2 * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * This file uses the low-level AES functions (which are deprecated for
12 * non-internal use) in order to implement the EVP AES ciphers.
14 #include "internal/deprecated.h"
18 #include <openssl/opensslconf.h>
19 #include <openssl/crypto.h>
20 #include <openssl/evp.h>
21 #include <openssl/err.h>
22 #include <openssl/aes.h>
23 #include <openssl/rand.h>
24 #include <openssl/cmac.h>
25 #include "crypto/evp.h"
26 #include "internal/cryptlib.h"
27 #include "crypto/modes.h"
28 #include "crypto/siv.h"
29 #include "crypto/aes_platform.h"
30 #include "evp_local.h"
48 } ks
; /* AES key schedule to use */
49 int key_set
; /* Set if key initialised */
50 int iv_set
; /* Set if an iv is set */
52 unsigned char *iv
; /* Temporary IV store */
53 int ivlen
; /* IV length */
55 int iv_gen
; /* It is OK to generate IVs */
56 int iv_gen_rand
; /* No IV was specified, so generate a rand IV */
57 int tls_aad_len
; /* TLS AAD length */
58 uint64_t tls_enc_records
; /* Number of TLS records encrypted */
66 } ks1
, ks2
; /* AES key schedules to use */
68 void (*stream
) (const unsigned char *in
,
69 unsigned char *out
, size_t length
,
70 const AES_KEY
*key1
, const AES_KEY
*key2
,
71 const unsigned char iv
[16]);
75 static const int allow_insecure_decrypt
= 0;
77 static const int allow_insecure_decrypt
= 1;
84 } ks
; /* AES key schedule to use */
85 int key_set
; /* Set if key initialised */
86 int iv_set
; /* Set if an iv is set */
87 int tag_set
; /* Set if tag is valid */
88 int len_set
; /* Set if message length set */
89 int L
, M
; /* L and M parameters from RFC3610 */
90 int tls_aad_len
; /* TLS AAD length */
95 #ifndef OPENSSL_NO_OCB
100 } ksenc
; /* AES key schedule to use for encryption */
104 } ksdec
; /* AES key schedule to use for decryption */
105 int key_set
; /* Set if key initialised */
106 int iv_set
; /* Set if an iv is set */
108 unsigned char *iv
; /* Temporary IV store */
109 unsigned char tag
[16];
110 unsigned char data_buf
[16]; /* Store partial data blocks */
111 unsigned char aad_buf
[16]; /* Store partial AAD blocks */
114 int ivlen
; /* IV length */
119 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
121 /* increment counter (64-bit int) by 1 */
122 static void ctr64_inc(unsigned char *counter
)
137 #if defined(AESNI_CAPABLE)
138 # if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
139 # define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
140 gctx->gcm.ghash==gcm_ghash_avx)
141 # undef AES_GCM_ASM2 /* minor size optimization */
144 static int aesni_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
145 const unsigned char *iv
, int enc
)
148 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
149 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
152 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
155 mode
= EVP_CIPHER_CTX_get_mode(ctx
);
156 if ((mode
== EVP_CIPH_ECB_MODE
|| mode
== EVP_CIPH_CBC_MODE
)
158 ret
= aesni_set_decrypt_key(key
, keylen
, &dat
->ks
.ks
);
159 dat
->block
= (block128_f
) aesni_decrypt
;
160 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
161 (cbc128_f
) aesni_cbc_encrypt
: NULL
;
163 ret
= aesni_set_encrypt_key(key
, keylen
, &dat
->ks
.ks
);
164 dat
->block
= (block128_f
) aesni_encrypt
;
165 if (mode
== EVP_CIPH_CBC_MODE
)
166 dat
->stream
.cbc
= (cbc128_f
) aesni_cbc_encrypt
;
167 else if (mode
== EVP_CIPH_CTR_MODE
)
168 dat
->stream
.ctr
= (ctr128_f
) aesni_ctr32_encrypt_blocks
;
170 dat
->stream
.cbc
= NULL
;
174 ERR_raise(ERR_LIB_EVP
, EVP_R_AES_KEY_SETUP_FAILED
);
181 static int aesni_cbc_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
182 const unsigned char *in
, size_t len
)
184 aesni_cbc_encrypt(in
, out
, len
, &EVP_C_DATA(EVP_AES_KEY
,ctx
)->ks
.ks
,
185 ctx
->iv
, EVP_CIPHER_CTX_is_encrypting(ctx
));
190 static int aesni_ecb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
191 const unsigned char *in
, size_t len
)
193 size_t bl
= EVP_CIPHER_CTX_get_block_size(ctx
);
198 aesni_ecb_encrypt(in
, out
, len
, &EVP_C_DATA(EVP_AES_KEY
,ctx
)->ks
.ks
,
199 EVP_CIPHER_CTX_is_encrypting(ctx
));
204 # define aesni_ofb_cipher aes_ofb_cipher
205 static int aesni_ofb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
206 const unsigned char *in
, size_t len
);
208 # define aesni_cfb_cipher aes_cfb_cipher
209 static int aesni_cfb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
210 const unsigned char *in
, size_t len
);
212 # define aesni_cfb8_cipher aes_cfb8_cipher
213 static int aesni_cfb8_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
214 const unsigned char *in
, size_t len
);
216 # define aesni_cfb1_cipher aes_cfb1_cipher
217 static int aesni_cfb1_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
218 const unsigned char *in
, size_t len
);
220 # define aesni_ctr_cipher aes_ctr_cipher
221 static int aesni_ctr_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
222 const unsigned char *in
, size_t len
);
224 static int aesni_gcm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
225 const unsigned char *iv
, int enc
)
227 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
, ctx
);
229 if (iv
== NULL
&& key
== NULL
)
233 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
236 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
239 aesni_set_encrypt_key(key
, keylen
, &gctx
->ks
.ks
);
240 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
, (block128_f
) aesni_encrypt
);
241 gctx
->ctr
= (ctr128_f
) aesni_ctr32_encrypt_blocks
;
243 * If we have an iv can set it directly, otherwise use saved IV.
245 if (iv
== NULL
&& gctx
->iv_set
)
248 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
253 /* If key set use IV, otherwise copy */
255 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
257 memcpy(gctx
->iv
, iv
, gctx
->ivlen
);
264 # define aesni_gcm_cipher aes_gcm_cipher
265 static int aesni_gcm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
266 const unsigned char *in
, size_t len
);
268 static int aesni_xts_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
269 const unsigned char *iv
, int enc
)
271 EVP_AES_XTS_CTX
*xctx
= EVP_C_DATA(EVP_AES_XTS_CTX
,ctx
);
273 if (iv
== NULL
&& key
== NULL
)
277 /* The key is two half length keys in reality */
278 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
279 const int bytes
= keylen
/ 2;
280 const int bits
= bytes
* 8;
283 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
287 * Verify that the two keys are different.
289 * This addresses Rogaway's vulnerability.
290 * See comment in aes_xts_init_key() below.
292 if ((!allow_insecure_decrypt
|| enc
)
293 && CRYPTO_memcmp(key
, key
+ bytes
, bytes
) == 0) {
294 ERR_raise(ERR_LIB_EVP
, EVP_R_XTS_DUPLICATED_KEYS
);
298 /* key_len is two AES keys */
300 aesni_set_encrypt_key(key
, bits
, &xctx
->ks1
.ks
);
301 xctx
->xts
.block1
= (block128_f
) aesni_encrypt
;
302 xctx
->stream
= aesni_xts_encrypt
;
304 aesni_set_decrypt_key(key
, bits
, &xctx
->ks1
.ks
);
305 xctx
->xts
.block1
= (block128_f
) aesni_decrypt
;
306 xctx
->stream
= aesni_xts_decrypt
;
309 aesni_set_encrypt_key(key
+ bytes
, bits
, &xctx
->ks2
.ks
);
310 xctx
->xts
.block2
= (block128_f
) aesni_encrypt
;
312 xctx
->xts
.key1
= &xctx
->ks1
;
316 xctx
->xts
.key2
= &xctx
->ks2
;
317 memcpy(ctx
->iv
, iv
, 16);
323 # define aesni_xts_cipher aes_xts_cipher
324 static int aesni_xts_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
325 const unsigned char *in
, size_t len
);
327 static int aesni_ccm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
328 const unsigned char *iv
, int enc
)
330 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,ctx
);
332 if (iv
== NULL
&& key
== NULL
)
336 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
339 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
342 aesni_set_encrypt_key(key
, keylen
, &cctx
->ks
.ks
);
343 CRYPTO_ccm128_init(&cctx
->ccm
, cctx
->M
, cctx
->L
,
344 &cctx
->ks
, (block128_f
) aesni_encrypt
);
345 cctx
->str
= enc
? (ccm128_f
) aesni_ccm64_encrypt_blocks
:
346 (ccm128_f
) aesni_ccm64_decrypt_blocks
;
350 memcpy(ctx
->iv
, iv
, 15 - cctx
->L
);
356 # define aesni_ccm_cipher aes_ccm_cipher
357 static int aesni_ccm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
358 const unsigned char *in
, size_t len
);
360 # ifndef OPENSSL_NO_OCB
361 static int aesni_ocb_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
362 const unsigned char *iv
, int enc
)
364 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,ctx
);
366 if (iv
== NULL
&& key
== NULL
)
370 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
373 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
378 * We set both the encrypt and decrypt key here because decrypt
379 * needs both. We could possibly optimise to remove setting the
380 * decrypt for an encryption operation.
382 aesni_set_encrypt_key(key
, keylen
, &octx
->ksenc
.ks
);
383 aesni_set_decrypt_key(key
, keylen
, &octx
->ksdec
.ks
);
384 if (!CRYPTO_ocb128_init(&octx
->ocb
,
385 &octx
->ksenc
.ks
, &octx
->ksdec
.ks
,
386 (block128_f
) aesni_encrypt
,
387 (block128_f
) aesni_decrypt
,
388 enc
? aesni_ocb_encrypt
389 : aesni_ocb_decrypt
))
395 * If we have an iv we can set it directly, otherwise use saved IV.
397 if (iv
== NULL
&& octx
->iv_set
)
400 if (CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
)
407 /* If key set use IV, otherwise copy */
409 CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
);
411 memcpy(octx
->iv
, iv
, octx
->ivlen
);
417 # define aesni_ocb_cipher aes_ocb_cipher
418 static int aesni_ocb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
419 const unsigned char *in
, size_t len
);
420 # endif /* OPENSSL_NO_OCB */
422 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
423 static const EVP_CIPHER aesni_##keylen##_##mode = { \
424 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
425 flags|EVP_CIPH_##MODE##_MODE, \
428 aesni_##mode##_cipher, \
430 sizeof(EVP_AES_KEY), \
431 NULL,NULL,NULL,NULL }; \
432 static const EVP_CIPHER aes_##keylen##_##mode = { \
433 nid##_##keylen##_##nmode,blocksize, \
435 flags|EVP_CIPH_##MODE##_MODE, \
438 aes_##mode##_cipher, \
440 sizeof(EVP_AES_KEY), \
441 NULL,NULL,NULL,NULL }; \
442 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
443 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
445 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
446 static const EVP_CIPHER aesni_##keylen##_##mode = { \
447 nid##_##keylen##_##mode,blocksize, \
448 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
450 flags|EVP_CIPH_##MODE##_MODE, \
452 aesni_##mode##_init_key, \
453 aesni_##mode##_cipher, \
454 aes_##mode##_cleanup, \
455 sizeof(EVP_AES_##MODE##_CTX), \
456 NULL,NULL,aes_##mode##_ctrl,NULL }; \
457 static const EVP_CIPHER aes_##keylen##_##mode = { \
458 nid##_##keylen##_##mode,blocksize, \
459 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
461 flags|EVP_CIPH_##MODE##_MODE, \
463 aes_##mode##_init_key, \
464 aes_##mode##_cipher, \
465 aes_##mode##_cleanup, \
466 sizeof(EVP_AES_##MODE##_CTX), \
467 NULL,NULL,aes_##mode##_ctrl,NULL }; \
468 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
469 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
471 #elif defined(SPARC_AES_CAPABLE)
473 static int aes_t4_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
474 const unsigned char *iv
, int enc
)
477 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
479 mode
= EVP_CIPHER_CTX_get_mode(ctx
);
480 bits
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
482 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
485 if ((mode
== EVP_CIPH_ECB_MODE
|| mode
== EVP_CIPH_CBC_MODE
)
488 aes_t4_set_decrypt_key(key
, bits
, &dat
->ks
.ks
);
489 dat
->block
= (block128_f
) aes_t4_decrypt
;
492 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
493 (cbc128_f
) aes128_t4_cbc_decrypt
: NULL
;
496 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
497 (cbc128_f
) aes192_t4_cbc_decrypt
: NULL
;
500 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
501 (cbc128_f
) aes256_t4_cbc_decrypt
: NULL
;
508 aes_t4_set_encrypt_key(key
, bits
, &dat
->ks
.ks
);
509 dat
->block
= (block128_f
) aes_t4_encrypt
;
512 if (mode
== EVP_CIPH_CBC_MODE
)
513 dat
->stream
.cbc
= (cbc128_f
) aes128_t4_cbc_encrypt
;
514 else if (mode
== EVP_CIPH_CTR_MODE
)
515 dat
->stream
.ctr
= (ctr128_f
) aes128_t4_ctr32_encrypt
;
517 dat
->stream
.cbc
= NULL
;
520 if (mode
== EVP_CIPH_CBC_MODE
)
521 dat
->stream
.cbc
= (cbc128_f
) aes192_t4_cbc_encrypt
;
522 else if (mode
== EVP_CIPH_CTR_MODE
)
523 dat
->stream
.ctr
= (ctr128_f
) aes192_t4_ctr32_encrypt
;
525 dat
->stream
.cbc
= NULL
;
528 if (mode
== EVP_CIPH_CBC_MODE
)
529 dat
->stream
.cbc
= (cbc128_f
) aes256_t4_cbc_encrypt
;
530 else if (mode
== EVP_CIPH_CTR_MODE
)
531 dat
->stream
.ctr
= (ctr128_f
) aes256_t4_ctr32_encrypt
;
533 dat
->stream
.cbc
= NULL
;
541 ERR_raise(ERR_LIB_EVP
, EVP_R_AES_KEY_SETUP_FAILED
);
548 # define aes_t4_cbc_cipher aes_cbc_cipher
549 static int aes_t4_cbc_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
550 const unsigned char *in
, size_t len
);
552 # define aes_t4_ecb_cipher aes_ecb_cipher
553 static int aes_t4_ecb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
554 const unsigned char *in
, size_t len
);
556 # define aes_t4_ofb_cipher aes_ofb_cipher
557 static int aes_t4_ofb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
558 const unsigned char *in
, size_t len
);
560 # define aes_t4_cfb_cipher aes_cfb_cipher
561 static int aes_t4_cfb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
562 const unsigned char *in
, size_t len
);
564 # define aes_t4_cfb8_cipher aes_cfb8_cipher
565 static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
566 const unsigned char *in
, size_t len
);
568 # define aes_t4_cfb1_cipher aes_cfb1_cipher
569 static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
570 const unsigned char *in
, size_t len
);
572 # define aes_t4_ctr_cipher aes_ctr_cipher
573 static int aes_t4_ctr_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
574 const unsigned char *in
, size_t len
);
576 static int aes_t4_gcm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
577 const unsigned char *iv
, int enc
)
579 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,ctx
);
581 if (iv
== NULL
&& key
== NULL
)
584 const int bits
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
587 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
590 aes_t4_set_encrypt_key(key
, bits
, &gctx
->ks
.ks
);
591 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
,
592 (block128_f
) aes_t4_encrypt
);
595 gctx
->ctr
= (ctr128_f
) aes128_t4_ctr32_encrypt
;
598 gctx
->ctr
= (ctr128_f
) aes192_t4_ctr32_encrypt
;
601 gctx
->ctr
= (ctr128_f
) aes256_t4_ctr32_encrypt
;
607 * If we have an iv can set it directly, otherwise use saved IV.
