]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/evp/e_aes.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
s390x assembly pack: allow specifying the tag after aad in aes-ccm
[thirdparty/openssl.git] / crypto / evp / e_aes.c
CommitLineData
aa6bb135 1/*
5516c19b 2 * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
deb2c1a1 3 *
4a8b0c55 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
aa6bb135
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
deb2c1a1
DSH		 8 */
9
8c84b677 10#include <openssl/opensslconf.h>
5158c763
MC		 11#include <openssl/crypto.h>
12#include <openssl/evp.h>
13#include <openssl/err.h>
14#include <string.h>
15#include <assert.h>
16#include <openssl/aes.h>
17#include "internal/evp_int.h"
39147079 18#include "internal/cryptlib.h"
5158c763
MC		 19#include "modes_lcl.h"
20#include <openssl/rand.h>
b1ceb439 21#include <openssl/cmac.h>
7141ba31 22#include "evp_locl.h"
0f113f3e
MC		 23
24typedef struct {
25 union {
39147079 26 OSSL_UNION_ALIGN;
0f113f3e
MC		 27 AES_KEY ks;
28 } ks;
29 block128_f block;
30 union {
31 cbc128_f cbc;
32 ctr128_f ctr;
33 } stream;
34} EVP_AES_KEY;
35
36typedef struct {
37 union {
39147079 38 OSSL_UNION_ALIGN;
0f113f3e
MC		 39 AES_KEY ks;
40 } ks; /* AES key schedule to use */
41 int key_set; /* Set if key initialised */
42 int iv_set; /* Set if an iv is set */
43 GCM128_CONTEXT gcm;
44 unsigned char *iv; /* Temporary IV store */
45 int ivlen; /* IV length */
46 int taglen;
47 int iv_gen; /* It is OK to generate IVs */
bcf082d1 48 int iv_gen_rand; /* No IV was specified, so generate a rand IV */
0f113f3e 49 int tls_aad_len; /* TLS AAD length */
d6b34570 50 uint64_t tls_enc_records; /* Number of TLS records encrypted */
0f113f3e
MC		 51 ctr128_f ctr;
52} EVP_AES_GCM_CTX;
53
54typedef struct {
55 union {
39147079 56 OSSL_UNION_ALIGN;
0f113f3e
MC		 57 AES_KEY ks;
58 } ks1, ks2; /* AES key schedules to use */
59 XTS128_CONTEXT xts;
60 void (*stream) (const unsigned char *in,
61 unsigned char *out, size_t length,
62 const AES_KEY *key1, const AES_KEY *key2,
63 const unsigned char iv[16]);
64} EVP_AES_XTS_CTX;
65
66typedef struct {
67 union {
39147079 68 OSSL_UNION_ALIGN;
0f113f3e
MC		 69 AES_KEY ks;
70 } ks; /* AES key schedule to use */
71 int key_set; /* Set if key initialised */
72 int iv_set; /* Set if an iv is set */
73 int tag_set; /* Set if tag is valid */
74 int len_set; /* Set if message length set */
75 int L, M; /* L and M parameters from RFC3610 */
e75c5a79 76 int tls_aad_len; /* TLS AAD length */
0f113f3e
MC		 77 CCM128_CONTEXT ccm;
78 ccm128_f str;
79} EVP_AES_CCM_CTX;
80
5158c763 81#ifndef OPENSSL_NO_OCB
0f113f3e 82typedef struct {
bdc985b1 83 union {
39147079 84 OSSL_UNION_ALIGN;
bdc985b1
AP		 85 AES_KEY ks;
86 } ksenc; /* AES key schedule to use for encryption */
87 union {
39147079 88 OSSL_UNION_ALIGN;
bdc985b1
AP		 89 AES_KEY ks;
90 } ksdec; /* AES key schedule to use for decryption */
0f113f3e
MC		 91 int key_set; /* Set if key initialised */
92 int iv_set; /* Set if an iv is set */
93 OCB128_CONTEXT ocb;
94 unsigned char *iv; /* Temporary IV store */
95 unsigned char tag[16];
96 unsigned char data_buf[16]; /* Store partial data blocks */
97 unsigned char aad_buf[16]; /* Store partial AAD blocks */
98 int data_buf_len;
99 int aad_buf_len;
100 int ivlen; /* IV length */
101 int taglen;
102} EVP_AES_OCB_CTX;
5158c763 103#endif
e6b336ef 104
5158c763 105#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
17f121de 106
5158c763 107#ifdef VPAES_ASM
8ca28da0 108int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
0f113f3e 109 AES_KEY *key);
8ca28da0 110int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
0f113f3e 111 AES_KEY *key);
8ca28da0
AP		 112
113void vpaes_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 114 const AES_KEY *key);
8ca28da0 115void vpaes_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 116 const AES_KEY *key);
8ca28da0
AP		 117
118void vpaes_cbc_encrypt(const unsigned char *in,
0f113f3e
MC		 119 unsigned char *out,
120 size_t length,
121 const AES_KEY *key, unsigned char *ivec, int enc);
5158c763
MC		 122#endif
123#ifdef BSAES_ASM
a75a52a4 124void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 125 size_t length, const AES_KEY *key,
126 unsigned char ivec[16], int enc);
993adc05 127void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 128 size_t len, const AES_KEY *key,
129 const unsigned char ivec[16]);
60d4e99c 130void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
0f113f3e
MC		 131 size_t len, const AES_KEY *key1,
132 const AES_KEY *key2, const unsigned char iv[16]);
60d4e99c 133void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
0f113f3e
MC		 134 size_t len, const AES_KEY *key1,
135 const AES_KEY *key2, const unsigned char iv[16]);
5158c763
MC		 136#endif
137#ifdef AES_CTR_ASM
07904e0c 138void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 139 size_t blocks, const AES_KEY *key,
140 const unsigned char ivec[AES_BLOCK_SIZE]);
5158c763
MC		 141#endif
142#ifdef AES_XTS_ASM
96cce820 143void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
0f113f3e
MC		 144 const AES_KEY *key1, const AES_KEY *key2,
145 const unsigned char iv[16]);
96cce820 146void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
0f113f3e
MC		 147 const AES_KEY *key1, const AES_KEY *key2,
148 const unsigned char iv[16]);
5158c763 149#endif
8ca28da0 150
03a5e5ae
PS		 151/* increment counter (64-bit int) by 1 */
152static void ctr64_inc(unsigned char *counter)
153{
154 int n = 8;
155 unsigned char c;
156
157 do {
158 --n;
159 c = counter[n];
160 ++c;
161 counter[n] = c;
162 if (c)
163 return;
164 } while (n);
165}
166
6944565b 167#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
5158c763
MC		 168# include "ppc_arch.h"
169# ifdef VPAES_ASM
170# define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
de51e830 171# endif
5158c763
MC		 172# define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
173# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
174# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
175# define HWAES_encrypt aes_p8_encrypt
176# define HWAES_decrypt aes_p8_decrypt
177# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
178# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
46f047d7
AP		 179# define HWAES_xts_encrypt aes_p8_xts_encrypt
180# define HWAES_xts_decrypt aes_p8_xts_decrypt
5158c763 181#endif
07f3e4f3 182
5158c763 183#if defined(AES_ASM) && !defined(I386_ONLY) && ( \
0f113f3e
MC		 184 ((defined(__i386) || defined(__i386__) || \
185 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
186 defined(__x86_64) || defined(__x86_64__) || \
b1a07c38 187 defined(_M_AMD64) || defined(_M_X64) )
8ca28da0 188
c5f6da54 189extern unsigned int OPENSSL_ia32cap_P[];
8ca28da0 190
5158c763
MC		 191# ifdef VPAES_ASM
192# define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
193# endif
194# ifdef BSAES_ASM
195# define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
196# endif
17f121de
AP		 197/*
198 * AES-NI section
199 */
5158c763 200# define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
d1fff483
AP		 201
202int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
0f113f3e 203 AES_KEY *key);
d1fff483 204int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
0f113f3e 205 AES_KEY *key);
d1fff483
AP		 206
207void aesni_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 208 const AES_KEY *key);
d1fff483 209void aesni_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 210 const AES_KEY *key);
d1fff483
AP		 211
212void aesni_ecb_encrypt(const unsigned char *in,
0f113f3e
MC		 213 unsigned char *out,
214 size_t length, const AES_KEY *key, int enc);
d1fff483 215void aesni_cbc_encrypt(const unsigned char *in,
0f113f3e
MC		 216 unsigned char *out,
217 size_t length,
218 const AES_KEY *key, unsigned char *ivec, int enc);
d1fff483
AP		 219
220void aesni_ctr32_encrypt_blocks(const unsigned char *in,
0f113f3e
MC		 221 unsigned char *out,
222 size_t blocks,
223 const void *key, const unsigned char *ivec);
17f121de
AP		 224
225void aesni_xts_encrypt(const unsigned char *in,
0f113f3e
MC		 226 unsigned char *out,
227 size_t length,
228 const AES_KEY *key1, const AES_KEY *key2,
229 const unsigned char iv[16]);
17f121de
AP		 230
231void aesni_xts_decrypt(const unsigned char *in,
0f113f3e
MC		 232 unsigned char *out,
233 size_t length,
234 const AES_KEY *key1, const AES_KEY *key2,
235 const unsigned char iv[16]);
236
237void aesni_ccm64_encrypt_blocks(const unsigned char *in,
238 unsigned char *out,
239 size_t blocks,
240 const void *key,
241 const unsigned char ivec[16],
242 unsigned char cmac[16]);
243
244void aesni_ccm64_decrypt_blocks(const unsigned char *in,
245 unsigned char *out,
246 size_t blocks,
247 const void *key,
248 const unsigned char ivec[16],
249 unsigned char cmac[16]);
250
5158c763 251# if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
4e049c52 252size_t aesni_gcm_encrypt(const unsigned char *in,
0f113f3e
MC		 253 unsigned char *out,
254 size_t len,
255 const void *key, unsigned char ivec[16], u64 *Xi);
5158c763 256# define AES_gcm_encrypt aesni_gcm_encrypt
4e049c52 257size_t aesni_gcm_decrypt(const unsigned char *in,
0f113f3e
MC		 258 unsigned char *out,
259 size_t len,
260 const void *key, unsigned char ivec[16], u64 *Xi);
5158c763 261# define AES_gcm_decrypt aesni_gcm_decrypt
0f113f3e
MC		 262void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in,
263 size_t len);
5158c763 264# define AES_GCM_ASM(gctx) (gctx->ctr==aesni_ctr32_encrypt_blocks && \
0f113f3e 265 gctx->gcm.ghash==gcm_ghash_avx)
5158c763 266# define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
0f113f3e 267 gctx->gcm.ghash==gcm_ghash_avx)
5158c763
MC		 268# undef AES_GCM_ASM2 /* minor size optimization */
269# endif
4e049c52 270
17f121de 271static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 272 const unsigned char *iv, int enc)
273{
274 int ret, mode;
6435f0f6 275 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 276
6435f0f6 277 mode = EVP_CIPHER_CTX_mode(ctx);
0f113f3e
MC		 278 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
279 && !enc) {
6435f0f6
RL		 280 ret = aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
281 &dat->ks.ks);
0f113f3e
MC		 282 dat->block = (block128_f) aesni_decrypt;
283 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
284 (cbc128_f) aesni_cbc_encrypt : NULL;
285 } else {
6435f0f6
RL		 286 ret = aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
287 &dat->ks.ks);
0f113f3e
MC		 288 dat->block = (block128_f) aesni_encrypt;
289 if (mode == EVP_CIPH_CBC_MODE)
290 dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
291 else if (mode == EVP_CIPH_CTR_MODE)
292 dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
293 else
294 dat->stream.cbc = NULL;
295 }
296
297 if (ret < 0) {
298 EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
299 return 0;
300 }
301
302 return 1;
303}
304
305static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
306 const unsigned char *in, size_t len)
d1fff483 307{
6435f0f6
RL		 308 aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
309 EVP_CIPHER_CTX_iv_noconst(ctx),
310 EVP_CIPHER_CTX_encrypting(ctx));
d1fff483 311
0f113f3e 312 return 1;
d1fff483
AP		 313}
314
0f113f3e
MC		 315static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
316 const unsigned char *in, size_t len)
d1fff483 317{
6435f0f6 318 size_t bl = EVP_CIPHER_CTX_block_size(ctx);
d1fff483 319
0f113f3e
MC		 320 if (len < bl)
321 return 1;
d1fff483 322
6435f0f6
RL		 323 aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
324 EVP_CIPHER_CTX_encrypting(ctx));
d1fff483 325
0f113f3e 326 return 1;
d1fff483
AP		 327}
328
5158c763 329# define aesni_ofb_cipher aes_ofb_cipher
0f113f3e
MC		 330static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
331 const unsigned char *in, size_t len);
d1fff483 332
5158c763 333# define aesni_cfb_cipher aes_cfb_cipher
0f113f3e
MC		 334static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
335 const unsigned char *in, size_t len);
d1fff483 336
5158c763 337# define aesni_cfb8_cipher aes_cfb8_cipher
0f113f3e
MC		 338static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
339 const unsigned char *in, size_t len);
d1fff483 340
5158c763 341# define aesni_cfb1_cipher aes_cfb1_cipher
0f113f3e
MC		 342static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
343 const unsigned char *in, size_t len);
d1fff483 344
5158c763 345# define aesni_ctr_cipher aes_ctr_cipher
17f121de 346static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 347 const unsigned char *in, size_t len);
d1fff483 348
17f121de 349static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 350 const unsigned char *iv, int enc)
351{
6435f0f6 352 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 353 if (!iv && !key)
354 return 1;
355 if (key) {
6435f0f6
RL		 356 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
357 &gctx->ks.ks);
0f113f3e
MC		 358 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
359 gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
360 /*
361 * If we have an iv can set it directly, otherwise use saved IV.
362 */
363 if (iv == NULL && gctx->iv_set)
364 iv = gctx->iv;
365 if (iv) {
366 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
367 gctx->iv_set = 1;
368 }
369 gctx->key_set = 1;
370 } else {
371 /* If key set use IV, otherwise copy */
372 if (gctx->key_set)
373 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
374 else
375 memcpy(gctx->iv, iv, gctx->ivlen);
376 gctx->iv_set = 1;
377 gctx->iv_gen = 0;
378 }
379 return 1;
380}
381
5158c763 382# define aesni_gcm_cipher aes_gcm_cipher
17f121de 383static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 384 const unsigned char *in, size_t len);
17f121de
AP		 385
386static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 387 const unsigned char *iv, int enc)
388{
6435f0f6 389 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 390 if (!iv && !key)
391 return 1;
392
393 if (key) {
3538b0f7
P		 394 /* The key is two half length keys in reality */
395 const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
396 const int bits = bytes * 8;
397
398 /*
399 * Verify that the two keys are different.
400 *
401 * This addresses Rogaway's vulnerability.
402 * See comment in aes_xts_init_key() below.
403 */
404 if (memcmp(key, key + bytes, bytes) == 0) {
405 EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
406 return 0;
407 }
408
0f113f3e
MC		 409 /* key_len is two AES keys */
410 if (enc) {
3538b0f7 411 aesni_set_encrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 412 xctx->xts.block1 = (block128_f) aesni_encrypt;
413 xctx->stream = aesni_xts_encrypt;
414 } else {
3538b0f7 415 aesni_set_decrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 416 xctx->xts.block1 = (block128_f) aesni_decrypt;
417 xctx->stream = aesni_xts_decrypt;
418 }
419
3538b0f7 420 aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
0f113f3e
MC		 421 xctx->xts.block2 = (block128_f) aesni_encrypt;
422
423 xctx->xts.key1 = &xctx->ks1;
424 }
425
426 if (iv) {
427 xctx->xts.key2 = &xctx->ks2;
6435f0f6 428 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 429 }
430
431 return 1;
432}
433
5158c763 434# define aesni_xts_cipher aes_xts_cipher
17f121de 435static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 436 const unsigned char *in, size_t len);
17f121de
AP		 437
438static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 439 const unsigned char *iv, int enc)
440{
6435f0f6 441 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 442 if (!iv && !key)
443 return 1;
444 if (key) {
6435f0f6
RL		 445 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
446 &cctx->ks.ks);
0f113f3e
MC		 447 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
448 &cctx->ks, (block128_f) aesni_encrypt);
449 cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
450 (ccm128_f) aesni_ccm64_decrypt_blocks;
451 cctx->key_set = 1;
452 }
453 if (iv) {
6435f0f6 454 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 455 cctx->iv_set = 1;
456 }
457 return 1;
458}
459
5158c763 460# define aesni_ccm_cipher aes_ccm_cipher
17f121de 461static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 462 const unsigned char *in, size_t len);
17f121de 463
5158c763 464# ifndef OPENSSL_NO_OCB
bd30091c
AP		 465void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out,
466 size_t blocks, const void *key,
467 size_t start_block_num,
468 unsigned char offset_i[16],
469 const unsigned char L_[][16],
470 unsigned char checksum[16]);
471void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out,
472 size_t blocks, const void *key,
473 size_t start_block_num,
474 unsigned char offset_i[16],
475 const unsigned char L_[][16],
476 unsigned char checksum[16]);
477
e6b336ef 478static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 479 const unsigned char *iv, int enc)
480{
6435f0f6 481 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 482 if (!iv && !key)
483 return 1;
484 if (key) {
485 do {
486 /*
487 * We set both the encrypt and decrypt key here because decrypt
488 * needs both. We could possibly optimise to remove setting the
489 * decrypt for an encryption operation.
490 */
6435f0f6
RL		 491 aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
492 &octx->ksenc.ks);
493 aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
494 &octx->ksdec.ks);
bdc985b1
AP		 495 if (!CRYPTO_ocb128_init(&octx->ocb,
496 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 497 (block128_f) aesni_encrypt,
bd30091c
AP		 498 (block128_f) aesni_decrypt,
499 enc ? aesni_ocb_encrypt
500 : aesni_ocb_decrypt))
0f113f3e
MC		 501 return 0;
502 }
503 while (0);
504
505 /*
506 * If we have an iv we can set it directly, otherwise use saved IV.
