
782 aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
783 xctx->xts.block1 = (block128_f) aes_t4_encrypt;
784 switch (bits) {
785 case 128:
786 xctx->stream = aes128_t4_xts_encrypt;
787 break;
0f113f3e
MC		 788 case 256:
789 xctx->stream = aes256_t4_xts_encrypt;
790 break;
791 default:
792 return 0;
793 }
794 } else {
6435f0f6
RL		 795 aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
796 &xctx->ks1.ks);
0f113f3e
MC		 797 xctx->xts.block1 = (block128_f) aes_t4_decrypt;
798 switch (bits) {
799 case 128:
800 xctx->stream = aes128_t4_xts_decrypt;
801 break;
0f113f3e
MC		 802 case 256:
803 xctx->stream = aes256_t4_xts_decrypt;
804 break;
805 default:
806 return 0;
807 }
808 }
809
6435f0f6
RL		 810 aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
811 EVP_CIPHER_CTX_key_length(ctx) * 4,
812 &xctx->ks2.ks);
0f113f3e
MC		 813 xctx->xts.block2 = (block128_f) aes_t4_encrypt;
814
815 xctx->xts.key1 = &xctx->ks1;
816 }
817
818 if (iv) {
819 xctx->xts.key2 = &xctx->ks2;
6435f0f6 820 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 821 }
822
823 return 1;
824}
825
5158c763 826# define aes_t4_xts_cipher aes_xts_cipher
c5f6da54 827static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 828 const unsigned char *in, size_t len);
c5f6da54
AP		 829
830static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 831 const unsigned char *iv, int enc)
832{
6435f0f6 833 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 834 if (!iv && !key)
835 return 1;
836 if (key) {
6435f0f6 837 int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 838 aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
839 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
840 &cctx->ks, (block128_f) aes_t4_encrypt);
bdc985b1 841 cctx->str = NULL;
0f113f3e
MC		 842 cctx->key_set = 1;
843 }
844 if (iv) {
6435f0f6 845 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 846 cctx->iv_set = 1;
847 }
848 return 1;
849}
850
5158c763 851# define aes_t4_ccm_cipher aes_ccm_cipher
c5f6da54 852static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 853 const unsigned char *in, size_t len);
c5f6da54 854
5158c763 855# ifndef OPENSSL_NO_OCB
e6b336ef 856static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 857 const unsigned char *iv, int enc)
858{
6435f0f6 859 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 860 if (!iv && !key)
861 return 1;
862 if (key) {
863 do {
864 /*
865 * We set both the encrypt and decrypt key here because decrypt
866 * needs both. We could possibly optimise to remove setting the
867 * decrypt for an encryption operation.
868 */
6435f0f6
RL		 869 aes_t4_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
870 &octx->ksenc.ks);
871 aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
872 &octx->ksdec.ks);
bdc985b1
AP		 873 if (!CRYPTO_ocb128_init(&octx->ocb,
874 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 875 (block128_f) aes_t4_encrypt,
02dc0b82
AP		 876 (block128_f) aes_t4_decrypt,
877 NULL))
0f113f3e
MC		 878 return 0;
879 }
880 while (0);
881
882 /*
883 * If we have an iv we can set it directly, otherwise use saved IV.
884 */
885 if (iv == NULL && octx->iv_set)
886 iv = octx->iv;
887 if (iv) {
888 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
889 != 1)
890 return 0;
891 octx->iv_set = 1;
892 }
893 octx->key_set = 1;
894 } else {
895 /* If key set use IV, otherwise copy */
896 if (octx->key_set)
897 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
898 else
899 memcpy(octx->iv, iv, octx->ivlen);
900 octx->iv_set = 1;
901 }
902 return 1;
903}
904
5158c763 905# define aes_t4_ocb_cipher aes_ocb_cipher
e6b336ef 906static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 907 const unsigned char *in, size_t len);
5158c763 908# endif /* OPENSSL_NO_OCB */
e6b336ef 909
5158c763 910# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
c5f6da54 911static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
0f113f3e
MC		 912 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
913 flags|EVP_CIPH_##MODE##_MODE, \
914 aes_t4_init_key, \
915 aes_t4_##mode##_cipher, \
916 NULL, \
917 sizeof(EVP_AES_KEY), \
918 NULL,NULL,NULL,NULL }; \
c5f6da54 919static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 920 nid##_##keylen##_##nmode,blocksize, \
921 keylen/8,ivlen, \
922 flags|EVP_CIPH_##MODE##_MODE, \
923 aes_init_key, \
924 aes_##mode##_cipher, \
925 NULL, \
926 sizeof(EVP_AES_KEY), \
927 NULL,NULL,NULL,NULL }; \
c5f6da54
AP		 928const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
929{ return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
930
5158c763 931# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
c5f6da54 932static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
0f113f3e
MC		 933 nid##_##keylen##_##mode,blocksize, \
934 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
935 flags|EVP_CIPH_##MODE##_MODE, \
936 aes_t4_##mode##_init_key, \
937 aes_t4_##mode##_cipher, \
938 aes_##mode##_cleanup, \
939 sizeof(EVP_AES_##MODE##_CTX), \
940 NULL,NULL,aes_##mode##_ctrl,NULL }; \
c5f6da54 941static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 942 nid##_##keylen##_##mode,blocksize, \
943 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
944 flags|EVP_CIPH_##MODE##_MODE, \
945 aes_##mode##_init_key, \
946 aes_##mode##_cipher, \
947 aes_##mode##_cleanup, \
948 sizeof(EVP_AES_##MODE##_CTX), \
949 NULL,NULL,aes_##mode##_ctrl,NULL }; \
c5f6da54
AP		 950const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
951{ return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
952
96530eea
PS		 953#elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
954/*
955 * IBM S390X support
956 */
957# include "s390x_arch.h"
958
55bd169f
PS		 959typedef struct {
960 union {
961 double align;
962 /*-
963 * KM-AES parameter block - begin
964 * (see z/Architecture Principles of Operation >= SA22-7832-06)
965 */
966 struct {
967 unsigned char k[32];
968 } param;
969 /* KM-AES parameter block - end */
970 } km;
971 unsigned int fc;
972} S390X_AES_ECB_CTX;
973
dacd2a87
PS		 974typedef struct {
975 union {
976 double align;
977 /*-
978 * KMO-AES parameter block - begin
979 * (see z/Architecture Principles of Operation >= SA22-7832-08)
980 */
981 struct {
982 unsigned char cv[16];
983 unsigned char k[32];
984 } param;
985 /* KMO-AES parameter block - end */
986 } kmo;
987 unsigned int fc;
988
989 int res;
990} S390X_AES_OFB_CTX;
991
96530eea
PS		 992typedef struct {
993 union {
994 double align;
995 /*-
5d2a6f4b
PS		 996 * KMA-GCM-AES parameter block - begin
997 * (see z/Architecture Principles of Operation >= SA22-7832-11)
96530eea
PS		 998 */
999 struct {
1000 unsigned char reserved[12];
1001 union {
1002 unsigned int w;
1003 unsigned char b[4];
1004 } cv;
1005 union {
1006 unsigned long long g[2];
1007 unsigned char b[16];
1008 } t;
1009 unsigned char h[16];
1010 unsigned long long taadl;
1011 unsigned long long tpcl;
1012 union {
1013 unsigned long long g[2];
1014 unsigned int w[4];
1015 } j0;
1016 unsigned char k[32];
1017 } param;
5d2a6f4b 1018 /* KMA-GCM-AES parameter block - end */
96530eea
PS		 1019 } kma;
1020 unsigned int fc;
1021 int key_set;
1022
1023 unsigned char *iv;
1024 int ivlen;
1025 int iv_set;
1026 int iv_gen;
1027
1028 int taglen;
1029
1030 unsigned char ares[16];
1031 unsigned char mres[16];
1032 unsigned char kres[16];
1033 int areslen;
1034 int mreslen;
1035 int kreslen;
1036
1037 int tls_aad_len;
1038} S390X_AES_GCM_CTX;
1039
39f5b069
PS		 1040typedef struct {
1041 union {
1042 double align;
1043 /*-
1044 * Padding is chosen so that ccm.kmac_param.k overlaps with key.k and
1045 * ccm.fc with key.k.rounds. Remember that on s390x, an AES_KEY's
1046 * rounds field is used to store the function code and that the key
1047 * schedule is not stored (if aes hardware support is detected).
1048 */
1049 struct {
1050 unsigned char pad[16];
1051 AES_KEY k;
1052 } key;
1053
1054 struct {
1055 /*-
1056 * KMAC-AES parameter block - begin
1057 * (see z/Architecture Principles of Operation >= SA22-7832-08)
1058 */
1059 struct {
1060 union {
1061 unsigned long long g[2];
1062 unsigned char b[16];
1063 } icv;
1064 unsigned char k[32];
1065 } kmac_param;
1066 /* KMAC-AES paramater block - end */
1067
1068 union {
1069 unsigned long long g[2];
1070 unsigned char b[16];
1071 } nonce;
1072 union {
1073 unsigned long long g[2];
1074 unsigned char b[16];
1075 } buf;
1076
1077 unsigned long long blocks;
1078 int l;
1079 int m;
1080 int tls_aad_len;
1081 int iv_set;
1082 int tag_set;
1083 int len_set;
1084 int key_set;
1085
1086 unsigned char pad[140];
1087 unsigned int fc;
1088 } ccm;
1089 } aes;
1090} S390X_AES_CCM_CTX;
1091
55bd169f
PS		 1092/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
1093# define S390X_AES_FC(keylen) (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
1094
1095/* Most modes of operation need km for partial block processing. */
1096# define S390X_aes_128_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
1097 S390X_CAPBIT(S390X_AES_128))
1098# define S390X_aes_192_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
1099 S390X_CAPBIT(S390X_AES_192))
1100# define S390X_aes_256_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
1101 S390X_CAPBIT(S390X_AES_256))
96530eea
PS		 1102
1103# define s390x_aes_init_key aes_init_key
1104static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1105 const unsigned char *iv, int enc);
1106
1107# define S390X_aes_128_cbc_CAPABLE 1 /* checked by callee */
1108# define S390X_aes_192_cbc_CAPABLE 1
1109# define S390X_aes_256_cbc_CAPABLE 1
55bd169f
PS		 1110# define S390X_AES_CBC_CTX EVP_AES_KEY
1111
1112# define s390x_aes_cbc_init_key aes_init_key
96530eea
PS		 1113
1114# define s390x_aes_cbc_cipher aes_cbc_cipher
1115static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1116 const unsigned char *in, size_t len);
1117
55bd169f
PS		 1118# define S390X_aes_128_ecb_CAPABLE S390X_aes_128_CAPABLE
1119# define S390X_aes_192_ecb_CAPABLE S390X_aes_192_CAPABLE
1120# define S390X_aes_256_ecb_CAPABLE S390X_aes_256_CAPABLE
1121
1122static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx,
1123 const unsigned char *key,
1124 const unsigned char *iv, int enc)
1125{
1126 S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
1127 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1128
1129 cctx->fc = S390X_AES_FC(keylen);
1130 if (!enc)
1131 cctx->fc |= S390X_DECRYPT;
1132
1133 memcpy(cctx->km.param.k, key, keylen);
1134 return 1;
1135}
96530eea 1136
96530eea 1137static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
55bd169f
PS		 1138 const unsigned char *in, size_t len)
1139{
1140 S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
1141
1142 s390x_km(in, len, out, cctx->fc, &cctx->km.param);
1143 return 1;
1144}
96530eea 1145
dacd2a87
PS		 1146# define S390X_aes_128_ofb_CAPABLE (S390X_aes_128_CAPABLE && \
1147 (OPENSSL_s390xcap_P.kmo[0] & \
1148 S390X_CAPBIT(S390X_AES_128)))
1149# define S390X_aes_192_ofb_CAPABLE (S390X_aes_192_CAPABLE && \
1150 (OPENSSL_s390xcap_P.kmo[0] & \
1151 S390X_CAPBIT(S390X_AES_192)))
1152# define S390X_aes_256_ofb_CAPABLE (S390X_aes_256_CAPABLE && \
1153 (OPENSSL_s390xcap_P.kmo[0] & \
1154 S390X_CAPBIT(S390X_AES_256)))
1155
1156static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx,
1157 const unsigned char *key,
1158 const unsigned char *ivec, int enc)
1159{
1160 S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
1161 const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
1162 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1163 const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
55bd169f 1164
dacd2a87
PS		 1165 memcpy(cctx->kmo.param.cv, iv, ivlen);
1166 memcpy(cctx->kmo.param.k, key, keylen);
1167 cctx->fc = S390X_AES_FC(keylen);
1168 cctx->res = 0;
1169 return 1;
1170}
96530eea 1171
96530eea 1172static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
dacd2a87
PS		 1173 const unsigned char *in, size_t len)
1174{
1175 S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
1176 int n = cctx->res;
1177 int rem;
1178
1179 while (n && len) {
1180 *out = *in ^ cctx->kmo.param.cv[n];
1181 n = (n + 1) & 0xf;
1182 --len;
1183 ++in;
1184 ++out;
1185 }
1186
1187 rem = len & 0xf;
1188
1189 len &= ~(size_t)0xf;
1190 if (len) {
1191 s390x_kmo(in, len, out, cctx->fc, &cctx->kmo.param);
1192
1193 out += len;
1194 in += len;
1195 }
1196
1197 if (rem) {
1198 s390x_km(cctx->kmo.param.cv, 16, cctx->kmo.param.cv, cctx->fc,
1199 cctx->kmo.param.k);
1200
1201 while (rem--) {
1202 out[n] = in[n] ^ cctx->kmo.param.cv[n];
1203 ++n;
1204 }
1205 }
1206
1207 cctx->res = n;
1208 return 1;
1209}
96530eea
PS		 1210
1211# define S390X_aes_128_cfb_CAPABLE 0
1212# define S390X_aes_192_cfb_CAPABLE 0
1213# define S390X_aes_256_cfb_CAPABLE 0
55bd169f
PS		 1214# define S390X_AES_CFB_CTX EVP_AES_KEY
1215
1216# define s390x_aes_cfb_init_key aes_init_key
96530eea
PS		 1217
1218# define s390x_aes_cfb_cipher aes_cfb_cipher
1219static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1220 const unsigned char *in, size_t len);
1221
1222# define S390X_aes_128_cfb8_CAPABLE 0
1223# define S390X_aes_192_cfb8_CAPABLE 0
1224# define S390X_aes_256_cfb8_CAPABLE 0
1225
55bd169f
PS		 1226# define s390x_aes_cfb8_init_key aes_init_key
1227
96530eea
PS		 1228# define s390x_aes_cfb8_cipher aes_cfb8_cipher
1229static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1230 const unsigned char *in, size_t len);
1231
1232# define S390X_aes_128_cfb1_CAPABLE 0
1233# define S390X_aes_192_cfb1_CAPABLE 0
1234# define S390X_aes_256_cfb1_CAPABLE 0
1235
55bd169f
PS		 1236# define s390x_aes_cfb1_init_key aes_init_key
1237
96530eea
PS		 1238# define s390x_aes_cfb1_cipher aes_cfb1_cipher
1239static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1240 const unsigned char *in, size_t len);
1241
1242# define S390X_aes_128_ctr_CAPABLE 1 /* checked by callee */
1243# define S390X_aes_192_ctr_CAPABLE 1
1244# define S390X_aes_256_ctr_CAPABLE 1
55bd169f
PS		 1245# define S390X_AES_CTR_CTX EVP_AES_KEY
1246
1247# define s390x_aes_ctr_init_key aes_init_key
96530eea
PS		 1248
1249# define s390x_aes_ctr_cipher aes_ctr_cipher
1250static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1251 const unsigned char *in, size_t len);
1252
1253# define S390X_aes_128_gcm_CAPABLE (S390X_aes_128_CAPABLE && \
1254 (OPENSSL_s390xcap_P.kma[0] & \
1255 S390X_CAPBIT(S390X_AES_128)))
1256# define S390X_aes_192_gcm_CAPABLE (S390X_aes_192_CAPABLE && \
1257 (OPENSSL_s390xcap_P.kma[0] & \
1258 S390X_CAPBIT(S390X_AES_192)))
1259# define S390X_aes_256_gcm_CAPABLE (S390X_aes_256_CAPABLE && \
1260 (OPENSSL_s390xcap_P.kma[0] & \
1261 S390X_CAPBIT(S390X_AES_256)))
1262
1263/* iv + padding length for iv lenghts != 12 */
1264# define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
1265
5d2a6f4b
PS		 1266/*-
1267 * Process additional authenticated data. Returns 0 on success. Code is
1268 * big-endian.
