2 * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/opensslconf.h>
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/aes.h>
15 #include <openssl/rand.h>
16 #include <openssl/cmac.h>
17 #include "ciphers_locl.h"
18 #include "internal/evp_int.h"
19 #include "internal/providercommonerr.h"
20 #include "internal/aes_platform.h"
22 #define MAXBITCHUNK ((size_t)1 << (sizeof(size_t) * 8 - 4))
24 #if defined(AESNI_CAPABLE)
28 static int aesni_init_key(PROV_AES_KEY
*dat
, const unsigned char *key
,
33 if ((dat
->mode
== EVP_CIPH_ECB_MODE
|| dat
->mode
== EVP_CIPH_CBC_MODE
)
35 ret
= aesni_set_decrypt_key(key
, keylen
* 8, &dat
->ks
.ks
);
36 dat
->block
= (block128_f
) aesni_decrypt
;
37 dat
->stream
.cbc
= dat
->mode
== EVP_CIPH_CBC_MODE
?
38 (cbc128_f
) aesni_cbc_encrypt
: NULL
;
40 ret
= aesni_set_encrypt_key(key
, keylen
* 8, &dat
->ks
.ks
);
41 dat
->block
= (block128_f
) aesni_encrypt
;
42 if (dat
->mode
== EVP_CIPH_CBC_MODE
)
43 dat
->stream
.cbc
= (cbc128_f
) aesni_cbc_encrypt
;
44 else if (dat
->mode
== EVP_CIPH_CTR_MODE
)
45 dat
->stream
.ctr
= (ctr128_f
) aesni_ctr32_encrypt_blocks
;
47 dat
->stream
.cbc
= NULL
;
51 PROVerr(PROV_F_AESNI_INIT_KEY
, PROV_R_AES_KEY_SETUP_FAILED
);
58 static int aesni_cbc_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
59 const unsigned char *in
, size_t len
)
61 aesni_cbc_encrypt(in
, out
, len
, &ctx
->ks
.ks
, ctx
->iv
, ctx
->enc
);
66 static int aesni_ecb_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
67 const unsigned char *in
, size_t len
)
69 if (len
< AES_BLOCK_SIZE
)
72 aesni_ecb_encrypt(in
, out
, len
, &ctx
->ks
.ks
, ctx
->enc
);
77 # define aesni_ofb_cipher aes_ofb_cipher
78 static int aesni_ofb_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
79 const unsigned char *in
, size_t len
);
81 # define aesni_cfb_cipher aes_cfb_cipher
82 static int aesni_cfb_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
83 const unsigned char *in
, size_t len
);
85 # define aesni_cfb8_cipher aes_cfb8_cipher
86 static int aesni_cfb8_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
87 const unsigned char *in
, size_t len
);
89 # define aesni_cfb1_cipher aes_cfb1_cipher
90 static int aesni_cfb1_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
91 const unsigned char *in
, size_t len
);
93 # define aesni_ctr_cipher aes_ctr_cipher
94 static int aesni_ctr_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
95 const unsigned char *in
, size_t len
);
97 # define BLOCK_CIPHER_generic_prov(mode) \
98 static const PROV_AES_CIPHER aesni_##mode = { \
100 aesni_##mode##_cipher}; \
101 static const PROV_AES_CIPHER aes_##mode = { \
103 aes_##mode##_cipher}; \
104 const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
105 { return AESNI_CAPABLE?&aesni_##mode:&aes_##mode; }
108 #elif defined(SPARC_AES_CAPABLE)
110 static int aes_t4_init_key(PROV_AES_KEY
*dat
, const unsigned char *key
,
116 if ((dat
->mode
== EVP_CIPH_ECB_MODE
|| dat
->mode
== EVP_CIPH_CBC_MODE
)
119 aes_t4_set_decrypt_key(key
, bits
, &dat
->ks
.ks
);
120 dat
->block
= (block128_f
) aes_t4_decrypt
;
123 dat
->stream
.cbc
= dat
->mode
== EVP_CIPH_CBC_MODE
?
124 (cbc128_f
) aes128_t4_cbc_decrypt
: NULL
;
127 dat
->stream
.cbc
= dat
->mode
== EVP_CIPH_CBC_MODE
?
128 (cbc128_f
) aes192_t4_cbc_decrypt
: NULL
;
131 dat
->stream
.cbc
= dat
->mode
== EVP_CIPH_CBC_MODE
?
