2 * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * This file uses the low level AES functions (which are deprecated for
12 * non-internal use) in order to implement the EVP AES ciphers.
14 #include "internal/deprecated.h"
18 #include <openssl/opensslconf.h>
19 #include <openssl/crypto.h>
20 #include <openssl/evp.h>
21 #include <openssl/err.h>
22 #include <openssl/aes.h>
23 #include <openssl/rand.h>
24 #include <openssl/cmac.h>
25 #include "crypto/evp.h"
26 #include "internal/cryptlib.h"
27 #include "crypto/modes.h"
28 #include "crypto/siv.h"
29 #include "crypto/aes_platform.h"
30 #include "evp_local.h"
48 } ks
; /* AES key schedule to use */
49 int key_set
; /* Set if key initialised */
50 int iv_set
; /* Set if an iv is set */
52 unsigned char *iv
; /* Temporary IV store */
53 int ivlen
; /* IV length */
55 int iv_gen
; /* It is OK to generate IVs */
56 int iv_gen_rand
; /* No IV was specified, so generate a rand IV */
57 int tls_aad_len
; /* TLS AAD length */
58 uint64_t tls_enc_records
; /* Number of TLS records encrypted */
66 } ks1
, ks2
; /* AES key schedules to use */
68 void (*stream
) (const unsigned char *in
,
69 unsigned char *out
, size_t length
,
70 const AES_KEY
*key1
, const AES_KEY
*key2
,
71 const unsigned char iv
[16]);
75 static const int allow_insecure_decrypt
= 0;
77 static const int allow_insecure_decrypt
= 1;
84 } ks
; /* AES key schedule to use */
85 int key_set
; /* Set if key initialised */
86 int iv_set
; /* Set if an iv is set */
87 int tag_set
; /* Set if tag is valid */
88 int len_set
; /* Set if message length set */
89 int L
, M
; /* L and M parameters from RFC3610 */
90 int tls_aad_len
; /* TLS AAD length */
95 #ifndef OPENSSL_NO_OCB
100 } ksenc
; /* AES key schedule to use for encryption */
104 } ksdec
; /* AES key schedule to use for decryption */
105 int key_set
; /* Set if key initialised */
106 int iv_set
; /* Set if an iv is set */
108 unsigned char *iv
; /* Temporary IV store */
109 unsigned char tag
[16];
110 unsigned char data_buf
[16]; /* Store partial data blocks */
111 unsigned char aad_buf
[16]; /* Store partial AAD blocks */
114 int ivlen
; /* IV length */
119 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
121 /* increment counter (64-bit int) by 1 */
122 static void ctr64_inc(unsigned char *counter
)
137 #if defined(AESNI_CAPABLE)
138 # if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
139 # define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
140 gctx->gcm.ghash==gcm_ghash_avx)
141 # undef AES_GCM_ASM2 /* minor size optimization */
144 static int aesni_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
145 const unsigned char *iv
, int enc
)
148 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
149 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
152 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
155 mode
= EVP_CIPHER_CTX_get_mode(ctx
);
156 if ((mode
== EVP_CIPH_ECB_MODE
|| mode
== EVP_CIPH_CBC_MODE
)
158 ret
= aesni_set_decrypt_key(key
, keylen
, &dat
->ks
.ks
);
159 dat
->block
= (block128_f
) aesni_decrypt
;
160 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
161 (cbc128_f
) aesni_cbc_encrypt
: NULL
;
163 ret
= aesni_set_encrypt_key(key
, keylen
, &dat
->ks
.ks
);
164 dat
->block
= (block128_f
) aesni_encrypt
;
165 if (mode
== EVP_CIPH_CBC_MODE
)
166 dat
->stream
.cbc
= (cbc128_f
) aesni_cbc_encrypt
;
167 else if (mode
== EVP_CIPH_CTR_MODE
)
168 dat
->stream
.ctr
= (ctr128_f
) aesni_ctr32_encrypt_blocks
;
170 dat
->stream
.cbc
= NULL
;
174 ERR_raise(ERR_LIB_EVP
, EVP_R_AES_KEY_SETUP_FAILED
);
181 static int aesni_cbc_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
182 const unsigned char *in
, size_t len
)
184 aesni_cbc_encrypt(in
, out
, len
, &EVP_C_DATA(EVP_AES_KEY
,ctx
)->ks
.ks
,
185 ctx
->iv
, EVP_CIPHER_CTX_is_encrypting(ctx
));
190 static int aesni_ecb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
191 const unsigned char *in
, size_t len
)
193 size_t bl
= EVP_CIPHER_CTX_get_block_size(ctx
);
198 aesni_ecb_encrypt(in
, out
, len
, &EVP_C_DATA(EVP_AES_KEY
,ctx
)->ks
.ks
,
199 EVP_CIPHER_CTX_is_encrypting(ctx
));
204 # define aesni_ofb_cipher aes_ofb_cipher
205 static int aesni_ofb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
206 const unsigned char *in
, size_t len
);
208 # define aesni_cfb_cipher aes_cfb_cipher
209 static int aesni_cfb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
210 const unsigned char *in
, size_t len
);
212 # define aesni_cfb8_cipher aes_cfb8_cipher
213 static int aesni_cfb8_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
214 const unsigned char *in
, size_t len
);
216 # define aesni_cfb1_cipher aes_cfb1_cipher
217 static int aesni_cfb1_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
218 const unsigned char *in
, size_t len
);
220 # define aesni_ctr_cipher aes_ctr_cipher
221 static int aesni_ctr_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
222 const unsigned char *in
, size_t len
);
224 static int aesni_gcm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
225 const unsigned char *iv
, int enc
)
227 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
, ctx
);
229 if (iv
== NULL
&& key
== NULL
)
233 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
236 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
239 aesni_set_encrypt_key(key
, keylen
, &gctx
->ks
.ks
);
240 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
, (block128_f
) aesni_encrypt
);
241 gctx
->ctr
= (ctr128_f
) aesni_ctr32_encrypt_blocks
;
243 * If we have an iv can set it directly, otherwise use saved IV.
245 if (iv
== NULL
&& gctx
->iv_set
)
248 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
253 /* If key set use IV, otherwise copy */
255 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
257 memcpy(gctx
->iv
, iv
, gctx
->ivlen
);
264 # define aesni_gcm_cipher aes_gcm_cipher
265 static int aesni_gcm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
266 const unsigned char *in
, size_t len
);
268 static int aesni_xts_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
269 const unsigned char *iv
, int enc
)
271 EVP_AES_XTS_CTX
*xctx
= EVP_C_DATA(EVP_AES_XTS_CTX
,ctx
);
273 if (iv
== NULL
&& key
== NULL
)
277 /* The key is two half length keys in reality */
278 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
279 const int bytes
= keylen
/ 2;
280 const int bits
= bytes
* 8;
283 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
287 * Verify that the two keys are different.
289 * This addresses Rogaway's vulnerability.
290 * See comment in aes_xts_init_key() below.
292 if ((!allow_insecure_decrypt
|| enc
)
293 && CRYPTO_memcmp(key
, key
+ bytes
, bytes
) == 0) {
294 ERR_raise(ERR_LIB_EVP
, EVP_R_XTS_DUPLICATED_KEYS
);
298 /* key_len is two AES keys */
300 aesni_set_encrypt_key(key
, bits
, &xctx
->ks1
.ks
);
301 xctx
->xts
.block1
= (block128_f
) aesni_encrypt
;
302 xctx
->stream
= aesni_xts_encrypt
;
304 aesni_set_decrypt_key(key
, bits
, &xctx
->ks1
.ks
);
305 xctx
->xts
.block1
= (block128_f
) aesni_decrypt
;
306 xctx
->stream
= aesni_xts_decrypt
;
309 aesni_set_encrypt_key(key
+ bytes
, bits
, &xctx
->ks2
.ks
);
310 xctx
->xts
.block2
= (block128_f
) aesni_encrypt
;
312 xctx
->xts
.key1
= &xctx
->ks1
;
316 xctx
->xts
.key2
= &xctx
->ks2
;
317 memcpy(ctx
->iv
, iv
, 16);
323 # define aesni_xts_cipher aes_xts_cipher
324 static int aesni_xts_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
325 const unsigned char *in
, size_t len
);
327 static int aesni_ccm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
328 const unsigned char *iv
, int enc
)
330 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,ctx
);
332 if (iv
== NULL
&& key
== NULL
)
336 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
339 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
342 aesni_set_encrypt_key(key
, keylen
, &cctx
->ks
.ks
);
343 CRYPTO_ccm128_init(&cctx
->ccm
, cctx
->M
, cctx
->L
,
344 &cctx
->ks
, (block128_f
) aesni_encrypt
);
345 cctx
->str
= enc
? (ccm128_f
) aesni_ccm64_encrypt_blocks
:
346 (ccm128_f
) aesni_ccm64_decrypt_blocks
;
350 memcpy(ctx
->iv
, iv
, 15 - cctx
->L
);
356 # define aesni_ccm_cipher aes_ccm_cipher
357 static int aesni_ccm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
358 const unsigned char *in
, size_t len
);
360 # ifndef OPENSSL_NO_OCB
361 static int aesni_ocb_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
362 const unsigned char *iv
, int enc
)
364 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,ctx
);
366 if (iv
== NULL
&& key
== NULL
)
370 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
373 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
378 * We set both the encrypt and decrypt key here because decrypt
379 * needs both. We could possibly optimise to remove setting the
380 * decrypt for an encryption operation.
382 aesni_set_encrypt_key(key
, keylen
, &octx
->ksenc
.ks
);
383 aesni_set_decrypt_key(key
, keylen
, &octx
->ksdec
.ks
);
384 if (!CRYPTO_ocb128_init(&octx
->ocb
,
385 &octx
->ksenc
.ks
, &octx
->ksdec
.ks
,
386 (block128_f
) aesni_encrypt
,
387 (block128_f
) aesni_decrypt
,
388 enc
? aesni_ocb_encrypt
389 : aesni_ocb_decrypt
))
395 * If we have an iv we can set it directly, otherwise use saved IV.
397 if (iv
== NULL
&& octx
->iv_set
)
400 if (CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
)
407 /* If key set use IV, otherwise copy */
409 CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
);
411 memcpy(octx
->iv
, iv
, octx
->ivlen
);
417 # define aesni_ocb_cipher aes_ocb_cipher
418 static int aesni_ocb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
419 const unsigned char *in
, size_t len
);
420 # endif /* OPENSSL_NO_OCB */
422 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
423 static const EVP_CIPHER aesni_##keylen##_##mode = { \
424 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
425 flags|EVP_CIPH_##MODE##_MODE, \
428 aesni_##mode##_cipher, \
430 sizeof(EVP_AES_KEY), \
431 NULL,NULL,NULL,NULL }; \
432 static const EVP_CIPHER aes_##keylen##_##mode = { \
433 nid##_##keylen##_##nmode,blocksize, \
435 flags|EVP_CIPH_##MODE##_MODE, \
438 aes_##mode##_cipher, \
440 sizeof(EVP_AES_KEY), \
441 NULL,NULL,NULL,NULL }; \
442 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
443 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
445 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
446 static const EVP_CIPHER aesni_##keylen##_##mode = { \
447 nid##_##keylen##_##mode,blocksize, \
448 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
450 flags|EVP_CIPH_##MODE##_MODE, \
452 aesni_##mode##_init_key, \
453 aesni_##mode##_cipher, \
454 aes_##mode##_cleanup, \
455 sizeof(EVP_AES_##MODE##_CTX), \
456 NULL,NULL,aes_##mode##_ctrl,NULL }; \
457 static const EVP_CIPHER aes_##keylen##_##mode = { \
458 nid##_##keylen##_##mode,blocksize, \
459 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
461 flags|EVP_CIPH_##MODE##_MODE, \
463 aes_##mode##_init_key, \
464 aes_##mode##_cipher, \
465 aes_##mode##_cleanup, \
466 sizeof(EVP_AES_##MODE##_CTX), \
467 NULL,NULL,aes_##mode##_ctrl,NULL }; \
468 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
469 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
471 #elif defined(SPARC_AES_CAPABLE)
473 static int aes_t4_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
474 const unsigned char *iv
, int enc
)
477 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
479 mode
= EVP_CIPHER_CTX_get_mode(ctx
);
480 bits
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
482 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
485 if ((mode
== EVP_CIPH_ECB_MODE
|| mode
== EVP_CIPH_CBC_MODE
)
488 aes_t4_set_decrypt_key(key
, bits
, &dat
->ks
.ks
);
489 dat
->block
= (block128_f
) aes_t4_decrypt
;
492 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
493 (cbc128_f
) aes128_t4_cbc_decrypt
: NULL
;
496 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
497 (cbc128_f
) aes192_t4_cbc_decrypt
: NULL
;
500 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
501 (cbc128_f
) aes256_t4_cbc_decrypt
: NULL
;
508 aes_t4_set_encrypt_key(key
, bits
, &dat
->ks
.ks
);
509 dat
->block
= (block128_f
) aes_t4_encrypt
;
512 if (mode
== EVP_CIPH_CBC_MODE
)
513 dat
->stream
.cbc
= (cbc128_f
) aes128_t4_cbc_encrypt
;
514 else if (mode
== EVP_CIPH_CTR_MODE
)
515 dat
->stream
.ctr
= (ctr128_f
) aes128_t4_ctr32_encrypt
;
517 dat
->stream
.cbc
= NULL
;
520 if (mode
== EVP_CIPH_CBC_MODE
)
521 dat
->stream
.cbc
= (cbc128_f
) aes192_t4_cbc_encrypt
;
522 else if (mode
== EVP_CIPH_CTR_MODE
)
523 dat
->stream
.ctr
= (ctr128_f
) aes192_t4_ctr32_encrypt
;
525 dat
->stream
.cbc
= NULL
;
528 if (mode
== EVP_CIPH_CBC_MODE
)
529 dat
->stream
.cbc
= (cbc128_f
) aes256_t4_cbc_encrypt
;
530 else if (mode
== EVP_CIPH_CTR_MODE
)
531 dat
->stream
.ctr
= (ctr128_f
) aes256_t4_ctr32_encrypt
;
533 dat
->stream
.cbc
= NULL
;
541 ERR_raise(ERR_LIB_EVP
, EVP_R_AES_KEY_SETUP_FAILED
);
548 # define aes_t4_cbc_cipher aes_cbc_cipher
549 static int aes_t4_cbc_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
550 const unsigned char *in
, size_t len
);
552 # define aes_t4_ecb_cipher aes_ecb_cipher
553 static int aes_t4_ecb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
554 const unsigned char *in
, size_t len
);
556 # define aes_t4_ofb_cipher aes_ofb_cipher
557 static int aes_t4_ofb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
558 const unsigned char *in
, size_t len
);
560 # define aes_t4_cfb_cipher aes_cfb_cipher
561 static int aes_t4_cfb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
562 const unsigned char *in
, size_t len
);
564 # define aes_t4_cfb8_cipher aes_cfb8_cipher
565 static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
566 const unsigned char *in
, size_t len
);
568 # define aes_t4_cfb1_cipher aes_cfb1_cipher
569 static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
570 const unsigned char *in
, size_t len
);
572 # define aes_t4_ctr_cipher aes_ctr_cipher
573 static int aes_t4_ctr_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
574 const unsigned char *in
, size_t len
);
576 static int aes_t4_gcm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
577 const unsigned char *iv
, int enc
)
579 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,ctx
);
581 if (iv
== NULL
&& key
== NULL
)
584 const int bits
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
587 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
590 aes_t4_set_encrypt_key(key
, bits
, &gctx
->ks
.ks
);
591 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
,
592 (block128_f
) aes_t4_encrypt
);
595 gctx
->ctr
= (ctr128_f
) aes128_t4_ctr32_encrypt
;
598 gctx
->ctr
= (ctr128_f
) aes192_t4_ctr32_encrypt
;
601 gctx
->ctr
= (ctr128_f
) aes256_t4_ctr32_encrypt
;
607 * If we have an iv can set it directly, otherwise use saved IV.