609 if (iv
== NULL
&& gctx
->iv_set
)
612 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
617 /* If key set use IV, otherwise copy */
619 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
621 memcpy(gctx
->iv
, iv
, gctx
->ivlen
);
628 # define aes_t4_gcm_cipher aes_gcm_cipher
629 static int aes_t4_gcm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
630 const unsigned char *in
, size_t len
);
632 static int aes_t4_xts_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
633 const unsigned char *iv
, int enc
)
635 EVP_AES_XTS_CTX
*xctx
= EVP_C_DATA(EVP_AES_XTS_CTX
,ctx
);
641 /* The key is two half length keys in reality */
642 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
643 const int bytes
= keylen
/ 2;
644 const int bits
= bytes
* 8;
647 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
651 * Verify that the two keys are different.
653 * This addresses Rogaway's vulnerability.
654 * See comment in aes_xts_init_key() below.
656 if ((!allow_insecure_decrypt
|| enc
)
657 && CRYPTO_memcmp(key
, key
+ bytes
, bytes
) == 0) {
658 ERR_raise(ERR_LIB_EVP
, EVP_R_XTS_DUPLICATED_KEYS
);
663 /* key_len is two AES keys */
665 aes_t4_set_encrypt_key(key
, bits
, &xctx
->ks1
.ks
);
666 xctx
->xts
.block1
= (block128_f
) aes_t4_encrypt
;
669 xctx
->stream
= aes128_t4_xts_encrypt
;
672 xctx
->stream
= aes256_t4_xts_encrypt
;
678 aes_t4_set_decrypt_key(key
, bits
, &xctx
->ks1
.ks
);
679 xctx
->xts
.block1
= (block128_f
) aes_t4_decrypt
;
682 xctx
->stream
= aes128_t4_xts_decrypt
;
685 xctx
->stream
= aes256_t4_xts_decrypt
;
692 aes_t4_set_encrypt_key(key
+ bytes
, bits
, &xctx
->ks2
.ks
);
693 xctx
->xts
.block2
= (block128_f
) aes_t4_encrypt
;
695 xctx
->xts
.key1
= &xctx
->ks1
;
699 xctx
->xts
.key2
= &xctx
->ks2
;
700 memcpy(ctx
->iv
, iv
, 16);
706 # define aes_t4_xts_cipher aes_xts_cipher
707 static int aes_t4_xts_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
708 const unsigned char *in
, size_t len
);
710 static int aes_t4_ccm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
711 const unsigned char *iv
, int enc
)
713 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,ctx
);
715 if (iv
== NULL
&& key
== NULL
)
719 const int bits
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
722 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
725 aes_t4_set_encrypt_key(key
, bits
, &cctx
->ks
.ks
);
726 CRYPTO_ccm128_init(&cctx
->ccm
, cctx
->M
, cctx
->L
,
727 &cctx
->ks
, (block128_f
) aes_t4_encrypt
);
732 memcpy(ctx
->iv
, iv
, 15 - cctx
->L
);
738 # define aes_t4_ccm_cipher aes_ccm_cipher
739 static int aes_t4_ccm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
740 const unsigned char *in
, size_t len
);
742 # ifndef OPENSSL_NO_OCB
743 static int aes_t4_ocb_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
744 const unsigned char *iv
, int enc
)
746 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,ctx
);
748 if (iv
== NULL
&& key
== NULL
)
752 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
755 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
760 * We set both the encrypt and decrypt key here because decrypt
761 * needs both. We could possibly optimise to remove setting the
762 * decrypt for an encryption operation.
764 aes_t4_set_encrypt_key(key
, keylen
, &octx
->ksenc
.ks
);
765 aes_t4_set_decrypt_key(key
, keylen
, &octx
->ksdec
.ks
);
766 if (!CRYPTO_ocb128_init(&octx
->ocb
,
767 &octx
->ksenc
.ks
, &octx
->ksdec
.ks
,
768 (block128_f
) aes_t4_encrypt
,
769 (block128_f
) aes_t4_decrypt
,
776 * If we have an iv we can set it directly, otherwise use saved IV.
778 if (iv
== NULL
&& octx
->iv_set
)
781 if (CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
)
788 /* If key set use IV, otherwise copy */
790 CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
);
792 memcpy(octx
->iv
, iv
, octx
->ivlen
);
798 # define aes_t4_ocb_cipher aes_ocb_cipher
799 static int aes_t4_ocb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
800 const unsigned char *in
, size_t len
);
801 # endif /* OPENSSL_NO_OCB */
803 # ifndef OPENSSL_NO_SIV
804 # define aes_t4_siv_init_key aes_siv_init_key
805 # define aes_t4_siv_cipher aes_siv_cipher
806 # endif /* OPENSSL_NO_SIV */
808 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
809 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
810 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
811 flags|EVP_CIPH_##MODE##_MODE, \
814 aes_t4_##mode##_cipher, \
816 sizeof(EVP_AES_KEY), \
817 NULL,NULL,NULL,NULL }; \
818 static const EVP_CIPHER aes_##keylen##_##mode = { \
819 nid##_##keylen##_##nmode,blocksize, \
821 flags|EVP_CIPH_##MODE##_MODE, \
824 aes_##mode##_cipher, \
826 sizeof(EVP_AES_KEY), \
827 NULL,NULL,NULL,NULL }; \
828 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
829 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
831 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
832 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
833 nid##_##keylen##_##mode,blocksize, \
834 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
836 flags|EVP_CIPH_##MODE##_MODE, \
838 aes_t4_##mode##_init_key, \
839 aes_t4_##mode##_cipher, \
840 aes_##mode##_cleanup, \
841 sizeof(EVP_AES_##MODE##_CTX), \
842 NULL,NULL,aes_##mode##_ctrl,NULL }; \
843 static const EVP_CIPHER aes_##keylen##_##mode = { \
844 nid##_##keylen##_##mode,blocksize, \
845 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
847 flags|EVP_CIPH_##MODE##_MODE, \
849 aes_##mode##_init_key, \
850 aes_##mode##_cipher, \
851 aes_##mode##_cleanup, \
852 sizeof(EVP_AES_##MODE##_CTX), \
853 NULL,NULL,aes_##mode##_ctrl,NULL }; \
854 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
855 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
857 #elif defined(S390X_aes_128_CAPABLE)
858 /* IBM S390X support */
863 * KM-AES parameter block - begin
864 * (see z/Architecture Principles of Operation >= SA22-7832-06)
869 /* KM-AES parameter block - end */
878 * KMO-AES parameter block - begin
879 * (see z/Architecture Principles of Operation >= SA22-7832-08)
882 unsigned char cv
[16];
885 /* KMO-AES parameter block - end */
894 * KMF-AES parameter block - begin
895 * (see z/Architecture Principles of Operation >= SA22-7832-08)
898 unsigned char cv
[16];
901 /* KMF-AES parameter block - end */
910 * KMA-GCM-AES parameter block - begin
911 * (see z/Architecture Principles of Operation >= SA22-7832-11)
914 unsigned char reserved
[12];
920 unsigned long long g
[2];
924 unsigned long long taadl
;
925 unsigned long long tpcl
;
927 unsigned long long g
[2];
932 /* KMA-GCM-AES parameter block - end */
944 unsigned char ares
[16];
945 unsigned char mres
[16];
946 unsigned char kres
[16];
952 uint64_t tls_enc_records
; /* Number of TLS records encrypted */
959 * Padding is chosen so that ccm.kmac_param.k overlaps with key.k and
960 * ccm.fc with key.k.rounds. Remember that on s390x, an AES_KEY's
961 * rounds field is used to store the function code and that the key
962 * schedule is not stored (if aes hardware support is detected).
965 unsigned char pad
[16];
971 * KMAC-AES parameter block - begin
972 * (see z/Architecture Principles of Operation >= SA22-7832-08)
976 unsigned long long g
[2];
981 /* KMAC-AES parameter block - end */
984 unsigned long long g
[2];
988 unsigned long long g
[2];
992 unsigned long long blocks
;
1001 unsigned char pad
[140];
1005 } S390X_AES_CCM_CTX
;
1007 # define s390x_aes_init_key aes_init_key
1008 static int s390x_aes_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
1009 const unsigned char *iv
, int enc
);
1011 # define S390X_AES_CBC_CTX EVP_AES_KEY
1013 # define s390x_aes_cbc_init_key aes_init_key
1015 # define s390x_aes_cbc_cipher aes_cbc_cipher
1016 static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1017 const unsigned char *in
, size_t len
);
1019 static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX
*ctx
,
1020 const unsigned char *key
,
1021 const unsigned char *iv
, int enc
)
1023 S390X_AES_ECB_CTX
*cctx
= EVP_C_DATA(S390X_AES_ECB_CTX
, ctx
);
1024 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1027 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1030 cctx
->fc
= S390X_AES_FC(keylen
);
1032 cctx
->fc
|= S390X_DECRYPT
;
1034 memcpy(cctx
->km
.param
.k
, key
, keylen
);
1038 static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1039 const unsigned char *in
, size_t len
)
1041 S390X_AES_ECB_CTX
*cctx
= EVP_C_DATA(S390X_AES_ECB_CTX
, ctx
);
1043 s390x_km(in
, len
, out
, cctx
->fc
, &cctx
->km
.param
);
1047 static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX
*ctx
,
1048 const unsigned char *key
,
1049 const unsigned char *ivec
, int enc
)
1051 S390X_AES_OFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_OFB_CTX
, ctx
);
1052 const unsigned char *iv
= ctx
->oiv
;
1053 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1054 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1057 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1061 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_IV_LENGTH
);
1064 memcpy(cctx
->kmo
.param
.cv
, iv
, ivlen
);
1065 memcpy(cctx
->kmo
.param
.k
, key
, keylen
);
1066 cctx
->fc
= S390X_AES_FC(keylen
);
1070 static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1071 const unsigned char *in
, size_t len
)
1073 S390X_AES_OFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_OFB_CTX
, ctx
);
1074 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1075 unsigned char *iv
= EVP_CIPHER_CTX_iv_noconst(ctx
);
1079 memcpy(cctx
->kmo
.param
.cv
, iv
, ivlen
);
1081 *out
= *in
^ cctx
->kmo
.param
.cv
[n
];
1090 len
&= ~(size_t)0xf;
1092 s390x_kmo(in
, len
, out
, cctx
->fc
, &cctx
->kmo
.param
);
1099 s390x_km(cctx
->kmo
.param
.cv
, 16, cctx
->kmo
.param
.cv
, cctx
->fc
,
1103 out
[n
] = in
[n
] ^ cctx
->kmo
.param
.cv
[n
];
1108 memcpy(iv
, cctx
->kmo
.param
.cv
, ivlen
);
1113 static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX
*ctx
,
1114 const unsigned char *key
,
1115 const unsigned char *ivec
, int enc
)
1117 S390X_AES_CFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_CFB_CTX
, ctx
);
1118 const unsigned char *iv
= ctx
->oiv
;
1119 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1120 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1123 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1127 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_IV_LENGTH
);
1130 cctx
->fc
= S390X_AES_FC(keylen
);
1131 cctx
->fc
|= 16 << 24; /* 16 bytes cipher feedback */
1133 cctx
->fc
|= S390X_DECRYPT
;
1135 memcpy(cctx
->kmf
.param
.cv
, iv
, ivlen
);
1136 memcpy(cctx
->kmf
.param
.k
, key
, keylen
);
1140 static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1141 const unsigned char *in
, size_t len
)
1143 S390X_AES_CFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_CFB_CTX
, ctx
);
1144 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1145 const int enc
= EVP_CIPHER_CTX_is_encrypting(ctx
);
1146 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1147 unsigned char *iv
= EVP_CIPHER_CTX_iv_noconst(ctx
);
1153 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1157 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_IV_LENGTH
);
1160 memcpy(cctx
->kmf
.param
.cv
, iv
, ivlen
);
1163 *out
= cctx
->kmf
.param
.cv
[n
] ^ tmp
;
1164 cctx
->kmf
.param
.cv
[n
] = enc
? *out
: tmp
;
1173 len
&= ~(size_t)0xf;
1175 s390x_kmf(in
, len
, out
, cctx
->fc
, &cctx
->kmf
.param
);
1182 s390x_km(cctx
->kmf
.param
.cv
, 16, cctx
->kmf
.param
.cv
,
1183 S390X_AES_FC(keylen
), cctx
->kmf
.param
.k
);
1187 out
[n
] = cctx
->kmf
.param
.cv
[n
] ^ tmp
;
1188 cctx
->kmf
.param
.cv
[n
] = enc
? out
[n
] : tmp
;
1193 memcpy(iv
, cctx
->kmf
.param
.cv
, ivlen
);
1198 static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX
*ctx
,
1199 const unsigned char *key
,
1200 const unsigned char *ivec
, int enc
)
1202 S390X_AES_CFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_CFB_CTX
, ctx
);
1203 const unsigned char *iv
= ctx
->oiv
;
1204 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1205 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1208 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1212 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_IV_LENGTH
);
1215 cctx
->fc
= S390X_AES_FC(keylen
);
1216 cctx
->fc
|= 1 << 24; /* 1 byte cipher feedback */
1218 cctx
->fc
|= S390X_DECRYPT
;
1220 memcpy(cctx
->kmf
.param
.cv
, iv
, ivlen
);
1221 memcpy(cctx
->kmf
.param
.k
, key
, keylen
);
1225 static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1226 const unsigned char *in
, size_t len
)
1228 S390X_AES_CFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_CFB_CTX
, ctx
);
1229 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1230 unsigned char *iv
= EVP_CIPHER_CTX_iv_noconst(ctx
);
1232 memcpy(cctx
->kmf
.param
.cv
, iv
, ivlen
);
1233 s390x_kmf(in
, len
, out
, cctx
->fc
, &cctx
->kmf
.param
);
1234 memcpy(iv
, cctx
->kmf
.param
.cv
, ivlen
);
1238 # define s390x_aes_cfb1_init_key aes_init_key
1240 # define s390x_aes_cfb1_cipher aes_cfb1_cipher
1241 static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1242 const unsigned char *in
, size_t len
);
1244 # define S390X_AES_CTR_CTX EVP_AES_KEY
1246 # define s390x_aes_ctr_init_key aes_init_key
1248 # define s390x_aes_ctr_cipher aes_ctr_cipher
1249 static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1250 const unsigned char *in
, size_t len
);
1252 /* iv + padding length for iv lengths != 12 */
1253 # define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
1256 * Process additional authenticated data. Returns 0 on success. Code is
1259 static int s390x_aes_gcm_aad(S390X_AES_GCM_CTX
*ctx
, const unsigned char *aad
,
1262 unsigned long long alen
;
1265 if (ctx
->kma
.param
.tpcl
)
1268 alen
= ctx
->kma
.param
.taadl
+ len
;
1269 if (alen
> (U64(1) << 61) || (sizeof(len
) == 8 && alen
< len
))
1271 ctx
->kma
.param
.taadl
= alen
;
1276 ctx
->ares
[n
] = *aad
;
1281 /* ctx->ares contains a complete block if offset has wrapped around */
1283 s390x_kma(ctx
->ares
, 16, NULL
, 0, NULL
, ctx
->fc
, &ctx
->kma
.param
);
1284 ctx
->fc
|= S390X_KMA_HS
;
1291 len
&= ~(size_t)0xf;
1293 s390x_kma(aad
, len
, NULL
, 0, NULL
, ctx
->fc
, &ctx
->kma
.param
);
1295 ctx
->fc
|= S390X_KMA_HS
;
1303 ctx
->ares
[rem
] = aad
[rem
];
1310 * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 0 for
1311 * success. Code is big-endian.
