1 /* $OpenBSD: e_aes.c,v 1.59 2024/09/06 09:57:32 tb Exp $ */
2 /* ====================================================================
3 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52 #include <limits.h>
53 #include <stdlib.h>
54 #include <string.h>
55
56 #include <openssl/opensslconf.h>
57
58 #include "crypto_internal.h"
59
60 #ifndef OPENSSL_NO_AES
61 #include <openssl/aes.h>
62 #include <openssl/err.h>
63 #include <openssl/evp.h>
64
65 #include "evp_local.h"
66 #include "modes_local.h"
67
68 typedef struct {
69 AES_KEY ks;
70 block128_f block;
71 union {
72 cbc128_f cbc;
73 ctr128_f ctr;
74 } stream;
75 } EVP_AES_KEY;
76
77 typedef struct {
78 AES_KEY ks; /* AES key schedule to use */
79 int key_set; /* Set if key initialised */
80 int iv_set; /* Set if an iv is set */
81 GCM128_CONTEXT gcm;
82 unsigned char *iv; /* Temporary IV store */
83 int ivlen; /* IV length */
84 int taglen;
85 int iv_gen; /* It is OK to generate IVs */
86 int tls_aad_len; /* TLS AAD length */
87 ctr128_f ctr;
88 } EVP_AES_GCM_CTX;
89
90 typedef struct {
91 AES_KEY ks1, ks2; /* AES key schedules to use */
92 XTS128_CONTEXT xts;
93 void (*stream)(const unsigned char *in, unsigned char *out,
94 size_t length, const AES_KEY *key1, const AES_KEY *key2,
95 const unsigned char iv[16]);
96 } EVP_AES_XTS_CTX;
97
98 typedef struct {
99 AES_KEY ks; /* AES key schedule to use */
100 int key_set; /* Set if key initialised */
101 int iv_set; /* Set if an iv is set */
102 int tag_set; /* Set if tag is valid */
103 int len_set; /* Set if message length set */
104 int L, M; /* L and M parameters from RFC3610 */
105 CCM128_CONTEXT ccm;
106 ccm128_f str;
107 } EVP_AES_CCM_CTX;
108
109 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
110
111 #ifdef VPAES_ASM
112 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
113 AES_KEY *key);
114 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
115 AES_KEY *key);
116
117 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
118 const AES_KEY *key);
119 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
120 const AES_KEY *key);
121
122 void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
123 size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
124 #endif
125 #ifdef BSAES_ASM
126 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
127 size_t length, const AES_KEY *key, unsigned char ivec[16], int enc);
128 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
129 size_t len, const AES_KEY *key, const unsigned char ivec[16]);
130 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
131 size_t len, const AES_KEY *key1, const AES_KEY *key2,
132 const unsigned char iv[16]);
133 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
134 size_t len, const AES_KEY *key1, const AES_KEY *key2,
135 const unsigned char iv[16]);
136 #endif
137 #ifdef AES_CTR_ASM
138 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
139 size_t blocks, const AES_KEY *key,
140 const unsigned char ivec[AES_BLOCK_SIZE]);
141 #endif
142 #ifdef AES_XTS_ASM
143 void AES_xts_encrypt(const char *inp, char *out, size_t len,
144 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
145 void AES_xts_decrypt(const char *inp, char *out, size_t len,
146 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
147 #endif
148
149 #if defined(AES_ASM) && ( \
150 ((defined(__i386) || defined(__i386__) || \
151 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
152 defined(__x86_64) || defined(__x86_64__) || \
153 defined(_M_AMD64) || defined(_M_X64) || \
154 defined(__INTEL__) )
155
156 #include "x86_arch.h"
157
158 #ifdef VPAES_ASM
159 #define VPAES_CAPABLE (crypto_cpu_caps_ia32() & CPUCAP_MASK_SSSE3)
160 #endif
161 #ifdef BSAES_ASM
162 #define BSAES_CAPABLE VPAES_CAPABLE
163 #endif
164 /*
165 * AES-NI section
166 */
167 #define AESNI_CAPABLE (crypto_cpu_caps_ia32() & CPUCAP_MASK_AESNI)
168
169 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
170 AES_KEY *key);
171 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
172 AES_KEY *key);
173
174 void aesni_encrypt(const unsigned char *in, unsigned char *out,
175 const AES_KEY *key);
176 void aesni_decrypt(const unsigned char *in, unsigned char *out,
177 const AES_KEY *key);
178
179 void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
180 size_t length, const AES_KEY *key, int enc);
181 void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
182 size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
183
184 void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
185 size_t blocks, const void *key, const unsigned char *ivec);
186
187 void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