507 */
508 if (iv == NULL && octx->iv_set)
509 iv = octx->iv;
510 if (iv) {
511 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
512 != 1)
513 return 0;
514 octx->iv_set = 1;
515 }
516 octx->key_set = 1;
517 } else {
518 /* If key set use IV, otherwise copy */
519 if (octx->key_set)
520 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
521 else
522 memcpy(octx->iv, iv, octx->ivlen);
523 octx->iv_set = 1;
524 }
525 return 1;
526}
527
5158c763 528# define aesni_ocb_cipher aes_ocb_cipher
e6b336ef 529static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 530 const unsigned char *in, size_t len);
5158c763 531# endif /* OPENSSL_NO_OCB */
e6b336ef 532
5158c763 533# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
17f121de 534static const EVP_CIPHER aesni_##keylen##_##mode = { \
0f113f3e
MC		 535 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
536 flags|EVP_CIPH_##MODE##_MODE, \
537 aesni_init_key, \
538 aesni_##mode##_cipher, \
539 NULL, \
540 sizeof(EVP_AES_KEY), \
541 NULL,NULL,NULL,NULL }; \
17f121de 542static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 543 nid##_##keylen##_##nmode,blocksize, \
544 keylen/8,ivlen, \
545 flags|EVP_CIPH_##MODE##_MODE, \
546 aes_init_key, \
547 aes_##mode##_cipher, \
548 NULL, \
549 sizeof(EVP_AES_KEY), \
550 NULL,NULL,NULL,NULL }; \
17f121de 551const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
8ca28da0 552{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
17f121de 553
5158c763 554# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
17f121de 555static const EVP_CIPHER aesni_##keylen##_##mode = { \
0f113f3e 556 nid##_##keylen##_##mode,blocksize, \
b1ceb439
TS		 557 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
558 ivlen, \
0f113f3e
MC		 559 flags|EVP_CIPH_##MODE##_MODE, \
560 aesni_##mode##_init_key, \
561 aesni_##mode##_cipher, \
562 aes_##mode##_cleanup, \
563 sizeof(EVP_AES_##MODE##_CTX), \
564 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de 565static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e 566 nid##_##keylen##_##mode,blocksize, \
b1ceb439
TS		 567 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
568 ivlen, \
0f113f3e
MC		 569 flags|EVP_CIPH_##MODE##_MODE, \
570 aes_##mode##_init_key, \
571 aes_##mode##_cipher, \
572 aes_##mode##_cleanup, \
573 sizeof(EVP_AES_##MODE##_CTX), \
574 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de 575const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
8ca28da0 576{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
d1fff483 577
5158c763 578#elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
c5f6da54 579
5158c763 580# include "sparc_arch.h"
c5f6da54
AP		 581
582extern unsigned int OPENSSL_sparcv9cap_P[];
583
6944565b
AP		 584/*
585 * Initial Fujitsu SPARC64 X support
586 */
587# define HWAES_CAPABLE (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
588# define HWAES_set_encrypt_key aes_fx_set_encrypt_key
589# define HWAES_set_decrypt_key aes_fx_set_decrypt_key
590# define HWAES_encrypt aes_fx_encrypt
591# define HWAES_decrypt aes_fx_decrypt
365f95ad
AP		 592# define HWAES_cbc_encrypt aes_fx_cbc_encrypt
593# define HWAES_ctr32_encrypt_blocks aes_fx_ctr32_encrypt_blocks
6944565b 594
5158c763 595# define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES)
c5f6da54 596
0f113f3e
MC		 597void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
598void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
599void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
600 const AES_KEY *key);
601void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
602 const AES_KEY *key);
c5f6da54
AP		 603/*
604 * Key-length specific subroutines were chosen for following reason.
605 * Each SPARC T4 core can execute up to 8 threads which share core's
606 * resources. Loading as much key material to registers allows to
607 * minimize references to shared memory interface, as well as amount
608 * of instructions in inner loops [much needed on T4]. But then having
609 * non-key-length specific routines would require conditional branches
610 * either in inner loops or on subroutines' entries. Former is hardly
611 * acceptable, while latter means code size increase to size occupied
0d4fb843 612 * by multiple key-length specific subroutines, so why fight?
c5f6da54 613 */
0f113f3e
MC		 614void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
615 size_t len, const AES_KEY *key,
616 unsigned char *ivec);
617void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
618 size_t len, const AES_KEY *key,
619 unsigned char *ivec);
620void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
621 size_t len, const AES_KEY *key,
622 unsigned char *ivec);
623void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
624 size_t len, const AES_KEY *key,
625 unsigned char *ivec);
626void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
627 size_t len, const AES_KEY *key,
628 unsigned char *ivec);
629void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
630 size_t len, const AES_KEY *key,
631 unsigned char *ivec);
632void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
633 size_t blocks, const AES_KEY *key,
634 unsigned char *ivec);
635void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
636 size_t blocks, const AES_KEY *key,
637 unsigned char *ivec);
638void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
639 size_t blocks, const AES_KEY *key,
640 unsigned char *ivec);
641void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
642 size_t blocks, const AES_KEY *key1,
643 const AES_KEY *key2, const unsigned char *ivec);
644void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
645 size_t blocks, const AES_KEY *key1,
646 const AES_KEY *key2, const unsigned char *ivec);
647void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
648 size_t blocks, const AES_KEY *key1,
649 const AES_KEY *key2, const unsigned char *ivec);
650void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
651 size_t blocks, const AES_KEY *key1,
652 const AES_KEY *key2, const unsigned char *ivec);
c5f6da54
AP		 653
654static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 655 const unsigned char *iv, int enc)
656{
657 int ret, mode, bits;
6435f0f6 658 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 659
6435f0f6
RL		 660 mode = EVP_CIPHER_CTX_mode(ctx);
661 bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 662 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
663 && !enc) {
664 ret = 0;
6435f0f6 665 aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
0f113f3e
MC		 666 dat->block = (block128_f) aes_t4_decrypt;
667 switch (bits) {
668 case 128:
669 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
670 (cbc128_f) aes128_t4_cbc_decrypt : NULL;
671 break;
672 case 192:
673 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
674 (cbc128_f) aes192_t4_cbc_decrypt : NULL;
675 break;
676 case 256:
677 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
678 (cbc128_f) aes256_t4_cbc_decrypt : NULL;
679 break;
680 default:
681 ret = -1;
682 }
683 } else {
684 ret = 0;
6435f0f6 685 aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
0f113f3e
MC		 686 dat->block = (block128_f) aes_t4_encrypt;
687 switch (bits) {
688 case 128:
689 if (mode == EVP_CIPH_CBC_MODE)
690 dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
691 else if (mode == EVP_CIPH_CTR_MODE)
692 dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
693 else
694 dat->stream.cbc = NULL;
695 break;
696 case 192:
697 if (mode == EVP_CIPH_CBC_MODE)
698 dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
699 else if (mode == EVP_CIPH_CTR_MODE)
700 dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
701 else
702 dat->stream.cbc = NULL;
703 break;
704 case 256:
705 if (mode == EVP_CIPH_CBC_MODE)
706 dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
707 else if (mode == EVP_CIPH_CTR_MODE)
708 dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
709 else
710 dat->stream.cbc = NULL;
711 break;
712 default:
713 ret = -1;
714 }
715 }
716
717 if (ret < 0) {
718 EVPerr(EVP_F_AES_T4_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
719 return 0;
720 }
721
722 return 1;
723}
724
5158c763 725# define aes_t4_cbc_cipher aes_cbc_cipher
0f113f3e
MC		 726static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
727 const unsigned char *in, size_t len);
728
5158c763 729# define aes_t4_ecb_cipher aes_ecb_cipher
0f113f3e
MC		 730static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
731 const unsigned char *in, size_t len);
732
5158c763 733# define aes_t4_ofb_cipher aes_ofb_cipher
0f113f3e
MC		 734static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
735 const unsigned char *in, size_t len);
736
5158c763 737# define aes_t4_cfb_cipher aes_cfb_cipher
0f113f3e
MC		 738static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
739 const unsigned char *in, size_t len);
740
5158c763 741# define aes_t4_cfb8_cipher aes_cfb8_cipher
0f113f3e
MC		 742static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
743 const unsigned char *in, size_t len);
744
5158c763 745# define aes_t4_cfb1_cipher aes_cfb1_cipher
0f113f3e
MC		 746static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
747 const unsigned char *in, size_t len);
748
5158c763 749# define aes_t4_ctr_cipher aes_ctr_cipher
c5f6da54 750static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 751 const unsigned char *in, size_t len);
c5f6da54
AP		 752
753static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 754 const unsigned char *iv, int enc)
755{
6435f0f6 756 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 757 if (!iv && !key)
758 return 1;
759 if (key) {
6435f0f6 760 int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 761 aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
762 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
763 (block128_f) aes_t4_encrypt);
764 switch (bits) {
765 case 128:
766 gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
767 break;
768 case 192:
769 gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
770 break;
771 case 256:
772 gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
773 break;
774 default:
775 return 0;
776 }
777 /*
778 * If we have an iv can set it directly, otherwise use saved IV.
779 */
780 if (iv == NULL && gctx->iv_set)
781 iv = gctx->iv;
782 if (iv) {
783 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
784 gctx->iv_set = 1;
785 }
786 gctx->key_set = 1;
787 } else {
788 /* If key set use IV, otherwise copy */
789 if (gctx->key_set)
790 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
791 else
792 memcpy(gctx->iv, iv, gctx->ivlen);
793 gctx->iv_set = 1;
794 gctx->iv_gen = 0;
795 }
796 return 1;
797}
798
5158c763 799# define aes_t4_gcm_cipher aes_gcm_cipher
c5f6da54 800static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 801 const unsigned char *in, size_t len);
c5f6da54
AP		 802
803static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 804 const unsigned char *iv, int enc)
805{
6435f0f6 806 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 807 if (!iv && !key)
808 return 1;
809
810 if (key) {
3538b0f7
P		 811 /* The key is two half length keys in reality */
812 const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
813 const int bits = bytes * 8;
814
815 /*
816 * Verify that the two keys are different.
817 *
818 * This addresses Rogaway's vulnerability.
819 * See comment in aes_xts_init_key() below.
820 */
821 if (memcmp(key, key + bytes, bytes) == 0) {
822 EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
823 return 0;
824 }
825
0f113f3e
MC		 826 xctx->stream = NULL;
827 /* key_len is two AES keys */
828 if (enc) {
829 aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
830 xctx->xts.block1 = (block128_f) aes_t4_encrypt;
831 switch (bits) {
832 case 128:
833 xctx->stream = aes128_t4_xts_encrypt;
834 break;
0f113f3e
MC		 835 case 256:
836 xctx->stream = aes256_t4_xts_encrypt;
837 break;
838 default:
839 return 0;
840 }
841 } else {
3538b0f7 842 aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 843 xctx->xts.block1 = (block128_f) aes_t4_decrypt;
844 switch (bits) {
845 case 128:
846 xctx->stream = aes128_t4_xts_decrypt;
847 break;
0f113f3e
MC		 848 case 256:
849 xctx->stream = aes256_t4_xts_decrypt;
850 break;
851 default:
852 return 0;
853 }
854 }
855
3538b0f7 856 aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
0f113f3e
MC		 857 xctx->xts.block2 = (block128_f) aes_t4_encrypt;
858
859 xctx->xts.key1 = &xctx->ks1;
860 }
861
862 if (iv) {
863 xctx->xts.key2 = &xctx->ks2;
6435f0f6 864 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 865 }
866
867 return 1;
868}
869
5158c763 870# define aes_t4_xts_cipher aes_xts_cipher
c5f6da54 871static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 872 const unsigned char *in, size_t len);
c5f6da54
AP		 873
874static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 875 const unsigned char *iv, int enc)
876{
6435f0f6 877 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 878 if (!iv && !key)
879 return 1;
880 if (key) {
6435f0f6 881 int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
0f113f3e
MC		 882 aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
883 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
884 &cctx->ks, (block128_f) aes_t4_encrypt);
bdc985b1 885 cctx->str = NULL;
0f113f3e
MC		 886 cctx->key_set = 1;
887 }
888 if (iv) {
6435f0f6 889 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 890 cctx->iv_set = 1;
891 }
892 return 1;
893}
894
5158c763 895# define aes_t4_ccm_cipher aes_ccm_cipher
c5f6da54 896static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 897 const unsigned char *in, size_t len);
c5f6da54 898
5158c763 899# ifndef OPENSSL_NO_OCB
e6b336ef 900static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 901 const unsigned char *iv, int enc)
902{
6435f0f6 903 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 904 if (!iv && !key)
905 return 1;
906 if (key) {
907 do {
908 /*
909 * We set both the encrypt and decrypt key here because decrypt
910 * needs both. We could possibly optimise to remove setting the
911 * decrypt for an encryption operation.
912 */
6435f0f6
RL		 913 aes_t4_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
914 &octx->ksenc.ks);
915 aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
916 &octx->ksdec.ks);
bdc985b1
AP		 917 if (!CRYPTO_ocb128_init(&octx->ocb,
918 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 919 (block128_f) aes_t4_encrypt,
02dc0b82
AP		 920 (block128_f) aes_t4_decrypt,
921 NULL))
0f113f3e
MC		 922 return 0;
923 }
924 while (0);
925
926 /*
927 * If we have an iv we can set it directly, otherwise use saved IV.
928 */
929 if (iv == NULL && octx->iv_set)
930 iv = octx->iv;
931 if (iv) {
932 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
933 != 1)
934 return 0;
935 octx->iv_set = 1;
936 }
937 octx->key_set = 1;
938 } else {
939 /* If key set use IV, otherwise copy */
940 if (octx->key_set)
941 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
942 else
943 memcpy(octx->iv, iv, octx->ivlen);
944 octx->iv_set = 1;
945 }
946 return 1;
947}
948
5158c763 949# define aes_t4_ocb_cipher aes_ocb_cipher
e6b336ef 950static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e 951 const unsigned char *in, size_t len);
5158c763 952# endif /* OPENSSL_NO_OCB */
e6b336ef 953
87d06aed
MC		 954# ifndef OPENSSL_NO_SIV
955# define aes_t4_siv_init_key aes_siv_init_key
956# define aes_t4_siv_cipher aes_siv_cipher
957# endif /* OPENSSL_NO_SIV */
958
5158c763 959# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
c5f6da54 960static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
0f113f3e
MC		 961 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
962 flags|EVP_CIPH_##MODE##_MODE, \
963 aes_t4_init_key, \
964 aes_t4_##mode##_cipher, \
965 NULL, \
966 sizeof(EVP_AES_KEY), \
967 NULL,NULL,NULL,NULL }; \
c5f6da54 968static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 969 nid##_##keylen##_##nmode,blocksize, \
970 keylen/8,ivlen, \
971 flags|EVP_CIPH_##MODE##_MODE, \
972 aes_init_key, \
973 aes_##mode##_cipher, \
974 NULL, \
975 sizeof(EVP_AES_KEY), \
976 NULL,NULL,NULL,NULL }; \
c5f6da54
AP		 977const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
978{ return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
979
5158c763 980# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
c5f6da54 981static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
0f113f3e 982 nid##_##keylen##_##mode,blocksize, \
b1ceb439
TS		 983 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
984 ivlen, \
0f113f3e
MC		 985 flags|EVP_CIPH_##MODE##_MODE, \
986 aes_t4_##mode##_init_key, \
987 aes_t4_##mode##_cipher, \
988 aes_##mode##_cleanup, \
989 sizeof(EVP_AES_##MODE##_CTX), \
990 NULL,NULL,aes_##mode##_ctrl,NULL }; \
c5f6da54 991static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e 992 nid##_##keylen##_##mode,blocksize, \
b1ceb439
TS		 993 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
994 ivlen, \
0f113f3e
MC		 995 flags|EVP_CIPH_##MODE##_MODE, \
996 aes_##mode##_init_key, \
997 aes_##mode##_cipher, \
998 aes_##mode##_cleanup, \
999 sizeof(EVP_AES_##MODE##_CTX), \
1000 NULL,NULL,aes_##mode##_ctrl,NULL }; \
c5f6da54
AP		 1001const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
1002{ return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
1003
96530eea
PS		 1004#elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
1005/*
1006 * IBM S390X support
1007 */
1008# include "s390x_arch.h"
1009
55bd169f
PS		 1010typedef struct {
1011 union {
39147079 1012 OSSL_UNION_ALIGN;
55bd169f
PS		 1013 /*-
1014 * KM-AES parameter block - begin
1015 * (see z/Architecture Principles of Operation >= SA22-7832-06)
1016 */
1017 struct {
1018 unsigned char k[32];
1019 } param;
1020 /* KM-AES parameter block - end */
1021 } km;
1022 unsigned int fc;
1023} S390X_AES_ECB_CTX;
1024
dacd2a87
PS		 1025typedef struct {
1026 union {
39147079 1027 OSSL_UNION_ALIGN;
dacd2a87
PS		 1028 /*-
1029 * KMO-AES parameter block - begin
1030 * (see z/Architecture Principles of Operation >= SA22-7832-08)
1031 */
1032 struct {
1033 unsigned char cv[16];
1034 unsigned char k[32];
1035 } param;
1036 /* KMO-AES parameter block - end */
1037 } kmo;
1038 unsigned int fc;
1039
1040 int res;
1041} S390X_AES_OFB_CTX;
1042
74d38a86
PS		 1043typedef struct {
1044 union {
39147079 1045 OSSL_UNION_ALIGN;
74d38a86
PS		 1046 /*-
1047 * KMF-AES parameter block - begin
1048 * (see z/Architecture Principles of Operation >= SA22-7832-08)
1049 */
1050 struct {
1051 unsigned char cv[16];
1052 unsigned char k[32];
1053 } param;
1054 /* KMF-AES parameter block - end */
1055 } kmf;
1056 unsigned int fc;
1057
1058 int res;
1059} S390X_AES_CFB_CTX;
1060
96530eea
PS		 1061typedef struct {
1062 union {
39147079 1063 OSSL_UNION_ALIGN;
96530eea 1064 /*-
5d2a6f4b
PS		 1065 * KMA-GCM-AES parameter block - begin
1066 * (see z/Architecture Principles of Operation >= SA22-7832-11)
96530eea
PS		 1067 */
1068 struct {
1069 unsigned char reserved[12];
1070 union {
1071 unsigned int w;
1072 unsigned char b[4];
1073 } cv;
1074 union {
1075 unsigned long long g[2];
1076 unsigned char b[16];
1077 } t;
1078 unsigned char h[16];
1079 unsigned long long taadl;
1080 unsigned long long tpcl;
1081 union {
1082 unsigned long long g[2];
1083 unsigned int w[4];
1084 } j0;
1085 unsigned char k[32];
1086 } param;
5d2a6f4b 1087 /* KMA-GCM-AES parameter block - end */
96530eea
PS		 1088 } kma;
1089 unsigned int fc;
1090 int key_set;
1091
1092 unsigned char *iv;
1093 int ivlen;
1094 int iv_set;
1095 int iv_gen;
1096
1097 int taglen;
1098
1099 unsigned char ares[16];
1100 unsigned char mres[16];
1101 unsigned char kres[16];
1102 int areslen;
1103 int mreslen;
1104 int kreslen;
1105
1106 int tls_aad_len;
d6b34570 1107 uint64_t tls_enc_records; /* Number of TLS records encrypted */
96530eea
PS		 1108} S390X_AES_GCM_CTX;
1109
39f5b069
PS		 1110typedef struct {
1111 union {
39147079 1112 OSSL_UNION_ALIGN;
39f5b069
PS		 1113 /*-
1114 * Padding is chosen so that ccm.kmac_param.k overlaps with key.k and
1115 * ccm.fc with key.k.rounds. Remember that on s390x, an AES_KEY's
1116 * rounds field is used to store the function code and that the key
1117 * schedule is not stored (if aes hardware support is detected).