1313 static int s390x_aes_gcm(S390X_AES_GCM_CTX
*ctx
, const unsigned char *in
,
1314 unsigned char *out
, size_t len
)
1316 const unsigned char *inptr
;
1317 unsigned long long mlen
;
1320 unsigned char b
[16];
1325 mlen
= ctx
->kma
.param
.tpcl
+ len
;
1326 if (mlen
> ((U64(1) << 36) - 32) || (sizeof(len
) == 8 && mlen
< len
))
1328 ctx
->kma
.param
.tpcl
= mlen
;
1334 while (n
&& inlen
) {
1335 ctx
->mres
[n
] = *inptr
;
1340 /* ctx->mres contains a complete block if offset has wrapped around */
1342 s390x_kma(ctx
->ares
, ctx
->areslen
, ctx
->mres
, 16, buf
.b
,
1343 ctx
->fc
| S390X_KMA_LAAD
, &ctx
->kma
.param
);
1344 ctx
->fc
|= S390X_KMA_HS
;
1347 /* previous call already encrypted/decrypted its remainder,
1348 * see comment below */
1363 len
&= ~(size_t)0xf;
1365 s390x_kma(ctx
->ares
, ctx
->areslen
, in
, len
, out
,
1366 ctx
->fc
| S390X_KMA_LAAD
, &ctx
->kma
.param
);
1369 ctx
->fc
|= S390X_KMA_HS
;
1374 * If there is a remainder, it has to be saved such that it can be
1375 * processed by kma later. However, we also have to do the for-now
1376 * unauthenticated encryption/decryption part here and now...
1379 if (!ctx
->mreslen
) {
1380 buf
.w
[0] = ctx
->kma
.param
.j0
.w
[0];
1381 buf
.w
[1] = ctx
->kma
.param
.j0
.w
[1];
1382 buf
.w
[2] = ctx
->kma
.param
.j0
.w
[2];
1383 buf
.w
[3] = ctx
->kma
.param
.cv
.w
+ 1;
1384 s390x_km(buf
.b
, 16, ctx
->kres
, ctx
->fc
& 0x1f, &ctx
->kma
.param
.k
);
1388 for (i
= 0; i
< rem
; i
++) {
1389 ctx
->mres
[n
+ i
] = in
[i
];
1390 out
[i
] = in
[i
] ^ ctx
->kres
[n
+ i
];
1393 ctx
->mreslen
+= rem
;
1399 * Initialize context structure. Code is big-endian.
1401 static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX
*ctx
,
1402 const unsigned char *iv
)
1404 ctx
->kma
.param
.t
.g
[0] = 0;
1405 ctx
->kma
.param
.t
.g
[1] = 0;
1406 ctx
->kma
.param
.tpcl
= 0;
1407 ctx
->kma
.param
.taadl
= 0;
1412 if (ctx
->ivlen
== 12) {
1413 memcpy(&ctx
->kma
.param
.j0
, iv
, ctx
->ivlen
);
1414 ctx
->kma
.param
.j0
.w
[3] = 1;
1415 ctx
->kma
.param
.cv
.w
= 1;
1417 /* ctx->iv has the right size and is already padded. */
1418 memcpy(ctx
->iv
, iv
, ctx
->ivlen
);
1419 s390x_kma(ctx
->iv
, S390X_gcm_ivpadlen(ctx
->ivlen
), NULL
, 0, NULL
,
1420 ctx
->fc
, &ctx
->kma
.param
);
1421 ctx
->fc
|= S390X_KMA_HS
;
1423 ctx
->kma
.param
.j0
.g
[0] = ctx
->kma
.param
.t
.g
[0];
1424 ctx
->kma
.param
.j0
.g
[1] = ctx
->kma
.param
.t
.g
[1];
1425 ctx
->kma
.param
.cv
.w
= ctx
->kma
.param
.j0
.w
[3];
1426 ctx
->kma
.param
.t
.g
[0] = 0;
1427 ctx
->kma
.param
.t
.g
[1] = 0;
1432 * Performs various operations on the context structure depending on control
1433 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
1434 * Code is big-endian.
1436 static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
1438 S390X_AES_GCM_CTX
*gctx
= EVP_C_DATA(S390X_AES_GCM_CTX
, c
);
1439 S390X_AES_GCM_CTX
*gctx_out
;
1440 EVP_CIPHER_CTX
*out
;
1442 int ivlen
, enc
, len
;
1446 ivlen
= EVP_CIPHER_get_iv_length(c
->cipher
);
1449 gctx
->ivlen
= ivlen
;
1453 gctx
->tls_aad_len
= -1;
1456 case EVP_CTRL_GET_IVLEN
:
1457 *(int *)ptr
= gctx
->ivlen
;
1460 case EVP_CTRL_AEAD_SET_IVLEN
:
1465 len
= S390X_gcm_ivpadlen(arg
);
1467 /* Allocate memory for iv if needed. */
1468 if (gctx
->ivlen
== 12 || len
> S390X_gcm_ivpadlen(gctx
->ivlen
)) {
1469 if (gctx
->iv
!= c
->iv
)
1470 OPENSSL_free(gctx
->iv
);
1472 if ((gctx
->iv
= OPENSSL_malloc(len
)) == NULL
)
1476 memset(gctx
->iv
+ arg
, 0, len
- arg
- 8);
1477 *((unsigned long long *)(gctx
->iv
+ len
- 8)) = arg
<< 3;
1482 case EVP_CTRL_AEAD_SET_TAG
:
1483 buf
= EVP_CIPHER_CTX_buf_noconst(c
);
1484 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
1485 if (arg
<= 0 || arg
> 16 || enc
)
1488 memcpy(buf
, ptr
, arg
);
1492 case EVP_CTRL_AEAD_GET_TAG
:
1493 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
1494 if (arg
<= 0 || arg
> 16 || !enc
|| gctx
->taglen
< 0)
1497 memcpy(ptr
, gctx
->kma
.param
.t
.b
, arg
);
1500 case EVP_CTRL_GCM_SET_IV_FIXED
:
1501 /* Special case: -1 length restores whole iv */
1503 memcpy(gctx
->iv
, ptr
, gctx
->ivlen
);
1508 * Fixed field must be at least 4 bytes and invocation field at least
1511 if ((arg
< 4) || (gctx
->ivlen
- arg
) < 8)
1515 memcpy(gctx
->iv
, ptr
, arg
);
1517 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
1518 if (enc
&& RAND_bytes(gctx
->iv
+ arg
, gctx
->ivlen
- arg
) <= 0)
1524 case EVP_CTRL_GCM_IV_GEN
:
1525 if (gctx
->iv_gen
== 0 || gctx
->key_set
== 0)
1528 s390x_aes_gcm_setiv(gctx
, gctx
->iv
);
1530 if (arg
<= 0 || arg
> gctx
->ivlen
)
1533 memcpy(ptr
, gctx
->iv
+ gctx
->ivlen
- arg
, arg
);
1535 * Invocation field will be at least 8 bytes in size and so no need
1536 * to check wrap around or increment more than last 8 bytes.
1538 ctr64_inc(gctx
->iv
+ gctx
->ivlen
- 8);
1542 case EVP_CTRL_GCM_SET_IV_INV
:
1543 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
1544 if (gctx
->iv_gen
== 0 || gctx
->key_set
== 0 || enc
)
1547 memcpy(gctx
->iv
+ gctx
->ivlen
- arg
, ptr
, arg
);
1548 s390x_aes_gcm_setiv(gctx
, gctx
->iv
);
1552 case EVP_CTRL_AEAD_TLS1_AAD
:
1553 /* Save the aad for later use. */
1554 if (arg
!= EVP_AEAD_TLS1_AAD_LEN
)
1557 buf
= EVP_CIPHER_CTX_buf_noconst(c
);
1558 memcpy(buf
, ptr
, arg
);
1559 gctx
->tls_aad_len
= arg
;
1560 gctx
->tls_enc_records
= 0;
1562 len
= buf
[arg
- 2] << 8 | buf
[arg
- 1];
1563 /* Correct length for explicit iv. */
1564 if (len
< EVP_GCM_TLS_EXPLICIT_IV_LEN
)
1566 len
-= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1568 /* If decrypting correct for tag too. */
1569 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
1571 if (len
< EVP_GCM_TLS_TAG_LEN
)
1573 len
-= EVP_GCM_TLS_TAG_LEN
;
1575 buf
[arg
- 2] = len
>> 8;
1576 buf
[arg
- 1] = len
& 0xff;
1577 /* Extra padding: tag appended to record. */
1578 return EVP_GCM_TLS_TAG_LEN
;
1582 gctx_out
= EVP_C_DATA(S390X_AES_GCM_CTX
, out
);
1584 if (gctx
->iv
== c
->iv
) {
1585 gctx_out
->iv
= out
->iv
;
1587 len
= S390X_gcm_ivpadlen(gctx
->ivlen
);
1589 if ((gctx_out
->iv
= OPENSSL_malloc(len
)) == NULL
)
1592 memcpy(gctx_out
->iv
, gctx
->iv
, len
);
1602 * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
1604 static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX
*ctx
,
1605 const unsigned char *key
,
1606 const unsigned char *iv
, int enc
)
1608 S390X_AES_GCM_CTX
*gctx
= EVP_C_DATA(S390X_AES_GCM_CTX
, ctx
);
1611 if (iv
== NULL
&& key
== NULL
)
1615 keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1617 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1621 memcpy(&gctx
->kma
.param
.k
, key
, keylen
);
1623 gctx
->fc
= S390X_AES_FC(keylen
);
1625 gctx
->fc
|= S390X_DECRYPT
;
1627 if (iv
== NULL
&& gctx
->iv_set
)
1631 s390x_aes_gcm_setiv(gctx
, iv
);
1637 s390x_aes_gcm_setiv(gctx
, iv
);
1639 memcpy(gctx
->iv
, iv
, gctx
->ivlen
);
1648 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
1649 * if successful. Otherwise -1 is returned. Code is big-endian.
1651 static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1652 const unsigned char *in
, size_t len
)
1654 S390X_AES_GCM_CTX
*gctx
= EVP_C_DATA(S390X_AES_GCM_CTX
, ctx
);
1655 const unsigned char *buf
= EVP_CIPHER_CTX_buf_noconst(ctx
);
1656 const int enc
= EVP_CIPHER_CTX_is_encrypting(ctx
);
1659 if (out
!= in
|| len
< (EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
))
1663 * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
1664 * Requirements from SP 800-38D". The requirements is for one party to the
1665 * communication to fail after 2^64 - 1 keys. We do this on the encrypting
1668 if (enc
&& ++gctx
->tls_enc_records
== 0) {
1669 ERR_raise(ERR_LIB_EVP
, EVP_R_TOO_MANY_RECORDS
);
1673 if (EVP_CIPHER_CTX_ctrl(ctx
, enc
? EVP_CTRL_GCM_IV_GEN
1674 : EVP_CTRL_GCM_SET_IV_INV
,
1675 EVP_GCM_TLS_EXPLICIT_IV_LEN
, out
) <= 0)
1678 in
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1679 out
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1680 len
-= EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
;
1682 gctx
->kma
.param
.taadl
= gctx
->tls_aad_len
<< 3;
1683 gctx
->kma
.param
.tpcl
= len
<< 3;
1684 s390x_kma(buf
, gctx
->tls_aad_len
, in
, len
, out
,
1685 gctx
->fc
| S390X_KMA_LAAD
| S390X_KMA_LPC
, &gctx
->kma
.param
);
1688 memcpy(out
+ len
, gctx
->kma
.param
.t
.b
, EVP_GCM_TLS_TAG_LEN
);
1689 rv
= len
+ EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
;
1691 if (CRYPTO_memcmp(gctx
->kma
.param
.t
.b
, in
+ len
,
1692 EVP_GCM_TLS_TAG_LEN
)) {
1693 OPENSSL_cleanse(out
, len
);
1700 gctx
->tls_aad_len
= -1;
1705 * Called from EVP layer to initialize context, process additional
1706 * authenticated data, en/de-crypt plain/cipher-text and authenticate
1707 * ciphertext or process a TLS packet, depending on context. Returns bytes
1708 * written on success. Otherwise -1 is returned. Code is big-endian.