188 size_t length, const AES_KEY *key1, const AES_KEY *key2,
189 const unsigned char iv[16]);
190
191 void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
192 size_t length, const AES_KEY *key1, const AES_KEY *key2,
193 const unsigned char iv[16]);
194
195 void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out,
196 size_t blocks, const void *key, const unsigned char ivec[16],
197 unsigned char cmac[16]);
198
199 void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out,
200 size_t blocks, const void *key, const unsigned char ivec[16],
201 unsigned char cmac[16]);
202
203 static int
aesni_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)204 aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
205 const unsigned char *iv, int enc)
206 {
207 int ret, mode;
208 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
209
210 mode = ctx->cipher->flags & EVP_CIPH_MODE;
211 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
212 !enc) {
213 ret = aesni_set_decrypt_key(key, ctx->key_len * 8,
214 ctx->cipher_data);
215 dat->block = (block128_f)aesni_decrypt;
216 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
217 (cbc128_f)aesni_cbc_encrypt : NULL;
218 } else {
219 ret = aesni_set_encrypt_key(key, ctx->key_len * 8,
220 ctx->cipher_data);
221 dat->block = (block128_f)aesni_encrypt;
222 if (mode == EVP_CIPH_CBC_MODE)
223 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
224 else if (mode == EVP_CIPH_CTR_MODE)
225 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
226 else
227 dat->stream.cbc = NULL;
228 }
229
230 if (ret < 0) {
231 EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
232 return 0;
233 }
234
235 return 1;
236 }
237
238 static int
aesni_cbc_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)239 aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
240 const unsigned char *in, size_t len)
241 {
242 aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv,
243 ctx->encrypt);
244
245 return 1;
246 }
247
248 static int
aesni_ecb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)249 aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
250 const unsigned char *in, size_t len)
251 {
252 size_t bl = ctx->cipher->block_size;
253
254 if (len < bl)
255 return 1;
256
257 aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
258
259 return 1;
260 }
261
262 static int
aesni_gcm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)263 aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
264 const unsigned char *iv, int enc)
265 {
266 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
267
268 if (!iv && !key)
269 return 1;
270 if (key) {
271 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
272 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
273 (block128_f)aesni_encrypt);
274 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
275 /* If we have an iv can set it directly, otherwise use
276 * saved IV.
277 */
278 if (iv == NULL && gctx->iv_set)
279 iv = gctx->iv;
280 if (iv) {
281 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
282 gctx->iv_set = 1;
283 }
284 gctx->key_set = 1;
285 } else {
286 /* If key set use IV, otherwise copy */
287 if (gctx->key_set)
288 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
289 else
290 memcpy(gctx->iv, iv, gctx->ivlen);
291 gctx->iv_set = 1;
292 gctx->iv_gen = 0;
293 }
294 return 1;
295 }
296
297 static int
aesni_xts_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)298 aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
299 const unsigned char *iv, int enc)
300 {
301 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
302
303 if (!iv && !key)
304 return 1;
305
306 if (key) {
307 /* key_len is two AES keys */
308 if (enc) {
309 aesni_set_encrypt_key(key, ctx->key_len * 4,
310 &xctx->ks1);
311 xctx->xts.block1 = (block128_f)aesni_encrypt;
312 xctx->stream = aesni_xts_encrypt;
313 } else {
314 aesni_set_decrypt_key(key, ctx->key_len * 4,
315 &xctx->ks1);
316 xctx->xts.block1 = (block128_f)aesni_decrypt;
317 xctx->stream = aesni_xts_decrypt;
318 }
319
320 aesni_set_encrypt_key(key + ctx->key_len / 2,
321 ctx->key_len * 4, &xctx->ks2);
322 xctx->xts.block2 = (block128_f)aesni_encrypt;
323
324 xctx->xts.key1 = &xctx->ks1;
325 }
326
327 if (iv) {
328 xctx->xts.key2 = &xctx->ks2;
329 memcpy(ctx->iv, iv, 16);
330 }
331
332 return 1;
333 }
334
335 static int
aesni_ccm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)336 aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
337 const unsigned char *iv, int enc)
338 {
339 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
340
341 if (!iv && !key)
342 return 1;
343 if (key) {
344 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