132 (cbc128_f
) aes256_t4_cbc_decrypt
: NULL
;
139 aes_t4_set_encrypt_key(key
, bits
, &dat
->ks
.ks
);
140 dat
->block
= (block128_f
)aes_t4_encrypt
;
143 if (dat
->mode
== EVP_CIPH_CBC_MODE
)
144 dat
->stream
.cbc
= (cbc128_f
)aes128_t4_cbc_encrypt
;
145 else if (dat
->mode
== EVP_CIPH_CTR_MODE
)
146 dat
->stream
.ctr
= (ctr128_f
)aes128_t4_ctr32_encrypt
;
148 dat
->stream
.cbc
= NULL
;
151 if (dat
->mode
== EVP_CIPH_CBC_MODE
)
152 dat
->stream
.cbc
= (cbc128_f
)aes192_t4_cbc_encrypt
;
153 else if (dat
->mode
== EVP_CIPH_CTR_MODE
)
154 dat
->stream
.ctr
= (ctr128_f
)aes192_t4_ctr32_encrypt
;
156 dat
->stream
.cbc
= NULL
;
159 if (dat
->mode
== EVP_CIPH_CBC_MODE
)
160 dat
->stream
.cbc
= (cbc128_f
)aes256_t4_cbc_encrypt
;
161 else if (dat
->mode
== EVP_CIPH_CTR_MODE
)
162 dat
->stream
.ctr
= (ctr128_f
)aes256_t4_ctr32_encrypt
;
164 dat
->stream
.cbc
= NULL
;
172 PROVerr(PROV_F_AES_T4_INIT_KEY
, PROV_R_AES_KEY_SETUP_FAILED
);
179 # define aes_t4_cbc_cipher aes_cbc_cipher
180 static int aes_t4_cbc_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
181 const unsigned char *in
, size_t len
);
183 # define aes_t4_ecb_cipher aes_ecb_cipher
184 static int aes_t4_ecb_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
185 const unsigned char *in
, size_t len
);
187 # define aes_t4_ofb_cipher aes_ofb_cipher
188 static int aes_t4_ofb_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
189 const unsigned char *in
, size_t len
);
191 # define aes_t4_cfb_cipher aes_cfb_cipher
192 static int aes_t4_cfb_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
193 const unsigned char *in
, size_t len
);
195 # define aes_t4_cfb8_cipher aes_cfb8_cipher
196 static int aes_t4_cfb8_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
197 const unsigned char *in
, size_t len
);
199 # define aes_t4_cfb1_cipher aes_cfb1_cipher
200 static int aes_t4_cfb1_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
201 const unsigned char *in
, size_t len
);
203 # define aes_t4_ctr_cipher aes_ctr_cipher
204 static int aes_t4_ctr_cipher(PROV_AES_KEY
*ctx
, unsigned char *out
,
205 const unsigned char *in
, size_t len
);
207 # define BLOCK_CIPHER_generic_prov(mode) \
208 static const PROV_AES_CIPHER aes_t4_##mode = { \
210 aes_t4_##mode##_cipher}; \
211 static const PROV_AES_CIPHER aes_##mode = { \
213 aes_##mode##_cipher}; \
214 const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
215 { return SPARC_AES_CAPABLE?&aes_t4_##mode:&aes_##mode; }
218 #elif defined(S390X_aes_128_CAPABLE)
222 # include "s390x_arch.h"
224 # define s390x_aes_init_key aes_init_key
225 static int s390x_aes_init_key(PROV_AES_KEY
*dat
, const unsigned char *key
,
227 # define S390X_AES_CBC_CTX PROV_AES_KEY
229 # define s390x_aes_cbc_init_key aes_init_key
231 # define s390x_aes_cbc_cipher aes_cbc_cipher
232 static int s390x_aes_cbc_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
233 const unsigned char *in
, size_t len
);
235 static int s390x_aes_ecb_init_key(PROV_AES_KEY
*dat
, const unsigned char *key
,
238 dat
->plat
.s390x