1269 */
96530eea
PS		 1270static int s390x_aes_gcm_aad(S390X_AES_GCM_CTX *ctx, const unsigned char *aad,
1271 size_t len)
1272{
1273 unsigned long long alen;
1274 int n, rem;
1275
1276 if (ctx->kma.param.tpcl)
1277 return -2;
1278
1279 alen = ctx->kma.param.taadl + len;
1280 if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
1281 return -1;
1282 ctx->kma.param.taadl = alen;
1283
1284 n = ctx->areslen;
1285 if (n) {
1286 while (n && len) {
1287 ctx->ares[n] = *aad;
1288 n = (n + 1) & 0xf;
1289 ++aad;
1290 --len;
1291 }
1292 /* ctx->ares contains a complete block if offset has wrapped around */
1293 if (!n) {
1294 s390x_kma(ctx->ares, 16, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
1295 ctx->fc |= S390X_KMA_HS;
1296 }
1297 ctx->areslen = n;
1298 }
1299
1300 rem = len & 0xf;
1301
1302 len &= ~0xf;
1303 if (len) {
1304 s390x_kma(aad, len, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
1305 aad += len;
1306 ctx->fc |= S390X_KMA_HS;
1307 }
1308
1309 if (rem) {
1310 ctx->areslen = rem;
1311
1312 do {
1313 --rem;
1314 ctx->ares[rem] = aad[rem];
1315 } while (rem);
1316 }
1317 return 0;
1318}
1319
5d2a6f4b
PS		 1320/*-
1321 * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 0 for
1322 * success. Code is big-endian.
1323 */
96530eea
PS		 1324static int s390x_aes_gcm(S390X_AES_GCM_CTX *ctx, const unsigned char *in,
1325 unsigned char *out, size_t len)
1326{
1327 const unsigned char *inptr;
1328 unsigned long long mlen;
1329 union {
1330 unsigned int w[4];
1331 unsigned char b[16];
1332 } buf;
1333 size_t inlen;
1334 int n, rem, i;
1335
1336 mlen = ctx->kma.param.tpcl + len;
1337 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
1338 return -1;
1339 ctx->kma.param.tpcl = mlen;
1340
1341 n = ctx->mreslen;
1342 if (n) {
1343 inptr = in;
1344 inlen = len;
1345 while (n && inlen) {
1346 ctx->mres[n] = *inptr;
1347 n = (n + 1) & 0xf;
1348 ++inptr;
1349 --inlen;
1350 }
1351 /* ctx->mres contains a complete block if offset has wrapped around */
1352 if (!n) {
1353 s390x_kma(ctx->ares, ctx->areslen, ctx->mres, 16, buf.b,
1354 ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
1355 ctx->fc |= S390X_KMA_HS;
1356 ctx->areslen = 0;
1357
1358 /* previous call already encrypted/decrypted its remainder,
1359 * see comment below */
1360 n = ctx->mreslen;
1361 while (n) {
1362 *out = buf.b[n];
1363 n = (n + 1) & 0xf;
1364 ++out;
1365 ++in;
1366 --len;
1367 }
1368 ctx->mreslen = 0;
1369 }
1370 }
1371
1372 rem = len & 0xf;
1373
1374 len &= ~0xf;
1375 if (len) {
1376 s390x_kma(ctx->ares, ctx->areslen, in, len, out,
1377 ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
1378 in += len;
1379 out += len;
1380 ctx->fc |= S390X_KMA_HS;
1381 ctx->areslen = 0;
1382 }
1383
1384 /*-
1385 * If there is a remainder, it has to be saved such that it can be
1386 * processed by kma later. However, we also have to do the for-now
1387 * unauthenticated encryption/decryption part here and now...
1388 */
1389 if (rem) {
1390 if (!ctx->mreslen) {
1391 buf.w[0] = ctx->kma.param.j0.w[0];
1392 buf.w[1] = ctx->kma.param.j0.w[1];
1393 buf.w[2] = ctx->kma.param.j0.w[2];
1394 buf.w[3] = ctx->kma.param.cv.w + 1;
1395 s390x_km(buf.b, 16, ctx->kres, ctx->fc & 0x1f, &ctx->kma.param.k);
1396 }
1397
1398 n = ctx->mreslen;
1399 for (i = 0; i < rem; i++) {
1400 ctx->mres[n + i] = in[i];
1401 out[i] = in[i] ^ ctx->kres[n + i];
1402 }
1403
1404 ctx->mreslen += rem;
1405 }
1406 return 0;
1407}
1408
5d2a6f4b
PS		 1409/*-
1410 * Initialize context structure. Code is big-endian.
1411 */
96530eea
PS		 1412static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx,
1413 const unsigned char *iv)
1414{
1415 ctx->kma.param.t.g[0] = 0;
1416 ctx->kma.param.t.g[1] = 0;
1417 ctx->kma.param.tpcl = 0;
1418 ctx->kma.param.taadl = 0;
1419 ctx->mreslen = 0;
1420 ctx->areslen = 0;
1421 ctx->kreslen = 0;
1422
1423 if (ctx->ivlen == 12) {
1424 memcpy(&ctx->kma.param.j0, iv, ctx->ivlen);
1425 ctx->kma.param.j0.w[3] = 1;
1426 ctx->kma.param.cv.w = 1;
1427 } else {
1428 /* ctx->iv has the right size and is already padded. */
1429 memcpy(ctx->iv, iv, ctx->ivlen);
1430 s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL,
1431 ctx->fc, &ctx->kma.param);
1432 ctx->fc |= S390X_KMA_HS;
1433
1434 ctx->kma.param.j0.g[0] = ctx->kma.param.t.g[0];
1435 ctx->kma.param.j0.g[1] = ctx->kma.param.t.g[1];
1436 ctx->kma.param.cv.w = ctx->kma.param.j0.w[3];
1437 ctx->kma.param.t.g[0] = 0;
1438 ctx->kma.param.t.g[1] = 0;
1439 }
1440}
1441
5d2a6f4b
PS		 1442/*-
1443 * Performs various operations on the context structure depending on control
1444 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
1445 * Code is big-endian.
1446 */
96530eea
PS		 1447static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1448{
1449 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
1450 S390X_AES_GCM_CTX *gctx_out;
1451 EVP_CIPHER_CTX *out;
1452 unsigned char *buf, *iv;
1453 int ivlen, enc, len;
1454
1455 switch (type) {
1456 case EVP_CTRL_INIT:
1457 ivlen = EVP_CIPHER_CTX_iv_length(c);
1458 iv = EVP_CIPHER_CTX_iv_noconst(c);
1459 gctx->key_set = 0;
1460 gctx->iv_set = 0;
1461 gctx->ivlen = ivlen;
1462 gctx->iv = iv;
1463 gctx->taglen = -1;
1464 gctx->iv_gen = 0;
1465 gctx->tls_aad_len = -1;
1466 return 1;
1467
1468 case EVP_CTRL_AEAD_SET_IVLEN:
1469 if (arg <= 0)
1470 return 0;
1471
1472 if (arg != 12) {
1473 iv = EVP_CIPHER_CTX_iv_noconst(c);
1474 len = S390X_gcm_ivpadlen(arg);
1475
1476 /* Allocate memory for iv if needed. */
1477 if (gctx->ivlen == 12 || len > S390X_gcm_ivpadlen(gctx->ivlen)) {
1478 if (gctx->iv != iv)
1479 OPENSSL_free(gctx->iv);
1480
1481 gctx->iv = OPENSSL_malloc(len);
1482 if (gctx->iv == NULL)
1483 return 0;
1484 }
1485 /* Add padding. */
1486 memset(gctx->iv + arg, 0, len - arg - 8);
1487 *((unsigned long long *)(gctx->iv + len - 8)) = arg << 3;
1488 }
1489 gctx->ivlen = arg;
1490 return 1;
1491
1492 case EVP_CTRL_AEAD_SET_TAG:
1493 buf = EVP_CIPHER_CTX_buf_noconst(c);
1494 enc = EVP_CIPHER_CTX_encrypting(c);
1495 if (arg <= 0 || arg > 16 || enc)
1496 return 0;
1497
1498 memcpy(buf, ptr, arg);
1499 gctx->taglen = arg;
1500 return 1;
1501
1502 case EVP_CTRL_AEAD_GET_TAG:
1503 enc = EVP_CIPHER_CTX_encrypting(c);
1504 if (arg <= 0 || arg > 16 || !enc || gctx->taglen < 0)
1505 return 0;
1506
1507 memcpy(ptr, gctx->kma.param.t.b, arg);
1508 return 1;
1509
1510 case EVP_CTRL_GCM_SET_IV_FIXED:
1511 /* Special case: -1 length restores whole iv */
1512 if (arg == -1) {
1513 memcpy(gctx->iv, ptr, gctx->ivlen);
1514 gctx->iv_gen = 1;
1515 return 1;
1516 }
1517 /*
1518 * Fixed field must be at least 4 bytes and invocation field at least
1519 * 8.
1520 */
1521 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1522 return 0;
1523
1524 if (arg)
1525 memcpy(gctx->iv, ptr, arg);
1526
1527 enc = EVP_CIPHER_CTX_encrypting(c);
16cfc2c9
KR		 1528 if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
1529 return 0;
96530eea
PS		 1530
1531 gctx->iv_gen = 1;
1532 return 1;
1533
1534 case EVP_CTRL_GCM_IV_GEN:
1535 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1536 return 0;
1537
1538 s390x_aes_gcm_setiv(gctx, gctx->iv);
1539
1540 if (arg <= 0 || arg > gctx->ivlen)
1541 arg = gctx->ivlen;
1542
1543 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1544 /*
1545 * Invocation field will be at least 8 bytes in size and so no need
1546 * to check wrap around or increment more than last 8 bytes.
1547 */
1548 (*(unsigned long long *)(gctx->iv + gctx->ivlen - 8))++;
1549 gctx->iv_set = 1;
1550 return 1;
1551
1552 case EVP_CTRL_GCM_SET_IV_INV:
1553 enc = EVP_CIPHER_CTX_encrypting(c);
1554 if (gctx->iv_gen == 0 || gctx->key_set == 0 || enc)
1555 return 0;
1556
1557 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1558 s390x_aes_gcm_setiv(gctx, gctx->iv);
1559 gctx->iv_set = 1;
1560 return 1;
1561
1562 case EVP_CTRL_AEAD_TLS1_AAD:
1563 /* Save the aad for later use. */
1564 if (arg != EVP_AEAD_TLS1_AAD_LEN)
1565 return 0;
1566
1567 buf = EVP_CIPHER_CTX_buf_noconst(c);
1568 memcpy(buf, ptr, arg);
1569 gctx->tls_aad_len = arg;
1570
1571 len = buf[arg - 2] << 8 | buf[arg - 1];
1572 /* Correct length for explicit iv. */
1573 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
1574 return 0;
1575 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1576
1577 /* If decrypting correct for tag too. */
1578 enc = EVP_CIPHER_CTX_encrypting(c);
1579 if (!enc) {
1580 if (len < EVP_GCM_TLS_TAG_LEN)
1581 return 0;
1582 len -= EVP_GCM_TLS_TAG_LEN;
1583 }
1584 buf[arg - 2] = len >> 8;
1585 buf[arg - 1] = len & 0xff;
1586 /* Extra padding: tag appended to record. */
1587 return EVP_GCM_TLS_TAG_LEN;
1588
1589 case EVP_CTRL_COPY:
1590 out = ptr;
1591 gctx_out = EVP_C_DATA(S390X_AES_GCM_CTX, out);
1592 iv = EVP_CIPHER_CTX_iv_noconst(c);
1593
1594 if (gctx->iv == iv) {
1595 gctx_out->iv = EVP_CIPHER_CTX_iv_noconst(out);
1596 } else {
1597 len = S390X_gcm_ivpadlen(gctx->ivlen);
1598
1599 gctx_out->iv = OPENSSL_malloc(len);
1600 if (gctx_out->iv == NULL)
1601 return 0;
1602
1603 memcpy(gctx_out->iv, gctx->iv, len);
1604 }
1605 return 1;
1606
1607 default:
1608 return -1;
1609 }
1610}
1611
5d2a6f4b
PS		 1612/*-
1613 * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
1614 */
96530eea
PS		 1615static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx,
1616 const unsigned char *key,
1617 const unsigned char *iv, int enc)
1618{
1619 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1620 int keylen;
1621
1622 if (iv == NULL && key == NULL)
1623 return 1;
1624
1625 if (key != NULL) {
1626 keylen = EVP_CIPHER_CTX_key_length(ctx);
1627 memcpy(&gctx->kma.param.k, key, keylen);
1628
1629 /* Convert key size to function code. */
1630 gctx->fc = S390X_AES_128 + (((keylen << 3) - 128) >> 6);
1631 if (!enc)
1632 gctx->fc |= S390X_DECRYPT;
1633
1634 if (iv == NULL && gctx->iv_set)
1635 iv = gctx->iv;
1636
1637 if (iv != NULL) {
1638 s390x_aes_gcm_setiv(gctx, iv);
1639 gctx->iv_set = 1;
1640 }
1641 gctx->key_set = 1;
1642 } else {
1643 if (gctx->key_set)
1644 s390x_aes_gcm_setiv(gctx, iv);
1645 else
1646 memcpy(gctx->iv, iv, gctx->ivlen);
1647
1648 gctx->iv_set = 1;
1649 gctx->iv_gen = 0;
1650 }
1651 return 1;
1652}
1653
5d2a6f4b
PS		 1654/*-
1655 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
1656 * if successful. Otherwise -1 is returned. Code is big-endian.