609 if (iv
== NULL
&& gctx
->iv_set
)
612 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
617 /* If key set use IV, otherwise copy */
619 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
621 memcpy(gctx
->iv
, iv
, gctx
->ivlen
);
628 # define aes_t4_gcm_cipher aes_gcm_cipher
629 static int aes_t4_gcm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
630 const unsigned char *in
, size_t len
);
632 static int aes_t4_xts_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
633 const unsigned char *iv
, int enc
)
635 EVP_AES_XTS_CTX
*xctx
= EVP_C_DATA(EVP_AES_XTS_CTX
,ctx
);
641 /* The key is two half length keys in reality */
642 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
643 const int bytes
= keylen
/ 2;
644 const int bits
= bytes
* 8;
647 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
651 * Verify that the two keys are different.
653 * This addresses Rogaway's vulnerability.
654 * See comment in aes_xts_init_key() below.
656 if ((!allow_insecure_decrypt
|| enc
)
657 && CRYPTO_memcmp(key
, key
+ bytes
, bytes
) == 0) {
658 ERR_raise(ERR_LIB_EVP
, EVP_R_XTS_DUPLICATED_KEYS
);
663 /* key_len is two AES keys */
665 aes_t4_set_encrypt_key(key
, bits
, &xctx
->ks1
.ks
);
666 xctx
->xts
.block1
= (block128_f
) aes_t4_encrypt
;
669 xctx
->stream
= aes128_t4_xts_encrypt
;
672 xctx
->stream
= aes256_t4_xts_encrypt
;
678 aes_t4_set_decrypt_key(key
, bits
, &xctx
->ks1
.ks
);
679 xctx
->xts
.block1
= (block128_f
) aes_t4_decrypt
;
682 xctx
->stream
= aes128_t4_xts_decrypt
;
685 xctx
->stream
= aes256_t4_xts_decrypt
;
692 aes_t4_set_encrypt_key(key
+ bytes
, bits
, &xctx
->ks2
.ks
);
693 xctx
->xts
.block2
= (block128_f
) aes_t4_encrypt
;
695 xctx
->xts
.key1
= &xctx
->ks1
;
699 xctx
->xts
.key2
= &xctx
->ks2
;
700 memcpy(ctx
->iv
, iv
, 16);
706 # define aes_t4_xts_cipher aes_xts_cipher
707 static int aes_t4_xts_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
708 const unsigned char *in
, size_t len
);
710 static int aes_t4_ccm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
711 const unsigned char *iv
, int enc
)
713 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,ctx
);
715 if (iv
== NULL
&& key
== NULL
)
719 const int bits
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
722 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
725 aes_t4_set_encrypt_key(key
, bits
, &cctx
->ks
.ks
);
726 CRYPTO_ccm128_init(&cctx
->ccm
, cctx
->M
, cctx
->L
,
727 &cctx
->ks
, (block128_f
) aes_t4_encrypt
);
732 memcpy(ctx
->iv
, iv
, 15 - cctx
->L
);
738 # define aes_t4_ccm_cipher aes_ccm_cipher
739 static int aes_t4_ccm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
740 const unsigned char *in
, size_t len
);
742 # ifndef OPENSSL_NO_OCB
743 static int aes_t4_ocb_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
744 const unsigned char *iv
, int enc
)
746 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,ctx
);
748 if (iv
== NULL
&& key
== NULL
)
752 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
755 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
760 * We set both the encrypt and decrypt key here because decrypt
761 * needs both. We could possibly optimise to remove setting the
762 * decrypt for an encryption operation.
764 aes_t4_set_encrypt_key(key
, keylen
, &octx
->ksenc
.ks
);
765 aes_t4_set_decrypt_key(key
, keylen
, &octx
->ksdec
.ks
);
766 if (!CRYPTO_ocb128_init(&octx
->ocb
,
767 &octx
->ksenc
.ks
, &octx
->ksdec
.ks
,
768 (block128_f
) aes_t4_encrypt
,
769 (block128_f
) aes_t4_decrypt
,
776 * If we have an iv we can set it directly, otherwise use saved IV.
778 if (iv
== NULL
&& octx
->iv_set
)
781 if (CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
)
788 /* If key set use IV, otherwise copy */
790 CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
);
792 memcpy(octx
->iv
, iv
, octx
->ivlen
);
798 # define aes_t4_ocb_cipher aes_ocb_cipher
799 static int aes_t4_ocb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
800 const unsigned char *in
, size_t len
);
801 # endif /* OPENSSL_NO_OCB */
803 # ifndef OPENSSL_NO_SIV
804 # define aes_t4_siv_init_key aes_siv_init_key
805 # define aes_t4_siv_cipher aes_siv_cipher
806 # endif /* OPENSSL_NO_SIV */
808 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
809 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
810 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
811 flags|EVP_CIPH_##MODE##_MODE, \
814 aes_t4_##mode##_cipher, \
816 sizeof(EVP_AES_KEY), \
817 NULL,NULL,NULL,NULL }; \
818 static const EVP_CIPHER aes_##keylen##_##mode = { \
819 nid##_##keylen##_##nmode,blocksize, \
821 flags|EVP_CIPH_##MODE##_MODE, \
824 aes_##mode##_cipher, \
826 sizeof(EVP_AES_KEY), \
827 NULL,NULL,NULL,NULL }; \
828 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
829 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
831 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
832 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
833 nid##_##keylen##_##mode,blocksize, \
834 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
836 flags|EVP_CIPH_##MODE##_MODE, \
838 aes_t4_##mode##_init_key, \
839 aes_t4_##mode##_cipher, \
840 aes_##mode##_cleanup, \
841 sizeof(EVP_AES_##MODE##_CTX), \
842 NULL,NULL,aes_##mode##_ctrl,NULL }; \
843 static const EVP_CIPHER aes_##keylen##_##mode = { \
844 nid##_##keylen##_##mode,blocksize, \
845 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
847 flags|EVP_CIPH_##MODE##_MODE, \
849 aes_##mode##_init_key, \
850 aes_##mode##_cipher, \
851 aes_##mode##_cleanup, \
852 sizeof(EVP_AES_##MODE##_CTX), \
853 NULL,NULL,aes_##mode##_ctrl,NULL }; \
854 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
855 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
857 #elif defined(S390X_aes_128_CAPABLE)
858 /* IBM S390X support */
863 * KM-AES parameter block - begin
864 * (see z/Architecture Principles of Operation >= SA22-7832-06)
869 /* KM-AES parameter block - end */
878 * KMO-AES parameter block - begin
879 * (see z/Architecture Principles of Operation >= SA22-7832-08)
882 unsigned char cv
[16];
885 /* KMO-AES parameter block - end */
896 * KMF-AES parameter block - begin
897 * (see z/Architecture Principles of Operation >= SA22-7832-08)
900 unsigned char cv
[16];
903 /* KMF-AES parameter block - end */
914 * KMA-GCM-AES parameter block - begin
915 * (see z/Architecture Principles of Operation >= SA22-7832-11)
918 unsigned char reserved
[12];
924 unsigned long long g
[2];
928 unsigned long long taadl
;
929 unsigned long long tpcl
;
931 unsigned long long g
[2];
936 /* KMA-GCM-AES parameter block - end */
948 unsigned char ares
[16];
949 unsigned char mres
[16];
950 unsigned char kres
[16];
956 uint64_t tls_enc_records
; /* Number of TLS records encrypted */
963 * Padding is chosen so that ccm.kmac_param.k overlaps with key.k and
964 * ccm.fc with key.k.rounds. Remember that on s390x, an AES_KEY's
965 * rounds field is used to store the function code and that the key
966 * schedule is not stored (if aes hardware support is detected).
969 unsigned char pad
[16];
975 * KMAC-AES parameter block - begin
976 * (see z/Architecture Principles of Operation >= SA22-7832-08)
980 unsigned long long g
[2];
985 /* KMAC-AES parameter block - end */
988 unsigned long long g
[2];
992 unsigned long long g
[2];
996 unsigned long long blocks
;
1005 unsigned char pad
[140];
1009 } S390X_AES_CCM_CTX
;
1011 # define s390x_aes_init_key aes_init_key
1012 static int s390x_aes_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
1013 const unsigned char *iv
, int enc
);
1015 # define S390X_AES_CBC_CTX EVP_AES_KEY
1017 # define s390x_aes_cbc_init_key aes_init_key
1019 # define s390x_aes_cbc_cipher aes_cbc_cipher
1020 static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1021 const unsigned char *in
, size_t len
);
1023 static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX
*ctx
,
1024 const unsigned char *key
,
1025 const unsigned char *iv
, int enc
)
1027 S390X_AES_ECB_CTX
*cctx
= EVP_C_DATA(S390X_AES_ECB_CTX
, ctx
);
1028 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1031 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1034 cctx
->fc
= S390X_AES_FC(keylen
);
1036 cctx
->fc
|= S390X_DECRYPT
;
1038 memcpy(cctx
->km
.param
.k
, key
, keylen
);
1042 static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1043 const unsigned char *in
, size_t len
)
1045 S390X_AES_ECB_CTX
*cctx
= EVP_C_DATA(S390X_AES_ECB_CTX
, ctx
);
1047 s390x_km(in
, len
, out
, cctx
->fc
, &cctx
->km
.param
);
1051 static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX
*ctx
,
1052 const unsigned char *key
,
1053 const unsigned char *ivec
, int enc
)
1055 S390X_AES_OFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_OFB_CTX
, ctx
);
1056 const unsigned char *iv
= ctx
->oiv
;
1057 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1058 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1061 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1065 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_IV_LENGTH
);
1068 memcpy(cctx
->kmo
.param
.cv
, iv
, ivlen
);
1069 memcpy(cctx
->kmo
.param
.k
, key
, keylen
);
1070 cctx
->fc
= S390X_AES_FC(keylen
);
1075 static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1076 const unsigned char *in
, size_t len
)
1078 S390X_AES_OFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_OFB_CTX
, ctx
);
1079 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1080 unsigned char *iv
= EVP_CIPHER_CTX_iv_noconst(ctx
);
1084 memcpy(cctx
->kmo
.param
.cv
, iv
, ivlen
);
1086 *out
= *in
^ cctx
->kmo
.param
.cv
[n
];
1095 len
&= ~(size_t)0xf;
1097 s390x_kmo(in
, len
, out
, cctx
->fc
, &cctx
->kmo
.param
);
1104 s390x_km(cctx
->kmo
.param
.cv
, 16, cctx
->kmo
.param
.cv
, cctx
->fc
,
1108 out
[n
] = in
[n
] ^ cctx
->kmo
.param
.cv
[n
];
1113 memcpy(iv
, cctx
->kmo
.param
.cv
, ivlen
);
1118 static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX
*ctx
,
1119 const unsigned char *key
,
1120 const unsigned char *ivec
, int enc
)
1122 S390X_AES_CFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_CFB_CTX
, ctx
);
1123 const unsigned char *iv
= ctx
->oiv
;
1124 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1125 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1128 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1132 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_IV_LENGTH
);
1135 cctx
->fc
= S390X_AES_FC(keylen
);
1136 cctx
->fc
|= 16 << 24; /* 16 bytes cipher feedback */
1138 cctx
->fc
|= S390X_DECRYPT
;
1141 memcpy(cctx
->kmf
.param
.cv
, iv
, ivlen
);
1142 memcpy(cctx
->kmf
.param
.k
, key
, keylen
);
1146 static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1147 const unsigned char *in
, size_t len
)
1149 S390X_AES_CFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_CFB_CTX
, ctx
);
1150 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1151 const int enc
= EVP_CIPHER_CTX_is_encrypting(ctx
);
1152 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1153 unsigned char *iv
= EVP_CIPHER_CTX_iv_noconst(ctx
);
1159 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1163 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_IV_LENGTH
);
1166 memcpy(cctx
->kmf
.param
.cv
, iv
, ivlen
);
1169 *out
= cctx
->kmf
.param
.cv
[n
] ^ tmp
;
1170 cctx
->kmf
.param
.cv
[n
] = enc
? *out
: tmp
;
1179 len
&= ~(size_t)0xf;
1181 s390x_kmf(in
, len
, out
, cctx
->fc
, &cctx
->kmf
.param
);
1188 s390x_km(cctx
->kmf
.param
.cv
, 16, cctx
->kmf
.param
.cv
,
1189 S390X_AES_FC(keylen
), cctx
->kmf
.param
.k
);
1193 out
[n
] = cctx
->kmf
.param
.cv
[n
] ^ tmp
;
1194 cctx
->kmf
.param
.cv
[n
] = enc
? out
[n
] : tmp
;
1199 memcpy(iv
, cctx
->kmf
.param
.cv
, ivlen
);
1204 static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX
*ctx
,
1205 const unsigned char *key
,
1206 const unsigned char *ivec
, int enc
)
1208 S390X_AES_CFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_CFB_CTX
, ctx
);
1209 const unsigned char *iv
= ctx
->oiv
;
1210 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1211 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1214 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1218 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_IV_LENGTH
);
1221 cctx
->fc
= S390X_AES_FC(keylen
);
1222 cctx
->fc
|= 1 << 24; /* 1 byte cipher feedback */
1224 cctx
->fc
|= S390X_DECRYPT
;
1226 memcpy(cctx
->kmf
.param
.cv
, iv
, ivlen
);
1227 memcpy(cctx
->kmf
.param
.k
, key
, keylen
);
1231 static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1232 const unsigned char *in
, size_t len
)
1234 S390X_AES_CFB_CTX
*cctx
= EVP_C_DATA(S390X_AES_CFB_CTX
, ctx
);
1235 const int ivlen
= EVP_CIPHER_CTX_get_iv_length(ctx
);
1236 unsigned char *iv
= EVP_CIPHER_CTX_iv_noconst(ctx
);
1238 memcpy(cctx
->kmf
.param
.cv
, iv
, ivlen
);
1239 s390x_kmf(in
, len
, out
, cctx
->fc
, &cctx
->kmf
.param
);
1240 memcpy(iv
, cctx
->kmf
.param
.cv
, ivlen
);
1244 # define s390x_aes_cfb1_init_key aes_init_key
1246 # define s390x_aes_cfb1_cipher aes_cfb1_cipher
1247 static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1248 const unsigned char *in
, size_t len
);
1250 # define S390X_AES_CTR_CTX EVP_AES_KEY
1252 # define s390x_aes_ctr_init_key aes_init_key
1254 # define s390x_aes_ctr_cipher aes_ctr_cipher
1255 static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1256 const unsigned char *in
, size_t len
);
1258 /* iv + padding length for iv lengths != 12 */
1259 # define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
1262 * Process additional authenticated data. Returns 0 on success. Code is
1265 static int s390x_aes_gcm_aad(S390X_AES_GCM_CTX
*ctx
, const unsigned char *aad
,
1268 unsigned long long alen
;
1271 if (ctx
->kma
.param
.tpcl
)
1274 alen
= ctx
->kma
.param
.taadl
+ len
;
1275 if (alen
> (U64(1) << 61) || (sizeof(len
) == 8 && alen
< len
))
1277 ctx
->kma
.param
.taadl
= alen
;
1282 ctx
->ares
[n
] = *aad
;
1287 /* ctx->ares contains a complete block if offset has wrapped around */
1289 s390x_kma(ctx
->ares
, 16, NULL
, 0, NULL
, ctx
->fc
, &ctx
->kma
.param
);
1290 ctx
->fc
|= S390X_KMA_HS
;
1297 len
&= ~(size_t)0xf;
1299 s390x_kma(aad
, len
, NULL
, 0, NULL
, ctx
->fc
, &ctx
->kma
.param
);
1301 ctx
->fc
|= S390X_KMA_HS
;
1309 ctx
->ares
[rem
] = aad
[rem
];
1316 * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 0 for
1317 * success. Code is big-endian.