345 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
346 &cctx->ks, (block128_f)aesni_encrypt);
347 cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks :
348 (ccm128_f)aesni_ccm64_decrypt_blocks;
349 cctx->key_set = 1;
350 }
351 if (iv) {
352 memcpy(ctx->iv, iv, 15 - cctx->L);
353 cctx->iv_set = 1;
354 }
355 return 1;
356 }
357
358 #endif
359
360 static int
aes_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)361 aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
362 const unsigned char *iv, int enc)
363 {
364 int ret, mode;
365 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
366
367 mode = ctx->cipher->flags & EVP_CIPH_MODE;
368 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
369 !enc)
370 #ifdef BSAES_CAPABLE
371 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
372 ret = AES_set_decrypt_key(key, ctx->key_len * 8,
373 &dat->ks);
374 dat->block = (block128_f)AES_decrypt;
375 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
376 } else
377 #endif
378 #ifdef VPAES_CAPABLE
379 if (VPAES_CAPABLE) {
380 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8,
381 &dat->ks);
382 dat->block = (block128_f)vpaes_decrypt;
383 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
384 (cbc128_f)vpaes_cbc_encrypt : NULL;
385 } else
386 #endif
387 {
388 ret = AES_set_decrypt_key(key, ctx->key_len * 8,
389 &dat->ks);
390 dat->block = (block128_f)AES_decrypt;
391 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
392 (cbc128_f)AES_cbc_encrypt : NULL;
393 } else
394 #ifdef BSAES_CAPABLE
395 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
396 ret = AES_set_encrypt_key(key, ctx->key_len * 8,
397 &dat->ks);
398 dat->block = (block128_f)AES_encrypt;
399 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
400 } else
401 #endif
402 #ifdef VPAES_CAPABLE
403 if (VPAES_CAPABLE) {
404 ret = vpaes_set_encrypt_key(key, ctx->key_len * 8,
405 &dat->ks);
406 dat->block = (block128_f)vpaes_encrypt;
407 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
408 (cbc128_f)vpaes_cbc_encrypt : NULL;
409 } else
410 #endif
411 {
412 ret = AES_set_encrypt_key(key, ctx->key_len * 8,
413 &dat->ks);
414 dat->block = (block128_f)AES_encrypt;
415 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
416 (cbc128_f)AES_cbc_encrypt : NULL;
417 #ifdef AES_CTR_ASM
418 if (mode == EVP_CIPH_CTR_MODE)
419 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
420 #endif
421 }
422
423 if (ret < 0) {
424 EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
425 return 0;
426 }
427
428 return 1;
429 }
430
431 static int
aes_cbc_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)432 aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
433 const unsigned char *in, size_t len)
434 {
435 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
436
437 if (dat->stream.cbc)
438 (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv,
439 ctx->encrypt);
440 else if (ctx->encrypt)
441 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv,
442 dat->block);
443 else
444 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv,
445 dat->block);
446
447 return 1;
448 }
449
450 static int
aes_ecb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)451 aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
452 const unsigned char *in, size_t len)
453 {
454 size_t bl = ctx->cipher->block_size;
455 size_t i;
456 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
457
458 if (len < bl)
459 return 1;
460
461 for (i = 0, len -= bl; i <= len; i += bl)
462 (*dat->block)(in + i, out + i, &dat->ks);
463
464 return 1;
465 }
466
467 static int
aes_ofb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)468 aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
469 const unsigned char *in, size_t len)
470 {
471 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
472
473 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
474 dat->block);
475 return 1;
476 }
477
478 static int
aes_cfb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)479 aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
480 const unsigned char *in, size_t len)
481 {
482 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
483
484 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
485 ctx->encrypt, dat->block);
486 return 1;
487 }
488
489 static int
aes_cfb8_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)490 aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
491 const unsigned char *in, size_t len)
492 {
493 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
494
495 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
496 ctx->encrypt, dat->block);
497 return 1;
498 }
499
500 static int