1657 */
96530eea
PS		 1658static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1659 const unsigned char *in, size_t len)
1660{
1661 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1662 const unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
1663 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
1664 int rv = -1;
1665
1666 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1667 return -1;
1668
1669 if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN
1670 : EVP_CTRL_GCM_SET_IV_INV,
1671 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1672 goto err;
1673
1674 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1675 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1676 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1677
1678 gctx->kma.param.taadl = gctx->tls_aad_len << 3;
1679 gctx->kma.param.tpcl = len << 3;
1680 s390x_kma(buf, gctx->tls_aad_len, in, len, out,
1681 gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
1682
1683 if (enc) {
1684 memcpy(out + len, gctx->kma.param.t.b, EVP_GCM_TLS_TAG_LEN);
1685 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1686 } else {
1687 if (CRYPTO_memcmp(gctx->kma.param.t.b, in + len,
1688 EVP_GCM_TLS_TAG_LEN)) {
1689 OPENSSL_cleanse(out, len);
1690 goto err;
1691 }
1692 rv = len;
1693 }
1694err:
1695 gctx->iv_set = 0;
1696 gctx->tls_aad_len = -1;
1697 return rv;
1698}
1699
5d2a6f4b
PS		 1700/*-
1701 * Called from EVP layer to initialize context, process additional
1702 * authenticated data, en/de-crypt plain/cipher-text and authenticate
1703 * ciphertext or process a TLS packet, depending on context. Returns bytes
1704 * written on success. Otherwise -1 is returned. Code is big-endian.
1705 */
96530eea
PS		 1706static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1707 const unsigned char *in, size_t len)
1708{
1709 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1710 unsigned char *buf, tmp[16];
1711 int enc;
1712
1713 if (!gctx->key_set)
1714 return -1;
1715
1716 if (gctx->tls_aad_len >= 0)
1717 return s390x_aes_gcm_tls_cipher(ctx, out, in, len);
1718
1719 if (!gctx->iv_set)
1720 return -1;
1721
1722 if (in != NULL) {
1723 if (out == NULL) {
1724 if (s390x_aes_gcm_aad(gctx, in, len))
1725 return -1;
1726 } else {
1727 if (s390x_aes_gcm(gctx, in, out, len))
1728 return -1;
1729 }
1730 return len;
1731 } else {
1732 gctx->kma.param.taadl <<= 3;
1733 gctx->kma.param.tpcl <<= 3;
1734 s390x_kma(gctx->ares, gctx->areslen, gctx->mres, gctx->mreslen, tmp,
1735 gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
1736 /* recall that we already did en-/decrypt gctx->mres
1737 * and returned it to caller... */
1738 OPENSSL_cleanse(tmp, gctx->mreslen);
1739 gctx->iv_set = 0;
1740
1741 enc = EVP_CIPHER_CTX_encrypting(ctx);
1742 if (enc) {
1743 gctx->taglen = 16;
1744 } else {
1745 if (gctx->taglen < 0)
1746 return -1;
1747
1748 buf = EVP_CIPHER_CTX_buf_noconst(ctx);
1749 if (CRYPTO_memcmp(buf, gctx->kma.param.t.b, gctx->taglen))
1750 return -1;
1751 }
1752 return 0;
1753 }
1754}
1755
1756static int s390x_aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1757{
1758 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
1759 const unsigned char *iv;
1760
1761 if (gctx == NULL)
1762 return 0;
1763
1764 iv = EVP_CIPHER_CTX_iv(c);
1765 if (iv != gctx->iv)
1766 OPENSSL_free(gctx->iv);
1767
1768 OPENSSL_cleanse(gctx, sizeof(*gctx));
1769 return 1;
1770}
1771
1772# define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
1773# define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */
1774# define S390X_aes_256_xts_CAPABLE 1
1775
1776# define s390x_aes_xts_init_key aes_xts_init_key
1777static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx,
1778 const unsigned char *key,
1779 const unsigned char *iv, int enc);
1780# define s390x_aes_xts_cipher aes_xts_cipher
1781static int s390x_aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1782 const unsigned char *in, size_t len);
1783# define s390x_aes_xts_ctrl aes_xts_ctrl
1784static int s390x_aes_xts_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
1785# define s390x_aes_xts_cleanup aes_xts_cleanup
1786
39f5b069
PS		 1787# define S390X_aes_128_ccm_CAPABLE (S390X_aes_128_CAPABLE && \
1788 (OPENSSL_s390xcap_P.kmac[0] & \
1789 S390X_CAPBIT(S390X_AES_128)))
1790# define S390X_aes_192_ccm_CAPABLE (S390X_aes_192_CAPABLE && \
1791 (OPENSSL_s390xcap_P.kmac[0] & \
1792 S390X_CAPBIT(S390X_AES_192)))
1793# define S390X_aes_256_ccm_CAPABLE (S390X_aes_256_CAPABLE && \
1794 (OPENSSL_s390xcap_P.kmac[0] & \
1795 S390X_CAPBIT(S390X_AES_256)))
1796
1797# define S390X_CCM_AAD_FLAG 0x40
1798
1799/*-
1800 * Set nonce and length fields. Code is big-endian.
1801 */
1802static inline void s390x_aes_ccm_setiv(S390X_AES_CCM_CTX *ctx,
1803 const unsigned char *nonce,
1804 size_t mlen)
1805{
1806 ctx->aes.ccm.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
1807 ctx->aes.ccm.nonce.g[1] = mlen;
1808 memcpy(ctx->aes.ccm.nonce.b + 1, nonce, 15 - ctx->aes.ccm.l);
1809}
1810
1811/*-
1812 * Process additional authenticated data. Code is big-endian.
1813 */
1814static void s390x_aes_ccm_aad(S390X_AES_CCM_CTX *ctx, const unsigned char *aad,
1815 size_t alen)
1816{
1817 unsigned char *ptr;
1818 int i, rem;
1819
1820 if (!alen)
1821 return;
1822
1823 ctx->aes.ccm.nonce.b[0] |= S390X_CCM_AAD_FLAG;
1824
1825 /* Suppress 'type-punned pointer dereference' warning. */
1826 ptr = ctx->aes.ccm.buf.b;
1827
1828 if (alen < ((1 << 16) - (1 << 8))) {
1829 *(uint16_t *)ptr = alen;
1830 i = 2;
1831 } else if (sizeof(alen) == 8
1832 && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
1833 *(uint16_t *)ptr = 0xffff;
1834 *(uint64_t *)(ptr + 2) = alen;
1835 i = 10;
1836 } else {
1837 *(uint16_t *)ptr = 0xfffe;
1838 *(uint32_t *)(ptr + 2) = alen;
1839 i = 6;
1840 }
1841
1842 while (i < 16 && alen) {
1843 ctx->aes.ccm.buf.b[i] = *aad;
1844 ++aad;
1845 --alen;
1846 ++i;
1847 }
1848 while (i < 16) {
1849 ctx->aes.ccm.buf.b[i] = 0;
1850 ++i;
1851 }
1852
1853 ctx->aes.ccm.kmac_param.icv.g[0] = 0;
1854 ctx->aes.ccm.kmac_param.icv.g[1] = 0;
1855 s390x_kmac(ctx->aes.ccm.nonce.b, 32, ctx->aes.ccm.fc,
1856 &ctx->aes.ccm.kmac_param);
1857 ctx->aes.ccm.blocks += 2;
1858
1859 rem = alen & 0xf;
1860 alen &= ~0xf;
1861 if (alen) {
1862 s390x_kmac(aad, alen, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
1863 ctx->aes.ccm.blocks += alen >> 4;
1864 aad += alen;
1865 }
1866 if (rem) {
1867 for (i = 0; i < rem; i++)
1868 ctx->aes.ccm.kmac_param.icv.b[i] ^= aad[i];
1869
1870 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
1871 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
1872 ctx->aes.ccm.kmac_param.k);
1873 ctx->aes.ccm.blocks++;
1874 }
1875}
1876
1877/*-
1878 * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 0 for
1879 * success.
1880 */
1881static int s390x_aes_ccm(S390X_AES_CCM_CTX *ctx, const unsigned char *in,
1882 unsigned char *out, size_t len, int enc)
1883{
1884 size_t n, rem;
1885 unsigned int i, l, num;
1886 unsigned char flags;
1887
1888 flags = ctx->aes.ccm.nonce.b[0];
1889 if (!(flags & S390X_CCM_AAD_FLAG)) {
1890 s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.kmac_param.icv.b,
1891 ctx->aes.ccm.fc, ctx->aes.ccm.kmac_param.k);
1892 ctx->aes.ccm.blocks++;
1893 }
1894 l = flags & 0x7;
1895 ctx->aes.ccm.nonce.b[0] = l;
1896
1897 /*-
1898 * Reconstruct length from encoded length field
1899 * and initialize it with counter value.
1900 */
1901 n = 0;
1902 for (i = 15 - l; i < 15; i++) {
1903 n |= ctx->aes.ccm.nonce.b[i];
1904 ctx->aes.ccm.nonce.b[i] = 0;
1905 n <<= 8;
1906 }
1907 n |= ctx->aes.ccm.nonce.b[15];
1908 ctx->aes.ccm.nonce.b[15] = 1;
1909
1910 if (n != len)
1911 return -1; /* length mismatch */
1912
1913 if (enc) {
1914 /* Two operations per block plus one for tag encryption */
1915 ctx->aes.ccm.blocks += (((len + 15) >> 4) << 1) + 1;
1916 if (ctx->aes.ccm.blocks > (1ULL << 61))
1917 return -2; /* too much data */
1918 }
1919
1920 num = 0;
1921 rem = len & 0xf;
1922 len &= ~0xf;
1923
1924 if (enc) {
1925 /* mac-then-encrypt */
1926 if (len)
1927 s390x_kmac(in, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
1928 if (rem) {
1929 for (i = 0; i < rem; i++)
1930 ctx->aes.ccm.kmac_param.icv.b[i] ^= in[len + i];
1931
1932 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
1933 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
1934 ctx->aes.ccm.kmac_param.k);
1935 }
1936
1937 CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
1938 ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
1939 &num, (ctr128_f)AES_ctr32_encrypt);
1940 } else {
1941 /* decrypt-then-mac */
1942 CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
1943 ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
1944 &num, (ctr128_f)AES_ctr32_encrypt);
1945
1946 if (len)
1947 s390x_kmac(out, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
1948 if (rem) {
1949 for (i = 0; i < rem; i++)
1950 ctx->aes.ccm.kmac_param.icv.b[i] ^= out[len + i];
1951
1952 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
1953 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
1954 ctx->aes.ccm.kmac_param.k);
1955 }
1956 }
1957 /* encrypt tag */
1958 for (i = 15 - l; i < 16; i++)
1959 ctx->aes.ccm.nonce.b[i] = 0;
1960
1961 s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.buf.b, ctx->aes.ccm.fc,
1962 ctx->aes.ccm.kmac_param.k);
1963 ctx->aes.ccm.kmac_param.icv.g[0] ^= ctx->aes.ccm.buf.g[0];
1964 ctx->aes.ccm.kmac_param.icv.g[1] ^= ctx->aes.ccm.buf.g[1];
1965
1966 ctx->aes.ccm.nonce.b[0] = flags; /* restore flags field */
1967 return 0;
1968}
1969
1970/*-
1971 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
1972 * if successful. Otherwise -1 is returned.
1973 */
1974static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1975 const unsigned char *in, size_t len)
1976{
1977 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
1978 unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
1979 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
1980 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
1981
1982 if (out != in
1983 || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m))
1984 return -1;
1985
1986 if (enc) {
1987 /* Set explicit iv (sequence number). */
1988 memcpy(out, buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
1989 }
1990
1991 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
1992 /*-
1993 * Get explicit iv (sequence number). We already have fixed iv
1994 * (server/client_write_iv) here.
1995 */
1996 memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
1997 s390x_aes_ccm_setiv(cctx, ivec, len);
1998
1999 /* Process aad (sequence number|type|version|length) */
2000 s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len);
2001
2002 in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
2003 out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
96530eea 2004
39f5b069
PS		 2005 if (enc) {
2006 if (s390x_aes_ccm(cctx, in, out, len, enc))
2007 return -1;
2008
2009 memcpy(out + len, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
2010 return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
2011 } else {
2012 if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
2013 if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, in + len,
2014 cctx->aes.ccm.m))
2015 return len;
2016 }
2017
2018 OPENSSL_cleanse(out, len);
2019 return -1;
2020 }
2021}
2022
2023/*-
2024 * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
2025 * returned.
2026 */
96530eea
PS		 2027static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx,
2028 const unsigned char *key,
39f5b069
PS		 2029 const unsigned char *iv, int enc)
2030{
2031 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
2032 unsigned char *ivec;
2033 int keylen;
2034
2035 if (iv == NULL && key == NULL)
2036 return 1;
2037
2038 if (key != NULL) {
2039 keylen = EVP_CIPHER_CTX_key_length(ctx);
2040 /* Convert key size to function code. */
2041 cctx->aes.ccm.fc = S390X_AES_128 + (((keylen << 3) - 128) >> 6);
2042 memcpy(cctx->aes.ccm.kmac_param.k, key, keylen);
2043
2044 /* Store encoded m and l. */
2045 cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
2046 | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
2047 memset(cctx->aes.ccm.nonce.b + 1, 0,
2048 sizeof(cctx->aes.ccm.nonce.b));
2049 cctx->aes.ccm.blocks = 0;
2050
2051 cctx->aes.ccm.key_set = 1;
2052 }
2053
2054 if (iv != NULL) {
2055 ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
2056 memcpy(ivec, iv, 15 - cctx->aes.ccm.l);
2057
2058 cctx->aes.ccm.iv_set = 1;
2059 }
2060
2061 return 1;
2062}
2063
2064/*-
2065 * Called from EVP layer to initialize context, process additional
2066 * authenticated data, en/de-crypt plain/cipher-text and authenticate
2067 * plaintext or process a TLS packet, depending on context. Returns bytes
2068 * written on success. Otherwise -1 is returned.