.fc
= S390X_AES_FC(keylen
);
240 dat
->plat
.s390x
.fc
|= S390X_DECRYPT
;
242 memcpy(dat
->plat
.s390x
.param
.km
.k
, key
, keylen
);
246 static int s390x_aes_ecb_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
247 const unsigned char *in
, size_t len
)
249 s390x_km(in
, len
, out
, dat
->plat
.s390x
.fc
,
250 &dat
->plat
.s390x
.param
.km
);
254 static int s390x_aes_ofb_init_key(PROV_AES_KEY
*dat
, const unsigned char *key
,
257 memcpy(dat
->plat
.s390x
.param
.kmo_kmf
.cv
, dat
->iv
, AES_BLOCK_SIZE
);
258 memcpy(dat
->plat
.s390x
.param
.kmo_kmf
.k
, key
, keylen
);
259 dat
->plat
.s390x
.fc
= S390X_AES_FC(keylen
);
260 dat
->plat
.s390x
.res
= 0;
264 static int s390x_aes_ofb_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
265 const unsigned char *in
, size_t len
)
267 int n
= dat
->plat
.s390x
.res
;
271 *out
= *in
^ dat
->plat
.s390x
.param
.kmo_kmf
.cv
[n
];
282 s390x_kmo(in
, len
, out
, dat
->plat
.s390x
.fc
,
283 &dat
->plat
.s390x
.param
.kmo_kmf
);
290 s390x_km(dat
->plat
.s390x
.param
.kmo_kmf
.cv
, 16,
291 dat
->plat
.s390x
.param
.kmo_kmf
.cv
, dat
->plat
.s390x
.fc
,
292 dat
->plat
.s390x
.param
.kmo_kmf
.k
);
295 out
[n
] = in
[n
] ^ dat
->plat
.s390x
.param
.kmo_kmf
.cv
[n
];
300 dat
->plat
.s390x
.res
= n
;
304 static int s390x_aes_cfb_init_key(PROV_AES_KEY
*dat
, const unsigned char *key
,
307 dat
->plat
.s390x
.fc
= S390X_AES_FC(keylen
);
308 dat
->plat
.s390x
.fc
|= 16 << 24; /* 16 bytes cipher feedback */
310 dat
->plat
.s390x
.fc
|= S390X_DECRYPT
;
312 dat
->plat
.s390x
.res
= 0;
313 memcpy(dat
->plat
.s390x
.param
.kmo_kmf
.cv
, dat
->iv
, AES_BLOCK_SIZE
);
314 memcpy(dat
->plat
.s390x
.param
.kmo_kmf
.k
, key
, keylen
);
318 static int s390x_aes_cfb_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
319 const unsigned char *in
, size_t len
)
321 int n
= dat
->plat
.s390x
.res
;
327 *out
= dat
->plat
.s390x
.param
.kmo_kmf
.cv
[n
] ^ tmp
;
328 dat
->plat
.s390x
.param
.kmo_kmf
.cv
[n
] = dat
->enc
? *out
: tmp
;
339 s390x_kmf(in
, len
, out
, dat
->plat
.s390x
.fc
,
340 &dat
->plat
.s390x
.param
.kmo_kmf
);
347 s390x_km(dat
->plat
.s390x
.param
.kmo_kmf
.cv
, 16,
348 dat
->plat
.s390x
.param
.kmo_kmf
.cv
,
349 S390X_AES_FC(dat
->keylen
), dat
->plat
.s390x
.param
.kmo_kmf
.k
);
353 out
[n
] = dat
->plat
.s390x
.param
.kmo_kmf
.cv
[n
] ^ tmp
;
354 dat
->plat
.s390x
.param
.kmo_kmf
.cv
[n
] = dat
->enc
? out
[n
] : tmp
;
359 dat
->plat
.s390x
.res
= n
;
363 static int s390x_aes_cfb8_init_key(PROV_AES_KEY
*dat
, const unsigned char *key
,
366 dat
->plat
.s390x
.fc
= S390X_AES_FC(keylen
);
367 dat
->plat
.s390x
.fc
|= 1 << 24; /* 1 byte cipher feedback */
369 dat
->plat
.s390x
.fc
|= S390X_DECRYPT
;
371 memcpy(dat
->plat
.s390x
.param
.kmo_kmf
.cv
, dat
->iv
, AES_BLOCK_SIZE
);
372 memcpy(dat
->plat
.s390x
.param
.kmo_kmf
.k
, key
, keylen
);
376 static int s390x_aes_cfb8_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
377 const unsigned char *in
, size_t len
)
379 s390x_kmf(in
, len
, out
, dat
->plat
.s390x
.fc
,
380 &dat
->plat
.s390x
.param