1118 */
1119 struct {
1120 unsigned char pad[16];
1121 AES_KEY k;
1122 } key;
1123
1124 struct {
1125 /*-
1126 * KMAC-AES parameter block - begin
1127 * (see z/Architecture Principles of Operation >= SA22-7832-08)
1128 */
1129 struct {
1130 union {
1131 unsigned long long g[2];
1132 unsigned char b[16];
1133 } icv;
1134 unsigned char k[32];
1135 } kmac_param;
1136 /* KMAC-AES paramater block - end */
1137
1138 union {
1139 unsigned long long g[2];
1140 unsigned char b[16];
1141 } nonce;
1142 union {
1143 unsigned long long g[2];
1144 unsigned char b[16];
1145 } buf;
1146
1147 unsigned long long blocks;
1148 int l;
1149 int m;
1150 int tls_aad_len;
1151 int iv_set;
1152 int tag_set;
1153 int len_set;
1154 int key_set;
1155
1156 unsigned char pad[140];
1157 unsigned int fc;
1158 } ccm;
1159 } aes;
1160} S390X_AES_CCM_CTX;
1161
55bd169f
PS		 1162/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
1163# define S390X_AES_FC(keylen) (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
1164
1165/* Most modes of operation need km for partial block processing. */
1166# define S390X_aes_128_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
1167 S390X_CAPBIT(S390X_AES_128))
1168# define S390X_aes_192_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
1169 S390X_CAPBIT(S390X_AES_192))
1170# define S390X_aes_256_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
1171 S390X_CAPBIT(S390X_AES_256))
96530eea
PS		 1172
1173# define s390x_aes_init_key aes_init_key
1174static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1175 const unsigned char *iv, int enc);
1176
1177# define S390X_aes_128_cbc_CAPABLE 1 /* checked by callee */
1178# define S390X_aes_192_cbc_CAPABLE 1
1179# define S390X_aes_256_cbc_CAPABLE 1
55bd169f
PS		 1180# define S390X_AES_CBC_CTX EVP_AES_KEY
1181
1182# define s390x_aes_cbc_init_key aes_init_key
96530eea
PS		 1183
1184# define s390x_aes_cbc_cipher aes_cbc_cipher
1185static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1186 const unsigned char *in, size_t len);
1187
55bd169f
PS		 1188# define S390X_aes_128_ecb_CAPABLE S390X_aes_128_CAPABLE
1189# define S390X_aes_192_ecb_CAPABLE S390X_aes_192_CAPABLE
1190# define S390X_aes_256_ecb_CAPABLE S390X_aes_256_CAPABLE
1191
1192static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx,
1193 const unsigned char *key,
1194 const unsigned char *iv, int enc)
1195{
1196 S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
1197 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1198
1199 cctx->fc = S390X_AES_FC(keylen);
1200 if (!enc)
1201 cctx->fc |= S390X_DECRYPT;
1202
1203 memcpy(cctx->km.param.k, key, keylen);
1204 return 1;
1205}
96530eea 1206
96530eea 1207static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
55bd169f
PS		 1208 const unsigned char *in, size_t len)
1209{
1210 S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
1211
1212 s390x_km(in, len, out, cctx->fc, &cctx->km.param);
1213 return 1;
1214}
96530eea 1215
dacd2a87
PS		 1216# define S390X_aes_128_ofb_CAPABLE (S390X_aes_128_CAPABLE && \
1217 (OPENSSL_s390xcap_P.kmo[0] & \
1218 S390X_CAPBIT(S390X_AES_128)))
1219# define S390X_aes_192_ofb_CAPABLE (S390X_aes_192_CAPABLE && \
1220 (OPENSSL_s390xcap_P.kmo[0] & \
1221 S390X_CAPBIT(S390X_AES_192)))
1222# define S390X_aes_256_ofb_CAPABLE (S390X_aes_256_CAPABLE && \
1223 (OPENSSL_s390xcap_P.kmo[0] & \
1224 S390X_CAPBIT(S390X_AES_256)))
1225
1226static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx,
1227 const unsigned char *key,
1228 const unsigned char *ivec, int enc)
1229{
1230 S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
1231 const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
1232 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1233 const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
55bd169f 1234
dacd2a87
PS		 1235 memcpy(cctx->kmo.param.cv, iv, ivlen);
1236 memcpy(cctx->kmo.param.k, key, keylen);
1237 cctx->fc = S390X_AES_FC(keylen);
1238 cctx->res = 0;
1239 return 1;
1240}
96530eea 1241
96530eea 1242static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
dacd2a87
PS		 1243 const unsigned char *in, size_t len)
1244{
1245 S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
1246 int n = cctx->res;
1247 int rem;
1248
1249 while (n && len) {
1250 *out = *in ^ cctx->kmo.param.cv[n];
1251 n = (n + 1) & 0xf;
1252 --len;
1253 ++in;
1254 ++out;
1255 }
1256
1257 rem = len & 0xf;
1258
1259 len &= ~(size_t)0xf;
1260 if (len) {
1261 s390x_kmo(in, len, out, cctx->fc, &cctx->kmo.param);
1262
1263 out += len;
1264 in += len;
1265 }
1266
1267 if (rem) {
1268 s390x_km(cctx->kmo.param.cv, 16, cctx->kmo.param.cv, cctx->fc,
1269 cctx->kmo.param.k);
1270
1271 while (rem--) {
1272 out[n] = in[n] ^ cctx->kmo.param.cv[n];
1273 ++n;
1274 }
1275 }
1276
1277 cctx->res = n;
1278 return 1;
1279}
96530eea 1280
74d38a86
PS		 1281# define S390X_aes_128_cfb_CAPABLE (S390X_aes_128_CAPABLE && \
1282 (OPENSSL_s390xcap_P.kmf[0] & \
1283 S390X_CAPBIT(S390X_AES_128)))
1284# define S390X_aes_192_cfb_CAPABLE (S390X_aes_192_CAPABLE && \
1285 (OPENSSL_s390xcap_P.kmf[0] & \
1286 S390X_CAPBIT(S390X_AES_192)))
1287# define S390X_aes_256_cfb_CAPABLE (S390X_aes_256_CAPABLE && \
1288 (OPENSSL_s390xcap_P.kmf[0] & \
1289 S390X_CAPBIT(S390X_AES_256)))
1290
1291static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx,
1292 const unsigned char *key,
1293 const unsigned char *ivec, int enc)
1294{
1295 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1296 const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
1297 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1298 const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
1299
1300 cctx->fc = S390X_AES_FC(keylen);
1301 cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */
1302 if (!enc)
1303 cctx->fc |= S390X_DECRYPT;
55bd169f 1304
74d38a86
PS		 1305 cctx->res = 0;
1306 memcpy(cctx->kmf.param.cv, iv, ivlen);
1307 memcpy(cctx->kmf.param.k, key, keylen);
1308 return 1;
1309}
96530eea 1310
96530eea 1311static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
74d38a86
PS		 1312 const unsigned char *in, size_t len)
1313{
1314 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1315 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1316 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
1317 int n = cctx->res;
1318 int rem;
1319 unsigned char tmp;
1320
1321 while (n && len) {
1322 tmp = *in;
1323 *out = cctx->kmf.param.cv[n] ^ tmp;
1324 cctx->kmf.param.cv[n] = enc ? *out : tmp;
1325 n = (n + 1) & 0xf;
1326 --len;
1327 ++in;
1328 ++out;
1329 }
1330
1331 rem = len & 0xf;
1332
1333 len &= ~(size_t)0xf;
1334 if (len) {
1335 s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
1336
1337 out += len;
1338 in += len;
1339 }
1340
1341 if (rem) {
1342 s390x_km(cctx->kmf.param.cv, 16, cctx->kmf.param.cv,
1343 S390X_AES_FC(keylen), cctx->kmf.param.k);
1344
1345 while (rem--) {
1346 tmp = in[n];
1347 out[n] = cctx->kmf.param.cv[n] ^ tmp;
1348 cctx->kmf.param.cv[n] = enc ? out[n] : tmp;
1349 ++n;
1350 }
1351 }
96530eea 1352
74d38a86
PS		 1353 cctx->res = n;
1354 return 1;
1355}
1356
1357# define S390X_aes_128_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
1358 S390X_CAPBIT(S390X_AES_128))
1359# define S390X_aes_192_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
1360 S390X_CAPBIT(S390X_AES_192))
1361# define S390X_aes_256_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
1362 S390X_CAPBIT(S390X_AES_256))
1363
1364static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX *ctx,
1365 const unsigned char *key,
1366 const unsigned char *ivec, int enc)
1367{
1368 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1369 const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
1370 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
1371 const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
1372
1373 cctx->fc = S390X_AES_FC(keylen);
1374 cctx->fc |= 1 << 24; /* 1 byte cipher feedback */
1375 if (!enc)
1376 cctx->fc |= S390X_DECRYPT;
96530eea 1377
74d38a86
PS		 1378 memcpy(cctx->kmf.param.cv, iv, ivlen);
1379 memcpy(cctx->kmf.param.k, key, keylen);
1380 return 1;
1381}
55bd169f 1382
96530eea 1383static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
74d38a86
PS		 1384 const unsigned char *in, size_t len)
1385{
1386 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1387
1388 s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
1389 return 1;
1390}
96530eea
PS		 1391
1392# define S390X_aes_128_cfb1_CAPABLE 0
1393# define S390X_aes_192_cfb1_CAPABLE 0
1394# define S390X_aes_256_cfb1_CAPABLE 0
1395
55bd169f
PS		 1396# define s390x_aes_cfb1_init_key aes_init_key
1397
96530eea
PS		 1398# define s390x_aes_cfb1_cipher aes_cfb1_cipher
1399static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1400 const unsigned char *in, size_t len);
1401
1402# define S390X_aes_128_ctr_CAPABLE 1 /* checked by callee */
1403# define S390X_aes_192_ctr_CAPABLE 1
1404# define S390X_aes_256_ctr_CAPABLE 1
55bd169f
PS		 1405# define S390X_AES_CTR_CTX EVP_AES_KEY
1406
1407# define s390x_aes_ctr_init_key aes_init_key
96530eea
PS		 1408
1409# define s390x_aes_ctr_cipher aes_ctr_cipher
1410static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1411 const unsigned char *in, size_t len);
1412
1413# define S390X_aes_128_gcm_CAPABLE (S390X_aes_128_CAPABLE && \
1414 (OPENSSL_s390xcap_P.kma[0] & \
1415 S390X_CAPBIT(S390X_AES_128)))
1416# define S390X_aes_192_gcm_CAPABLE (S390X_aes_192_CAPABLE && \
1417 (OPENSSL_s390xcap_P.kma[0] & \
1418 S390X_CAPBIT(S390X_AES_192)))
1419# define S390X_aes_256_gcm_CAPABLE (S390X_aes_256_CAPABLE && \
1420 (OPENSSL_s390xcap_P.kma[0] & \
1421 S390X_CAPBIT(S390X_AES_256)))
1422
bcf082d1 1423/* iv + padding length for iv lengths != 12 */
96530eea
PS		 1424# define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
1425
5d2a6f4b
PS		 1426/*-
1427 * Process additional authenticated data. Returns 0 on success. Code is
1428 * big-endian.
1429 */
96530eea
PS		 1430static int s390x_aes_gcm_aad(S390X_AES_GCM_CTX *ctx, const unsigned char *aad,
1431 size_t len)
1432{
1433 unsigned long long alen;
1434 int n, rem;
1435
1436 if (ctx->kma.param.tpcl)
1437 return -2;
1438
1439 alen = ctx->kma.param.taadl + len;
1440 if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
1441 return -1;
1442 ctx->kma.param.taadl = alen;
1443
1444 n = ctx->areslen;
1445 if (n) {
1446 while (n && len) {
1447 ctx->ares[n] = *aad;
1448 n = (n + 1) & 0xf;
1449 ++aad;
1450 --len;
1451 }
1452 /* ctx->ares contains a complete block if offset has wrapped around */
1453 if (!n) {
1454 s390x_kma(ctx->ares, 16, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
1455 ctx->fc |= S390X_KMA_HS;
1456 }
1457 ctx->areslen = n;
1458 }
1459
1460 rem = len & 0xf;
1461
25868993 1462 len &= ~(size_t)0xf;
96530eea
PS		 1463 if (len) {
1464 s390x_kma(aad, len, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
1465 aad += len;
1466 ctx->fc |= S390X_KMA_HS;
1467 }
1468
1469 if (rem) {
1470 ctx->areslen = rem;
1471
1472 do {
1473 --rem;
1474 ctx->ares[rem] = aad[rem];
1475 } while (rem);
1476 }
1477 return 0;
1478}
1479
5d2a6f4b
PS		 1480/*-
1481 * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 0 for
1482 * success. Code is big-endian.
1483 */
96530eea
PS		 1484static int s390x_aes_gcm(S390X_AES_GCM_CTX *ctx, const unsigned char *in,
1485 unsigned char *out, size_t len)
1486{
1487 const unsigned char *inptr;
1488 unsigned long long mlen;
1489 union {
1490 unsigned int w[4];
1491 unsigned char b[16];
1492 } buf;
1493 size_t inlen;
1494 int n, rem, i;
1495
1496 mlen = ctx->kma.param.tpcl + len;
1497 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
1498 return -1;
1499 ctx->kma.param.tpcl = mlen;
1500
1501 n = ctx->mreslen;
1502 if (n) {
1503 inptr = in;
1504 inlen = len;
1505 while (n && inlen) {
1506 ctx->mres[n] = *inptr;
1507 n = (n + 1) & 0xf;
1508 ++inptr;
1509 --inlen;
1510 }
1511 /* ctx->mres contains a complete block if offset has wrapped around */
1512 if (!n) {
1513 s390x_kma(ctx->ares, ctx->areslen, ctx->mres, 16, buf.b,
1514 ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
1515 ctx->fc |= S390X_KMA_HS;
1516 ctx->areslen = 0;
1517
1518 /* previous call already encrypted/decrypted its remainder,
1519 * see comment below */
1520 n = ctx->mreslen;
1521 while (n) {
1522 *out = buf.b[n];
1523 n = (n + 1) & 0xf;
1524 ++out;
1525 ++in;
1526 --len;
1527 }
1528 ctx->mreslen = 0;
1529 }
1530 }
1531
1532 rem = len & 0xf;
1533
25868993 1534 len &= ~(size_t)0xf;
96530eea
PS		 1535 if (len) {
1536 s390x_kma(ctx->ares, ctx->areslen, in, len, out,
1537 ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
1538 in += len;
1539 out += len;
1540 ctx->fc |= S390X_KMA_HS;
1541 ctx->areslen = 0;
1542 }
1543
1544 /*-
1545 * If there is a remainder, it has to be saved such that it can be
1546 * processed by kma later. However, we also have to do the for-now
1547 * unauthenticated encryption/decryption part here and now...
1548 */
1549 if (rem) {
1550 if (!ctx->mreslen) {
1551 buf.w[0] = ctx->kma.param.j0.w[0];
1552 buf.w[1] = ctx->kma.param.j0.w[1];
1553 buf.w[2] = ctx->kma.param.j0.w[2];
1554 buf.w[3] = ctx->kma.param.cv.w + 1;
1555 s390x_km(buf.b, 16, ctx->kres, ctx->fc & 0x1f, &ctx->kma.param.k);
1556 }
1557
1558 n = ctx->mreslen;
1559 for (i = 0; i < rem; i++) {
1560 ctx->mres[n + i] = in[i];
1561 out[i] = in[i] ^ ctx->kres[n + i];
1562 }
1563
1564 ctx->mreslen += rem;
1565 }
1566 return 0;
1567}
1568
5d2a6f4b
PS		 1569/*-
1570 * Initialize context structure. Code is big-endian.
1571 */
96530eea
PS		 1572static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx,
1573 const unsigned char *iv)
1574{
1575 ctx->kma.param.t.g[0] = 0;
1576 ctx->kma.param.t.g[1] = 0;
1577 ctx->kma.param.tpcl = 0;
1578 ctx->kma.param.taadl = 0;
1579 ctx->mreslen = 0;
1580 ctx->areslen = 0;
1581 ctx->kreslen = 0;
1582
1583 if (ctx->ivlen == 12) {
1584 memcpy(&ctx->kma.param.j0, iv, ctx->ivlen);
1585 ctx->kma.param.j0.w[3] = 1;
1586 ctx->kma.param.cv.w = 1;
1587 } else {
1588 /* ctx->iv has the right size and is already padded. */
1589 memcpy(ctx->iv, iv, ctx->ivlen);
1590 s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL,
1591 ctx->fc, &ctx->kma.param);
1592 ctx->fc |= S390X_KMA_HS;
1593
1594 ctx->kma.param.j0.g[0] = ctx->kma.param.t.g[0];
1595 ctx->kma.param.j0.g[1] = ctx->kma.param.t.g[1];
1596 ctx->kma.param.cv.w = ctx->kma.param.j0.w[3];
1597 ctx->kma.param.t.g[0] = 0;
1598 ctx->kma.param.t.g[1] = 0;
1599 }
1600}
1601
5d2a6f4b
PS		 1602/*-
1603 * Performs various operations on the context structure depending on control
1604 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
1605 * Code is big-endian.
1606 */
96530eea
PS		 1607static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1608{
1609 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
1610 S390X_AES_GCM_CTX *gctx_out;
1611 EVP_CIPHER_CTX *out;
1612 unsigned char *buf, *iv;
1613 int ivlen, enc, len;
1614
1615 switch (type) {
1616 case EVP_CTRL_INIT:
1617 ivlen = EVP_CIPHER_CTX_iv_length(c);
1618 iv = EVP_CIPHER_CTX_iv_noconst(c);
1619 gctx->key_set = 0;
1620 gctx->iv_set = 0;
1621 gctx->ivlen = ivlen;
1622 gctx->iv = iv;
1623 gctx->taglen = -1;
1624 gctx->iv_gen = 0;
1625 gctx->tls_aad_len = -1;
1626 return 1;
1627
1628 case EVP_CTRL_AEAD_SET_IVLEN:
1629 if (arg <= 0)
1630 return 0;
1631
1632 if (arg != 12) {
1633 iv = EVP_CIPHER_CTX_iv_noconst(c);
1634 len = S390X_gcm_ivpadlen(arg);
1635
1636 /* Allocate memory for iv if needed. */
1637 if (gctx->ivlen == 12 || len > S390X_gcm_ivpadlen(gctx->ivlen)) {
1638 if (gctx->iv != iv)
1639 OPENSSL_free(gctx->iv);
1640
cdb10bae
RS		 1641 if ((gctx->iv = OPENSSL_malloc(len)) == NULL) {
1642 EVPerr(EVP_F_S390X_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
96530eea 1643 return 0;
cdb10bae 1644 }
96530eea
PS		 1645 }
1646 /* Add padding. */
1647 memset(gctx->iv + arg, 0, len - arg - 8);
1648 *((unsigned long long *)(gctx->iv + len - 8)) = arg << 3;
1649 }
1650 gctx->ivlen = arg;
1651 return 1;
1652
1653 case EVP_CTRL_AEAD_SET_TAG:
1654 buf = EVP_CIPHER_CTX_buf_noconst(c);
1655 enc = EVP_CIPHER_CTX_encrypting(c);
1656 if (arg <= 0 || arg > 16 || enc)
1657 return 0;
1658
1659 memcpy(buf, ptr, arg);
1660 gctx->taglen = arg;
1661 return 1;
1662
1663 case EVP_CTRL_AEAD_GET_TAG:
1664 enc = EVP_CIPHER_CTX_encrypting(c);
1665 if (arg <= 0 || arg > 16 || !enc || gctx->taglen < 0)
1666 return 0;
1667
1668 memcpy(ptr, gctx->kma.param.t.b, arg);
1669 return 1;
1670
1671 case EVP_CTRL_GCM_SET_IV_FIXED:
1672 /* Special case: -1 length restores whole iv */
1673 if (arg == -1) {
1674 memcpy(gctx->iv, ptr, gctx->ivlen);
1675 gctx->iv_gen = 1;
1676 return 1;
1677 }
1678 /*
1679 * Fixed field must be at least 4 bytes and invocation field at least
1680 * 8.
1681 */
1682 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1683 return 0;
1684
1685 if (arg)
1686 memcpy(gctx->iv, ptr, arg);
1687
1688 enc = EVP_CIPHER_CTX_encrypting(c);
16cfc2c9
KR		 1689 if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
1690 return 0;
96530eea
PS		 1691
1692 gctx->iv_gen = 1;
1693 return 1;
1694
1695 case EVP_CTRL_GCM_IV_GEN:
1696 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1697 return 0;
1698
1699 s390x_aes_gcm_setiv(gctx, gctx->iv);
1700
1701 if (arg <= 0 || arg > gctx->ivlen)
1702 arg = gctx->ivlen;
1703
1704 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1705 /*
1706 * Invocation field will be at least 8 bytes in size and so no need
1707 * to check wrap around or increment more than last 8 bytes.