2069 */
96530eea 2070static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
39f5b069
PS		 2071 const unsigned char *in, size_t len)
2072{
2073 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
2074 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
2075 int rv;
2076 unsigned char *buf, *ivec;
2077
2078 if (!cctx->aes.ccm.key_set)
2079 return -1;
2080
2081 if (cctx->aes.ccm.tls_aad_len >= 0)
2082 return s390x_aes_ccm_tls_cipher(ctx, out, in, len);
2083
2084 /*-
2085 * Final(): Does not return any data. Recall that ccm is mac-then-encrypt
2086 * so integrity must be checked already at Update() i.e., before
2087 * potentially corrupted data is output.
2088 */
2089 if (in == NULL && out != NULL)
2090 return 0;
2091
2092 if (!cctx->aes.ccm.iv_set)
2093 return -1;
2094
2095 if (!enc && !cctx->aes.ccm.tag_set)
2096 return -1;
2097
2098 if (out == NULL) {
2099 /* Update(): Pass message length. */
2100 if (in == NULL) {
2101 ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
2102 s390x_aes_ccm_setiv(cctx, ivec, len);
2103
2104 cctx->aes.ccm.len_set = 1;
2105 return len;
2106 }
2107
2108 /* Update(): Process aad. */
2109 if (!cctx->aes.ccm.len_set && len)
2110 return -1;
2111
2112 s390x_aes_ccm_aad(cctx, in, len);
2113 return len;
2114 }
2115
2116 /* Update(): Process message. */
2117
2118 if (!cctx->aes.ccm.len_set) {
2119 /*-
2120 * In case message length was not previously set explicitely via
2121 * Update(), set it now.
2122 */
2123 ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
2124 s390x_aes_ccm_setiv(cctx, ivec, len);
2125
2126 cctx->aes.ccm.len_set = 1;
2127 }
2128
2129 if (enc) {
2130 if (s390x_aes_ccm(cctx, in, out, len, enc))
2131 return -1;
2132
2133 cctx->aes.ccm.tag_set = 1;
2134 return len;
2135 } else {
2136 rv = -1;
2137
2138 if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
2139 buf = EVP_CIPHER_CTX_buf_noconst(ctx);
2140 if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, buf,
2141 cctx->aes.ccm.m))
2142 rv = len;
2143 }
2144
2145 if (rv == -1)
2146 OPENSSL_cleanse(out, len);
2147
2148 cctx->aes.ccm.iv_set = 0;
2149 cctx->aes.ccm.tag_set = 0;
2150 cctx->aes.ccm.len_set = 0;
2151 return rv;
2152 }
2153}
2154
2155/*-
2156 * Performs various operations on the context structure depending on control
2157 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
2158 * Code is big-endian.
2159 */
2160static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
2161{
2162 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, c);
2163 unsigned char *buf, *iv;
2164 int enc, len;
2165
2166 switch (type) {
2167 case EVP_CTRL_INIT:
2168 cctx->aes.ccm.key_set = 0;
2169 cctx->aes.ccm.iv_set = 0;
2170 cctx->aes.ccm.l = 8;
2171 cctx->aes.ccm.m = 12;
2172 cctx->aes.ccm.tag_set = 0;
2173 cctx->aes.ccm.len_set = 0;
2174 cctx->aes.ccm.tls_aad_len = -1;
2175 return 1;
2176
2177 case EVP_CTRL_AEAD_TLS1_AAD:
2178 if (arg != EVP_AEAD_TLS1_AAD_LEN)
2179 return 0;
2180
2181 /* Save the aad for later use. */
2182 buf = EVP_CIPHER_CTX_buf_noconst(c);
2183 memcpy(buf, ptr, arg);
2184 cctx->aes.ccm.tls_aad_len = arg;
2185
2186 len = *(uint16_t *)(buf + arg - 2);
2187 if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
2188 return 0;
2189
2190 /* Correct length for explicit iv. */
2191 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
2192
2193 enc = EVP_CIPHER_CTX_encrypting(c);
2194 if (!enc) {
2195 if (len < cctx->aes.ccm.m)
2196 return 0;
2197
2198 /* Correct length for tag. */
2199 len -= cctx->aes.ccm.m;
2200 }
2201
2202 *(uint16_t *)(buf + arg - 2) = len;
2203 /* Extra padding: tag appended to record. */
2204 return cctx->aes.ccm.m;
2205
2206 case EVP_CTRL_CCM_SET_IV_FIXED:
2207 if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
2208 return 0;
2209
2210 /* Copy to first part of the iv. */
2211 iv = EVP_CIPHER_CTX_iv_noconst(c);
2212 memcpy(iv, ptr, arg);
2213 return 1;
2214
2215 case EVP_CTRL_AEAD_SET_IVLEN:
2216 arg = 15 - arg;
2217 /* fall-through */
2218
2219 case EVP_CTRL_CCM_SET_L:
2220 if (arg < 2 || arg > 8)
2221 return 0;
2222
2223 cctx->aes.ccm.l = arg;
2224 return 1;
2225
2226 case EVP_CTRL_AEAD_SET_TAG:
2227 if ((arg & 1) || arg < 4 || arg > 16)
2228 return 0;
2229
2230 enc = EVP_CIPHER_CTX_encrypting(c);
2231 if (enc && ptr)
2232 return 0;
2233
2234 if (ptr) {
2235 cctx->aes.ccm.tag_set = 1;
2236 buf = EVP_CIPHER_CTX_buf_noconst(c);
2237 memcpy(buf, ptr, arg);
2238 }
2239
2240 cctx->aes.ccm.m = arg;
2241 return 1;
2242
2243 case EVP_CTRL_AEAD_GET_TAG:
2244 enc = EVP_CIPHER_CTX_encrypting(c);
2245 if (!enc || !cctx->aes.ccm.tag_set)
2246 return 0;
2247
2248 if(arg < cctx->aes.ccm.m)
2249 return 0;
2250
2251 memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
2252 cctx->aes.ccm.tag_set = 0;
2253 cctx->aes.ccm.iv_set = 0;
2254 cctx->aes.ccm.len_set = 0;
2255 return 1;
2256
2257 case EVP_CTRL_COPY:
2258 return 1;
2259
2260 default:
2261 return -1;
2262 }
2263}
2264
96530eea
PS		 2265# define s390x_aes_ccm_cleanup aes_ccm_cleanup
2266
2267# ifndef OPENSSL_NO_OCB
2268# define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
2269# define S390X_aes_128_ocb_CAPABLE 0
2270# define S390X_aes_192_ocb_CAPABLE 0
2271# define S390X_aes_256_ocb_CAPABLE 0
2272
2273# define s390x_aes_ocb_init_key aes_ocb_init_key
2274static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2275 const unsigned char *iv, int enc);
2276# define s390x_aes_ocb_cipher aes_ocb_cipher
2277static int s390x_aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2278 const unsigned char *in, size_t len);
2279# define s390x_aes_ocb_cleanup aes_ocb_cleanup
2280static int s390x_aes_ocb_cleanup(EVP_CIPHER_CTX *);
2281# define s390x_aes_ocb_ctrl aes_ocb_ctrl
2282static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
2283# endif
2284
2285# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
2286 MODE,flags) \
2287static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2288 nid##_##keylen##_##nmode,blocksize, \
2289 keylen / 8, \
2290 ivlen, \
2291 flags | EVP_CIPH_##MODE##_MODE, \
55bd169f 2292 s390x_aes_##mode##_init_key, \
96530eea
PS		 2293 s390x_aes_##mode##_cipher, \
2294 NULL, \
55bd169f 2295 sizeof(S390X_AES_##MODE##_CTX), \
96530eea
PS		 2296 NULL, \
2297 NULL, \
2298 NULL, \
2299 NULL \
2300}; \
2301static const EVP_CIPHER aes_##keylen##_##mode = { \
2302 nid##_##keylen##_##nmode, \
2303 blocksize, \
2304 keylen / 8, \
2305 ivlen, \
2306 flags | EVP_CIPH_##MODE##_MODE, \
2307 aes_init_key, \
2308 aes_##mode##_cipher, \
2309 NULL, \
2310 sizeof(EVP_AES_KEY), \
55bd169f
PS		 2311 NULL, \
2312 NULL, \
2313 NULL, \
2314 NULL \
96530eea
PS		 2315}; \
2316const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2317{ \
2318 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2319 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2320}
2321
2322# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
2323static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2324 nid##_##keylen##_##mode, \
2325 blocksize, \
2326 (EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * keylen / 8, \
2327 ivlen, \
2328 flags | EVP_CIPH_##MODE##_MODE, \
2329 s390x_aes_##mode##_init_key, \
2330 s390x_aes_##mode##_cipher, \
2331 s390x_aes_##mode##_cleanup, \
2332 sizeof(S390X_AES_##MODE##_CTX), \
2333 NULL, \
2334 NULL, \
2335 s390x_aes_##mode##_ctrl, \
2336 NULL \
2337}; \
2338static const EVP_CIPHER aes_##keylen##_##mode = { \
2339 nid##_##keylen##_##mode,blocksize, \
2340 (EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * keylen / 8, \
2341 ivlen, \
2342 flags | EVP_CIPH_##MODE##_MODE, \
2343 aes_##mode##_init_key, \
2344 aes_##mode##_cipher, \
2345 aes_##mode##_cleanup, \
2346 sizeof(EVP_AES_##MODE##_CTX), \
2347 NULL, \
2348 NULL, \
2349 aes_##mode##_ctrl, \
2350 NULL \
2351}; \
2352const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2353{ \
2354 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2355 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2356}
2357
5158c763 2358#else
17f121de 2359
5158c763 2360# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
17f121de 2361static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 2362 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
2363 flags|EVP_CIPH_##MODE##_MODE, \
2364 aes_init_key, \
2365 aes_##mode##_cipher, \
2366 NULL, \
2367 sizeof(EVP_AES_KEY), \
2368 NULL,NULL,NULL,NULL }; \
17f121de
AP		 2369const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2370{ return &aes_##keylen##_##mode; }
d1fff483 2371
5158c763 2372# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
17f121de 2373static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 2374 nid##_##keylen##_##mode,blocksize, \
2375 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
2376 flags|EVP_CIPH_##MODE##_MODE, \
2377 aes_##mode##_init_key, \
2378 aes_##mode##_cipher, \
2379 aes_##mode##_cleanup, \
2380 sizeof(EVP_AES_##MODE##_CTX), \
2381 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de
AP		 2382const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2383{ return &aes_##keylen##_##mode; }
9575d1a9 2384
5158c763 2385#endif
9575d1a9 2386
5158c763
MC		 2387#if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
2388# include "arm_arch.h"
2389# if __ARM_MAX_ARCH__>=7
2390# if defined(BSAES_ASM)
2391# define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
2392# endif
2393# if defined(VPAES_ASM)
2394# define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
0f113f3e 2395# endif
5158c763
MC		 2396# define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
2397# define HWAES_set_encrypt_key aes_v8_set_encrypt_key
2398# define HWAES_set_decrypt_key aes_v8_set_decrypt_key
2399# define HWAES_encrypt aes_v8_encrypt
2400# define HWAES_decrypt aes_v8_decrypt
2401# define HWAES_cbc_encrypt aes_v8_cbc_encrypt
2402# define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
ddacb8f2 2403# endif
5158c763 2404#endif
d1fff483 2405
5158c763 2406#if defined(HWAES_CAPABLE)
ddacb8f2 2407int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
0f113f3e 2408 AES_KEY *key);
ddacb8f2 2409int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
0f113f3e 2410 AES_KEY *key);
ddacb8f2 2411void HWAES_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 2412 const AES_KEY *key);
ddacb8f2 2413void HWAES_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 2414 const AES_KEY *key);
ddacb8f2 2415void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 2416 size_t length, const AES_KEY *key,
2417 unsigned char *ivec, const int enc);
ddacb8f2 2418void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 2419 size_t len, const AES_KEY *key,
2420 const unsigned char ivec[16]);
46f047d7
AP		 2421void HWAES_xts_encrypt(const unsigned char *inp, unsigned char *out,
2422 size_t len, const AES_KEY *key1,
2423 const AES_KEY *key2, const unsigned char iv[16]);
2424void HWAES_xts_decrypt(const unsigned char *inp, unsigned char *out,
2425 size_t len, const AES_KEY *key1,
2426 const AES_KEY *key2, const unsigned char iv[16]);
5158c763 2427#endif
ddacb8f2 2428
5158c763 2429#define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
0f113f3e
MC		 2430 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2431 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2432 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2433 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2434 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
2435 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
2436 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
d1fff483
AP		 2437
2438static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 2439 const unsigned char *iv, int enc)
2440{
2441 int ret, mode;
6435f0f6 2442 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 2443
6435f0f6 2444 mode = EVP_CIPHER_CTX_mode(ctx);
0f113f3e 2445 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
c01a3c6d 2446 && !enc) {
5158c763 2447#ifdef HWAES_CAPABLE
0f113f3e 2448 if (HWAES_CAPABLE) {
6435f0f6
RL		 2449 ret = HWAES_set_decrypt_key(key,
2450 EVP_CIPHER_CTX_key_length(ctx) * 8,
2451 &dat->ks.ks);
0f113f3e
MC		 2452 dat->block = (block128_f) HWAES_decrypt;
2453 dat->stream.cbc = NULL;
5158c763 2454# ifdef HWAES_cbc_encrypt
0f113f3e
MC		 2455 if (mode == EVP_CIPH_CBC_MODE)
2456 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
0f113f3e 2457# endif
5158c763
MC		 2458 } else
2459#endif
2460#ifdef BSAES_CAPABLE
0f113f3e 2461 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
6435f0f6
RL		 2462 ret = AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2463 &dat->ks.ks);
0f113f3e
MC		 2464 dat->block = (block128_f) AES_decrypt;
2465 dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt;
2466 } else
5158c763
MC		 2467#endif
2468#ifdef VPAES_CAPABLE
0f113f3e 2469 if (VPAES_CAPABLE) {
6435f0f6
RL		 2470 ret = vpaes_set_decrypt_key(key,
2471 EVP_CIPHER_CTX_key_length(ctx) * 8,
2472 &dat->ks.ks);
0f113f3e
MC		 2473 dat->block = (block128_f) vpaes_decrypt;
2474 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2475 (cbc128_f) vpaes_cbc_encrypt : NULL;
2476 } else
5158c763 2477#endif
0f113f3e 2478 {
6435f0f6
RL		 2479 ret = AES_set_decrypt_key(key,
2480 EVP_CIPHER_CTX_key_length(ctx) * 8,
2481 &dat->ks.ks);
0f113f3e
MC		 2482 dat->block = (block128_f) AES_decrypt;
2483 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2484 (cbc128_f) AES_cbc_encrypt : NULL;
c01a3c6d 2485 }
0f113f3e 2486 } else
5158c763 2487#ifdef HWAES_CAPABLE
0f113f3e 2488 if (HWAES_CAPABLE) {
6435f0f6
RL		 2489 ret = HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2490 &dat->ks.ks);
0f113f3e
MC		 2491 dat->block = (block128_f) HWAES_encrypt;
2492 dat->stream.cbc = NULL;
5158c763 2493# ifdef HWAES_cbc_encrypt
0f113f3e
MC		 2494 if (mode == EVP_CIPH_CBC_MODE)
2495 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
2496 else
5158c763
MC		 2497# endif
2498# ifdef HWAES_ctr32_encrypt_blocks
0f113f3e
MC		 2499 if (mode == EVP_CIPH_CTR_MODE)
2500 dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
2501 else
5158c763 2502# endif
0f113f3e
MC		 2503 (void)0; /* terminate potentially open 'else' */
2504 } else
5158c763
MC		 2505#endif
