1 /* $OpenBSD: e_aes.c,v 1.58 2024/04/09 13:52:41 beck Exp $ */
2 /* ====================================================================
3 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52 #include <limits.h>
53 #include <stdlib.h>
54 #include <string.h>
55
56 #include <openssl/opensslconf.h>
57
58 #ifndef OPENSSL_NO_AES
59 #include <openssl/aes.h>
60 #include <openssl/err.h>
61 #include <openssl/evp.h>
62
63 #include "evp_local.h"
64 #include "modes_local.h"
65
66 typedef struct {
67 AES_KEY ks;
68 block128_f block;
69 union {
70 cbc128_f cbc;
71 ctr128_f ctr;
72 } stream;
73 } EVP_AES_KEY;
74
75 typedef struct {
76 AES_KEY ks; /* AES key schedule to use */
77 int key_set; /* Set if key initialised */
78 int iv_set; /* Set if an iv is set */
79 GCM128_CONTEXT gcm;
80 unsigned char *iv; /* Temporary IV store */
81 int ivlen; /* IV length */
82 int taglen;
83 int iv_gen; /* It is OK to generate IVs */
84 int tls_aad_len; /* TLS AAD length */
85 ctr128_f ctr;
86 } EVP_AES_GCM_CTX;
87
88 typedef struct {
89 AES_KEY ks1, ks2; /* AES key schedules to use */
90 XTS128_CONTEXT xts;
91 void (*stream)(const unsigned char *in, unsigned char *out,
92 size_t length, const AES_KEY *key1, const AES_KEY *key2,
93 const unsigned char iv[16]);
94 } EVP_AES_XTS_CTX;
95
96 typedef struct {
97 AES_KEY ks; /* AES key schedule to use */
98 int key_set; /* Set if key initialised */
99 int iv_set; /* Set if an iv is set */
100 int tag_set; /* Set if tag is valid */
101 int len_set; /* Set if message length set */
102 int L, M; /* L and M parameters from RFC3610 */
103 CCM128_CONTEXT ccm;
104 ccm128_f str;
105 } EVP_AES_CCM_CTX;
106
107 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
108
109 #ifdef VPAES_ASM
110 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
111 AES_KEY *key);
112 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
113 AES_KEY *key);
114
115 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
116 const AES_KEY *key);
117 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
118 const AES_KEY *key);
119
120 void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
121 size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
122 #endif
123 #ifdef BSAES_ASM
124 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
125 size_t length, const AES_KEY *key, unsigned char ivec[16], int enc);
126 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
127 size_t len, const AES_KEY *key, const unsigned char ivec[16]);
128 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
129 size_t len, const AES_KEY *key1, const AES_KEY *key2,
130 const unsigned char iv[16]);
131 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
132 size_t len, const AES_KEY *key1, const AES_KEY *key2,
133 const unsigned char iv[16]);
134 #endif
135 #ifdef AES_CTR_ASM
136 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
137 size_t blocks, const AES_KEY *key,
138 const unsigned char ivec[AES_BLOCK_SIZE]);
139 #endif
140 #ifdef AES_XTS_ASM
141 void AES_xts_encrypt(const char *inp, char *out, size_t len,
142 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
143 void AES_xts_decrypt(const char *inp, char *out, size_t len,
144 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
145 #endif
146
147 #if defined(AES_ASM) && ( \
148 ((defined(__i386) || defined(__i386__) || \
149 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
150 defined(__x86_64) || defined(__x86_64__) || \
151 defined(_M_AMD64) || defined(_M_X64) || \
152 defined(__INTEL__) )
153
154 #include "x86_arch.h"
155
156 #ifdef VPAES_ASM
157 #define VPAES_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_SSSE3)
158 #endif
159 #ifdef BSAES_ASM
160 #define BSAES_CAPABLE VPAES_CAPABLE
161 #endif
162 /*
163 * AES-NI section
164 */
165 #define AESNI_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI)
166
167 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
168 AES_KEY *key);
169 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
170 AES_KEY *key);
171
172 void aesni_encrypt(const unsigned char *in, unsigned char *out,
173 const AES_KEY *key);
174 void aesni_decrypt(const unsigned char *in, unsigned char *out,
175 const AES_KEY *key);
176
177 void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
178 size_t length, const AES_KEY *key, int enc);
179 void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
180 size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
181
182 void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
183 size_t blocks, const void *key, const unsigned char *ivec);
184
185 void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
186 size_t length, const AES_KEY *key1, const AES_KEY *key2,
187 const unsigned char iv[16]);
188
189 void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
190 size_t length, const AES_KEY *key1, const AES_KEY *key2,
191 const unsigned char iv[16]);
192
193 void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out,
194 size_t blocks, const void *key, const unsigned char ivec[16],
195 unsigned char cmac[16]);
196
197 void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out,
198 size_t blocks, const void *key, const unsigned char ivec[16],
199 unsigned char cmac[16]);
200
201 static int
aesni_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)202 aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
203 const unsigned char *iv, int enc)
204 {
205 int ret, mode;
206 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
207
208 mode = ctx->cipher->flags & EVP_CIPH_MODE;
209 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
210 !enc) {
211 ret = aesni_set_decrypt_key(key, ctx->key_len * 8,
212 ctx->cipher_data);
213 dat->block = (block128_f)aesni_decrypt;
214 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
215 (cbc128_f)aesni_cbc_encrypt : NULL;
216 } else {
217 ret = aesni_set_encrypt_key(key, ctx->key_len * 8,
218 ctx->cipher_data);
219 dat->block = (block128_f)aesni_encrypt;
220 if (mode == EVP_CIPH_CBC_MODE)
221 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
222 else if (mode == EVP_CIPH_CTR_MODE)
223 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
224 else
225 dat->stream.cbc = NULL;
226 }
227
228 if (ret < 0) {
229 EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
230 return 0;
231 }
232
233 return 1;
234 }
235
236 static int
aesni_cbc_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)237 aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
238 const unsigned char *in, size_t len)
239 {
240 aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv,
241 ctx->encrypt);
242
243 return 1;
244 }
245
246 static int
aesni_ecb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)247 aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
248 const unsigned char *in, size_t len)
249 {
250 size_t bl = ctx->cipher->block_size;
251
252 if (len < bl)
253 return 1;
254
255 aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
256
257 return 1;
258 }
259
260 static int
aesni_gcm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)261 aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
262 const unsigned char *iv, int enc)
263 {
264 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
265
266 if (!iv && !key)
267 return 1;
268 if (key) {
269 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
270 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
271 (block128_f)aesni_encrypt);
272 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
273 /* If we have an iv can set it directly, otherwise use
274 * saved IV.
275 */
276 if (iv == NULL && gctx->iv_set)
277 iv = gctx->iv;
278 if (iv) {
279 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
280 gctx->iv_set = 1;
281 }
282 gctx->key_set = 1;
283 } else {
284 /* If key set use IV, otherwise copy */
285 if (gctx->key_set)
286 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
287 else
288 memcpy(gctx->iv, iv, gctx->ivlen);
289 gctx->iv_set = 1;
290 gctx->iv_gen = 0;
291 }
292 return 1;
293 }
294
295 static int
aesni_xts_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)296 aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
297 const unsigned char *iv, int enc)
298 {
299 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
300
301 if (!iv && !key)
302 return 1;
303
304 if (key) {
305 /* key_len is two AES keys */
306 if (enc) {
307 aesni_set_encrypt_key(key, ctx->key_len * 4,
308 &xctx->ks1);
309 xctx->xts.block1 = (block128_f)aesni_encrypt;
310 xctx->stream = aesni_xts_encrypt;
311 } else {
312 aesni_set_decrypt_key(key, ctx->key_len * 4,
313 &xctx->ks1);
314 xctx->xts.block1 = (block128_f)aesni_decrypt;
315 xctx->stream = aesni_xts_decrypt;
316 }
317
318 aesni_set_encrypt_key(key + ctx->key_len / 2,
319 ctx->key_len * 4, &xctx->ks2);
320 xctx->xts.block2 = (block128_f)aesni_encrypt;
321
322 xctx->xts.key1 = &xctx->ks1;
323 }
324
325 if (iv) {
326 xctx->xts.key2 = &xctx->ks2;
327 memcpy(ctx->iv, iv, 16);
328 }
329
330 return 1;
331 }
332
333 static int
aesni_ccm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)334 aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