1708 */
03a5e5ae 1709 ctr64_inc(gctx->iv + gctx->ivlen - 8);
96530eea
PS		 1710 gctx->iv_set = 1;
1711 return 1;
1712
1713 case EVP_CTRL_GCM_SET_IV_INV:
1714 enc = EVP_CIPHER_CTX_encrypting(c);
1715 if (gctx->iv_gen == 0 || gctx->key_set == 0 || enc)
1716 return 0;
1717
1718 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1719 s390x_aes_gcm_setiv(gctx, gctx->iv);
1720 gctx->iv_set = 1;
1721 return 1;
1722
1723 case EVP_CTRL_AEAD_TLS1_AAD:
1724 /* Save the aad for later use. */
1725 if (arg != EVP_AEAD_TLS1_AAD_LEN)
1726 return 0;
1727
1728 buf = EVP_CIPHER_CTX_buf_noconst(c);
1729 memcpy(buf, ptr, arg);
1730 gctx->tls_aad_len = arg;
d6b34570 1731 gctx->tls_enc_records = 0;
96530eea
PS		 1732
1733 len = buf[arg - 2] << 8 | buf[arg - 1];
1734 /* Correct length for explicit iv. */
1735 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
1736 return 0;
1737 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1738
1739 /* If decrypting correct for tag too. */
1740 enc = EVP_CIPHER_CTX_encrypting(c);
1741 if (!enc) {
1742 if (len < EVP_GCM_TLS_TAG_LEN)
1743 return 0;
1744 len -= EVP_GCM_TLS_TAG_LEN;
1745 }
1746 buf[arg - 2] = len >> 8;
1747 buf[arg - 1] = len & 0xff;
1748 /* Extra padding: tag appended to record. */
1749 return EVP_GCM_TLS_TAG_LEN;
1750
1751 case EVP_CTRL_COPY:
1752 out = ptr;
1753 gctx_out = EVP_C_DATA(S390X_AES_GCM_CTX, out);
1754 iv = EVP_CIPHER_CTX_iv_noconst(c);
1755
1756 if (gctx->iv == iv) {
1757 gctx_out->iv = EVP_CIPHER_CTX_iv_noconst(out);
1758 } else {
1759 len = S390X_gcm_ivpadlen(gctx->ivlen);
1760
cdb10bae
RS		 1761 if ((gctx_out->iv = OPENSSL_malloc(len)) == NULL) {
1762 EVPerr(EVP_F_S390X_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
96530eea 1763 return 0;
cdb10bae 1764 }
96530eea
PS		 1765
1766 memcpy(gctx_out->iv, gctx->iv, len);
1767 }
1768 return 1;
1769
1770 default:
1771 return -1;
1772 }
1773}
1774
5d2a6f4b
PS		 1775/*-
1776 * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
1777 */
96530eea
PS		 1778static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx,
1779 const unsigned char *key,
1780 const unsigned char *iv, int enc)
1781{
1782 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1783 int keylen;
1784
1785 if (iv == NULL && key == NULL)
1786 return 1;
1787
1788 if (key != NULL) {
1789 keylen = EVP_CIPHER_CTX_key_length(ctx);
1790 memcpy(&gctx->kma.param.k, key, keylen);
1791
8eb399fb 1792 gctx->fc = S390X_AES_FC(keylen);
96530eea
PS		 1793 if (!enc)
1794 gctx->fc |= S390X_DECRYPT;
1795
1796 if (iv == NULL && gctx->iv_set)
1797 iv = gctx->iv;
1798
1799 if (iv != NULL) {
1800 s390x_aes_gcm_setiv(gctx, iv);
1801 gctx->iv_set = 1;
1802 }
1803 gctx->key_set = 1;
1804 } else {
1805 if (gctx->key_set)
1806 s390x_aes_gcm_setiv(gctx, iv);
1807 else
1808 memcpy(gctx->iv, iv, gctx->ivlen);
1809
1810 gctx->iv_set = 1;
1811 gctx->iv_gen = 0;
1812 }
1813 return 1;
1814}
1815
5d2a6f4b
PS		 1816/*-
1817 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
1818 * if successful. Otherwise -1 is returned. Code is big-endian.
1819 */
96530eea
PS		 1820static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1821 const unsigned char *in, size_t len)
1822{
1823 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1824 const unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
1825 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
1826 int rv = -1;
1827
1828 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1829 return -1;
1830
d6b34570
P		 1831 /*
1832 * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
1833 * Requirements from SP 800-38D". The requirements is for one party to the
1834 * communication to fail after 2^64 - 1 keys. We do this on the encrypting
1835 * side only.
1836 */
1837 if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
1838 EVPerr(EVP_F_S390X_AES_GCM_TLS_CIPHER, EVP_R_TOO_MANY_RECORDS);
1839 goto err;
1840 }
1841
96530eea
PS		 1842 if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN
1843 : EVP_CTRL_GCM_SET_IV_INV,
1844 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1845 goto err;
1846
1847 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1848 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1849 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1850
1851 gctx->kma.param.taadl = gctx->tls_aad_len << 3;
1852 gctx->kma.param.tpcl = len << 3;
1853 s390x_kma(buf, gctx->tls_aad_len, in, len, out,
1854 gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
1855
1856 if (enc) {
1857 memcpy(out + len, gctx->kma.param.t.b, EVP_GCM_TLS_TAG_LEN);
1858 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1859 } else {
1860 if (CRYPTO_memcmp(gctx->kma.param.t.b, in + len,
1861 EVP_GCM_TLS_TAG_LEN)) {
1862 OPENSSL_cleanse(out, len);
1863 goto err;
1864 }
1865 rv = len;
1866 }
1867err:
1868 gctx->iv_set = 0;
1869 gctx->tls_aad_len = -1;
1870 return rv;
1871}
1872
5d2a6f4b
PS		 1873/*-
1874 * Called from EVP layer to initialize context, process additional
1875 * authenticated data, en/de-crypt plain/cipher-text and authenticate
1876 * ciphertext or process a TLS packet, depending on context. Returns bytes
1877 * written on success. Otherwise -1 is returned. Code is big-endian.
1878 */
96530eea
PS		 1879static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1880 const unsigned char *in, size_t len)
1881{
1882 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1883 unsigned char *buf, tmp[16];
1884 int enc;
1885
1886 if (!gctx->key_set)
1887 return -1;
1888
1889 if (gctx->tls_aad_len >= 0)
1890 return s390x_aes_gcm_tls_cipher(ctx, out, in, len);
1891
1892 if (!gctx->iv_set)
1893 return -1;
1894
1895 if (in != NULL) {
1896 if (out == NULL) {
1897 if (s390x_aes_gcm_aad(gctx, in, len))
1898 return -1;
1899 } else {
1900 if (s390x_aes_gcm(gctx, in, out, len))
1901 return -1;
1902 }
1903 return len;
1904 } else {
1905 gctx->kma.param.taadl <<= 3;
1906 gctx->kma.param.tpcl <<= 3;
1907 s390x_kma(gctx->ares, gctx->areslen, gctx->mres, gctx->mreslen, tmp,
1908 gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
1909 /* recall that we already did en-/decrypt gctx->mres
1910 * and returned it to caller... */
1911 OPENSSL_cleanse(tmp, gctx->mreslen);
1912 gctx->iv_set = 0;
1913
1914 enc = EVP_CIPHER_CTX_encrypting(ctx);
1915 if (enc) {
1916 gctx->taglen = 16;
1917 } else {
1918 if (gctx->taglen < 0)
1919 return -1;
1920
1921 buf = EVP_CIPHER_CTX_buf_noconst(ctx);
1922 if (CRYPTO_memcmp(buf, gctx->kma.param.t.b, gctx->taglen))
1923 return -1;
1924 }
1925 return 0;
1926 }
1927}
1928
1929static int s390x_aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1930{
1931 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
1932 const unsigned char *iv;
1933
1934 if (gctx == NULL)
1935 return 0;
1936
1937 iv = EVP_CIPHER_CTX_iv(c);
1938 if (iv != gctx->iv)
1939 OPENSSL_free(gctx->iv);
1940
1941 OPENSSL_cleanse(gctx, sizeof(*gctx));
1942 return 1;
1943}
1944
1945# define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
1946# define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */
1947# define S390X_aes_256_xts_CAPABLE 1
1948
1949# define s390x_aes_xts_init_key aes_xts_init_key
1950static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx,
1951 const unsigned char *key,
1952 const unsigned char *iv, int enc);
1953# define s390x_aes_xts_cipher aes_xts_cipher
1954static int s390x_aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1955 const unsigned char *in, size_t len);
1956# define s390x_aes_xts_ctrl aes_xts_ctrl
1957static int s390x_aes_xts_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
1958# define s390x_aes_xts_cleanup aes_xts_cleanup
1959
39f5b069
PS		 1960# define S390X_aes_128_ccm_CAPABLE (S390X_aes_128_CAPABLE && \
1961 (OPENSSL_s390xcap_P.kmac[0] & \
1962 S390X_CAPBIT(S390X_AES_128)))
1963# define S390X_aes_192_ccm_CAPABLE (S390X_aes_192_CAPABLE && \
1964 (OPENSSL_s390xcap_P.kmac[0] & \
1965 S390X_CAPBIT(S390X_AES_192)))
1966# define S390X_aes_256_ccm_CAPABLE (S390X_aes_256_CAPABLE && \
1967 (OPENSSL_s390xcap_P.kmac[0] & \
1968 S390X_CAPBIT(S390X_AES_256)))
1969
1970# define S390X_CCM_AAD_FLAG 0x40
1971
1972/*-
1973 * Set nonce and length fields. Code is big-endian.
1974 */
1975static inline void s390x_aes_ccm_setiv(S390X_AES_CCM_CTX *ctx,
1976 const unsigned char *nonce,
1977 size_t mlen)
1978{
1979 ctx->aes.ccm.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
1980 ctx->aes.ccm.nonce.g[1] = mlen;
1981 memcpy(ctx->aes.ccm.nonce.b + 1, nonce, 15 - ctx->aes.ccm.l);
1982}
1983
1984/*-
1985 * Process additional authenticated data. Code is big-endian.
1986 */
1987static void s390x_aes_ccm_aad(S390X_AES_CCM_CTX *ctx, const unsigned char *aad,
1988 size_t alen)
1989{
1990 unsigned char *ptr;
1991 int i, rem;
1992
1993 if (!alen)
1994 return;
1995
1996 ctx->aes.ccm.nonce.b[0] |= S390X_CCM_AAD_FLAG;
1997
1998 /* Suppress 'type-punned pointer dereference' warning. */
1999 ptr = ctx->aes.ccm.buf.b;
2000
2001 if (alen < ((1 << 16) - (1 << 8))) {
2002 *(uint16_t *)ptr = alen;
2003 i = 2;
2004 } else if (sizeof(alen) == 8
2005 && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
2006 *(uint16_t *)ptr = 0xffff;
2007 *(uint64_t *)(ptr + 2) = alen;
2008 i = 10;
2009 } else {
2010 *(uint16_t *)ptr = 0xfffe;
2011 *(uint32_t *)(ptr + 2) = alen;
2012 i = 6;
2013 }
2014
2015 while (i < 16 && alen) {
2016 ctx->aes.ccm.buf.b[i] = *aad;
2017 ++aad;
2018 --alen;
2019 ++i;
2020 }
2021 while (i < 16) {
2022 ctx->aes.ccm.buf.b[i] = 0;
2023 ++i;
2024 }
2025
2026 ctx->aes.ccm.kmac_param.icv.g[0] = 0;
2027 ctx->aes.ccm.kmac_param.icv.g[1] = 0;
2028 s390x_kmac(ctx->aes.ccm.nonce.b, 32, ctx->aes.ccm.fc,
2029 &ctx->aes.ccm.kmac_param);
2030 ctx->aes.ccm.blocks += 2;
2031
2032 rem = alen & 0xf;
25868993 2033 alen &= ~(size_t)0xf;
39f5b069
PS		 2034 if (alen) {
2035 s390x_kmac(aad, alen, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
2036 ctx->aes.ccm.blocks += alen >> 4;
2037 aad += alen;
2038 }
2039 if (rem) {
2040 for (i = 0; i < rem; i++)
2041 ctx->aes.ccm.kmac_param.icv.b[i] ^= aad[i];
2042
2043 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
2044 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
2045 ctx->aes.ccm.kmac_param.k);
2046 ctx->aes.ccm.blocks++;
2047 }
2048}
2049
2050/*-
2051 * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 0 for
2052 * success.
2053 */
2054static int s390x_aes_ccm(S390X_AES_CCM_CTX *ctx, const unsigned char *in,
2055 unsigned char *out, size_t len, int enc)
2056{
2057 size_t n, rem;
2058 unsigned int i, l, num;
2059 unsigned char flags;
2060
2061 flags = ctx->aes.ccm.nonce.b[0];
2062 if (!(flags & S390X_CCM_AAD_FLAG)) {
2063 s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.kmac_param.icv.b,
2064 ctx->aes.ccm.fc, ctx->aes.ccm.kmac_param.k);
2065 ctx->aes.ccm.blocks++;
2066 }
2067 l = flags & 0x7;
2068 ctx->aes.ccm.nonce.b[0] = l;
2069
2070 /*-
2071 * Reconstruct length from encoded length field
2072 * and initialize it with counter value.
2073 */
2074 n = 0;
2075 for (i = 15 - l; i < 15; i++) {
2076 n |= ctx->aes.ccm.nonce.b[i];
2077 ctx->aes.ccm.nonce.b[i] = 0;
2078 n <<= 8;
2079 }
2080 n |= ctx->aes.ccm.nonce.b[15];
2081 ctx->aes.ccm.nonce.b[15] = 1;
2082
2083 if (n != len)
2084 return -1; /* length mismatch */
2085
2086 if (enc) {
2087 /* Two operations per block plus one for tag encryption */
2088 ctx->aes.ccm.blocks += (((len + 15) >> 4) << 1) + 1;
2089 if (ctx->aes.ccm.blocks > (1ULL << 61))
2090 return -2; /* too much data */
2091 }
2092
2093 num = 0;
2094 rem = len & 0xf;
25868993 2095 len &= ~(size_t)0xf;
39f5b069
PS		 2096
2097 if (enc) {
2098 /* mac-then-encrypt */
2099 if (len)
2100 s390x_kmac(in, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
2101 if (rem) {
2102 for (i = 0; i < rem; i++)
2103 ctx->aes.ccm.kmac_param.icv.b[i] ^= in[len + i];
2104
2105 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
2106 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
2107 ctx->aes.ccm.kmac_param.k);
2108 }
2109
2110 CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
2111 ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
2112 &num, (ctr128_f)AES_ctr32_encrypt);
2113 } else {
2114 /* decrypt-then-mac */
2115 CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
2116 ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
2117 &num, (ctr128_f)AES_ctr32_encrypt);
2118
2119 if (len)
2120 s390x_kmac(out, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
2121 if (rem) {
2122 for (i = 0; i < rem; i++)
2123 ctx->aes.ccm.kmac_param.icv.b[i] ^= out[len + i];
2124
2125 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
2126 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
2127 ctx->aes.ccm.kmac_param.k);
2128 }
2129 }
2130 /* encrypt tag */
2131 for (i = 15 - l; i < 16; i++)
2132 ctx->aes.ccm.nonce.b[i] = 0;
2133
2134 s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.buf.b, ctx->aes.ccm.fc,
2135 ctx->aes.ccm.kmac_param.k);
2136 ctx->aes.ccm.kmac_param.icv.g[0] ^= ctx->aes.ccm.buf.g[0];
2137 ctx->aes.ccm.kmac_param.icv.g[1] ^= ctx->aes.ccm.buf.g[1];
2138
2139 ctx->aes.ccm.nonce.b[0] = flags; /* restore flags field */
2140 return 0;
2141}
2142
2143/*-
2144 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
2145 * if successful. Otherwise -1 is returned.
2146 */
2147static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2148 const unsigned char *in, size_t len)
2149{
2150 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
2151 unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
2152 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
2153 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
2154
2155 if (out != in
2156 || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m))
2157 return -1;
2158
2159 if (enc) {
2160 /* Set explicit iv (sequence number). */
2161 memcpy(out, buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
2162 }
2163
2164 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
2165 /*-
2166 * Get explicit iv (sequence number). We already have fixed iv
2167 * (server/client_write_iv) here.
2168 */
2169 memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
2170 s390x_aes_ccm_setiv(cctx, ivec, len);
2171
2172 /* Process aad (sequence number|type|version|length) */
2173 s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len);
2174
2175 in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
2176 out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
96530eea 2177
39f5b069
PS		 2178 if (enc) {
2179 if (s390x_aes_ccm(cctx, in, out, len, enc))
2180 return -1;
2181
2182 memcpy(out + len, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
2183 return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
2184 } else {
2185 if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
2186 if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, in + len,
2187 cctx->aes.ccm.m))
2188 return len;
2189 }
2190
2191 OPENSSL_cleanse(out, len);
2192 return -1;
2193 }
2194}
2195
2196/*-
2197 * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
2198 * returned.
2199 */
96530eea
PS		 2200static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx,
2201 const unsigned char *key,
39f5b069
PS		 2202 const unsigned char *iv, int enc)
2203{
2204 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
2205 unsigned char *ivec;
2206 int keylen;
2207
2208 if (iv == NULL && key == NULL)
2209 return 1;
2210
2211 if (key != NULL) {
2212 keylen = EVP_CIPHER_CTX_key_length(ctx);
8eb399fb 2213 cctx->aes.ccm.fc = S390X_AES_FC(keylen);
39f5b069
PS		 2214 memcpy(cctx->aes.ccm.kmac_param.k, key, keylen);
2215
2216 /* Store encoded m and l. */
2217 cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
2218 | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
2219 memset(cctx->aes.ccm.nonce.b + 1, 0,
2220 sizeof(cctx->aes.ccm.nonce.b));
2221 cctx->aes.ccm.blocks = 0;
2222
2223 cctx->aes.ccm.key_set = 1;
2224 }
2225
2226 if (iv != NULL) {
2227 ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
2228 memcpy(ivec, iv, 15 - cctx->aes.ccm.l);
2229
2230 cctx->aes.ccm.iv_set = 1;
2231 }
2232
2233 return 1;
2234}
2235
2236/*-
2237 * Called from EVP layer to initialize context, process additional
2238 * authenticated data, en/de-crypt plain/cipher-text and authenticate
2239 * plaintext or process a TLS packet, depending on context. Returns bytes
2240 * written on success. Otherwise -1 is returned.
2241 */
96530eea 2242static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
39f5b069
PS		 2243 const unsigned char *in, size_t len)
2244{
2245 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
2246 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
2247 int rv;
2248 unsigned char *buf, *ivec;
2249
2250 if (!cctx->aes.ccm.key_set)
2251 return -1;
2252
2253 if (cctx->aes.ccm.tls_aad_len >= 0)
2254 return s390x_aes_ccm_tls_cipher(ctx, out, in, len);
2255
2256 /*-
2257 * Final(): Does not return any data. Recall that ccm is mac-then-encrypt
2258 * so integrity must be checked already at Update() i.e., before
2259 * potentially corrupted data is output.
2260 */
2261 if (in == NULL && out != NULL)
2262 return 0;
2263
2264 if (!cctx->aes.ccm.iv_set)
2265 return -1;
2266
39f5b069
PS		 2267 if (out == NULL) {
2268 /* Update(): Pass message length. */
2269 if (in == NULL) {
2270 ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
2271 s390x_aes_ccm_setiv(cctx, ivec, len);
2272
2273 cctx->aes.ccm.len_set = 1;
2274 return len;
2275 }
2276
2277 /* Update(): Process aad. */
2278 if (!cctx->aes.ccm.len_set && len)
2279 return -1;
2280
2281 s390x_aes_ccm_aad(cctx, in, len);
2282 return len;
2283 }
2284
887e22dd
PS		 2285 /* The tag must be set before actually decrypting data */
2286 if (!enc && !cctx->aes.ccm.tag_set)
2287 return -1;
2288
39f5b069
PS		 2289 /* Update(): Process message. */
2290
2291 if (!cctx->aes.ccm.len_set) {
2292 /*-
46d08509 2293 * In case message length was not previously set explicitly via
39f5b069
PS		 2294 * Update(), set it now.