2506#ifdef BSAES_CAPABLE
0f113f3e 2507 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
6435f0f6
RL		 2508 ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2509 &dat->ks.ks);
0f113f3e
MC		 2510 dat->block = (block128_f) AES_encrypt;
2511 dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
2512 } else
5158c763
MC		 2513#endif
2514#ifdef VPAES_CAPABLE
0f113f3e 2515 if (VPAES_CAPABLE) {
6435f0f6
RL		 2516 ret = vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2517 &dat->ks.ks);
0f113f3e
MC		 2518 dat->block = (block128_f) vpaes_encrypt;
2519 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2520 (cbc128_f) vpaes_cbc_encrypt : NULL;
2521 } else
5158c763 2522#endif
0f113f3e 2523 {
6435f0f6
RL		 2524 ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2525 &dat->ks.ks);
0f113f3e
MC		 2526 dat->block = (block128_f) AES_encrypt;
2527 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2528 (cbc128_f) AES_cbc_encrypt : NULL;
5158c763 2529#ifdef AES_CTR_ASM
0f113f3e
MC		 2530 if (mode == EVP_CIPH_CTR_MODE)
2531 dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
5158c763 2532#endif
0f113f3e 2533 }
d1fff483 2534
0f113f3e
MC		 2535 if (ret < 0) {
2536 EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
2537 return 0;
2538 }
d1fff483 2539
0f113f3e
MC		 2540 return 1;
2541}
d1fff483 2542
0f113f3e
MC		 2543static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2544 const unsigned char *in, size_t len)
17f121de 2545{
6435f0f6 2546 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2547
0f113f3e 2548 if (dat->stream.cbc)
6435f0f6
RL		 2549 (*dat->stream.cbc) (in, out, len, &dat->ks,
2550 EVP_CIPHER_CTX_iv_noconst(ctx),
2551 EVP_CIPHER_CTX_encrypting(ctx));
2552 else if (EVP_CIPHER_CTX_encrypting(ctx))
2553 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks,
2554 EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
0f113f3e 2555 else
6435f0f6
RL		 2556 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
2557 EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
17f121de 2558
0f113f3e 2559 return 1;
17f121de
AP		 2560}
2561
0f113f3e
MC		 2562static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2563 const unsigned char *in, size_t len)
17f121de 2564{
6435f0f6 2565 size_t bl = EVP_CIPHER_CTX_block_size(ctx);
0f113f3e 2566 size_t i;
6435f0f6 2567 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
17f121de 2568
0f113f3e
MC		 2569 if (len < bl)
2570 return 1;
17f121de 2571
0f113f3e
MC		 2572 for (i = 0, len -= bl; i <= len; i += bl)
2573 (*dat->block) (in + i, out + i, &dat->ks);
17f121de 2574
0f113f3e 2575 return 1;
17f121de 2576}
deb2c1a1 2577
0f113f3e
MC		 2578static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2579 const unsigned char *in, size_t len)
17f121de 2580{
6435f0f6 2581 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2582
6435f0f6 2583 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2584 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2585 EVP_CIPHER_CTX_iv_noconst(ctx), &num, dat->block);
2586 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2587 return 1;
17f121de 2588}
deb2c1a1 2589
0f113f3e
MC		 2590static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2591 const unsigned char *in, size_t len)
17f121de 2592{
6435f0f6 2593 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2594
6435f0f6 2595 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2596 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2597 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2598 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2599 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2600 return 1;
17f121de
AP		 2601}
2602
0f113f3e
MC		 2603static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2604 const unsigned char *in, size_t len)
17f121de 2605{
6435f0f6 2606 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2607
6435f0f6 2608 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2609 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2610 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2611 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2612 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2613 return 1;
17f121de 2614}
8d1ebe0b 2615
0f113f3e
MC		 2616static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2617 const unsigned char *in, size_t len)
17f121de 2618{
6435f0f6 2619 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 2620
6435f0f6
RL		 2621 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
2622 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2623 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2624 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2625 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2626 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e
MC		 2627 return 1;
2628 }
2629
2630 while (len >= MAXBITCHUNK) {
6435f0f6 2631 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2632 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
6435f0f6
RL		 2633 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2634 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2635 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2636 len -= MAXBITCHUNK;
604e591e
BE		 2637 out += MAXBITCHUNK;
2638 in += MAXBITCHUNK;
0f113f3e 2639 }
6435f0f6
RL		 2640 if (len) {
2641 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2642 CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
6435f0f6
RL		 2643 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2644 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2645 EVP_CIPHER_CTX_set_num(ctx, num);
2646 }
0f113f3e
MC		 2647
2648 return 1;
17f121de 2649}
8d1ebe0b 2650
0f113f3e
MC		 2651static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2652 const unsigned char *in, size_t len)
d976f992 2653{
6435f0f6
RL		 2654 unsigned int num = EVP_CIPHER_CTX_num(ctx);
2655 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e
MC		 2656
2657 if (dat->stream.ctr)
2658 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
6435f0f6
RL		 2659 EVP_CIPHER_CTX_iv_noconst(ctx),
2660 EVP_CIPHER_CTX_buf_noconst(ctx),
2661 &num, dat->stream.ctr);
0f113f3e
MC		 2662 else
2663 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2664 EVP_CIPHER_CTX_iv_noconst(ctx),
2665 EVP_CIPHER_CTX_buf_noconst(ctx), &num,
2666 dat->block);
2667 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2668 return 1;
d976f992
AP		 2669}
2670
0f113f3e
MC		 2671BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
2672 BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
2673 BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
bdaa5415
DSH		 2674
2675static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
0f113f3e 2676{
6435f0f6 2677 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
273a0218
BE		 2678 if (gctx == NULL)
2679 return 0;
0f113f3e 2680 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
6435f0f6 2681 if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
0f113f3e
MC		 2682 OPENSSL_free(gctx->iv);
2683 return 1;
2684}
bdaa5415 2685
b3d8022e 2686/* increment counter (64-bit int) by 1 */
0f113f3e
MC		 2687static void ctr64_inc(unsigned char *counter)
2688{
2689 int n = 8;
2690 unsigned char c;
2691
2692 do {
2693 --n;
2694 c = counter[n];
2695 ++c;
2696 counter[n] = c;
2697 if (c)
2698 return;
2699 } while (n);
b3d8022e
DSH		 2700}
2701
bdaa5415 2702static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 2703{
6435f0f6 2704 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
0f113f3e
MC		 2705 switch (type) {
2706 case EVP_CTRL_INIT:
2707 gctx->key_set = 0;
2708 gctx->iv_set = 0;
6435f0f6
RL		 2709 gctx->ivlen = EVP_CIPHER_CTX_iv_length(c);
2710 gctx->iv = EVP_CIPHER_CTX_iv_noconst(c);
0f113f3e
MC		 2711 gctx->taglen = -1;
2712 gctx->iv_gen = 0;
2713 gctx->tls_aad_len = -1;
2714 return 1;
2715
e640fa02 2716 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 2717 if (arg <= 0)
2718 return 0;
2719 /* Allocate memory for IV if needed */
2720 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
6435f0f6 2721 if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
0f113f3e
MC		 2722 OPENSSL_free(gctx->iv);
2723 gctx->iv = OPENSSL_malloc(arg);
90945fa3 2724 if (gctx->iv == NULL)
0f113f3e
MC		 2725 return 0;
2726 }
2727 gctx->ivlen = arg;
2728 return 1;
2729
e640fa02 2730 case EVP_CTRL_AEAD_SET_TAG:
6435f0f6 2731 if (arg <= 0 || arg > 16 || EVP_CIPHER_CTX_encrypting(c))
0f113f3e 2732 return 0;
6435f0f6 2733 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
0f113f3e
MC		 2734 gctx->taglen = arg;
2735 return 1;
2736
e640fa02 2737 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6
RL		 2738 if (arg <= 0 || arg > 16 || !EVP_CIPHER_CTX_encrypting(c)
2739 || gctx->taglen < 0)
0f113f3e 2740 return 0;
6435f0f6 2741 memcpy(ptr, EVP_CIPHER_CTX_buf_noconst(c), arg);
0f113f3e
MC		 2742 return 1;
2743
2744 case EVP_CTRL_GCM_SET_IV_FIXED:
2745 /* Special case: -1 length restores whole IV */
2746 if (arg == -1) {
2747 memcpy(gctx->iv, ptr, gctx->ivlen);
2748 gctx->iv_gen = 1;
2749 return 1;
2750 }
2751 /*
2752 * Fixed field must be at least 4 bytes and invocation field at least
2753 * 8.
2754 */
2755 if ((arg < 4) || (gctx->ivlen - arg) < 8)
2756 return 0;
2757 if (arg)
2758 memcpy(gctx->iv, ptr, arg);
16cfc2c9
KR		 2759 if (EVP_CIPHER_CTX_encrypting(c)
2760 && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
2761 return 0;
0f113f3e
MC		 2762 gctx->iv_gen = 1;
2763 return 1;
2764
2765 case EVP_CTRL_GCM_IV_GEN:
2766 if (gctx->iv_gen == 0 || gctx->key_set == 0)
2767 return 0;
2768 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
2769 if (arg <= 0 || arg > gctx->ivlen)
2770 arg = gctx->ivlen;
2771 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
2772 /*
2773 * Invocation field will be at least 8 bytes in size and so no need
2774 * to check wrap around or increment more than last 8 bytes.
2775 */
2776 ctr64_inc(gctx->iv + gctx->ivlen - 8);
2777 gctx->iv_set = 1;
2778 return 1;
2779
2780 case EVP_CTRL_GCM_SET_IV_INV:
6435f0f6
RL		 2781 if (gctx->iv_gen == 0 || gctx->key_set == 0
2782 || EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 2783 return 0;
2784 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
2785 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
2786 gctx->iv_set = 1;
2787 return 1;
2788
2789 case EVP_CTRL_AEAD_TLS1_AAD:
2790 /* Save the AAD for later use */
c8269881 2791 if (arg != EVP_AEAD_TLS1_AAD_LEN)
0f113f3e 2792 return 0;
6435f0f6 2793 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
0f113f3e
MC		 2794 gctx->tls_aad_len = arg;
2795 {
6435f0f6
RL		 2796 unsigned int len =
2797 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
2798 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
0f113f3e 2799 /* Correct length for explicit IV */
2198b3a5
AP		 2800 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
2801 return 0;
0f113f3e
MC		 2802 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
2803 /* If decrypting correct for tag too */
2198b3a5
AP		 2804 if (!EVP_CIPHER_CTX_encrypting(c)) {
2805 if (len < EVP_GCM_TLS_TAG_LEN)
2806 return 0;
0f113f3e 2807 len -= EVP_GCM_TLS_TAG_LEN;
2198b3a5 2808 }
6435f0f6
RL		 2809 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
2810 EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
0f113f3e
MC		 2811 }
2812 /* Extra padding: tag appended to record */
2813 return EVP_GCM_TLS_TAG_LEN;
2814
2815 case EVP_CTRL_COPY:
2816 {
2817 EVP_CIPHER_CTX *out = ptr;
6435f0f6 2818 EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out);
0f113f3e
MC		 2819 if (gctx->gcm.key) {
2820 if (gctx->gcm.key != &gctx->ks)
2821 return 0;
2822 gctx_out->gcm.key = &gctx_out->ks;
2823 }
6435f0f6
RL		 2824 if (gctx->iv == EVP_CIPHER_CTX_iv_noconst(c))
2825 gctx_out->iv = EVP_CIPHER_CTX_iv_noconst(out);
0f113f3e
MC		 2826 else {
2827 gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
90945fa3 2828 if (gctx_out->iv == NULL)
0f113f3e
MC		 2829 return 0;
2830 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
2831 }
2832 return 1;
2833 }
2834
2835 default:
2836 return -1;
2837
2838 }
2839}
bdaa5415
DSH		 2840
2841static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 2842 const unsigned char *iv, int enc)
2843{
6435f0f6 2844 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 2845 if (!iv && !key)
2846 return 1;
2847 if (key) {
2848 do {
5158c763 2849#ifdef HWAES_CAPABLE
0f113f3e 2850 if (HWAES_CAPABLE) {
6435f0f6
RL		 2851 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2852 &gctx->ks.ks);
0f113f3e
MC		 2853 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
2854 (block128_f) HWAES_encrypt);
5158c763 2855# ifdef HWAES_ctr32_encrypt_blocks
0f113f3e 2856 gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
5158c763 2857# else
0f113f3e 2858 gctx->ctr = NULL;
5158c763 2859# endif
0f113f3e
MC		 2860 break;
2861 } else
5158c763
MC		 2862#endif
2863#ifdef BSAES_CAPABLE
0f113f3e 2864 if (BSAES_CAPABLE) {
6435f0f6
RL		 2865 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2866 &gctx->ks.ks);
0f113f3e
MC		 2867 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
2868 (block128_f) AES_encrypt);
2869 gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
2870 break;
2871 } else
5158c763
MC		 2872#endif
2873#ifdef VPAES_CAPABLE
0f113f3e 2874 if (VPAES_CAPABLE) {
6435f0f6
RL		 2875 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2876 &gctx->ks.ks);
0f113f3e
MC		 2877 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
2878 (block128_f) vpaes_encrypt);
2879 gctx->ctr = NULL;
2880 break;
2881 } else
5158c763 2882#endif
0f113f3e
MC		 2883 (void)0; /* terminate potentially open 'else' */
2884
6435f0f6
RL		 2885 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2886 &gctx->ks.ks);
0f113f3e
MC		 2887 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
2888 (block128_f) AES_encrypt);
5158c763 2889#ifdef AES_CTR_ASM
0f113f3e 2890 gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
5158c763 2891#else
0f113f3e 2892 gctx->ctr = NULL;
5158c763 2893#endif
0f113f3e
MC		 2894 } while (0);
2895
2896 /*
2897 * If we have an iv can set it directly, otherwise use saved IV.