1710 static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1711 const unsigned char *in
, size_t len
)
1713 S390X_AES_GCM_CTX
*gctx
= EVP_C_DATA(S390X_AES_GCM_CTX
, ctx
);
1714 unsigned char *buf
, tmp
[16];
1720 if (gctx
->tls_aad_len
>= 0)
1721 return s390x_aes_gcm_tls_cipher(ctx
, out
, in
, len
);
1728 if (s390x_aes_gcm_aad(gctx
, in
, len
))
1731 if (s390x_aes_gcm(gctx
, in
, out
, len
))
1736 gctx
->kma
.param
.taadl
<<= 3;
1737 gctx
->kma
.param
.tpcl
<<= 3;
1738 s390x_kma(gctx
->ares
, gctx
->areslen
, gctx
->mres
, gctx
->mreslen
, tmp
,
1739 gctx
->fc
| S390X_KMA_LAAD
| S390X_KMA_LPC
, &gctx
->kma
.param
);
1740 /* recall that we already did en-/decrypt gctx->mres
1741 * and returned it to caller... */
1742 OPENSSL_cleanse(tmp
, gctx
->mreslen
);
1745 enc
= EVP_CIPHER_CTX_is_encrypting(ctx
);
1749 if (gctx
->taglen
< 0)
1752 buf
= EVP_CIPHER_CTX_buf_noconst(ctx
);
1753 if (CRYPTO_memcmp(buf
, gctx
->kma
.param
.t
.b
, gctx
->taglen
))
1760 static int s390x_aes_gcm_cleanup(EVP_CIPHER_CTX
*c
)
1762 S390X_AES_GCM_CTX
*gctx
= EVP_C_DATA(S390X_AES_GCM_CTX
, c
);
1767 if (gctx
->iv
!= c
->iv
)
1768 OPENSSL_free(gctx
->iv
);
1770 OPENSSL_cleanse(gctx
, sizeof(*gctx
));
1774 # define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
1776 # define s390x_aes_xts_init_key aes_xts_init_key
1777 static int s390x_aes_xts_init_key(EVP_CIPHER_CTX
*ctx
,
1778 const unsigned char *key
,
1779 const unsigned char *iv
, int enc
);
1780 # define s390x_aes_xts_cipher aes_xts_cipher
1781 static int s390x_aes_xts_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1782 const unsigned char *in
, size_t len
);
1783 # define s390x_aes_xts_ctrl aes_xts_ctrl
1784 static int s390x_aes_xts_ctrl(EVP_CIPHER_CTX
*, int type
, int arg
, void *ptr
);
1785 # define s390x_aes_xts_cleanup aes_xts_cleanup
1788 * Set nonce and length fields. Code is big-endian.
1790 static inline void s390x_aes_ccm_setiv(S390X_AES_CCM_CTX
*ctx
,
1791 const unsigned char *nonce
,
1794 ctx
->aes
.ccm
.nonce
.b
[0] &= ~S390X_CCM_AAD_FLAG
;
1795 ctx
->aes
.ccm
.nonce
.g
[1] = mlen
;
1796 memcpy(ctx
->aes
.ccm
.nonce
.b
+ 1, nonce
, 15 - ctx
->aes
.ccm
.l
);
1800 * Process additional authenticated data. Code is big-endian.
1802 static void s390x_aes_ccm_aad(S390X_AES_CCM_CTX
*ctx
, const unsigned char *aad
,
1811 ctx
->aes
.ccm
.nonce
.b
[0] |= S390X_CCM_AAD_FLAG
;
1813 /* Suppress 'type-punned pointer dereference' warning. */
1814 ptr
= ctx
->aes
.ccm
.buf
.b
;
1816 if (alen
< ((1 << 16) - (1 << 8))) {
1817 *(uint16_t *)ptr
= alen
;
1819 } else if (sizeof(alen
) == 8
1820 && alen
>= (size_t)1 << (32 % (sizeof(alen
) * 8))) {
1821 *(uint16_t *)ptr
= 0xffff;
1822 *(uint64_t *)(ptr
+ 2) = alen
;
1825 *(uint16_t *)ptr
= 0xfffe;
1826 *(uint32_t *)(ptr
+ 2) = alen
;
1830 while (i
< 16 && alen
) {
1831 ctx
->aes
.ccm
.buf
.b
[i
] = *aad
;
1837 ctx
->aes
.ccm
.buf
.b
[i
] = 0;
1841 ctx
->aes
.ccm
.kmac_param
.icv
.g
[0] = 0;
1842 ctx
->aes
.ccm
.kmac_param
.icv
.g
[1] = 0;
1843 s390x_kmac(ctx
->aes
.ccm
.nonce
.b
, 32, ctx
->aes
.ccm
.fc
,
1844 &ctx
->aes
.ccm
.kmac_param
);
1845 ctx
->aes
.ccm
.blocks
+= 2;
1848 alen
&= ~(size_t)0xf;
1850 s390x_kmac(aad
, alen
, ctx
->aes
.ccm
.fc
, &ctx
->aes
.ccm
.kmac_param
);
1851 ctx
->aes
.ccm
.blocks
+= alen
>> 4;
1855 for (i
= 0; i
< rem
; i
++)
1856 ctx
->aes
.ccm
.kmac_param
.icv
.b
[i
] ^= aad
[i
];
1858 s390x_km(ctx
->aes
.ccm
.kmac_param
.icv
.b
, 16,
1859 ctx
->aes
.ccm
.kmac_param
.icv
.b
, ctx
->aes
.ccm
.fc
,
1860 ctx
->aes
.ccm
.kmac_param
.k
);
1861 ctx
->aes
.ccm
.blocks
++;
1866 * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 0 for
1869 static int s390x_aes_ccm(S390X_AES_CCM_CTX
*ctx
, const unsigned char *in
,
1870 unsigned char *out
, size_t len
, int enc
)
1873 unsigned int i
, l
, num
;
1874 unsigned char flags
;
1876 flags
= ctx
->aes
.ccm
.nonce
.b
[0];
1877 if (!(flags
& S390X_CCM_AAD_FLAG
)) {
1878 s390x_km(ctx
->aes
.ccm
.nonce
.b
, 16, ctx
->aes
.ccm
.kmac_param
.icv
.b
,
1879 ctx
->aes
.ccm
.fc
, ctx
->aes
.ccm
.kmac_param
.k
);
1880 ctx
->aes
.ccm
.blocks
++;
1883 ctx
->aes
.ccm
.nonce
.b
[0] = l
;
1886 * Reconstruct length from encoded length field
1887 * and initialize it with counter value.
1890 for (i
= 15 - l
; i
< 15; i
++) {
1891 n
|= ctx
->aes
.ccm
.nonce
.b
[i
];
1892 ctx
->aes
.ccm
.nonce
.b
[i
] = 0;
1895 n
|= ctx
->aes
.ccm
.nonce
.b
[15];
1896 ctx
->aes
.ccm
.nonce
.b
[15] = 1;
1899 return -1; /* length mismatch */
1902 /* Two operations per block plus one for tag encryption */
1903 ctx
->aes
.ccm
.blocks
+= (((len
+ 15) >> 4) << 1) + 1;
1904 if (ctx
->aes
.ccm
.blocks
> (1ULL << 61))
1905 return -2; /* too much data */
1910 len
&= ~(size_t)0xf;
1913 /* mac-then-encrypt */
1915 s390x_kmac(in
, len
, ctx
->aes
.ccm
.fc
, &ctx
->aes
.ccm
.kmac_param
);
1917 for (i
= 0; i
< rem
; i
++)
1918 ctx
->aes
.ccm
.kmac_param
.icv
.b
[i
] ^= in
[len
+ i
];
1920 s390x_km(ctx
->aes
.ccm
.kmac_param
.icv
.b
, 16,
1921 ctx
->aes
.ccm
.kmac_param
.icv
.b
, ctx
->aes
.ccm
.fc
,
1922 ctx
->aes
.ccm
.kmac_param
.k
);
1925 CRYPTO_ctr128_encrypt_ctr32(in
, out
, len
+ rem
, &ctx
->aes
.key
.k
,
1926 ctx
->aes
.ccm
.nonce
.b
, ctx
->aes
.ccm
.buf
.b
,
1927 &num
, (ctr128_f
)AES_ctr32_encrypt
);
1929 /* decrypt-then-mac */
1930 CRYPTO_ctr128_encrypt_ctr32(in
, out
, len
+ rem
, &ctx
->aes
.key
.k
,
1931 ctx
->aes
.ccm
.nonce
.b
, ctx
->aes
.ccm
.buf
.b
,
1932 &num
, (ctr128_f
)AES_ctr32_encrypt
);
1935 s390x_kmac(out
, len
, ctx
->aes
.ccm
.fc
, &ctx
->aes
.ccm
.kmac_param
);
1937 for (i
= 0; i
< rem
; i
++)
1938 ctx
->aes
.ccm
.kmac_param
.icv
.b
[i
] ^= out
[len
+ i
];
1940 s390x_km(ctx
->aes
.ccm
.kmac_param
.icv
.b
, 16,
1941 ctx
->aes
.ccm
.kmac_param
.icv
.b
, ctx
->aes
.ccm
.fc
,
1942 ctx
->aes
.ccm
.kmac_param
.k
);
1946 for (i
= 15 - l
; i
< 16; i
++)
1947 ctx
->aes
.ccm
.nonce
.b
[i
] = 0;
1949 s390x_km(ctx
->aes
.ccm
.nonce
.b
, 16, ctx
->aes
.ccm
.buf
.b
, ctx
->aes
.ccm
.fc
,
1950 ctx
->aes
.ccm
.kmac_param
.k
);
1951 ctx
->aes
.ccm
.kmac_param
.icv
.g
[0] ^= ctx
->aes
.ccm
.buf
.g
[0];
1952 ctx
->aes
.ccm
.kmac_param
.icv
.g
[1] ^= ctx
->aes
.ccm
.buf
.g
[1];
1954 ctx
->aes
.ccm
.nonce
.b
[0] = flags
; /* restore flags field */
1959 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
1960 * if successful. Otherwise -1 is returned.
1962 static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1963 const unsigned char *in
, size_t len
)
1965 S390X_AES_CCM_CTX
*cctx
= EVP_C_DATA(S390X_AES_CCM_CTX
, ctx
);
1966 unsigned char *ivec
= ctx
->iv
;
1967 unsigned char *buf
= EVP_CIPHER_CTX_buf_noconst(ctx
);
1968 const int enc
= EVP_CIPHER_CTX_is_encrypting(ctx
);
1971 || len
< (EVP_CCM_TLS_EXPLICIT_IV_LEN
+ (size_t)cctx
->aes
.ccm
.m
))
1975 /* Set explicit iv (sequence number). */
1976 memcpy(out
, buf
, EVP_CCM_TLS_EXPLICIT_IV_LEN
);
1979 len
-= EVP_CCM_TLS_EXPLICIT_IV_LEN
+ cctx
->aes
.ccm
.m
;
1981 * Get explicit iv (sequence number). We already have fixed iv
1982 * (server/client_write_iv) here.
1984 memcpy(ivec
+ EVP_CCM_TLS_FIXED_IV_LEN
, in
, EVP_CCM_TLS_EXPLICIT_IV_LEN
);
1985 s390x_aes_ccm_setiv(cctx
, ivec
, len
);
1987 /* Process aad (sequence number|type|version|length) */
1988 s390x_aes_ccm_aad(cctx
, buf
, cctx
->aes
.ccm
.tls_aad_len
);
1990 in
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
1991 out
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
1994 if (s390x_aes_ccm(cctx
, in
, out
, len
, enc
))
1997 memcpy(out
+ len
, cctx
->aes
.ccm
.kmac_param
.icv
.b
, cctx
->aes
.ccm
.m
);
1998 return len
+ EVP_CCM_TLS_EXPLICIT_IV_LEN
+ cctx
->aes
.ccm
.m
;
2000 if (!s390x_aes_ccm(cctx
, in
, out
, len
, enc
)) {
2001 if (!CRYPTO_memcmp(cctx
->aes
.ccm
.kmac_param
.icv
.b
, in
+ len
,
2006 OPENSSL_cleanse(out
, len
);
2012 * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
2015 static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX
*ctx
,
2016 const unsigned char *key
,
2017 const unsigned char *iv
, int enc
)
2019 S390X_AES_CCM_CTX
*cctx
= EVP_C_DATA(S390X_AES_CCM_CTX
, ctx
);
2022 if (iv
== NULL
&& key
== NULL
)
2026 keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
2028 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
2032 cctx
->aes
.ccm
.fc
= S390X_AES_FC(keylen
);
2033 memcpy(cctx
->aes
.ccm
.kmac_param
.k
, key
, keylen
);
2035 /* Store encoded m and l. */
2036 cctx
->aes
.ccm
.nonce
.b
[0] = ((cctx
->aes
.ccm
.l
- 1) & 0x7)
2037 | (((cctx
->aes
.ccm
.m
- 2) >> 1) & 0x7) << 3;
2038 memset(cctx
->aes
.ccm
.nonce
.b
+ 1, 0,
2039 sizeof(cctx
->aes
.ccm
.nonce
.b
));
2040 cctx
->aes
.ccm
.blocks
= 0;
2042 cctx
->aes
.ccm
.key_set
= 1;
2046 memcpy(ctx
->iv
, iv
, 15 - cctx
->aes
.ccm
.l
);
2048 cctx
->aes
.ccm
.iv_set
= 1;
2055 * Called from EVP layer to initialize context, process additional
2056 * authenticated data, en/de-crypt plain/cipher-text and authenticate
2057 * plaintext or process a TLS packet, depending on context. Returns bytes
2058 * written on success. Otherwise -1 is returned.
2060 static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2061 const unsigned char *in
, size_t len
)
2063 S390X_AES_CCM_CTX
*cctx
= EVP_C_DATA(S390X_AES_CCM_CTX
, ctx
);
2064 const int enc
= EVP_CIPHER_CTX_is_encrypting(ctx
);
2068 if (!cctx
->aes
.ccm
.key_set
)
2071 if (cctx
->aes
.ccm
.tls_aad_len
>= 0)
2072 return s390x_aes_ccm_tls_cipher(ctx
, out
, in
, len
);
2075 * Final(): Does not return any data. Recall that ccm is mac-then-encrypt
2076 * so integrity must be checked already at Update() i.e., before
2077 * potentially corrupted data is output.
2079 if (in
== NULL
&& out
!= NULL
)
2082 if (!cctx
->aes
.ccm
.iv_set
)
2086 /* Update(): Pass message length. */
2088 s390x_aes_ccm_setiv(cctx
, ctx
->iv
, len
);
2090 cctx
->aes
.ccm
.len_set
= 1;
2094 /* Update(): Process aad. */
2095 if (!cctx
->aes
.ccm
.len_set
&& len
)
2098 s390x_aes_ccm_aad(cctx
, in
, len
);
2102 /* The tag must be set before actually decrypting data */
2103 if (!enc
&& !cctx
->aes
.ccm
.tag_set
)
2106 /* Update(): Process message. */
2108 if (!cctx
->aes
.ccm
.len_set
) {
2110 * In case message length was not previously set explicitly via
2111 * Update(), set it now.
2113 s390x_aes_ccm_setiv(cctx
, ctx
->iv
, len
);
2115 cctx
->aes
.ccm
.len_set
= 1;
2119 if (s390x_aes_ccm(cctx
, in
, out
, len
, enc
))
2122 cctx
->aes
.ccm
.tag_set
= 1;
2127 if (!s390x_aes_ccm(cctx
, in
, out
, len
, enc
)) {
2128 buf
= EVP_CIPHER_CTX_buf_noconst(ctx
);
2129 if (!CRYPTO_memcmp(cctx
->aes
.ccm
.kmac_param
.icv
.b
, buf
,
2135 OPENSSL_cleanse(out
, len
);
2137 cctx
->aes
.ccm
.iv_set
= 0;
2138 cctx
->aes
.ccm
.tag_set
= 0;
2139 cctx
->aes
.ccm
.len_set
= 0;
2145 * Performs various operations on the context structure depending on control
2146 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
2147 * Code is big-endian.
