]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/evp/e_aes.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Provisional AES XTS support.
[thirdparty/openssl.git] / crypto / evp / e_aes.c
1 /* ====================================================================
2 * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 *
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
14 * distribution.
15 *
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the OpenSSL Project
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20 *
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
24 * openssl-core@openssl.org.
25 *
26 * 5. Products derived from this software may not be called "OpenSSL"
27 * nor may "OpenSSL" appear in their names without prior written
28 * permission of the OpenSSL Project.
29 *
30 * 6. Redistributions of any form whatsoever must retain the following
31 * acknowledgment:
32 * "This product includes software developed by the OpenSSL Project
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34 *
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ====================================================================
48 *
49 */
50
51 #define OPENSSL_FIPSAPI
52
53 #include <openssl/opensslconf.h>
54 #ifndef OPENSSL_NO_AES
55 #include <openssl/evp.h>
56 #include <openssl/err.h>
57 #include <string.h>
58 #include <assert.h>
59 #include <openssl/aes.h>
60 #include "evp_locl.h"
61 #include "modes_lcl.h"
62 #include <openssl/rand.h>
63
64 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
65 const unsigned char *iv, int enc);
66
67 typedef struct
68 {
69 AES_KEY ks;
70 } EVP_AES_KEY;
71
72 #define data(ctx) EVP_C_DATA(EVP_AES_KEY,ctx)
73
74 IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
75 NID_aes_128, 16, 16, 16, 128,
76 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
77 aes_init_key, NULL, NULL, NULL, NULL)
78 IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
79 NID_aes_192, 16, 24, 16, 128,
80 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
81 aes_init_key, NULL, NULL, NULL, NULL)
82 IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
83 NID_aes_256, 16, 32, 16, 128,
84 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
85 aes_init_key, NULL, NULL, NULL, NULL)
86
87 #define IMPLEMENT_AES_CFBR(ksize,cbits) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,EVP_CIPH_FLAG_FIPS)
88
89 IMPLEMENT_AES_CFBR(128,1)
90 IMPLEMENT_AES_CFBR(192,1)
91 IMPLEMENT_AES_CFBR(256,1)
92
93 IMPLEMENT_AES_CFBR(128,8)
94 IMPLEMENT_AES_CFBR(192,8)
95 IMPLEMENT_AES_CFBR(256,8)
96
97 static int aes_counter (EVP_CIPHER_CTX *ctx, unsigned char *out,
98 const unsigned char *in, size_t len)
99 {
100 unsigned int num;
101 num = ctx->num;
102 #ifdef AES_CTR_ASM
103 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
104 size_t blocks, const AES_KEY *key,
105 const unsigned char ivec[AES_BLOCK_SIZE]);
106
107 CRYPTO_ctr128_encrypt_ctr32(in,out,len,
108 &((EVP_AES_KEY *)ctx->cipher_data)->ks,
109 ctx->iv,ctx->buf,&num,(ctr128_f)AES_ctr32_encrypt);
110 #else
111 CRYPTO_ctr128_encrypt(in,out,len,
112 &((EVP_AES_KEY *)ctx->cipher_data)->ks,
113 ctx->iv,ctx->buf,&num,(block128_f)AES_encrypt);
114 #endif
115 ctx->num = (size_t)num;
116 return 1;
117 }
118
119 static const EVP_CIPHER aes_128_ctr_cipher=
120 {
121 NID_aes_128_ctr,1,16,16,
122 EVP_CIPH_CTR_MODE|EVP_CIPH_FLAG_FIPS,
123 aes_init_key,
124 aes_counter,
125 NULL,
126 sizeof(EVP_AES_KEY),
127 NULL,
128 NULL,
129 NULL,
130 NULL
131 };
132
133 const EVP_CIPHER *EVP_aes_128_ctr (void)