2898 */
2899 if (iv == NULL && gctx->iv_set)
2900 iv = gctx->iv;
2901 if (iv) {
2902 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
2903 gctx->iv_set = 1;
2904 }
2905 gctx->key_set = 1;
2906 } else {
2907 /* If key set use IV, otherwise copy */
2908 if (gctx->key_set)
2909 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
2910 else
2911 memcpy(gctx->iv, iv, gctx->ivlen);
2912 gctx->iv_set = 1;
2913 gctx->iv_gen = 0;
2914 }
2915 return 1;
2916}
2917
2918/*
2919 * Handle TLS GCM packet format. This consists of the last portion of the IV
28dd49fa
DSH		 2920 * followed by the payload and finally the tag. On encrypt generate IV,
2921 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
2922 * and verify tag.
2923 */
2924
2925static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 2926 const unsigned char *in, size_t len)
2927{
6435f0f6 2928 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 2929 int rv = -1;
2930 /* Encrypt/decrypt must be performed in place */
2931 if (out != in
2932 || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
2933 return -1;
2934 /*
2935 * Set IV from start of buffer or generate IV and write to start of
2936 * buffer.
2937 */
6435f0f6 2938 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CIPHER_CTX_encrypting(ctx) ?
0f113f3e
MC		 2939 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
2940 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
2941 goto err;
2942 /* Use saved AAD */
6435f0f6
RL		 2943 if (CRYPTO_gcm128_aad(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
2944 gctx->tls_aad_len))
0f113f3e
MC		 2945 goto err;
2946 /* Fix buffer and length to point to payload */
2947 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
2948 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
2949 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
6435f0f6 2950 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 2951 /* Encrypt payload */
2952 if (gctx->ctr) {
2953 size_t bulk = 0;
5158c763 2954#if defined(AES_GCM_ASM)
0f113f3e
MC		 2955 if (len >= 32 && AES_GCM_ASM(gctx)) {
2956 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
2957 return -1;
2958
2959 bulk = AES_gcm_encrypt(in, out, len,
2960 gctx->gcm.key,
2961 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
2962 gctx->gcm.len.u[1] += bulk;
2963 }
5158c763 2964#endif
0f113f3e
MC		 2965 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
2966 in + bulk,
2967 out + bulk,
2968 len - bulk, gctx->ctr))
2969 goto err;
2970 } else {
2971 size_t bulk = 0;
5158c763 2972#if defined(AES_GCM_ASM2)
0f113f3e
MC		 2973 if (len >= 32 && AES_GCM_ASM2(gctx)) {
2974 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
2975 return -1;
2976
2977 bulk = AES_gcm_encrypt(in, out, len,
2978 gctx->gcm.key,
2979 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
2980 gctx->gcm.len.u[1] += bulk;
2981 }
5158c763 2982#endif
0f113f3e
MC		 2983 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
2984 in + bulk, out + bulk, len - bulk))
2985 goto err;
2986 }
2987 out += len;
2988 /* Finally write tag */
2989 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
2990 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
2991 } else {
2992 /* Decrypt */
2993 if (gctx->ctr) {
2994 size_t bulk = 0;
5158c763 2995#if defined(AES_GCM_ASM)
0f113f3e
MC		 2996 if (len >= 16 && AES_GCM_ASM(gctx)) {
2997 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
2998 return -1;
2999
3000 bulk = AES_gcm_decrypt(in, out, len,
3001 gctx->gcm.key,
3002 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3003 gctx->gcm.len.u[1] += bulk;
3004 }
5158c763 3005#endif
0f113f3e
MC		 3006 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
3007 in + bulk,
3008 out + bulk,
3009 len - bulk, gctx->ctr))
3010 goto err;
3011 } else {
3012 size_t bulk = 0;
5158c763 3013#if defined(AES_GCM_ASM2)
0f113f3e
MC		 3014 if (len >= 16 && AES_GCM_ASM2(gctx)) {
3015 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
3016 return -1;
3017
3018 bulk = AES_gcm_decrypt(in, out, len,
3019 gctx->gcm.key,
3020 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3021 gctx->gcm.len.u[1] += bulk;
3022 }
5158c763 3023#endif
0f113f3e
MC		 3024 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
3025 in + bulk, out + bulk, len - bulk))
3026 goto err;
3027 }
3028 /* Retrieve tag */
6435f0f6
RL		 3029 CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
3030 EVP_GCM_TLS_TAG_LEN);
0f113f3e 3031 /* If tag mismatch wipe buffer */
6435f0f6
RL		 3032 if (CRYPTO_memcmp(EVP_CIPHER_CTX_buf_noconst(ctx), in + len,
3033 EVP_GCM_TLS_TAG_LEN)) {
0f113f3e
MC		 3034 OPENSSL_cleanse(out, len);
3035 goto err;
3036 }
3037 rv = len;
3038 }
3039
3040 err:
3041 gctx->iv_set = 0;
3042 gctx->tls_aad_len = -1;
3043 return rv;
3044}
28dd49fa 3045
17f121de 3046static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3047 const unsigned char *in, size_t len)
3048{
6435f0f6 3049 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 3050 /* If not set up, return error */
3051 if (!gctx->key_set)
3052 return -1;
3053
3054 if (gctx->tls_aad_len >= 0)
3055 return aes_gcm_tls_cipher(ctx, out, in, len);
3056
3057 if (!gctx->iv_set)
3058 return -1;
3059 if (in) {
3060 if (out == NULL) {
3061 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
3062 return -1;
6435f0f6 3063 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 3064 if (gctx->ctr) {
3065 size_t bulk = 0;
5158c763 3066#if defined(AES_GCM_ASM)
0f113f3e
MC		 3067 if (len >= 32 && AES_GCM_ASM(gctx)) {
3068 size_t res = (16 - gctx->gcm.mres) % 16;
3069
3070 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
3071 return -1;
3072
3073 bulk = AES_gcm_encrypt(in + res,
3074 out + res, len - res,
3075 gctx->gcm.key, gctx->gcm.Yi.c,
3076 gctx->gcm.Xi.u);
3077 gctx->gcm.len.u[1] += bulk;
3078 bulk += res;
3079 }
5158c763 3080#endif
0f113f3e
MC		 3081 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
3082 in + bulk,
3083 out + bulk,
3084 len - bulk, gctx->ctr))
3085 return -1;
3086 } else {
3087 size_t bulk = 0;
5158c763 3088#if defined(AES_GCM_ASM2)
0f113f3e
MC		 3089 if (len >= 32 && AES_GCM_ASM2(gctx)) {
3090 size_t res = (16 - gctx->gcm.mres) % 16;
3091
3092 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
3093 return -1;
3094
3095 bulk = AES_gcm_encrypt(in + res,
3096 out + res, len - res,
3097 gctx->gcm.key, gctx->gcm.Yi.c,
3098 gctx->gcm.Xi.u);
3099 gctx->gcm.len.u[1] += bulk;
3100 bulk += res;
3101 }
5158c763 3102#endif
0f113f3e
MC		 3103 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
3104 in + bulk, out + bulk, len - bulk))
3105 return -1;
3106 }
3107 } else {
3108 if (gctx->ctr) {
3109 size_t bulk = 0;
5158c763 3110#if defined(AES_GCM_ASM)
0f113f3e
MC		 3111 if (len >= 16 && AES_GCM_ASM(gctx)) {
3112 size_t res = (16 - gctx->gcm.mres) % 16;
3113
3114 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
3115 return -1;
3116
3117 bulk = AES_gcm_decrypt(in + res,
3118 out + res, len - res,
3119 gctx->gcm.key,
3120 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3121 gctx->gcm.len.u[1] += bulk;
3122 bulk += res;
3123 }
5158c763 3124#endif
0f113f3e
MC		 3125 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
3126 in + bulk,
3127 out + bulk,
3128 len - bulk, gctx->ctr))
3129 return -1;
3130 } else {
3131 size_t bulk = 0;
5158c763 3132#if defined(AES_GCM_ASM2)
0f113f3e
MC		 3133 if (len >= 16 && AES_GCM_ASM2(gctx)) {
3134 size_t res = (16 - gctx->gcm.mres) % 16;
3135
3136 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
3137 return -1;
3138
3139 bulk = AES_gcm_decrypt(in + res,
3140 out + res, len - res,
3141 gctx->gcm.key,
3142 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3143 gctx->gcm.len.u[1] += bulk;
3144 bulk += res;
3145 }
5158c763 3146#endif
0f113f3e
MC		 3147 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
3148 in + bulk, out + bulk, len - bulk))
3149 return -1;
3150 }
3151 }
3152 return len;
3153 } else {
6435f0f6 3154 if (!EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 3155 if (gctx->taglen < 0)
3156 return -1;
6435f0f6
RL		 3157 if (CRYPTO_gcm128_finish(&gctx->gcm,
3158 EVP_CIPHER_CTX_buf_noconst(ctx),
3159 gctx->taglen) != 0)
0f113f3e
MC		 3160 return -1;
3161 gctx->iv_set = 0;
3162 return 0;
3163 }
6435f0f6 3164 CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), 16);
0f113f3e
MC		 3165 gctx->taglen = 16;
3166 /* Don't reuse the IV */
3167 gctx->iv_set = 0;
3168 return 0;
3169 }
3170
3171}
3172
5158c763 3173#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
0f113f3e
MC		 3174 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3175 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3176 | EVP_CIPH_CUSTOM_COPY)
3177
3178BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
3179 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3180 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
3181 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3182 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
3183 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
32a2d8dd
DSH		 3184
3185static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 3186{
6435f0f6 3187 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,c);
0f113f3e
MC		 3188 if (type == EVP_CTRL_COPY) {
3189 EVP_CIPHER_CTX *out = ptr;
6435f0f6 3190 EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
0f113f3e
MC		 3191 if (xctx->xts.key1) {
3192 if (xctx->xts.key1 != &xctx->ks1)
3193 return 0;
3194 xctx_out->xts.key1 = &xctx_out->ks1;
3195 }
3196 if (xctx->xts.key2) {
3197 if (xctx->xts.key2 != &xctx->ks2)
3198 return 0;
3199 xctx_out->xts.key2 = &xctx_out->ks2;
3200 }
3201 return 1;
3202 } else if (type != EVP_CTRL_INIT)
3203 return -1;
3204 /* key1 and key2 are used as an indicator both key and IV are set */
3205 xctx->xts.key1 = NULL;
3206 xctx->xts.key2 = NULL;
3207 return 1;
3208}
32a2d8dd
DSH		 3209
3210static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3211 const unsigned char *iv, int enc)
3212{
6435f0f6 3213 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 3214 if (!iv && !key)
3215 return 1;
3216
3217 if (key)
3218 do {
5158c763 3219#ifdef AES_XTS_ASM
0f113f3e 3220 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
5158c763 3221#else
0f113f3e 3222 xctx->stream = NULL;
5158c763 3223#endif
0f113f3e 3224 /* key_len is two AES keys */
5158c763 3225#ifdef HWAES_CAPABLE
0f113f3e
MC		 3226 if (HWAES_CAPABLE) {
3227 if (enc) {
6435f0f6
RL		 3228 HWAES_set_encrypt_key(key,
3229 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 3230 &xctx->ks1.ks);
3231 xctx->xts.block1 = (block128_f) HWAES_encrypt;
46f047d7
AP		 3232# ifdef HWAES_xts_encrypt
3233 xctx->stream = HWAES_xts_encrypt;
3234# endif
0f113f3e 3235 } else {
6435f0f6
RL		 3236 HWAES_set_decrypt_key(key,
3237 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 3238 &xctx->ks1.ks);
3239 xctx->xts.block1 = (block128_f) HWAES_decrypt;
46f047d7
AP		 3240# ifdef HWAES_xts_decrypt
3241 xctx->stream = HWAES_xts_decrypt;
3242#endif
0f113f3e
MC		 3243 }
3244
6435f0f6
RL		 3245 HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
3246 EVP_CIPHER_CTX_key_length(ctx) * 4,
3247 &xctx->ks2.ks);
0f113f3e
MC		 3248 xctx->xts.block2 = (block128_f) HWAES_encrypt;
3249
3250 xctx->xts.key1 = &xctx->ks1;
3251 break;
3252 } else
5158c763
MC		 3253#endif
3254#ifdef BSAES_CAPABLE
0f113f3e
MC		 3255 if (BSAES_CAPABLE)
3256 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
3257 else
5158c763
MC		 3258#endif
3259#ifdef VPAES_CAPABLE
0f113f3e
MC		 3260 if (VPAES_CAPABLE) {
3261 if (enc) {
6435f0f6
RL		 3262 vpaes_set_encrypt_key(key,
3263 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 3264 &xctx->ks1.ks);
3265 xctx->xts.block1 = (block128_f) vpaes_encrypt;
3266 } else {
6435f0f6
RL		 3267 vpaes_set_decrypt_key(key,
3268 EVP_CIPHER_CTX_key_length(ctx) * 4,
0f113f3e
MC		 3269 &xctx->ks1.ks);
3270 xctx->xts.block1 = (block128_f) vpaes_decrypt;
3271 }
3272
6435f0f6
RL		 3273 vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
3274 EVP_CIPHER_CTX_key_length(ctx) * 4,
3275 &xctx->ks2.ks);
0f113f3e
MC		 3276 xctx->xts.block2 = (block128_f) vpaes_encrypt;
3277
3278 xctx->xts.key1 = &xctx->ks1;
3279 break;
3280 } else
5158c763 3281#endif
0f113f3e
MC		 3282 (void)0; /* terminate potentially open 'else' */
3283
3284 if (enc) {
6435f0f6
RL		 3285 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
3286 &xctx->ks1.ks);
0f113f3e
MC		 3287 xctx->xts.block1 = (block128_f) AES_encrypt;
3288 } else {
6435f0f6
RL		 3289 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
3290 &xctx->ks1.ks);
0f113f3e
MC		 3291 xctx->xts.block1 = (block128_f) AES_decrypt;
3292 }
3293
6435f0f6
RL		 3294 AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
3295 EVP_CIPHER_CTX_key_length(ctx) * 4,