335 const unsigned char *iv, int enc)
336 {
337 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
338
339 if (!iv && !key)
340 return 1;
341 if (key) {
342 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
343 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
344 &cctx->ks, (block128_f)aesni_encrypt);
345 cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks :
346 (ccm128_f)aesni_ccm64_decrypt_blocks;
347 cctx->key_set = 1;
348 }
349 if (iv) {
350 memcpy(ctx->iv, iv, 15 - cctx->L);
351 cctx->iv_set = 1;
352 }
353 return 1;
354 }
355
356 #endif
357
358 static int
aes_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)359 aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
360 const unsigned char *iv, int enc)
361 {
362 int ret, mode;
363 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
364
365 mode = ctx->cipher->flags & EVP_CIPH_MODE;
366 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
367 !enc)
368 #ifdef BSAES_CAPABLE
369 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
370 ret = AES_set_decrypt_key(key, ctx->key_len * 8,
371 &dat->ks);
372 dat->block = (block128_f)AES_decrypt;
373 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
374 } else
375 #endif
376 #ifdef VPAES_CAPABLE
377 if (VPAES_CAPABLE) {
378 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8,
379 &dat->ks);
380 dat->block = (block128_f)vpaes_decrypt;
381 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
382 (cbc128_f)vpaes_cbc_encrypt : NULL;
383 } else
384 #endif
385 {
386 ret = AES_set_decrypt_key(key, ctx->key_len * 8,
387 &dat->ks);
388 dat->block = (block128_f)AES_decrypt;
389 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
390 (cbc128_f)AES_cbc_encrypt : NULL;
391 } else
392 #ifdef BSAES_CAPABLE
393 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
394 ret = AES_set_encrypt_key(key, ctx->key_len * 8,
395 &dat->ks);
396 dat->block = (block128_f)AES_encrypt;
397 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
398 } else
399 #endif
400 #ifdef VPAES_CAPABLE
401 if (VPAES_CAPABLE) {
402 ret = vpaes_set_encrypt_key(key, ctx->key_len * 8,
403 &dat->ks);
404 dat->block = (block128_f)vpaes_encrypt;
405 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
406 (cbc128_f)vpaes_cbc_encrypt : NULL;
407 } else
408 #endif
409 {
410 ret = AES_set_encrypt_key(key, ctx->key_len * 8,
411 &dat->ks);
412 dat->block = (block128_f)AES_encrypt;
413 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
414 (cbc128_f)AES_cbc_encrypt : NULL;
415 #ifdef AES_CTR_ASM
416 if (mode == EVP_CIPH_CTR_MODE)
417 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
418 #endif
419 }
420
421 if (ret < 0) {
422 EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
423 return 0;
424 }
425
426 return 1;
427 }
428
429 static int
aes_cbc_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)430 aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
431 const unsigned char *in, size_t len)
432 {
433 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
434
435 if (dat->stream.cbc)
436 (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv,
437 ctx->encrypt);
438 else if (ctx->encrypt)
439 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv,
440 dat->block);
441 else
442 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv,
443 dat->block);
444
445 return 1;
446 }
447
448 static int
aes_ecb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)449 aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
450 const unsigned char *in, size_t len)
451 {
452 size_t bl = ctx->cipher->block_size;
453 size_t i;
454 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
455
456 if (len < bl)
457 return 1;
458
459 for (i = 0, len -= bl; i <= len; i += bl)
460 (*dat->block)(in + i, out + i, &dat->ks);
461
462 return 1;
463 }
464
465 static int
aes_ofb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)466 aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
467 const unsigned char *in, size_t len)
468 {
469 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
470
471 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
472 dat->block);
473 return 1;
474 }
475
476 static int
aes_cfb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)477 aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
478 const unsigned char *in, size_t len)
479 {
480 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
481
482 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
483 ctx->encrypt, dat->block);
484 return 1;
485 }
486
487 static int
aes_cfb8_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)488 aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
489 const unsigned char *in, size_t len)
490 {
491 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
492
493 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
494 ctx->encrypt, dat->block);
495 return 1;
496 }
497
498 static int
aes_cfb1_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)499 aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
500 const unsigned char *in, size_t len)
501 {
502 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
503
504 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
505 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv,
506 &ctx->num, ctx->encrypt, dat->block);
507 return 1;
508 }
509
510 while (len >= MAXBITCHUNK) {
511 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks,
512 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
513 len -= MAXBITCHUNK;
514 in += MAXBITCHUNK;
515 out += MAXBITCHUNK;
516 }
517 if (len)
518 CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks,
519 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
520
521 return 1;
522 }
523
524 static int
aes_ctr_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)525 aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
526 const unsigned char *in, size_t len)
527 {
528 unsigned int num = ctx->num;
529 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
530
531 if (dat->stream.ctr)
532 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
533 ctx->iv, ctx->buf, &num, dat->stream.ctr);
534 else
535 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
536 ctx->iv, ctx->buf, &num, dat->block);
537 ctx->num = (size_t)num;
538 return 1;
539 }
540
541
542 #ifdef AESNI_CAPABLE
543 static const EVP_CIPHER aesni_128_cbc = {
544 .nid = NID_aes_128_cbc,
545 .block_size = 16,
546 .key_len = 16,
547 .iv_len = 16,
548 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
549 .init = aesni_init_key,
550 .do_cipher = aesni_cbc_cipher,
551 .ctx_size = sizeof(EVP_AES_KEY),
552 };
553 #endif
554
555 static const EVP_CIPHER aes_128_cbc = {
556 .nid = NID_aes_128_cbc,
557 .block_size = 16,
558 .key_len = 16,
559 .iv_len = 16,
560 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
561 .init = aes_init_key,
562 .do_cipher = aes_cbc_cipher,
563 .ctx_size = sizeof(EVP_AES_KEY),
564 };
565
566 const EVP_CIPHER *
EVP_aes_128_cbc(void)567 EVP_aes_128_cbc(void)
568 {
569 #ifdef AESNI_CAPABLE
570 return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc;
571 #else
572 return &aes_128_cbc;
573 #endif
574 }
575 LCRYPTO_ALIAS(EVP_aes_128_cbc);
576
577 #ifdef AESNI_CAPABLE
578 static const EVP_CIPHER aesni_128_ecb = {
579 .nid = NID_aes_128_ecb,
580 .block_size = 16,
581 .key_len = 16,
582 .iv_len = 0,
583 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
584 .init = aesni_init_key,
585 .do_cipher = aesni_ecb_cipher,
586 .ctx_size = sizeof(EVP_AES_KEY),
587 };
588 #endif
589
590 static const EVP_CIPHER aes_128_ecb = {
591 .nid = NID_aes_128_ecb,
592 .block_size = 16,
593 .key_len = 16,
594 .iv_len = 0,
595 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
596 .init = aes_init_key,
597 .do_cipher = aes_ecb_cipher,
598 .ctx_size = sizeof(EVP_AES_KEY),
599 };
600
601 const EVP_CIPHER *
EVP_aes_128_ecb(void)602 EVP_aes_128_ecb(void)
603 {
604 #ifdef AESNI_CAPABLE
605 return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb;
606 #else
607 return &aes_128_ecb;
608 #endif
609 }
610 LCRYPTO_ALIAS(EVP_aes_128_ecb);
611
612 #ifdef AESNI_CAPABLE
613 static const EVP_CIPHER aesni_128_ofb = {
614 .nid = NID_aes_128_ofb128,
615 .block_size = 1,
616 .key_len = 16,
617 .iv_len = 16,
618 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
619 .init = aesni_init_key,
620 .do_cipher = aes_ofb_cipher,
621 .ctx_size = sizeof(EVP_AES_KEY),
622 };
623 #endif
624
625 static const EVP_CIPHER aes_128_ofb = {
626 .nid = NID_aes_128_ofb128,
627 .block_size = 1,
628 .key_len = 16,
629 .iv_len = 16,
630 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
631 .init = aes_init_key,
632 .do_cipher = aes_ofb_cipher,
633 .ctx_size = sizeof(EVP_AES_KEY),
634 };
635
636 const EVP_CIPHER *
EVP_aes_128_ofb(void)637 EVP_aes_128_ofb(void)
638 {
639 #ifdef AESNI_CAPABLE
640 return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb;
641 #else
642 return &aes_128_ofb;
643 #endif
644 }
645 LCRYPTO_ALIAS(EVP_aes_128_ofb);
646
647 #ifdef AESNI_CAPABLE
648 static const EVP_CIPHER aesni_128_cfb = {