134 { return &aes_128_ctr_cipher; }
135
136 static const EVP_CIPHER aes_192_ctr_cipher=
137 {
138 NID_aes_192_ctr,1,24,16,
139 EVP_CIPH_CTR_MODE|EVP_CIPH_FLAG_FIPS,
140 aes_init_key,
141 aes_counter,
142 NULL,
143 sizeof(EVP_AES_KEY),
144 NULL,
145 NULL,
146 NULL,
147 NULL
148 };
149
150 const EVP_CIPHER *EVP_aes_192_ctr (void)
151 { return &aes_192_ctr_cipher; }
152
153 static const EVP_CIPHER aes_256_ctr_cipher=
154 {
155 NID_aes_256_ctr,1,32,16,
156 EVP_CIPH_CTR_MODE|EVP_CIPH_FLAG_FIPS,
157 aes_init_key,
158 aes_counter,
159 NULL,
160 sizeof(EVP_AES_KEY),
161 NULL,
162 NULL,
163 NULL,
164 NULL
165 };
166
167 const EVP_CIPHER *EVP_aes_256_ctr (void)
168 { return &aes_256_ctr_cipher; }
169
170 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
171 const unsigned char *iv, int enc)
172 {
173 int ret;
174
175 if (((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_ECB_MODE
176 || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CBC_MODE)
177 && !enc)
178 ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
179 else
180 ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
181
182 if(ret < 0)
183 {
184 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
185 return 0;
186 }
187
188 return 1;
189 }
190
191 typedef struct
192 {
193 /* AES key schedule to use */
194 AES_KEY ks;
195 /* Set if key initialised */
196 int key_set;
197 /* Set if an iv is set */
198 int iv_set;
199 GCM128_CONTEXT gcm;
200 /* Temporary IV store */
201 unsigned char *iv;
202 /* IV length */
203 int ivlen;
204 /* Tag to verify */
205 unsigned char tag[16];
206 int taglen;
207 /* It is OK to generate IVs */
208 int iv_gen;
209 } EVP_AES_GCM_CTX;
210
211 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
212 {
213 EVP_AES_GCM_CTX *gctx = c->cipher_data;
214 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
215 if (gctx->iv != c->iv)
216 OPENSSL_free(gctx->iv);
217 return 1;
218 }
219
220 /* increment counter (64-bit int) by 1 */
221 static void ctr64_inc(unsigned char *counter) {
222 int n=8;
223 unsigned char c;
224
225 do {
226 --n;
227 c = counter[n];
228 ++c;
229 counter[n] = c;
230 if (c) return;
231 } while (n);
232 }
233
234 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
235 {
236 EVP_AES_GCM_CTX *gctx = c->cipher_data;
237 switch (type)
238 {
239 case EVP_CTRL_INIT:
240 gctx->key_set = 0;
241 gctx->iv_set = 0;
242 gctx->ivlen = c->cipher->iv_len;
243 gctx->iv = c->iv;
244 gctx->taglen = -1;
245 gctx->iv_gen = 0;
246 return 1;
247
248 case EVP_CTRL_GCM_SET_IVLEN:
249 if (arg <= 0)
250 return 0;
251 #ifdef OPENSSL_FIPS
252 if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
253 && arg < 12)
254 return 0;
255 #endif
256 /* Allocate memory for IV if needed */
257 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
258 {
259 if (gctx->iv != c->iv)
260 OPENSSL_free(gctx->iv);
261 gctx->iv = OPENSSL_malloc(arg);
262 if (!gctx->iv)
263 return 0;
264 }
265 gctx->ivlen = arg;
266 return 1;
267
268 case EVP_CTRL_GCM_SET_TAG:
269 if (arg <= 0 || arg > 16 || c->encrypt)
270 return 0;
271 memcpy(gctx->tag, ptr, arg);
272 gctx->taglen = arg;
273 return 1;
274
275 case EVP_CTRL_GCM_GET_TAG:
276 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
277 return 0;
278 memcpy(ptr, gctx->tag, arg);
279 return 1;
280
281 case EVP_CTRL_GCM_SET_IV_FIXED:
282 /* Special case: -1 length restores whole IV */
283 if (arg == -1)
284 {
285 memcpy(gctx->iv, ptr, gctx->ivlen);
286 gctx->iv_gen = 1;
287 return 1;
288 }
289 /* Fixed field must be at least 4 bytes and invocation field
290 * at least 8.
