xref: /dragonfly/crypto/libressl/crypto/evp/e_aes.c (revision de0e0e4d)
1 /* $OpenBSD: e_aes.c,v 1.49 2022/09/13 04:59:18 jsing Exp $ */
2 /* ====================================================================
3  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in
14  *    the documentation and/or other materials provided with the
15  *    distribution.
16  *
17  * 3. All advertising materials mentioning features or use of this
18  *    software must display the following acknowledgment:
19  *    "This product includes software developed by the OpenSSL Project
20  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21  *
22  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23  *    endorse or promote products derived from this software without
24  *    prior written permission. For written permission, please contact
25  *    openssl-core@openssl.org.
26  *
27  * 5. Products derived from this software may not be called "OpenSSL"
28  *    nor may "OpenSSL" appear in their names without prior written
29  *    permission of the OpenSSL Project.
30  *
31  * 6. Redistributions of any form whatsoever must retain the following
32  *    acknowledgment:
33  *    "This product includes software developed by the OpenSSL Project
34  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35  *
36  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
40  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47  * OF THE POSSIBILITY OF SUCH DAMAGE.
48  * ====================================================================
49  *
50  */
51 
52 #include <limits.h>
53 #include <stdlib.h>
54 #include <string.h>
55 
56 #include <openssl/opensslconf.h>
57 
58 #ifndef OPENSSL_NO_AES
59 #include <openssl/aes.h>
60 #include <openssl/err.h>
61 #include <openssl/evp.h>
62 
63 #include "evp_locl.h"
64 #include "modes_lcl.h"
65 
66 typedef struct {
67 	AES_KEY ks;
68 	block128_f block;
69 	union {
70 		cbc128_f cbc;
71 		ctr128_f ctr;
72 	} stream;
73 } EVP_AES_KEY;
74 
75 typedef struct {
76 	AES_KEY ks;		/* AES key schedule to use */
77 	int key_set;		/* Set if key initialised */
78 	int iv_set;		/* Set if an iv is set */
79 	GCM128_CONTEXT gcm;
80 	unsigned char *iv;	/* Temporary IV store */
81 	int ivlen;		/* IV length */
82 	int taglen;
83 	int iv_gen;		/* It is OK to generate IVs */
84 	int tls_aad_len;	/* TLS AAD length */
85 	ctr128_f ctr;
86 } EVP_AES_GCM_CTX;
87 
88 typedef struct {
89 	AES_KEY ks1, ks2;	/* AES key schedules to use */
90 	XTS128_CONTEXT xts;
91 	void (*stream)(const unsigned char *in, unsigned char *out,
92 	    size_t length, const AES_KEY *key1, const AES_KEY *key2,
93 	    const unsigned char iv[16]);
94 } EVP_AES_XTS_CTX;
95 
96 typedef struct {
97 	AES_KEY ks;		/* AES key schedule to use */
98 	int key_set;		/* Set if key initialised */
99 	int iv_set;		/* Set if an iv is set */
100 	int tag_set;		/* Set if tag is valid */
101 	int len_set;		/* Set if message length set */
102 	int L, M;		/* L and M parameters from RFC3610 */
103 	CCM128_CONTEXT ccm;
104 	ccm128_f str;
105 } EVP_AES_CCM_CTX;
106 
107 #define MAXBITCHUNK	((size_t)1<<(sizeof(size_t)*8-4))
108 
109 #ifdef VPAES_ASM
110 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
111     AES_KEY *key);
112 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
113     AES_KEY *key);
114 
115 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
116     const AES_KEY *key);
117 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
118     const AES_KEY *key);
119 
120 void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
121     size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
122 #endif
123 #ifdef BSAES_ASM
124 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
125     size_t length, const AES_KEY *key, unsigned char ivec[16], int enc);
126 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
127     size_t len, const AES_KEY *key, const unsigned char ivec[16]);
128 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
129     size_t len, const AES_KEY *key1, const AES_KEY *key2,
130     const unsigned char iv[16]);
131 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
132     size_t len, const AES_KEY *key1, const AES_KEY *key2,
133     const unsigned char iv[16]);
134 #endif
135 #ifdef AES_CTR_ASM
136 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
137     size_t blocks, const AES_KEY *key,
138     const unsigned char ivec[AES_BLOCK_SIZE]);
139 #endif
140 #ifdef AES_XTS_ASM
141 void AES_xts_encrypt(const char *inp, char *out, size_t len,
142     const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
143 void AES_xts_decrypt(const char *inp, char *out, size_t len,
144     const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
145 #endif
146 
147 #if	defined(AES_ASM) &&				(  \
148 	((defined(__i386)	|| defined(__i386__)	|| \
149 	  defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
150 	defined(__x86_64)	|| defined(__x86_64__)	|| \
151 	defined(_M_AMD64)	|| defined(_M_X64)	|| \
152 	defined(__INTEL__)				)
153 
154 #include "x86_arch.h"
155 
156 #ifdef VPAES_ASM
157 #define VPAES_CAPABLE	(OPENSSL_cpu_caps() & CPUCAP_MASK_SSSE3)
158 #endif
159 #ifdef BSAES_ASM
160 #define BSAES_CAPABLE	VPAES_CAPABLE
161 #endif
162 /*
163  * AES-NI section
164  */
165 #define	AESNI_CAPABLE	(OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI)
166 
167 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
168     AES_KEY *key);
169 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
170     AES_KEY *key);
171 
172 void aesni_encrypt(const unsigned char *in, unsigned char *out,
173     const AES_KEY *key);
174 void aesni_decrypt(const unsigned char *in, unsigned char *out,
175     const AES_KEY *key);
176 
177 void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
178     size_t length, const AES_KEY *key, int enc);
179 void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
180     size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
181 
182 void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
183     size_t blocks, const void *key, const unsigned char *ivec);
184 
185 void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
186     size_t length, const AES_KEY *key1, const AES_KEY *key2,
187     const unsigned char iv[16]);
188 
189 void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
190     size_t length, const AES_KEY *key1, const AES_KEY *key2,
191     const unsigned char iv[16]);
192 
193 void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out,
194     size_t blocks, const void *key, const unsigned char ivec[16],
195     unsigned char cmac[16]);
196 
197 void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out,
198     size_t blocks, const void *key, const unsigned char ivec[16],
199     unsigned char cmac[16]);
200 
201 static int
aesni_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)202 aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
203     const unsigned char *iv, int enc)
204 {
205 	int ret, mode;
206 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
207 
208 	mode = ctx->cipher->flags & EVP_CIPH_MODE;
209 	if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
210 	    !enc) {
211 		ret = aesni_set_decrypt_key(key, ctx->key_len * 8,
212 		    ctx->cipher_data);
213 		dat->block = (block128_f)aesni_decrypt;
214 		dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
215 		    (cbc128_f)aesni_cbc_encrypt : NULL;
216 	} else {
217 		ret = aesni_set_encrypt_key(key, ctx->key_len * 8,
218 		    ctx->cipher_data);
219 		dat->block = (block128_f)aesni_encrypt;
220 		if (mode == EVP_CIPH_CBC_MODE)
221 			dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
222 		else if (mode == EVP_CIPH_CTR_MODE)
223 			dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
224 		else
225 			dat->stream.cbc = NULL;
226 	}
227 
228 	if (ret < 0) {
229 		EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
230 		return 0;
231 	}
232 
233 	return 1;
234 }
235 
236 static int
aesni_cbc_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)237 aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
238     const unsigned char *in, size_t len)
239 {
240 	aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv,
241 	    ctx->encrypt);
242 
243 	return 1;
244 }
245 
246 static int
aesni_ecb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)247 aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
248     const unsigned char *in, size_t len)
249 {
250 	size_t	bl = ctx->cipher->block_size;
251 
252 	if (len < bl)
253 		return 1;
254 
255 	aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
256 
257 	return 1;
258 }
259 
260 static int
aesni_gcm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)261 aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
262     const unsigned char *iv, int enc)
263 {
264 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
265 
266 	if (!iv && !key)
267 		return 1;
268 	if (key) {
269 		aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
270 		CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
271 		    (block128_f)aesni_encrypt);
272 		gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
273 		/* If we have an iv can set it directly, otherwise use
274 		 * saved IV.