1319 static int s390x_aes_gcm(S390X_AES_GCM_CTX
*ctx
, const unsigned char *in
,
1320 unsigned char *out
, size_t len
)
1322 const unsigned char *inptr
;
1323 unsigned long long mlen
;
1326 unsigned char b
[16];
1331 mlen
= ctx
->kma
.param
.tpcl
+ len
;
1332 if (mlen
> ((U64(1) << 36) - 32) || (sizeof(len
) == 8 && mlen
< len
))
1334 ctx
->kma
.param
.tpcl
= mlen
;
1340 while (n
&& inlen
) {
1341 ctx
->mres
[n
] = *inptr
;
1346 /* ctx->mres contains a complete block if offset has wrapped around */
1348 s390x_kma(ctx
->ares
, ctx
->areslen
, ctx
->mres
, 16, buf
.b
,
1349 ctx
->fc
| S390X_KMA_LAAD
, &ctx
->kma
.param
);
1350 ctx
->fc
|= S390X_KMA_HS
;
1353 /* previous call already encrypted/decrypted its remainder,
1354 * see comment below */
1369 len
&= ~(size_t)0xf;
1371 s390x_kma(ctx
->ares
, ctx
->areslen
, in
, len
, out
,
1372 ctx
->fc
| S390X_KMA_LAAD
, &ctx
->kma
.param
);
1375 ctx
->fc
|= S390X_KMA_HS
;
1380 * If there is a remainder, it has to be saved such that it can be
1381 * processed by kma later. However, we also have to do the for-now
1382 * unauthenticated encryption/decryption part here and now...
1385 if (!ctx
->mreslen
) {
1386 buf
.w
[0] = ctx
->kma
.param
.j0
.w
[0];
1387 buf
.w
[1] = ctx
->kma
.param
.j0
.w
[1];
1388 buf
.w
[2] = ctx
->kma
.param
.j0
.w
[2];
1389 buf
.w
[3] = ctx
->kma
.param
.cv
.w
+ 1;
1390 s390x_km(buf
.b
, 16, ctx
->kres
, ctx
->fc
& 0x1f, &ctx
->kma
.param
.k
);
1394 for (i
= 0; i
< rem
; i
++) {
1395 ctx
->mres
[n
+ i
] = in
[i
];
1396 out
[i
] = in
[i
] ^ ctx
->kres
[n
+ i
];
1399 ctx
->mreslen
+= rem
;
1405 * Initialize context structure. Code is big-endian.
1407 static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX
*ctx
,
1408 const unsigned char *iv
)
1410 ctx
->kma
.param
.t
.g
[0] = 0;
1411 ctx
->kma
.param
.t
.g
[1] = 0;
1412 ctx
->kma
.param
.tpcl
= 0;
1413 ctx
->kma
.param
.taadl
= 0;
1418 if (ctx
->ivlen
== 12) {
1419 memcpy(&ctx
->kma
.param
.j0
, iv
, ctx
->ivlen
);
1420 ctx
->kma
.param
.j0
.w
[3] = 1;
1421 ctx
->kma
.param
.cv
.w
= 1;
1423 /* ctx->iv has the right size and is already padded. */
1424 memcpy(ctx
->iv
, iv
, ctx
->ivlen
);
1425 s390x_kma(ctx
->iv
, S390X_gcm_ivpadlen(ctx
->ivlen
), NULL
, 0, NULL
,
1426 ctx
->fc
, &ctx
->kma
.param
);
1427 ctx
->fc
|= S390X_KMA_HS
;
1429 ctx
->kma
.param
.j0
.g
[0] = ctx
->kma
.param
.t
.g
[0];
1430 ctx
->kma
.param
.j0
.g
[1] = ctx
->kma
.param
.t
.g
[1];
1431 ctx
->kma
.param
.cv
.w
= ctx
->kma
.param
.j0
.w
[3];
1432 ctx
->kma
.param
.t
.g
[0] = 0;
1433 ctx
->kma
.param
.t
.g
[1] = 0;
1438 * Performs various operations on the context structure depending on control
1439 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
1440 * Code is big-endian.
1442 static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
1444 S390X_AES_GCM_CTX
*gctx
= EVP_C_DATA(S390X_AES_GCM_CTX
, c
);
1445 S390X_AES_GCM_CTX
*gctx_out
;
1446 EVP_CIPHER_CTX
*out
;
1448 int ivlen
, enc
, len
;
1452 ivlen
= EVP_CIPHER_get_iv_length(c
->cipher
);
1455 gctx
->ivlen
= ivlen
;
1459 gctx
->tls_aad_len
= -1;
1462 case EVP_CTRL_GET_IVLEN
:
1463 *(int *)ptr
= gctx
->ivlen
;
1466 case EVP_CTRL_AEAD_SET_IVLEN
:
1471 len
= S390X_gcm_ivpadlen(arg
);
1473 /* Allocate memory for iv if needed. */
1474 if (gctx
->ivlen
== 12 || len
> S390X_gcm_ivpadlen(gctx
->ivlen
)) {
1475 if (gctx
->iv
!= c
->iv
)
1476 OPENSSL_free(gctx
->iv
);
1478 if ((gctx
->iv
= OPENSSL_malloc(len
)) == NULL
) {
1479 ERR_raise(ERR_LIB_EVP
, ERR_R_MALLOC_FAILURE
);
1484 memset(gctx
->iv
+ arg
, 0, len
- arg
- 8);
1485 *((unsigned long long *)(gctx
->iv
+ len
- 8)) = arg
<< 3;
1490 case EVP_CTRL_AEAD_SET_TAG
:
1491 buf
= EVP_CIPHER_CTX_buf_noconst(c
);
1492 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
1493 if (arg
<= 0 || arg
> 16 || enc
)
1496 memcpy(buf
, ptr
, arg
);
1500 case EVP_CTRL_AEAD_GET_TAG
:
1501 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
1502 if (arg
<= 0 || arg
> 16 || !enc
|| gctx
->taglen
< 0)
1505 memcpy(ptr
, gctx
->kma
.param
.t
.b
, arg
);
1508 case EVP_CTRL_GCM_SET_IV_FIXED
:
1509 /* Special case: -1 length restores whole iv */
1511 memcpy(gctx
->iv
, ptr
, gctx
->ivlen
);
1516 * Fixed field must be at least 4 bytes and invocation field at least
1519 if ((arg
< 4) || (gctx
->ivlen
- arg
) < 8)
1523 memcpy(gctx
->iv
, ptr
, arg
);
1525 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
1526 if (enc
&& RAND_bytes(gctx
->iv
+ arg
, gctx
->ivlen
- arg
) <= 0)
1532 case EVP_CTRL_GCM_IV_GEN
:
1533 if (gctx
->iv_gen
== 0 || gctx
->key_set
== 0)
1536 s390x_aes_gcm_setiv(gctx
, gctx
->iv
);
1538 if (arg
<= 0 || arg
> gctx
->ivlen
)
1541 memcpy(ptr
, gctx
->iv
+ gctx
->ivlen
- arg
, arg
);
1543 * Invocation field will be at least 8 bytes in size and so no need
1544 * to check wrap around or increment more than last 8 bytes.
1546 ctr64_inc(gctx
->iv
+ gctx
->ivlen
- 8);
1550 case EVP_CTRL_GCM_SET_IV_INV
:
1551 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
1552 if (gctx
->iv_gen
== 0 || gctx
->key_set
== 0 || enc
)
1555 memcpy(gctx
->iv
+ gctx
->ivlen
- arg
, ptr
, arg
);
1556 s390x_aes_gcm_setiv(gctx
, gctx
->iv
);
1560 case EVP_CTRL_AEAD_TLS1_AAD
:
1561 /* Save the aad for later use. */
1562 if (arg
!= EVP_AEAD_TLS1_AAD_LEN
)
1565 buf
= EVP_CIPHER_CTX_buf_noconst(c
);
1566 memcpy(buf
, ptr
, arg
);
1567 gctx
->tls_aad_len
= arg
;
1568 gctx
->tls_enc_records
= 0;
1570 len
= buf
[arg
- 2] << 8 | buf
[arg
- 1];
1571 /* Correct length for explicit iv. */
1572 if (len
< EVP_GCM_TLS_EXPLICIT_IV_LEN
)
1574 len
-= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1576 /* If decrypting correct for tag too. */
1577 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
1579 if (len
< EVP_GCM_TLS_TAG_LEN
)
1581 len
-= EVP_GCM_TLS_TAG_LEN
;
1583 buf
[arg
- 2] = len
>> 8;
1584 buf
[arg
- 1] = len
& 0xff;
1585 /* Extra padding: tag appended to record. */
1586 return EVP_GCM_TLS_TAG_LEN
;
1590 gctx_out
= EVP_C_DATA(S390X_AES_GCM_CTX
, out
);
1592 if (gctx
->iv
== c
->iv
) {
1593 gctx_out
->iv
= out
->iv
;
1595 len
= S390X_gcm_ivpadlen(gctx
->ivlen
);
1597 if ((gctx_out
->iv
= OPENSSL_malloc(len
)) == NULL
) {
1598 ERR_raise(ERR_LIB_EVP
, ERR_R_MALLOC_FAILURE
);
1602 memcpy(gctx_out
->iv
, gctx
->iv
, len
);
1612 * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
1614 static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX
*ctx
,
1615 const unsigned char *key
,
1616 const unsigned char *iv
, int enc
)
1618 S390X_AES_GCM_CTX
*gctx
= EVP_C_DATA(S390X_AES_GCM_CTX
, ctx
);
1621 if (iv
== NULL
&& key
== NULL
)
1625 keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
1627 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
1631 memcpy(&gctx
->kma
.param
.k
, key
, keylen
);
1633 gctx
->fc
= S390X_AES_FC(keylen
);
1635 gctx
->fc
|= S390X_DECRYPT
;
1637 if (iv
== NULL
&& gctx
->iv_set
)
1641 s390x_aes_gcm_setiv(gctx
, iv
);
1647 s390x_aes_gcm_setiv(gctx
, iv
);
1649 memcpy(gctx
->iv
, iv
, gctx
->ivlen
);
1658 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
1659 * if successful. Otherwise -1 is returned. Code is big-endian.
1661 static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1662 const unsigned char *in
, size_t len
)
1664 S390X_AES_GCM_CTX
*gctx
= EVP_C_DATA(S390X_AES_GCM_CTX
, ctx
);
1665 const unsigned char *buf
= EVP_CIPHER_CTX_buf_noconst(ctx
);
1666 const int enc
= EVP_CIPHER_CTX_is_encrypting(ctx
);
1669 if (out
!= in
|| len
< (EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
))
1673 * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
1674 * Requirements from SP 800-38D". The requirements is for one party to the
1675 * communication to fail after 2^64 - 1 keys. We do this on the encrypting
1678 if (enc
&& ++gctx
->tls_enc_records
== 0) {
1679 ERR_raise(ERR_LIB_EVP
, EVP_R_TOO_MANY_RECORDS
);
1683 if (EVP_CIPHER_CTX_ctrl(ctx
, enc
? EVP_CTRL_GCM_IV_GEN
1684 : EVP_CTRL_GCM_SET_IV_INV
,
1685 EVP_GCM_TLS_EXPLICIT_IV_LEN
, out
) <= 0)
1688 in
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1689 out
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1690 len
-= EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
;
1692 gctx
->kma
.param
.taadl
= gctx
->tls_aad_len
<< 3;
1693 gctx
->kma
.param
.tpcl
= len
<< 3;
1694 s390x_kma(buf
, gctx
->tls_aad_len
, in
, len
, out
,
1695 gctx
->fc
| S390X_KMA_LAAD
| S390X_KMA_LPC
, &gctx
->kma
.param
);
1698 memcpy(out
+ len
, gctx
->kma
.param
.t
.b
, EVP_GCM_TLS_TAG_LEN
);
1699 rv
= len
+ EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
;
1701 if (CRYPTO_memcmp(gctx
->kma
.param
.t
.b
, in
+ len
,
1702 EVP_GCM_TLS_TAG_LEN
)) {
1703 OPENSSL_cleanse(out
, len
);
1710 gctx
->tls_aad_len
= -1;
1715 * Called from EVP layer to initialize context, process additional
1716 * authenticated data, en/de-crypt plain/cipher-text and authenticate
1717 * ciphertext or process a TLS packet, depending on context. Returns bytes
1718 * written on success. Otherwise -1 is returned. Code is big-endian.
1720 static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1721 const unsigned char *in
, size_t len
)
1723 S390X_AES_GCM_CTX
*gctx
= EVP_C_DATA(S390X_AES_GCM_CTX
, ctx
);
1724 unsigned char *buf
, tmp
[16];
1730 if (gctx
->tls_aad_len
>= 0)
1731 return s390x_aes_gcm_tls_cipher(ctx
, out
, in
, len
);
1738 if (s390x_aes_gcm_aad(gctx
, in
, len
))
1741 if (s390x_aes_gcm(gctx
, in
, out
, len
))
1746 gctx
->kma
.param
.taadl
<<= 3;
1747 gctx
->kma
.param
.tpcl
<<= 3;
1748 s390x_kma(gctx
->ares
, gctx
->areslen
, gctx
->mres
, gctx
->mreslen
, tmp
,
1749 gctx
->fc
| S390X_KMA_LAAD
| S390X_KMA_LPC
, &gctx
->kma
.param
);
1750 /* recall that we already did en-/decrypt gctx->mres
1751 * and returned it to caller... */
1752 OPENSSL_cleanse(tmp
, gctx
->mreslen
);
1755 enc
= EVP_CIPHER_CTX_is_encrypting(ctx
);
1759 if (gctx
->taglen
< 0)
1762 buf
= EVP_CIPHER_CTX_buf_noconst(ctx
);
1763 if (CRYPTO_memcmp(buf
, gctx
->kma
.param
.t
.b
, gctx
->taglen
))
1770 static int s390x_aes_gcm_cleanup(EVP_CIPHER_CTX
*c
)
1772 S390X_AES_GCM_CTX
*gctx
= EVP_C_DATA(S390X_AES_GCM_CTX
, c
);
1777 if (gctx
->iv
!= c
->iv
)
1778 OPENSSL_free(gctx
->iv
);
1780 OPENSSL_cleanse(gctx
, sizeof(*gctx
));
1784 # define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
1786 # define s390x_aes_xts_init_key aes_xts_init_key
1787 static int s390x_aes_xts_init_key(EVP_CIPHER_CTX
*ctx
,
1788 const unsigned char *key
,
1789 const unsigned char *iv
, int enc
);
1790 # define s390x_aes_xts_cipher aes_xts_cipher
1791 static int s390x_aes_xts_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1792 const unsigned char *in
, size_t len
);
1793 # define s390x_aes_xts_ctrl aes_xts_ctrl
1794 static int s390x_aes_xts_ctrl(EVP_CIPHER_CTX
*, int type
, int arg
, void *ptr
);
1795 # define s390x_aes_xts_cleanup aes_xts_cleanup
1798 * Set nonce and length fields. Code is big-endian.