3296 &xctx->ks2.ks);
0f113f3e
MC		 3297 xctx->xts.block2 = (block128_f) AES_encrypt;
3298
3299 xctx->xts.key1 = &xctx->ks1;
3300 } while (0);
3301
3302 if (iv) {
3303 xctx->xts.key2 = &xctx->ks2;
6435f0f6 3304 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 3305 }
3306
3307 return 1;
3308}
32a2d8dd 3309
17f121de 3310static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3311 const unsigned char *in, size_t len)
3312{
6435f0f6 3313 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 3314 if (!xctx->xts.key1 || !xctx->xts.key2)
3315 return 0;
3316 if (!out || !in || len < AES_BLOCK_SIZE)
3317 return 0;
3318 if (xctx->stream)
3319 (*xctx->stream) (in, out, len,
6435f0f6
RL		 3320 xctx->xts.key1, xctx->xts.key2,
3321 EVP_CIPHER_CTX_iv_noconst(ctx));
3322 else if (CRYPTO_xts128_encrypt(&xctx->xts, EVP_CIPHER_CTX_iv_noconst(ctx),
3323 in, out, len,
3324 EVP_CIPHER_CTX_encrypting(ctx)))
0f113f3e
MC		 3325 return 0;
3326 return 1;
3327}
3328
5158c763 3329#define aes_xts_cleanup NULL
0f113f3e 3330
5158c763 3331#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
0f113f3e
MC		 3332 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3333 | EVP_CIPH_CUSTOM_COPY)
3334
3335BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
3336 BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
23916810
DSH		 3337
3338static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 3339{
6435f0f6 3340 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c);
0f113f3e
MC		 3341 switch (type) {
3342 case EVP_CTRL_INIT:
3343 cctx->key_set = 0;
3344 cctx->iv_set = 0;
3345 cctx->L = 8;
3346 cctx->M = 12;
3347 cctx->tag_set = 0;
3348 cctx->len_set = 0;
e75c5a79
DSH		 3349 cctx->tls_aad_len = -1;
3350 return 1;
3351
3352 case EVP_CTRL_AEAD_TLS1_AAD:
3353 /* Save the AAD for later use */
3354 if (arg != EVP_AEAD_TLS1_AAD_LEN)
3355 return 0;
6435f0f6 3356 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
e75c5a79
DSH		 3357 cctx->tls_aad_len = arg;
3358 {
6435f0f6
RL		 3359 uint16_t len =
3360 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
3361 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
e75c5a79 3362 /* Correct length for explicit IV */
2198b3a5
AP		 3363 if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
3364 return 0;
e75c5a79
DSH		 3365 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
3366 /* If decrypting correct for tag too */
2198b3a5
AP		 3367 if (!EVP_CIPHER_CTX_encrypting(c)) {
3368 if (len < cctx->M)
3369 return 0;
e75c5a79 3370 len -= cctx->M;
2198b3a5 3371 }
6435f0f6
RL		 3372 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
3373 EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
e75c5a79
DSH		 3374 }
3375 /* Extra padding: tag appended to record */
3376 return cctx->M;
3377
3378 case EVP_CTRL_CCM_SET_IV_FIXED:
3379 /* Sanity check length */
3380 if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
3381 return 0;
3382 /* Just copy to first part of IV */
6435f0f6 3383 memcpy(EVP_CIPHER_CTX_iv_noconst(c), ptr, arg);
0f113f3e
MC		 3384 return 1;
3385
e640fa02 3386 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e 3387 arg = 15 - arg;
018fcbec 3388 /* fall thru */
0f113f3e
MC		 3389 case EVP_CTRL_CCM_SET_L:
3390 if (arg < 2 || arg > 8)
3391 return 0;
3392 cctx->L = arg;
3393 return 1;
3394
e640fa02 3395 case EVP_CTRL_AEAD_SET_TAG:
0f113f3e
MC		 3396 if ((arg & 1) || arg < 4 || arg > 16)
3397 return 0;
6435f0f6 3398 if (EVP_CIPHER_CTX_encrypting(c) && ptr)
0f113f3e
MC		 3399 return 0;
3400 if (ptr) {
3401 cctx->tag_set = 1;
6435f0f6 3402 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
0f113f3e
MC		 3403 }
3404 cctx->M = arg;
3405 return 1;
3406
e640fa02 3407 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6 3408 if (!EVP_CIPHER_CTX_encrypting(c) || !cctx->tag_set)
0f113f3e
MC		 3409 return 0;
3410 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
3411 return 0;
3412 cctx->tag_set = 0;
3413 cctx->iv_set = 0;
3414 cctx->len_set = 0;
3415 return 1;
3416
3417 case EVP_CTRL_COPY:
3418 {
3419 EVP_CIPHER_CTX *out = ptr;
6435f0f6 3420 EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out);
0f113f3e
MC		 3421 if (cctx->ccm.key) {
3422 if (cctx->ccm.key != &cctx->ks)
3423 return 0;
3424 cctx_out->ccm.key = &cctx_out->ks;
3425 }
3426 return 1;
3427 }
3428
3429 default:
3430 return -1;
3431
3432 }
3433}
23916810
DSH		 3434
3435static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3436 const unsigned char *iv, int enc)
3437{
6435f0f6 3438 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 3439 if (!iv && !key)
3440 return 1;
3441 if (key)
3442 do {
5158c763 3443#ifdef HWAES_CAPABLE
0f113f3e 3444 if (HWAES_CAPABLE) {
6435f0f6
RL		 3445 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3446 &cctx->ks.ks);
0f113f3e
MC		 3447
3448 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3449 &cctx->ks, (block128_f) HWAES_encrypt);
3450 cctx->str = NULL;
3451 cctx->key_set = 1;
3452 break;
3453 } else
5158c763
MC		 3454#endif
3455#ifdef VPAES_CAPABLE
0f113f3e 3456 if (VPAES_CAPABLE) {
6435f0f6
RL		 3457 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3458 &cctx->ks.ks);
0f113f3e
MC		 3459 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3460 &cctx->ks, (block128_f) vpaes_encrypt);
3461 cctx->str = NULL;
3462 cctx->key_set = 1;
3463 break;
3464 }
5158c763 3465#endif
6435f0f6
RL		 3466 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3467 &cctx->ks.ks);
0f113f3e
MC		 3468 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3469 &cctx->ks, (block128_f) AES_encrypt);
3470 cctx->str = NULL;
3471 cctx->key_set = 1;
3472 } while (0);
3473 if (iv) {
6435f0f6 3474 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 3475 cctx->iv_set = 1;
3476 }
3477 return 1;
3478}
23916810 3479
e75c5a79
DSH		 3480static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
3481 const unsigned char *in, size_t len)
3482{
6435f0f6 3483 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
e75c5a79
DSH		 3484 CCM128_CONTEXT *ccm = &cctx->ccm;
3485 /* Encrypt/decrypt must be performed in place */
3486 if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
3487 return -1;
3488 /* If encrypting set explicit IV from sequence number (start of AAD) */
6435f0f6
RL		 3489 if (EVP_CIPHER_CTX_encrypting(ctx))
3490 memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx),
3491 EVP_CCM_TLS_EXPLICIT_IV_LEN);
e75c5a79 3492 /* Get rest of IV from explicit IV */
6435f0f6
RL		 3493 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx) + EVP_CCM_TLS_FIXED_IV_LEN, in,
3494 EVP_CCM_TLS_EXPLICIT_IV_LEN);
e75c5a79
DSH		 3495 /* Correct length value */
3496 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
6435f0f6
RL		 3497 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), 15 - cctx->L,
3498 len))
e75c5a79
DSH		 3499 return -1;
3500 /* Use saved AAD */
6435f0f6 3501 CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx), cctx->tls_aad_len);
e75c5a79
DSH		 3502 /* Fix buffer to point to payload */
3503 in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
3504 out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
6435f0f6 3505 if (EVP_CIPHER_CTX_encrypting(ctx)) {
e75c5a79
DSH		 3506 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
3507 cctx->str) :
3508 CRYPTO_ccm128_encrypt(ccm, in, out, len))
3509 return -1;
3510 if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
3511 return -1;
3512 return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
3513 } else {
3514 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
3515 cctx->str) :
3516 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
3517 unsigned char tag[16];
3518 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
3519 if (!CRYPTO_memcmp(tag, in + len, cctx->M))
3520 return len;
3521 }
3522 }
3523 OPENSSL_cleanse(out, len);
3524 return -1;
3525 }
3526}
3527
17f121de 3528static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3529 const unsigned char *in, size_t len)
3530{
6435f0f6 3531 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 3532 CCM128_CONTEXT *ccm = &cctx->ccm;
3533 /* If not set up, return error */
e75c5a79
DSH		 3534 if (!cctx->key_set)
3535 return -1;
3536
3537 if (cctx->tls_aad_len >= 0)
3538 return aes_ccm_tls_cipher(ctx, out, in, len);
3539
197421b1
DSH		 3540 /* EVP_*Final() doesn't return any data */
3541 if (in == NULL && out != NULL)
3542 return 0;
3543
e75c5a79 3544 if (!cctx->iv_set)
0f113f3e 3545 return -1;
e75c5a79 3546
6435f0f6 3547 if (!EVP_CIPHER_CTX_encrypting(ctx) && !cctx->tag_set)
0f113f3e
MC		 3548 return -1;
3549 if (!out) {
3550 if (!in) {
6435f0f6
RL		 3551 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
3552 15 - cctx->L, len))
0f113f3e
MC		 3553 return -1;
3554 cctx->len_set = 1;
3555 return len;
3556 }
3557 /* If have AAD need message length */
3558 if (!cctx->len_set && len)
3559 return -1;
3560 CRYPTO_ccm128_aad(ccm, in, len);
3561 return len;
3562 }
0f113f3e
MC		 3563 /* If not set length yet do it */
3564 if (!cctx->len_set) {
6435f0f6
RL		 3565 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
3566 15 - cctx->L, len))
0f113f3e
MC		 3567 return -1;
3568 cctx->len_set = 1;
3569 }
6435f0f6 3570 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 3571 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
3572 cctx->str) :
3573 CRYPTO_ccm128_encrypt(ccm, in, out, len))
3574 return -1;
3575 cctx->tag_set = 1;
3576 return len;
3577 } else {
3578 int rv = -1;
3579 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
3580 cctx->str) :
3581 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
3582 unsigned char tag[16];
3583 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
6435f0f6
RL		 3584 if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx),
3585 cctx->M))
0f113f3e
MC		 3586 rv = len;
3587 }
3588 }
3589 if (rv == -1)
3590 OPENSSL_cleanse(out, len);
3591 cctx->iv_set = 0;
3592 cctx->tag_set = 0;
3593 cctx->len_set = 0;
3594 return rv;
3595 }
0f113f3e
MC		 3596}
3597
5158c763 3598#define aes_ccm_cleanup NULL
0f113f3e 3599
e75c5a79
DSH		 3600BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
3601 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3602 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
3603 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3604 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
3605 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
0f113f3e
MC		 3606
3607typedef struct {
3608 union {
3609 double align;
3610 AES_KEY ks;
3611 } ks;
3612 /* Indicates if IV has been set */
3613 unsigned char *iv;
3614} EVP_AES_WRAP_CTX;
97cf1f6c
DSH		 3615
3616static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3617 const unsigned char *iv, int enc)
3618{
6435f0f6 3619 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
0f113f3e
MC		 3620 if (!iv && !key)
3621 return 1;
3622 if (key) {
6435f0f6
RL		 3623 if (EVP_CIPHER_CTX_encrypting(ctx))
3624 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3625 &wctx->ks.ks);
0f113f3e 3626 else
6435f0f6
RL		 3627 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3628 &wctx->ks.ks);
0f113f3e
MC		 3629 if (!iv)
3630 wctx->iv = NULL;
3631 }
3632 if (iv) {
6435f0f6
RL		 3633 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, EVP_CIPHER_CTX_iv_length(ctx));
3634 wctx->iv = EVP_CIPHER_CTX_iv_noconst(ctx);
0f113f3e
MC		 3635 }
3636 return 1;
3637}
97cf1f6c
DSH		 3638
3639static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3640 const unsigned char *in, size_t inlen)
3641{
6435f0f6 3642 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
0f113f3e
MC		 3643 size_t rv;
3644 /* AES wrap with padding has IV length of 4, without padding 8 */
3645 int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
3646 /* No final operation so always return zero length */
3647 if (!in)
3648 return 0;
3649 /* Input length must always be non-zero */
3650 if (!inlen)
3651 return -1;
3652 /* If decrypting need at least 16 bytes and multiple of 8 */
6435f0f6 3653 if (!EVP_CIPHER_CTX_encrypting(ctx) && (inlen < 16 || inlen & 0x7))
0f113f3e
MC		 3654 return -1;
3655 /* If not padding input must be multiple of 8 */
3656 if (!pad && inlen & 0x7)
3657 return -1;
7141ba31
MC		 3658 if (is_partially_overlapping(out, in, inlen)) {
3659 EVPerr(EVP_F_AES_WRAP_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
3660 return 0;
3661 }
0f113f3e 3662 if (!out) {
6435f0f6 3663 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 3664 /* If padding round up to multiple of 8 */
3665 if (pad)
3666 inlen = (inlen + 7) / 8 * 8;
3667 /* 8 byte prefix */
3668 return inlen + 8;
3669 } else {
3670 /*
3671 * If not padding output will be exactly 8 bytes smaller than
3672 * input. If padding it will be at least 8 bytes smaller but we
3673 * don't know how much.