275 		 */
276 		if (iv == NULL && gctx->iv_set)
277 			iv = gctx->iv;
278 		if (iv) {
279 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
280 			gctx->iv_set = 1;
281 		}
282 		gctx->key_set = 1;
283 	} else {
284 		/* If key set use IV, otherwise copy */
285 		if (gctx->key_set)
286 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
287 		else
288 			memcpy(gctx->iv, iv, gctx->ivlen);
289 		gctx->iv_set = 1;
290 		gctx->iv_gen = 0;
291 	}
292 	return 1;
293 }
294 
295 static int
aesni_xts_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)296 aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
297     const unsigned char *iv, int enc)
298 {
299 	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
300 
301 	if (!iv && !key)
302 		return 1;
303 
304 	if (key) {
305 		/* key_len is two AES keys */
306 		if (enc) {
307 			aesni_set_encrypt_key(key, ctx->key_len * 4,
308 			    &xctx->ks1);
309 			xctx->xts.block1 = (block128_f)aesni_encrypt;
310 			xctx->stream = aesni_xts_encrypt;
311 		} else {
312 			aesni_set_decrypt_key(key, ctx->key_len * 4,
313 			    &xctx->ks1);
314 			xctx->xts.block1 = (block128_f)aesni_decrypt;
315 			xctx->stream = aesni_xts_decrypt;
316 		}
317 
318 		aesni_set_encrypt_key(key + ctx->key_len / 2,
319 		    ctx->key_len * 4, &xctx->ks2);
320 		xctx->xts.block2 = (block128_f)aesni_encrypt;
321 
322 		xctx->xts.key1 = &xctx->ks1;
323 	}
324 
325 	if (iv) {
326 		xctx->xts.key2 = &xctx->ks2;
327 		memcpy(ctx->iv, iv, 16);
328 	}
329 
330 	return 1;
331 }
332 
333 static int
aesni_ccm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)334 aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
335     const unsigned char *iv, int enc)
336 {
337 	EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
338 
339 	if (!iv && !key)
340 		return 1;
341 	if (key) {
342 		aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
343 		CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
344 		    &cctx->ks, (block128_f)aesni_encrypt);
345 		cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks :
346 		    (ccm128_f)aesni_ccm64_decrypt_blocks;
347 		cctx->key_set = 1;
348 	}
349 	if (iv) {
350 		memcpy(ctx->iv, iv, 15 - cctx->L);
351 		cctx->iv_set = 1;
352 	}
353 	return 1;
354 }
355 
356 #endif
357 
358 static int
aes_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)359 aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
360     const unsigned char *iv, int enc)
361 {
362 	int ret, mode;
363 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
364 
365 	mode = ctx->cipher->flags & EVP_CIPH_MODE;
366 	if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
367 	    !enc)
368 #ifdef BSAES_CAPABLE
369 		if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
370 			ret = AES_set_decrypt_key(key, ctx->key_len * 8,
371 			    &dat->ks);
372 			dat->block = (block128_f)AES_decrypt;
373 			dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
374 		} else
375 #endif
376 #ifdef VPAES_CAPABLE
377 		if (VPAES_CAPABLE) {
378 			ret = vpaes_set_decrypt_key(key, ctx->key_len * 8,
379 			    &dat->ks);
380 			dat->block = (block128_f)vpaes_decrypt;
381 			dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
382 			    (cbc128_f)vpaes_cbc_encrypt : NULL;
383 		} else
384 #endif
385 		{
386 			ret = AES_set_decrypt_key(key, ctx->key_len * 8,
387 			    &dat->ks);
388 			dat->block = (block128_f)AES_decrypt;
389 			dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
390 			    (cbc128_f)AES_cbc_encrypt : NULL;
391 		} else
392 #ifdef BSAES_CAPABLE
393 		if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
394 			ret = AES_set_encrypt_key(key, ctx->key_len * 8,
395 			    &dat->ks);
396 			dat->block = (block128_f)AES_encrypt;
397 			dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
398 		} else
399 #endif
400 #ifdef VPAES_CAPABLE
401 		if (VPAES_CAPABLE) {
402 			ret = vpaes_set_encrypt_key(key, ctx->key_len * 8,
403 			    &dat->ks);
404 			dat->block = (block128_f)vpaes_encrypt;
405 			dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
406 			    (cbc128_f)vpaes_cbc_encrypt : NULL;
407 		} else
408 #endif
409 		{
410 			ret = AES_set_encrypt_key(key, ctx->key_len * 8,
411 			    &dat->ks);
412 			dat->block = (block128_f)AES_encrypt;
413 			dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
414 			    (cbc128_f)AES_cbc_encrypt : NULL;
415 #ifdef AES_CTR_ASM
416 			if (mode == EVP_CIPH_CTR_MODE)
417 				dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
418 #endif
419 		}
420 
421 	if (ret < 0) {
422 		EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
423 		return 0;
424 	}
425 
426 	return 1;
427 }
428 
429 static int
aes_cbc_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)430 aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
431     const unsigned char *in, size_t len)
432 {
433 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
434 
435 	if (dat->stream.cbc)
436 		(*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv,
437 		    ctx->encrypt);
438 	else if (ctx->encrypt)
439 		CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv,
440 		    dat->block);
441 	else
442 		CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv,
443 		    dat->block);
444 
445 	return 1;
446 }
447 
448 static int
aes_ecb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)449 aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
450     const unsigned char *in, size_t len)
451 {
452 	size_t	bl = ctx->cipher->block_size;
453 	size_t	i;
454 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
455 
456 	if (len < bl)
457 		return 1;
458 
459 	for (i = 0, len -= bl; i <= len; i += bl)
460 		(*dat->block)(in + i, out + i, &dat->ks);
461 
462 	return 1;
463 }
464 
465 static int
aes_ofb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)466 aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
467     const unsigned char *in, size_t len)
468 {
469 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
470 
471 	CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
472 	    dat->block);
473 	return 1;
474 }
475 
476 static int
aes_cfb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)477 aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
478     const unsigned char *in, size_t len)
479 {
480 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
481 
482 	CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
483 	    ctx->encrypt, dat->block);
484 	return 1;
485 }
486 
487 static int
aes_cfb8_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)488 aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
489     const unsigned char *in, size_t len)
490 {
491 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
492 
493 	CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
494 	    ctx->encrypt, dat->block);
495 	return 1;
496 }
497 
498 static int
aes_cfb1_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)499 aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
500     const unsigned char *in, size_t len)
501 {
502 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
503 
504 	if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
505 		CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv,
506 		    &ctx->num, ctx->encrypt, dat->block);
507 		return 1;
508 	}
509 
510 	while (len >= MAXBITCHUNK) {
511 		CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks,
512 		    ctx->iv, &ctx->num, ctx->encrypt, dat->block);
513 		len -= MAXBITCHUNK;
514 		in += MAXBITCHUNK;
515 		out += MAXBITCHUNK;
516 	}
517 	if (len)
518 		CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks,
519 		    ctx->iv, &ctx->num, ctx->encrypt, dat->block);
520 
521 	return 1;
522 }
523 
524 static int
aes_ctr_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)525 aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
526     const unsigned char *in, size_t len)
527 {
528 	unsigned int num = ctx->num;
529 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
530 
531 	if (dat->stream.ctr)
532 		CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
533 		    ctx->iv, ctx->buf, &num, dat->stream.ctr);
534 	else
535 		CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
536 		    ctx->iv, ctx->buf, &num, dat->block);
537 	ctx->num = (size_t)num;
538 	return 1;
539 }
540 
541 
542 #ifdef AESNI_CAPABLE
543 static const EVP_CIPHER aesni_128_cbc = {
544 	.nid = NID_aes_128_cbc,
545 	.block_size = 16,
546 	.key_len = 16,
547 	.iv_len = 16,
548 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
549 	.init = aesni_init_key,
550 	.do_cipher = aesni_cbc_cipher,
551 	.ctx_size = sizeof(EVP_AES_KEY),
552 };
553 #endif
554 
555 static const EVP_CIPHER aes_128_cbc = {
556 	.nid = NID_aes_128_cbc,
557 	.block_size = 16,
558 	.key_len = 16,
559 	.iv_len = 16,
560 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
561 	.init = aes_init_key,
562 	.do_cipher = aes_cbc_cipher,
563 	.ctx_size = sizeof(EVP_AES_KEY),
564 };
565 
566 const EVP_CIPHER *
EVP_aes_128_cbc(void)567 EVP_aes_128_cbc(void)
568 {
569 #ifdef AESNI_CAPABLE
570 	return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc;
571 #else
572 	return &aes_128_cbc;
573 #endif
574 }
575 
576 #ifdef AESNI_CAPABLE
577 static const EVP_CIPHER aesni_128_ecb = {
578 	.nid = NID_aes_128_ecb,
579 	.block_size = 16,
580 	.key_len = 16,
581 	.iv_len = 0,
582 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
583 	.init = aesni_init_key,
584 	.do_cipher = aesni_ecb_cipher,
585 	.ctx_size = sizeof(EVP_AES_KEY),
586 };
587 #endif
588 
589 static const EVP_CIPHER aes_128_ecb = {
590 	.nid = NID_aes_128_ecb,