2149 static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
2151 S390X_AES_CCM_CTX
*cctx
= EVP_C_DATA(S390X_AES_CCM_CTX
, c
);
2157 cctx
->aes
.ccm
.key_set
= 0;
2158 cctx
->aes
.ccm
.iv_set
= 0;
2159 cctx
->aes
.ccm
.l
= 8;
2160 cctx
->aes
.ccm
.m
= 12;
2161 cctx
->aes
.ccm
.tag_set
= 0;
2162 cctx
->aes
.ccm
.len_set
= 0;
2163 cctx
->aes
.ccm
.tls_aad_len
= -1;
2166 case EVP_CTRL_GET_IVLEN
:
2167 *(int *)ptr
= 15 - cctx
->aes
.ccm
.l
;
2170 case EVP_CTRL_AEAD_TLS1_AAD
:
2171 if (arg
!= EVP_AEAD_TLS1_AAD_LEN
)
2174 /* Save the aad for later use. */
2175 buf
= EVP_CIPHER_CTX_buf_noconst(c
);
2176 memcpy(buf
, ptr
, arg
);
2177 cctx
->aes
.ccm
.tls_aad_len
= arg
;
2179 len
= buf
[arg
- 2] << 8 | buf
[arg
- 1];
2180 if (len
< EVP_CCM_TLS_EXPLICIT_IV_LEN
)
2183 /* Correct length for explicit iv. */
2184 len
-= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
2186 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
2188 if (len
< cctx
->aes
.ccm
.m
)
2191 /* Correct length for tag. */
2192 len
-= cctx
->aes
.ccm
.m
;
2195 buf
[arg
- 2] = len
>> 8;
2196 buf
[arg
- 1] = len
& 0xff;
2198 /* Extra padding: tag appended to record. */
2199 return cctx
->aes
.ccm
.m
;
2201 case EVP_CTRL_CCM_SET_IV_FIXED
:
2202 if (arg
!= EVP_CCM_TLS_FIXED_IV_LEN
)
2205 /* Copy to first part of the iv. */
2206 memcpy(c
->iv
, ptr
, arg
);
2209 case EVP_CTRL_AEAD_SET_IVLEN
:
2213 case EVP_CTRL_CCM_SET_L
:
2214 if (arg
< 2 || arg
> 8)
2217 cctx
->aes
.ccm
.l
= arg
;
2220 case EVP_CTRL_AEAD_SET_TAG
:
2221 if ((arg
& 1) || arg
< 4 || arg
> 16)
2224 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
2229 cctx
->aes
.ccm
.tag_set
= 1;
2230 buf
= EVP_CIPHER_CTX_buf_noconst(c
);
2231 memcpy(buf
, ptr
, arg
);
2234 cctx
->aes
.ccm
.m
= arg
;
2237 case EVP_CTRL_AEAD_GET_TAG
:
2238 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
2239 if (!enc
|| !cctx
->aes
.ccm
.tag_set
)
2242 if (arg
< cctx
->aes
.ccm
.m
)
2245 memcpy(ptr
, cctx
->aes
.ccm
.kmac_param
.icv
.b
, cctx
->aes
.ccm
.m
);
2246 cctx
->aes
.ccm
.tag_set
= 0;
2247 cctx
->aes
.ccm
.iv_set
= 0;
2248 cctx
->aes
.ccm
.len_set
= 0;
2259 # define s390x_aes_ccm_cleanup aes_ccm_cleanup
2261 # ifndef OPENSSL_NO_OCB
2262 # define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
2264 # define s390x_aes_ocb_init_key aes_ocb_init_key
2265 static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
2266 const unsigned char *iv
, int enc
);
2267 # define s390x_aes_ocb_cipher aes_ocb_cipher
2268 static int s390x_aes_ocb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2269 const unsigned char *in
, size_t len
);
2270 # define s390x_aes_ocb_cleanup aes_ocb_cleanup
2271 static int s390x_aes_ocb_cleanup(EVP_CIPHER_CTX
*);
2272 # define s390x_aes_ocb_ctrl aes_ocb_ctrl
2273 static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX
*, int type
, int arg
, void *ptr
);
2276 # ifndef OPENSSL_NO_SIV
2277 # define S390X_AES_SIV_CTX EVP_AES_SIV_CTX
2279 # define s390x_aes_siv_init_key aes_siv_init_key
2280 # define s390x_aes_siv_cipher aes_siv_cipher
2281 # define s390x_aes_siv_cleanup aes_siv_cleanup
2282 # define s390x_aes_siv_ctrl aes_siv_ctrl
2285 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
2287 static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2288 nid##_##keylen##_##nmode,blocksize, \
2291 flags | EVP_CIPH_##MODE##_MODE, \
2293 s390x_aes_##mode##_init_key, \
2294 s390x_aes_##mode##_cipher, \
2296 sizeof(S390X_AES_##MODE##_CTX), \
2302 static const EVP_CIPHER aes_##keylen##_##mode = { \
2303 nid##_##keylen##_##nmode, \
2307 flags | EVP_CIPH_##MODE##_MODE, \
2310 aes_##mode##_cipher, \
2312 sizeof(EVP_AES_KEY), \
2318 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2320 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2321 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2324 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
2325 static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2326 nid##_##keylen##_##mode, \
2328 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
2330 flags | EVP_CIPH_##MODE##_MODE, \
2332 s390x_aes_##mode##_init_key, \
2333 s390x_aes_##mode##_cipher, \
2334 s390x_aes_##mode##_cleanup, \
2335 sizeof(S390X_AES_##MODE##_CTX), \
2338 s390x_aes_##mode##_ctrl, \
2341 static const EVP_CIPHER aes_##keylen##_##mode = { \
2342 nid##_##keylen##_##mode,blocksize, \
2343 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
2345 flags | EVP_CIPH_##MODE##_MODE, \
2347 aes_##mode##_init_key, \
2348 aes_##mode##_cipher, \
2349 aes_##mode##_cleanup, \
2350 sizeof(EVP_AES_##MODE##_CTX), \
2353 aes_##mode##_ctrl, \
2356 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2358 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2359 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2364 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
2365 static const EVP_CIPHER aes_##keylen##_##mode = { \
2366 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
2367 flags|EVP_CIPH_##MODE##_MODE, \
2370 aes_##mode##_cipher, \
2372 sizeof(EVP_AES_KEY), \
2373 NULL,NULL,NULL,NULL }; \
2374 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2375 { return &aes_##keylen##_##mode; }
2377 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
2378 static const EVP_CIPHER aes_##keylen##_##mode = { \
2379 nid##_##keylen##_##mode,blocksize, \
2380 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
2382 flags|EVP_CIPH_##MODE##_MODE, \
2384 aes_##mode##_init_key, \
2385 aes_##mode##_cipher, \
2386 aes_##mode##_cleanup, \
2387 sizeof(EVP_AES_##MODE##_CTX), \
2388 NULL,NULL,aes_##mode##_ctrl,NULL }; \
2389 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2390 { return &aes_##keylen##_##mode; }
2394 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
2395 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2396 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2397 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2398 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2399 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
2400 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
2401 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
2403 static int aes_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
2404 const unsigned char *iv
, int enc
)
2407 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2408 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
2411 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
2415 mode
= EVP_CIPHER_CTX_get_mode(ctx
);
2416 if ((mode
== EVP_CIPH_ECB_MODE
|| mode
== EVP_CIPH_CBC_MODE
)
2418 #ifdef HWAES_CAPABLE
2419 if (HWAES_CAPABLE
) {
2420 ret
= HWAES_set_decrypt_key(key
, keylen
, &dat
->ks
.ks
);
2421 dat
->block
= (block128_f
) HWAES_decrypt
;
2422 dat
->stream
.cbc
= NULL
;
2423 # ifdef HWAES_cbc_encrypt
2424 if (mode
== EVP_CIPH_CBC_MODE
)
2425 dat
->stream
.cbc
= (cbc128_f
) HWAES_cbc_encrypt
;
2429 #ifdef BSAES_CAPABLE
2430 if (BSAES_CAPABLE
&& mode
== EVP_CIPH_CBC_MODE
) {
2431 ret
= AES_set_decrypt_key(key
, keylen
, &dat
->ks
.ks
);
2432 dat
->block
= (block128_f
) AES_decrypt
;
2433 dat
->stream
.cbc
= (cbc128_f
) ossl_bsaes_cbc_encrypt
;
2436 #ifdef VPAES_CAPABLE
2437 if (VPAES_CAPABLE
) {
2438 ret
= vpaes_set_decrypt_key(key
, keylen
, &dat
->ks
.ks
);
2439 dat
->block
= (block128_f
) vpaes_decrypt
;
2440 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
2441 (cbc128_f
) vpaes_cbc_encrypt
: NULL
;
2445 ret
= AES_set_decrypt_key(key
, keylen
, &dat
->ks
.ks
);
2446 dat
->block
= (block128_f
) AES_decrypt
;
2447 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
2448 (cbc128_f
) AES_cbc_encrypt
: NULL
;
2451 #ifdef HWAES_CAPABLE
2452 if (HWAES_CAPABLE
) {
2453 ret
= HWAES_set_encrypt_key(key
, keylen
, &dat
->ks
.ks
);
2454 dat
->block
= (block128_f
) HWAES_encrypt
;
2455 dat
->stream
.cbc
= NULL
;
2456 # ifdef HWAES_cbc_encrypt
2457 if (mode
== EVP_CIPH_CBC_MODE
)
2458 dat
->stream
.cbc
= (cbc128_f
) HWAES_cbc_encrypt
;
2461 # ifdef HWAES_ctr32_encrypt_blocks
2462 if (mode
== EVP_CIPH_CTR_MODE
)
2463 dat
->stream
.ctr
= (ctr128_f
) HWAES_ctr32_encrypt_blocks
;
2466 (void)0; /* terminate potentially open 'else' */
2469 #ifdef BSAES_CAPABLE
2470 if (BSAES_CAPABLE
&& mode
== EVP_CIPH_CTR_MODE
) {
2471 ret
= AES_set_encrypt_key(key
, keylen
, &dat
->ks
.ks
);
2472 dat
->block
= (block128_f
) AES_encrypt
;
2473 dat
->stream
.ctr
= (ctr128_f
) ossl_bsaes_ctr32_encrypt_blocks
;
2476 #ifdef VPAES_CAPABLE
2477 if (VPAES_CAPABLE
) {
2478 ret
= vpaes_set_encrypt_key(key
, keylen
, &dat
->ks
.ks
);
2479 dat
->block
= (block128_f
) vpaes_encrypt
;
2480 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
2481 (cbc128_f
) vpaes_cbc_encrypt
: NULL
;
2485 ret
= AES_set_encrypt_key(key
, keylen
, &dat
->ks
.ks
);
2486 dat
->block
= (block128_f
) AES_encrypt
;
2487 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
2488 (cbc128_f
) AES_cbc_encrypt
: NULL
;
2490 if (mode
== EVP_CIPH_CTR_MODE
)
2491 dat
->stream
.ctr
= (ctr128_f
) AES_ctr32_encrypt
;
2496 ERR_raise(ERR_LIB_EVP
, EVP_R_AES_KEY_SETUP_FAILED
);
2503 static int aes_cbc_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2504 const unsigned char *in
, size_t len
)
2506 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2508 if (dat
->stream
.cbc
)
2509 (*dat
->stream
.cbc
) (in
, out
, len
, &dat
->ks
, ctx
->iv
,
2510 EVP_CIPHER_CTX_is_encrypting(ctx
));
2511 else if (EVP_CIPHER_CTX_is_encrypting(ctx
))
2512 CRYPTO_cbc128_encrypt(in
, out
, len
, &dat
->ks
, ctx
->iv
,
2515 CRYPTO_cbc128_decrypt(in
, out
, len
, &dat
->ks
,
2516 ctx
->iv
, dat
->block
);
2521 static int aes_ecb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2522 const unsigned char *in
, size_t len
)
2524 size_t bl
= EVP_CIPHER_CTX_get_block_size(ctx
);
2526 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2531 for (i
= 0, len
-= bl
; i
<= len
; i
+= bl
)
2532 (*dat
->block
) (in
+ i
, out
+ i
, &dat
->ks
);
2537 static int aes_ofb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2538 const unsigned char *in
, size_t len
)
2540 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2542 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2543 CRYPTO_ofb128_encrypt(in
, out
, len
, &dat
->ks
,
2544 ctx
->iv
, &num
, dat
->block
);
2545 EVP_CIPHER_CTX_set_num(ctx
, num
);
2549 static int aes_cfb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2550 const unsigned char *in
, size_t len
)
2552 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2554 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2555 CRYPTO_cfb128_encrypt(in
, out
, len
, &dat
->ks
,
2557 EVP_CIPHER_CTX_is_encrypting(ctx
), dat
->block
);
2558 EVP_CIPHER_CTX_set_num(ctx
, num
);
2562 static int aes_cfb8_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2563 const unsigned char *in
, size_t len
)
2565 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2567 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2568 CRYPTO_cfb128_8_encrypt(in
, out
, len
, &dat
->ks
,
2570 EVP_CIPHER_CTX_is_encrypting(ctx
), dat
->block
);
2571 EVP_CIPHER_CTX_set_num(ctx
, num
);
2575 static int aes_cfb1_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2576 const unsigned char *in
, size_t len
)
2578 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2580 if (EVP_CIPHER_CTX_test_flags(ctx
, EVP_CIPH_FLAG_LENGTH_BITS
)) {
2581 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2582 CRYPTO_cfb128_1_encrypt(in
, out
, len
, &dat
->ks
,
2584 EVP_CIPHER_CTX_is_encrypting(ctx
), dat
->block
);
2585 EVP_CIPHER_CTX_set_num(ctx
, num
);
2589 while (len
>= MAXBITCHUNK
) {
2590 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2591 CRYPTO_cfb128_1_encrypt(in
, out
, MAXBITCHUNK
* 8, &dat
->ks
,
2593 EVP_CIPHER_CTX_is_encrypting(ctx
), dat
->block
);
2594 EVP_CIPHER_CTX_set_num(ctx
, num
);
2600 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2601 CRYPTO_cfb128_1_encrypt(in
, out
, len
* 8, &dat
->ks
,
2603 EVP_CIPHER_CTX_is_encrypting(ctx
), dat
->block
);
2604 EVP_CIPHER_CTX_set_num(ctx
, num
);
2610 static int aes_ctr_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2611 const unsigned char *in
, size_t len
)
2613 int n
= EVP_CIPHER_CTX_get_num(ctx
);
2615 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2619 num
= (unsigned int)n
;
2621 if (dat
->stream
.ctr
)
2622 CRYPTO_ctr128_encrypt_ctr32(in
, out
, len
, &dat
->ks
,
2624 EVP_CIPHER_CTX_buf_noconst(ctx
),
2625 &num
, dat
->stream
.ctr
);
2627 CRYPTO_ctr128_encrypt(in
, out
, len
, &dat
->ks
,
2629 EVP_CIPHER_CTX_buf_noconst(ctx
), &num
,
2631 EVP_CIPHER_CTX_set_num(ctx
, num
);
2635 BLOCK_CIPHER_generic_pack(NID_aes
, 128, 0)
2636 BLOCK_CIPHER_generic_pack(NID_aes
, 192, 0)
2637 BLOCK_CIPHER_generic_pack(NID_aes
, 256, 0)
2639 static int aes_gcm_cleanup(EVP_CIPHER_CTX
*c
)
2641 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,c
);
2644 OPENSSL_cleanse(&gctx
->gcm
, sizeof(gctx
->gcm
));
2645 if (gctx
->iv
!= c
->iv
)
2646 OPENSSL_free(gctx
->iv
);
2650 static int aes_gcm_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
2652 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,c
);
2657 gctx
->ivlen
= EVP_CIPHER_get_iv_length(c
->cipher
);
2661 gctx
->tls_aad_len
= -1;
2664 case EVP_CTRL_GET_IVLEN
:
2665 *(int *)ptr
= gctx
->ivlen
;
2668 case EVP_CTRL_AEAD_SET_IVLEN
:
2671 /* Allocate memory for IV if needed */
2672 if ((arg
> EVP_MAX_IV_LENGTH
) && (arg
> gctx
->ivlen
)) {
2673 if (gctx
->iv
!= c
->iv
)
2674 OPENSSL_free(gctx
->iv
);
2675 if ((gctx
->iv
= OPENSSL_malloc(arg
)) == NULL
)
2681 case EVP_CTRL_AEAD_SET_TAG
:
2682 if (arg
<= 0 || arg
> 16 || c
->encrypt
)
2684 memcpy(c
->buf
, ptr
, arg
);
2688 case EVP_CTRL_AEAD_GET_TAG
:
2689 if (arg
<= 0 || arg
> 16 || !c
->encrypt
2690 || gctx
->taglen
< 0)
2692 memcpy(ptr
, c
->buf
, arg
);
2695 case EVP_CTRL_GCM_SET_IV_FIXED
:
2696 /* Special case: -1 length restores whole IV */
2698 memcpy(gctx
->iv
, ptr
, gctx
->ivlen
);
2703 * Fixed field must be at least 4 bytes and invocation field at least
2706 if ((arg
< 4) || (gctx
->ivlen
- arg
) < 8)
2709 memcpy(gctx
->iv
, ptr
, arg
);
2710 if (c
->encrypt
&& RAND_bytes(gctx
->iv
+ arg
, gctx
->ivlen
- arg
) <= 0)
2715 case EVP_CTRL_GCM_IV_GEN
:
2716 if (gctx
->iv_gen
== 0 || gctx
->key_set
== 0)
2718 CRYPTO_gcm128_setiv(&gctx
->gcm
, gctx
->iv
, gctx
->ivlen
);
2719 if (arg
<= 0 || arg
> gctx
->ivlen
)
2721 memcpy(ptr
, gctx
->iv
+ gctx
->ivlen
- arg
, arg
);
2723 * Invocation field will be at least 8 bytes in size and so no need
2724 * to check wrap around or increment more than last 8 bytes.