1800 static inline void s390x_aes_ccm_setiv(S390X_AES_CCM_CTX
*ctx
,
1801 const unsigned char *nonce
,
1804 ctx
->aes
.ccm
.nonce
.b
[0] &= ~S390X_CCM_AAD_FLAG
;
1805 ctx
->aes
.ccm
.nonce
.g
[1] = mlen
;
1806 memcpy(ctx
->aes
.ccm
.nonce
.b
+ 1, nonce
, 15 - ctx
->aes
.ccm
.l
);
1810 * Process additional authenticated data. Code is big-endian.
1812 static void s390x_aes_ccm_aad(S390X_AES_CCM_CTX
*ctx
, const unsigned char *aad
,
1821 ctx
->aes
.ccm
.nonce
.b
[0] |= S390X_CCM_AAD_FLAG
;
1823 /* Suppress 'type-punned pointer dereference' warning. */
1824 ptr
= ctx
->aes
.ccm
.buf
.b
;
1826 if (alen
< ((1 << 16) - (1 << 8))) {
1827 *(uint16_t *)ptr
= alen
;
1829 } else if (sizeof(alen
) == 8
1830 && alen
>= (size_t)1 << (32 % (sizeof(alen
) * 8))) {
1831 *(uint16_t *)ptr
= 0xffff;
1832 *(uint64_t *)(ptr
+ 2) = alen
;
1835 *(uint16_t *)ptr
= 0xfffe;
1836 *(uint32_t *)(ptr
+ 2) = alen
;
1840 while (i
< 16 && alen
) {
1841 ctx
->aes
.ccm
.buf
.b
[i
] = *aad
;
1847 ctx
->aes
.ccm
.buf
.b
[i
] = 0;
1851 ctx
->aes
.ccm
.kmac_param
.icv
.g
[0] = 0;
1852 ctx
->aes
.ccm
.kmac_param
.icv
.g
[1] = 0;
1853 s390x_kmac(ctx
->aes
.ccm
.nonce
.b
, 32, ctx
->aes
.ccm
.fc
,
1854 &ctx
->aes
.ccm
.kmac_param
);
1855 ctx
->aes
.ccm
.blocks
+= 2;
1858 alen
&= ~(size_t)0xf;
1860 s390x_kmac(aad
, alen
, ctx
->aes
.ccm
.fc
, &ctx
->aes
.ccm
.kmac_param
);
1861 ctx
->aes
.ccm
.blocks
+= alen
>> 4;
1865 for (i
= 0; i
< rem
; i
++)
1866 ctx
->aes
.ccm
.kmac_param
.icv
.b
[i
] ^= aad
[i
];
1868 s390x_km(ctx
->aes
.ccm
.kmac_param
.icv
.b
, 16,
1869 ctx
->aes
.ccm
.kmac_param
.icv
.b
, ctx
->aes
.ccm
.fc
,
1870 ctx
->aes
.ccm
.kmac_param
.k
);
1871 ctx
->aes
.ccm
.blocks
++;
1876 * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 0 for
1879 static int s390x_aes_ccm(S390X_AES_CCM_CTX
*ctx
, const unsigned char *in
,
1880 unsigned char *out
, size_t len
, int enc
)
1883 unsigned int i
, l
, num
;
1884 unsigned char flags
;
1886 flags
= ctx
->aes
.ccm
.nonce
.b
[0];
1887 if (!(flags
& S390X_CCM_AAD_FLAG
)) {
1888 s390x_km(ctx
->aes
.ccm
.nonce
.b
, 16, ctx
->aes
.ccm
.kmac_param
.icv
.b
,
1889 ctx
->aes
.ccm
.fc
, ctx
->aes
.ccm
.kmac_param
.k
);
1890 ctx
->aes
.ccm
.blocks
++;
1893 ctx
->aes
.ccm
.nonce
.b
[0] = l
;
1896 * Reconstruct length from encoded length field
1897 * and initialize it with counter value.
1900 for (i
= 15 - l
; i
< 15; i
++) {
1901 n
|= ctx
->aes
.ccm
.nonce
.b
[i
];
1902 ctx
->aes
.ccm
.nonce
.b
[i
] = 0;
1905 n
|= ctx
->aes
.ccm
.nonce
.b
[15];
1906 ctx
->aes
.ccm
.nonce
.b
[15] = 1;
1909 return -1; /* length mismatch */
1912 /* Two operations per block plus one for tag encryption */
1913 ctx
->aes
.ccm
.blocks
+= (((len
+ 15) >> 4) << 1) + 1;
1914 if (ctx
->aes
.ccm
.blocks
> (1ULL << 61))
1915 return -2; /* too much data */
1920 len
&= ~(size_t)0xf;
1923 /* mac-then-encrypt */
1925 s390x_kmac(in
, len
, ctx
->aes
.ccm
.fc
, &ctx
->aes
.ccm
.kmac_param
);
1927 for (i
= 0; i
< rem
; i
++)
1928 ctx
->aes
.ccm
.kmac_param
.icv
.b
[i
] ^= in
[len
+ i
];
1930 s390x_km(ctx
->aes
.ccm
.kmac_param
.icv
.b
, 16,
1931 ctx
->aes
.ccm
.kmac_param
.icv
.b
, ctx
->aes
.ccm
.fc
,
1932 ctx
->aes
.ccm
.kmac_param
.k
);
1935 CRYPTO_ctr128_encrypt_ctr32(in
, out
, len
+ rem
, &ctx
->aes
.key
.k
,
1936 ctx
->aes
.ccm
.nonce
.b
, ctx
->aes
.ccm
.buf
.b
,
1937 &num
, (ctr128_f
)AES_ctr32_encrypt
);
1939 /* decrypt-then-mac */
1940 CRYPTO_ctr128_encrypt_ctr32(in
, out
, len
+ rem
, &ctx
->aes
.key
.k
,
1941 ctx
->aes
.ccm
.nonce
.b
, ctx
->aes
.ccm
.buf
.b
,
1942 &num
, (ctr128_f
)AES_ctr32_encrypt
);
1945 s390x_kmac(out
, len
, ctx
->aes
.ccm
.fc
, &ctx
->aes
.ccm
.kmac_param
);
1947 for (i
= 0; i
< rem
; i
++)
1948 ctx
->aes
.ccm
.kmac_param
.icv
.b
[i
] ^= out
[len
+ i
];
1950 s390x_km(ctx
->aes
.ccm
.kmac_param
.icv
.b
, 16,
1951 ctx
->aes
.ccm
.kmac_param
.icv
.b
, ctx
->aes
.ccm
.fc
,
1952 ctx
->aes
.ccm
.kmac_param
.k
);
1956 for (i
= 15 - l
; i
< 16; i
++)
1957 ctx
->aes
.ccm
.nonce
.b
[i
] = 0;
1959 s390x_km(ctx
->aes
.ccm
.nonce
.b
, 16, ctx
->aes
.ccm
.buf
.b
, ctx
->aes
.ccm
.fc
,
1960 ctx
->aes
.ccm
.kmac_param
.k
);
1961 ctx
->aes
.ccm
.kmac_param
.icv
.g
[0] ^= ctx
->aes
.ccm
.buf
.g
[0];
1962 ctx
->aes
.ccm
.kmac_param
.icv
.g
[1] ^= ctx
->aes
.ccm
.buf
.g
[1];
1964 ctx
->aes
.ccm
.nonce
.b
[0] = flags
; /* restore flags field */
1969 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
1970 * if successful. Otherwise -1 is returned.
1972 static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
1973 const unsigned char *in
, size_t len
)
1975 S390X_AES_CCM_CTX
*cctx
= EVP_C_DATA(S390X_AES_CCM_CTX
, ctx
);
1976 unsigned char *ivec
= ctx
->iv
;
1977 unsigned char *buf
= EVP_CIPHER_CTX_buf_noconst(ctx
);
1978 const int enc
= EVP_CIPHER_CTX_is_encrypting(ctx
);
1981 || len
< (EVP_CCM_TLS_EXPLICIT_IV_LEN
+ (size_t)cctx
->aes
.ccm
.m
))
1985 /* Set explicit iv (sequence number). */
1986 memcpy(out
, buf
, EVP_CCM_TLS_EXPLICIT_IV_LEN
);
1989 len
-= EVP_CCM_TLS_EXPLICIT_IV_LEN
+ cctx
->aes
.ccm
.m
;
1991 * Get explicit iv (sequence number). We already have fixed iv
1992 * (server/client_write_iv) here.
1994 memcpy(ivec
+ EVP_CCM_TLS_FIXED_IV_LEN
, in
, EVP_CCM_TLS_EXPLICIT_IV_LEN
);
1995 s390x_aes_ccm_setiv(cctx
, ivec
, len
);
1997 /* Process aad (sequence number|type|version|length) */
1998 s390x_aes_ccm_aad(cctx
, buf
, cctx
->aes
.ccm
.tls_aad_len
);
2000 in
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
2001 out
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
2004 if (s390x_aes_ccm(cctx
, in
, out
, len
, enc
))
2007 memcpy(out
+ len
, cctx
->aes
.ccm
.kmac_param
.icv
.b
, cctx
->aes
.ccm
.m
);
2008 return len
+ EVP_CCM_TLS_EXPLICIT_IV_LEN
+ cctx
->aes
.ccm
.m
;
2010 if (!s390x_aes_ccm(cctx
, in
, out
, len
, enc
)) {
2011 if (!CRYPTO_memcmp(cctx
->aes
.ccm
.kmac_param
.icv
.b
, in
+ len
,
2016 OPENSSL_cleanse(out
, len
);
2022 * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
2025 static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX
*ctx
,
2026 const unsigned char *key
,
2027 const unsigned char *iv
, int enc
)
2029 S390X_AES_CCM_CTX
*cctx
= EVP_C_DATA(S390X_AES_CCM_CTX
, ctx
);
2032 if (iv
== NULL
&& key
== NULL
)
2036 keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
2038 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
2042 cctx
->aes
.ccm
.fc
= S390X_AES_FC(keylen
);
2043 memcpy(cctx
->aes
.ccm
.kmac_param
.k
, key
, keylen
);
2045 /* Store encoded m and l. */
2046 cctx
->aes
.ccm
.nonce
.b
[0] = ((cctx
->aes
.ccm
.l
- 1) & 0x7)
2047 | (((cctx
->aes
.ccm
.m
- 2) >> 1) & 0x7) << 3;
2048 memset(cctx
->aes
.ccm
.nonce
.b
+ 1, 0,
2049 sizeof(cctx
->aes
.ccm
.nonce
.b
));
2050 cctx
->aes
.ccm
.blocks
= 0;
2052 cctx
->aes
.ccm
.key_set
= 1;
2056 memcpy(ctx
->iv
, iv
, 15 - cctx
->aes
.ccm
.l
);
2058 cctx
->aes
.ccm
.iv_set
= 1;
2065 * Called from EVP layer to initialize context, process additional
2066 * authenticated data, en/de-crypt plain/cipher-text and authenticate
2067 * plaintext or process a TLS packet, depending on context. Returns bytes
2068 * written on success. Otherwise -1 is returned.
2070 static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2071 const unsigned char *in
, size_t len
)
2073 S390X_AES_CCM_CTX
*cctx
= EVP_C_DATA(S390X_AES_CCM_CTX
, ctx
);
2074 const int enc
= EVP_CIPHER_CTX_is_encrypting(ctx
);
2078 if (!cctx
->aes
.ccm
.key_set
)
2081 if (cctx
->aes
.ccm
.tls_aad_len
>= 0)
2082 return s390x_aes_ccm_tls_cipher(ctx
, out
, in
, len
);
2085 * Final(): Does not return any data. Recall that ccm is mac-then-encrypt
2086 * so integrity must be checked already at Update() i.e., before
2087 * potentially corrupted data is output.
2089 if (in
== NULL
&& out
!= NULL
)
2092 if (!cctx
->aes
.ccm
.iv_set
)
2096 /* Update(): Pass message length. */
2098 s390x_aes_ccm_setiv(cctx
, ctx
->iv
, len
);
2100 cctx
->aes
.ccm
.len_set
= 1;
2104 /* Update(): Process aad. */
2105 if (!cctx
->aes
.ccm
.len_set
&& len
)
2108 s390x_aes_ccm_aad(cctx
, in
, len
);
2112 /* The tag must be set before actually decrypting data */
2113 if (!enc
&& !cctx
->aes
.ccm
.tag_set
)
2116 /* Update(): Process message. */
2118 if (!cctx
->aes
.ccm
.len_set
) {
2120 * In case message length was not previously set explicitly via
2121 * Update(), set it now.
2123 s390x_aes_ccm_setiv(cctx
, ctx
->iv
, len
);
2125 cctx
->aes
.ccm
.len_set
= 1;
2129 if (s390x_aes_ccm(cctx
, in
, out
, len
, enc
))
2132 cctx
->aes
.ccm
.tag_set
= 1;
2137 if (!s390x_aes_ccm(cctx
, in
, out
, len
, enc
)) {
2138 buf
= EVP_CIPHER_CTX_buf_noconst(ctx
);
2139 if (!CRYPTO_memcmp(cctx
->aes
.ccm
.kmac_param
.icv
.b
, buf
,
2145 OPENSSL_cleanse(out
, len
);
2147 cctx
->aes
.ccm
.iv_set
= 0;
2148 cctx
->aes
.ccm
.tag_set
= 0;
2149 cctx
->aes
.ccm
.len_set
= 0;
2155 * Performs various operations on the context structure depending on control
2156 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
2157 * Code is big-endian.