591 	.block_size = 16,
592 	.key_len = 16,
593 	.iv_len = 0,
594 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
595 	.init = aes_init_key,
596 	.do_cipher = aes_ecb_cipher,
597 	.ctx_size = sizeof(EVP_AES_KEY),
598 };
599 
600 const EVP_CIPHER *
EVP_aes_128_ecb(void)601 EVP_aes_128_ecb(void)
602 {
603 #ifdef AESNI_CAPABLE
604 	return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb;
605 #else
606 	return &aes_128_ecb;
607 #endif
608 }
609 
610 #ifdef AESNI_CAPABLE
611 static const EVP_CIPHER aesni_128_ofb = {
612 	.nid = NID_aes_128_ofb128,
613 	.block_size = 1,
614 	.key_len = 16,
615 	.iv_len = 16,
616 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
617 	.init = aesni_init_key,
618 	.do_cipher = aes_ofb_cipher,
619 	.ctx_size = sizeof(EVP_AES_KEY),
620 };
621 #endif
622 
623 static const EVP_CIPHER aes_128_ofb = {
624 	.nid = NID_aes_128_ofb128,
625 	.block_size = 1,
626 	.key_len = 16,
627 	.iv_len = 16,
628 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
629 	.init = aes_init_key,
630 	.do_cipher = aes_ofb_cipher,
631 	.ctx_size = sizeof(EVP_AES_KEY),
632 };
633 
634 const EVP_CIPHER *
EVP_aes_128_ofb(void)635 EVP_aes_128_ofb(void)
636 {
637 #ifdef AESNI_CAPABLE
638 	return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb;
639 #else
640 	return &aes_128_ofb;
641 #endif
642 }
643 
644 #ifdef AESNI_CAPABLE
645 static const EVP_CIPHER aesni_128_cfb = {
646 	.nid = NID_aes_128_cfb128,
647 	.block_size = 1,
648 	.key_len = 16,
649 	.iv_len = 16,
650 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
651 	.init = aesni_init_key,
652 	.do_cipher = aes_cfb_cipher,
653 	.ctx_size = sizeof(EVP_AES_KEY),
654 };
655 #endif
656 
657 static const EVP_CIPHER aes_128_cfb = {
658 	.nid = NID_aes_128_cfb128,
659 	.block_size = 1,
660 	.key_len = 16,
661 	.iv_len = 16,
662 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
663 	.init = aes_init_key,
664 	.do_cipher = aes_cfb_cipher,
665 	.ctx_size = sizeof(EVP_AES_KEY),
666 };
667 
668 const EVP_CIPHER *
EVP_aes_128_cfb(void)669 EVP_aes_128_cfb(void)
670 {
671 #ifdef AESNI_CAPABLE
672 	return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb;
673 #else
674 	return &aes_128_cfb;
675 #endif
676 }
677 
678 #ifdef AESNI_CAPABLE
679 static const EVP_CIPHER aesni_128_cfb1 = {
680 	.nid = NID_aes_128_cfb1,
681 	.block_size = 1,
682 	.key_len = 16,
683 	.iv_len = 16,
684 	.flags = EVP_CIPH_CFB_MODE,
685 	.init = aesni_init_key,
686 	.do_cipher = aes_cfb1_cipher,
687 	.ctx_size = sizeof(EVP_AES_KEY),
688 };
689 #endif
690 
691 static const EVP_CIPHER aes_128_cfb1 = {
692 	.nid = NID_aes_128_cfb1,
693 	.block_size = 1,
694 	.key_len = 16,
695 	.iv_len = 16,
696 	.flags = EVP_CIPH_CFB_MODE,
697 	.init = aes_init_key,
698 	.do_cipher = aes_cfb1_cipher,
699 	.ctx_size = sizeof(EVP_AES_KEY),
700 };
701 
702 const EVP_CIPHER *
EVP_aes_128_cfb1(void)703 EVP_aes_128_cfb1(void)
704 {
705 #ifdef AESNI_CAPABLE
706 	return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1;
707 #else
708 	return &aes_128_cfb1;
709 #endif
710 }
711 
712 #ifdef AESNI_CAPABLE
713 static const EVP_CIPHER aesni_128_cfb8 = {
714 	.nid = NID_aes_128_cfb8,
715 	.block_size = 1,
716 	.key_len = 16,
717 	.iv_len = 16,
718 	.flags = EVP_CIPH_CFB_MODE,
719 	.init = aesni_init_key,
720 	.do_cipher = aes_cfb8_cipher,
721 	.ctx_size = sizeof(EVP_AES_KEY),
722 };
723 #endif
724 
725 static const EVP_CIPHER aes_128_cfb8 = {
726 	.nid = NID_aes_128_cfb8,
727 	.block_size = 1,
728 	.key_len = 16,
729 	.iv_len = 16,
730 	.flags = EVP_CIPH_CFB_MODE,
731 	.init = aes_init_key,
732 	.do_cipher = aes_cfb8_cipher,
733 	.ctx_size = sizeof(EVP_AES_KEY),
734 };
735 
736 const EVP_CIPHER *
EVP_aes_128_cfb8(void)737 EVP_aes_128_cfb8(void)
738 {
739 #ifdef AESNI_CAPABLE
740 	return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8;
741 #else
742 	return &aes_128_cfb8;
743 #endif
744 }
745 
746 #ifdef AESNI_CAPABLE
747 static const EVP_CIPHER aesni_128_ctr = {
748 	.nid = NID_aes_128_ctr,
749 	.block_size = 1,
750 	.key_len = 16,
751 	.iv_len = 16,
752 	.flags = EVP_CIPH_CTR_MODE,
753 	.init = aesni_init_key,
754 	.do_cipher = aes_ctr_cipher,
755 	.ctx_size = sizeof(EVP_AES_KEY),
756 };
757 #endif
758 
759 static const EVP_CIPHER aes_128_ctr = {
760 	.nid = NID_aes_128_ctr,
761 	.block_size = 1,
762 	.key_len = 16,
763 	.iv_len = 16,
764 	.flags = EVP_CIPH_CTR_MODE,
765 	.init = aes_init_key,
766 	.do_cipher = aes_ctr_cipher,
767 	.ctx_size = sizeof(EVP_AES_KEY),
768 };
769 
770 const EVP_CIPHER *
EVP_aes_128_ctr(void)771 EVP_aes_128_ctr(void)
772 {
773 #ifdef AESNI_CAPABLE
774 	return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr;
775 #else
776 	return &aes_128_ctr;
777 #endif
778 }
779 
780 
781 #ifdef AESNI_CAPABLE
782 static const EVP_CIPHER aesni_192_cbc = {
783 	.nid = NID_aes_192_cbc,
784 	.block_size = 16,
785 	.key_len = 24,
786 	.iv_len = 16,
787 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
788 	.init = aesni_init_key,
789 	.do_cipher = aesni_cbc_cipher,
790 	.ctx_size = sizeof(EVP_AES_KEY),
791 };
792 #endif
793 
794 static const EVP_CIPHER aes_192_cbc = {
795 	.nid = NID_aes_192_cbc,
796 	.block_size = 16,
797 	.key_len = 24,
798 	.iv_len = 16,
799 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
800 	.init = aes_init_key,
801 	.do_cipher = aes_cbc_cipher,
802 	.ctx_size = sizeof(EVP_AES_KEY),
803 };
804 
805 const EVP_CIPHER *
EVP_aes_192_cbc(void)806 EVP_aes_192_cbc(void)
807 {
808 #ifdef AESNI_CAPABLE
809 	return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc;
810 #else
811 	return &aes_192_cbc;
812 #endif
813 }
814 
815 #ifdef AESNI_CAPABLE
816 static const EVP_CIPHER aesni_192_ecb = {
817 	.nid = NID_aes_192_ecb,
818 	.block_size = 16,
819 	.key_len = 24,
820 	.iv_len = 0,
821 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
822 	.init = aesni_init_key,
823 	.do_cipher = aesni_ecb_cipher,
824 	.ctx_size = sizeof(EVP_AES_KEY),
825 };
826 #endif
827 
828 static const EVP_CIPHER aes_192_ecb = {
829 	.nid = NID_aes_192_ecb,
830 	.block_size = 16,
831 	.key_len = 24,
832 	.iv_len = 0,
833 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
834 	.init = aes_init_key,
835 	.do_cipher = aes_ecb_cipher,
836 	.ctx_size = sizeof(EVP_AES_KEY),
837 };
838 
839 const EVP_CIPHER *
EVP_aes_192_ecb(void)840 EVP_aes_192_ecb(void)
841 {
842 #ifdef AESNI_CAPABLE
843 	return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb;
844 #else
845 	return &aes_192_ecb;
846 #endif
847 }
848 
849 #ifdef AESNI_CAPABLE
850 static const EVP_CIPHER aesni_192_ofb = {
851 	.nid = NID_aes_192_ofb128,
852 	.block_size = 1,
853 	.key_len = 24,
854 	.iv_len = 16,
855 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
856 	.init = aesni_init_key,
857 	.do_cipher = aes_ofb_cipher,
858 	.ctx_size = sizeof(EVP_AES_KEY),
859 };
860 #endif
861 
862 static const EVP_CIPHER aes_192_ofb = {
863 	.nid = NID_aes_192_ofb128,
864 	.block_size = 1,
865 	.key_len = 24,
866 	.iv_len = 16,
867 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
868 	.init = aes_init_key,
869 	.do_cipher = aes_ofb_cipher,
870 	.ctx_size = sizeof(EVP_AES_KEY),
871 };
872 
873 const EVP_CIPHER *
EVP_aes_192_ofb(void)874 EVP_aes_192_ofb(void)
875 {
876 #ifdef AESNI_CAPABLE
877 	return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb;
878 #else
879 	return &aes_192_ofb;
880 #endif
881 }
882 
883 #ifdef AESNI_CAPABLE
884 static const EVP_CIPHER aesni_192_cfb = {
885 	.nid = NID_aes_192_cfb128,
886 	.block_size = 1,
887 	.key_len = 24,
888 	.iv_len = 16,
889 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
890 	.init = aesni_init_key,
891 	.do_cipher = aes_cfb_cipher,
892 	.ctx_size = sizeof(EVP_AES_KEY),
893 };
894 #endif
895 
896 static const EVP_CIPHER aes_192_cfb = {
897 	.nid = NID_aes_192_cfb128,
898 	.block_size = 1,
899 	.key_len = 24,
900 	.iv_len = 16,
901 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
902 	.init = aes_init_key,
903 	.do_cipher = aes_cfb_cipher,
904 	.ctx_size = sizeof(EVP_AES_KEY),
905 };
906 
907 const EVP_CIPHER *
EVP_aes_192_cfb(void)908 EVP_aes_192_cfb(void)
909 {
910 #ifdef AESNI_CAPABLE
911 	return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb;
912 #else
913 	return &aes_192_cfb;
914 #endif
915 }
916 
917 #ifdef AESNI_CAPABLE
918 static const EVP_CIPHER aesni_192_cfb1 = {
919 	.nid = NID_aes_192_cfb1,
920 	.block_size = 1,
921 	.key_len = 24,
922 	.iv_len = 16,
923 	.flags = EVP_CIPH_CFB_MODE,
924 	.init = aesni_init_key,
925 	.do_cipher = aes_cfb1_cipher,
926 	.ctx_size = sizeof(EVP_AES_KEY),
927 };
928 #endif
929 
930 static const EVP_CIPHER aes_192_cfb1 = {
931 	.nid = NID_aes_192_cfb1,
932 	.block_size = 1,
933 	.key_len = 24,
934 	.iv_len = 16,
935 	.flags = EVP_CIPH_CFB_MODE,
936 	.init = aes_init_key,
937 	.do_cipher = aes_cfb1_cipher,
938 	.ctx_size = sizeof(EVP_AES_KEY),
939 };
940 
941 const EVP_CIPHER *
EVP_aes_192_cfb1(void)942 EVP_aes_192_cfb1(void)
943 {
944 #ifdef AESNI_CAPABLE
945 	return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1;
946 #else
947 	return &aes_192_cfb1;
948 #endif
949 }
950 
951 #ifdef AESNI_CAPABLE
952 static const EVP_CIPHER aesni_192_cfb8 = {
953 	.nid = NID_aes_192_cfb8,
954 	.block_size = 1,
955 	.key_len = 24,
956 	.iv_len = 16,
957 	.flags = EVP_CIPH_CFB_MODE,
958 	.init = aesni_init_key,
959 	.do_cipher = aes_cfb8_cipher,
960 	.ctx_size = sizeof(EVP_AES_KEY),
961 };
962 #endif
963 
964 static const EVP_CIPHER aes_192_cfb8 = {
965 	.nid = NID_aes_192_cfb8,
966 	.block_size = 1,
967 	.key_len = 24,
968 	.iv_len = 16,
969 	.flags = EVP_CIPH_CFB_MODE,
970 	.init = aes_init_key,
971 	.do_cipher = aes_cfb8_cipher,