2295 */
2296 ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
2297 s390x_aes_ccm_setiv(cctx, ivec, len);
2298
2299 cctx->aes.ccm.len_set = 1;
2300 }
2301
2302 if (enc) {
2303 if (s390x_aes_ccm(cctx, in, out, len, enc))
2304 return -1;
2305
2306 cctx->aes.ccm.tag_set = 1;
2307 return len;
2308 } else {
2309 rv = -1;
2310
2311 if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
2312 buf = EVP_CIPHER_CTX_buf_noconst(ctx);
2313 if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, buf,
2314 cctx->aes.ccm.m))
2315 rv = len;
2316 }
2317
2318 if (rv == -1)
2319 OPENSSL_cleanse(out, len);
2320
2321 cctx->aes.ccm.iv_set = 0;
2322 cctx->aes.ccm.tag_set = 0;
2323 cctx->aes.ccm.len_set = 0;
2324 return rv;
2325 }
2326}
2327
2328/*-
2329 * Performs various operations on the context structure depending on control
2330 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
2331 * Code is big-endian.
2332 */
2333static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
2334{
2335 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, c);
2336 unsigned char *buf, *iv;
2337 int enc, len;
2338
2339 switch (type) {
2340 case EVP_CTRL_INIT:
2341 cctx->aes.ccm.key_set = 0;
2342 cctx->aes.ccm.iv_set = 0;
2343 cctx->aes.ccm.l = 8;
2344 cctx->aes.ccm.m = 12;
2345 cctx->aes.ccm.tag_set = 0;
2346 cctx->aes.ccm.len_set = 0;
2347 cctx->aes.ccm.tls_aad_len = -1;
2348 return 1;
2349
2350 case EVP_CTRL_AEAD_TLS1_AAD:
2351 if (arg != EVP_AEAD_TLS1_AAD_LEN)
2352 return 0;
2353
2354 /* Save the aad for later use. */
2355 buf = EVP_CIPHER_CTX_buf_noconst(c);
2356 memcpy(buf, ptr, arg);
2357 cctx->aes.ccm.tls_aad_len = arg;
2358
03a5e5ae 2359 len = buf[arg - 2] << 8 | buf[arg - 1];
39f5b069
PS		 2360 if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
2361 return 0;
2362
2363 /* Correct length for explicit iv. */
2364 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
2365
2366 enc = EVP_CIPHER_CTX_encrypting(c);
2367 if (!enc) {
2368 if (len < cctx->aes.ccm.m)
2369 return 0;
2370
2371 /* Correct length for tag. */
2372 len -= cctx->aes.ccm.m;
2373 }
2374
03a5e5ae
PS		 2375 buf[arg - 2] = len >> 8;
2376 buf[arg - 1] = len & 0xff;
2377
39f5b069
PS		 2378 /* Extra padding: tag appended to record. */
2379 return cctx->aes.ccm.m;
2380
2381 case EVP_CTRL_CCM_SET_IV_FIXED:
2382 if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
2383 return 0;
2384
2385 /* Copy to first part of the iv. */
2386 iv = EVP_CIPHER_CTX_iv_noconst(c);
2387 memcpy(iv, ptr, arg);
2388 return 1;
2389
2390 case EVP_CTRL_AEAD_SET_IVLEN:
2391 arg = 15 - arg;
2392 /* fall-through */
2393
2394 case EVP_CTRL_CCM_SET_L:
2395 if (arg < 2 || arg > 8)
2396 return 0;
2397
2398 cctx->aes.ccm.l = arg;
2399 return 1;
2400
2401 case EVP_CTRL_AEAD_SET_TAG:
2402 if ((arg & 1) || arg < 4 || arg > 16)
2403 return 0;
2404
2405 enc = EVP_CIPHER_CTX_encrypting(c);
2406 if (enc && ptr)
2407 return 0;
2408
2409 if (ptr) {
2410 cctx->aes.ccm.tag_set = 1;
2411 buf = EVP_CIPHER_CTX_buf_noconst(c);
2412 memcpy(buf, ptr, arg);
2413 }
2414
2415 cctx->aes.ccm.m = arg;
2416 return 1;
2417
2418 case EVP_CTRL_AEAD_GET_TAG:
2419 enc = EVP_CIPHER_CTX_encrypting(c);
2420 if (!enc || !cctx->aes.ccm.tag_set)
2421 return 0;
2422
2423 if(arg < cctx->aes.ccm.m)
2424 return 0;
2425
2426 memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
2427 cctx->aes.ccm.tag_set = 0;
2428 cctx->aes.ccm.iv_set = 0;
2429 cctx->aes.ccm.len_set = 0;
2430 return 1;
2431
2432 case EVP_CTRL_COPY:
2433 return 1;
2434
2435 default:
2436 return -1;
2437 }
2438}
2439
96530eea
PS		 2440# define s390x_aes_ccm_cleanup aes_ccm_cleanup
2441
2442# ifndef OPENSSL_NO_OCB
2443# define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
2444# define S390X_aes_128_ocb_CAPABLE 0
2445# define S390X_aes_192_ocb_CAPABLE 0
2446# define S390X_aes_256_ocb_CAPABLE 0
2447
2448# define s390x_aes_ocb_init_key aes_ocb_init_key
2449static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2450 const unsigned char *iv, int enc);
2451# define s390x_aes_ocb_cipher aes_ocb_cipher
2452static int s390x_aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2453 const unsigned char *in, size_t len);
2454# define s390x_aes_ocb_cleanup aes_ocb_cleanup
2455static int s390x_aes_ocb_cleanup(EVP_CIPHER_CTX *);
2456# define s390x_aes_ocb_ctrl aes_ocb_ctrl
2457static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
2458# endif
2459
e74be3d4
RL		 2460# ifndef OPENSSL_NO_SIV
2461# define S390X_AES_SIV_CTX EVP_AES_SIV_CTX
2462# define S390X_aes_128_siv_CAPABLE 0
2463# define S390X_aes_192_siv_CAPABLE 0
2464# define S390X_aes_256_siv_CAPABLE 0
2465
2466# define s390x_aes_siv_init_key aes_siv_init_key
2467# define s390x_aes_siv_cipher aes_siv_cipher
2468# define s390x_aes_siv_cleanup aes_siv_cleanup
2469# define s390x_aes_siv_ctrl aes_siv_ctrl
2470# endif
2471
96530eea
PS		 2472# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
2473 MODE,flags) \
2474static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2475 nid##_##keylen##_##nmode,blocksize, \
2476 keylen / 8, \
2477 ivlen, \
2478 flags | EVP_CIPH_##MODE##_MODE, \
55bd169f 2479 s390x_aes_##mode##_init_key, \
96530eea
PS		 2480 s390x_aes_##mode##_cipher, \
2481 NULL, \
55bd169f 2482 sizeof(S390X_AES_##MODE##_CTX), \
96530eea
PS		 2483 NULL, \
2484 NULL, \
2485 NULL, \
2486 NULL \
2487}; \
2488static const EVP_CIPHER aes_##keylen##_##mode = { \
2489 nid##_##keylen##_##nmode, \
2490 blocksize, \
2491 keylen / 8, \
2492 ivlen, \
2493 flags | EVP_CIPH_##MODE##_MODE, \
2494 aes_init_key, \
2495 aes_##mode##_cipher, \
2496 NULL, \
2497 sizeof(EVP_AES_KEY), \
55bd169f
PS		 2498 NULL, \
2499 NULL, \
2500 NULL, \
2501 NULL \
96530eea
PS		 2502}; \
2503const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2504{ \
2505 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2506 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2507}
2508
2509# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
2510static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2511 nid##_##keylen##_##mode, \
2512 blocksize, \
e74be3d4 2513 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
96530eea
PS		 2514 ivlen, \
2515 flags | EVP_CIPH_##MODE##_MODE, \
2516 s390x_aes_##mode##_init_key, \
2517 s390x_aes_##mode##_cipher, \
2518 s390x_aes_##mode##_cleanup, \
2519 sizeof(S390X_AES_##MODE##_CTX), \
2520 NULL, \
2521 NULL, \
2522 s390x_aes_##mode##_ctrl, \
2523 NULL \
2524}; \
2525static const EVP_CIPHER aes_##keylen##_##mode = { \
2526 nid##_##keylen##_##mode,blocksize, \
e74be3d4 2527 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
96530eea
PS		 2528 ivlen, \
2529 flags | EVP_CIPH_##MODE##_MODE, \
2530 aes_##mode##_init_key, \
2531 aes_##mode##_cipher, \
2532 aes_##mode##_cleanup, \
2533 sizeof(EVP_AES_##MODE##_CTX), \
2534 NULL, \
2535 NULL, \
2536 aes_##mode##_ctrl, \
2537 NULL \
2538}; \
2539const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2540{ \
2541 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2542 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2543}
2544
5158c763 2545#else
17f121de 2546
5158c763 2547# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
17f121de 2548static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e
MC		 2549 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
2550 flags|EVP_CIPH_##MODE##_MODE, \
2551 aes_init_key, \
2552 aes_##mode##_cipher, \
2553 NULL, \
2554 sizeof(EVP_AES_KEY), \
2555 NULL,NULL,NULL,NULL }; \
17f121de
AP		 2556const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2557{ return &aes_##keylen##_##mode; }
d1fff483 2558
5158c763 2559# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
17f121de 2560static const EVP_CIPHER aes_##keylen##_##mode = { \
0f113f3e 2561 nid##_##keylen##_##mode,blocksize, \
b1ceb439
TS		 2562 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
2563 ivlen, \
0f113f3e
MC		 2564 flags|EVP_CIPH_##MODE##_MODE, \
2565 aes_##mode##_init_key, \
2566 aes_##mode##_cipher, \
2567 aes_##mode##_cleanup, \
2568 sizeof(EVP_AES_##MODE##_CTX), \
2569 NULL,NULL,aes_##mode##_ctrl,NULL }; \
17f121de
AP		 2570const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2571{ return &aes_##keylen##_##mode; }
9575d1a9 2572
5158c763 2573#endif
9575d1a9 2574
5158c763
MC		 2575#if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
2576# include "arm_arch.h"
2577# if __ARM_MAX_ARCH__>=7
2578# if defined(BSAES_ASM)
2579# define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
2580# endif
2581# if defined(VPAES_ASM)
2582# define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
0f113f3e 2583# endif
5158c763
MC		 2584# define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
2585# define HWAES_set_encrypt_key aes_v8_set_encrypt_key
2586# define HWAES_set_decrypt_key aes_v8_set_decrypt_key
2587# define HWAES_encrypt aes_v8_encrypt
2588# define HWAES_decrypt aes_v8_decrypt
2589# define HWAES_cbc_encrypt aes_v8_cbc_encrypt
2590# define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
ddacb8f2 2591# endif
5158c763 2592#endif
d1fff483 2593
5158c763 2594#if defined(HWAES_CAPABLE)
ddacb8f2 2595int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
0f113f3e 2596 AES_KEY *key);
ddacb8f2 2597int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
0f113f3e 2598 AES_KEY *key);
ddacb8f2 2599void HWAES_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e 2600 const AES_KEY *key);
ddacb8f2 2601void HWAES_decrypt(const unsigned char *in, unsigned char *out,
0f113f3e 2602 const AES_KEY *key);
ddacb8f2 2603void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 2604 size_t length, const AES_KEY *key,
2605 unsigned char *ivec, const int enc);
ddacb8f2 2606void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
0f113f3e
MC		 2607 size_t len, const AES_KEY *key,
2608 const unsigned char ivec[16]);
46f047d7
AP		 2609void HWAES_xts_encrypt(const unsigned char *inp, unsigned char *out,
2610 size_t len, const AES_KEY *key1,
2611 const AES_KEY *key2, const unsigned char iv[16]);
2612void HWAES_xts_decrypt(const unsigned char *inp, unsigned char *out,
2613 size_t len, const AES_KEY *key1,
2614 const AES_KEY *key2, const unsigned char iv[16]);
5158c763 2615#endif
ddacb8f2 2616
5158c763 2617#define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
0f113f3e
MC		 2618 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2619 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2620 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2621 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2622 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
2623 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
2624 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
d1fff483
AP		 2625
2626static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 2627 const unsigned char *iv, int enc)
2628{
2629 int ret, mode;
6435f0f6 2630 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 2631
6435f0f6 2632 mode = EVP_CIPHER_CTX_mode(ctx);
0f113f3e 2633 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
c01a3c6d 2634 && !enc) {
5158c763 2635#ifdef HWAES_CAPABLE
0f113f3e 2636 if (HWAES_CAPABLE) {
6435f0f6
RL		 2637 ret = HWAES_set_decrypt_key(key,
2638 EVP_CIPHER_CTX_key_length(ctx) * 8,
2639 &dat->ks.ks);
0f113f3e
MC		 2640 dat->block = (block128_f) HWAES_decrypt;
2641 dat->stream.cbc = NULL;
5158c763 2642# ifdef HWAES_cbc_encrypt
0f113f3e
MC		 2643 if (mode == EVP_CIPH_CBC_MODE)
2644 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
0f113f3e 2645# endif
5158c763
MC		 2646 } else
2647#endif
2648#ifdef BSAES_CAPABLE
0f113f3e 2649 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
6435f0f6
RL		 2650 ret = AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2651 &dat->ks.ks);
0f113f3e
MC		 2652 dat->block = (block128_f) AES_decrypt;
2653 dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt;
2654 } else
5158c763
MC		 2655#endif
2656#ifdef VPAES_CAPABLE
0f113f3e 2657 if (VPAES_CAPABLE) {
6435f0f6
RL		 2658 ret = vpaes_set_decrypt_key(key,
2659 EVP_CIPHER_CTX_key_length(ctx) * 8,
2660 &dat->ks.ks);
0f113f3e
MC		 2661 dat->block = (block128_f) vpaes_decrypt;
2662 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2663 (cbc128_f) vpaes_cbc_encrypt : NULL;
2664 } else
5158c763 2665#endif
0f113f3e 2666 {
6435f0f6
RL		 2667 ret = AES_set_decrypt_key(key,
2668 EVP_CIPHER_CTX_key_length(ctx) * 8,
2669 &dat->ks.ks);
0f113f3e
MC		 2670 dat->block = (block128_f) AES_decrypt;
2671 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2672 (cbc128_f) AES_cbc_encrypt : NULL;
c01a3c6d 2673 }
0f113f3e 2674 } else
5158c763 2675#ifdef HWAES_CAPABLE
0f113f3e 2676 if (HWAES_CAPABLE) {
6435f0f6
RL		 2677 ret = HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2678 &dat->ks.ks);
0f113f3e
MC		 2679 dat->block = (block128_f) HWAES_encrypt;
2680 dat->stream.cbc = NULL;
5158c763 2681# ifdef HWAES_cbc_encrypt
0f113f3e
MC		 2682 if (mode == EVP_CIPH_CBC_MODE)
2683 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
2684 else
5158c763
MC		 2685# endif
2686# ifdef HWAES_ctr32_encrypt_blocks
0f113f3e
MC		 2687 if (mode == EVP_CIPH_CTR_MODE)
2688 dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
2689 else
5158c763 2690# endif
0f113f3e
MC		 2691 (void)0; /* terminate potentially open 'else' */
2692 } else
5158c763
MC		 2693#endif
2694#ifdef BSAES_CAPABLE
0f113f3e 2695 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
6435f0f6
RL		 2696 ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2697 &dat->ks.ks);
0f113f3e
MC		 2698 dat->block = (block128_f) AES_encrypt;
2699 dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
2700 } else
5158c763
MC		 2701#endif
2702#ifdef VPAES_CAPABLE
0f113f3e 2703 if (VPAES_CAPABLE) {
6435f0f6
RL		 2704 ret = vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2705 &dat->ks.ks);
0f113f3e
MC		 2706 dat->block = (block128_f) vpaes_encrypt;
2707 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2708 (cbc128_f) vpaes_cbc_encrypt : NULL;
2709 } else
5158c763 2710#endif
0f113f3e 2711 {
6435f0f6
RL		 2712 ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
2713 &dat->ks.ks);
0f113f3e
MC		 2714 dat->block = (block128_f) AES_encrypt;
2715 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2716 (cbc128_f) AES_cbc_encrypt : NULL;
5158c763 2717#ifdef AES_CTR_ASM
0f113f3e
MC		 2718 if (mode == EVP_CIPH_CTR_MODE)
2719 dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
5158c763 2720#endif
0f113f3e 2721 }
d1fff483 2722
0f113f3e
MC		 2723 if (ret < 0) {
2724 EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
2725 return 0;
2726 }
d1fff483 2727
0f113f3e
MC		 2728 return 1;
2729}
d1fff483 2730
0f113f3e
MC		 2731static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2732 const unsigned char *in, size_t len)
17f121de 2733{
6435f0f6 2734 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2735
0f113f3e 2736 if (dat->stream.cbc)
6435f0f6
RL		 2737 (*dat->stream.cbc) (in, out, len, &dat->ks,
2738 EVP_CIPHER_CTX_iv_noconst(ctx),
2739 EVP_CIPHER_CTX_encrypting(ctx));
2740 else if (EVP_CIPHER_CTX_encrypting(ctx))
2741 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks,
2742 EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
0f113f3e 2743 else
6435f0f6
RL		 2744 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
2745 EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
17f121de 2746
0f113f3e 2747 return 1;
17f121de
AP		 2748}
2749
0f113f3e
MC		 2750static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2751 const unsigned char *in, size_t len)
17f121de 2752{
6435f0f6 2753 size_t bl = EVP_CIPHER_CTX_block_size(ctx);
0f113f3e 2754 size_t i;
6435f0f6 2755 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
17f121de 2756
0f113f3e
MC		 2757 if (len < bl)
2758 return 1;
17f121de 2759
0f113f3e
MC		 2760 for (i = 0, len -= bl; i <= len; i += bl)
2761 (*dat->block) (in + i, out + i, &dat->ks);
17f121de 2762
0f113f3e 2763 return 1;
17f121de 2764}
deb2c1a1 2765
0f113f3e
MC		 2766static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2767 const unsigned char *in, size_t len)
17f121de 2768{
6435f0f6 2769 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2770
6435f0f6 2771 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2772 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2773 EVP_CIPHER_CTX_iv_noconst(ctx), &num, dat->block);
2774 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2775 return 1;
17f121de 2776}
deb2c1a1 2777
0f113f3e
MC		 2778static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2779 const unsigned char *in, size_t len)
17f121de 2780{
6435f0f6 2781 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2782
6435f0f6 2783 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2784 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2785 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2786 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2787 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2788 return 1;
17f121de
AP		 2789}
2790
0f113f3e
MC		 2791static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2792 const unsigned char *in, size_t len)
17f121de 2793{
6435f0f6 2794 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
8ca28da0 2795
6435f0f6 2796 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2797 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2798 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2799 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2800 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2801 return 1;
17f121de 2802}
8d1ebe0b 2803
0f113f3e
MC		 2804static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2805 const unsigned char *in, size_t len)
17f121de 2806{
6435f0f6 2807 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e 2808
6435f0f6
RL		 2809 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
2810 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2811 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2812 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2813 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2814 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e
MC		 2815 return 1;
2816 }
2817
2818 while (len >= MAXBITCHUNK) {
6435f0f6 2819 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2820 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
6435f0f6
RL		 2821 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2822 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2823 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2824 len -= MAXBITCHUNK;
604e591e
BE		 2825 out += MAXBITCHUNK;
2826 in += MAXBITCHUNK;
0f113f3e 2827 }
6435f0f6
RL		 2828 if (len) {
2829 int num = EVP_CIPHER_CTX_num(ctx);
0f113f3e 2830 CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
6435f0f6
RL		 2831 EVP_CIPHER_CTX_iv_noconst(ctx), &num,
2832 EVP_CIPHER_CTX_encrypting(ctx), dat->block);
2833 EVP_CIPHER_CTX_set_num(ctx, num);
2834 }
0f113f3e
MC		 2835
2836 return 1;
17f121de 2837}
8d1ebe0b 2838
0f113f3e
MC		 2839static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2840 const unsigned char *in, size_t len)
d976f992 2841{
6435f0f6
RL		 2842 unsigned int num = EVP_CIPHER_CTX_num(ctx);
2843 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
0f113f3e
MC		 2844
2845 if (dat->stream.ctr)
2846 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
6435f0f6
RL		 2847 EVP_CIPHER_CTX_iv_noconst(ctx),
2848 EVP_CIPHER_CTX_buf_noconst(ctx),
2849 &num, dat->stream.ctr);
0f113f3e
MC		 2850 else
2851 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
6435f0f6
RL		 2852 EVP_CIPHER_CTX_iv_noconst(ctx),
2853 EVP_CIPHER_CTX_buf_noconst(ctx), &num,
2854 dat->block);
2855 EVP_CIPHER_CTX_set_num(ctx, num);
0f113f3e 2856 return 1;
d976f992
AP		 2857}
2858
0f113f3e
MC		 2859BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
2860 BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
2861 BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
bdaa5415
DSH		 2862
2863static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
0f113f3e 2864{
6435f0f6 2865 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
273a0218
BE		 2866 if (gctx == NULL)
2867 return 0;
0f113f3e 2868 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
6435f0f6 2869 if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
0f113f3e
MC		 2870 OPENSSL_free(gctx->iv);
2871 return 1;
2872}
bdaa5415
DSH		 2873
2874static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 2875{
6435f0f6 2876 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
0f113f3e
MC		 2877 switch (type) {
2878 case EVP_CTRL_INIT:
2879 gctx->key_set = 0;
2880 gctx->iv_set = 0;
c5307d9c
AP		 2881 gctx->ivlen = c->cipher->iv_len;
2882 gctx->iv = c->iv;
0f113f3e
MC		 2883 gctx->taglen = -1;
2884 gctx->iv_gen = 0;
2885 gctx->tls_aad_len = -1;
2886 return 1;
2887
e640fa02 2888 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 2889 if (arg <= 0)
2890 return 0;
2891 /* Allocate memory for IV if needed */
2892 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
c5307d9c 2893 if (gctx->iv != c->iv)
0f113f3e 2894 OPENSSL_free(gctx->iv);
cdb10bae
RS		 2895 if ((gctx->iv = OPENSSL_malloc(arg)) == NULL) {
2896 EVPerr(EVP_F_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
0f113f3e 2897 return 0;
cdb10bae 2898 }
0f113f3e
MC		 2899 }
2900 gctx->ivlen = arg;
2901 return 1;
2902
e640fa02 2903 case EVP_CTRL_AEAD_SET_TAG:
c5307d9c 2904 if (arg <= 0 || arg > 16 || c->encrypt)
0f113f3e 2905 return 0;
c5307d9c 2906 memcpy(c->buf, ptr, arg);
0f113f3e
MC		 2907 gctx->taglen = arg;
2908 return 1;
2909
e640fa02 2910 case EVP_CTRL_AEAD_GET_TAG:
c5307d9c 2911 if (arg <= 0 || arg > 16 || !c->encrypt
6435f0f6 2912 || gctx->taglen < 0)
0f113f3e 2913 return 0;
c5307d9c 2914 memcpy(ptr, c->buf, arg);
0f113f3e
MC		 2915 return 1;
2916
ecd1557f 2917 case EVP_CTRL_GET_IV:
bcf082d1 2918 if (gctx->iv_gen != 1 && gctx->iv_gen_rand != 1)
ecd1557f
BP		 2919 return 0;
2920 if (gctx->ivlen != arg)
2921 return 0;
2922 memcpy(ptr, gctx->iv, arg);
2923 return 1;
2924
0f113f3e
MC		 2925 case EVP_CTRL_GCM_SET_IV_FIXED:
2926 /* Special case: -1 length restores whole IV */
2927 if (arg == -1) {
2928 memcpy(gctx->iv, ptr, gctx->ivlen);
2929 gctx->iv_gen = 1;
2930 return 1;
2931 }
2932 /*
2933 * Fixed field must be at least 4 bytes and invocation field at least
2934 * 8.