2159 static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
2161 S390X_AES_CCM_CTX
*cctx
= EVP_C_DATA(S390X_AES_CCM_CTX
, c
);
2167 cctx
->aes
.ccm
.key_set
= 0;
2168 cctx
->aes
.ccm
.iv_set
= 0;
2169 cctx
->aes
.ccm
.l
= 8;
2170 cctx
->aes
.ccm
.m
= 12;
2171 cctx
->aes
.ccm
.tag_set
= 0;
2172 cctx
->aes
.ccm
.len_set
= 0;
2173 cctx
->aes
.ccm
.tls_aad_len
= -1;
2176 case EVP_CTRL_GET_IVLEN
:
2177 *(int *)ptr
= 15 - cctx
->aes
.ccm
.l
;
2180 case EVP_CTRL_AEAD_TLS1_AAD
:
2181 if (arg
!= EVP_AEAD_TLS1_AAD_LEN
)
2184 /* Save the aad for later use. */
2185 buf
= EVP_CIPHER_CTX_buf_noconst(c
);
2186 memcpy(buf
, ptr
, arg
);
2187 cctx
->aes
.ccm
.tls_aad_len
= arg
;
2189 len
= buf
[arg
- 2] << 8 | buf
[arg
- 1];
2190 if (len
< EVP_CCM_TLS_EXPLICIT_IV_LEN
)
2193 /* Correct length for explicit iv. */
2194 len
-= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
2196 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
2198 if (len
< cctx
->aes
.ccm
.m
)
2201 /* Correct length for tag. */
2202 len
-= cctx
->aes
.ccm
.m
;
2205 buf
[arg
- 2] = len
>> 8;
2206 buf
[arg
- 1] = len
& 0xff;
2208 /* Extra padding: tag appended to record. */
2209 return cctx
->aes
.ccm
.m
;
2211 case EVP_CTRL_CCM_SET_IV_FIXED
:
2212 if (arg
!= EVP_CCM_TLS_FIXED_IV_LEN
)
2215 /* Copy to first part of the iv. */
2216 memcpy(c
->iv
, ptr
, arg
);
2219 case EVP_CTRL_AEAD_SET_IVLEN
:
2223 case EVP_CTRL_CCM_SET_L
:
2224 if (arg
< 2 || arg
> 8)
2227 cctx
->aes
.ccm
.l
= arg
;
2230 case EVP_CTRL_AEAD_SET_TAG
:
2231 if ((arg
& 1) || arg
< 4 || arg
> 16)
2234 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
2239 cctx
->aes
.ccm
.tag_set
= 1;
2240 buf
= EVP_CIPHER_CTX_buf_noconst(c
);
2241 memcpy(buf
, ptr
, arg
);
2244 cctx
->aes
.ccm
.m
= arg
;
2247 case EVP_CTRL_AEAD_GET_TAG
:
2248 enc
= EVP_CIPHER_CTX_is_encrypting(c
);
2249 if (!enc
|| !cctx
->aes
.ccm
.tag_set
)
2252 if (arg
< cctx
->aes
.ccm
.m
)
2255 memcpy(ptr
, cctx
->aes
.ccm
.kmac_param
.icv
.b
, cctx
->aes
.ccm
.m
);
2256 cctx
->aes
.ccm
.tag_set
= 0;
2257 cctx
->aes
.ccm
.iv_set
= 0;
2258 cctx
->aes
.ccm
.len_set
= 0;
2269 # define s390x_aes_ccm_cleanup aes_ccm_cleanup
2271 # ifndef OPENSSL_NO_OCB
2272 # define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
2274 # define s390x_aes_ocb_init_key aes_ocb_init_key
2275 static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
2276 const unsigned char *iv
, int enc
);
2277 # define s390x_aes_ocb_cipher aes_ocb_cipher
2278 static int s390x_aes_ocb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2279 const unsigned char *in
, size_t len
);
2280 # define s390x_aes_ocb_cleanup aes_ocb_cleanup
2281 static int s390x_aes_ocb_cleanup(EVP_CIPHER_CTX
*);
2282 # define s390x_aes_ocb_ctrl aes_ocb_ctrl
2283 static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX
*, int type
, int arg
, void *ptr
);
2286 # ifndef OPENSSL_NO_SIV
2287 # define S390X_AES_SIV_CTX EVP_AES_SIV_CTX
2289 # define s390x_aes_siv_init_key aes_siv_init_key
2290 # define s390x_aes_siv_cipher aes_siv_cipher
2291 # define s390x_aes_siv_cleanup aes_siv_cleanup
2292 # define s390x_aes_siv_ctrl aes_siv_ctrl
2295 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
2297 static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2298 nid##_##keylen##_##nmode,blocksize, \
2301 flags | EVP_CIPH_##MODE##_MODE, \
2303 s390x_aes_##mode##_init_key, \
2304 s390x_aes_##mode##_cipher, \
2306 sizeof(S390X_AES_##MODE##_CTX), \
2312 static const EVP_CIPHER aes_##keylen##_##mode = { \
2313 nid##_##keylen##_##nmode, \
2317 flags | EVP_CIPH_##MODE##_MODE, \
2320 aes_##mode##_cipher, \
2322 sizeof(EVP_AES_KEY), \
2328 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2330 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2331 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2334 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
2335 static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2336 nid##_##keylen##_##mode, \
2338 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
2340 flags | EVP_CIPH_##MODE##_MODE, \
2342 s390x_aes_##mode##_init_key, \
2343 s390x_aes_##mode##_cipher, \
2344 s390x_aes_##mode##_cleanup, \
2345 sizeof(S390X_AES_##MODE##_CTX), \
2348 s390x_aes_##mode##_ctrl, \
2351 static const EVP_CIPHER aes_##keylen##_##mode = { \
2352 nid##_##keylen##_##mode,blocksize, \
2353 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
2355 flags | EVP_CIPH_##MODE##_MODE, \
2357 aes_##mode##_init_key, \
2358 aes_##mode##_cipher, \
2359 aes_##mode##_cleanup, \
2360 sizeof(EVP_AES_##MODE##_CTX), \
2363 aes_##mode##_ctrl, \
2366 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2368 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2369 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2374 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
2375 static const EVP_CIPHER aes_##keylen##_##mode = { \
2376 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
2377 flags|EVP_CIPH_##MODE##_MODE, \
2380 aes_##mode##_cipher, \
2382 sizeof(EVP_AES_KEY), \
2383 NULL,NULL,NULL,NULL }; \
2384 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2385 { return &aes_##keylen##_##mode; }
2387 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
2388 static const EVP_CIPHER aes_##keylen##_##mode = { \
2389 nid##_##keylen##_##mode,blocksize, \
2390 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
2392 flags|EVP_CIPH_##MODE##_MODE, \
2394 aes_##mode##_init_key, \
2395 aes_##mode##_cipher, \
2396 aes_##mode##_cleanup, \
2397 sizeof(EVP_AES_##MODE##_CTX), \
2398 NULL,NULL,aes_##mode##_ctrl,NULL }; \
2399 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2400 { return &aes_##keylen##_##mode; }
2404 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
2405 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2406 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2407 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2408 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2409 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
2410 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
2411 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
2413 static int aes_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
2414 const unsigned char *iv
, int enc
)
2417 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2418 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
2421 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
2425 mode
= EVP_CIPHER_CTX_get_mode(ctx
);
2426 if ((mode
== EVP_CIPH_ECB_MODE
|| mode
== EVP_CIPH_CBC_MODE
)
2428 #ifdef HWAES_CAPABLE
2429 if (HWAES_CAPABLE
) {
2430 ret
= HWAES_set_decrypt_key(key
, keylen
, &dat
->ks
.ks
);
2431 dat
->block
= (block128_f
) HWAES_decrypt
;
2432 dat
->stream
.cbc
= NULL
;
2433 # ifdef HWAES_cbc_encrypt
2434 if (mode
== EVP_CIPH_CBC_MODE
)
2435 dat
->stream
.cbc
= (cbc128_f
) HWAES_cbc_encrypt
;
2439 #ifdef BSAES_CAPABLE
2440 if (BSAES_CAPABLE
&& mode
== EVP_CIPH_CBC_MODE
) {
2441 ret
= AES_set_decrypt_key(key
, keylen
, &dat
->ks
.ks
);
2442 dat
->block
= (block128_f
) AES_decrypt
;
2443 dat
->stream
.cbc
= (cbc128_f
) ossl_bsaes_cbc_encrypt
;
2446 #ifdef VPAES_CAPABLE
2447 if (VPAES_CAPABLE
) {
2448 ret
= vpaes_set_decrypt_key(key
, keylen
, &dat
->ks
.ks
);
2449 dat
->block
= (block128_f
) vpaes_decrypt
;
2450 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
2451 (cbc128_f
) vpaes_cbc_encrypt
: NULL
;
2455 ret
= AES_set_decrypt_key(key
, keylen
, &dat
->ks
.ks
);
2456 dat
->block
= (block128_f
) AES_decrypt
;
2457 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
2458 (cbc128_f
) AES_cbc_encrypt
: NULL
;
2461 #ifdef HWAES_CAPABLE
2462 if (HWAES_CAPABLE
) {
2463 ret
= HWAES_set_encrypt_key(key
, keylen
, &dat
->ks
.ks
);
2464 dat
->block
= (block128_f
) HWAES_encrypt
;
2465 dat
->stream
.cbc
= NULL
;
2466 # ifdef HWAES_cbc_encrypt
2467 if (mode
== EVP_CIPH_CBC_MODE
)
2468 dat
->stream
.cbc
= (cbc128_f
) HWAES_cbc_encrypt
;
2471 # ifdef HWAES_ctr32_encrypt_blocks
2472 if (mode
== EVP_CIPH_CTR_MODE
)
2473 dat
->stream
.ctr
= (ctr128_f
) HWAES_ctr32_encrypt_blocks
;
2476 (void)0; /* terminate potentially open 'else' */
2479 #ifdef BSAES_CAPABLE
2480 if (BSAES_CAPABLE
&& mode
== EVP_CIPH_CTR_MODE
) {
2481 ret
= AES_set_encrypt_key(key
, keylen
, &dat
->ks
.ks
);
2482 dat
->block
= (block128_f
) AES_encrypt
;
2483 dat
->stream
.ctr
= (ctr128_f
) ossl_bsaes_ctr32_encrypt_blocks
;
2486 #ifdef VPAES_CAPABLE
2487 if (VPAES_CAPABLE
) {
2488 ret
= vpaes_set_encrypt_key(key
, keylen
, &dat
->ks
.ks
);
2489 dat
->block
= (block128_f
) vpaes_encrypt
;
2490 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
2491 (cbc128_f
) vpaes_cbc_encrypt
: NULL
;
2495 ret
= AES_set_encrypt_key(key
, keylen
, &dat
->ks
.ks
);
2496 dat
->block
= (block128_f
) AES_encrypt
;
2497 dat
->stream
.cbc
= mode
== EVP_CIPH_CBC_MODE
?
2498 (cbc128_f
) AES_cbc_encrypt
: NULL
;
2500 if (mode
== EVP_CIPH_CTR_MODE
)
2501 dat
->stream
.ctr
= (ctr128_f
) AES_ctr32_encrypt
;
2506 ERR_raise(ERR_LIB_EVP
, EVP_R_AES_KEY_SETUP_FAILED
);
2513 static int aes_cbc_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2514 const unsigned char *in
, size_t len
)
2516 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2518 if (dat
->stream
.cbc
)
2519 (*dat
->stream
.cbc
) (in
, out
, len
, &dat
->ks
, ctx
->iv
,
2520 EVP_CIPHER_CTX_is_encrypting(ctx
));
2521 else if (EVP_CIPHER_CTX_is_encrypting(ctx
))
2522 CRYPTO_cbc128_encrypt(in
, out
, len
, &dat
->ks
, ctx
->iv
,
2525 CRYPTO_cbc128_decrypt(in
, out
, len
, &dat
->ks
,
2526 ctx
->iv
, dat
->block
);
2531 static int aes_ecb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2532 const unsigned char *in
, size_t len
)
2534 size_t bl
= EVP_CIPHER_CTX_get_block_size(ctx
);
2536 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2541 for (i
= 0, len
-= bl
; i
<= len
; i
+= bl
)
2542 (*dat
->block
) (in
+ i
, out
+ i
, &dat
->ks
);
2547 static int aes_ofb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2548 const unsigned char *in
, size_t len
)
2550 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2552 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2553 CRYPTO_ofb128_encrypt(in
, out
, len
, &dat
->ks
,
2554 ctx
->iv
, &num
, dat
->block
);
2555 EVP_CIPHER_CTX_set_num(ctx
, num
);
2559 static int aes_cfb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2560 const unsigned char *in
, size_t len
)
2562 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2564 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2565 CRYPTO_cfb128_encrypt(in
, out
, len
, &dat
->ks
,
2567 EVP_CIPHER_CTX_is_encrypting(ctx
), dat
->block
);
2568 EVP_CIPHER_CTX_set_num(ctx
, num
);
2572 static int aes_cfb8_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2573 const unsigned char *in
, size_t len
)
2575 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2577 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2578 CRYPTO_cfb128_8_encrypt(in
, out
, len
, &dat
->ks
,
2580 EVP_CIPHER_CTX_is_encrypting(ctx
), dat
->block
);
2581 EVP_CIPHER_CTX_set_num(ctx
, num
);
2585 static int aes_cfb1_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2586 const unsigned char *in
, size_t len
)
2588 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2590 if (EVP_CIPHER_CTX_test_flags(ctx
, EVP_CIPH_FLAG_LENGTH_BITS
)) {
2591 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2592 CRYPTO_cfb128_1_encrypt(in
, out
, len
, &dat
->ks
,
2594 EVP_CIPHER_CTX_is_encrypting(ctx
), dat
->block
);
2595 EVP_CIPHER_CTX_set_num(ctx
, num
);
2599 while (len
>= MAXBITCHUNK
) {
2600 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2601 CRYPTO_cfb128_1_encrypt(in
, out
, MAXBITCHUNK
* 8, &dat
->ks
,
2603 EVP_CIPHER_CTX_is_encrypting(ctx
), dat
->block
);
2604 EVP_CIPHER_CTX_set_num(ctx
, num
);
2610 int num
= EVP_CIPHER_CTX_get_num(ctx
);
2611 CRYPTO_cfb128_1_encrypt(in
, out
, len
* 8, &dat
->ks
,
2613 EVP_CIPHER_CTX_is_encrypting(ctx
), dat
->block
);
2614 EVP_CIPHER_CTX_set_num(ctx
, num
);
2620 static int aes_ctr_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2621 const unsigned char *in
, size_t len
)
2623 int n
= EVP_CIPHER_CTX_get_num(ctx
);
2625 EVP_AES_KEY
*dat
= EVP_C_DATA(EVP_AES_KEY
,ctx
);
2629 num
= (unsigned int)n
;
2631 if (dat
->stream
.ctr
)
2632 CRYPTO_ctr128_encrypt_ctr32(in
, out
, len
, &dat
->ks
,
2634 EVP_CIPHER_CTX_buf_noconst(ctx
),
2635 &num
, dat
->stream
.ctr
);
2637 CRYPTO_ctr128_encrypt(in
, out
, len
, &dat
->ks
,
2639 EVP_CIPHER_CTX_buf_noconst(ctx
), &num
,
2641 EVP_CIPHER_CTX_set_num(ctx
, num
);
2645 BLOCK_CIPHER_generic_pack(NID_aes
, 128, 0)
2646 BLOCK_CIPHER_generic_pack(NID_aes
, 192, 0)
2647 BLOCK_CIPHER_generic_pack(NID_aes
, 256, 0)
2649 static int aes_gcm_cleanup(EVP_CIPHER_CTX
*c
)
2651 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,c
);
2654 OPENSSL_cleanse(&gctx
->gcm
, sizeof(gctx
->gcm
));
2655 if (gctx
->iv
!= c
->iv
)
2656 OPENSSL_free(gctx
->iv
);
2660 static int aes_gcm_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
2662 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,c
);
2667 gctx
->ivlen
= EVP_CIPHER_get_iv_length(c
->cipher
);
2671 gctx
->tls_aad_len
= -1;
2674 case EVP_CTRL_GET_IVLEN
:
2675 *(int *)ptr
= gctx
->ivlen
;
2678 case EVP_CTRL_AEAD_SET_IVLEN
:
2681 /* Allocate memory for IV if needed */
2682 if ((arg
> EVP_MAX_IV_LENGTH
) && (arg
> gctx
->ivlen
)) {
2683 if (gctx
->iv
!= c
->iv
)
2684 OPENSSL_free(gctx
->iv
);
2685 if ((gctx
->iv
= OPENSSL_malloc(arg
)) == NULL
) {
2686 ERR_raise(ERR_LIB_EVP
, ERR_R_MALLOC_FAILURE
);
2693 case EVP_CTRL_AEAD_SET_TAG
:
2694 if (arg
<= 0 || arg
> 16 || c
->encrypt
)
2696 memcpy(c
->buf
, ptr
, arg
);
2700 case EVP_CTRL_AEAD_GET_TAG
:
2701 if (arg
<= 0 || arg
> 16 || !c
->encrypt
2702 || gctx
->taglen
< 0)
2704 memcpy(ptr
, c
->buf
, arg
);
2707 case EVP_CTRL_GCM_SET_IV_FIXED
:
2708 /* Special case: -1 length restores whole IV */
2710 memcpy(gctx
->iv
, ptr
, gctx
->ivlen
);
2715 * Fixed field must be at least 4 bytes and invocation field at least
2718 if ((arg
< 4) || (gctx
->ivlen
- arg
) < 8)
2721 memcpy(gctx
->iv
, ptr
, arg
);
2722 if (c
->encrypt
&& RAND_bytes(gctx
->iv
+ arg
, gctx
->ivlen
- arg
) <= 0)
2727 case EVP_CTRL_GCM_IV_GEN
:
2728 if (gctx
->iv_gen
== 0 || gctx
->key_set
== 0)
2730 CRYPTO_gcm128_setiv(&gctx
->gcm
, gctx
->iv
, gctx
->ivlen
);
2731 if (arg
<= 0 || arg
> gctx
->ivlen
)
2733 memcpy(ptr
, gctx
->iv
+ gctx
->ivlen
- arg
, arg
);
2735 * Invocation field will be at least 8 bytes in size and so no need
2736 * to check wrap around or increment more than last 8 bytes.