972 	.ctx_size = sizeof(EVP_AES_KEY),
973 };
974 
975 const EVP_CIPHER *
EVP_aes_192_cfb8(void)976 EVP_aes_192_cfb8(void)
977 {
978 #ifdef AESNI_CAPABLE
979 	return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8;
980 #else
981 	return &aes_192_cfb8;
982 #endif
983 }
984 
985 #ifdef AESNI_CAPABLE
986 static const EVP_CIPHER aesni_192_ctr = {
987 	.nid = NID_aes_192_ctr,
988 	.block_size = 1,
989 	.key_len = 24,
990 	.iv_len = 16,
991 	.flags = EVP_CIPH_CTR_MODE,
992 	.init = aesni_init_key,
993 	.do_cipher = aes_ctr_cipher,
994 	.ctx_size = sizeof(EVP_AES_KEY),
995 };
996 #endif
997 
998 static const EVP_CIPHER aes_192_ctr = {
999 	.nid = NID_aes_192_ctr,
1000 	.block_size = 1,
1001 	.key_len = 24,
1002 	.iv_len = 16,
1003 	.flags = EVP_CIPH_CTR_MODE,
1004 	.init = aes_init_key,
1005 	.do_cipher = aes_ctr_cipher,
1006 	.ctx_size = sizeof(EVP_AES_KEY),
1007 };
1008 
1009 const EVP_CIPHER *
EVP_aes_192_ctr(void)1010 EVP_aes_192_ctr(void)
1011 {
1012 #ifdef AESNI_CAPABLE
1013 	return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr;
1014 #else
1015 	return &aes_192_ctr;
1016 #endif
1017 }
1018 
1019 
1020 #ifdef AESNI_CAPABLE
1021 static const EVP_CIPHER aesni_256_cbc = {
1022 	.nid = NID_aes_256_cbc,
1023 	.block_size = 16,
1024 	.key_len = 32,
1025 	.iv_len = 16,
1026 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
1027 	.init = aesni_init_key,
1028 	.do_cipher = aesni_cbc_cipher,
1029 	.ctx_size = sizeof(EVP_AES_KEY),
1030 };
1031 #endif
1032 
1033 static const EVP_CIPHER aes_256_cbc = {
1034 	.nid = NID_aes_256_cbc,
1035 	.block_size = 16,
1036 	.key_len = 32,
1037 	.iv_len = 16,
1038 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
1039 	.init = aes_init_key,
1040 	.do_cipher = aes_cbc_cipher,
1041 	.ctx_size = sizeof(EVP_AES_KEY),
1042 };
1043 
1044 const EVP_CIPHER *
EVP_aes_256_cbc(void)1045 EVP_aes_256_cbc(void)
1046 {
1047 #ifdef AESNI_CAPABLE
1048 	return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc;
1049 #else
1050 	return &aes_256_cbc;
1051 #endif
1052 }
1053 
1054 #ifdef AESNI_CAPABLE
1055 static const EVP_CIPHER aesni_256_ecb = {
1056 	.nid = NID_aes_256_ecb,
1057 	.block_size = 16,
1058 	.key_len = 32,
1059 	.iv_len = 0,
1060 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
1061 	.init = aesni_init_key,
1062 	.do_cipher = aesni_ecb_cipher,
1063 	.ctx_size = sizeof(EVP_AES_KEY),
1064 };
1065 #endif
1066 
1067 static const EVP_CIPHER aes_256_ecb = {
1068 	.nid = NID_aes_256_ecb,
1069 	.block_size = 16,
1070 	.key_len = 32,
1071 	.iv_len = 0,
1072 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
1073 	.init = aes_init_key,
1074 	.do_cipher = aes_ecb_cipher,
1075 	.ctx_size = sizeof(EVP_AES_KEY),
1076 };
1077 
1078 const EVP_CIPHER *
EVP_aes_256_ecb(void)1079 EVP_aes_256_ecb(void)
1080 {
1081 #ifdef AESNI_CAPABLE
1082 	return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb;
1083 #else
1084 	return &aes_256_ecb;
1085 #endif
1086 }
1087 
1088 #ifdef AESNI_CAPABLE
1089 static const EVP_CIPHER aesni_256_ofb = {
1090 	.nid = NID_aes_256_ofb128,
1091 	.block_size = 1,
1092 	.key_len = 32,
1093 	.iv_len = 16,
1094 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
1095 	.init = aesni_init_key,
1096 	.do_cipher = aes_ofb_cipher,
1097 	.ctx_size = sizeof(EVP_AES_KEY),
1098 };
1099 #endif
1100 
1101 static const EVP_CIPHER aes_256_ofb = {
1102 	.nid = NID_aes_256_ofb128,
1103 	.block_size = 1,
1104 	.key_len = 32,
1105 	.iv_len = 16,
1106 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
1107 	.init = aes_init_key,
1108 	.do_cipher = aes_ofb_cipher,
1109 	.ctx_size = sizeof(EVP_AES_KEY),
1110 };
1111 
1112 const EVP_CIPHER *
EVP_aes_256_ofb(void)1113 EVP_aes_256_ofb(void)
1114 {
1115 #ifdef AESNI_CAPABLE
1116 	return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb;
1117 #else
1118 	return &aes_256_ofb;
1119 #endif
1120 }
1121 
1122 #ifdef AESNI_CAPABLE
1123 static const EVP_CIPHER aesni_256_cfb = {
1124 	.nid = NID_aes_256_cfb128,
1125 	.block_size = 1,
1126 	.key_len = 32,
1127 	.iv_len = 16,
1128 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
1129 	.init = aesni_init_key,
1130 	.do_cipher = aes_cfb_cipher,
1131 	.ctx_size = sizeof(EVP_AES_KEY),
1132 };
1133 #endif
1134 
1135 static const EVP_CIPHER aes_256_cfb = {
1136 	.nid = NID_aes_256_cfb128,
1137 	.block_size = 1,
1138 	.key_len = 32,
1139 	.iv_len = 16,
1140 	.flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
1141 	.init = aes_init_key,
1142 	.do_cipher = aes_cfb_cipher,
1143 	.ctx_size = sizeof(EVP_AES_KEY),
1144 };
1145 
1146 const EVP_CIPHER *
EVP_aes_256_cfb(void)1147 EVP_aes_256_cfb(void)
1148 {
1149 #ifdef AESNI_CAPABLE
1150 	return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb;
1151 #else
1152 	return &aes_256_cfb;
1153 #endif
1154 }
1155 
1156 #ifdef AESNI_CAPABLE
1157 static const EVP_CIPHER aesni_256_cfb1 = {
1158 	.nid = NID_aes_256_cfb1,
1159 	.block_size = 1,
1160 	.key_len = 32,
1161 	.iv_len = 16,
1162 	.flags = EVP_CIPH_CFB_MODE,
1163 	.init = aesni_init_key,
1164 	.do_cipher = aes_cfb1_cipher,
1165 	.ctx_size = sizeof(EVP_AES_KEY),
1166 };
1167 #endif
1168 
1169 static const EVP_CIPHER aes_256_cfb1 = {
1170 	.nid = NID_aes_256_cfb1,
1171 	.block_size = 1,
1172 	.key_len = 32,
1173 	.iv_len = 16,
1174 	.flags = EVP_CIPH_CFB_MODE,
1175 	.init = aes_init_key,
1176 	.do_cipher = aes_cfb1_cipher,
1177 	.ctx_size = sizeof(EVP_AES_KEY),
1178 };
1179 
1180 const EVP_CIPHER *
EVP_aes_256_cfb1(void)1181 EVP_aes_256_cfb1(void)
1182 {
1183 #ifdef AESNI_CAPABLE
1184 	return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1;
1185 #else
1186 	return &aes_256_cfb1;
1187 #endif
1188 }
1189 
1190 #ifdef AESNI_CAPABLE
1191 static const EVP_CIPHER aesni_256_cfb8 = {
1192 	.nid = NID_aes_256_cfb8,
1193 	.block_size = 1,
1194 	.key_len = 32,
1195 	.iv_len = 16,
1196 	.flags = EVP_CIPH_CFB_MODE,
1197 	.init = aesni_init_key,
1198 	.do_cipher = aes_cfb8_cipher,
1199 	.ctx_size = sizeof(EVP_AES_KEY),
1200 };
1201 #endif
1202 
1203 static const EVP_CIPHER aes_256_cfb8 = {
1204 	.nid = NID_aes_256_cfb8,
1205 	.block_size = 1,
1206 	.key_len = 32,
1207 	.iv_len = 16,
1208 	.flags = EVP_CIPH_CFB_MODE,
1209 	.init = aes_init_key,
1210 	.do_cipher = aes_cfb8_cipher,
1211 	.ctx_size = sizeof(EVP_AES_KEY),
1212 };
1213 
1214 const EVP_CIPHER *
EVP_aes_256_cfb8(void)1215 EVP_aes_256_cfb8(void)
1216 {
1217 #ifdef AESNI_CAPABLE
1218 	return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8;
1219 #else
1220 	return &aes_256_cfb8;
1221 #endif
1222 }
1223 
1224 #ifdef AESNI_CAPABLE
1225 static const EVP_CIPHER aesni_256_ctr = {
1226 	.nid = NID_aes_256_ctr,
1227 	.block_size = 1,
1228 	.key_len = 32,
1229 	.iv_len = 16,
1230 	.flags = EVP_CIPH_CTR_MODE,
1231 	.init = aesni_init_key,
1232 	.do_cipher = aes_ctr_cipher,
1233 	.ctx_size = sizeof(EVP_AES_KEY),
1234 };
1235 #endif
1236 
1237 static const EVP_CIPHER aes_256_ctr = {
1238 	.nid = NID_aes_256_ctr,
1239 	.block_size = 1,
1240 	.key_len = 32,
1241 	.iv_len = 16,
1242 	.flags = EVP_CIPH_CTR_MODE,
1243 	.init = aes_init_key,
1244 	.do_cipher = aes_ctr_cipher,
1245 	.ctx_size = sizeof(EVP_AES_KEY),
1246 };
1247 
1248 const EVP_CIPHER *
EVP_aes_256_ctr(void)1249 EVP_aes_256_ctr(void)
1250 {
1251 #ifdef AESNI_CAPABLE
1252 	return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr;
1253 #else
1254 	return &aes_256_ctr;
1255 #endif
1256 }
1257 
1258 static void
aes_gcm_cleanup(EVP_CIPHER_CTX * c)1259 aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1260 {
1261 	EVP_AES_GCM_CTX *gctx = c->cipher_data;
1262 
1263 	if (gctx->iv != c->iv)
1264 		free(gctx->iv);
1265 
1266 	explicit_bzero(gctx, sizeof(*gctx));
1267 }
1268 
1269 /* increment counter (64-bit int) by 1 */
1270 static void
ctr64_inc(unsigned char * counter)1271 ctr64_inc(unsigned char *counter)
1272 {
1273 	int n = 8;
1274 	unsigned char  c;
1275 
1276 	do {
1277 		--n;
1278 		c = counter[n];
1279 		++c;
1280 		counter[n] = c;
1281 		if (c)
1282 			return;
1283 	} while (n);
1284 }
1285 
1286 static int
aes_gcm_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1287 aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1288 {
1289 	EVP_AES_GCM_CTX *gctx = c->cipher_data;
1290 
1291 	switch (type) {
1292 	case EVP_CTRL_INIT:
1293 		gctx->key_set = 0;
1294 		gctx->iv_set = 0;
1295 		if (c->cipher->iv_len == 0) {
1296 			EVPerror(EVP_R_INVALID_IV_LENGTH);
1297 			return 0;
1298 		}
1299 		gctx->ivlen = c->cipher->iv_len;
1300 		gctx->iv = c->iv;
1301 		gctx->taglen = -1;
1302 		gctx->iv_gen = 0;
1303 		gctx->tls_aad_len = -1;
1304 		return 1;
1305 
1306 	case EVP_CTRL_GCM_SET_IVLEN:
1307 		if (arg <= 0)
1308 			return 0;
1309 		/* Allocate memory for IV if needed */
1310 		if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
1311 			if (gctx->iv != c->iv)
1312 				free(gctx->iv);
1313 			gctx->iv = malloc(arg);
1314 			if (!gctx->iv)
1315 				return 0;
1316 		}
1317 		gctx->ivlen = arg;
1318 		return 1;
1319 
1320 	case EVP_CTRL_GCM_SET_TAG:
1321 		if (arg <= 0 || arg > 16 || c->encrypt)
1322 			return 0;
1323 		memcpy(c->buf, ptr, arg);
1324 		gctx->taglen = arg;
1325 		return 1;
1326 
1327 	case EVP_CTRL_GCM_GET_TAG:
1328 		if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1329 			return 0;
1330 		memcpy(ptr, c->buf, arg);
1331 		return 1;
1332 
1333 	case EVP_CTRL_GCM_SET_IV_FIXED:
1334 		/* Special case: -1 length restores whole IV */
1335 		if (arg == -1) {
1336 			memcpy(gctx->iv, ptr, gctx->ivlen);
1337 			gctx->iv_gen = 1;
1338 			return 1;
1339 		}
1340 		/* Fixed field must be at least 4 bytes and invocation field
1341 		 * at least 8.