2935 */
2936 if ((arg < 4) || (gctx->ivlen - arg) < 8)
2937 return 0;
2938 if (arg)
2939 memcpy(gctx->iv, ptr, arg);
c5307d9c 2940 if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
16cfc2c9 2941 return 0;
0f113f3e
MC		 2942 gctx->iv_gen = 1;
2943 return 1;
2944
2945 case EVP_CTRL_GCM_IV_GEN:
2946 if (gctx->iv_gen == 0 || gctx->key_set == 0)
2947 return 0;
2948 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
2949 if (arg <= 0 || arg > gctx->ivlen)
2950 arg = gctx->ivlen;
2951 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
2952 /*
2953 * Invocation field will be at least 8 bytes in size and so no need
2954 * to check wrap around or increment more than last 8 bytes.
2955 */
2956 ctr64_inc(gctx->iv + gctx->ivlen - 8);
2957 gctx->iv_set = 1;
2958 return 1;
2959
2960 case EVP_CTRL_GCM_SET_IV_INV:
c5307d9c 2961 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
0f113f3e
MC		 2962 return 0;
2963 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
2964 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
2965 gctx->iv_set = 1;
2966 return 1;
2967
2968 case EVP_CTRL_AEAD_TLS1_AAD:
2969 /* Save the AAD for later use */
c8269881 2970 if (arg != EVP_AEAD_TLS1_AAD_LEN)
0f113f3e 2971 return 0;
c5307d9c 2972 memcpy(c->buf, ptr, arg);
0f113f3e 2973 gctx->tls_aad_len = arg;
d6b34570 2974 gctx->tls_enc_records = 0;
0f113f3e 2975 {
c5307d9c 2976 unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
0f113f3e 2977 /* Correct length for explicit IV */
2198b3a5
AP		 2978 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
2979 return 0;
0f113f3e
MC		 2980 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
2981 /* If decrypting correct for tag too */
c5307d9c 2982 if (!c->encrypt) {
2198b3a5
AP		 2983 if (len < EVP_GCM_TLS_TAG_LEN)
2984 return 0;
0f113f3e 2985 len -= EVP_GCM_TLS_TAG_LEN;
2198b3a5 2986 }
c5307d9c
AP		 2987 c->buf[arg - 2] = len >> 8;
2988 c->buf[arg - 1] = len & 0xff;
0f113f3e
MC		 2989 }
2990 /* Extra padding: tag appended to record */
2991 return EVP_GCM_TLS_TAG_LEN;
2992
2993 case EVP_CTRL_COPY:
2994 {
2995 EVP_CIPHER_CTX *out = ptr;
6435f0f6 2996 EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out);
0f113f3e
MC		 2997 if (gctx->gcm.key) {
2998 if (gctx->gcm.key != &gctx->ks)
2999 return 0;
3000 gctx_out->gcm.key = &gctx_out->ks;
3001 }
c5307d9c
AP		 3002 if (gctx->iv == c->iv)
3003 gctx_out->iv = out->iv;
0f113f3e 3004 else {
cdb10bae
RS		 3005 if ((gctx_out->iv = OPENSSL_malloc(gctx->ivlen)) == NULL) {
3006 EVPerr(EVP_F_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
0f113f3e 3007 return 0;
cdb10bae 3008 }
0f113f3e
MC		 3009 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
3010 }
3011 return 1;
3012 }
3013
3014 default:
3015 return -1;
3016
3017 }
3018}
bdaa5415
DSH		 3019
3020static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3021 const unsigned char *iv, int enc)
3022{
6435f0f6 3023 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 3024 if (!iv && !key)
3025 return 1;
3026 if (key) {
3027 do {
5158c763 3028#ifdef HWAES_CAPABLE
0f113f3e 3029 if (HWAES_CAPABLE) {
c5307d9c 3030 HWAES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
0f113f3e
MC		 3031 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
3032 (block128_f) HWAES_encrypt);
5158c763 3033# ifdef HWAES_ctr32_encrypt_blocks
0f113f3e 3034 gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
5158c763 3035# else
0f113f3e 3036 gctx->ctr = NULL;
5158c763 3037# endif
0f113f3e
MC		 3038 break;
3039 } else
5158c763
MC		 3040#endif
3041#ifdef BSAES_CAPABLE
0f113f3e 3042 if (BSAES_CAPABLE) {
c5307d9c 3043 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
0f113f3e
MC		 3044 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
3045 (block128_f) AES_encrypt);
3046 gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
3047 break;
3048 } else
5158c763
MC		 3049#endif
3050#ifdef VPAES_CAPABLE
0f113f3e 3051 if (VPAES_CAPABLE) {
c5307d9c 3052 vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
0f113f3e
MC		 3053 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
3054 (block128_f) vpaes_encrypt);
3055 gctx->ctr = NULL;
3056 break;
3057 } else
5158c763 3058#endif
0f113f3e
MC		 3059 (void)0; /* terminate potentially open 'else' */
3060
c5307d9c 3061 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
0f113f3e
MC		 3062 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
3063 (block128_f) AES_encrypt);
5158c763 3064#ifdef AES_CTR_ASM
0f113f3e 3065 gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
5158c763 3066#else
0f113f3e 3067 gctx->ctr = NULL;
5158c763 3068#endif
0f113f3e
MC		 3069 } while (0);
3070
3071 /*
3072 * If we have an iv can set it directly, otherwise use saved IV.
3073 */
3074 if (iv == NULL && gctx->iv_set)
3075 iv = gctx->iv;
3076 if (iv) {
3077 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
3078 gctx->iv_set = 1;
3079 }
3080 gctx->key_set = 1;
3081 } else {
3082 /* If key set use IV, otherwise copy */
3083 if (gctx->key_set)
3084 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
3085 else
3086 memcpy(gctx->iv, iv, gctx->ivlen);
3087 gctx->iv_set = 1;
3088 gctx->iv_gen = 0;
3089 }
3090 return 1;
3091}
3092
3093/*
3094 * Handle TLS GCM packet format. This consists of the last portion of the IV
28dd49fa
DSH		 3095 * followed by the payload and finally the tag. On encrypt generate IV,
3096 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
3097 * and verify tag.
3098 */
3099
3100static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3101 const unsigned char *in, size_t len)
3102{
6435f0f6 3103 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
0f113f3e
MC		 3104 int rv = -1;
3105 /* Encrypt/decrypt must be performed in place */
3106 if (out != in
3107 || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
3108 return -1;
df443918 3109
d6b34570
P		 3110 /*
3111 * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
3112 * Requirements from SP 800-38D". The requirements is for one party to the
3113 * communication to fail after 2^64 - 1 keys. We do this on the encrypting
3114 * side only.
3115 */
3116 if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
3117 EVPerr(EVP_F_AES_GCM_TLS_CIPHER, EVP_R_TOO_MANY_RECORDS);
3118 goto err;
3119 }
3120
0f113f3e
MC		 3121 /*
3122 * Set IV from start of buffer or generate IV and write to start of
3123 * buffer.
3124 */
c5307d9c
AP		 3125 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? EVP_CTRL_GCM_IV_GEN
3126 : EVP_CTRL_GCM_SET_IV_INV,
0f113f3e
MC		 3127 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
3128 goto err;
3129 /* Use saved AAD */
c5307d9c 3130 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
0f113f3e
MC		 3131 goto err;
3132 /* Fix buffer and length to point to payload */
3133 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
3134 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
3135 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
c5307d9c 3136 if (ctx->encrypt) {
0f113f3e
MC		 3137 /* Encrypt payload */
3138 if (gctx->ctr) {
3139 size_t bulk = 0;
5158c763 3140#if defined(AES_GCM_ASM)
0f113f3e
MC		 3141 if (len >= 32 && AES_GCM_ASM(gctx)) {
3142 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
3143 return -1;
3144
3145 bulk = AES_gcm_encrypt(in, out, len,
3146 gctx->gcm.key,
3147 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3148 gctx->gcm.len.u[1] += bulk;
3149 }
5158c763 3150#endif
0f113f3e
MC		 3151 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
3152 in + bulk,
3153 out + bulk,
3154 len - bulk, gctx->ctr))
3155 goto err;
3156 } else {
3157 size_t bulk = 0;
5158c763 3158#if defined(AES_GCM_ASM2)
0f113f3e
MC		 3159 if (len >= 32 && AES_GCM_ASM2(gctx)) {
3160 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
3161 return -1;
3162
3163 bulk = AES_gcm_encrypt(in, out, len,
3164 gctx->gcm.key,
3165 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3166 gctx->gcm.len.u[1] += bulk;
3167 }
5158c763 3168#endif
0f113f3e
MC		 3169 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
3170 in + bulk, out + bulk, len - bulk))
3171 goto err;
3172 }
3173 out += len;
3174 /* Finally write tag */
3175 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
3176 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
3177 } else {
3178 /* Decrypt */
3179 if (gctx->ctr) {
3180 size_t bulk = 0;
5158c763 3181#if defined(AES_GCM_ASM)
0f113f3e
MC		 3182 if (len >= 16 && AES_GCM_ASM(gctx)) {
3183 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
3184 return -1;
3185
3186 bulk = AES_gcm_decrypt(in, out, len,
3187 gctx->gcm.key,
3188 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3189 gctx->gcm.len.u[1] += bulk;
3190 }
5158c763 3191#endif
0f113f3e
MC		 3192 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
3193 in + bulk,
3194 out + bulk,
3195 len - bulk, gctx->ctr))
3196 goto err;
3197 } else {
3198 size_t bulk = 0;
5158c763 3199#if defined(AES_GCM_ASM2)
0f113f3e
MC		 3200 if (len >= 16 && AES_GCM_ASM2(gctx)) {
3201 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
3202 return -1;
3203
3204 bulk = AES_gcm_decrypt(in, out, len,
3205 gctx->gcm.key,
3206 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3207 gctx->gcm.len.u[1] += bulk;
3208 }
5158c763 3209#endif
0f113f3e
MC		 3210 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
3211 in + bulk, out + bulk, len - bulk))
3212 goto err;
3213 }
3214 /* Retrieve tag */
c5307d9c 3215 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
0f113f3e 3216 /* If tag mismatch wipe buffer */
c5307d9c 3217 if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
0f113f3e
MC		 3218 OPENSSL_cleanse(out, len);
3219 goto err;
3220 }
3221 rv = len;
3222 }
3223
3224 err:
3225 gctx->iv_set = 0;
3226 gctx->tls_aad_len = -1;
3227 return rv;
3228}
28dd49fa 3229
bcf082d1
SL		 3230#ifdef FIPS_MODE
3231/*
3232 * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
3233 *
3234 * See also 8.2.2 RBG-based construction.
3235 * Random construction consists of a free field (which can be NULL) and a
3236 * random field which will use a DRBG that can return at least 96 bits of
3237 * entropy strength. (The DRBG must be seeded by the FIPS module).
3238 */
3239static int aes_gcm_iv_generate(EVP_AES_GCM_CTX *gctx, int offset)
3240{
3241 int sz = gctx->ivlen - offset;
3242
3243 /* Must be at least 96 bits */
3244 if (sz <= 0 || gctx->ivlen < 12)
3245 return 0;
3246
3247 /* Use DRBG to generate random iv */
3248 if (RAND_bytes(gctx->iv + offset, sz) <= 0)
3249 return 0;
3250 return 1;
3251}
3252#endif /* FIPS_MODE */
3253
17f121de 3254static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3255 const unsigned char *in, size_t len)
3256{
6435f0f6 3257 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
bcf082d1 3258
0f113f3e
MC		 3259 /* If not set up, return error */
3260 if (!gctx->key_set)
3261 return -1;
3262
3263 if (gctx->tls_aad_len >= 0)
3264 return aes_gcm_tls_cipher(ctx, out, in, len);
3265
bcf082d1
SL		 3266#ifdef FIPS_MODE
3267 /*
3268 * FIPS requires generation of AES-GCM IV's inside the FIPS module.
3269 * The IV can still be set externally (the security policy will state that
3270 * this is not FIPS compliant). There are some applications
3271 * where setting the IV externally is the only option available.
3272 */
3273 if (!gctx->iv_set) {
3274 if (!ctx->encrypt || !aes_gcm_iv_generate(gctx, 0))
3275 return -1;
3276 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
3277 gctx->iv_set = 1;
3278 gctx->iv_gen_rand = 1;
3279 }
3280#else
0f113f3e
MC		 3281 if (!gctx->iv_set)
3282 return -1;
bcf082d1
SL		 3283#endif /* FIPS_MODE */
3284
0f113f3e
MC		 3285 if (in) {
3286 if (out == NULL) {
3287 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
3288 return -1;
c5307d9c 3289 } else if (ctx->encrypt) {
0f113f3e
MC		 3290 if (gctx->ctr) {
3291 size_t bulk = 0;
5158c763 3292#if defined(AES_GCM_ASM)
0f113f3e
MC		 3293 if (len >= 32 && AES_GCM_ASM(gctx)) {
3294 size_t res = (16 - gctx->gcm.mres) % 16;
3295
3296 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
3297 return -1;
3298
3299 bulk = AES_gcm_encrypt(in + res,
3300 out + res, len - res,
3301 gctx->gcm.key, gctx->gcm.Yi.c,
3302 gctx->gcm.Xi.u);
3303 gctx->gcm.len.u[1] += bulk;
3304 bulk += res;
3305 }
5158c763 3306#endif
0f113f3e
MC		 3307 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
3308 in + bulk,
3309 out + bulk,
3310 len - bulk, gctx->ctr))
3311 return -1;
3312 } else {
3313 size_t bulk = 0;
5158c763 3314#if defined(AES_GCM_ASM2)
0f113f3e
MC		 3315 if (len >= 32 && AES_GCM_ASM2(gctx)) {
3316 size_t res = (16 - gctx->gcm.mres) % 16;
3317
3318 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
3319 return -1;
3320
3321 bulk = AES_gcm_encrypt(in + res,
3322 out + res, len - res,
3323 gctx->gcm.key, gctx->gcm.Yi.c,
3324 gctx->gcm.Xi.u);
3325 gctx->gcm.len.u[1] += bulk;
3326 bulk += res;
3327 }
5158c763 3328#endif
0f113f3e
MC		 3329 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
3330 in + bulk, out + bulk, len - bulk))
3331 return -1;
3332 }
3333 } else {
3334 if (gctx->ctr) {
3335 size_t bulk = 0;
5158c763 3336#if defined(AES_GCM_ASM)
0f113f3e
MC		 3337 if (len >= 16 && AES_GCM_ASM(gctx)) {
3338 size_t res = (16 - gctx->gcm.mres) % 16;
3339
3340 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
3341 return -1;
3342
3343 bulk = AES_gcm_decrypt(in + res,
3344 out + res, len - res,
3345 gctx->gcm.key,
3346 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3347 gctx->gcm.len.u[1] += bulk;
3348 bulk += res;
3349 }
5158c763 3350#endif
0f113f3e
MC		 3351 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
3352 in + bulk,
3353 out + bulk,
3354 len - bulk, gctx->ctr))
3355 return -1;
3356 } else {
3357 size_t bulk = 0;
5158c763 3358#if defined(AES_GCM_ASM2)
0f113f3e
MC		 3359 if (len >= 16 && AES_GCM_ASM2(gctx)) {
3360 size_t res = (16 - gctx->gcm.mres) % 16;
3361
3362 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
3363 return -1;
3364
3365 bulk = AES_gcm_decrypt(in + res,
3366 out + res, len - res,
3367 gctx->gcm.key,
3368 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3369 gctx->gcm.len.u[1] += bulk;
3370 bulk += res;
3371 }
5158c763 3372#endif
0f113f3e
MC		 3373 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
3374 in + bulk, out + bulk, len - bulk))
3375 return -1;
3376 }
3377 }
3378 return len;
3379 } else {
c5307d9c 3380 if (!ctx->encrypt) {
0f113f3e
MC		 3381 if (gctx->taglen < 0)
3382 return -1;
c5307d9c 3383 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0)
0f113f3e
MC		 3384 return -1;
3385 gctx->iv_set = 0;
3386 return 0;
3387 }
c5307d9c 3388 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
0f113f3e
MC		 3389 gctx->taglen = 16;
3390 /* Don't reuse the IV */
3391 gctx->iv_set = 0;
3392 return 0;
3393 }
3394
3395}
3396
5158c763 3397#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
0f113f3e
MC		 3398 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3399 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3400 | EVP_CIPH_CUSTOM_COPY)
3401
3402BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
3403 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3404 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
3405 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3406 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
3407 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
32a2d8dd
DSH		 3408
3409static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 3410{
6435f0f6 3411 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,c);
0f113f3e
MC		 3412 if (type == EVP_CTRL_COPY) {
3413 EVP_CIPHER_CTX *out = ptr;
6435f0f6 3414 EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
0f113f3e
MC		 3415 if (xctx->xts.key1) {
3416 if (xctx->xts.key1 != &xctx->ks1)
3417 return 0;
3418 xctx_out->xts.key1 = &xctx_out->ks1;
3419 }
3420 if (xctx->xts.key2) {
3421 if (xctx->xts.key2 != &xctx->ks2)
3422 return 0;
3423 xctx_out->xts.key2 = &xctx_out->ks2;
3424 }
3425 return 1;
3426 } else if (type != EVP_CTRL_INIT)
3427 return -1;
3428 /* key1 and key2 are used as an indicator both key and IV are set */
3429 xctx->xts.key1 = NULL;
3430 xctx->xts.key2 = NULL;
3431 return 1;
3432}
32a2d8dd
DSH		 3433
3434static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3435 const unsigned char *iv, int enc)
3436{
6435f0f6 3437 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
0f113f3e
MC		 3438 if (!iv && !key)
3439 return 1;
3440
3538b0f7 3441 if (key) {
0f113f3e 3442 do {
3538b0f7
P		 3443 /* The key is two half length keys in reality */
3444 const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
3445 const int bits = bytes * 8;
3446
3447 /*
3448 * Verify that the two keys are different.