649 .nid = NID_aes_128_cfb128,
650 .block_size = 1,
651 .key_len = 16,
652 .iv_len = 16,
653 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
654 .init = aesni_init_key,
655 .do_cipher = aes_cfb_cipher,
656 .ctx_size = sizeof(EVP_AES_KEY),
657 };
658 #endif
659
660 static const EVP_CIPHER aes_128_cfb = {
661 .nid = NID_aes_128_cfb128,
662 .block_size = 1,
663 .key_len = 16,
664 .iv_len = 16,
665 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
666 .init = aes_init_key,
667 .do_cipher = aes_cfb_cipher,
668 .ctx_size = sizeof(EVP_AES_KEY),
669 };
670
671 const EVP_CIPHER *
EVP_aes_128_cfb128(void)672 EVP_aes_128_cfb128(void)
673 {
674 #ifdef AESNI_CAPABLE
675 return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb;
676 #else
677 return &aes_128_cfb;
678 #endif
679 }
680 LCRYPTO_ALIAS(EVP_aes_128_cfb128);
681
682 #ifdef AESNI_CAPABLE
683 static const EVP_CIPHER aesni_128_cfb1 = {
684 .nid = NID_aes_128_cfb1,
685 .block_size = 1,
686 .key_len = 16,
687 .iv_len = 16,
688 .flags = EVP_CIPH_CFB_MODE,
689 .init = aesni_init_key,
690 .do_cipher = aes_cfb1_cipher,
691 .ctx_size = sizeof(EVP_AES_KEY),
692 };
693 #endif
694
695 static const EVP_CIPHER aes_128_cfb1 = {
696 .nid = NID_aes_128_cfb1,
697 .block_size = 1,
698 .key_len = 16,
699 .iv_len = 16,
700 .flags = EVP_CIPH_CFB_MODE,
701 .init = aes_init_key,
702 .do_cipher = aes_cfb1_cipher,
703 .ctx_size = sizeof(EVP_AES_KEY),
704 };
705
706 const EVP_CIPHER *
EVP_aes_128_cfb1(void)707 EVP_aes_128_cfb1(void)
708 {
709 #ifdef AESNI_CAPABLE
710 return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1;
711 #else
712 return &aes_128_cfb1;
713 #endif
714 }
715 LCRYPTO_ALIAS(EVP_aes_128_cfb1);
716
717 #ifdef AESNI_CAPABLE
718 static const EVP_CIPHER aesni_128_cfb8 = {
719 .nid = NID_aes_128_cfb8,
720 .block_size = 1,
721 .key_len = 16,
722 .iv_len = 16,
723 .flags = EVP_CIPH_CFB_MODE,
724 .init = aesni_init_key,
725 .do_cipher = aes_cfb8_cipher,
726 .ctx_size = sizeof(EVP_AES_KEY),
727 };
728 #endif
729
730 static const EVP_CIPHER aes_128_cfb8 = {
731 .nid = NID_aes_128_cfb8,
732 .block_size = 1,
733 .key_len = 16,
734 .iv_len = 16,
735 .flags = EVP_CIPH_CFB_MODE,
736 .init = aes_init_key,
737 .do_cipher = aes_cfb8_cipher,
738 .ctx_size = sizeof(EVP_AES_KEY),
739 };
740
741 const EVP_CIPHER *
EVP_aes_128_cfb8(void)742 EVP_aes_128_cfb8(void)
743 {
744 #ifdef AESNI_CAPABLE
745 return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8;
746 #else
747 return &aes_128_cfb8;
748 #endif
749 }
750 LCRYPTO_ALIAS(EVP_aes_128_cfb8);
751
752 #ifdef AESNI_CAPABLE
753 static const EVP_CIPHER aesni_128_ctr = {
754 .nid = NID_aes_128_ctr,
755 .block_size = 1,
756 .key_len = 16,
757 .iv_len = 16,
758 .flags = EVP_CIPH_CTR_MODE,
759 .init = aesni_init_key,
760 .do_cipher = aes_ctr_cipher,
761 .ctx_size = sizeof(EVP_AES_KEY),
762 };
763 #endif
764
765 static const EVP_CIPHER aes_128_ctr = {
766 .nid = NID_aes_128_ctr,
767 .block_size = 1,
768 .key_len = 16,
769 .iv_len = 16,
770 .flags = EVP_CIPH_CTR_MODE,
771 .init = aes_init_key,
772 .do_cipher = aes_ctr_cipher,
773 .ctx_size = sizeof(EVP_AES_KEY),
774 };
775
776 const EVP_CIPHER *
EVP_aes_128_ctr(void)777 EVP_aes_128_ctr(void)
778 {
779 #ifdef AESNI_CAPABLE
780 return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr;
781 #else
782 return &aes_128_ctr;
783 #endif
784 }
785 LCRYPTO_ALIAS(EVP_aes_128_ctr);
786
787
788 #ifdef AESNI_CAPABLE
789 static const EVP_CIPHER aesni_192_cbc = {
790 .nid = NID_aes_192_cbc,
791 .block_size = 16,
792 .key_len = 24,
793 .iv_len = 16,
794 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
795 .init = aesni_init_key,
796 .do_cipher = aesni_cbc_cipher,
797 .ctx_size = sizeof(EVP_AES_KEY),
798 };
799 #endif
800
801 static const EVP_CIPHER aes_192_cbc = {
802 .nid = NID_aes_192_cbc,
803 .block_size = 16,
804 .key_len = 24,
805 .iv_len = 16,
806 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
807 .init = aes_init_key,
808 .do_cipher = aes_cbc_cipher,
809 .ctx_size = sizeof(EVP_AES_KEY),
810 };
811
812 const EVP_CIPHER *
EVP_aes_192_cbc(void)813 EVP_aes_192_cbc(void)
814 {
815 #ifdef AESNI_CAPABLE
816 return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc;
817 #else
818 return &aes_192_cbc;
819 #endif
820 }
821 LCRYPTO_ALIAS(EVP_aes_192_cbc);
822
823 #ifdef AESNI_CAPABLE
824 static const EVP_CIPHER aesni_192_ecb = {
825 .nid = NID_aes_192_ecb,
826 .block_size = 16,
827 .key_len = 24,
828 .iv_len = 0,
829 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
830 .init = aesni_init_key,
831 .do_cipher = aesni_ecb_cipher,
832 .ctx_size = sizeof(EVP_AES_KEY),
833 };
834 #endif
835
836 static const EVP_CIPHER aes_192_ecb = {
837 .nid = NID_aes_192_ecb,
838 .block_size = 16,
839 .key_len = 24,
840 .iv_len = 0,
841 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
842 .init = aes_init_key,
843 .do_cipher = aes_ecb_cipher,
844 .ctx_size = sizeof(EVP_AES_KEY),
845 };
846
847 const EVP_CIPHER *
EVP_aes_192_ecb(void)848 EVP_aes_192_ecb(void)
849 {
850 #ifdef AESNI_CAPABLE
851 return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb;
852 #else
853 return &aes_192_ecb;
854 #endif
855 }
856 LCRYPTO_ALIAS(EVP_aes_192_ecb);
857
858 #ifdef AESNI_CAPABLE
859 static const EVP_CIPHER aesni_192_ofb = {
860 .nid = NID_aes_192_ofb128,
861 .block_size = 1,
862 .key_len = 24,
863 .iv_len = 16,
864 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
865 .init = aesni_init_key,
866 .do_cipher = aes_ofb_cipher,
867 .ctx_size = sizeof(EVP_AES_KEY),
868 };
869 #endif
870
871 static const EVP_CIPHER aes_192_ofb = {
872 .nid = NID_aes_192_ofb128,
873 .block_size = 1,
874 .key_len = 24,
875 .iv_len = 16,
876 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
877 .init = aes_init_key,
878 .do_cipher = aes_ofb_cipher,
879 .ctx_size = sizeof(EVP_AES_KEY),
880 };
881
882 const EVP_CIPHER *
EVP_aes_192_ofb(void)883 EVP_aes_192_ofb(void)
884 {
885 #ifdef AESNI_CAPABLE
886 return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb;
887 #else
888 return &aes_192_ofb;
889 #endif
890 }
891 LCRYPTO_ALIAS(EVP_aes_192_ofb);
892
893 #ifdef AESNI_CAPABLE
894 static const EVP_CIPHER aesni_192_cfb = {
895 .nid = NID_aes_192_cfb128,
896 .block_size = 1,
897 .key_len = 24,
898 .iv_len = 16,
899 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
900 .init = aesni_init_key,
901 .do_cipher = aes_cfb_cipher,
902 .ctx_size = sizeof(EVP_AES_KEY),
903 };
904 #endif
905
906 static const EVP_CIPHER aes_192_cfb = {
907 .nid = NID_aes_192_cfb128,
908 .block_size = 1,
909 .key_len = 24,
910 .iv_len = 16,
911 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
912 .init = aes_init_key,
913 .do_cipher = aes_cfb_cipher,
914 .ctx_size = sizeof(EVP_AES_KEY),
915 };
916
917 const EVP_CIPHER *
EVP_aes_192_cfb128(void)918 EVP_aes_192_cfb128(void)
919 {
920 #ifdef AESNI_CAPABLE
921 return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb;
922 #else
923 return &aes_192_cfb;
924 #endif
925 }
926 LCRYPTO_ALIAS(EVP_aes_192_cfb128);
927
928 #ifdef AESNI_CAPABLE
929 static const EVP_CIPHER aesni_192_cfb1 = {
930 .nid = NID_aes_192_cfb1,
931 .block_size = 1,
932 .key_len = 24,
933 .iv_len = 16,
934 .flags = EVP_CIPH_CFB_MODE,
935 .init = aesni_init_key,
936 .do_cipher = aes_cfb1_cipher,
937 .ctx_size = sizeof(EVP_AES_KEY),
938 };
939 #endif
940
941 static const EVP_CIPHER aes_192_cfb1 = {
942 .nid = NID_aes_192_cfb1,
943 .block_size = 1,
944 .key_len = 24,
945 .iv_len = 16,
946 .flags = EVP_CIPH_CFB_MODE,
947 .init = aes_init_key,
948 .do_cipher = aes_cfb1_cipher,
949 .ctx_size = sizeof(EVP_AES_KEY),
950 };
951
952 const EVP_CIPHER *
EVP_aes_192_cfb1(void)953 EVP_aes_192_cfb1(void)
954 {
955 #ifdef AESNI_CAPABLE
956 return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1;
957 #else
958 return &aes_192_cfb1;
959 #endif
960 }
961 LCRYPTO_ALIAS(EVP_aes_192_cfb1);
962
963 #ifdef AESNI_CAPABLE
964 static const EVP_CIPHER aesni_192_cfb8 = {
965 .nid = NID_aes_192_cfb8,
966 .block_size = 1,
967 .key_len = 24,
968 .iv_len = 16,
969 .flags = EVP_CIPH_CFB_MODE,
970 .init = aesni_init_key,
971 .do_cipher = aes_cfb8_cipher,
972 .ctx_size = sizeof(EVP_AES_KEY),
973 };
974 #endif
975
976 static const EVP_CIPHER aes_192_cfb8 = {
977 .nid = NID_aes_192_cfb8,
978 .block_size = 1,
979 .key_len = 24,
980 .iv_len = 16,
981 .flags = EVP_CIPH_CFB_MODE,
982 .init = aes_init_key,
983 .do_cipher = aes_cfb8_cipher,
984 .ctx_size = sizeof(EVP_AES_KEY),
985 };
986
987 const EVP_CIPHER *
EVP_aes_192_cfb8(void)988 EVP_aes_192_cfb8(void)
989 {
990 #ifdef AESNI_CAPABLE
991 return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8;
992 #else
993 return &aes_192_cfb8;
994 #endif
995 }
996 LCRYPTO_ALIAS(EVP_aes_192_cfb8);
997
998 #ifdef AESNI_CAPABLE
999 static const EVP_CIPHER aesni_192_ctr = {
1000 .nid = NID_aes_192_ctr,
1001 .block_size = 1,
1002 .key_len = 24,
1003 .iv_len = 16,
1004 .flags = EVP_CIPH_CTR_MODE,
1005 .init = aesni_init_key,
1006 .do_cipher = aes_ctr_cipher,
1007 .ctx_size = sizeof(EVP_AES_KEY),
1008 };
1009 #endif
1010
1011 static const EVP_CIPHER aes_192_ctr = {
1012 .nid = NID_aes_192_ctr,