2738 ctr64_inc(gctx
->iv
+ gctx
->ivlen
- 8);
2742 case EVP_CTRL_GCM_SET_IV_INV
:
2743 if (gctx
->iv_gen
== 0 || gctx
->key_set
== 0 || c
->encrypt
)
2745 memcpy(gctx
->iv
+ gctx
->ivlen
- arg
, ptr
, arg
);
2746 CRYPTO_gcm128_setiv(&gctx
->gcm
, gctx
->iv
, gctx
->ivlen
);
2750 case EVP_CTRL_AEAD_TLS1_AAD
:
2751 /* Save the AAD for later use */
2752 if (arg
!= EVP_AEAD_TLS1_AAD_LEN
)
2754 memcpy(c
->buf
, ptr
, arg
);
2755 gctx
->tls_aad_len
= arg
;
2756 gctx
->tls_enc_records
= 0;
2758 unsigned int len
= c
->buf
[arg
- 2] << 8 | c
->buf
[arg
- 1];
2759 /* Correct length for explicit IV */
2760 if (len
< EVP_GCM_TLS_EXPLICIT_IV_LEN
)
2762 len
-= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
2763 /* If decrypting correct for tag too */
2765 if (len
< EVP_GCM_TLS_TAG_LEN
)
2767 len
-= EVP_GCM_TLS_TAG_LEN
;
2769 c
->buf
[arg
- 2] = len
>> 8;
2770 c
->buf
[arg
- 1] = len
& 0xff;
2772 /* Extra padding: tag appended to record */
2773 return EVP_GCM_TLS_TAG_LEN
;
2777 EVP_CIPHER_CTX
*out
= ptr
;
2778 EVP_AES_GCM_CTX
*gctx_out
= EVP_C_DATA(EVP_AES_GCM_CTX
,out
);
2779 if (gctx
->gcm
.key
) {
2780 if (gctx
->gcm
.key
!= &gctx
->ks
)
2782 gctx_out
->gcm
.key
= &gctx_out
->ks
;
2784 if (gctx
->iv
== c
->iv
)
2785 gctx_out
->iv
= out
->iv
;
2787 if ((gctx_out
->iv
= OPENSSL_malloc(gctx
->ivlen
)) == NULL
) {
2788 ERR_raise(ERR_LIB_EVP
, ERR_R_MALLOC_FAILURE
);
2791 memcpy(gctx_out
->iv
, gctx
->iv
, gctx
->ivlen
);
2802 static int aes_gcm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
2803 const unsigned char *iv
, int enc
)
2805 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,ctx
);
2807 if (iv
== NULL
&& key
== NULL
)
2811 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
2814 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
2818 #ifdef HWAES_CAPABLE
2819 if (HWAES_CAPABLE
) {
2820 HWAES_set_encrypt_key(key
, keylen
, &gctx
->ks
.ks
);
2821 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
,
2822 (block128_f
) HWAES_encrypt
);
2823 # ifdef HWAES_ctr32_encrypt_blocks
2824 gctx
->ctr
= (ctr128_f
) HWAES_ctr32_encrypt_blocks
;
2831 #ifdef BSAES_CAPABLE
2832 if (BSAES_CAPABLE
) {
2833 AES_set_encrypt_key(key
, keylen
, &gctx
->ks
.ks
);
2834 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
,
2835 (block128_f
) AES_encrypt
);
2836 gctx
->ctr
= (ctr128_f
) ossl_bsaes_ctr32_encrypt_blocks
;
2840 #ifdef VPAES_CAPABLE
2841 if (VPAES_CAPABLE
) {
2842 vpaes_set_encrypt_key(key
, keylen
, &gctx
->ks
.ks
);
2843 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
,
2844 (block128_f
) vpaes_encrypt
);
2849 (void)0; /* terminate potentially open 'else' */
2851 AES_set_encrypt_key(key
, keylen
, &gctx
->ks
.ks
);
2852 CRYPTO_gcm128_init(&gctx
->gcm
, &gctx
->ks
,
2853 (block128_f
) AES_encrypt
);
2855 gctx
->ctr
= (ctr128_f
) AES_ctr32_encrypt
;
2862 * If we have an iv can set it directly, otherwise use saved IV.
2864 if (iv
== NULL
&& gctx
->iv_set
)
2867 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
2872 /* If key set use IV, otherwise copy */
2874 CRYPTO_gcm128_setiv(&gctx
->gcm
, iv
, gctx
->ivlen
);
2876 memcpy(gctx
->iv
, iv
, gctx
->ivlen
);
2884 * Handle TLS GCM packet format. This consists of the last portion of the IV
2885 * followed by the payload and finally the tag. On encrypt generate IV,
2886 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
2890 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
2891 const unsigned char *in
, size_t len
)
2893 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,ctx
);
2895 /* Encrypt/decrypt must be performed in place */
2897 || len
< (EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
))
2901 * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
2902 * Requirements from SP 800-38D". The requirements is for one party to the
2903 * communication to fail after 2^64 - 1 keys. We do this on the encrypting
2906 if (EVP_CIPHER_CTX_is_encrypting(ctx
) && ++gctx
->tls_enc_records
== 0) {
2907 ERR_raise(ERR_LIB_EVP
, EVP_R_TOO_MANY_RECORDS
);
2912 * Set IV from start of buffer or generate IV and write to start of
2915 if (EVP_CIPHER_CTX_ctrl(ctx
,
2916 EVP_CIPHER_CTX_is_encrypting(ctx
) ?
2917 EVP_CTRL_GCM_IV_GEN
: EVP_CTRL_GCM_SET_IV_INV
,
2918 EVP_GCM_TLS_EXPLICIT_IV_LEN
, out
) <= 0)
2921 if (CRYPTO_gcm128_aad(&gctx
->gcm
, EVP_CIPHER_CTX_buf_noconst(ctx
),
2924 /* Fix buffer and length to point to payload */
2925 in
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
2926 out
+= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
2927 len
-= EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
;
2928 if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
2929 /* Encrypt payload */
2932 #if defined(AES_GCM_ASM)
2933 if (len
>= 32 && AES_GCM_ASM(gctx
)) {
2934 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
, NULL
, NULL
, 0))
2937 bulk
= AES_gcm_encrypt(in
, out
, len
,
2939 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
2940 gctx
->gcm
.len
.u
[1] += bulk
;
2943 if (CRYPTO_gcm128_encrypt_ctr32(&gctx
->gcm
,
2946 len
- bulk
, gctx
->ctr
))
2950 #if defined(AES_GCM_ASM2)
2951 if (len
>= 32 && AES_GCM_ASM2(gctx
)) {
2952 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
, NULL
, NULL
, 0))
2955 bulk
= AES_gcm_encrypt(in
, out
, len
,
2957 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
2958 gctx
->gcm
.len
.u
[1] += bulk
;
2961 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
,
2962 in
+ bulk
, out
+ bulk
, len
- bulk
))
2966 /* Finally write tag */
2967 CRYPTO_gcm128_tag(&gctx
->gcm
, out
, EVP_GCM_TLS_TAG_LEN
);
2968 rv
= len
+ EVP_GCM_TLS_EXPLICIT_IV_LEN
+ EVP_GCM_TLS_TAG_LEN
;
2973 #if defined(AES_GCM_ASM)
2974 if (len
>= 16 && AES_GCM_ASM(gctx
)) {
2975 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
, NULL
, NULL
, 0))
2978 bulk
= AES_gcm_decrypt(in
, out
, len
,
2980 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
2981 gctx
->gcm
.len
.u
[1] += bulk
;
2984 if (CRYPTO_gcm128_decrypt_ctr32(&gctx
->gcm
,
2987 len
- bulk
, gctx
->ctr
))
2991 #if defined(AES_GCM_ASM2)
2992 if (len
>= 16 && AES_GCM_ASM2(gctx
)) {
2993 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
, NULL
, NULL
, 0))
2996 bulk
= AES_gcm_decrypt(in
, out
, len
,
2998 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
2999 gctx
->gcm
.len
.u
[1] += bulk
;
3002 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
,
3003 in
+ bulk
, out
+ bulk
, len
- bulk
))
3007 CRYPTO_gcm128_tag(&gctx
->gcm
, EVP_CIPHER_CTX_buf_noconst(ctx
),
3008 EVP_GCM_TLS_TAG_LEN
);
3009 /* If tag mismatch wipe buffer */
3010 if (CRYPTO_memcmp(EVP_CIPHER_CTX_buf_noconst(ctx
), in
+ len
,
3011 EVP_GCM_TLS_TAG_LEN
)) {
3012 OPENSSL_cleanse(out
, len
);
3020 gctx
->tls_aad_len
= -1;
3026 * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
3028 * See also 8.2.2 RBG-based construction.
3029 * Random construction consists of a free field (which can be NULL) and a
3030 * random field which will use a DRBG that can return at least 96 bits of
3031 * entropy strength. (The DRBG must be seeded by the FIPS module).
3033 static int aes_gcm_iv_generate(EVP_AES_GCM_CTX
*gctx
, int offset
)
3035 int sz
= gctx
->ivlen
- offset
;
3037 /* Must be at least 96 bits */
3038 if (sz
<= 0 || gctx
->ivlen
< 12)
3041 /* Use DRBG to generate random iv */
3042 if (RAND_bytes(gctx
->iv
+ offset
, sz
) <= 0)
3046 #endif /* FIPS_MODULE */
3048 static int aes_gcm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
3049 const unsigned char *in
, size_t len
)
3051 EVP_AES_GCM_CTX
*gctx
= EVP_C_DATA(EVP_AES_GCM_CTX
,ctx
);
3053 /* If not set up, return error */
3057 if (gctx
->tls_aad_len
>= 0)
3058 return aes_gcm_tls_cipher(ctx
, out
, in
, len
);
3062 * FIPS requires generation of AES-GCM IV's inside the FIPS module.
3063 * The IV can still be set externally (the security policy will state that
3064 * this is not FIPS compliant). There are some applications
3065 * where setting the IV externally is the only option available.
3067 if (!gctx
->iv_set
) {
3068 if (!EVP_CIPHER_CTX_is_encrypting(ctx
) || !aes_gcm_iv_generate(gctx
, 0))
3070 CRYPTO_gcm128_setiv(&gctx
->gcm
, gctx
->iv
, gctx
->ivlen
);
3072 gctx
->iv_gen_rand
= 1;
3077 #endif /* FIPS_MODULE */
3081 if (CRYPTO_gcm128_aad(&gctx
->gcm
, in
, len
))
3083 } else if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
3086 #if defined(AES_GCM_ASM)
3087 if (len
>= 32 && AES_GCM_ASM(gctx
)) {
3088 size_t res
= (16 - gctx
->gcm
.mres
) % 16;
3090 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
, in
, out
, res
))
3093 bulk
= AES_gcm_encrypt(in
+ res
,
3094 out
+ res
, len
- res
,
3095 gctx
->gcm
.key
, gctx
->gcm
.Yi
.c
,
3097 gctx
->gcm
.len
.u
[1] += bulk
;
3101 if (CRYPTO_gcm128_encrypt_ctr32(&gctx
->gcm
,
3104 len
- bulk
, gctx
->ctr
))
3108 #if defined(AES_GCM_ASM2)
3109 if (len
>= 32 && AES_GCM_ASM2(gctx
)) {
3110 size_t res
= (16 - gctx
->gcm
.mres
) % 16;
3112 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
, in
, out
, res
))
3115 bulk
= AES_gcm_encrypt(in
+ res
,
3116 out
+ res
, len
- res
,
3117 gctx
->gcm
.key
, gctx
->gcm
.Yi
.c
,
3119 gctx
->gcm
.len
.u
[1] += bulk
;
3123 if (CRYPTO_gcm128_encrypt(&gctx
->gcm
,
3124 in
+ bulk
, out
+ bulk
, len
- bulk
))
3130 #if defined(AES_GCM_ASM)
3131 if (len
>= 16 && AES_GCM_ASM(gctx
)) {
3132 size_t res
= (16 - gctx
->gcm
.mres
) % 16;
3134 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
, in
, out
, res
))
3137 bulk
= AES_gcm_decrypt(in
+ res
,
3138 out
+ res
, len
- res
,
3140 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
3141 gctx
->gcm
.len
.u
[1] += bulk
;
3145 if (CRYPTO_gcm128_decrypt_ctr32(&gctx
->gcm
,
3148 len
- bulk
, gctx
->ctr
))
3152 #if defined(AES_GCM_ASM2)
3153 if (len
>= 16 && AES_GCM_ASM2(gctx
)) {
3154 size_t res
= (16 - gctx
->gcm
.mres
) % 16;
3156 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
, in
, out
, res
))
3159 bulk
= AES_gcm_decrypt(in
+ res
,
3160 out
+ res
, len
- res
,
3162 gctx
->gcm
.Yi
.c
, gctx
->gcm
.Xi
.u
);
3163 gctx
->gcm
.len
.u
[1] += bulk
;
3167 if (CRYPTO_gcm128_decrypt(&gctx
->gcm
,
3168 in
+ bulk
, out
+ bulk
, len
- bulk
))
3174 if (!EVP_CIPHER_CTX_is_encrypting(ctx
)) {
3175 if (gctx
->taglen
< 0)
3177 if (CRYPTO_gcm128_finish(&gctx
->gcm
,
3178 EVP_CIPHER_CTX_buf_noconst(ctx
),
3184 CRYPTO_gcm128_tag(&gctx
->gcm
, EVP_CIPHER_CTX_buf_noconst(ctx
), 16);
3186 /* Don't reuse the IV */
3193 #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
3194 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3195 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3196 | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
3198 BLOCK_CIPHER_custom(NID_aes
, 128, 1, 12, gcm
, GCM
,
3199 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3200 BLOCK_CIPHER_custom(NID_aes
, 192, 1, 12, gcm
, GCM
,
3201 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3202 BLOCK_CIPHER_custom(NID_aes
, 256, 1, 12, gcm
, GCM
,
3203 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3205 static int aes_xts_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
3207 EVP_AES_XTS_CTX
*xctx
= EVP_C_DATA(EVP_AES_XTS_CTX
, c
);
3209 if (type
== EVP_CTRL_COPY
) {
3210 EVP_CIPHER_CTX
*out
= ptr
;
3211 EVP_AES_XTS_CTX
*xctx_out
= EVP_C_DATA(EVP_AES_XTS_CTX
,out
);
3213 if (xctx
->xts
.key1
) {
3214 if (xctx
->xts
.key1
!= &xctx
->ks1
)
3216 xctx_out
->xts
.key1
= &xctx_out
->ks1
;
3218 if (xctx
->xts
.key2
) {
3219 if (xctx
->xts
.key2
!= &xctx
->ks2
)
3221 xctx_out
->xts
.key2
= &xctx_out
->ks2
;
3224 } else if (type
!= EVP_CTRL_INIT
)
3226 /* key1 and key2 are used as an indicator both key and IV are set */
3227 xctx
->xts
.key1
= NULL
;
3228 xctx
->xts
.key2
= NULL
;
3232 static int aes_xts_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
3233 const unsigned char *iv
, int enc
)
3235 EVP_AES_XTS_CTX
*xctx
= EVP_C_DATA(EVP_AES_XTS_CTX
,ctx
);
3237 if (iv
== NULL
&& key
== NULL
)
3242 /* The key is two half length keys in reality */
3243 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
);
3244 const int bytes
= keylen
/ 2;
3245 const int bits
= bytes
* 8;
3248 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
3252 * Verify that the two keys are different.