2726 ctr64_inc(gctx
->iv
+ gctx
->ivlen
- 8);
2730 case EVP_CTRL_GCM_SET_IV_INV
:
2731 if (gctx
->iv_gen
== 0 || gctx
->key_set
== 0 || c
->encrypt
)
2733 memcpy(gctx
->iv
+ gctx
->ivlen
- arg
, ptr
, arg
);
2734 CRYPTO_gcm128_setiv(&gctx
->gcm
, gctx
->iv
, gctx
->ivlen
);
2738 case EVP_CTRL_AEAD_TLS1_AAD
:
2739 /* Save the AAD for later use */
2740 if (arg
!= EVP_AEAD_TLS1_AAD_LEN
)
2742 memcpy(c
->buf
, ptr
, arg
);
2743 gctx
->tls_aad_len
= arg
;
2744 gctx
->tls_enc_records
= 0;
2746 unsigned int len
= c
->buf
[arg
- 2] << 8 | c
->buf
[arg
- 1];
2747 /* Correct length for explicit IV */
2748 if (len
< EVP_GCM_TLS_EXPLICIT_IV_LEN
)
2750 len
-= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
2751 /* If decrypting correct for tag too */
2753 if (len
< EVP_GCM_TLS_TAG_LEN
)
2755 len
-= EVP_GCM_TLS_TAG_LEN
;
2757 c
->buf
[arg
- 2] = len
>> 8;
2758 c
->buf
[arg
- 1] = len
& 0xff;
2760 /* Extra padding: tag appended to record */
2761 return EVP_GCM_TLS_TAG_LEN
;
2765 EVP_CIPHER_CTX
*out
= ptr
;
2766 EVP_AES_GCM_CTX
*gctx_out
= EVP_C_DATA(EVP_AES_GCM_CTX
,out
);
2767 if (gctx
->gcm
.key
) {
2768 if (gctx
->gcm
.key
!= &gctx
->ks
)
2770 gctx_out
->gcm
.key
= &gctx_out
->ks
;
2772 if (gctx
->iv
== c
->iv
)
2773 gctx_out
->iv
= out
->iv
;
2775 if ((gctx_out
->iv
= OPENSSL_malloc(gctx
->ivlen
)) == NULL
)
2777 memcpy(gctx_out
->iv
, gctx
->iv
, gctx
->ivlen
);
2788 static int aes_gcm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
2789 const unsigned char *iv
, int enc
)
2791 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,ctx
);
2793 if (iv
== NULL
&& key
== NULL
)
2797 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
2800 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
2804 #ifdef HWAES_CAPABLE
2805 if (HWAES_CAPABLE
) {
2806 HWAES_set_encrypt_key(key
, keylen
, &gctx
->ks
.ks
);
2807 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
,
2808 (block128_f
) HWAES_encrypt
);
2809 # ifdef HWAES_ctr32_encrypt_blocks
2810 gctx
->ctr
= (ctr128_f
) HWAES_ctr32_encrypt_blocks
;
2817 #ifdef BSAES_CAPABLE
2818 if (BSAES_CAPABLE
) {
2819 AES_set_encrypt_key(key
, keylen
, &gctx
->ks
.ks
);
2820 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
,
2821 (block128_f
) AES_encrypt
);
2822 gctx
->ctr
= (ctr128_f
) ossl_bsaes_ctr32_encrypt_blocks
;
2826 #ifdef VPAES_CAPABLE
2827 if (VPAES_CAPABLE
) {
2828 vpaes_set_encrypt_key(key
, keylen
, &gctx
->ks
.ks
);
2829 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
,
2830 (block128_f
) vpaes_encrypt
);
2835 (void)0; /* terminate potentially open 'else' */
2837 AES_set_encrypt_key(key
, keylen
, &gctx
->ks
.ks
);
2838 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
,
2839 (block128_f
) AES_encrypt
);
2841 gctx
->ctr
= (ctr128_f
) AES_ctr32_encrypt
;
2848 * If we have an iv can set it directly, otherwise use saved IV.
2850 if (iv
== NULL
&& gctx
->iv_set
)
2853 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
2858 /* If key set use IV, otherwise copy */
2860 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
2862 memcpy(gctx
->iv
, iv
, gctx
->ivlen
);
2870 * Handle TLS GCM packet format. This consists of the last portion of the IV
2871 * followed by the payload and finally the tag. On encrypt generate IV,
2872 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
2876 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2877 const unsigned char *in
, size_t len
)
2879 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,ctx
);
2881 /* Encrypt/decrypt must be performed in place */
2883 || len
< (EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
))
2887 * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
2888 * Requirements from SP 800-38D". The requirements is for one party to the
2889 * communication to fail after 2^64 - 1 keys. We do this on the encrypting
2892 if (EVP_CIPHER_CTX_is_encrypting(ctx
) && ++gctx
->tls_enc_records
== 0) {
2893 ERR_raise(ERR_LIB_EVP
, EVP_R_TOO_MANY_RECORDS
);
2898 * Set IV from start of buffer or generate IV and write to start of
2901 if (EVP_CIPHER_CTX_ctrl(ctx
,
2902 EVP_CIPHER_CTX_is_encrypting(ctx
) ?
2903 EVP_CTRL_GCM_IV_GEN
: EVP_CTRL_GCM_SET_IV_INV
,
2904 EVP_GCM_TLS_EXPLICIT_IV_LEN
, out
) <= 0)
2907 if (CRYPTO_gcm128_aad(&gctx
->gcm
, EVP_CIPHER_CTX_buf_noconst(ctx
),
2910 /* Fix buffer and length to point to payload */
2911 in
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
2912 out
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
2913 len
-= EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
;
2914 if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
2915 /* Encrypt payload */
2918 #if defined(AES_GCM_ASM)
2919 if (len
>= 32 && AES_GCM_ASM(gctx
)) {
2920 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
, NULL
, NULL
, 0))
2923 bulk
= AES_gcm_encrypt(in
, out
, len
,
2925 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
2926 gctx
->gcm
.len
.u
[1] += bulk
;
2929 if (CRYPTO_gcm128_encrypt_ctr32(&gctx
->gcm
,
2932 len
- bulk
, gctx
->ctr
))
2936 #if defined(AES_GCM_ASM2)
2937 if (len
>= 32 && AES_GCM_ASM2(gctx
)) {
2938 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
, NULL
, NULL
, 0))
2941 bulk
= AES_gcm_encrypt(in
, out
, len
,
2943 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
2944 gctx
->gcm
.len
.u
[1] += bulk
;
2947 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
,
2948 in
+ bulk
, out
+ bulk
, len
- bulk
))
2952 /* Finally write tag */
2953 CRYPTO_gcm128_tag(&gctx
->gcm
, out
, EVP_GCM_TLS_TAG_LEN
);
2954 rv
= len
+ EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
;
2959 #if defined(AES_GCM_ASM)
2960 if (len
>= 16 && AES_GCM_ASM(gctx
)) {
2961 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
, NULL
, NULL
, 0))
2964 bulk
= AES_gcm_decrypt(in
, out
, len
,
2966 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
2967 gctx
->gcm
.len
.u
[1] += bulk
;
2970 if (CRYPTO_gcm128_decrypt_ctr32(&gctx
->gcm
,
2973 len
- bulk
, gctx
->ctr
))
2977 #if defined(AES_GCM_ASM2)
2978 if (len
>= 16 && AES_GCM_ASM2(gctx
)) {
2979 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
, NULL
, NULL
, 0))
2982 bulk
= AES_gcm_decrypt(in
, out
, len
,
2984 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
2985 gctx
->gcm
.len
.u
[1] += bulk
;
2988 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
,
2989 in
+ bulk
, out
+ bulk
, len
- bulk
))
2993 CRYPTO_gcm128_tag(&gctx
->gcm
, EVP_CIPHER_CTX_buf_noconst(ctx
),
2994 EVP_GCM_TLS_TAG_LEN
);
2995 /* If tag mismatch wipe buffer */
2996 if (CRYPTO_memcmp(EVP_CIPHER_CTX_buf_noconst(ctx
), in
+ len
,
2997 EVP_GCM_TLS_TAG_LEN
)) {
2998 OPENSSL_cleanse(out
, len
);
3006 gctx
->tls_aad_len
= -1;
3012 * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
3014 * See also 8.2.2 RBG-based construction.
3015 * Random construction consists of a free field (which can be NULL) and a
3016 * random field which will use a DRBG that can return at least 96 bits of
3017 * entropy strength. (The DRBG must be seeded by the FIPS module).
3019 static int aes_gcm_iv_generate(EVP_AES_GCM_CTX
*gctx
, int offset
)
3021 int sz
= gctx
->ivlen
- offset
;
3023 /* Must be at least 96 bits */
3024 if (sz
<= 0 || gctx
->ivlen
< 12)
3027 /* Use DRBG to generate random iv */
3028 if (RAND_bytes(gctx
->iv
+ offset
, sz
) <= 0)
3032 #endif /* FIPS_MODULE */
3034 static int aes_gcm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
3035 const unsigned char *in
, size_t len
)
3037 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,ctx
);
3039 /* If not set up, return error */
3043 if (gctx
->tls_aad_len
>= 0)
3044 return aes_gcm_tls_cipher(ctx
, out
, in
, len
);
3048 * FIPS requires generation of AES-GCM IV's inside the FIPS module.
3049 * The IV can still be set externally (the security policy will state that
3050 * this is not FIPS compliant). There are some applications
3051 * where setting the IV externally is the only option available.
3053 if (!gctx
->iv_set
) {
3054 if (!EVP_CIPHER_CTX_is_encrypting(ctx
) || !aes_gcm_iv_generate(gctx
, 0))
3056 CRYPTO_gcm128_setiv(&gctx
->gcm
, gctx
->iv
, gctx
->ivlen
);
3058 gctx
->iv_gen_rand
= 1;
3063 #endif /* FIPS_MODULE */
3067 if (CRYPTO_gcm128_aad(&gctx
->gcm
, in
, len
))
3069 } else if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
3072 #if defined(AES_GCM_ASM)
3073 if (len
>= 32 && AES_GCM_ASM(gctx
)) {
3074 size_t res
= (16 - gctx
->gcm
.mres
) % 16;
3076 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
, in
, out
, res
))
3079 bulk
= AES_gcm_encrypt(in
+ res
,
3080 out
+ res
, len
- res
,
3081 gctx
->gcm
.key
, gctx
->gcm
.Yi
.c
,
3083 gctx
->gcm
.len
.u
[1] += bulk
;
3087 if (CRYPTO_gcm128_encrypt_ctr32(&gctx
->gcm
,
3090 len
- bulk
, gctx
->ctr
))
3094 #if defined(AES_GCM_ASM2)
3095 if (len
>= 32 && AES_GCM_ASM2(gctx
)) {
3096 size_t res
= (16 - gctx
->gcm
.mres
) % 16;
3098 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
, in
, out
, res
))
3101 bulk
= AES_gcm_encrypt(in
+ res
,
3102 out
+ res
, len
- res
,
3103 gctx
->gcm
.key
, gctx
->gcm
.Yi
.c
,
3105 gctx
->gcm
.len
.u
[1] += bulk
;
3109 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
,
3110 in
+ bulk
, out
+ bulk
, len
- bulk
))
3116 #if defined(AES_GCM_ASM)
3117 if (len
>= 16 && AES_GCM_ASM(gctx
)) {
3118 size_t res
= (16 - gctx
->gcm
.mres
) % 16;
3120 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
, in
, out
, res
))
3123 bulk
= AES_gcm_decrypt(in
+ res
,
3124 out
+ res
, len
- res
,
3126 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
3127 gctx
->gcm
.len
.u
[1] += bulk
;
3131 if (CRYPTO_gcm128_decrypt_ctr32(&gctx
->gcm
,
3134 len
- bulk
, gctx
->ctr
))
3138 #if defined(AES_GCM_ASM2)
3139 if (len
>= 16 && AES_GCM_ASM2(gctx
)) {
3140 size_t res
= (16 - gctx
->gcm
.mres
) % 16;
3142 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
, in
, out
, res
))
3145 bulk
= AES_gcm_decrypt(in
+ res
,
3146 out
+ res
, len
- res
,
3148 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
3149 gctx
->gcm
.len
.u
[1] += bulk
;
3153 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
,
3154 in
+ bulk
, out
+ bulk
, len
- bulk
))
3160 if (!EVP_CIPHER_CTX_is_encrypting(ctx
)) {
3161 if (gctx
->taglen
< 0)
3163 if (CRYPTO_gcm128_finish(&gctx
->gcm
,
3164 EVP_CIPHER_CTX_buf_noconst(ctx
),
3170 CRYPTO_gcm128_tag(&gctx
->gcm
, EVP_CIPHER_CTX_buf_noconst(ctx
), 16);
3172 /* Don't reuse the IV */
3179 #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
3180 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3181 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3182 | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
3184 BLOCK_CIPHER_custom(NID_aes
, 128, 1, 12, gcm
, GCM
,
3185 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3186 BLOCK_CIPHER_custom(NID_aes
, 192, 1, 12, gcm
, GCM
,
3187 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3188 BLOCK_CIPHER_custom(NID_aes
, 256, 1, 12, gcm
, GCM
,
3189 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3191 static int aes_xts_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
3193 EVP_AES_XTS_CTX
*xctx
= EVP_C_DATA(EVP_AES_XTS_CTX
, c
);
3195 if (type
== EVP_CTRL_COPY
) {
3196 EVP_CIPHER_CTX
*out
= ptr
;
3197 EVP_AES_XTS_CTX
*xctx_out
= EVP_C_DATA(EVP_AES_XTS_CTX
,out
);
3199 if (xctx
->xts
.key1
) {
3200 if (xctx
->xts
.key1
!= &xctx
->ks1
)
3202 xctx_out
->xts
.key1
= &xctx_out
->ks1
;
3204 if (xctx
->xts
.key2
) {
3205 if (xctx
->xts
.key2
!= &xctx
->ks2
)
3207 xctx_out
->xts
.key2
= &xctx_out
->ks2
;
3210 } else if (type
!= EVP_CTRL_INIT
)
3212 /* key1 and key2 are used as an indicator both key and IV are set */
3213 xctx
->xts
.key1
= NULL
;
3214 xctx
->xts
.key2
= NULL
;
3218 static int aes_xts_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
3219 const unsigned char *iv
, int enc
)
3221 EVP_AES_XTS_CTX
*xctx
= EVP_C_DATA(EVP_AES_XTS_CTX
,ctx
);
3223 if (iv
== NULL
&& key
== NULL
)
3228 /* The key is two half length keys in reality */
3229 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
3230 const int bytes
= keylen
/ 2;
3231 const int bits
= bytes
* 8;
3234 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
3238 * Verify that the two keys are different.