3674 */
3675 return inlen - 8;
3676 }
3677 }
3678 if (pad) {
6435f0f6 3679 if (EVP_CIPHER_CTX_encrypting(ctx))
0f113f3e
MC		 3680 rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
3681 out, in, inlen,
3682 (block128_f) AES_encrypt);
3683 else
3684 rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
3685 out, in, inlen,
3686 (block128_f) AES_decrypt);
3687 } else {
6435f0f6 3688 if (EVP_CIPHER_CTX_encrypting(ctx))
0f113f3e
MC		 3689 rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
3690 out, in, inlen, (block128_f) AES_encrypt);
3691 else
3692 rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
3693 out, in, inlen, (block128_f) AES_decrypt);
3694 }
3695 return rv ? (int)rv : -1;
3696}
3697
5158c763 3698#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
0f113f3e
MC		 3699 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3700 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
97cf1f6c
DSH		 3701
3702static const EVP_CIPHER aes_128_wrap = {
0f113f3e
MC		 3703 NID_id_aes128_wrap,
3704 8, 16, 8, WRAP_FLAGS,
3705 aes_wrap_init_key, aes_wrap_cipher,
3706 NULL,
3707 sizeof(EVP_AES_WRAP_CTX),
3708 NULL, NULL, NULL, NULL
3709};
97cf1f6c
DSH		 3710
3711const EVP_CIPHER *EVP_aes_128_wrap(void)
0f113f3e
MC		 3712{
3713 return &aes_128_wrap;
3714}
97cf1f6c
DSH		 3715
3716static const EVP_CIPHER aes_192_wrap = {
0f113f3e
MC		 3717 NID_id_aes192_wrap,
3718 8, 24, 8, WRAP_FLAGS,
3719 aes_wrap_init_key, aes_wrap_cipher,
3720 NULL,
3721 sizeof(EVP_AES_WRAP_CTX),
3722 NULL, NULL, NULL, NULL
3723};
97cf1f6c
DSH		 3724
3725const EVP_CIPHER *EVP_aes_192_wrap(void)
0f113f3e
MC		 3726{
3727 return &aes_192_wrap;
3728}
97cf1f6c
DSH		 3729
3730static const EVP_CIPHER aes_256_wrap = {
0f113f3e
MC		 3731 NID_id_aes256_wrap,
3732 8, 32, 8, WRAP_FLAGS,
3733 aes_wrap_init_key, aes_wrap_cipher,
3734 NULL,
3735 sizeof(EVP_AES_WRAP_CTX),
3736 NULL, NULL, NULL, NULL
3737};
97cf1f6c
DSH		 3738
3739const EVP_CIPHER *EVP_aes_256_wrap(void)
0f113f3e
MC		 3740{
3741 return &aes_256_wrap;
3742}
97cf1f6c 3743
d31fed73 3744static const EVP_CIPHER aes_128_wrap_pad = {
0f113f3e
MC		 3745 NID_id_aes128_wrap_pad,
3746 8, 16, 4, WRAP_FLAGS,
3747 aes_wrap_init_key, aes_wrap_cipher,
3748 NULL,
3749 sizeof(EVP_AES_WRAP_CTX),
3750 NULL, NULL, NULL, NULL
3751};
d31fed73
DSH		 3752
3753const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
0f113f3e
MC		 3754{
3755 return &aes_128_wrap_pad;
3756}
d31fed73
DSH		 3757
3758static const EVP_CIPHER aes_192_wrap_pad = {
0f113f3e
MC		 3759 NID_id_aes192_wrap_pad,
3760 8, 24, 4, WRAP_FLAGS,
3761 aes_wrap_init_key, aes_wrap_cipher,
3762 NULL,
3763 sizeof(EVP_AES_WRAP_CTX),
3764 NULL, NULL, NULL, NULL
3765};
d31fed73
DSH		 3766
3767const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
0f113f3e
MC		 3768{
3769 return &aes_192_wrap_pad;
3770}
d31fed73
DSH		 3771
3772static const EVP_CIPHER aes_256_wrap_pad = {
0f113f3e
MC		 3773 NID_id_aes256_wrap_pad,
3774 8, 32, 4, WRAP_FLAGS,
3775 aes_wrap_init_key, aes_wrap_cipher,
3776 NULL,
3777 sizeof(EVP_AES_WRAP_CTX),
3778 NULL, NULL, NULL, NULL
3779};
d31fed73
DSH		 3780
3781const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
0f113f3e
MC		 3782{
3783 return &aes_256_wrap_pad;
3784}
d31fed73 3785
5158c763 3786#ifndef OPENSSL_NO_OCB
e6b336ef 3787static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 3788{
6435f0f6 3789 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
0f113f3e
MC		 3790 EVP_CIPHER_CTX *newc;
3791 EVP_AES_OCB_CTX *new_octx;
3792
3793 switch (type) {
3794 case EVP_CTRL_INIT:
3795 octx->key_set = 0;
3796 octx->iv_set = 0;
6435f0f6
RL		 3797 octx->ivlen = EVP_CIPHER_CTX_iv_length(c);
3798 octx->iv = EVP_CIPHER_CTX_iv_noconst(c);
0f113f3e
MC		 3799 octx->taglen = 16;
3800 octx->data_buf_len = 0;
3801 octx->aad_buf_len = 0;
3802 return 1;
3803
e640fa02 3804 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 3805 /* IV len must be 1 to 15 */
3806 if (arg <= 0 || arg > 15)
3807 return 0;
3808
3809 octx->ivlen = arg;
3810 return 1;
3811
e640fa02 3812 case EVP_CTRL_AEAD_SET_TAG:
d57d135c
MC		 3813 if (!ptr) {
3814 /* Tag len must be 0 to 16 */
3815 if (arg < 0 || arg > 16)
3816 return 0;
3817
3818 octx->taglen = arg;
3819 return 1;
3820 }
6435f0f6 3821 if (arg != octx->taglen || EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 3822 return 0;
3823 memcpy(octx->tag, ptr, arg);
3824 return 1;
3825
e640fa02 3826 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6 3827 if (arg != octx->taglen || !EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 3828 return 0;
3829
3830 memcpy(ptr, octx->tag, arg);
3831 return 1;
3832
3833 case EVP_CTRL_COPY:
3834 newc = (EVP_CIPHER_CTX *)ptr;
6435f0f6 3835 new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc);
0f113f3e 3836 return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb,
bdc985b1
AP		 3837 &new_octx->ksenc.ks,
3838 &new_octx->ksdec.ks);
0f113f3e
MC		 3839
3840 default:
3841 return -1;
3842
3843 }
3844}
e6b336ef 3845
5158c763
MC		 3846# ifdef HWAES_CAPABLE
3847# ifdef HWAES_ocb_encrypt
02dc0b82
AP		 3848void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out,
3849 size_t blocks, const void *key,
3850 size_t start_block_num,
3851 unsigned char offset_i[16],
3852 const unsigned char L_[][16],
3853 unsigned char checksum[16]);
5158c763 3854# else
365f95ad 3855# define HWAES_ocb_encrypt ((ocb128_f)NULL)
5158c763
MC		 3856# endif
3857# ifdef HWAES_ocb_decrypt
02dc0b82
AP		 3858void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out,
3859 size_t blocks, const void *key,
3860 size_t start_block_num,
3861 unsigned char offset_i[16],
3862 const unsigned char L_[][16],
3863 unsigned char checksum[16]);
5158c763 3864# else
365f95ad 3865# define HWAES_ocb_decrypt ((ocb128_f)NULL)
02dc0b82 3866# endif
5158c763 3867# endif
02dc0b82 3868
e6b336ef 3869static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3870 const unsigned char *iv, int enc)
3871{
6435f0f6 3872 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 3873 if (!iv && !key)
3874 return 1;
3875 if (key) {
3876 do {
3877 /*
3878 * We set both the encrypt and decrypt key here because decrypt
3879 * needs both. We could possibly optimise to remove setting the
3880 * decrypt for an encryption operation.
3881 */
5158c763 3882# ifdef HWAES_CAPABLE
02dc0b82 3883 if (HWAES_CAPABLE) {
6435f0f6
RL		 3884 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3885 &octx->ksenc.ks);
3886 HWAES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3887 &octx->ksdec.ks);
02dc0b82
AP		 3888 if (!CRYPTO_ocb128_init(&octx->ocb,
3889 &octx->ksenc.ks, &octx->ksdec.ks,
3890 (block128_f) HWAES_encrypt,
3891 (block128_f) HWAES_decrypt,
3892 enc ? HWAES_ocb_encrypt
3893 : HWAES_ocb_decrypt))
3894 return 0;
3895 break;
3896 }
5158c763
MC		 3897# endif
3898# ifdef VPAES_CAPABLE
0f113f3e 3899 if (VPAES_CAPABLE) {
6435f0f6
RL		 3900 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3901 &octx->ksenc.ks);
3902 vpaes_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3903 &octx->ksdec.ks);
bdc985b1
AP		 3904 if (!CRYPTO_ocb128_init(&octx->ocb,
3905 &octx->ksenc.ks, &octx->ksdec.ks,
3906 (block128_f) vpaes_encrypt,
bd30091c
AP		 3907 (block128_f) vpaes_decrypt,
3908 NULL))
0f113f3e
MC		 3909 return 0;
3910 break;
3911 }
5158c763 3912# endif
6435f0f6
RL		 3913 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3914 &octx->ksenc.ks);
3915 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3916 &octx->ksdec.ks);
bdc985b1
AP		 3917 if (!CRYPTO_ocb128_init(&octx->ocb,
3918 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 3919 (block128_f) AES_encrypt,
bd30091c
AP		 3920 (block128_f) AES_decrypt,
3921 NULL))
0f113f3e
MC		 3922 return 0;
3923 }
3924 while (0);
3925
3926 /*
3927 * If we have an iv we can set it directly, otherwise use saved IV.
3928 */
3929 if (iv == NULL && octx->iv_set)
3930 iv = octx->iv;
3931 if (iv) {
3932 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
3933 != 1)
3934 return 0;
3935 octx->iv_set = 1;
3936 }
3937 octx->key_set = 1;
3938 } else {
3939 /* If key set use IV, otherwise copy */
3940 if (octx->key_set)
3941 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
3942 else
3943 memcpy(octx->iv, iv, octx->ivlen);
3944 octx->iv_set = 1;
3945 }
3946 return 1;
3947}
e6b336ef
MC		 3948
3949static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3950 const unsigned char *in, size_t len)
3951{
3952 unsigned char *buf;
3953 int *buf_len;
3954 int written_len = 0;
3955 size_t trailing_len;
6435f0f6 3956 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 3957
3958 /* If IV or Key not set then return error */
3959 if (!octx->iv_set)
3960 return -1;
3961
3962 if (!octx->key_set)
3963 return -1;
3964
0ba5a9ea 3965 if (in != NULL) {
0f113f3e
MC		 3966 /*
3967 * Need to ensure we are only passing full blocks to low level OCB
3968 * routines. We do it here rather than in EVP_EncryptUpdate/
3969 * EVP_DecryptUpdate because we need to pass full blocks of AAD too
3970 * and those routines don't support that
3971 */
3972
3973 /* Are we dealing with AAD or normal data here? */
3974 if (out == NULL) {
3975 buf = octx->aad_buf;
3976 buf_len = &(octx->aad_buf_len);
3977 } else {
3978 buf = octx->data_buf;
3979 buf_len = &(octx->data_buf_len);
7141ba31
MC		 3980
3981 if (is_partially_overlapping(out + *buf_len, in, len)) {
3982 EVPerr(EVP_F_AES_OCB_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
3983 return 0;
3984 }
0f113f3e
MC		 3985 }
3986
3987 /*
3988 * If we've got a partially filled buffer from a previous call then
3989 * use that data first
3990 */
0ba5a9ea 3991 if (*buf_len > 0) {
0f113f3e
MC		 3992 unsigned int remaining;
3993
0ba5a9ea 3994 remaining = AES_BLOCK_SIZE - (*buf_len);
0f113f3e
MC		 3995 if (remaining > len) {
3996 memcpy(buf + (*buf_len), in, len);
3997 *(buf_len) += len;
3998 return 0;
3999 }
4000 memcpy(buf + (*buf_len), in, remaining);
4001
4002 /*
4003 * If we get here we've filled the buffer, so process it
4004 */
4005 len -= remaining;
4006 in += remaining;
4007 if (out == NULL) {
0ba5a9ea 4008 if (!CRYPTO_ocb128_aad(&octx->ocb, buf, AES_BLOCK_SIZE))
0f113f3e 4009 return -1;
6435f0f6 4010 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0ba5a9ea
MC		 4011 if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out,
4012 AES_BLOCK_SIZE))
0f113f3e
MC		 4013 return -1;
4014 } else {
0ba5a9ea
MC		 4015 if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out,
4016 AES_BLOCK_SIZE))
0f113f3e
MC		 4017 return -1;
4018 }
0ba5a9ea 4019 written_len = AES_BLOCK_SIZE;
0f113f3e 4020 *buf_len = 0;
7c12c7b6
MC		 4021 if (out != NULL)
4022 out += AES_BLOCK_SIZE;
0f113f3e
MC		 4023 }
4024
4025 /* Do we have a partial block to handle at the end? */
0ba5a9ea 4026 trailing_len = len % AES_BLOCK_SIZE;
0f113f3e
MC		 4027
4028 /*
4029 * If we've got some full blocks to handle, then process these first
4030 */
4031 if (len != trailing_len) {
4032 if (out == NULL) {
4033 if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len))
4034 return -1;
6435f0f6 4035 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 4036 if (!CRYPTO_ocb128_encrypt
4037 (&octx->ocb, in, out, len - trailing_len))
4038 return -1;
4039 } else {
4040 if (!CRYPTO_ocb128_decrypt
4041 (&octx->ocb, in, out, len - trailing_len))
4042 return -1;
4043 }
4044 written_len += len - trailing_len;
4045 in += len - trailing_len;
4046 }
4047
4048 /* Handle any trailing partial block */
0ba5a9ea 4049 if (trailing_len > 0) {
0f113f3e
MC		 4050 memcpy(buf, in, trailing_len);
4051 *buf_len = trailing_len;
4052 }
4053
4054 return written_len;
4055 } else {
4056 /*
4057 * First of all empty the buffer of any partial block that we might
4058 * have been provided - both for data and AAD
4059 */
0ba5a9ea 4060 if (octx->data_buf_len > 0) {
6435f0f6 4061 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 4062 if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out,
4063 octx->data_buf_len))
4064 return -1;
4065 } else {
4066 if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out,
4067 octx->data_buf_len))
4068 return -1;
4069 }
4070 written_len = octx->data_buf_len;
4071 octx->data_buf_len = 0;
4072 }
0ba5a9ea 4073 if (octx->aad_buf_len > 0) {
0f113f3e
MC		 4074 if (!CRYPTO_ocb128_aad
4075 (&octx->ocb, octx->aad_buf, octx->aad_buf_len))
4076 return -1;
4077 octx->aad_buf_len = 0;
4078 }
4079 /* If decrypting then verify */
6435f0f6 4080 if (!EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 4081 if (octx->taglen < 0)
4082 return -1;
4083 if (CRYPTO_ocb128_finish(&octx->ocb,
4084 octx->tag, octx->taglen) != 0)
4085 return -1;
4086 octx->iv_set = 0;
4087 return written_len;
4088 }
4089 /* If encrypting then just get the tag */
4090 if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1)
4091 return -1;
4092 /* Don't reuse the IV */
4093 octx->iv_set = 0;
4094 return written_len;
4095 }
4096}
e6b336ef
MC		 4097
4098static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
0f113f3e 4099{
6435f0f6 4100 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
0f113f3e
MC		 4101 CRYPTO_ocb128_cleanup(&octx->ocb);
4102 return 1;
4103}
e6b336ef 4104
c4aede20
MC		 4105BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
4106 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
4107BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
4108 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
4109BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
4110 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
5158c763 4111#endif /* OPENSSL_NO_OCB */
A mirror of the official openssl repository