1013 .block_size = 1,
1014 .key_len = 24,
1015 .iv_len = 16,
1016 .flags = EVP_CIPH_CTR_MODE,
1017 .init = aes_init_key,
1018 .do_cipher = aes_ctr_cipher,
1019 .ctx_size = sizeof(EVP_AES_KEY),
1020 };
1021
1022 const EVP_CIPHER *
EVP_aes_192_ctr(void)1023 EVP_aes_192_ctr(void)
1024 {
1025 #ifdef AESNI_CAPABLE
1026 return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr;
1027 #else
1028 return &aes_192_ctr;
1029 #endif
1030 }
1031 LCRYPTO_ALIAS(EVP_aes_192_ctr);
1032
1033
1034 #ifdef AESNI_CAPABLE
1035 static const EVP_CIPHER aesni_256_cbc = {
1036 .nid = NID_aes_256_cbc,
1037 .block_size = 16,
1038 .key_len = 32,
1039 .iv_len = 16,
1040 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
1041 .init = aesni_init_key,
1042 .do_cipher = aesni_cbc_cipher,
1043 .ctx_size = sizeof(EVP_AES_KEY),
1044 };
1045 #endif
1046
1047 static const EVP_CIPHER aes_256_cbc = {
1048 .nid = NID_aes_256_cbc,
1049 .block_size = 16,
1050 .key_len = 32,
1051 .iv_len = 16,
1052 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
1053 .init = aes_init_key,
1054 .do_cipher = aes_cbc_cipher,
1055 .ctx_size = sizeof(EVP_AES_KEY),
1056 };
1057
1058 const EVP_CIPHER *
EVP_aes_256_cbc(void)1059 EVP_aes_256_cbc(void)
1060 {
1061 #ifdef AESNI_CAPABLE
1062 return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc;
1063 #else
1064 return &aes_256_cbc;
1065 #endif
1066 }
1067 LCRYPTO_ALIAS(EVP_aes_256_cbc);
1068
1069 #ifdef AESNI_CAPABLE
1070 static const EVP_CIPHER aesni_256_ecb = {
1071 .nid = NID_aes_256_ecb,
1072 .block_size = 16,
1073 .key_len = 32,
1074 .iv_len = 0,
1075 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
1076 .init = aesni_init_key,
1077 .do_cipher = aesni_ecb_cipher,
1078 .ctx_size = sizeof(EVP_AES_KEY),
1079 };
1080 #endif
1081
1082 static const EVP_CIPHER aes_256_ecb = {
1083 .nid = NID_aes_256_ecb,
1084 .block_size = 16,
1085 .key_len = 32,
1086 .iv_len = 0,
1087 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
1088 .init = aes_init_key,
1089 .do_cipher = aes_ecb_cipher,
1090 .ctx_size = sizeof(EVP_AES_KEY),
1091 };
1092
1093 const EVP_CIPHER *
EVP_aes_256_ecb(void)1094 EVP_aes_256_ecb(void)
1095 {
1096 #ifdef AESNI_CAPABLE
1097 return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb;
1098 #else
1099 return &aes_256_ecb;
1100 #endif
1101 }
1102 LCRYPTO_ALIAS(EVP_aes_256_ecb);
1103
1104 #ifdef AESNI_CAPABLE
1105 static const EVP_CIPHER aesni_256_ofb = {
1106 .nid = NID_aes_256_ofb128,
1107 .block_size = 1,
1108 .key_len = 32,
1109 .iv_len = 16,
1110 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
1111 .init = aesni_init_key,
1112 .do_cipher = aes_ofb_cipher,
1113 .ctx_size = sizeof(EVP_AES_KEY),
1114 };
1115 #endif
1116
1117 static const EVP_CIPHER aes_256_ofb = {
1118 .nid = NID_aes_256_ofb128,
1119 .block_size = 1,
1120 .key_len = 32,
1121 .iv_len = 16,
1122 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
1123 .init = aes_init_key,
1124 .do_cipher = aes_ofb_cipher,
1125 .ctx_size = sizeof(EVP_AES_KEY),
1126 };
1127
1128 const EVP_CIPHER *
EVP_aes_256_ofb(void)1129 EVP_aes_256_ofb(void)
1130 {
1131 #ifdef AESNI_CAPABLE
1132 return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb;
1133 #else
1134 return &aes_256_ofb;
1135 #endif
1136 }
1137 LCRYPTO_ALIAS(EVP_aes_256_ofb);
1138
1139 #ifdef AESNI_CAPABLE
1140 static const EVP_CIPHER aesni_256_cfb = {
1141 .nid = NID_aes_256_cfb128,
1142 .block_size = 1,
1143 .key_len = 32,
1144 .iv_len = 16,
1145 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
1146 .init = aesni_init_key,
1147 .do_cipher = aes_cfb_cipher,
1148 .ctx_size = sizeof(EVP_AES_KEY),
1149 };
1150 #endif
1151
1152 static const EVP_CIPHER aes_256_cfb = {
1153 .nid = NID_aes_256_cfb128,
1154 .block_size = 1,
1155 .key_len = 32,
1156 .iv_len = 16,
1157 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
1158 .init = aes_init_key,
1159 .do_cipher = aes_cfb_cipher,
1160 .ctx_size = sizeof(EVP_AES_KEY),
1161 };
1162
1163 const EVP_CIPHER *
EVP_aes_256_cfb128(void)1164 EVP_aes_256_cfb128(void)
1165 {
1166 #ifdef AESNI_CAPABLE
1167 return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb;
1168 #else
1169 return &aes_256_cfb;
1170 #endif
1171 }
1172 LCRYPTO_ALIAS(EVP_aes_256_cfb128);
1173
1174 #ifdef AESNI_CAPABLE
1175 static const EVP_CIPHER aesni_256_cfb1 = {
1176 .nid = NID_aes_256_cfb1,
1177 .block_size = 1,
1178 .key_len = 32,
1179 .iv_len = 16,
1180 .flags = EVP_CIPH_CFB_MODE,
1181 .init = aesni_init_key,
1182 .do_cipher = aes_cfb1_cipher,
1183 .ctx_size = sizeof(EVP_AES_KEY),
1184 };
1185 #endif
1186
1187 static const EVP_CIPHER aes_256_cfb1 = {
1188 .nid = NID_aes_256_cfb1,
1189 .block_size = 1,
1190 .key_len = 32,
1191 .iv_len = 16,
1192 .flags = EVP_CIPH_CFB_MODE,
1193 .init = aes_init_key,
1194 .do_cipher = aes_cfb1_cipher,
1195 .ctx_size = sizeof(EVP_AES_KEY),
1196 };
1197
1198 const EVP_CIPHER *
EVP_aes_256_cfb1(void)1199 EVP_aes_256_cfb1(void)
1200 {
1201 #ifdef AESNI_CAPABLE
1202 return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1;
1203 #else
1204 return &aes_256_cfb1;
1205 #endif
1206 }
1207 LCRYPTO_ALIAS(EVP_aes_256_cfb1);
1208
1209 #ifdef AESNI_CAPABLE
1210 static const EVP_CIPHER aesni_256_cfb8 = {
1211 .nid = NID_aes_256_cfb8,
1212 .block_size = 1,
1213 .key_len = 32,
1214 .iv_len = 16,
1215 .flags = EVP_CIPH_CFB_MODE,
1216 .init = aesni_init_key,
1217 .do_cipher = aes_cfb8_cipher,
1218 .ctx_size = sizeof(EVP_AES_KEY),
1219 };
1220 #endif
1221
1222 static const EVP_CIPHER aes_256_cfb8 = {
1223 .nid = NID_aes_256_cfb8,
1224 .block_size = 1,
1225 .key_len = 32,
1226 .iv_len = 16,
1227 .flags = EVP_CIPH_CFB_MODE,
1228 .init = aes_init_key,
1229 .do_cipher = aes_cfb8_cipher,
1230 .ctx_size = sizeof(EVP_AES_KEY),
1231 };
1232
1233 const EVP_CIPHER *
EVP_aes_256_cfb8(void)1234 EVP_aes_256_cfb8(void)
1235 {
1236 #ifdef AESNI_CAPABLE
1237 return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8;
1238 #else
1239 return &aes_256_cfb8;
1240 #endif
1241 }
1242 LCRYPTO_ALIAS(EVP_aes_256_cfb8);
1243
1244 #ifdef AESNI_CAPABLE
1245 static const EVP_CIPHER aesni_256_ctr = {
1246 .nid = NID_aes_256_ctr,
1247 .block_size = 1,
1248 .key_len = 32,
1249 .iv_len = 16,
1250 .flags = EVP_CIPH_CTR_MODE,
1251 .init = aesni_init_key,
1252 .do_cipher = aes_ctr_cipher,
1253 .ctx_size = sizeof(EVP_AES_KEY),
1254 };
1255 #endif
1256
1257 static const EVP_CIPHER aes_256_ctr = {
1258 .nid = NID_aes_256_ctr,
1259 .block_size = 1,
1260 .key_len = 32,
1261 .iv_len = 16,
1262 .flags = EVP_CIPH_CTR_MODE,
1263 .init = aes_init_key,
1264 .do_cipher = aes_ctr_cipher,
1265 .ctx_size = sizeof(EVP_AES_KEY),
1266 };
1267
1268 const EVP_CIPHER *
EVP_aes_256_ctr(void)1269 EVP_aes_256_ctr(void)
1270 {
1271 #ifdef AESNI_CAPABLE
1272 return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr;
1273 #else
1274 return &aes_256_ctr;
1275 #endif
1276 }
1277 LCRYPTO_ALIAS(EVP_aes_256_ctr);
1278
1279 static int
aes_gcm_cleanup(EVP_CIPHER_CTX * c)1280 aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1281 {
1282 EVP_AES_GCM_CTX *gctx = c->cipher_data;
1283
1284 if (gctx->iv != c->iv)
1285 free(gctx->iv);
1286
1287 explicit_bzero(gctx, sizeof(*gctx));
1288
1289 return 1;
1290 }
1291
1292 /* increment counter (64-bit int) by 1 */
1293 static void
ctr64_inc(unsigned char * counter)1294 ctr64_inc(unsigned char *counter)
1295 {
1296 int n = 8;
1297 unsigned char c;
1298
1299 do {
1300 --n;
1301 c = counter[n];
1302 ++c;
1303 counter[n] = c;
1304 if (c)
1305 return;
1306 } while (n);
1307 }
1308
1309 static int
aes_gcm_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1310 aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1311 {
1312 EVP_AES_GCM_CTX *gctx = c->cipher_data;
1313
1314 switch (type) {
1315 case EVP_CTRL_INIT:
1316 gctx->key_set = 0;
1317 gctx->iv_set = 0;
1318 if (c->cipher->iv_len == 0) {
1319 EVPerror(EVP_R_INVALID_IV_LENGTH);
1320 return 0;
1321 }
1322 gctx->ivlen = c->cipher->iv_len;
1323 gctx->iv = c->iv;
1324 gctx->taglen = -1;
1325 gctx->iv_gen = 0;
1326 gctx->tls_aad_len = -1;
1327 return 1;
1328
1329 case EVP_CTRL_AEAD_GET_IVLEN:
1330 *(int *)ptr = gctx->ivlen;
1331 return 1;
1332
1333 case EVP_CTRL_AEAD_SET_IVLEN:
1334 if (arg <= 0)
1335 return 0;
1336 /* Allocate memory for IV if needed */
1337 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
1338 if (gctx->iv != c->iv)
1339 free(gctx->iv);
1340 gctx->iv = malloc(arg);
1341 if (!gctx->iv)
1342 return 0;
1343 }
1344 gctx->ivlen = arg;
1345 return 1;
1346
1347 case EVP_CTRL_GCM_SET_TAG:
1348 if (arg <= 0 || arg > 16 || c->encrypt)
1349 return 0;
1350 memcpy(c->buf, ptr, arg);
1351 gctx->taglen = arg;
1352 return 1;
1353
1354 case EVP_CTRL_GCM_GET_TAG:
1355 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1356 return 0;
1357 memcpy(ptr, c->buf, arg);
1358 return 1;
1359
1360 case EVP_CTRL_GCM_SET_IV_FIXED:
1361 /* Special case: -1 length restores whole IV */
1362 if (arg == -1) {
1363 memcpy(gctx->iv, ptr, gctx->ivlen);
1364 gctx->iv_gen = 1;
1365 return 1;
1366 }
1367 /* Fixed field must be at least 4 bytes and invocation field
1368 * at least 8.