1342 		 */
1343 		if ((arg < 4) || (gctx->ivlen - arg) < 8)
1344 			return 0;
1345 		if (arg)
1346 			memcpy(gctx->iv, ptr, arg);
1347 		if (c->encrypt)
1348 			arc4random_buf(gctx->iv + arg, gctx->ivlen - arg);
1349 		gctx->iv_gen = 1;
1350 		return 1;
1351 
1352 	case EVP_CTRL_GCM_IV_GEN:
1353 		if (gctx->iv_gen == 0 || gctx->key_set == 0)
1354 			return 0;
1355 		CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1356 		if (arg <= 0 || arg > gctx->ivlen)
1357 			arg = gctx->ivlen;
1358 		memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1359 		/* Invocation field will be at least 8 bytes in size and
1360 		 * so no need to check wrap around or increment more than
1361 		 * last 8 bytes.
1362 		 */
1363 		ctr64_inc(gctx->iv + gctx->ivlen - 8);
1364 		gctx->iv_set = 1;
1365 		return 1;
1366 
1367 	case EVP_CTRL_GCM_SET_IV_INV:
1368 		if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1369 			return 0;
1370 		memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1371 		CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1372 		gctx->iv_set = 1;
1373 		return 1;
1374 
1375 	case EVP_CTRL_AEAD_TLS1_AAD:
1376 		/* Save the AAD for later use */
1377 		if (arg != 13)
1378 			return 0;
1379 		memcpy(c->buf, ptr, arg);
1380 		gctx->tls_aad_len = arg;
1381 		{
1382 			unsigned int len = c->buf[arg - 2] << 8 |
1383 			    c->buf[arg - 1];
1384 
1385 			/* Correct length for explicit IV */
1386 			if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
1387 				return 0;
1388 			len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1389 
1390 			/* If decrypting correct for tag too */
1391 			if (!c->encrypt) {
1392 				if (len < EVP_GCM_TLS_TAG_LEN)
1393 					return 0;
1394 				len -= EVP_GCM_TLS_TAG_LEN;
1395 			}
1396 			c->buf[arg - 2] = len >> 8;
1397 			c->buf[arg - 1] = len & 0xff;
1398 		}
1399 		/* Extra padding: tag appended to record */
1400 		return EVP_GCM_TLS_TAG_LEN;
1401 
1402 	case EVP_CTRL_COPY:
1403 	    {
1404 		EVP_CIPHER_CTX *out = ptr;
1405 		EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
1406 
1407 		if (gctx->gcm.key) {
1408 			if (gctx->gcm.key != &gctx->ks)
1409 				return 0;
1410 			gctx_out->gcm.key = &gctx_out->ks;
1411 		}
1412 
1413 		if (gctx->iv == c->iv) {
1414 			gctx_out->iv = out->iv;
1415 		} else {
1416 			if ((gctx_out->iv = calloc(1, gctx->ivlen)) == NULL)
1417 				return 0;
1418 			memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
1419 		}
1420 		return 1;
1421 	    }
1422 
1423 	default:
1424 		return -1;
1425 
1426 	}
1427 }
1428 
1429 static ctr128_f
aes_gcm_set_key(AES_KEY * aes_key,GCM128_CONTEXT * gcm_ctx,const unsigned char * key,size_t key_len)1430 aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
1431     const unsigned char *key, size_t key_len)
1432 {
1433 #ifdef BSAES_CAPABLE
1434 	if (BSAES_CAPABLE) {
1435 		AES_set_encrypt_key(key, key_len * 8, aes_key);
1436 		CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
1437 		return (ctr128_f)bsaes_ctr32_encrypt_blocks;
1438 	} else
1439 #endif
1440 #ifdef VPAES_CAPABLE
1441 	if (VPAES_CAPABLE) {
1442 		vpaes_set_encrypt_key(key, key_len * 8, aes_key);
1443 		CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
1444 		return NULL;
1445 	} else
1446 #endif
1447 		(void)0; /* terminate potentially open 'else' */
1448 
1449 	AES_set_encrypt_key(key, key_len * 8, aes_key);
1450 	CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
1451 #ifdef AES_CTR_ASM
1452 	return (ctr128_f)AES_ctr32_encrypt;
1453 #else
1454 	return NULL;
1455 #endif
1456 }
1457 
1458 static int
aes_gcm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)1459 aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1460     const unsigned char *iv, int enc)
1461 {
1462 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1463 
1464 	if (!iv && !key)
1465 		return 1;
1466 	if (key) {
1467 		gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm,
1468 		    key, ctx->key_len);
1469 
1470 		/* If we have an iv can set it directly, otherwise use
1471 		 * saved IV.
1472 		 */
1473 		if (iv == NULL && gctx->iv_set)
1474 			iv = gctx->iv;
1475 		if (iv) {
1476 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1477 			gctx->iv_set = 1;
1478 		}
1479 		gctx->key_set = 1;
1480 	} else {
1481 		/* If key set use IV, otherwise copy */
1482 		if (gctx->key_set)
1483 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1484 		else
1485 			memcpy(gctx->iv, iv, gctx->ivlen);
1486 		gctx->iv_set = 1;
1487 		gctx->iv_gen = 0;
1488 	}
1489 	return 1;
1490 }
1491 
1492 /* Handle TLS GCM packet format. This consists of the last portion of the IV
1493  * followed by the payload and finally the tag. On encrypt generate IV,
1494  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1495  * and verify tag.
1496  */
1497 
1498 static int
aes_gcm_tls_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1499 aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1500     const unsigned char *in, size_t len)
1501 {
1502 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1503 	int rv = -1;
1504 
1505 	/* Encrypt/decrypt must be performed in place */
1506 	if (out != in ||
1507 	    len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1508 		return -1;
1509 
1510 	/* Set IV from start of buffer or generate IV and write to start
1511 	 * of buffer.
1512 	 */
1513 	if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1514 	    EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1515 	    EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1516 		goto err;
1517 
1518 	/* Use saved AAD */
1519 	if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1520 		goto err;
1521 
1522 	/* Fix buffer and length to point to payload */
1523 	in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1524 	out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1525 	len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1526 	if (ctx->encrypt) {
1527 		/* Encrypt payload */
1528 		if (gctx->ctr) {
1529 			if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out,
1530 			    len, gctx->ctr))
1531 				goto err;
1532 		} else {
1533 			if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1534 				goto err;
1535 		}
1536 		out += len;
1537 
1538 		/* Finally write tag */
1539 		CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1540 		rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1541 	} else {
1542 		/* Decrypt */
1543 		if (gctx->ctr) {
1544 			if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out,
1545 			    len, gctx->ctr))
1546 				goto err;
1547 		} else {
1548 			if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1549 				goto err;
1550 		}
1551 		/* Retrieve tag */
1552 		CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
1553 
1554 		/* If tag mismatch wipe buffer */
1555 		if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
1556 			explicit_bzero(out, len);
1557 			goto err;
1558 		}
1559 		rv = len;
1560 	}
1561 
1562 err:
1563 	gctx->iv_set = 0;
1564 	gctx->tls_aad_len = -1;
1565 	return rv;
1566 }
1567 
1568 static int
aes_gcm_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1569 aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1570     const unsigned char *in, size_t len)
1571 {
1572 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1573 
1574 	/* If not set up, return error */
1575 	if (!gctx->key_set)
1576 		return -1;
1577 
1578 	if (gctx->tls_aad_len >= 0)
1579 		return aes_gcm_tls_cipher(ctx, out, in, len);
1580 
1581 	if (!gctx->iv_set)
1582 		return -1;
1583 
1584 	if (in) {
1585 		if (out == NULL) {
1586 			if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1587 				return -1;
1588 		} else if (ctx->encrypt) {
1589 			if (gctx->ctr) {
1590 				if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1591 				    in, out, len, gctx->ctr))
1592 					return -1;
1593 			} else {
1594 				if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1595 				    in, out, len))
1596 					return -1;
1597 			}
1598 		} else {
1599 			if (gctx->ctr) {
1600 				if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1601 				    in, out, len, gctx->ctr))
1602 					return -1;
1603 			} else {
1604 				if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1605 				    in, out, len))
1606 					return -1;
1607 			}
1608 		}
1609 		return len;
1610 	} else {
1611 		if (!ctx->encrypt) {
1612 			if (gctx->taglen < 0)
1613 				return -1;
1614 			if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf,
1615 			    gctx->taglen) != 0)
1616 				return -1;
1617 			gctx->iv_set = 0;
1618 			return 0;
1619 		}
1620 		CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1621 		gctx->taglen = 16;
1622 
1623 		/* Don't reuse the IV */
1624 		gctx->iv_set = 0;
1625 		return 0;
1626 	}
1627 
1628 }
1629 
1630 #define CUSTOM_FLAGS \
1631     ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
1632       EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \
1633       EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
1634 
1635 
1636 #ifdef AESNI_CAPABLE
1637 static const EVP_CIPHER aesni_128_gcm = {
1638 	.nid = NID_aes_128_gcm,
1639 	.block_size = 1,
1640 	.key_len = 16,
1641 	.iv_len = 12,
1642 	.flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1643 	.init = aesni_gcm_init_key,
1644 	.do_cipher = aes_gcm_cipher,
1645 	.cleanup = aes_gcm_cleanup,
1646 	.ctx_size = sizeof(EVP_AES_GCM_CTX),
1647 	.ctrl = aes_gcm_ctrl,
1648 };
1649 #endif
1650 
1651 static const EVP_CIPHER aes_128_gcm = {
1652 	.nid = NID_aes_128_gcm,
1653 	.block_size = 1,
1654 	.key_len = 16,
1655 	.iv_len = 12,
1656 	.flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1657 	.init = aes_gcm_init_key,
1658 	.do_cipher = aes_gcm_cipher,
1659 	.cleanup = aes_gcm_cleanup,
1660 	.ctx_size = sizeof(EVP_AES_GCM_CTX),
1661 	.ctrl = aes_gcm_ctrl,
1662 };
1663 
1664 const EVP_CIPHER *
EVP_aes_128_gcm(void)1665 EVP_aes_128_gcm(void)
1666 {
1667 #ifdef AESNI_CAPABLE
1668 	return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm;
1669 #else
1670 	return &aes_128_gcm;
1671 #endif
1672 }
1673 
1674 #ifdef AESNI_CAPABLE
1675 static const EVP_CIPHER aesni_192_gcm = {
1676 	.nid = NID_aes_192_gcm,
1677 	.block_size = 1,
1678 	.key_len = 24,
1679 	.iv_len = 12,
1680 	.flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1681 	.init = aesni_gcm_init_key,
1682 	.do_cipher = aes_gcm_cipher,
1683 	.cleanup = aes_gcm_cleanup,
1684 	.ctx_size = sizeof(EVP_AES_GCM_CTX),
1685 	.ctrl = aes_gcm_ctrl,
1686 };
1687 #endif
1688 
1689 static const EVP_CIPHER aes_192_gcm = {
1690 	.nid = NID_aes_192_gcm,
1691 	.block_size = 1,
1692 	.key_len = 24,
1693 	.iv_len = 12,
1694 	.flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1695 	.init = aes_gcm_init_key,
1696 	.do_cipher = aes_gcm_cipher,
1697 	.cleanup = aes_gcm_cleanup,
1698 	.ctx_size = sizeof(EVP_AES_GCM_CTX),
1699 	.ctrl = aes_gcm_ctrl,
1700 };
1701 
1702 const EVP_CIPHER *
EVP_aes_192_gcm(void)1703 EVP_aes_192_gcm(void)
1704 {
1705 #ifdef AESNI_CAPABLE
1706 	return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm;
1707 #else
1708 	return &aes_192_gcm;
1709 #endif
1710 }
1711 
1712 #ifdef AESNI_CAPABLE
1713 static const EVP_CIPHER aesni_256_gcm = {
1714 	.nid = NID_aes_256_gcm,
1715 	.block_size = 1,
1716 	.key_len = 32,
1717 	.iv_len = 12,
1718 	.flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1719 	.init = aesni_gcm_init_key,
1720 	.do_cipher = aes_gcm_cipher,
1721 	.cleanup = aes_gcm_cleanup,
1722 	.ctx_size = sizeof(EVP_AES_GCM_CTX),
1723 	.ctrl = aes_gcm_ctrl,
1724 };
1725 #endif
1726 
1727 static const EVP_CIPHER aes_256_gcm = {
1728 	.nid = NID_aes_256_gcm,
1729 	.block_size = 1,
1730 	.key_len = 32,
1731 	.iv_len = 12,
1732 	.flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1733 	.init = aes_gcm_init_key,
1734 	.do_cipher = aes_gcm_cipher,
1735 	.cleanup = aes_gcm_cleanup,
1736 	.ctx_size = sizeof(EVP_AES_GCM_CTX),
1737 	.ctrl = aes_gcm_ctrl,
1738 };
1739 
1740 const EVP_CIPHER *
EVP_aes_256_gcm(void)1741 EVP_aes_256_gcm(void)
1742 {
1743 #ifdef AESNI_CAPABLE
1744 	return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm;
1745 #else
1746 	return &aes_256_gcm;
1747 #endif
1748 }
1749 
1750 static int
aes_xts_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1751 aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1752 {
1753 	EVP_AES_XTS_CTX *xctx = c->cipher_data;
1754 
1755 	switch (type) {
1756 	case EVP_CTRL_INIT:
1757 		/*
1758 		 * key1 and key2 are used as an indicator both key and IV
1759 		 * are set
1760 		 */
1761 		xctx->xts.key1 = NULL;
1762 		xctx->xts.key2 = NULL;
1763 		return 1;
1764 
1765 	case EVP_CTRL_COPY:
1766 	    {
1767 		EVP_CIPHER_CTX *out = ptr;
1768 		EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
1769 
1770 		if (xctx->xts.key1) {
1771 			if (xctx->xts.key1 != &xctx->ks1)
1772 				return 0;
1773 			xctx_out->xts.key1 = &xctx_out->ks1;
1774 		}
1775 		if (xctx->xts.key2) {
1776 			if (xctx->xts.key2 != &xctx->ks2)
1777 				return 0;
1778 			xctx_out->xts.key2 = &xctx_out->ks2;
1779 		}
1780 		return 1;
1781 	    }
1782 	}
1783 	return -1;
1784 }
1785 
1786 static int
aes_xts_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)1787 aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1788     const unsigned char *iv, int enc)
1789 {
1790 	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1791 
1792 	if (!iv && !key)
1793 		return 1;
1794 
1795 	if (key) do {
1796 #ifdef AES_XTS_ASM
1797 		xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1798 #else
1799 		xctx->stream = NULL;
1800 #endif
1801 		/* key_len is two AES keys */
1802 #ifdef BSAES_CAPABLE
1803 		if (BSAES_CAPABLE)
1804 			xctx->stream = enc ? bsaes_xts_encrypt :
1805 			    bsaes_xts_decrypt;
1806 		else
1807 #endif
1808 #ifdef VPAES_CAPABLE
1809 		if (VPAES_CAPABLE) {
1810 			if (enc) {
1811 				vpaes_set_encrypt_key(key, ctx->key_len * 4,
1812 				    &xctx->ks1);
1813 				xctx->xts.block1 = (block128_f)vpaes_encrypt;
1814 			} else {
1815 				vpaes_set_decrypt_key(key, ctx->key_len * 4,
1816 				    &xctx->ks1);
1817 				xctx->xts.block1 = (block128_f)vpaes_decrypt;
1818 			}
1819 
1820 			vpaes_set_encrypt_key(key + ctx->key_len / 2,
1821 			    ctx->key_len * 4, &xctx->ks2);
1822 			xctx->xts.block2 = (block128_f)vpaes_encrypt;
1823 
1824 			xctx->xts.key1 = &xctx->ks1;
1825 			break;
1826 		} else
1827 #endif
1828 			(void)0;	/* terminate potentially open 'else' */
1829 
1830 		if (enc) {
1831 			AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1832 			xctx->xts.block1 = (block128_f)AES_encrypt;
1833 		} else {
1834 			AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1835 			xctx->xts.block1 = (block128_f)AES_decrypt;
1836 		}
1837 
1838 		AES_set_encrypt_key(key + ctx->key_len / 2,
1839 		    ctx->key_len * 4, &xctx->ks2);
1840 		xctx->xts.block2 = (block128_f)AES_encrypt;
1841 
1842 		xctx->xts.key1 = &xctx->ks1;
1843 	} while (0);
1844 
1845 	if (iv) {
1846 		xctx->xts.key2 = &xctx->ks2;
1847 		memcpy(ctx->iv, iv, 16);
1848 	}
1849 
1850 	return 1;
1851 }
1852 
1853 static int
aes_xts_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1854 aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1855     const unsigned char *in, size_t len)
1856 {
1857 	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1858 
1859 	if (!xctx->xts.key1 || !xctx->xts.key2)
1860 		return 0;
1861 	if (!out || !in || len < AES_BLOCK_SIZE)
1862 		return 0;
1863 
1864 	if (xctx->stream)
1865 		(*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2,
1866 		    ctx->iv);
1867 	else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1868 	    ctx->encrypt))
1869 		return 0;
1870 	return 1;
1871 }
1872 
1873 #define XTS_FLAGS \
1874     ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
1875       EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
1876 
1877 
1878 #ifdef AESNI_CAPABLE
1879 static const EVP_CIPHER aesni_128_xts = {
1880 	.nid = NID_aes_128_xts,
1881 	.block_size = 1,
1882 	.key_len = 2 * 16,
1883 	.iv_len = 16,
1884 	.flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1885 	.init = aesni_xts_init_key,
1886 	.do_cipher = aes_xts_cipher,
1887 	.cleanup = NULL,
1888 	.ctx_size = sizeof(EVP_AES_XTS_CTX),
1889 	.ctrl = aes_xts_ctrl,
1890 };
1891 #endif
1892 
1893 static const EVP_CIPHER aes_128_xts = {
1894 	.nid = NID_aes_128_xts,
1895 	.block_size = 1,
1896 	.key_len = 2 * 16,
1897 	.iv_len = 16,
1898 	.flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1899 	.init = aes_xts_init_key,
1900 	.do_cipher = aes_xts_cipher,
1901 	.cleanup = NULL,
1902 	.ctx_size = sizeof(EVP_AES_XTS_CTX),
1903 	.ctrl = aes_xts_ctrl,
1904 };
1905 
1906 const EVP_CIPHER *
EVP_aes_128_xts(void)1907 EVP_aes_128_xts(void)
1908 {
1909 #ifdef AESNI_CAPABLE
1910 	return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts;
1911 #else
1912 	return &aes_128_xts;
1913 #endif
1914 }
1915 
1916 #ifdef AESNI_CAPABLE
1917 static const EVP_CIPHER aesni_256_xts = {
1918 	.nid = NID_aes_256_xts,
1919 	.block_size = 1,
1920 	.key_len = 2 * 32,
1921 	.iv_len = 16,
1922 	.flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1923 	.init = aesni_xts_init_key,
1924 	.do_cipher = aes_xts_cipher,
1925 	.cleanup = NULL,
1926 	.ctx_size = sizeof(EVP_AES_XTS_CTX),
1927 	.ctrl = aes_xts_ctrl,
1928 };
1929 #endif
1930 
1931 static const EVP_CIPHER aes_256_xts = {
1932 	.nid = NID_aes_256_xts,
1933 	.block_size = 1,
1934 	.key_len = 2 * 32,
1935 	.iv_len = 16,
1936 	.flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1937 	.init = aes_xts_init_key,
1938 	.do_cipher = aes_xts_cipher,
1939 	.cleanup = NULL,
1940 	.ctx_size = sizeof(EVP_AES_XTS_CTX),
1941 	.ctrl = aes_xts_ctrl,
1942 };
1943 
1944 const EVP_CIPHER *
EVP_aes_256_xts(void)1945 EVP_aes_256_xts(void)
1946 {
1947 #ifdef AESNI_CAPABLE
1948 	return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts;
1949 #else
1950 	return &aes_256_xts;
1951 #endif