3240 * This addresses the vulnerability described in Rogaway's
3241 * September 2004 paper:
3243 * "Efficient Instantiations of Tweakable Blockciphers and
3244 * Refinements to Modes OCB and PMAC".
3245 * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
3247 * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
3249 * "The check for Key_1 != Key_2 shall be done at any place
3250 * BEFORE using the keys in the XTS-AES algorithm to process
3253 if ((!allow_insecure_decrypt
|| enc
)
3254 && CRYPTO_memcmp(key
, key
+ bytes
, bytes
) == 0) {
3255 ERR_raise(ERR_LIB_EVP
, EVP_R_XTS_DUPLICATED_KEYS
);
3260 xctx
->stream
= enc
? AES_xts_encrypt
: AES_xts_decrypt
;
3262 xctx
->stream
= NULL
;
3264 /* key_len is two AES keys */
3265 #ifdef HWAES_CAPABLE
3266 if (HWAES_CAPABLE
) {
3268 HWAES_set_encrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3269 xctx
->xts
.block1
= (block128_f
) HWAES_encrypt
;
3270 # ifdef HWAES_xts_encrypt
3271 xctx
->stream
= HWAES_xts_encrypt
;
3274 HWAES_set_decrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3275 xctx
->xts
.block1
= (block128_f
) HWAES_decrypt
;
3276 # ifdef HWAES_xts_decrypt
3277 xctx
->stream
= HWAES_xts_decrypt
;
3281 HWAES_set_encrypt_key(key
+ bytes
, bits
, &xctx
->ks2
.ks
);
3282 xctx
->xts
.block2
= (block128_f
) HWAES_encrypt
;
3284 xctx
->xts
.key1
= &xctx
->ks1
;
3288 #ifdef BSAES_CAPABLE
3290 xctx
->stream
= enc
? ossl_bsaes_xts_encrypt
: ossl_bsaes_xts_decrypt
;
3293 #ifdef VPAES_CAPABLE
3294 if (VPAES_CAPABLE
) {
3296 vpaes_set_encrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3297 xctx
->xts
.block1
= (block128_f
) vpaes_encrypt
;
3299 vpaes_set_decrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3300 xctx
->xts
.block1
= (block128_f
) vpaes_decrypt
;
3303 vpaes_set_encrypt_key(key
+ bytes
, bits
, &xctx
->ks2
.ks
);
3304 xctx
->xts
.block2
= (block128_f
) vpaes_encrypt
;
3306 xctx
->xts
.key1
= &xctx
->ks1
;
3310 (void)0; /* terminate potentially open 'else' */
3313 AES_set_encrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3314 xctx
->xts
.block1
= (block128_f
) AES_encrypt
;
3316 AES_set_decrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3317 xctx
->xts
.block1
= (block128_f
) AES_decrypt
;
3320 AES_set_encrypt_key(key
+ bytes
, bits
, &xctx
->ks2
.ks
);
3321 xctx
->xts
.block2
= (block128_f
) AES_encrypt
;
3323 xctx
->xts
.key1
= &xctx
->ks1
;
3328 xctx
->xts
.key2
= &xctx
->ks2
;
3329 memcpy(ctx
->iv
, iv
, 16);
3335 static int aes_xts_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
3336 const unsigned char *in
, size_t len
)
3338 EVP_AES_XTS_CTX
*xctx
= EVP_C_DATA(EVP_AES_XTS_CTX
,ctx
);
3340 if (xctx
->xts
.key1
== NULL
3341 || xctx
->xts
.key2
== NULL
3344 || len
< AES_BLOCK_SIZE
)
3348 * Impose a limit of 2^20 blocks per data unit as specified by
3349 * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007
3350 * indicated that this was a SHOULD NOT rather than a MUST NOT.
3351 * NIST SP 800-38E mandates the same limit.
3353 if (len
> XTS_MAX_BLOCKS_PER_DATA_UNIT
* AES_BLOCK_SIZE
) {
3354 ERR_raise(ERR_LIB_EVP
, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE
);
3359 (*xctx
->stream
) (in
, out
, len
,
3360 xctx
->xts
.key1
, xctx
->xts
.key2
,
3362 else if (CRYPTO_xts128_encrypt(&xctx
->xts
, ctx
->iv
, in
, out
, len
,
3363 EVP_CIPHER_CTX_is_encrypting(ctx
)))
3368 #define aes_xts_cleanup NULL
3370 #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
3371 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3372 | EVP_CIPH_CUSTOM_COPY)
3374 BLOCK_CIPHER_custom(NID_aes
, 128, 1, 16, xts
, XTS
, XTS_FLAGS
)
3375 BLOCK_CIPHER_custom(NID_aes
, 256, 1, 16, xts
, XTS
, XTS_FLAGS
)
3377 static int aes_ccm_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
3379 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,c
);
3388 cctx
->tls_aad_len
= -1;
3391 case EVP_CTRL_GET_IVLEN
:
3392 *(int *)ptr
= 15 - cctx
->L
;
3395 case EVP_CTRL_AEAD_TLS1_AAD
:
3396 /* Save the AAD for later use */
3397 if (arg
!= EVP_AEAD_TLS1_AAD_LEN
)
3399 memcpy(EVP_CIPHER_CTX_buf_noconst(c
), ptr
, arg
);
3400 cctx
->tls_aad_len
= arg
;
3403 EVP_CIPHER_CTX_buf_noconst(c
)[arg
- 2] << 8
3404 | EVP_CIPHER_CTX_buf_noconst(c
)[arg
- 1];
3405 /* Correct length for explicit IV */
3406 if (len
< EVP_CCM_TLS_EXPLICIT_IV_LEN
)
3408 len
-= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
3409 /* If decrypting correct for tag too */
3410 if (!EVP_CIPHER_CTX_is_encrypting(c
)) {
3415 EVP_CIPHER_CTX_buf_noconst(c
)[arg
- 2] = len
>> 8;
3416 EVP_CIPHER_CTX_buf_noconst(c
)[arg
- 1] = len
& 0xff;
3418 /* Extra padding: tag appended to record */
3421 case EVP_CTRL_CCM_SET_IV_FIXED
:
3422 /* Sanity check length */
3423 if (arg
!= EVP_CCM_TLS_FIXED_IV_LEN
)
3425 /* Just copy to first part of IV */
3426 memcpy(c
->iv
, ptr
, arg
);
3429 case EVP_CTRL_AEAD_SET_IVLEN
:
3432 case EVP_CTRL_CCM_SET_L
:
3433 if (arg
< 2 || arg
> 8)
3438 case EVP_CTRL_AEAD_SET_TAG
:
3439 if ((arg
& 1) || arg
< 4 || arg
> 16)
3441 if (EVP_CIPHER_CTX_is_encrypting(c
) && ptr
)
3445 memcpy(EVP_CIPHER_CTX_buf_noconst(c
), ptr
, arg
);
3450 case EVP_CTRL_AEAD_GET_TAG
:
3451 if (!EVP_CIPHER_CTX_is_encrypting(c
) || !cctx
->tag_set
)
3453 if (!CRYPTO_ccm128_tag(&cctx
->ccm
, ptr
, (size_t)arg
))
3462 EVP_CIPHER_CTX
*out
= ptr
;
3463 EVP_AES_CCM_CTX
*cctx_out
= EVP_C_DATA(EVP_AES_CCM_CTX
,out
);
3464 if (cctx
->ccm
.key
) {
3465 if (cctx
->ccm
.key
!= &cctx
->ks
)
3467 cctx_out
->ccm
.key
= &cctx_out
->ks
;
3478 static int aes_ccm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
3479 const unsigned char *iv
, int enc
)
3481 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,ctx
);
3483 if (iv
== NULL
&& key
== NULL
)
3487 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
3490 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
3494 #ifdef HWAES_CAPABLE
3495 if (HWAES_CAPABLE
) {
3496 HWAES_set_encrypt_key(key
, keylen
, &cctx
->ks
.ks
);
3498 CRYPTO_ccm128_init(&cctx
->ccm
, cctx
->M
, cctx
->L
,
3499 &cctx
->ks
, (block128_f
) HWAES_encrypt
);
3505 #ifdef VPAES_CAPABLE
3506 if (VPAES_CAPABLE
) {
3507 vpaes_set_encrypt_key(key
, keylen
, &cctx
->ks
.ks
);
3508 CRYPTO_ccm128_init(&cctx
->ccm
, cctx
->M
, cctx
->L
,
3509 &cctx
->ks
, (block128_f
) vpaes_encrypt
);
3515 AES_set_encrypt_key(key
, keylen
, &cctx
->ks
.ks
);
3516 CRYPTO_ccm128_init(&cctx
->ccm
, cctx
->M
, cctx
->L
,
3517 &cctx
->ks
, (block128_f
) AES_encrypt
);
3523 memcpy(ctx
->iv
, iv
, 15 - cctx
->L
);
3529 static int aes_ccm_tls_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
3530 const unsigned char *in
, size_t len
)
3532 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,ctx
);
3533 CCM128_CONTEXT
*ccm
= &cctx
->ccm
;
3534 /* Encrypt/decrypt must be performed in place */
3535 if (out
!= in
|| len
< (EVP_CCM_TLS_EXPLICIT_IV_LEN
+ (size_t)cctx
->M
))
3537 /* If encrypting set explicit IV from sequence number (start of AAD) */
3538 if (EVP_CIPHER_CTX_is_encrypting(ctx
))
3539 memcpy(out
, EVP_CIPHER_CTX_buf_noconst(ctx
),
3540 EVP_CCM_TLS_EXPLICIT_IV_LEN
);
3541 /* Get rest of IV from explicit IV */
3542 memcpy(ctx
->iv
+ EVP_CCM_TLS_FIXED_IV_LEN
, in
,
3543 EVP_CCM_TLS_EXPLICIT_IV_LEN
);
3544 /* Correct length value */
3545 len
-= EVP_CCM_TLS_EXPLICIT_IV_LEN
+ cctx
->M
;
3546 if (CRYPTO_ccm128_setiv(ccm
, ctx
->iv
, 15 - cctx
->L
,
3550 CRYPTO_ccm128_aad(ccm
, EVP_CIPHER_CTX_buf_noconst(ctx
),
3552 /* Fix buffer to point to payload */
3553 in
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
3554 out
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
3555 if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
3556 if (cctx
->str
? CRYPTO_ccm128_encrypt_ccm64(ccm
, in
, out
, len
,
3558 CRYPTO_ccm128_encrypt(ccm
, in
, out
, len
))
3560 if (!CRYPTO_ccm128_tag(ccm
, out
+ len
, cctx
->M
))
3562 return len
+ EVP_CCM_TLS_EXPLICIT_IV_LEN
+ cctx
->M
;
3564 if (cctx
->str
? !CRYPTO_ccm128_decrypt_ccm64(ccm
, in
, out
, len
,
3566 !CRYPTO_ccm128_decrypt(ccm
, in
, out
, len
)) {
3567 unsigned char tag
[16];
3568 if (CRYPTO_ccm128_tag(ccm
, tag
, cctx
->M
)) {
3569 if (!CRYPTO_memcmp(tag
, in
+ len
, cctx
->M
))
3573 OPENSSL_cleanse(out
, len
);
3578 static int aes_ccm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
3579 const unsigned char *in
, size_t len
)
3581 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,ctx
);
3582 CCM128_CONTEXT
*ccm
= &cctx
->ccm
;
3583 /* If not set up, return error */
3587 if (cctx
->tls_aad_len
>= 0)
3588 return aes_ccm_tls_cipher(ctx
, out
, in
, len
);
3590 /* EVP_*Final() doesn't return any data */
3591 if (in
== NULL
&& out
!= NULL
)
3599 if (CRYPTO_ccm128_setiv(ccm
, ctx
->iv
,
3605 /* If have AAD need message length */
3606 if (!cctx
->len_set
&& len
)
3608 CRYPTO_ccm128_aad(ccm
, in
, len
);
3612 /* The tag must be set before actually decrypting data */
3613 if (!EVP_CIPHER_CTX_is_encrypting(ctx
) && !cctx
->tag_set
)
3616 /* If not set length yet do it */
3617 if (!cctx
->len_set
) {
3618 if (CRYPTO_ccm128_setiv(ccm
, ctx
->iv
, 15 - cctx
->L
, len
))
3622 if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
3623 if (cctx
->str
? CRYPTO_ccm128_encrypt_ccm64(ccm
, in
, out
, len
,
3625 CRYPTO_ccm128_encrypt(ccm
, in
, out
, len
))
3631 if (cctx
->str
? !CRYPTO_ccm128_decrypt_ccm64(ccm
, in
, out
, len
,
3633 !CRYPTO_ccm128_decrypt(ccm
, in
, out
, len
)) {
3634 unsigned char tag
[16];
3635 if (CRYPTO_ccm128_tag(ccm
, tag
, cctx
->M
)) {
3636 if (!CRYPTO_memcmp(tag
, EVP_CIPHER_CTX_buf_noconst(ctx
),
3642 OPENSSL_cleanse(out
, len
);
3650 #define aes_ccm_cleanup NULL
3652 BLOCK_CIPHER_custom(NID_aes
, 128, 1, 12, ccm
, CCM
,
3653 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3654 BLOCK_CIPHER_custom(NID_aes
, 192, 1, 12, ccm
, CCM
,
3655 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3656 BLOCK_CIPHER_custom(NID_aes
, 256, 1, 12, ccm
, CCM
,
3657 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3664 /* Indicates if IV has been set */
3668 static int aes_wrap_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
3669 const unsigned char *iv
, int enc
)
3672 EVP_AES_WRAP_CTX
*wctx
= EVP_C_DATA(EVP_AES_WRAP_CTX
,ctx
);
3674 if (iv
== NULL
&& key
== NULL
)
3677 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
3680 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
3683 if (EVP_CIPHER_CTX_is_encrypting(ctx
))
3684 AES_set_encrypt_key(key
, keylen
, &wctx
->ks
.ks
);
3686 AES_set_decrypt_key(key
, keylen
, &wctx
->ks
.ks
);
3691 if ((len
= EVP_CIPHER_CTX_get_iv_length(ctx
)) < 0)
3693 memcpy(ctx
->iv
, iv
, len
);
3699 static int aes_wrap_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
3700 const unsigned char *in
, size_t inlen
)
3702 EVP_AES_WRAP_CTX
*wctx
= EVP_C_DATA(EVP_AES_WRAP_CTX
,ctx
);
3704 /* AES wrap with padding has IV length of 4, without padding 8 */
3705 int pad
= EVP_CIPHER_CTX_get_iv_length(ctx
) == 4;
3706 /* No final operation so always return zero length */
3709 /* Input length must always be non-zero */
3712 /* If decrypting need at least 16 bytes and multiple of 8 */
3713 if (!EVP_CIPHER_CTX_is_encrypting(ctx
) && (inlen
< 16 || inlen
& 0x7))
3715 /* If not padding input must be multiple of 8 */
3716 if (!pad
&& inlen
& 0x7)
3718 if (ossl_is_partially_overlapping(out
, in
, inlen
)) {
3719 ERR_raise(ERR_LIB_EVP
, EVP_R_PARTIALLY_OVERLAPPING
);
3723 if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
3724 /* If padding round up to multiple of 8 */
3726 inlen
= (inlen
+ 7) / 8 * 8;
3731 * If not padding output will be exactly 8 bytes smaller than
3732 * input. If padding it will be at least 8 bytes smaller but we
3733 * don't know how much.