1369 */
1370 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1371 return 0;
1372 if (arg)
1373 memcpy(gctx->iv, ptr, arg);
1374 if (c->encrypt)
1375 arc4random_buf(gctx->iv + arg, gctx->ivlen - arg);
1376 gctx->iv_gen = 1;
1377 return 1;
1378
1379 case EVP_CTRL_GCM_IV_GEN:
1380 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1381 return 0;
1382 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1383 if (arg <= 0 || arg > gctx->ivlen)
1384 arg = gctx->ivlen;
1385 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1386 /* Invocation field will be at least 8 bytes in size and
1387 * so no need to check wrap around or increment more than
1388 * last 8 bytes.
1389 */
1390 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1391 gctx->iv_set = 1;
1392 return 1;
1393
1394 case EVP_CTRL_GCM_SET_IV_INV:
1395 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1396 return 0;
1397 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1398 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1399 gctx->iv_set = 1;
1400 return 1;
1401
1402 case EVP_CTRL_AEAD_TLS1_AAD:
1403 /* Save the AAD for later use */
1404 if (arg != 13)
1405 return 0;
1406 memcpy(c->buf, ptr, arg);
1407 gctx->tls_aad_len = arg;
1408 {
1409 unsigned int len = c->buf[arg - 2] << 8 |
1410 c->buf[arg - 1];
1411
1412 /* Correct length for explicit IV */
1413 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
1414 return 0;
1415 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1416
1417 /* If decrypting correct for tag too */
1418 if (!c->encrypt) {
1419 if (len < EVP_GCM_TLS_TAG_LEN)
1420 return 0;
1421 len -= EVP_GCM_TLS_TAG_LEN;
1422 }
1423 c->buf[arg - 2] = len >> 8;
1424 c->buf[arg - 1] = len & 0xff;
1425 }
1426 /* Extra padding: tag appended to record */
1427 return EVP_GCM_TLS_TAG_LEN;
1428
1429 case EVP_CTRL_COPY:
1430 {
1431 EVP_CIPHER_CTX *out = ptr;
1432 EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
1433
1434 if (gctx->gcm.key) {
1435 if (gctx->gcm.key != &gctx->ks)
1436 return 0;
1437 gctx_out->gcm.key = &gctx_out->ks;
1438 }
1439
1440 if (gctx->iv == c->iv) {
1441 gctx_out->iv = out->iv;
1442 } else {
1443 if ((gctx_out->iv = calloc(1, gctx->ivlen)) == NULL)
1444 return 0;
1445 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
1446 }
1447 return 1;
1448 }
1449
1450 default:
1451 return -1;
1452
1453 }
1454 }
1455
1456 static ctr128_f
aes_gcm_set_key(AES_KEY * aes_key,GCM128_CONTEXT * gcm_ctx,const unsigned char * key,size_t key_len)1457 aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
1458 const unsigned char *key, size_t key_len)
1459 {
1460 #ifdef BSAES_CAPABLE
1461 if (BSAES_CAPABLE) {
1462 AES_set_encrypt_key(key, key_len * 8, aes_key);
1463 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
1464 return (ctr128_f)bsaes_ctr32_encrypt_blocks;
1465 } else
1466 #endif
1467 #ifdef VPAES_CAPABLE
1468 if (VPAES_CAPABLE) {
1469 vpaes_set_encrypt_key(key, key_len * 8, aes_key);
1470 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
1471 return NULL;
1472 } else
1473 #endif
1474 (void)0; /* terminate potentially open 'else' */
1475
1476 AES_set_encrypt_key(key, key_len * 8, aes_key);
1477 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
1478 #ifdef AES_CTR_ASM
1479 return (ctr128_f)AES_ctr32_encrypt;
1480 #else
1481 return NULL;
1482 #endif
1483 }
1484
1485 static int
aes_gcm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)1486 aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1487 const unsigned char *iv, int enc)
1488 {
1489 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1490
1491 if (!iv && !key)
1492 return 1;
1493 if (key) {
1494 gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm,
1495 key, ctx->key_len);
1496
1497 /* If we have an iv can set it directly, otherwise use
1498 * saved IV.
1499 */
1500 if (iv == NULL && gctx->iv_set)
1501 iv = gctx->iv;
1502 if (iv) {
1503 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1504 gctx->iv_set = 1;
1505 }
1506 gctx->key_set = 1;
1507 } else {
1508 /* If key set use IV, otherwise copy */
1509 if (gctx->key_set)
1510 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1511 else
1512 memcpy(gctx->iv, iv, gctx->ivlen);
1513 gctx->iv_set = 1;
1514 gctx->iv_gen = 0;
1515 }
1516 return 1;
1517 }
1518
1519 /* Handle TLS GCM packet format. This consists of the last portion of the IV
1520 * followed by the payload and finally the tag. On encrypt generate IV,
1521 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1522 * and verify tag.
1523 */
1524
1525 static int
aes_gcm_tls_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1526 aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1527 const unsigned char *in, size_t len)
1528 {
1529 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1530 int rv = -1;
1531
1532 /* Encrypt/decrypt must be performed in place */
1533 if (out != in ||
1534 len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1535 return -1;
1536
1537 /* Set IV from start of buffer or generate IV and write to start
1538 * of buffer.
1539 */
1540 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1541 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1542 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1543 goto err;
1544
1545 /* Use saved AAD */
1546 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1547 goto err;
1548
1549 /* Fix buffer and length to point to payload */
1550 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1551 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1552 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1553 if (ctx->encrypt) {
1554 /* Encrypt payload */
1555 if (gctx->ctr) {
1556 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out,
1557 len, gctx->ctr))
1558 goto err;
1559 } else {
1560 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1561 goto err;
1562 }
1563 out += len;
1564
1565 /* Finally write tag */
1566 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1567 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1568 } else {
1569 /* Decrypt */
1570 if (gctx->ctr) {
1571 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out,
1572 len, gctx->ctr))
1573 goto err;
1574 } else {
1575 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1576 goto err;
1577 }
1578 /* Retrieve tag */
1579 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
1580
1581 /* If tag mismatch wipe buffer */
1582 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
1583 explicit_bzero(out, len);
1584 goto err;
1585 }
1586 rv = len;
1587 }
1588
1589 err:
1590 gctx->iv_set = 0;
1591 gctx->tls_aad_len = -1;
1592 return rv;
1593 }
1594
1595 static int
aes_gcm_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1596 aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1597 const unsigned char *in, size_t len)
1598 {
1599 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1600
1601 /* If not set up, return error */
1602 if (!gctx->key_set)
1603 return -1;
1604
1605 if (gctx->tls_aad_len >= 0)
1606 return aes_gcm_tls_cipher(ctx, out, in, len);
1607
1608 if (!gctx->iv_set)
1609 return -1;
1610
1611 if (in) {
1612 if (out == NULL) {
1613 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1614 return -1;
1615 } else if (ctx->encrypt) {
1616 if (gctx->ctr) {
1617 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1618 in, out, len, gctx->ctr))
1619 return -1;
1620 } else {
1621 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1622 in, out, len))
1623 return -1;
1624 }
1625 } else {
1626 if (gctx->ctr) {
1627 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1628 in, out, len, gctx->ctr))
1629 return -1;
1630 } else {
1631 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1632 in, out, len))
1633 return -1;
1634 }
1635 }
1636 return len;
1637 } else {
1638 if (!ctx->encrypt) {
1639 if (gctx->taglen < 0)
1640 return -1;
1641 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf,
1642 gctx->taglen) != 0)
1643 return -1;
1644 gctx->iv_set = 0;
1645 return 0;
1646 }
1647 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1648 gctx->taglen = 16;
1649
1650 /* Don't reuse the IV */
1651 gctx->iv_set = 0;
1652 return 0;
1653 }
1654
1655 }
1656
1657 #define CUSTOM_FLAGS \
1658 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
1659 EVP_CIPH_FLAG_CUSTOM_IV_LENGTH | \
1660 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \
1661 EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
1662
1663
1664 #ifdef AESNI_CAPABLE
1665 static const EVP_CIPHER aesni_128_gcm = {
1666 .nid = NID_aes_128_gcm,
1667 .block_size = 1,
1668 .key_len = 16,
1669 .iv_len = 12,
1670 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1671 .init = aesni_gcm_init_key,
1672 .do_cipher = aes_gcm_cipher,