3254 * This addresses the vulnerability described in Rogaway's
3255 * September 2004 paper:
3257 * "Efficient Instantiations of Tweakable Blockciphers and
3258 * Refinements to Modes OCB and PMAC".
3259 * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
3261 * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
3263 * "The check for Key_1 != Key_2 shall be done at any place
3264 * BEFORE using the keys in the XTS-AES algorithm to process
3267 if ((!allow_insecure_decrypt
|| enc
)
3268 && CRYPTO_memcmp(key
, key
+ bytes
, bytes
) == 0) {
3269 ERR_raise(ERR_LIB_EVP
, EVP_R_XTS_DUPLICATED_KEYS
);
3274 xctx
->stream
= enc
? AES_xts_encrypt
: AES_xts_decrypt
;
3276 xctx
->stream
= NULL
;
3278 /* key_len is two AES keys */
3279 #ifdef HWAES_CAPABLE
3280 if (HWAES_CAPABLE
) {
3282 HWAES_set_encrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3283 xctx
->xts
.block1
= (block128_f
) HWAES_encrypt
;
3284 # ifdef HWAES_xts_encrypt
3285 xctx
->stream
= HWAES_xts_encrypt
;
3288 HWAES_set_decrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3289 xctx
->xts
.block1
= (block128_f
) HWAES_decrypt
;
3290 # ifdef HWAES_xts_decrypt
3291 xctx
->stream
= HWAES_xts_decrypt
;
3295 HWAES_set_encrypt_key(key
+ bytes
, bits
, &xctx
->ks2
.ks
);
3296 xctx
->xts
.block2
= (block128_f
) HWAES_encrypt
;
3298 xctx
->xts
.key1
= &xctx
->ks1
;
3302 #ifdef BSAES_CAPABLE
3304 xctx
->stream
= enc
? ossl_bsaes_xts_encrypt
: ossl_bsaes_xts_decrypt
;
3307 #ifdef VPAES_CAPABLE
3308 if (VPAES_CAPABLE
) {
3310 vpaes_set_encrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3311 xctx
->xts
.block1
= (block128_f
) vpaes_encrypt
;
3313 vpaes_set_decrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3314 xctx
->xts
.block1
= (block128_f
) vpaes_decrypt
;
3317 vpaes_set_encrypt_key(key
+ bytes
, bits
, &xctx
->ks2
.ks
);
3318 xctx
->xts
.block2
= (block128_f
) vpaes_encrypt
;
3320 xctx
->xts
.key1
= &xctx
->ks1
;
3324 (void)0; /* terminate potentially open 'else' */
3327 AES_set_encrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3328 xctx
->xts
.block1
= (block128_f
) AES_encrypt
;
3330 AES_set_decrypt_key(key
, bits
, &xctx
->ks1
.ks
);
3331 xctx
->xts
.block1
= (block128_f
) AES_decrypt
;
3334 AES_set_encrypt_key(key
+ bytes
, bits
, &xctx
->ks2
.ks
);
3335 xctx
->xts
.block2
= (block128_f
) AES_encrypt
;
3337 xctx
->xts
.key1
= &xctx
->ks1
;
3342 xctx
->xts
.key2
= &xctx
->ks2
;
3343 memcpy(ctx
->iv
, iv
, 16);
3349 static int aes_xts_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
3350 const unsigned char *in
, size_t len
)
3352 EVP_AES_XTS_CTX
*xctx
= EVP_C_DATA(EVP_AES_XTS_CTX
,ctx
);
3354 if (xctx
->xts
.key1
== NULL
3355 || xctx
->xts
.key2
== NULL
3358 || len
< AES_BLOCK_SIZE
)
3362 * Impose a limit of 2^20 blocks per data unit as specified by
3363 * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007
3364 * indicated that this was a SHOULD NOT rather than a MUST NOT.
3365 * NIST SP 800-38E mandates the same limit.
3367 if (len
> XTS_MAX_BLOCKS_PER_DATA_UNIT
* AES_BLOCK_SIZE
) {
3368 ERR_raise(ERR_LIB_EVP
, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE
);
3373 (*xctx
->stream
) (in
, out
, len
,
3374 xctx
->xts
.key1
, xctx
->xts
.key2
,
3376 else if (CRYPTO_xts128_encrypt(&xctx
->xts
, ctx
->iv
, in
, out
, len
,
3377 EVP_CIPHER_CTX_is_encrypting(ctx
)))
3382 #define aes_xts_cleanup NULL
3384 #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
3385 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3386 | EVP_CIPH_CUSTOM_COPY)
3388 BLOCK_CIPHER_custom(NID_aes
, 128, 1, 16, xts
, XTS
, XTS_FLAGS
)
3389 BLOCK_CIPHER_custom(NID_aes
, 256, 1, 16, xts
, XTS
, XTS_FLAGS
)
3391 static int aes_ccm_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
3393 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,c
);
3402 cctx
->tls_aad_len
= -1;
3405 case EVP_CTRL_GET_IVLEN
:
3406 *(int *)ptr
= 15 - cctx
->L
;
3409 case EVP_CTRL_AEAD_TLS1_AAD
:
3410 /* Save the AAD for later use */
3411 if (arg
!= EVP_AEAD_TLS1_AAD_LEN
)
3413 memcpy(EVP_CIPHER_CTX_buf_noconst(c
), ptr
, arg
);
3414 cctx
->tls_aad_len
= arg
;
3417 EVP_CIPHER_CTX_buf_noconst(c
)[arg
- 2] << 8
3418 | EVP_CIPHER_CTX_buf_noconst(c
)[arg
- 1];
3419 /* Correct length for explicit IV */
3420 if (len
< EVP_CCM_TLS_EXPLICIT_IV_LEN
)
3422 len
-= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
3423 /* If decrypting correct for tag too */
3424 if (!EVP_CIPHER_CTX_is_encrypting(c
)) {
3429 EVP_CIPHER_CTX_buf_noconst(c
)[arg
- 2] = len
>> 8;
3430 EVP_CIPHER_CTX_buf_noconst(c
)[arg
- 1] = len
& 0xff;
3432 /* Extra padding: tag appended to record */
3435 case EVP_CTRL_CCM_SET_IV_FIXED
:
3436 /* Sanity check length */
3437 if (arg
!= EVP_CCM_TLS_FIXED_IV_LEN
)
3439 /* Just copy to first part of IV */
3440 memcpy(c
->iv
, ptr
, arg
);
3443 case EVP_CTRL_AEAD_SET_IVLEN
:
3446 case EVP_CTRL_CCM_SET_L
:
3447 if (arg
< 2 || arg
> 8)
3452 case EVP_CTRL_AEAD_SET_TAG
:
3453 if ((arg
& 1) || arg
< 4 || arg
> 16)
3455 if (EVP_CIPHER_CTX_is_encrypting(c
) && ptr
)
3459 memcpy(EVP_CIPHER_CTX_buf_noconst(c
), ptr
, arg
);
3464 case EVP_CTRL_AEAD_GET_TAG
:
3465 if (!EVP_CIPHER_CTX_is_encrypting(c
) || !cctx
->tag_set
)
3467 if (!CRYPTO_ccm128_tag(&cctx
->ccm
, ptr
, (size_t)arg
))
3476 EVP_CIPHER_CTX
*out
= ptr
;
3477 EVP_AES_CCM_CTX
*cctx_out
= EVP_C_DATA(EVP_AES_CCM_CTX
,out
);
3478 if (cctx
->ccm
.key
) {
3479 if (cctx
->ccm
.key
!= &cctx
->ks
)
3481 cctx_out
->ccm
.key
= &cctx_out
->ks
;
3492 static int aes_ccm_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
3493 const unsigned char *iv
, int enc
)
3495 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,ctx
);
3497 if (iv
== NULL
&& key
== NULL
)
3501 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
3504 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
3508 #ifdef HWAES_CAPABLE
3509 if (HWAES_CAPABLE
) {
3510 HWAES_set_encrypt_key(key
, keylen
, &cctx
->ks
.ks
);
3512 CRYPTO_ccm128_init(&cctx
->ccm
, cctx
->M
, cctx
->L
,
3513 &cctx
->ks
, (block128_f
) HWAES_encrypt
);
3519 #ifdef VPAES_CAPABLE
3520 if (VPAES_CAPABLE
) {
3521 vpaes_set_encrypt_key(key
, keylen
, &cctx
->ks
.ks
);
3522 CRYPTO_ccm128_init(&cctx
->ccm
, cctx
->M
, cctx
->L
,
3523 &cctx
->ks
, (block128_f
) vpaes_encrypt
);
3529 AES_set_encrypt_key(key
, keylen
, &cctx
->ks
.ks
);
3530 CRYPTO_ccm128_init(&cctx
->ccm
, cctx
->M
, cctx
->L
,
3531 &cctx
->ks
, (block128_f
) AES_encrypt
);
3537 memcpy(ctx
->iv
, iv
, 15 - cctx
->L
);
3543 static int aes_ccm_tls_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
3544 const unsigned char *in
, size_t len
)
3546 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,ctx
);
3547 CCM128_CONTEXT
*ccm
= &cctx
->ccm
;
3548 /* Encrypt/decrypt must be performed in place */
3549 if (out
!= in
|| len
< (EVP_CCM_TLS_EXPLICIT_IV_LEN
+ (size_t)cctx
->M
))
3551 /* If encrypting set explicit IV from sequence number (start of AAD) */
3552 if (EVP_CIPHER_CTX_is_encrypting(ctx
))
3553 memcpy(out
, EVP_CIPHER_CTX_buf_noconst(ctx
),
3554 EVP_CCM_TLS_EXPLICIT_IV_LEN
);
3555 /* Get rest of IV from explicit IV */
3556 memcpy(ctx
->iv
+ EVP_CCM_TLS_FIXED_IV_LEN
, in
,
3557 EVP_CCM_TLS_EXPLICIT_IV_LEN
);
3558 /* Correct length value */
3559 len
-= EVP_CCM_TLS_EXPLICIT_IV_LEN
+ cctx
->M
;
3560 if (CRYPTO_ccm128_setiv(ccm
, ctx
->iv
, 15 - cctx
->L
,
3564 CRYPTO_ccm128_aad(ccm
, EVP_CIPHER_CTX_buf_noconst(ctx
),
3566 /* Fix buffer to point to payload */
3567 in
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
3568 out
+= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
3569 if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
3570 if (cctx
->str
? CRYPTO_ccm128_encrypt_ccm64(ccm
, in
, out
, len
,
3572 CRYPTO_ccm128_encrypt(ccm
, in
, out
, len
))
3574 if (!CRYPTO_ccm128_tag(ccm
, out
+ len
, cctx
->M
))
3576 return len
+ EVP_CCM_TLS_EXPLICIT_IV_LEN
+ cctx
->M
;
3578 if (cctx
->str
? !CRYPTO_ccm128_decrypt_ccm64(ccm
, in
, out
, len
,
3580 !CRYPTO_ccm128_decrypt(ccm
, in
, out
, len
)) {
3581 unsigned char tag
[16];
3582 if (CRYPTO_ccm128_tag(ccm
, tag
, cctx
->M
)) {
3583 if (!CRYPTO_memcmp(tag
, in
+ len
, cctx
->M
))
3587 OPENSSL_cleanse(out
, len
);
3592 static int aes_ccm_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
3593 const unsigned char *in
, size_t len
)
3595 EVP_AES_CCM_CTX
*cctx
= EVP_C_DATA(EVP_AES_CCM_CTX
,ctx
);
3596 CCM128_CONTEXT
*ccm
= &cctx
->ccm
;
3597 /* If not set up, return error */
3601 if (cctx
->tls_aad_len
>= 0)
3602 return aes_ccm_tls_cipher(ctx
, out
, in
, len
);
3604 /* EVP_*Final() doesn't return any data */
3605 if (in
== NULL
&& out
!= NULL
)
3613 if (CRYPTO_ccm128_setiv(ccm
, ctx
->iv
,
3619 /* If have AAD need message length */
3620 if (!cctx
->len_set
&& len
)
3622 CRYPTO_ccm128_aad(ccm
, in
, len
);
3626 /* The tag must be set before actually decrypting data */
3627 if (!EVP_CIPHER_CTX_is_encrypting(ctx
) && !cctx
->tag_set
)
3630 /* If not set length yet do it */
3631 if (!cctx
->len_set
) {
3632 if (CRYPTO_ccm128_setiv(ccm
, ctx
->iv
, 15 - cctx
->L
, len
))
3636 if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
3637 if (cctx
->str
? CRYPTO_ccm128_encrypt_ccm64(ccm
, in
, out
, len
,
3639 CRYPTO_ccm128_encrypt(ccm
, in
, out
, len
))
3645 if (cctx
->str
? !CRYPTO_ccm128_decrypt_ccm64(ccm
, in
, out
, len
,
3647 !CRYPTO_ccm128_decrypt(ccm
, in
, out
, len
)) {
3648 unsigned char tag
[16];
3649 if (CRYPTO_ccm128_tag(ccm
, tag
, cctx
->M
)) {
3650 if (!CRYPTO_memcmp(tag
, EVP_CIPHER_CTX_buf_noconst(ctx
),
3656 OPENSSL_cleanse(out
, len
);
3664 #define aes_ccm_cleanup NULL
3666 BLOCK_CIPHER_custom(NID_aes
, 128, 1, 12, ccm
, CCM
,
3667 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3668 BLOCK_CIPHER_custom(NID_aes
, 192, 1, 12, ccm
, CCM
,
3669 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3670 BLOCK_CIPHER_custom(NID_aes
, 256, 1, 12, ccm
, CCM
,
3671 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
3678 /* Indicates if IV has been set */
3682 static int aes_wrap_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
3683 const unsigned char *iv
, int enc
)
3686 EVP_AES_WRAP_CTX
*wctx
= EVP_C_DATA(EVP_AES_WRAP_CTX
,ctx
);
3688 if (iv
== NULL
&& key
== NULL
)
3691 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
3694 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
3697 if (EVP_CIPHER_CTX_is_encrypting(ctx
))
3698 AES_set_encrypt_key(key
, keylen
, &wctx
->ks
.ks
);
3700 AES_set_decrypt_key(key
, keylen
, &wctx
->ks
.ks
);
3705 if ((len
= EVP_CIPHER_CTX_get_iv_length(ctx
)) < 0)
3707 memcpy(ctx
->iv
, iv
, len
);
3713 static int aes_wrap_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
3714 const unsigned char *in
, size_t inlen
)
3716 EVP_AES_WRAP_CTX
*wctx
= EVP_C_DATA(EVP_AES_WRAP_CTX
,ctx
);
3718 /* AES wrap with padding has IV length of 4, without padding 8 */
3719 int pad
= EVP_CIPHER_CTX_get_iv_length(ctx
) == 4;
3720 /* No final operation so always return zero length */
3723 /* Input length must always be non-zero */
3726 /* If decrypting need at least 16 bytes and multiple of 8 */
3727 if (!EVP_CIPHER_CTX_is_encrypting(ctx
) && (inlen
< 16 || inlen
& 0x7))
3729 /* If not padding input must be multiple of 8 */
3730 if (!pad
&& inlen
& 0x7)
3732 if (ossl_is_partially_overlapping(out
, in
, inlen
)) {
3733 ERR_raise(ERR_LIB_EVP
, EVP_R_PARTIALLY_OVERLAPPING
);
3737 if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
3738 /* If padding round up to multiple of 8 */
3740 inlen
= (inlen
+ 7) / 8 * 8;
3745 * If not padding output will be exactly 8 bytes smaller than
3746 * input. If padding it will be at least 8 bytes smaller but we
3747 * don't know how much.