.kmo_kmf
);
384 # define s390x_aes_cfb1_init_key aes_init_key
386 # define s390x_aes_cfb1_cipher aes_cfb1_cipher
387 static int s390x_aes_cfb1_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
388 const unsigned char *in
, size_t len
);
389 # define S390X_AES_CTR_CTX PROV_AES_KEY
391 # define s390x_aes_ctr_init_key aes_init_key
393 # define s390x_aes_ctr_cipher aes_ctr_cipher
394 static int s390x_aes_ctr_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
395 const unsigned char *in
, size_t len
);
397 # define BLOCK_CIPHER_generic_prov(mode) \
398 static const PROV_AES_CIPHER s390x_aes_##mode = { \
399 s390x_aes_##mode##_init_key, \
400 s390x_aes_##mode##_cipher \
402 static const PROV_AES_CIPHER aes_##mode = { \
404 aes_##mode##_cipher \
406 const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
408 if ((keylen == 16 && S390X_aes_128_##mode##_CAPABLE) \
409 || (keylen == 24 && S390X_aes_192_##mode##_CAPABLE) \
410 || (keylen == 32 && S390X_aes_256_##mode##_CAPABLE)) \
411 return &s390x_aes_##mode; \
413 return &aes_##mode; \
417 /* The generic case */
418 # define BLOCK_CIPHER_generic_prov(mode) \
419 static const PROV_AES_CIPHER aes_##mode = { \
421 aes_##mode##_cipher}; \
422 const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
423 { return &aes_##mode; }
427 static int aes_init_key(PROV_AES_KEY
*dat
, const unsigned char *key
,
432 if ((dat
->mode
== EVP_CIPH_ECB_MODE
|| dat
->mode
== EVP_CIPH_CBC_MODE
)
436 ret
= HWAES_set_decrypt_key(key
, keylen
* 8, &dat
->ks
.ks
);
437 dat
->block
= (block128_f
)HWAES_decrypt
;
438 dat
->stream
.cbc
= NULL
;
439 # ifdef HWAES_cbc_encrypt
440 if (dat
->mode
== EVP_CIPH_CBC_MODE
)
441 dat
->stream
.cbc
= (cbc128_f
)HWAES_cbc_encrypt
;
446 if (BSAES_CAPABLE
&& dat
->mode
== EVP_CIPH_CBC_MODE
) {
447 ret
= AES_set_decrypt_key(key
, keylen
* 8, &dat
->ks
.ks
);
448 dat
->block
= (block128_f
)AES_decrypt
;
449 dat
->stream
.cbc
= (cbc128_f
)bsaes_cbc_encrypt
;
454 ret
= vpaes_set_decrypt_key(key
, keylen
* 8, &dat
->ks
.ks
);
455 dat
->block
= (block128_f
)vpaes_decrypt
;
456 dat
->stream
.cbc
= (dat
->mode
== EVP_CIPH_CBC_MODE
)
457 ?(cbc128_f
)vpaes_cbc_encrypt
: NULL
;
461 ret
= AES_set_decrypt_key(key
, keylen
* 8, &dat
->ks
.ks
);
462 dat
->block
= (block128_f
)AES_decrypt
;
463 dat
->stream
.cbc
= (dat
->mode
== EVP_CIPH_CBC_MODE
)
464 ? (cbc128_f
)AES_cbc_encrypt
: NULL
;
469 ret
= HWAES_set_encrypt_key(key
, keylen
* 8, &dat
->ks
.ks
);
470 dat
->block
= (block128_f
)HWAES_encrypt
;
471 dat
->stream
.cbc
= NULL
;
472 # ifdef HWAES_cbc_encrypt
473 if (dat
->mode
== EVP_CIPH_CBC_MODE
)
474 dat
->stream
.cbc
= (cbc128_f
)HWAES_cbc_encrypt
;
477 # ifdef HWAES_ctr32_encrypt_blocks
478 if (dat
->mode
== EVP_CIPH_CTR_MODE
)
479 dat
->stream
.ctr
= (ctr128_f
)HWAES_ctr32_encrypt_blocks
;
482 (void)0; /* terminate potentially open 'else' */
486 if (BSAES_CAPABLE
&& dat
->mode
== EVP_CIPH_CTR_MODE
) {
487 ret
= AES_set_encrypt_key(key
, keylen
* 8, &dat
->ks
.ks
);
488 dat
->block
= (block128_f
)AES_encrypt
;
489 dat
->stream