1673 .cleanup = aes_gcm_cleanup,
1674 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1675 .ctrl = aes_gcm_ctrl,
1676 };
1677 #endif
1678
1679 static const EVP_CIPHER aes_128_gcm = {
1680 .nid = NID_aes_128_gcm,
1681 .block_size = 1,
1682 .key_len = 16,
1683 .iv_len = 12,
1684 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1685 .init = aes_gcm_init_key,
1686 .do_cipher = aes_gcm_cipher,
1687 .cleanup = aes_gcm_cleanup,
1688 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1689 .ctrl = aes_gcm_ctrl,
1690 };
1691
1692 const EVP_CIPHER *
EVP_aes_128_gcm(void)1693 EVP_aes_128_gcm(void)
1694 {
1695 #ifdef AESNI_CAPABLE
1696 return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm;
1697 #else
1698 return &aes_128_gcm;
1699 #endif
1700 }
1701 LCRYPTO_ALIAS(EVP_aes_128_gcm);
1702
1703 #ifdef AESNI_CAPABLE
1704 static const EVP_CIPHER aesni_192_gcm = {
1705 .nid = NID_aes_192_gcm,
1706 .block_size = 1,
1707 .key_len = 24,
1708 .iv_len = 12,
1709 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1710 .init = aesni_gcm_init_key,
1711 .do_cipher = aes_gcm_cipher,
1712 .cleanup = aes_gcm_cleanup,
1713 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1714 .ctrl = aes_gcm_ctrl,
1715 };
1716 #endif
1717
1718 static const EVP_CIPHER aes_192_gcm = {
1719 .nid = NID_aes_192_gcm,
1720 .block_size = 1,
1721 .key_len = 24,
1722 .iv_len = 12,
1723 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1724 .init = aes_gcm_init_key,
1725 .do_cipher = aes_gcm_cipher,
1726 .cleanup = aes_gcm_cleanup,
1727 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1728 .ctrl = aes_gcm_ctrl,
1729 };
1730
1731 const EVP_CIPHER *
EVP_aes_192_gcm(void)1732 EVP_aes_192_gcm(void)
1733 {
1734 #ifdef AESNI_CAPABLE
1735 return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm;
1736 #else
1737 return &aes_192_gcm;
1738 #endif
1739 }
1740 LCRYPTO_ALIAS(EVP_aes_192_gcm);
1741
1742 #ifdef AESNI_CAPABLE
1743 static const EVP_CIPHER aesni_256_gcm = {
1744 .nid = NID_aes_256_gcm,
1745 .block_size = 1,
1746 .key_len = 32,
1747 .iv_len = 12,
1748 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1749 .init = aesni_gcm_init_key,
1750 .do_cipher = aes_gcm_cipher,
1751 .cleanup = aes_gcm_cleanup,
1752 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1753 .ctrl = aes_gcm_ctrl,
1754 };
1755 #endif
1756
1757 static const EVP_CIPHER aes_256_gcm = {
1758 .nid = NID_aes_256_gcm,
1759 .block_size = 1,
1760 .key_len = 32,
1761 .iv_len = 12,
1762 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1763 .init = aes_gcm_init_key,
1764 .do_cipher = aes_gcm_cipher,
1765 .cleanup = aes_gcm_cleanup,
1766 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1767 .ctrl = aes_gcm_ctrl,
1768 };
1769
1770 const EVP_CIPHER *
EVP_aes_256_gcm(void)1771 EVP_aes_256_gcm(void)
1772 {
1773 #ifdef AESNI_CAPABLE
1774 return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm;
1775 #else
1776 return &aes_256_gcm;
1777 #endif
1778 }
1779 LCRYPTO_ALIAS(EVP_aes_256_gcm);
1780
1781 static int
aes_xts_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1782 aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1783 {
1784 EVP_AES_XTS_CTX *xctx = c->cipher_data;
1785
1786 switch (type) {
1787 case EVP_CTRL_INIT:
1788 /*
1789 * key1 and key2 are used as an indicator both key and IV
1790 * are set
1791 */
1792 xctx->xts.key1 = NULL;
1793 xctx->xts.key2 = NULL;
1794 return 1;
1795
1796 case EVP_CTRL_COPY:
1797 {
1798 EVP_CIPHER_CTX *out = ptr;
1799 EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
1800
1801 if (xctx->xts.key1) {
1802 if (xctx->xts.key1 != &xctx->ks1)
1803 return 0;
1804 xctx_out->xts.key1 = &xctx_out->ks1;
1805 }
1806 if (xctx->xts.key2) {
1807 if (xctx->xts.key2 != &xctx->ks2)
1808 return 0;
1809 xctx_out->xts.key2 = &xctx_out->ks2;
1810 }
1811 return 1;
1812 }
1813 }
1814 return -1;
1815 }
1816
1817 static int
aes_xts_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)1818 aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1819 const unsigned char *iv, int enc)
1820 {
1821 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1822
1823 if (!iv && !key)
1824 return 1;
1825
1826 if (key) do {
1827 #ifdef AES_XTS_ASM
1828 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1829 #else
1830 xctx->stream = NULL;
1831 #endif
1832 /* key_len is two AES keys */
1833 #ifdef BSAES_CAPABLE
1834 if (BSAES_CAPABLE)
1835 xctx->stream = enc ? bsaes_xts_encrypt :
1836 bsaes_xts_decrypt;
1837 else
1838 #endif
1839 #ifdef VPAES_CAPABLE
1840 if (VPAES_CAPABLE) {
1841 if (enc) {
1842 vpaes_set_encrypt_key(key, ctx->key_len * 4,
1843 &xctx->ks1);
1844 xctx->xts.block1 = (block128_f)vpaes_encrypt;
1845 } else {
1846 vpaes_set_decrypt_key(key, ctx->key_len * 4,
1847 &xctx->ks1);
1848 xctx->xts.block1 = (block128_f)vpaes_decrypt;
1849 }
1850
1851 vpaes_set_encrypt_key(key + ctx->key_len / 2,
1852 ctx->key_len * 4, &xctx->ks2);
1853 xctx->xts.block2 = (block128_f)vpaes_encrypt;
1854
1855 xctx->xts.key1 = &xctx->ks1;
1856 break;
1857 } else
1858 #endif
1859 (void)0; /* terminate potentially open 'else' */
1860
1861 if (enc) {
1862 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1863 xctx->xts.block1 = (block128_f)AES_encrypt;
1864 } else {
1865 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1866 xctx->xts.block1 = (block128_f)AES_decrypt;
1867 }
1868
1869 AES_set_encrypt_key(key + ctx->key_len / 2,
1870 ctx->key_len * 4, &xctx->ks2);
1871 xctx->xts.block2 = (block128_f)AES_encrypt;
1872
1873 xctx->xts.key1 = &xctx->ks1;
1874 } while (0);
1875
1876 if (iv) {
1877 xctx->xts.key2 = &xctx->ks2;
1878 memcpy(ctx->iv, iv, 16);
1879 }
1880
1881 return 1;
1882 }
1883
1884 static int
aes_xts_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1885 aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1886 const unsigned char *in, size_t len)
1887 {
1888 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1889
1890 if (!xctx->xts.key1 || !xctx->xts.key2)
1891 return 0;
1892 if (!out || !in || len < AES_BLOCK_SIZE)
1893 return 0;
1894
1895 if (xctx->stream)
1896 (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2,
1897 ctx->iv);
1898 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1899 ctx->encrypt))
1900 return 0;
1901 return 1;
1902 }
1903
1904 #define XTS_FLAGS \
1905 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
1906 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
1907
1908
1909 #ifdef AESNI_CAPABLE
1910 static const EVP_CIPHER aesni_128_xts = {
1911 .nid = NID_aes_128_xts,
1912 .block_size = 1,
1913 .key_len = 2 * 16,
1914 .iv_len = 16,
1915 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1916 .init = aesni_xts_init_key,
1917 .do_cipher = aes_xts_cipher,
1918 .cleanup = NULL,
1919 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1920 .ctrl = aes_xts_ctrl,
1921 };
1922 #endif
1923
1924 static const EVP_CIPHER aes_128_xts = {
1925 .nid = NID_aes_128_xts,
1926 .block_size = 1,
1927 .key_len = 2 * 16,
1928 .iv_len = 16,
1929 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1930 .init = aes_xts_init_key,
1931 .do_cipher = aes_xts_cipher,
1932 .cleanup = NULL,
1933 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1934 .ctrl = aes_xts_ctrl,
1935 };
1936
1937 const EVP_CIPHER *
EVP_aes_128_xts(void)1938 EVP_aes_128_xts(void)
1939 {
1940 #ifdef AESNI_CAPABLE
1941 return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts;
1942 #else
1943 return &aes_128_xts;
1944 #endif
1945 }
1946 LCRYPTO_ALIAS(EVP_aes_128_xts);
1947
1948 #ifdef AESNI_CAPABLE
1949 static const EVP_CIPHER aesni_256_xts = {
1950 .nid = NID_aes_256_xts,
1951 .block_size = 1,
1952 .key_len = 2 * 32,
1953 .iv_len = 16,
1954 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1955 .init = aesni_xts_init_key,
1956 .do_cipher = aes_xts_cipher,
1957 .cleanup = NULL,
1958 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1959 .ctrl = aes_xts_ctrl,
1960 };
1961 #endif
1962
1963 static const EVP_CIPHER aes_256_xts = {
1964 .nid = NID_aes_256_xts,
1965 .block_size = 1,
1966 .key_len = 2 * 32,
1967 .iv_len = 16,
1968 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1969 .init = aes_xts_init_key,
1970 .do_cipher = aes_xts_cipher,
1971 .cleanup = NULL,
1972 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1973 .ctrl = aes_xts_ctrl,
1974 };
1975
1976 const EVP_CIPHER *
EVP_aes_256_xts(void)1977 EVP_aes_256_xts(void)
1978 {
1979 #ifdef AESNI_CAPABLE
1980 return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts;
1981 #else
1982 return &aes_256_xts;
1983 #endif
1984 }
1985 LCRYPTO_ALIAS(EVP_aes_256_xts);
1986
1987 static int
aes_ccm_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1988 aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1989 {