3753 if (EVP_CIPHER_CTX_is_encrypting(ctx
))
3754 rv
= CRYPTO_128_wrap_pad(&wctx
->ks
.ks
, wctx
->iv
,
3756 (block128_f
) AES_encrypt
);
3758 rv
= CRYPTO_128_unwrap_pad(&wctx
->ks
.ks
, wctx
->iv
,
3760 (block128_f
) AES_decrypt
);
3762 if (EVP_CIPHER_CTX_is_encrypting(ctx
))
3763 rv
= CRYPTO_128_wrap(&wctx
->ks
.ks
, wctx
->iv
,
3764 out
, in
, inlen
, (block128_f
) AES_encrypt
);
3766 rv
= CRYPTO_128_unwrap(&wctx
->ks
.ks
, wctx
->iv
,
3767 out
, in
, inlen
, (block128_f
) AES_decrypt
);
3769 return rv
? (int)rv
: -1;
3772 #define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
3773 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3774 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
3776 static const EVP_CIPHER aes_128_wrap
= {
3778 8, 16, 8, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3779 aes_wrap_init_key
, aes_wrap_cipher
,
3781 sizeof(EVP_AES_WRAP_CTX
),
3782 NULL
, NULL
, NULL
, NULL
3785 const EVP_CIPHER
*EVP_aes_128_wrap(void)
3787 return &aes_128_wrap
;
3790 static const EVP_CIPHER aes_192_wrap
= {
3792 8, 24, 8, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3793 aes_wrap_init_key
, aes_wrap_cipher
,
3795 sizeof(EVP_AES_WRAP_CTX
),
3796 NULL
, NULL
, NULL
, NULL
3799 const EVP_CIPHER
*EVP_aes_192_wrap(void)
3801 return &aes_192_wrap
;
3804 static const EVP_CIPHER aes_256_wrap
= {
3806 8, 32, 8, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3807 aes_wrap_init_key
, aes_wrap_cipher
,
3809 sizeof(EVP_AES_WRAP_CTX
),
3810 NULL
, NULL
, NULL
, NULL
3813 const EVP_CIPHER
*EVP_aes_256_wrap(void)
3815 return &aes_256_wrap
;
3818 static const EVP_CIPHER aes_128_wrap_pad
= {
3819 NID_id_aes128_wrap_pad
,
3820 8, 16, 4, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3821 aes_wrap_init_key
, aes_wrap_cipher
,
3823 sizeof(EVP_AES_WRAP_CTX
),
3824 NULL
, NULL
, NULL
, NULL
3827 const EVP_CIPHER
*EVP_aes_128_wrap_pad(void)
3829 return &aes_128_wrap_pad
;
3832 static const EVP_CIPHER aes_192_wrap_pad
= {
3833 NID_id_aes192_wrap_pad
,
3834 8, 24, 4, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3835 aes_wrap_init_key
, aes_wrap_cipher
,
3837 sizeof(EVP_AES_WRAP_CTX
),
3838 NULL
, NULL
, NULL
, NULL
3841 const EVP_CIPHER
*EVP_aes_192_wrap_pad(void)
3843 return &aes_192_wrap_pad
;
3846 static const EVP_CIPHER aes_256_wrap_pad
= {
3847 NID_id_aes256_wrap_pad
,
3848 8, 32, 4, WRAP_FLAGS
, EVP_ORIG_GLOBAL
,
3849 aes_wrap_init_key
, aes_wrap_cipher
,
3851 sizeof(EVP_AES_WRAP_CTX
),
3852 NULL
, NULL
, NULL
, NULL
3855 const EVP_CIPHER
*EVP_aes_256_wrap_pad(void)
3857 return &aes_256_wrap_pad
;
3860 #ifndef OPENSSL_NO_OCB
3861 static int aes_ocb_ctrl(EVP_CIPHER_CTX
*c
, int type
, int arg
, void *ptr
)
3863 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,c
);
3864 EVP_CIPHER_CTX
*newc
;
3865 EVP_AES_OCB_CTX
*new_octx
;
3871 octx
->ivlen
= EVP_CIPHER_get_iv_length(c
->cipher
);
3874 octx
->data_buf_len
= 0;
3875 octx
->aad_buf_len
= 0;
3878 case EVP_CTRL_GET_IVLEN
:
3879 *(int *)ptr
= octx
->ivlen
;
3882 case EVP_CTRL_AEAD_SET_IVLEN
:
3883 /* IV len must be 1 to 15 */
3884 if (arg
<= 0 || arg
> 15)
3890 case EVP_CTRL_AEAD_SET_TAG
:
3892 /* Tag len must be 0 to 16 */
3893 if (arg
< 0 || arg
> 16)
3899 if (arg
!= octx
->taglen
|| EVP_CIPHER_CTX_is_encrypting(c
))
3901 memcpy(octx
->tag
, ptr
, arg
);
3904 case EVP_CTRL_AEAD_GET_TAG
:
3905 if (arg
!= octx
->taglen
|| !EVP_CIPHER_CTX_is_encrypting(c
))
3908 memcpy(ptr
, octx
->tag
, arg
);
3912 newc
= (EVP_CIPHER_CTX
*)ptr
;
3913 new_octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,newc
);
3914 return CRYPTO_ocb128_copy_ctx(&new_octx
->ocb
, &octx
->ocb
,
3915 &new_octx
->ksenc
.ks
,
3916 &new_octx
->ksdec
.ks
);
3924 static int aes_ocb_init_key(EVP_CIPHER_CTX
*ctx
, const unsigned char *key
,
3925 const unsigned char *iv
, int enc
)
3927 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,ctx
);
3929 if (iv
== NULL
&& key
== NULL
)
3933 const int keylen
= EVP_CIPHER_CTX_get_key_length(ctx
) * 8;
3936 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_KEY_LENGTH
);
3941 * We set both the encrypt and decrypt key here because decrypt
3942 * needs both. We could possibly optimise to remove setting the
3943 * decrypt for an encryption operation.
3945 # ifdef HWAES_CAPABLE
3946 if (HWAES_CAPABLE
) {
3947 HWAES_set_encrypt_key(key
, keylen
, &octx
->ksenc
.ks
);
3948 HWAES_set_decrypt_key(key
, keylen
, &octx
->ksdec
.ks
);
3949 if (!CRYPTO_ocb128_init(&octx
->ocb
,
3950 &octx
->ksenc
.ks
, &octx
->ksdec
.ks
,
3951 (block128_f
) HWAES_encrypt
,
3952 (block128_f
) HWAES_decrypt
,
3953 enc
? HWAES_ocb_encrypt
3954 : HWAES_ocb_decrypt
))
3959 # ifdef VPAES_CAPABLE
3960 if (VPAES_CAPABLE
) {
3961 vpaes_set_encrypt_key(key
, keylen
, &octx
->ksenc
.ks
);
3962 vpaes_set_decrypt_key(key
, keylen
, &octx
->ksdec
.ks
);
3963 if (!CRYPTO_ocb128_init(&octx
->ocb
,
3964 &octx
->ksenc
.ks
, &octx
->ksdec
.ks
,
3965 (block128_f
) vpaes_encrypt
,
3966 (block128_f
) vpaes_decrypt
,
3972 AES_set_encrypt_key(key
, keylen
, &octx
->ksenc
.ks
);
3973 AES_set_decrypt_key(key
, keylen
, &octx
->ksdec
.ks
);
3974 if (!CRYPTO_ocb128_init(&octx
->ocb
,
3975 &octx
->ksenc
.ks
, &octx
->ksdec
.ks
,
3976 (block128_f
) AES_encrypt
,
3977 (block128_f
) AES_decrypt
,
3984 * If we have an iv we can set it directly, otherwise use saved IV.
3986 if (iv
== NULL
&& octx
->iv_set
)
3989 if (CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
)
3996 /* If key set use IV, otherwise copy */
3998 CRYPTO_ocb128_setiv(&octx
->ocb
, iv
, octx
->ivlen
, octx
->taglen
);
4000 memcpy(octx
->iv
, iv
, octx
->ivlen
);
4006 static int aes_ocb_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
4007 const unsigned char *in
, size_t len
)
4011 int written_len
= 0;
4012 size_t trailing_len
;
4013 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,ctx
);
4015 /* If IV or Key not set then return error */
4024 * Need to ensure we are only passing full blocks to low level OCB
4025 * routines. We do it here rather than in EVP_EncryptUpdate/
4026 * EVP_DecryptUpdate because we need to pass full blocks of AAD too
4027 * and those routines don't support that
4030 /* Are we dealing with AAD or normal data here? */
4032 buf
= octx
->aad_buf
;
4033 buf_len
= &(octx
->aad_buf_len
);
4035 buf
= octx
->data_buf
;
4036 buf_len
= &(octx
->data_buf_len
);
4038 if (ossl_is_partially_overlapping(out
+ *buf_len
, in
, len
)) {
4039 ERR_raise(ERR_LIB_EVP
, EVP_R_PARTIALLY_OVERLAPPING
);
4045 * If we've got a partially filled buffer from a previous call then
4046 * use that data first
4049 unsigned int remaining
;
4051 remaining
= AES_BLOCK_SIZE
- (*buf_len
);
4052 if (remaining
> len
) {
4053 memcpy(buf
+ (*buf_len
), in
, len
);
4057 memcpy(buf
+ (*buf_len
), in
, remaining
);
4060 * If we get here we've filled the buffer, so process it
4065 if (!CRYPTO_ocb128_aad(&octx
->ocb
, buf
, AES_BLOCK_SIZE
))
4067 } else if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
4068 if (!CRYPTO_ocb128_encrypt(&octx
->ocb
, buf
, out
,
4072 if (!CRYPTO_ocb128_decrypt(&octx
->ocb
, buf
, out
,
4076 written_len
= AES_BLOCK_SIZE
;
4079 out
+= AES_BLOCK_SIZE
;
4082 /* Do we have a partial block to handle at the end? */
4083 trailing_len
= len
% AES_BLOCK_SIZE
;
4086 * If we've got some full blocks to handle, then process these first
4088 if (len
!= trailing_len
) {
4090 if (!CRYPTO_ocb128_aad(&octx
->ocb
, in
, len
- trailing_len
))
4092 } else if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
4093 if (!CRYPTO_ocb128_encrypt
4094 (&octx
->ocb
, in
, out
, len
- trailing_len
))
4097 if (!CRYPTO_ocb128_decrypt
4098 (&octx
->ocb
, in
, out
, len
- trailing_len
))
4101 written_len
+= len
- trailing_len
;
4102 in
+= len
- trailing_len
;
4105 /* Handle any trailing partial block */
4106 if (trailing_len
> 0) {
4107 memcpy(buf
, in
, trailing_len
);
4108 *buf_len
= trailing_len
;
4114 * First of all empty the buffer of any partial block that we might
4115 * have been provided - both for data and AAD
4117 if (octx
->data_buf_len
> 0) {
4118 if (EVP_CIPHER_CTX_is_encrypting(ctx
)) {
4119 if (!CRYPTO_ocb128_encrypt(&octx
->ocb
, octx
->data_buf
, out
,
4120 octx
->data_buf_len
))
4123 if (!CRYPTO_ocb128_decrypt(&octx
->ocb
, octx
->data_buf
, out
,
4124 octx
->data_buf_len
))
4127 written_len
= octx
->data_buf_len
;
4128 octx
->data_buf_len
= 0;
4130 if (octx
->aad_buf_len
> 0) {
4131 if (!CRYPTO_ocb128_aad
4132 (&octx
->ocb
, octx
->aad_buf
, octx
->aad_buf_len
))
4134 octx
->aad_buf_len
= 0;
4136 /* If decrypting then verify */
4137 if (!EVP_CIPHER_CTX_is_encrypting(ctx
)) {
4138 if (octx
->taglen
< 0)
4140 if (CRYPTO_ocb128_finish(&octx
->ocb
,
4141 octx
->tag
, octx
->taglen
) != 0)
4146 /* If encrypting then just get the tag */
4147 if (CRYPTO_ocb128_tag(&octx
->ocb
, octx
->tag
, 16) != 1)
4149 /* Don't reuse the IV */
4155 static int aes_ocb_cleanup(EVP_CIPHER_CTX
*c
)
4157 EVP_AES_OCB_CTX
*octx
= EVP_C_DATA(EVP_AES_OCB_CTX
,c
);
4158 CRYPTO_ocb128_cleanup(&octx
->ocb
);
4162 BLOCK_CIPHER_custom(NID_aes
, 128, 16, 12, ocb
, OCB
,
4163 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
4164 BLOCK_CIPHER_custom(NID_aes
, 192, 16, 12, ocb
, OCB
,
4165 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
4166 BLOCK_CIPHER_custom(NID_aes
, 256, 16, 12, ocb
, OCB
,
4167 EVP_CIPH_FLAG_AEAD_CIPHER
| CUSTOM_FLAGS
)
4168 #endif /* OPENSSL_NO_OCB */