291 */
292 if ((arg < 4) || (gctx->ivlen - arg) < 8)
293 return 0;
294 if (arg)
295 memcpy(gctx->iv, ptr, arg);
296 if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
297 return 0;
298 gctx->iv_gen = 1;
299 return 1;
300
301 case EVP_CTRL_GCM_IV_GEN:
302 if (gctx->iv_gen == 0 || gctx->key_set == 0)
303 return 0;
304 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
305 memcpy(ptr, gctx->iv, gctx->ivlen);
306 /* Invocation field will be at least 8 bytes in size and
307 * so no need to check wrap around or increment more than
308 * last 8 bytes.
309 */
310 ctr64_inc(gctx->iv + gctx->ivlen - 8);
311 gctx->iv_set = 1;
312 return 1;
313
314 default:
315 return -1;
316
317 }
318 }
319
320 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
321 const unsigned char *iv, int enc)
322 {
323 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
324 if (!iv && !key)
325 return 1;
326 if (key)
327 {
328 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
329 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
330 /* If we have an iv can set it directly, otherwise use
331 * saved IV.
332 */
333 if (iv == NULL && gctx->iv_set)
334 iv = gctx->iv;
335 if (iv)
336 {
337 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
338 gctx->iv_set = 1;
339 }
340 gctx->key_set = 1;
341 }
342 else
343 {
344 /* If key set use IV, otherwise copy */
345 if (gctx->key_set)
346 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
347 else
348 memcpy(gctx->iv, iv, gctx->ivlen);
349 gctx->iv_set = 1;
350 gctx->iv_gen = 0;
351 }
352 return 1;
353 }
354
355 static int aes_gcm(EVP_CIPHER_CTX *ctx, unsigned char *out,
356 const unsigned char *in, size_t len)
357 {
358 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
359 /* If not set up, return error */
360 if (!gctx->iv_set && !gctx->key_set)
361 return -1;
362 if (!ctx->encrypt && gctx->taglen < 0)
363 return -1;
364 if (in)
365 {
366 if (out == NULL)
367 {
368 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
369 return -1;
370 }
371 else if (ctx->encrypt)
372 {
373 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
374 return -1;
375 }
376 else
377 {
378 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
379 return -1;
380 }
381 return len;
382 }
383 else
384 {
385 if (!ctx->encrypt)
386 {
387 if (CRYPTO_gcm128_finish(&gctx->gcm,
388 gctx->tag, gctx->taglen) != 0)
389 return -1;
390 gctx->iv_set = 0;
391 return 0;
392 }
393 CRYPTO_gcm128_tag(&gctx->gcm, gctx->tag, 16);
394 gctx->taglen = 16;
395 /* Don't reuse the IV */
396 gctx->iv_set = 0;
397 return 0;
398 }
399
400 }
401
402 static const EVP_CIPHER aes_128_gcm_cipher=
403 {
404 NID_aes_128_gcm,1,16,12,
405 EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
406 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
407 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT
408 | EVP_CIPH_FLAG_FIPS,
409 aes_gcm_init_key,
410 aes_gcm,
411 aes_gcm_cleanup,
412 sizeof(EVP_AES_GCM_CTX),
413 NULL,
414 NULL,
415 aes_gcm_ctrl,
416 NULL
417 };
418
419 const EVP_CIPHER *EVP_aes_128_gcm (void)
420 { return &aes_128_gcm_cipher; }
421
422 static const EVP_CIPHER aes_192_gcm_cipher=
423 {
424 NID_aes_128_gcm,1,24,12,
425 EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
426 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
427 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT
428 | EVP_CIPH_FLAG_FIPS,
429 aes_gcm_init_key,
430 aes_gcm,
431 aes_gcm_cleanup,
432 sizeof(EVP_AES_GCM_CTX),
433 NULL,
434 NULL,
435 aes_gcm_ctrl,
436 NULL
437 };
438
439 const EVP_CIPHER *EVP_aes_192_gcm (void)
440 { return &aes_192_gcm_cipher; }
441
442 static const EVP_CIPHER aes_256_gcm_cipher=
443 {
444 NID_aes_128_gcm,1,32,12,
445 EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
446 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
447 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT
448 | EVP_CIPH_FLAG_FIPS,
449 aes_gcm_init_key,
450 aes_gcm,
451 aes_gcm_cleanup,
452 sizeof(EVP_AES_GCM_CTX),
453 NULL,
454 NULL,
455 aes_gcm_ctrl,
456 NULL
457 };
458
459 const EVP_CIPHER *EVP_aes_256_gcm (void)
460 { return &aes_256_gcm_cipher; }
461
462 typedef struct
463 {
464 /* AES key schedules to use */
465 AES_KEY ks1, ks2;
466 XTS128_CONTEXT xts;
467 } EVP_AES_XTS_CTX;
468
469 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
470 {
471 EVP_AES_XTS_CTX *xctx = c->cipher_data;
472 if (type != EVP_CTRL_INIT)
473 return -1;
474 /* key1 and key2 are used as an indicator both key and IV are set */
475 xctx->xts.key1 = NULL;
476 xctx->xts.key2 = NULL;
477 xctx->xts.block1 = (block128_f)AES_encrypt;
478 xctx->xts.block2 = (block128_f)AES_encrypt;
479 return 1;
480 }
481
482 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
483 const unsigned char *iv, int enc)
484 {
485 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
486 if (!iv && !key)
487 return 1;
488
489 if (key)
490 {
491 AES_set_encrypt_key(key, ctx->key_len * 8, &xctx->ks1);
492 AES_set_encrypt_key(key + ctx->key_len, ctx->key_len * 8,
493 &xctx->ks2);
494
495 xctx->xts.key1 = &xctx->ks1;
496 xctx->xts.block1 = (block128_f)AES_encrypt;
497 xctx->xts.block2 = (block128_f)AES_encrypt;
498 }
499
500 if (iv)
501 {
502 xctx->xts.key2 = &xctx->ks2;
503 memcpy(ctx->iv, iv, 16);
504 }
505
506 return 1;
507 }
508
509 static int aes_xts(EVP_CIPHER_CTX *ctx, unsigned char *out,
510 const unsigned char *in, size_t len)
511 {
512 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
513 if (!xctx->xts.key1 || !xctx->xts.key2)
514 return -1;
515 if (!out || !in)
516 return -1;
517 if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
518 ctx->encrypt))
519 return -1;
520 return len;
521 }
522
523 static const EVP_CIPHER aes_128_xts_cipher=
524 {
525 NID_aes_128_xts,16,32,16,
526 EVP_CIPH_XTS_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
527 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
528 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
529 aes_xts_init_key,
530 aes_xts,
531 0,
532 sizeof(EVP_AES_XTS_CTX),
533 NULL,
534 NULL,
535 aes_xts_ctrl,
536 NULL
537 };
538
539 const EVP_CIPHER *EVP_aes_128_xts (void)
540 { return &aes_128_xts_cipher; }
541
542 static const EVP_CIPHER aes_256_xts_cipher=
543 {
544 NID_aes_256_xts,16,64,16,
545 EVP_CIPH_XTS_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
546 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
547 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
548 aes_xts_init_key,
549 aes_xts,
550 0,
551 sizeof(EVP_AES_XTS_CTX),
552 NULL,
553 NULL,
554 aes_xts_ctrl,
555 NULL
556 };
557
558 const EVP_CIPHER *EVP_aes_256_xts (void)
559 { return &aes_256_xts_cipher; }
560
561 #endif
A mirror of the official openssl repository