1990 EVP_AES_CCM_CTX *cctx = c->cipher_data;
1991
1992 switch (type) {
1993 case EVP_CTRL_INIT:
1994 cctx->key_set = 0;
1995 cctx->iv_set = 0;
1996 cctx->L = 8;
1997 cctx->M = 12;
1998 cctx->tag_set = 0;
1999 cctx->len_set = 0;
2000 return 1;
2001
2002 case EVP_CTRL_AEAD_GET_IVLEN:
2003 *(int *)ptr = 15 - cctx->L;
2004 return 1;
2005
2006 case EVP_CTRL_AEAD_SET_IVLEN:
2007 arg = 15 - arg;
2008
2009 case EVP_CTRL_CCM_SET_L:
2010 if (arg < 2 || arg > 8)
2011 return 0;
2012 cctx->L = arg;
2013 return 1;
2014
2015 case EVP_CTRL_CCM_SET_TAG:
2016 if ((arg & 1) || arg < 4 || arg > 16)
2017 return 0;
2018 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
2019 return 0;
2020 if (ptr) {
2021 cctx->tag_set = 1;
2022 memcpy(c->buf, ptr, arg);
2023 }
2024 cctx->M = arg;
2025 return 1;
2026
2027 case EVP_CTRL_CCM_GET_TAG:
2028 if (!c->encrypt || !cctx->tag_set)
2029 return 0;
2030 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
2031 return 0;
2032 cctx->tag_set = 0;
2033 cctx->iv_set = 0;
2034 cctx->len_set = 0;
2035 return 1;
2036
2037 case EVP_CTRL_COPY:
2038 {
2039 EVP_CIPHER_CTX *out = ptr;
2040 EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
2041
2042 if (cctx->ccm.key) {
2043 if (cctx->ccm.key != &cctx->ks)
2044 return 0;
2045 cctx_out->ccm.key = &cctx_out->ks;
2046 }
2047 return 1;
2048 }
2049
2050 default:
2051 return -1;
2052 }
2053 }
2054
2055 static int
aes_ccm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)2056 aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2057 const unsigned char *iv, int enc)
2058 {
2059 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
2060
2061 if (!iv && !key)
2062 return 1;
2063 if (key) do {
2064 #ifdef VPAES_CAPABLE
2065 if (VPAES_CAPABLE) {
2066 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
2067 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2068 &cctx->ks, (block128_f)vpaes_encrypt);
2069 cctx->str = NULL;
2070 cctx->key_set = 1;
2071 break;
2072 }
2073 #endif
2074 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
2075 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2076 &cctx->ks, (block128_f)AES_encrypt);
2077 cctx->str = NULL;
2078 cctx->key_set = 1;
2079 } while (0);
2080 if (iv) {
2081 memcpy(ctx->iv, iv, 15 - cctx->L);
2082 cctx->iv_set = 1;
2083 }
2084 return 1;
2085 }
2086
2087 static int
aes_ccm_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)2088 aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2089 const unsigned char *in, size_t len)
2090 {
2091 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
2092 CCM128_CONTEXT *ccm = &cctx->ccm;
2093
2094 /* If not set up, return error */
2095 if (!cctx->iv_set && !cctx->key_set)
2096 return -1;
2097 if (!ctx->encrypt && !cctx->tag_set)
2098 return -1;
2099
2100 if (!out) {
2101 if (!in) {
2102 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,
2103 len))
2104 return -1;
2105 cctx->len_set = 1;
2106 return len;
2107 }
2108 /* If have AAD need message length */
2109 if (!cctx->len_set && len)
2110 return -1;
2111 CRYPTO_ccm128_aad(ccm, in, len);
2112 return len;
2113 }
2114 /* EVP_*Final() doesn't return any data */
2115 if (!in)
2116 return 0;
2117 /* If not set length yet do it */
2118 if (!cctx->len_set) {
2119 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
2120 return -1;
2121 cctx->len_set = 1;
2122 }
2123 if (ctx->encrypt) {
2124 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
2125 cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len))
2126 return -1;
2127 cctx->tag_set = 1;
2128 return len;
2129 } else {
2130 int rv = -1;
2131 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
2132 cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
2133 unsigned char tag[16];
2134 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
2135 if (!memcmp(tag, ctx->buf, cctx->M))
2136 rv = len;
2137 }
2138 }
2139 if (rv == -1)
2140 explicit_bzero(out, len);
2141 cctx->iv_set = 0;
2142 cctx->tag_set = 0;
2143 cctx->len_set = 0;
2144 return rv;
2145 }
2146
2147 }
2148
2149 #ifdef AESNI_CAPABLE
2150 static const EVP_CIPHER aesni_128_ccm = {
2151 .nid = NID_aes_128_ccm,
2152 .block_size = 1,
2153 .key_len = 16,
2154 .iv_len = 12,
2155 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2156 .init = aesni_ccm_init_key,
2157 .do_cipher = aes_ccm_cipher,
2158 .cleanup = NULL,
2159 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2160 .ctrl = aes_ccm_ctrl,
2161 };
2162 #endif
2163
2164 static const EVP_CIPHER aes_128_ccm = {
2165 .nid = NID_aes_128_ccm,
2166 .block_size = 1,
2167 .key_len = 16,
2168 .iv_len = 12,
2169 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2170 .init = aes_ccm_init_key,
2171 .do_cipher = aes_ccm_cipher,
2172 .cleanup = NULL,
2173 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2174 .ctrl = aes_ccm_ctrl,
2175 };
2176
2177 const EVP_CIPHER *
EVP_aes_128_ccm(void)2178 EVP_aes_128_ccm(void)
2179 {
2180 #ifdef AESNI_CAPABLE
2181 return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm;
2182 #else
2183 return &aes_128_ccm;
2184 #endif
2185 }
2186 LCRYPTO_ALIAS(EVP_aes_128_ccm);
2187
2188 #ifdef AESNI_CAPABLE
2189 static const EVP_CIPHER aesni_192_ccm = {
2190 .nid = NID_aes_192_ccm,
2191 .block_size = 1,
2192 .key_len = 24,
2193 .iv_len = 12,
2194 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2195 .init = aesni_ccm_init_key,
2196 .do_cipher = aes_ccm_cipher,
2197 .cleanup = NULL,
2198 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2199 .ctrl = aes_ccm_ctrl,
2200 };
2201 #endif
2202
2203 static const EVP_CIPHER aes_192_ccm = {
2204 .nid = NID_aes_192_ccm,
2205 .block_size = 1,
2206 .key_len = 24,
2207 .iv_len = 12,
2208 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2209 .init = aes_ccm_init_key,
2210 .do_cipher = aes_ccm_cipher,
2211 .cleanup = NULL,
2212 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2213 .ctrl = aes_ccm_ctrl,
2214 };
2215
2216 const EVP_CIPHER *
EVP_aes_192_ccm(void)2217 EVP_aes_192_ccm(void)
2218 {
2219 #ifdef AESNI_CAPABLE
2220 return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm;
2221 #else
2222 return &aes_192_ccm;
2223 #endif
2224 }
2225 LCRYPTO_ALIAS(EVP_aes_192_ccm);
2226
2227 #ifdef AESNI_CAPABLE
2228 static const EVP_CIPHER aesni_256_ccm = {
2229 .nid = NID_aes_256_ccm,
2230 .block_size = 1,
2231 .key_len = 32,
2232 .iv_len = 12,
2233 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2234 .init = aesni_ccm_init_key,
2235 .do_cipher = aes_ccm_cipher,
2236 .cleanup = NULL,
2237 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2238 .ctrl = aes_ccm_ctrl,
2239 };
2240 #endif
2241
2242 static const EVP_CIPHER aes_256_ccm = {
2243 .nid = NID_aes_256_ccm,
2244 .block_size = 1,
2245 .key_len = 32,
2246 .iv_len = 12,
2247 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2248 .init = aes_ccm_init_key,
2249 .do_cipher = aes_ccm_cipher,
2250 .cleanup = NULL,
2251 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2252 .ctrl = aes_ccm_ctrl,
2253 };
2254
2255 const EVP_CIPHER *
EVP_aes_256_ccm(void)2256 EVP_aes_256_ccm(void)
2257 {
2258 #ifdef AESNI_CAPABLE
2259 return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm;
2260 #else
2261 return &aes_256_ccm;
2262 #endif
2263 }
2264 LCRYPTO_ALIAS(EVP_aes_256_ccm);
2265
2266 #define EVP_AEAD_AES_GCM_TAG_LEN 16
2267
2268 struct aead_aes_gcm_ctx {
2269 union {
2270 double align;
2271 AES_KEY ks;
2272 } ks;
2273 GCM128_CONTEXT gcm;
2274 ctr128_f ctr;
2275 unsigned char tag_len;
2276 };
2277
2278 static int
aead_aes_gcm_init(EVP_AEAD_CTX * ctx,const unsigned char * key,size_t key_len,size_t tag_len)2279 aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len,
2280 size_t tag_len)
2281 {
2282 struct aead_aes_gcm_ctx *gcm_ctx;
2283 const size_t key_bits = key_len * 8;
2284
2285 /* EVP_AEAD_CTX_init should catch this. */
2286 if (key_bits != 128 && key_bits != 256) {
2287 EVPerror(EVP_R_BAD_KEY_LENGTH);
2288 return 0;
2289 }
2290
2291 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH)
2292 tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
2293
2294 if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) {
2295 EVPerror(EVP_R_TAG_TOO_LARGE);
2296 return 0;
2297 }
2298
2299 if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL)
2300 return 0;
2301
2302 #ifdef AESNI_CAPABLE
2303 if (AESNI_CAPABLE) {
2304 aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
2305 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
2306 (block128_f)aesni_encrypt);
2307 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
2308 } else
2309 #endif
2310 {
2311 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
2312 key, key_len);
2313 }
2314 gcm_ctx->tag_len = tag_len;
2315 ctx->aead_state = gcm_ctx;
2316
2317 return 1;