.ctr
= (ctr128_f
)bsaes_ctr32_encrypt_blocks
;
494 ret
= vpaes_set_encrypt_key(key
, keylen
* 8, &dat
->ks
.ks
);
495 dat
->block
= (block128_f
)vpaes_encrypt
;
496 dat
->stream
.cbc
= (dat
->mode
== EVP_CIPH_CBC_MODE
)
497 ? (cbc128_f
)vpaes_cbc_encrypt
: NULL
;
501 ret
= AES_set_encrypt_key(key
, keylen
* 8, &dat
->ks
.ks
);
502 dat
->block
= (block128_f
)AES_encrypt
;
503 dat
->stream
.cbc
= (dat
->mode
== EVP_CIPH_CBC_MODE
)
504 ? (cbc128_f
)AES_cbc_encrypt
: NULL
;
506 if (dat
->mode
== EVP_CIPH_CTR_MODE
)
507 dat
->stream
.ctr
= (ctr128_f
)AES_ctr32_encrypt
;
512 PROVerr(PROV_F_AES_INIT_KEY
, PROV_R_AES_KEY_SETUP_FAILED
);
519 static int aes_cbc_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
520 const unsigned char *in
, size_t len
)
523 (*dat
->stream
.cbc
) (in
, out
, len
, &dat
->ks
, dat
->iv
, dat
->enc
);
525 CRYPTO_cbc128_encrypt(in
, out
, len
, &dat
->ks
, dat
->iv
, dat
->block
);
527 CRYPTO_cbc128_decrypt(in
, out
, len
, &dat
->ks
, dat
->iv
, dat
->block
);
532 static int aes_ecb_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
533 const unsigned char *in
, size_t len
)
537 if (len
< AES_BLOCK_SIZE
)
540 for (i
= 0, len
-= AES_BLOCK_SIZE
; i
<= len
; i
+= AES_BLOCK_SIZE
)
541 (*dat
->block
) (in
+ i
, out
+ i
, &dat
->ks
);
546 static int aes_ofb_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
547 const unsigned char *in
, size_t len
)
550 CRYPTO_ofb128_encrypt(in
, out
, len
, &dat
->ks
, dat
->iv
, &num
, dat
->block
);
556 static int aes_cfb_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
557 const unsigned char *in
, size_t len
)
560 CRYPTO_cfb128_encrypt(in
, out
, len
, &dat
->ks
, dat
->iv
, &num
, dat
->enc
,
567 static int aes_cfb8_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
568 const unsigned char *in
, size_t len
)
571 CRYPTO_cfb128_8_encrypt(in
, out
, len
, &dat
->ks
, dat
->iv
, &num
, dat
->enc
,
578 static int aes_cfb1_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
579 const unsigned char *in
, size_t len
)
583 if ((dat
->flags
& EVP_CIPH_FLAG_LENGTH_BITS
) != 0) {
584 CRYPTO_cfb128_1_encrypt(in
, out
, len
, &dat
->ks
, dat
->iv
, &num
,
585 dat
->enc
, dat
->block
);
590 while (len
>= MAXBITCHUNK
) {
591 CRYPTO_cfb128_1_encrypt(in
, out
, MAXBITCHUNK
* 8, &dat
->ks
,
592 dat
->iv
, &num
, dat
->enc
, dat
->block
);
598 CRYPTO_cfb128_1_encrypt(in
, out
, len
* 8, &dat
->ks
, dat
->iv
, &num
,
599 dat
->enc
, dat
->block
);
606 static int aes_ctr_cipher(PROV_AES_KEY
*dat
, unsigned char *out
,
607 const unsigned char *in
, size_t len
)
609 unsigned int num
= dat
->num
;
612 CRYPTO_ctr128_encrypt_ctr32(in
, out
, len
, &dat
->ks
, dat
->iv
, dat
->buf
,
613 &num
, dat
->stream
.ctr
);
615 CRYPTO_ctr128_encrypt(in
, out
, len
, &dat
->ks
, dat
->iv
, dat
->buf
,
622 BLOCK_CIPHER_generic_prov(cbc
)
623 BLOCK_CIPHER_generic_prov(ecb
)
624 BLOCK_CIPHER_generic_prov(ofb
)
625 BLOCK_CIPHER_generic_prov(cfb
)
626 BLOCK_CIPHER_generic_prov(cfb1
)
627 BLOCK_CIPHER_generic_prov(cfb8
)
628 BLOCK_CIPHER_generic_prov(ctr
)