3449 *
3450 * This addresses the vulnerability described in Rogaway's
3451 * September 2004 paper:
3452 *
3453 * "Efficient Instantiations of Tweakable Blockciphers and
3454 * Refinements to Modes OCB and PMAC".
3455 * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
3456 *
3457 * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
3458 * that:
3459 * "The check for Key_1 != Key_2 shall be done at any place
3460 * BEFORE using the keys in the XTS-AES algorithm to process
3461 * data with them."
3462 */
3463 if (memcmp(key, key + bytes, bytes) == 0) {
3464 EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
3465 return 0;
3466 }
3467
5158c763 3468#ifdef AES_XTS_ASM
0f113f3e 3469 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
5158c763 3470#else
0f113f3e 3471 xctx->stream = NULL;
5158c763 3472#endif
0f113f3e 3473 /* key_len is two AES keys */
5158c763 3474#ifdef HWAES_CAPABLE
0f113f3e
MC		 3475 if (HWAES_CAPABLE) {
3476 if (enc) {
3538b0f7 3477 HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e 3478 xctx->xts.block1 = (block128_f) HWAES_encrypt;
46f047d7
AP		 3479# ifdef HWAES_xts_encrypt
3480 xctx->stream = HWAES_xts_encrypt;
3481# endif
0f113f3e 3482 } else {
3538b0f7 3483 HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e 3484 xctx->xts.block1 = (block128_f) HWAES_decrypt;
46f047d7
AP		 3485# ifdef HWAES_xts_decrypt
3486 xctx->stream = HWAES_xts_decrypt;
3487#endif
0f113f3e
MC		 3488 }
3489
3538b0f7 3490 HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
0f113f3e
MC		 3491 xctx->xts.block2 = (block128_f) HWAES_encrypt;
3492
3493 xctx->xts.key1 = &xctx->ks1;
3494 break;
3495 } else
5158c763
MC		 3496#endif
3497#ifdef BSAES_CAPABLE
0f113f3e
MC		 3498 if (BSAES_CAPABLE)
3499 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
3500 else
5158c763
MC		 3501#endif
3502#ifdef VPAES_CAPABLE
0f113f3e
MC		 3503 if (VPAES_CAPABLE) {
3504 if (enc) {
3538b0f7 3505 vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 3506 xctx->xts.block1 = (block128_f) vpaes_encrypt;
3507 } else {
3538b0f7 3508 vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 3509 xctx->xts.block1 = (block128_f) vpaes_decrypt;
3510 }
3511
3538b0f7 3512 vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
0f113f3e
MC		 3513 xctx->xts.block2 = (block128_f) vpaes_encrypt;
3514
3515 xctx->xts.key1 = &xctx->ks1;
3516 break;
3517 } else
5158c763 3518#endif
0f113f3e
MC		 3519 (void)0; /* terminate potentially open 'else' */
3520
3521 if (enc) {
3538b0f7 3522 AES_set_encrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 3523 xctx->xts.block1 = (block128_f) AES_encrypt;
3524 } else {
3538b0f7 3525 AES_set_decrypt_key(key, bits, &xctx->ks1.ks);
0f113f3e
MC		 3526 xctx->xts.block1 = (block128_f) AES_decrypt;
3527 }
3528
3538b0f7 3529 AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
0f113f3e
MC		 3530 xctx->xts.block2 = (block128_f) AES_encrypt;
3531
3532 xctx->xts.key1 = &xctx->ks1;
3533 } while (0);
3538b0f7 3534 }
0f113f3e
MC		 3535
3536 if (iv) {
3537 xctx->xts.key2 = &xctx->ks2;
6435f0f6 3538 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
0f113f3e
MC		 3539 }
3540
3541 return 1;
3542}
32a2d8dd 3543
17f121de 3544static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3545 const unsigned char *in, size_t len)
3546{
6435f0f6 3547 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
95eda4f0
P		 3548
3549 if (xctx->xts.key1 == NULL
3550 || xctx->xts.key2 == NULL
3551 || out == NULL
3552 || in == NULL
3553 || len < AES_BLOCK_SIZE)
0f113f3e 3554 return 0;
95eda4f0 3555
5516c19b
P		 3556 /*
3557 * Impose a limit of 2^20 blocks per data unit as specifed by
3558 * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007
3559 * indicated that this was a SHOULD NOT rather than a MUST NOT.
3560 * NIST SP 800-38E mandates the same limit.
3561 */
3562 if (len > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
3563 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE);
3564 return 0;
3565 }
3566
0f113f3e
MC		 3567 if (xctx->stream)
3568 (*xctx->stream) (in, out, len,
6435f0f6
RL		 3569 xctx->xts.key1, xctx->xts.key2,
3570 EVP_CIPHER_CTX_iv_noconst(ctx));
3571 else if (CRYPTO_xts128_encrypt(&xctx->xts, EVP_CIPHER_CTX_iv_noconst(ctx),
3572 in, out, len,
3573 EVP_CIPHER_CTX_encrypting(ctx)))
0f113f3e
MC		 3574 return 0;
3575 return 1;
3576}
3577
5158c763 3578#define aes_xts_cleanup NULL
0f113f3e 3579
5158c763 3580#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
0f113f3e
MC		 3581 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3582 | EVP_CIPH_CUSTOM_COPY)
3583
3584BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
3585 BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
23916810
DSH		 3586
3587static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 3588{
6435f0f6 3589 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c);
0f113f3e
MC		 3590 switch (type) {
3591 case EVP_CTRL_INIT:
3592 cctx->key_set = 0;
3593 cctx->iv_set = 0;
3594 cctx->L = 8;
3595 cctx->M = 12;
3596 cctx->tag_set = 0;
3597 cctx->len_set = 0;
e75c5a79
DSH		 3598 cctx->tls_aad_len = -1;
3599 return 1;
3600
3601 case EVP_CTRL_AEAD_TLS1_AAD:
3602 /* Save the AAD for later use */
3603 if (arg != EVP_AEAD_TLS1_AAD_LEN)
3604 return 0;
6435f0f6 3605 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
e75c5a79
DSH		 3606 cctx->tls_aad_len = arg;
3607 {
6435f0f6
RL		 3608 uint16_t len =
3609 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
3610 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
e75c5a79 3611 /* Correct length for explicit IV */
2198b3a5
AP		 3612 if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
3613 return 0;
e75c5a79
DSH		 3614 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
3615 /* If decrypting correct for tag too */
2198b3a5
AP		 3616 if (!EVP_CIPHER_CTX_encrypting(c)) {
3617 if (len < cctx->M)
3618 return 0;
e75c5a79 3619 len -= cctx->M;
2198b3a5 3620 }
6435f0f6
RL		 3621 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
3622 EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
e75c5a79
DSH		 3623 }
3624 /* Extra padding: tag appended to record */
3625 return cctx->M;
3626
3627 case EVP_CTRL_CCM_SET_IV_FIXED:
3628 /* Sanity check length */
3629 if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
3630 return 0;
3631 /* Just copy to first part of IV */
6435f0f6 3632 memcpy(EVP_CIPHER_CTX_iv_noconst(c), ptr, arg);
0f113f3e
MC		 3633 return 1;
3634
e640fa02 3635 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e 3636 arg = 15 - arg;
018fcbec 3637 /* fall thru */
0f113f3e
MC		 3638 case EVP_CTRL_CCM_SET_L:
3639 if (arg < 2 || arg > 8)
3640 return 0;
3641 cctx->L = arg;
3642 return 1;
3643
e640fa02 3644 case EVP_CTRL_AEAD_SET_TAG:
0f113f3e
MC		 3645 if ((arg & 1) || arg < 4 || arg > 16)
3646 return 0;
6435f0f6 3647 if (EVP_CIPHER_CTX_encrypting(c) && ptr)
0f113f3e
MC		 3648 return 0;
3649 if (ptr) {
3650 cctx->tag_set = 1;
6435f0f6 3651 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
0f113f3e
MC		 3652 }
3653 cctx->M = arg;
3654 return 1;
3655
e640fa02 3656 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6 3657 if (!EVP_CIPHER_CTX_encrypting(c) || !cctx->tag_set)
0f113f3e
MC		 3658 return 0;
3659 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
3660 return 0;
3661 cctx->tag_set = 0;
3662 cctx->iv_set = 0;
3663 cctx->len_set = 0;
3664 return 1;
3665
3666 case EVP_CTRL_COPY:
3667 {
3668 EVP_CIPHER_CTX *out = ptr;
6435f0f6 3669 EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out);
0f113f3e
MC		 3670 if (cctx->ccm.key) {
3671 if (cctx->ccm.key != &cctx->ks)
3672 return 0;
3673 cctx_out->ccm.key = &cctx_out->ks;
3674 }
3675 return 1;
3676 }
3677
3678 default:
3679 return -1;
3680
3681 }
3682}
23916810
DSH		 3683
3684static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3685 const unsigned char *iv, int enc)
3686{
6435f0f6 3687 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 3688 if (!iv && !key)
3689 return 1;
3690 if (key)
3691 do {
5158c763 3692#ifdef HWAES_CAPABLE
0f113f3e 3693 if (HWAES_CAPABLE) {
6435f0f6
RL		 3694 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3695 &cctx->ks.ks);
0f113f3e
MC		 3696
3697 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3698 &cctx->ks, (block128_f) HWAES_encrypt);
3699 cctx->str = NULL;
3700 cctx->key_set = 1;
3701 break;
3702 } else
5158c763
MC		 3703#endif
3704#ifdef VPAES_CAPABLE
0f113f3e 3705 if (VPAES_CAPABLE) {
6435f0f6
RL		 3706 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3707 &cctx->ks.ks);
0f113f3e
MC		 3708 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3709 &cctx->ks, (block128_f) vpaes_encrypt);
3710 cctx->str = NULL;
3711 cctx->key_set = 1;
3712 break;
3713 }
5158c763 3714#endif
6435f0f6
RL		 3715 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3716 &cctx->ks.ks);
0f113f3e
MC		 3717 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3718 &cctx->ks, (block128_f) AES_encrypt);
3719 cctx->str = NULL;
3720 cctx->key_set = 1;
3721 } while (0);
3722 if (iv) {
6435f0f6 3723 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
0f113f3e
MC		 3724 cctx->iv_set = 1;
3725 }
3726 return 1;
3727}
23916810 3728
e75c5a79
DSH		 3729static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
3730 const unsigned char *in, size_t len)
3731{
6435f0f6 3732 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
e75c5a79
DSH		 3733 CCM128_CONTEXT *ccm = &cctx->ccm;
3734 /* Encrypt/decrypt must be performed in place */
3735 if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
3736 return -1;
3737 /* If encrypting set explicit IV from sequence number (start of AAD) */
6435f0f6
RL		 3738 if (EVP_CIPHER_CTX_encrypting(ctx))
3739 memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx),
3740 EVP_CCM_TLS_EXPLICIT_IV_LEN);
e75c5a79 3741 /* Get rest of IV from explicit IV */
6435f0f6
RL		 3742 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx) + EVP_CCM_TLS_FIXED_IV_LEN, in,
3743 EVP_CCM_TLS_EXPLICIT_IV_LEN);
e75c5a79
DSH		 3744 /* Correct length value */
3745 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
6435f0f6
RL		 3746 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), 15 - cctx->L,
3747 len))
e75c5a79
DSH		 3748 return -1;
3749 /* Use saved AAD */
6435f0f6 3750 CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx), cctx->tls_aad_len);
e75c5a79
DSH		 3751 /* Fix buffer to point to payload */
3752 in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
3753 out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
6435f0f6 3754 if (EVP_CIPHER_CTX_encrypting(ctx)) {
e75c5a79
DSH		 3755 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
3756 cctx->str) :
3757 CRYPTO_ccm128_encrypt(ccm, in, out, len))
3758 return -1;
3759 if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
3760 return -1;
3761 return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
3762 } else {
3763 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
3764 cctx->str) :
3765 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
3766 unsigned char tag[16];
3767 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
3768 if (!CRYPTO_memcmp(tag, in + len, cctx->M))
3769 return len;
3770 }
3771 }
3772 OPENSSL_cleanse(out, len);
3773 return -1;
3774 }
3775}
3776
17f121de 3777static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3778 const unsigned char *in, size_t len)
3779{
6435f0f6 3780 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
0f113f3e
MC		 3781 CCM128_CONTEXT *ccm = &cctx->ccm;
3782 /* If not set up, return error */
e75c5a79
DSH		 3783 if (!cctx->key_set)
3784 return -1;
3785
3786 if (cctx->tls_aad_len >= 0)
3787 return aes_ccm_tls_cipher(ctx, out, in, len);
3788
197421b1
DSH		 3789 /* EVP_*Final() doesn't return any data */
3790 if (in == NULL && out != NULL)
3791 return 0;
3792
e75c5a79 3793 if (!cctx->iv_set)
0f113f3e 3794 return -1;
e75c5a79 3795
0f113f3e
MC		 3796 if (!out) {
3797 if (!in) {
6435f0f6
RL		 3798 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
3799 15 - cctx->L, len))
0f113f3e
MC		 3800 return -1;
3801 cctx->len_set = 1;
3802 return len;
3803 }
3804 /* If have AAD need message length */
3805 if (!cctx->len_set && len)
3806 return -1;
3807 CRYPTO_ccm128_aad(ccm, in, len);
3808 return len;
3809 }
67c81ec3
TN		 3810
3811 /* The tag must be set before actually decrypting data */
3812 if (!EVP_CIPHER_CTX_encrypting(ctx) && !cctx->tag_set)
3813 return -1;
3814
0f113f3e
MC		 3815 /* If not set length yet do it */
3816 if (!cctx->len_set) {
6435f0f6
RL		 3817 if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
3818 15 - cctx->L, len))
0f113f3e
MC		 3819 return -1;
3820 cctx->len_set = 1;
3821 }
6435f0f6 3822 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 3823 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
3824 cctx->str) :
3825 CRYPTO_ccm128_encrypt(ccm, in, out, len))
3826 return -1;
3827 cctx->tag_set = 1;
3828 return len;
3829 } else {
3830 int rv = -1;
3831 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
3832 cctx->str) :
3833 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
3834 unsigned char tag[16];
3835 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
6435f0f6
RL		 3836 if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx),
3837 cctx->M))
0f113f3e
MC		 3838 rv = len;
3839 }
3840 }
3841 if (rv == -1)
3842 OPENSSL_cleanse(out, len);
3843 cctx->iv_set = 0;
3844 cctx->tag_set = 0;
3845 cctx->len_set = 0;
3846 return rv;
3847 }
0f113f3e
MC		 3848}
3849
5158c763 3850#define aes_ccm_cleanup NULL
0f113f3e 3851
e75c5a79
DSH		 3852BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
3853 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3854 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
3855 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3856 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
3857 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
0f113f3e
MC		 3858
3859typedef struct {
3860 union {
39147079 3861 OSSL_UNION_ALIGN;
0f113f3e
MC		 3862 AES_KEY ks;
3863 } ks;
3864 /* Indicates if IV has been set */
3865 unsigned char *iv;
3866} EVP_AES_WRAP_CTX;
97cf1f6c
DSH		 3867
3868static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 3869 const unsigned char *iv, int enc)
3870{
6435f0f6 3871 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
0f113f3e
MC		 3872 if (!iv && !key)
3873 return 1;
3874 if (key) {
6435f0f6
RL		 3875 if (EVP_CIPHER_CTX_encrypting(ctx))
3876 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3877 &wctx->ks.ks);
0f113f3e 3878 else
6435f0f6
RL		 3879 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
3880 &wctx->ks.ks);
0f113f3e
MC		 3881 if (!iv)
3882 wctx->iv = NULL;
3883 }
3884 if (iv) {
6435f0f6
RL		 3885 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, EVP_CIPHER_CTX_iv_length(ctx));
3886 wctx->iv = EVP_CIPHER_CTX_iv_noconst(ctx);
0f113f3e
MC		 3887 }
3888 return 1;
3889}
97cf1f6c
DSH		 3890
3891static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 3892 const unsigned char *in, size_t inlen)
3893{
6435f0f6 3894 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
0f113f3e
MC		 3895 size_t rv;
3896 /* AES wrap with padding has IV length of 4, without padding 8 */
3897 int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
3898 /* No final operation so always return zero length */
3899 if (!in)
3900 return 0;
3901 /* Input length must always be non-zero */
3902 if (!inlen)
3903 return -1;
3904 /* If decrypting need at least 16 bytes and multiple of 8 */
6435f0f6 3905 if (!EVP_CIPHER_CTX_encrypting(ctx) && (inlen < 16 || inlen & 0x7))
0f113f3e
MC		 3906 return -1;
3907 /* If not padding input must be multiple of 8 */
3908 if (!pad && inlen & 0x7)
3909 return -1;
7141ba31
MC		 3910 if (is_partially_overlapping(out, in, inlen)) {
3911 EVPerr(EVP_F_AES_WRAP_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
3912 return 0;
3913 }
0f113f3e 3914 if (!out) {
6435f0f6 3915 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 3916 /* If padding round up to multiple of 8 */
3917 if (pad)
3918 inlen = (inlen + 7) / 8 * 8;
3919 /* 8 byte prefix */
3920 return inlen + 8;
3921 } else {
3922 /*
3923 * If not padding output will be exactly 8 bytes smaller than
3924 * input. If padding it will be at least 8 bytes smaller but we
3925 * don't know how much.