1952 }
1953 
1954 static int
aes_ccm_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1955 aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1956 {
1957 	EVP_AES_CCM_CTX *cctx = c->cipher_data;
1958 
1959 	switch (type) {
1960 	case EVP_CTRL_INIT:
1961 		cctx->key_set = 0;
1962 		cctx->iv_set = 0;
1963 		cctx->L = 8;
1964 		cctx->M = 12;
1965 		cctx->tag_set = 0;
1966 		cctx->len_set = 0;
1967 		return 1;
1968 
1969 	case EVP_CTRL_CCM_SET_IVLEN:
1970 		arg = 15 - arg;
1971 
1972 	case EVP_CTRL_CCM_SET_L:
1973 		if (arg < 2 || arg > 8)
1974 			return 0;
1975 		cctx->L = arg;
1976 		return 1;
1977 
1978 	case EVP_CTRL_CCM_SET_TAG:
1979 		if ((arg & 1) || arg < 4 || arg > 16)
1980 			return 0;
1981 		if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1982 			return 0;
1983 		if (ptr) {
1984 			cctx->tag_set = 1;
1985 			memcpy(c->buf, ptr, arg);
1986 		}
1987 		cctx->M = arg;
1988 		return 1;
1989 
1990 	case EVP_CTRL_CCM_GET_TAG:
1991 		if (!c->encrypt || !cctx->tag_set)
1992 			return 0;
1993 		if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1994 			return 0;
1995 		cctx->tag_set = 0;
1996 		cctx->iv_set = 0;
1997 		cctx->len_set = 0;
1998 		return 1;
1999 
2000 	case EVP_CTRL_COPY:
2001 	    {
2002 		EVP_CIPHER_CTX *out = ptr;
2003 		EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
2004 
2005 		if (cctx->ccm.key) {
2006 			if (cctx->ccm.key != &cctx->ks)
2007 				return 0;
2008 			cctx_out->ccm.key = &cctx_out->ks;
2009 		}
2010 		return 1;
2011 	    }
2012 
2013 	default:
2014 		return -1;
2015 	}
2016 }
2017 
2018 static int
aes_ccm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)2019 aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2020     const unsigned char *iv, int enc)
2021 {
2022 	EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
2023 
2024 	if (!iv && !key)
2025 		return 1;
2026 	if (key) do {
2027 #ifdef VPAES_CAPABLE
2028 		if (VPAES_CAPABLE) {
2029 			vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
2030 			CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2031 			    &cctx->ks, (block128_f)vpaes_encrypt);
2032 			cctx->str = NULL;
2033 			cctx->key_set = 1;
2034 			break;
2035 		}
2036 #endif
2037 		AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
2038 		CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2039 		    &cctx->ks, (block128_f)AES_encrypt);
2040 		cctx->str = NULL;
2041 		cctx->key_set = 1;
2042 	} while (0);
2043 	if (iv) {
2044 		memcpy(ctx->iv, iv, 15 - cctx->L);
2045 		cctx->iv_set = 1;
2046 	}
2047 	return 1;
2048 }
2049 
2050 static int
aes_ccm_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)2051 aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2052     const unsigned char *in, size_t len)
2053 {
2054 	EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
2055 	CCM128_CONTEXT *ccm = &cctx->ccm;
2056 
2057 	/* If not set up, return error */
2058 	if (!cctx->iv_set && !cctx->key_set)
2059 		return -1;
2060 	if (!ctx->encrypt && !cctx->tag_set)
2061 		return -1;
2062 
2063 	if (!out) {
2064 		if (!in) {
2065 			if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,
2066 			    len))
2067 				return -1;
2068 			cctx->len_set = 1;
2069 			return len;
2070 		}
2071 		/* If have AAD need message length */
2072 		if (!cctx->len_set && len)
2073 			return -1;
2074 		CRYPTO_ccm128_aad(ccm, in, len);
2075 		return len;
2076 	}
2077 	/* EVP_*Final() doesn't return any data */
2078 	if (!in)
2079 		return 0;
2080 	/* If not set length yet do it */
2081 	if (!cctx->len_set) {
2082 		if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
2083 			return -1;
2084 		cctx->len_set = 1;
2085 	}
2086 	if (ctx->encrypt) {
2087 		if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
2088 		    cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len))
2089 			return -1;
2090 		cctx->tag_set = 1;
2091 		return len;
2092 	} else {
2093 		int rv = -1;
2094 		if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
2095 		    cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
2096 			unsigned char tag[16];
2097 			if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
2098 				if (!memcmp(tag, ctx->buf, cctx->M))
2099 					rv = len;
2100 			}
2101 		}
2102 		if (rv == -1)
2103 			explicit_bzero(out, len);
2104 		cctx->iv_set = 0;
2105 		cctx->tag_set = 0;
2106 		cctx->len_set = 0;
2107 		return rv;
2108 	}
2109 
2110 }
2111 
2112 #ifdef AESNI_CAPABLE
2113 static const EVP_CIPHER aesni_128_ccm = {
2114 	.nid = NID_aes_128_ccm,
2115 	.block_size = 1,
2116 	.key_len = 16,
2117 	.iv_len = 12,
2118 	.flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2119 	.init = aesni_ccm_init_key,
2120 	.do_cipher = aes_ccm_cipher,
2121 	.cleanup = NULL,
2122 	.ctx_size = sizeof(EVP_AES_CCM_CTX),
2123 	.ctrl = aes_ccm_ctrl,
2124 };
2125 #endif
2126 
2127 static const EVP_CIPHER aes_128_ccm = {
2128 	.nid = NID_aes_128_ccm,
2129 	.block_size = 1,
2130 	.key_len = 16,
2131 	.iv_len = 12,
2132 	.flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2133 	.init = aes_ccm_init_key,
2134 	.do_cipher = aes_ccm_cipher,
2135 	.cleanup = NULL,
2136 	.ctx_size = sizeof(EVP_AES_CCM_CTX),
2137 	.ctrl = aes_ccm_ctrl,
2138 };
2139 
2140 const EVP_CIPHER *
EVP_aes_128_ccm(void)2141 EVP_aes_128_ccm(void)
2142 {
2143 #ifdef AESNI_CAPABLE
2144 	return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm;
2145 #else
2146 	return &aes_128_ccm;
2147 #endif
2148 }
2149 
2150 #ifdef AESNI_CAPABLE
2151 static const EVP_CIPHER aesni_192_ccm = {
2152 	.nid = NID_aes_192_ccm,
2153 	.block_size = 1,
2154 	.key_len = 24,
2155 	.iv_len = 12,
2156 	.flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2157 	.init = aesni_ccm_init_key,
2158 	.do_cipher = aes_ccm_cipher,
2159 	.cleanup = NULL,
2160 	.ctx_size = sizeof(EVP_AES_CCM_CTX),
2161 	.ctrl = aes_ccm_ctrl,
2162 };
2163 #endif
2164 
2165 static const EVP_CIPHER aes_192_ccm = {
2166 	.nid = NID_aes_192_ccm,
2167 	.block_size = 1,
2168 	.key_len = 24,
2169 	.iv_len = 12,
2170 	.flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2171 	.init = aes_ccm_init_key,
2172 	.do_cipher = aes_ccm_cipher,
2173 	.cleanup = NULL,
2174 	.ctx_size = sizeof(EVP_AES_CCM_CTX),
2175 	.ctrl = aes_ccm_ctrl,
2176 };
2177 
2178 const EVP_CIPHER *
EVP_aes_192_ccm(void)2179 EVP_aes_192_ccm(void)
2180 {
2181 #ifdef AESNI_CAPABLE
2182 	return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm;
2183 #else
2184 	return &aes_192_ccm;
2185 #endif
2186 }
2187 
2188 #ifdef AESNI_CAPABLE
2189 static const EVP_CIPHER aesni_256_ccm = {
2190 	.nid = NID_aes_256_ccm,
2191 	.block_size = 1,
2192 	.key_len = 32,
2193 	.iv_len = 12,
2194 	.flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2195 	.init = aesni_ccm_init_key,
2196 	.do_cipher = aes_ccm_cipher,
2197 	.cleanup = NULL,
2198 	.ctx_size = sizeof(EVP_AES_CCM_CTX),
2199 	.ctrl = aes_ccm_ctrl,
2200 };
2201 #endif
2202 
2203 static const EVP_CIPHER aes_256_ccm = {
2204 	.nid = NID_aes_256_ccm,
2205 	.block_size = 1,
2206 	.key_len = 32,
2207 	.iv_len = 12,
2208 	.flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2209 	.init = aes_ccm_init_key,
2210 	.do_cipher = aes_ccm_cipher,
2211 	.cleanup = NULL,
2212 	.ctx_size = sizeof(EVP_AES_CCM_CTX),
2213 	.ctrl = aes_ccm_ctrl,
2214 };
2215 
2216 const EVP_CIPHER *
EVP_aes_256_ccm(void)2217 EVP_aes_256_ccm(void)
2218 {
2219 #ifdef AESNI_CAPABLE
2220 	return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm;
2221 #else
2222 	return &aes_256_ccm;
2223 #endif
2224 }
2225 
2226 #define EVP_AEAD_AES_GCM_TAG_LEN 16
2227 
2228 struct aead_aes_gcm_ctx {
2229 	union {
2230 		double align;
2231 		AES_KEY ks;
2232 	} ks;
2233 	GCM128_CONTEXT gcm;
2234 	ctr128_f ctr;
2235 	unsigned char tag_len;
2236 };
2237 
2238 static int
aead_aes_gcm_init(EVP_AEAD_CTX * ctx,const unsigned char * key,size_t key_len,size_t tag_len)2239 aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len,
2240     size_t tag_len)
2241 {
2242 	struct aead_aes_gcm_ctx *gcm_ctx;
2243 	const size_t key_bits = key_len * 8;
2244 
2245 	/* EVP_AEAD_CTX_init should catch this. */
2246 	if (key_bits != 128 && key_bits != 256) {
2247 		EVPerror(EVP_R_BAD_KEY_LENGTH);
2248 		return 0;
2249 	}
2250 
2251 	if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH)
2252 		tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
2253 
2254 	if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) {
2255 		EVPerror(EVP_R_TAG_TOO_LARGE);
2256 		return 0;
2257 	}
2258 
2259 	if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL)
2260 		return 0;
2261 
2262 #ifdef AESNI_CAPABLE
2263 	if (AESNI_CAPABLE) {
2264 		aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
2265 		CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
2266 		    (block128_f)aesni_encrypt);
2267 		gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
2268 	} else
2269 #endif
2270 	{
2271 		gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
2272 		    key, key_len);
2273 	}