2318 }
2319
2320 static void
aead_aes_gcm_cleanup(EVP_AEAD_CTX * ctx)2321 aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx)
2322 {
2323 struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2324
2325 freezero(gcm_ctx, sizeof(*gcm_ctx));
2326 }
2327
2328 static int
aead_aes_gcm_seal(const EVP_AEAD_CTX * ctx,unsigned char * out,size_t * out_len,size_t max_out_len,const unsigned char * nonce,size_t nonce_len,const unsigned char * in,size_t in_len,const unsigned char * ad,size_t ad_len)2329 aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
2330 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
2331 const unsigned char *in, size_t in_len, const unsigned char *ad,
2332 size_t ad_len)
2333 {
2334 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2335 GCM128_CONTEXT gcm;
2336 size_t bulk = 0;
2337
2338 if (max_out_len < in_len + gcm_ctx->tag_len) {
2339 EVPerror(EVP_R_BUFFER_TOO_SMALL);
2340 return 0;
2341 }
2342
2343 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
2344
2345 if (nonce_len == 0) {
2346 EVPerror(EVP_R_INVALID_IV_LENGTH);
2347 return 0;
2348 }
2349 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
2350
2351 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
2352 return 0;
2353
2354 if (gcm_ctx->ctr) {
2355 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
2356 in_len - bulk, gcm_ctx->ctr))
2357 return 0;
2358 } else {
2359 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
2360 in_len - bulk))
2361 return 0;
2362 }
2363
2364 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
2365 *out_len = in_len + gcm_ctx->tag_len;
2366
2367 return 1;
2368 }
2369
2370 static int
aead_aes_gcm_open(const EVP_AEAD_CTX * ctx,unsigned char * out,size_t * out_len,size_t max_out_len,const unsigned char * nonce,size_t nonce_len,const unsigned char * in,size_t in_len,const unsigned char * ad,size_t ad_len)2371 aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
2372 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
2373 const unsigned char *in, size_t in_len, const unsigned char *ad,
2374 size_t ad_len)
2375 {
2376 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2377 unsigned char tag[EVP_AEAD_AES_GCM_TAG_LEN];
2378 GCM128_CONTEXT gcm;
2379 size_t plaintext_len;
2380 size_t bulk = 0;
2381
2382 if (in_len < gcm_ctx->tag_len) {
2383 EVPerror(EVP_R_BAD_DECRYPT);
2384 return 0;
2385 }
2386
2387 plaintext_len = in_len - gcm_ctx->tag_len;
2388
2389 if (max_out_len < plaintext_len) {
2390 EVPerror(EVP_R_BUFFER_TOO_SMALL);
2391 return 0;
2392 }
2393
2394 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
2395
2396 if (nonce_len == 0) {
2397 EVPerror(EVP_R_INVALID_IV_LENGTH);
2398 return 0;
2399 }
2400 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
2401
2402 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
2403 return 0;
2404
2405 if (gcm_ctx->ctr) {
2406 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
2407 in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
2408 return 0;
2409 } else {
2410 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
2411 in_len - bulk - gcm_ctx->tag_len))
2412 return 0;
2413 }
2414
2415 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
2416 if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {
2417 EVPerror(EVP_R_BAD_DECRYPT);
2418 return 0;
2419 }
2420
2421 *out_len = plaintext_len;
2422
2423 return 1;
2424 }
2425
2426 static const EVP_AEAD aead_aes_128_gcm = {
2427 .key_len = 16,
2428 .nonce_len = 12,
2429 .overhead = EVP_AEAD_AES_GCM_TAG_LEN,
2430 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN,
2431
2432 .init = aead_aes_gcm_init,
2433 .cleanup = aead_aes_gcm_cleanup,
2434 .seal = aead_aes_gcm_seal,
2435 .open = aead_aes_gcm_open,
2436 };
2437
2438 static const EVP_AEAD aead_aes_256_gcm = {
2439 .key_len = 32,
2440 .nonce_len = 12,
2441 .overhead = EVP_AEAD_AES_GCM_TAG_LEN,
2442 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN,
2443
2444 .init = aead_aes_gcm_init,
2445 .cleanup = aead_aes_gcm_cleanup,
2446 .seal = aead_aes_gcm_seal,
2447 .open = aead_aes_gcm_open,
2448 };
2449
2450 const EVP_AEAD *
EVP_aead_aes_128_gcm(void)2451 EVP_aead_aes_128_gcm(void)
2452 {
2453 return &aead_aes_128_gcm;
2454 }
2455 LCRYPTO_ALIAS(EVP_aead_aes_128_gcm);
2456
2457 const EVP_AEAD *
EVP_aead_aes_256_gcm(void)2458 EVP_aead_aes_256_gcm(void)
2459 {
2460 return &aead_aes_256_gcm;
2461 }
2462 LCRYPTO_ALIAS(EVP_aead_aes_256_gcm);
2463
2464 typedef struct {
2465 union {
2466 double align;
2467 AES_KEY ks;
2468 } ks;
2469 unsigned char *iv;
2470 } EVP_AES_WRAP_CTX;
2471
2472 static int
aes_wrap_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)2473 aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2474 const unsigned char *iv, int enc)
2475 {
2476 EVP_AES_WRAP_CTX *wctx = (EVP_AES_WRAP_CTX *)ctx->cipher_data;
2477
2478 if (iv == NULL && key == NULL)
2479 return 1;
2480
2481 if (key != NULL) {
2482 if (ctx->encrypt)
2483 AES_set_encrypt_key(key, 8 * ctx->key_len,
2484 &wctx->ks.ks);
2485 else
2486 AES_set_decrypt_key(key, 8 * ctx->key_len,
2487 &wctx->ks.ks);
2488
2489 if (iv == NULL)
2490 wctx->iv = NULL;
2491 }
2492
2493 if (iv != NULL) {
2494 int iv_len = EVP_CIPHER_CTX_iv_length(ctx);
2495
2496 if (iv_len < 0 || iv_len > sizeof(ctx->iv))
2497 return 0;
2498 memcpy(ctx->iv, iv, iv_len);
2499 wctx->iv = ctx->iv;
2500 }
2501
2502 return 1;
2503 }
2504
2505 static int
aes_wrap_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t inlen)2506 aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2507 const unsigned char *in, size_t inlen)
2508 {
2509 EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
2510 int ret;
2511
2512 if (in == NULL)
2513 return 0;
2514
2515 if (inlen % 8 != 0)
2516 return -1;
2517 if (ctx->encrypt && inlen < 8)
2518 return -1;
2519 if (!ctx->encrypt && inlen < 16)
2520 return -1;
2521 if (inlen > INT_MAX)
2522 return -1;
2523
2524 if (out == NULL) {
2525 if (ctx->encrypt)
2526 return inlen + 8;
2527 else
2528 return inlen - 8;
2529 }
2530
2531 if (ctx->encrypt)
2532 ret = AES_wrap_key(&wctx->ks.ks, wctx->iv, out, in,
2533 (unsigned int)inlen);
2534 else
2535 ret = AES_unwrap_key(&wctx->ks.ks, wctx->iv, out, in,
2536 (unsigned int)inlen);
2537
2538 return ret != 0 ? ret : -1;
2539 }
2540
2541 static int
aes_wrap_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)2542 aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
2543 {
2544 EVP_AES_WRAP_CTX *wctx = c->cipher_data;
2545
2546 switch (type) {
2547 case EVP_CTRL_COPY:
2548 {
2549 EVP_CIPHER_CTX *out = ptr;
2550 EVP_AES_WRAP_CTX *wctx_out = out->cipher_data;
2551
2552 if (wctx->iv != NULL) {
2553 if (c->iv != wctx->iv)
2554 return 0;
2555
2556 wctx_out->iv = out->iv;
2557 }
2558
2559 return 1;
2560 }
2561 }
2562
2563 return -1;
2564 }
2565
2566 #define WRAP_FLAGS \
2567 ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \
2568 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \
2569 EVP_CIPH_CUSTOM_COPY )
2570
2571 static const EVP_CIPHER aes_128_wrap = {
2572 .nid = NID_id_aes128_wrap,
2573 .block_size = 8,
2574 .key_len = 16,
2575 .iv_len = 8,
2576 .flags = WRAP_FLAGS,
2577 .init = aes_wrap_init_key,
2578 .do_cipher = aes_wrap_cipher,
2579 .cleanup = NULL,
2580 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2581 .set_asn1_parameters = NULL,
2582 .get_asn1_parameters = NULL,
2583 .ctrl = aes_wrap_ctrl,
2584 };
2585
2586 const EVP_CIPHER *
EVP_aes_128_wrap(void)2587 EVP_aes_128_wrap(void)
2588 {
2589 return &aes_128_wrap;
2590 }
2591 LCRYPTO_ALIAS(EVP_aes_128_wrap);
2592
2593 static const EVP_CIPHER aes_192_wrap = {
2594 .nid = NID_id_aes192_wrap,
2595 .block_size = 8,
2596 .key_len = 24,
2597 .iv_len = 8,
2598 .flags = WRAP_FLAGS,
2599 .init = aes_wrap_init_key,
2600 .do_cipher = aes_wrap_cipher,
2601 .cleanup = NULL,
2602 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2603 .set_asn1_parameters = NULL,
2604 .get_asn1_parameters = NULL,
2605 .ctrl = aes_wrap_ctrl,
2606 };
2607
2608 const EVP_CIPHER *
EVP_aes_192_wrap(void)2609 EVP_aes_192_wrap(void)
2610 {
2611 return &aes_192_wrap;
2612 }
2613 LCRYPTO_ALIAS(EVP_aes_192_wrap);
2614
2615 static const EVP_CIPHER aes_256_wrap = {
2616 .nid = NID_id_aes256_wrap,
2617 .block_size = 8,
2618 .key_len = 32,
2619 .iv_len = 8,
2620 .flags = WRAP_FLAGS,
2621 .init = aes_wrap_init_key,
2622 .do_cipher = aes_wrap_cipher,
2623 .cleanup = NULL,
2624 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2625 .set_asn1_parameters = NULL,
2626 .get_asn1_parameters = NULL,
2627 .ctrl = aes_wrap_ctrl,
2628 };
2629
2630 const EVP_CIPHER *
EVP_aes_256_wrap(void)2631 EVP_aes_256_wrap(void)
2632 {
2633 return &aes_256_wrap;
2634 }
2635 LCRYPTO_ALIAS(EVP_aes_256_wrap);
2636
2637 #endif
2638