3926 */
3927 return inlen - 8;
3928 }
3929 }
3930 if (pad) {
6435f0f6 3931 if (EVP_CIPHER_CTX_encrypting(ctx))
0f113f3e
MC		 3932 rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
3933 out, in, inlen,
3934 (block128_f) AES_encrypt);
3935 else
3936 rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
3937 out, in, inlen,
3938 (block128_f) AES_decrypt);
3939 } else {
6435f0f6 3940 if (EVP_CIPHER_CTX_encrypting(ctx))
0f113f3e
MC		 3941 rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
3942 out, in, inlen, (block128_f) AES_encrypt);
3943 else
3944 rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
3945 out, in, inlen, (block128_f) AES_decrypt);
3946 }
3947 return rv ? (int)rv : -1;
3948}
3949
5158c763 3950#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
0f113f3e
MC		 3951 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3952 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
97cf1f6c
DSH		 3953
3954static const EVP_CIPHER aes_128_wrap = {
0f113f3e
MC		 3955 NID_id_aes128_wrap,
3956 8, 16, 8, WRAP_FLAGS,
3957 aes_wrap_init_key, aes_wrap_cipher,
3958 NULL,
3959 sizeof(EVP_AES_WRAP_CTX),
3960 NULL, NULL, NULL, NULL
3961};
97cf1f6c
DSH		 3962
3963const EVP_CIPHER *EVP_aes_128_wrap(void)
0f113f3e
MC		 3964{
3965 return &aes_128_wrap;
3966}
97cf1f6c
DSH		 3967
3968static const EVP_CIPHER aes_192_wrap = {
0f113f3e
MC		 3969 NID_id_aes192_wrap,
3970 8, 24, 8, WRAP_FLAGS,
3971 aes_wrap_init_key, aes_wrap_cipher,
3972 NULL,
3973 sizeof(EVP_AES_WRAP_CTX),
3974 NULL, NULL, NULL, NULL
3975};
97cf1f6c
DSH		 3976
3977const EVP_CIPHER *EVP_aes_192_wrap(void)
0f113f3e
MC		 3978{
3979 return &aes_192_wrap;
3980}
97cf1f6c
DSH		 3981
3982static const EVP_CIPHER aes_256_wrap = {
0f113f3e
MC		 3983 NID_id_aes256_wrap,
3984 8, 32, 8, WRAP_FLAGS,
3985 aes_wrap_init_key, aes_wrap_cipher,
3986 NULL,
3987 sizeof(EVP_AES_WRAP_CTX),
3988 NULL, NULL, NULL, NULL
3989};
97cf1f6c
DSH		 3990
3991const EVP_CIPHER *EVP_aes_256_wrap(void)
0f113f3e
MC		 3992{
3993 return &aes_256_wrap;
3994}
97cf1f6c 3995
d31fed73 3996static const EVP_CIPHER aes_128_wrap_pad = {
0f113f3e
MC		 3997 NID_id_aes128_wrap_pad,
3998 8, 16, 4, WRAP_FLAGS,
3999 aes_wrap_init_key, aes_wrap_cipher,
4000 NULL,
4001 sizeof(EVP_AES_WRAP_CTX),
4002 NULL, NULL, NULL, NULL
4003};
d31fed73
DSH		 4004
4005const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
0f113f3e
MC		 4006{
4007 return &aes_128_wrap_pad;
4008}
d31fed73
DSH		 4009
4010static const EVP_CIPHER aes_192_wrap_pad = {
0f113f3e
MC		 4011 NID_id_aes192_wrap_pad,
4012 8, 24, 4, WRAP_FLAGS,
4013 aes_wrap_init_key, aes_wrap_cipher,
4014 NULL,
4015 sizeof(EVP_AES_WRAP_CTX),
4016 NULL, NULL, NULL, NULL
4017};
d31fed73
DSH		 4018
4019const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
0f113f3e
MC		 4020{
4021 return &aes_192_wrap_pad;
4022}
d31fed73
DSH		 4023
4024static const EVP_CIPHER aes_256_wrap_pad = {
0f113f3e
MC		 4025 NID_id_aes256_wrap_pad,
4026 8, 32, 4, WRAP_FLAGS,
4027 aes_wrap_init_key, aes_wrap_cipher,
4028 NULL,
4029 sizeof(EVP_AES_WRAP_CTX),
4030 NULL, NULL, NULL, NULL
4031};
d31fed73
DSH		 4032
4033const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
0f113f3e
MC		 4034{
4035 return &aes_256_wrap_pad;
4036}
d31fed73 4037
5158c763 4038#ifndef OPENSSL_NO_OCB
e6b336ef 4039static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
0f113f3e 4040{
6435f0f6 4041 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
0f113f3e
MC		 4042 EVP_CIPHER_CTX *newc;
4043 EVP_AES_OCB_CTX *new_octx;
4044
4045 switch (type) {
4046 case EVP_CTRL_INIT:
4047 octx->key_set = 0;
4048 octx->iv_set = 0;
6435f0f6
RL		 4049 octx->ivlen = EVP_CIPHER_CTX_iv_length(c);
4050 octx->iv = EVP_CIPHER_CTX_iv_noconst(c);
0f113f3e
MC		 4051 octx->taglen = 16;
4052 octx->data_buf_len = 0;
4053 octx->aad_buf_len = 0;
4054 return 1;
4055
e640fa02 4056 case EVP_CTRL_AEAD_SET_IVLEN:
0f113f3e
MC		 4057 /* IV len must be 1 to 15 */
4058 if (arg <= 0 || arg > 15)
4059 return 0;
4060
4061 octx->ivlen = arg;
4062 return 1;
4063
e640fa02 4064 case EVP_CTRL_AEAD_SET_TAG:
d57d135c
MC		 4065 if (!ptr) {
4066 /* Tag len must be 0 to 16 */
4067 if (arg < 0 || arg > 16)
4068 return 0;
4069
4070 octx->taglen = arg;
4071 return 1;
4072 }
6435f0f6 4073 if (arg != octx->taglen || EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 4074 return 0;
4075 memcpy(octx->tag, ptr, arg);
4076 return 1;
4077
e640fa02 4078 case EVP_CTRL_AEAD_GET_TAG:
6435f0f6 4079 if (arg != octx->taglen || !EVP_CIPHER_CTX_encrypting(c))
0f113f3e
MC		 4080 return 0;
4081
4082 memcpy(ptr, octx->tag, arg);
4083 return 1;
4084
4085 case EVP_CTRL_COPY:
4086 newc = (EVP_CIPHER_CTX *)ptr;
6435f0f6 4087 new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc);
0f113f3e 4088 return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb,
bdc985b1
AP		 4089 &new_octx->ksenc.ks,
4090 &new_octx->ksdec.ks);
0f113f3e
MC		 4091
4092 default:
4093 return -1;
4094
4095 }
4096}
e6b336ef 4097
5158c763
MC		 4098# ifdef HWAES_CAPABLE
4099# ifdef HWAES_ocb_encrypt
02dc0b82
AP		 4100void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out,
4101 size_t blocks, const void *key,
4102 size_t start_block_num,
4103 unsigned char offset_i[16],
4104 const unsigned char L_[][16],
4105 unsigned char checksum[16]);
5158c763 4106# else
365f95ad 4107# define HWAES_ocb_encrypt ((ocb128_f)NULL)
5158c763
MC		 4108# endif
4109# ifdef HWAES_ocb_decrypt
02dc0b82
AP		 4110void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out,
4111 size_t blocks, const void *key,
4112 size_t start_block_num,
4113 unsigned char offset_i[16],
4114 const unsigned char L_[][16],
4115 unsigned char checksum[16]);
5158c763 4116# else
365f95ad 4117# define HWAES_ocb_decrypt ((ocb128_f)NULL)
02dc0b82 4118# endif
5158c763 4119# endif
02dc0b82 4120
e6b336ef 4121static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
0f113f3e
MC		 4122 const unsigned char *iv, int enc)
4123{
6435f0f6 4124 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 4125 if (!iv && !key)
4126 return 1;
4127 if (key) {
4128 do {
4129 /*
4130 * We set both the encrypt and decrypt key here because decrypt
4131 * needs both. We could possibly optimise to remove setting the
4132 * decrypt for an encryption operation.
4133 */
5158c763 4134# ifdef HWAES_CAPABLE
02dc0b82 4135 if (HWAES_CAPABLE) {
6435f0f6
RL		 4136 HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4137 &octx->ksenc.ks);
4138 HWAES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4139 &octx->ksdec.ks);
02dc0b82
AP		 4140 if (!CRYPTO_ocb128_init(&octx->ocb,
4141 &octx->ksenc.ks, &octx->ksdec.ks,
4142 (block128_f) HWAES_encrypt,
4143 (block128_f) HWAES_decrypt,
4144 enc ? HWAES_ocb_encrypt
4145 : HWAES_ocb_decrypt))
4146 return 0;
4147 break;
4148 }
5158c763
MC		 4149# endif
4150# ifdef VPAES_CAPABLE
0f113f3e 4151 if (VPAES_CAPABLE) {
6435f0f6
RL		 4152 vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4153 &octx->ksenc.ks);
4154 vpaes_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4155 &octx->ksdec.ks);
bdc985b1
AP		 4156 if (!CRYPTO_ocb128_init(&octx->ocb,
4157 &octx->ksenc.ks, &octx->ksdec.ks,
4158 (block128_f) vpaes_encrypt,
bd30091c
AP		 4159 (block128_f) vpaes_decrypt,
4160 NULL))
0f113f3e
MC		 4161 return 0;
4162 break;
4163 }
5158c763 4164# endif
6435f0f6
RL		 4165 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4166 &octx->ksenc.ks);
4167 AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
4168 &octx->ksdec.ks);
bdc985b1
AP		 4169 if (!CRYPTO_ocb128_init(&octx->ocb,
4170 &octx->ksenc.ks, &octx->ksdec.ks,
0f113f3e 4171 (block128_f) AES_encrypt,
bd30091c
AP		 4172 (block128_f) AES_decrypt,
4173 NULL))
0f113f3e
MC		 4174 return 0;
4175 }
4176 while (0);
4177
4178 /*
4179 * If we have an iv we can set it directly, otherwise use saved IV.
4180 */
4181 if (iv == NULL && octx->iv_set)
4182 iv = octx->iv;
4183 if (iv) {
4184 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
4185 != 1)
4186 return 0;
4187 octx->iv_set = 1;
4188 }
4189 octx->key_set = 1;
4190 } else {
4191 /* If key set use IV, otherwise copy */
4192 if (octx->key_set)
4193 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
4194 else
4195 memcpy(octx->iv, iv, octx->ivlen);
4196 octx->iv_set = 1;
4197 }
4198 return 1;
4199}
e6b336ef
MC		 4200
4201static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
0f113f3e
MC		 4202 const unsigned char *in, size_t len)
4203{
4204 unsigned char *buf;
4205 int *buf_len;
4206 int written_len = 0;
4207 size_t trailing_len;
6435f0f6 4208 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
0f113f3e
MC		 4209
4210 /* If IV or Key not set then return error */
4211 if (!octx->iv_set)
4212 return -1;
4213
4214 if (!octx->key_set)
4215 return -1;
4216
0ba5a9ea 4217 if (in != NULL) {
0f113f3e
MC		 4218 /*
4219 * Need to ensure we are only passing full blocks to low level OCB
4220 * routines. We do it here rather than in EVP_EncryptUpdate/
4221 * EVP_DecryptUpdate because we need to pass full blocks of AAD too
4222 * and those routines don't support that
4223 */
4224
4225 /* Are we dealing with AAD or normal data here? */
4226 if (out == NULL) {
4227 buf = octx->aad_buf;
4228 buf_len = &(octx->aad_buf_len);
4229 } else {
4230 buf = octx->data_buf;
4231 buf_len = &(octx->data_buf_len);
7141ba31
MC		 4232
4233 if (is_partially_overlapping(out + *buf_len, in, len)) {
4234 EVPerr(EVP_F_AES_OCB_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
4235 return 0;
4236 }
0f113f3e
MC		 4237 }
4238
4239 /*
4240 * If we've got a partially filled buffer from a previous call then
4241 * use that data first
4242 */
0ba5a9ea 4243 if (*buf_len > 0) {
0f113f3e
MC		 4244 unsigned int remaining;
4245
0ba5a9ea 4246 remaining = AES_BLOCK_SIZE - (*buf_len);
0f113f3e
MC		 4247 if (remaining > len) {
4248 memcpy(buf + (*buf_len), in, len);
4249 *(buf_len) += len;
4250 return 0;
4251 }
4252 memcpy(buf + (*buf_len), in, remaining);
4253
4254 /*
4255 * If we get here we've filled the buffer, so process it
4256 */
4257 len -= remaining;
4258 in += remaining;
4259 if (out == NULL) {
0ba5a9ea 4260 if (!CRYPTO_ocb128_aad(&octx->ocb, buf, AES_BLOCK_SIZE))
0f113f3e 4261 return -1;
6435f0f6 4262 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0ba5a9ea
MC		 4263 if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out,
4264 AES_BLOCK_SIZE))
0f113f3e
MC		 4265 return -1;
4266 } else {
0ba5a9ea
MC		 4267 if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out,
4268 AES_BLOCK_SIZE))
0f113f3e
MC		 4269 return -1;
4270 }
0ba5a9ea 4271 written_len = AES_BLOCK_SIZE;
0f113f3e 4272 *buf_len = 0;
7c12c7b6
MC		 4273 if (out != NULL)
4274 out += AES_BLOCK_SIZE;
0f113f3e
MC		 4275 }
4276
4277 /* Do we have a partial block to handle at the end? */
0ba5a9ea 4278 trailing_len = len % AES_BLOCK_SIZE;
0f113f3e
MC		 4279
4280 /*
4281 * If we've got some full blocks to handle, then process these first
4282 */
4283 if (len != trailing_len) {
4284 if (out == NULL) {
4285 if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len))
4286 return -1;
6435f0f6 4287 } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 4288 if (!CRYPTO_ocb128_encrypt
4289 (&octx->ocb, in, out, len - trailing_len))
4290 return -1;
4291 } else {
4292 if (!CRYPTO_ocb128_decrypt
4293 (&octx->ocb, in, out, len - trailing_len))
4294 return -1;
4295 }
4296 written_len += len - trailing_len;
4297 in += len - trailing_len;
4298 }
4299
4300 /* Handle any trailing partial block */
0ba5a9ea 4301 if (trailing_len > 0) {
0f113f3e
MC		 4302 memcpy(buf, in, trailing_len);
4303 *buf_len = trailing_len;
4304 }
4305
4306 return written_len;
4307 } else {
4308 /*
4309 * First of all empty the buffer of any partial block that we might
4310 * have been provided - both for data and AAD
4311 */
0ba5a9ea 4312 if (octx->data_buf_len > 0) {
6435f0f6 4313 if (EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 4314 if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out,
4315 octx->data_buf_len))
4316 return -1;
4317 } else {
4318 if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out,
4319 octx->data_buf_len))
4320 return -1;
4321 }
4322 written_len = octx->data_buf_len;
4323 octx->data_buf_len = 0;
4324 }
0ba5a9ea 4325 if (octx->aad_buf_len > 0) {
0f113f3e
MC		 4326 if (!CRYPTO_ocb128_aad
4327 (&octx->ocb, octx->aad_buf, octx->aad_buf_len))
4328 return -1;
4329 octx->aad_buf_len = 0;
4330 }
4331 /* If decrypting then verify */
6435f0f6 4332 if (!EVP_CIPHER_CTX_encrypting(ctx)) {
0f113f3e
MC		 4333 if (octx->taglen < 0)
4334 return -1;
4335 if (CRYPTO_ocb128_finish(&octx->ocb,
4336 octx->tag, octx->taglen) != 0)
4337 return -1;
4338 octx->iv_set = 0;
4339 return written_len;
4340 }
4341 /* If encrypting then just get the tag */
4342 if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1)
4343 return -1;
4344 /* Don't reuse the IV */
4345 octx->iv_set = 0;
4346 return written_len;
4347 }
4348}
e6b336ef
MC		 4349
4350static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
0f113f3e 4351{
6435f0f6 4352 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
0f113f3e
MC		 4353 CRYPTO_ocb128_cleanup(&octx->ocb);
4354 return 1;
4355}
e6b336ef 4356
c4aede20
MC		 4357BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
4358 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
4359BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
4360 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
4361BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
4362 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
5158c763 4363#endif /* OPENSSL_NO_OCB */
b1ceb439
TS		 4364
4365/* AES-SIV mode */
4366#ifndef OPENSSL_NO_SIV
4367
4368typedef SIV128_CONTEXT EVP_AES_SIV_CTX;
4369
4370#define aesni_siv_init_key aes_siv_init_key
4371static int aes_siv_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
4372 const unsigned char *iv, int enc)
4373{
4374 const EVP_CIPHER *ctr;
4375 const EVP_CIPHER *cbc;
4376 SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, ctx);
4377 int klen = EVP_CIPHER_CTX_key_length(ctx) / 2;
4378
4379 if (key == NULL)
4380 return 1;
4381
4382 switch (klen) {
4383 case 16:
4384 cbc = EVP_aes_128_cbc();
4385 ctr = EVP_aes_128_ctr();
4386 break;
4387 case 24:
4388 cbc = EVP_aes_192_cbc();
4389 ctr = EVP_aes_192_ctr();
4390 break;
4391 case 32:
4392 cbc = EVP_aes_256_cbc();
4393 ctr = EVP_aes_256_ctr();
4394 break;
4395 default:
4396 return 0;
4397 }
4398
4399 /* klen is the length of the underlying cipher, not the input key,
4400 which should be twice as long */
4401 return CRYPTO_siv128_init(sctx, key, klen, cbc, ctr);
4402}
4403
4404#define aesni_siv_cipher aes_siv_cipher
4405static int aes_siv_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
4406 const unsigned char *in, size_t len)
4407{
4408 SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, ctx);
4409
4410 /* EncryptFinal or DecryptFinal */
4411 if (in == NULL)
4412 return CRYPTO_siv128_finish(sctx);
4413
4414 /* Deal with associated data */
4415 if (out == NULL)
4416 return CRYPTO_siv128_aad(sctx, in, len);
4417
4418 if (EVP_CIPHER_CTX_encrypting(ctx))
4419 return CRYPTO_siv128_encrypt(sctx, in, out, len);
4420
4421 return CRYPTO_siv128_decrypt(sctx, in, out, len);
4422}
4423
4424#define aesni_siv_cleanup aes_siv_cleanup
4425static int aes_siv_cleanup(EVP_CIPHER_CTX *c)
4426{
4427 SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, c);
4428
4429 return CRYPTO_siv128_cleanup(sctx);
4430}
4431
4432
4433#define aesni_siv_ctrl aes_siv_ctrl
4434static int aes_siv_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
4435{
4436 SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, c);
4437 SIV128_CONTEXT *sctx_out;
4438
4439 switch (type) {
4440 case EVP_CTRL_INIT:
4441 return CRYPTO_siv128_cleanup(sctx);
4442
4443 case EVP_CTRL_SET_SPEED:
4444 return CRYPTO_siv128_speed(sctx, arg);
4445
4446 case EVP_CTRL_AEAD_SET_TAG:
4447 if (!EVP_CIPHER_CTX_encrypting(c))
4448 return CRYPTO_siv128_set_tag(sctx, ptr, arg);
4449 return 1;
4450
4451 case EVP_CTRL_AEAD_GET_TAG:
4452 if (!EVP_CIPHER_CTX_encrypting(c))
4453 return 0;
4454 return CRYPTO_siv128_get_tag(sctx, ptr, arg);
4455
4456 case EVP_CTRL_COPY:
4457 sctx_out = EVP_C_DATA(SIV128_CONTEXT, (EVP_CIPHER_CTX*)ptr);
4458 return CRYPTO_siv128_copy_ctx(sctx_out, sctx);
4459
4460 default:
4461 return -1;
4462
4463 }
4464}
4465
4466#define SIV_FLAGS (EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1 \
4467 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
4468 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_COPY \
4469 | EVP_CIPH_CTRL_INIT)
4470
4471BLOCK_CIPHER_custom(NID_aes, 128, 1, 0, siv, SIV, SIV_FLAGS)
4472BLOCK_CIPHER_custom(NID_aes, 192, 1, 0, siv, SIV, SIV_FLAGS)
4473BLOCK_CIPHER_custom(NID_aes, 256, 1, 0, siv, SIV, SIV_FLAGS)
4474#endif
A mirror of the official openssl repository