2274 	gcm_ctx->tag_len = tag_len;
2275 	ctx->aead_state = gcm_ctx;
2276 
2277 	return 1;
2278 }
2279 
2280 static void
aead_aes_gcm_cleanup(EVP_AEAD_CTX * ctx)2281 aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx)
2282 {
2283 	struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2284 
2285 	freezero(gcm_ctx, sizeof(*gcm_ctx));
2286 }
2287 
2288 static int
aead_aes_gcm_seal(const EVP_AEAD_CTX * ctx,unsigned char * out,size_t * out_len,size_t max_out_len,const unsigned char * nonce,size_t nonce_len,const unsigned char * in,size_t in_len,const unsigned char * ad,size_t ad_len)2289 aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
2290     size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
2291     const unsigned char *in, size_t in_len, const unsigned char *ad,
2292     size_t ad_len)
2293 {
2294 	const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2295 	GCM128_CONTEXT gcm;
2296 	size_t bulk = 0;
2297 
2298 	if (max_out_len < in_len + gcm_ctx->tag_len) {
2299 		EVPerror(EVP_R_BUFFER_TOO_SMALL);
2300 		return 0;
2301 	}
2302 
2303 	memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
2304 
2305 	if (nonce_len == 0) {
2306 		EVPerror(EVP_R_INVALID_IV_LENGTH);
2307 		return 0;
2308 	}
2309 	CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
2310 
2311 	if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
2312 		return 0;
2313 
2314 	if (gcm_ctx->ctr) {
2315 		if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
2316 		    in_len - bulk, gcm_ctx->ctr))
2317 			return 0;
2318 	} else {
2319 		if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
2320 		    in_len - bulk))
2321 			return 0;
2322 	}
2323 
2324 	CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
2325 	*out_len = in_len + gcm_ctx->tag_len;
2326 
2327 	return 1;
2328 }
2329 
2330 static int
aead_aes_gcm_open(const EVP_AEAD_CTX * ctx,unsigned char * out,size_t * out_len,size_t max_out_len,const unsigned char * nonce,size_t nonce_len,const unsigned char * in,size_t in_len,const unsigned char * ad,size_t ad_len)2331 aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
2332     size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
2333     const unsigned char *in, size_t in_len, const unsigned char *ad,
2334     size_t ad_len)
2335 {
2336 	const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2337 	unsigned char tag[EVP_AEAD_AES_GCM_TAG_LEN];
2338 	GCM128_CONTEXT gcm;
2339 	size_t plaintext_len;
2340 	size_t bulk = 0;
2341 
2342 	if (in_len < gcm_ctx->tag_len) {
2343 		EVPerror(EVP_R_BAD_DECRYPT);
2344 		return 0;
2345 	}
2346 
2347 	plaintext_len = in_len - gcm_ctx->tag_len;
2348 
2349 	if (max_out_len < plaintext_len) {
2350 		EVPerror(EVP_R_BUFFER_TOO_SMALL);
2351 		return 0;
2352 	}
2353 
2354 	memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
2355 
2356 	if (nonce_len == 0) {
2357 		EVPerror(EVP_R_INVALID_IV_LENGTH);
2358 		return 0;
2359 	}
2360 	CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
2361 
2362 	if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
2363 		return 0;
2364 
2365 	if (gcm_ctx->ctr) {
2366 		if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
2367 		    in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
2368 			return 0;
2369 	} else {
2370 		if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
2371 		    in_len - bulk - gcm_ctx->tag_len))
2372 			return 0;
2373 	}
2374 
2375 	CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
2376 	if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {
2377 		EVPerror(EVP_R_BAD_DECRYPT);
2378 		return 0;
2379 	}
2380 
2381 	*out_len = plaintext_len;
2382 
2383 	return 1;
2384 }
2385 
2386 static const EVP_AEAD aead_aes_128_gcm = {
2387 	.key_len = 16,
2388 	.nonce_len = 12,
2389 	.overhead = EVP_AEAD_AES_GCM_TAG_LEN,
2390 	.max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN,
2391 
2392 	.init = aead_aes_gcm_init,
2393 	.cleanup = aead_aes_gcm_cleanup,
2394 	.seal = aead_aes_gcm_seal,
2395 	.open = aead_aes_gcm_open,
2396 };
2397 
2398 static const EVP_AEAD aead_aes_256_gcm = {
2399 	.key_len = 32,
2400 	.nonce_len = 12,
2401 	.overhead = EVP_AEAD_AES_GCM_TAG_LEN,
2402 	.max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN,
2403 
2404 	.init = aead_aes_gcm_init,
2405 	.cleanup = aead_aes_gcm_cleanup,
2406 	.seal = aead_aes_gcm_seal,
2407 	.open = aead_aes_gcm_open,
2408 };
2409 
2410 const EVP_AEAD *
EVP_aead_aes_128_gcm(void)2411 EVP_aead_aes_128_gcm(void)
2412 {
2413 	return &aead_aes_128_gcm;
2414 }
2415 
2416 const EVP_AEAD *
EVP_aead_aes_256_gcm(void)2417 EVP_aead_aes_256_gcm(void)
2418 {
2419 	return &aead_aes_256_gcm;
2420 }
2421 
2422 typedef struct {
2423 	union {
2424 		double align;
2425 		AES_KEY ks;
2426 	} ks;
2427 	unsigned char *iv;
2428 } EVP_AES_WRAP_CTX;
2429 
2430 static int
aes_wrap_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)2431 aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2432     const unsigned char *iv, int enc)
2433 {
2434 	EVP_AES_WRAP_CTX *wctx = (EVP_AES_WRAP_CTX *)ctx->cipher_data;
2435 
2436 	if (iv == NULL && key == NULL)
2437 		return 1;
2438 
2439 	if (key != NULL) {
2440 		if (ctx->encrypt)
2441 			AES_set_encrypt_key(key, 8 * ctx->key_len,
2442 			    &wctx->ks.ks);
2443 		else
2444 			AES_set_decrypt_key(key, 8 * ctx->key_len,
2445 			    &wctx->ks.ks);
2446 
2447 		if (iv == NULL)
2448 			wctx->iv = NULL;
2449 	}
2450 
2451 	if (iv != NULL) {
2452 		memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
2453 		wctx->iv = ctx->iv;
2454 	}
2455 
2456 	return 1;
2457 }
2458 
2459 static int
aes_wrap_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t inlen)2460 aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2461     const unsigned char *in, size_t inlen)
2462 {
2463 	EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
2464 	int ret;
2465 
2466 	if (in == NULL)
2467 		return 0;
2468 
2469 	if (inlen % 8 != 0)
2470 		return -1;
2471 	if (ctx->encrypt && inlen < 8)
2472 		return -1;
2473 	if (!ctx->encrypt && inlen < 16)
2474 		return -1;
2475 	if (inlen > INT_MAX)
2476 		return -1;
2477 
2478 	if (out == NULL) {
2479 		if (ctx->encrypt)
2480 			return inlen + 8;
2481 		else
2482 			return inlen - 8;
2483 	}
2484 
2485 	if (ctx->encrypt)
2486 		ret = AES_wrap_key(&wctx->ks.ks, wctx->iv, out, in,
2487 		    (unsigned int)inlen);
2488 	else
2489 		ret = AES_unwrap_key(&wctx->ks.ks, wctx->iv, out, in,
2490 		    (unsigned int)inlen);
2491 
2492 	return ret != 0 ? ret : -1;
2493 }
2494 
2495 static int
aes_wrap_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)2496 aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
2497 {
2498 	EVP_AES_WRAP_CTX *wctx = c->cipher_data;
2499 
2500 	switch (type) {
2501 	case EVP_CTRL_COPY:
2502 	    {
2503 		EVP_CIPHER_CTX *out = ptr;
2504 		EVP_AES_WRAP_CTX *wctx_out = out->cipher_data;
2505 
2506 		if (wctx->iv != NULL) {
2507 			if (c->iv != wctx->iv)
2508 				return 0;
2509 
2510 			wctx_out->iv = out->iv;
2511 		}
2512 
2513 		return 1;
2514 	    }
2515 	}
2516 
2517 	return -1;
2518 }
2519 
2520 #define WRAP_FLAGS \
2521     ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \
2522       EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \
2523       EVP_CIPH_CUSTOM_COPY )
2524 
2525 static const EVP_CIPHER aes_128_wrap = {
2526 	.nid = NID_id_aes128_wrap,
2527 	.block_size = 8,
2528 	.key_len = 16,
2529 	.iv_len = 8,
2530 	.flags = WRAP_FLAGS,
2531 	.init = aes_wrap_init_key,
2532 	.do_cipher = aes_wrap_cipher,
2533 	.cleanup = NULL,
2534 	.ctx_size = sizeof(EVP_AES_WRAP_CTX),
2535 	.set_asn1_parameters = NULL,
2536 	.get_asn1_parameters = NULL,
2537 	.ctrl = aes_wrap_ctrl,
2538 	.app_data = NULL,
2539 };
2540 
2541 const EVP_CIPHER *
EVP_aes_128_wrap(void)2542 EVP_aes_128_wrap(void)
2543 {
2544 	return &aes_128_wrap;
2545 }
2546 
2547 static const EVP_CIPHER aes_192_wrap = {
2548 	.nid = NID_id_aes192_wrap,
2549 	.block_size = 8,
2550 	.key_len = 24,
2551 	.iv_len = 8,
2552 	.flags = WRAP_FLAGS,
2553 	.init = aes_wrap_init_key,
2554 	.do_cipher = aes_wrap_cipher,
2555 	.cleanup = NULL,
2556 	.ctx_size = sizeof(EVP_AES_WRAP_CTX),
2557 	.set_asn1_parameters = NULL,
2558 	.get_asn1_parameters = NULL,
2559 	.ctrl = aes_wrap_ctrl,
2560 	.app_data = NULL,
2561 };
2562 
2563 const EVP_CIPHER *
EVP_aes_192_wrap(void)2564 EVP_aes_192_wrap(void)
2565 {
2566 	return &aes_192_wrap;
2567 }
2568 
2569 static const EVP_CIPHER aes_256_wrap = {
2570 	.nid = NID_id_aes256_wrap,
2571 	.block_size = 8,
2572 	.key_len = 32,
2573 	.iv_len = 8,
2574 	.flags = WRAP_FLAGS,
2575 	.init = aes_wrap_init_key,
2576 	.do_cipher = aes_wrap_cipher,
2577 	.cleanup = NULL,
2578 	.ctx_size = sizeof(EVP_AES_WRAP_CTX),
2579 	.set_asn1_parameters = NULL,
2580 	.get_asn1_parameters = NULL,
2581 	.ctrl = aes_wrap_ctrl,
2582 	.app_data = NULL,
2583 };
2584 
2585 const EVP_CIPHER *
EVP_aes_256_wrap(void)2586 EVP_aes_256_wrap(void)
2587 {
2588 	return &aes_256_wrap;
2589 }
2590 
2591 #endif
2592