3739 if (EVP_CIPHER_CTX_is_encrypting(ctx
))
3740 rv
= CRYPTO_128_wrap_pad(&wctx
->ks
.ks
, wctx
->iv
,
3742 (block128_f
) AES_encrypt
);
3744 rv
= CRYPTO_128_unwrap_pad(&wctx
->ks
.ks
, wctx
->iv
,
3746 (block128_f
) AES_decrypt
);
3748 if (EVP_CIPHER_CTX_is_encrypting(ctx
))
3749 rv
= CRYPTO_128_wrap(&wctx
->ks
.ks
, wctx
->iv
,
3750 out
, in
, inlen
, (block128_f
) AES_encrypt
);
3752 rv
= CRYPTO_128_unwrap(&wctx
->ks
.ks
, wctx
->iv
,
3753 out
, in
, inlen
, (block128_f
) AES_decrypt
);
3755 return rv
? (int)rv
: -1;
3758 #define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
3759 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3760 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
3762 static const EVP_CIPHER aes_128_wrap
= {
3764 8, 16, 8, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3765 aes_wrap_init_key
, aes_wrap_cipher
,
3767 sizeof(EVP_AES_WRAP_CTX
),
3768 NULL
, NULL
, NULL
, NULL
3771 const EVP_CIPHER
*EVP_aes_128_wrap(void)
3773 return &aes_128_wrap
;
3776 static const EVP_CIPHER aes_192_wrap
= {
3778 8, 24, 8, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3779 aes_wrap_init_key
, aes_wrap_cipher
,
3781 sizeof(EVP_AES_WRAP_CTX
),
3782 NULL
, NULL
, NULL
, NULL
3785 const EVP_CIPHER
*EVP_aes_192_wrap(void)
3787 return &aes_192_wrap
;
3790 static const EVP_CIPHER aes_256_wrap
= {
3792 8, 32, 8, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3793 aes_wrap_init_key
, aes_wrap_cipher
,
3795 sizeof(EVP_AES_WRAP_CTX
),
3796 NULL
, NULL
, NULL
, NULL
3799 const EVP_CIPHER
*EVP_aes_256_wrap(void)
3801 return &aes_256_wrap
;
3804 static const EVP_CIPHER aes_128_wrap_pad
= {
3805 NID_id_aes128_wrap_pad
,
3806 8, 16, 4, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3807 aes_wrap_init_key
, aes_wrap_cipher
,
3809 sizeof(EVP_AES_WRAP_CTX
),
3810 NULL
, NULL
, NULL
, NULL
3813 const EVP_CIPHER
*EVP_aes_128_wrap_pad(void)
3815 return &aes_128_wrap_pad
;
3818 static const EVP_CIPHER aes_192_wrap_pad
= {
3819 NID_id_aes192_wrap_pad
,
3820 8, 24, 4, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3821 aes_wrap_init_key
, aes_wrap_cipher
,
3823 sizeof(EVP_AES_WRAP_CTX
),
3824 NULL
, NULL
, NULL
, NULL
3827 const EVP_CIPHER
*EVP_aes_192_wrap_pad(void)
3829 return &aes_192_wrap_pad
;
3832 static const EVP_CIPHER aes_256_wrap_pad
= {
3833 NID_id_aes256_wrap_pad
,
3834 8, 32, 4, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3835 aes_wrap_init_key
, aes_wrap_cipher
,
3837 sizeof(EVP_AES_WRAP_CTX
),
3838 NULL
, NULL
, NULL
, NULL
3841 const EVP_CIPHER
*EVP_aes_256_wrap_pad(void)
3843 return &aes_256_wrap_pad
;
3846 #ifndef OPENSSL_NO_OCB
3847 static int aes_ocb_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
3849 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,c
);
3850 EVP_CIPHER_CTX
*newc
;
3851 EVP_AES_OCB_CTX
*new_octx
;
3857 octx
->ivlen
= EVP_CIPHER_get_iv_length(c
->cipher
);
3860 octx
->data_buf_len
= 0;
3861 octx
->aad_buf_len
= 0;
3864 case EVP_CTRL_GET_IVLEN
:
3865 *(int *)ptr
= octx
->ivlen
;
3868 case EVP_CTRL_AEAD_SET_IVLEN
:
3869 /* IV len must be 1 to 15 */
3870 if (arg
<= 0 || arg
> 15)
3876 case EVP_CTRL_AEAD_SET_TAG
:
3878 /* Tag len must be 0 to 16 */
3879 if (arg
< 0 || arg
> 16)
3885 if (arg
!= octx
->taglen
|| EVP_CIPHER_CTX_is_encrypting(c
))
3887 memcpy(octx
->tag
, ptr
, arg
);
3890 case EVP_CTRL_AEAD_GET_TAG
:
3891 if (arg
!= octx
->taglen
|| !EVP_CIPHER_CTX_is_encrypting(c
))
3894 memcpy(ptr
, octx
->tag
, arg
);
3898 newc
= (EVP_CIPHER_CTX
*)ptr
;
3899 new_octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,newc
);
3900 return CRYPTO_ocb128_copy_ctx(&new_octx
->ocb
, &octx
->ocb
,
3901 &new_octx
->ksenc
.ks
,
3902 &new_octx
->ksdec
.ks
);
3910 static int aes_ocb_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
3911 const unsigned char *iv
, int enc
)
3913 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,ctx
);
3915 if (iv
== NULL
&& key
== NULL
)
3919 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
3922 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
3927 * We set both the encrypt and decrypt key here because decrypt
3928 * needs both. We could possibly optimise to remove setting the
3929 * decrypt for an encryption operation.
3931 # ifdef HWAES_CAPABLE
3932 if (HWAES_CAPABLE
) {
3933 HWAES_set_encrypt_key(key
, keylen
, &octx
->ksenc
.ks
);
3934 HWAES_set_decrypt_key(key
, keylen
, &octx
->ksdec
.ks
);
3935 if (!CRYPTO_ocb128_init(&octx
->ocb
,
3936 &octx
->ksenc
.ks
, &octx
->ksdec
.ks
,
3937 (block128_f
) HWAES_encrypt
,
3938 (block128_f
) HWAES_decrypt
,
3939 enc
? HWAES_ocb_encrypt
3940 : HWAES_ocb_decrypt
))
3945 # ifdef VPAES_CAPABLE
3946 if (VPAES_CAPABLE
) {
3947 vpaes_set_encrypt_key(key
, keylen
, &octx
->ksenc
.ks
);
3948 vpaes_set_decrypt_key(key
, keylen
, &octx
->ksdec
.ks
);
3949 if (!CRYPTO_ocb128_init(&octx
->ocb
,
3950 &octx
->ksenc
.ks
, &octx
->ksdec
.ks
,
3951 (block128_f
) vpaes_encrypt
,
3952 (block128_f
) vpaes_decrypt
,
3958 AES_set_encrypt_key(key
, keylen
, &octx
->ksenc
.ks
);
3959 AES_set_decrypt_key(key
, keylen
, &octx
->ksdec
.ks
);
3960 if (!CRYPTO_ocb128_init(&octx
->ocb
,
3961 &octx
->ksenc
.ks
, &octx
->ksdec
.ks
,
3962 (block128_f
) AES_encrypt
,
3963 (block128_f
) AES_decrypt
,
3970 * If we have an iv we can set it directly, otherwise use saved IV.
3972 if (iv
== NULL
&& octx
->iv_set
)
3975 if (CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
)
3982 /* If key set use IV, otherwise copy */
3984 CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
);
3986 memcpy(octx
->iv
, iv
, octx
->ivlen
);
3992 static int aes_ocb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
3993 const unsigned char *in
, size_t len
)
3997 int written_len
= 0;
3998 size_t trailing_len
;
3999 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,ctx
);
4001 /* If IV or Key not set then return error */
4010 * Need to ensure we are only passing full blocks to low-level OCB
4011 * routines. We do it here rather than in EVP_EncryptUpdate/
4012 * EVP_DecryptUpdate because we need to pass full blocks of AAD too
4013 * and those routines don't support that
4016 /* Are we dealing with AAD or normal data here? */
4018 buf
= octx
->aad_buf
;
4019 buf_len
= &(octx
->aad_buf_len
);
4021 buf
= octx
->data_buf
;
4022 buf_len
= &(octx
->data_buf_len
);
4024 if (ossl_is_partially_overlapping(out
+ *buf_len
, in
, len
)) {
4025 ERR_raise(ERR_LIB_EVP
, EVP_R_PARTIALLY_OVERLAPPING
);
4031 * If we've got a partially filled buffer from a previous call then
4032 * use that data first
4035 unsigned int remaining
;
4037 remaining
= AES_BLOCK_SIZE
- (*buf_len
);
4038 if (remaining
> len
) {
4039 memcpy(buf
+ (*buf_len
), in
, len
);
4043 memcpy(buf
+ (*buf_len
), in
, remaining
);
4046 * If we get here we've filled the buffer, so process it
4051 if (!CRYPTO_ocb128_aad(&octx
->ocb
, buf
, AES_BLOCK_SIZE
))
4053 } else if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
4054 if (!CRYPTO_ocb128_encrypt(&octx
->ocb
, buf
, out
,
4058 if (!CRYPTO_ocb128_decrypt(&octx
->ocb
, buf
, out
,
4062 written_len
= AES_BLOCK_SIZE
;
4065 out
+= AES_BLOCK_SIZE
;
4068 /* Do we have a partial block to handle at the end? */
4069 trailing_len
= len
% AES_BLOCK_SIZE
;
4072 * If we've got some full blocks to handle, then process these first
4074 if (len
!= trailing_len
) {
4076 if (!CRYPTO_ocb128_aad(&octx
->ocb
, in
, len
- trailing_len
))
4078 } else if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
4079 if (!CRYPTO_ocb128_encrypt
4080 (&octx
->ocb
, in
, out
, len
- trailing_len
))
4083 if (!CRYPTO_ocb128_decrypt
4084 (&octx
->ocb
, in
, out
, len
- trailing_len
))
4087 written_len
+= len
- trailing_len
;
4088 in
+= len
- trailing_len
;
4091 /* Handle any trailing partial block */
4092 if (trailing_len
> 0) {
4093 memcpy(buf
, in
, trailing_len
);
4094 *buf_len
= trailing_len
;
4100 * First of all empty the buffer of any partial block that we might
4101 * have been provided - both for data and AAD
4103 if (octx
->data_buf_len
> 0) {
4104 if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
4105 if (!CRYPTO_ocb128_encrypt(&octx
->ocb
, octx
->data_buf
, out
,
4106 octx
->data_buf_len
))
4109 if (!CRYPTO_ocb128_decrypt(&octx
->ocb
, octx
->data_buf
, out
,
4110 octx
->data_buf_len
))
4113 written_len
= octx
->data_buf_len
;
4114 octx
->data_buf_len
= 0;
4116 if (octx
->aad_buf_len
> 0) {
4117 if (!CRYPTO_ocb128_aad
4118 (&octx
->ocb
, octx
->aad_buf
, octx
->aad_buf_len
))
4120 octx
->aad_buf_len
= 0;
4122 /* If decrypting then verify */
4123 if (!EVP_CIPHER_CTX_is_encrypting(ctx
)) {
4124 if (octx
->taglen
< 0)
4126 if (CRYPTO_ocb128_finish(&octx
->ocb
,
4127 octx
->tag
, octx
->taglen
) != 0)
4132 /* If encrypting then just get the tag */
4133 if (CRYPTO_ocb128_tag(&octx
->ocb
, octx
->tag
, 16) != 1)
4135 /* Don't reuse the IV */
4141 static int aes_ocb_cleanup(EVP_CIPHER_CTX
*c
)
4143 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,c
);
4144 CRYPTO_ocb128_cleanup(&octx
->ocb
);
4148 BLOCK_CIPHER_custom(NID_aes
, 128, 16, 12, ocb
, OCB
,
4149 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
4150 BLOCK_CIPHER_custom(NID_aes
, 192, 16, 12, ocb
, OCB
,
4151 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
4152 BLOCK_CIPHER_custom(NID_aes
, 256, 16, 12, ocb
, OCB
,
4153 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
4154 #endif /* OPENSSL_NO_OCB */