aes_cfb1_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)501 aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
502 const unsigned char *in, size_t len)
503 {
504 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
505
506 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
507 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv,
508 &ctx->num, ctx->encrypt, dat->block);
509 return 1;
510 }
511
512 while (len >= MAXBITCHUNK) {
513 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks,
514 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
515 len -= MAXBITCHUNK;
516 in += MAXBITCHUNK;
517 out += MAXBITCHUNK;
518 }
519 if (len)
520 CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks,
521 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
522
523 return 1;
524 }
525
526 static int
aes_ctr_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)527 aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
528 const unsigned char *in, size_t len)
529 {
530 unsigned int num = ctx->num;
531 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
532
533 if (dat->stream.ctr)
534 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
535 ctx->iv, ctx->buf, &num, dat->stream.ctr);
536 else
537 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
538 ctx->iv, ctx->buf, &num, dat->block);
539 ctx->num = (size_t)num;
540 return 1;
541 }
542
543
544 #ifdef AESNI_CAPABLE
545 static const EVP_CIPHER aesni_128_cbc = {
546 .nid = NID_aes_128_cbc,
547 .block_size = 16,
548 .key_len = 16,
549 .iv_len = 16,
550 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
551 .init = aesni_init_key,
552 .do_cipher = aesni_cbc_cipher,
553 .ctx_size = sizeof(EVP_AES_KEY),
554 };
555 #endif
556
557 static const EVP_CIPHER aes_128_cbc = {
558 .nid = NID_aes_128_cbc,
559 .block_size = 16,
560 .key_len = 16,
561 .iv_len = 16,
562 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
563 .init = aes_init_key,
564 .do_cipher = aes_cbc_cipher,
565 .ctx_size = sizeof(EVP_AES_KEY),
566 };
567
568 const EVP_CIPHER *
EVP_aes_128_cbc(void)569 EVP_aes_128_cbc(void)
570 {
571 #ifdef AESNI_CAPABLE
572 return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc;
573 #else
574 return &aes_128_cbc;
575 #endif
576 }
577 LCRYPTO_ALIAS(EVP_aes_128_cbc);
578
579 #ifdef AESNI_CAPABLE
580 static const EVP_CIPHER aesni_128_ecb = {
581 .nid = NID_aes_128_ecb,
582 .block_size = 16,
583 .key_len = 16,
584 .iv_len = 0,
585 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
586 .init = aesni_init_key,
587 .do_cipher = aesni_ecb_cipher,
588 .ctx_size = sizeof(EVP_AES_KEY),
589 };
590 #endif
591
592 static const EVP_CIPHER aes_128_ecb = {
593 .nid = NID_aes_128_ecb,
594 .block_size = 16,
595 .key_len = 16,
596 .iv_len = 0,
597 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
598 .init = aes_init_key,
599 .do_cipher = aes_ecb_cipher,
600 .ctx_size = sizeof(EVP_AES_KEY),
601 };
602
603 const EVP_CIPHER *
EVP_aes_128_ecb(void)604 EVP_aes_128_ecb(void)
605 {
606 #ifdef AESNI_CAPABLE
607 return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb;
608 #else
609 return &aes_128_ecb;
610 #endif
611 }
612 LCRYPTO_ALIAS(EVP_aes_128_ecb);
613
614 #ifdef AESNI_CAPABLE
615 static const EVP_CIPHER aesni_128_ofb = {
616 .nid = NID_aes_128_ofb128,
617 .block_size = 1,
618 .key_len = 16,
619 .iv_len = 16,
620 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
621 .init = aesni_init_key,
622 .do_cipher = aes_ofb_cipher,
623 .ctx_size = sizeof(EVP_AES_KEY),
624 };
625 #endif
626
627 static const EVP_CIPHER aes_128_ofb = {
628 .nid = NID_aes_128_ofb128,
629 .block_size = 1,
630 .key_len = 16,
631 .iv_len = 16,
632 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
633 .init = aes_init_key,
634 .do_cipher = aes_ofb_cipher,
635 .ctx_size = sizeof(EVP_AES_KEY),
636 };
637
638 const EVP_CIPHER *
EVP_aes_128_ofb(void)639 EVP_aes_128_ofb(void)
640 {
641 #ifdef AESNI_CAPABLE
642 return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb;
643 #else
644 return &aes_128_ofb;
645 #endif
646 }
647 LCRYPTO_ALIAS(EVP_aes_128_ofb);
648
649 #ifdef AESNI_CAPABLE
650 static const EVP_CIPHER aesni_128_cfb = {
651 .nid = NID_aes_128_cfb128,
652 .block_size = 1,
653 .key_len = 16,
654 .iv_len = 16,
655 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
656 .init = aesni_init_key,
657 .do_cipher = aes_cfb_cipher,
658 .ctx_size = sizeof(EVP_AES_KEY),
659 };
660 #endif
661
662 static const EVP_CIPHER aes_128_cfb = {
663 .nid = NID_aes_128_cfb128,
664 .block_size = 1,
665 .key_len = 16,
666 .iv_len = 16,
667 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
668 .init = aes_init_key,
669 .do_cipher = aes_cfb_cipher,
670 .ctx_size = sizeof(EVP_AES_KEY),
671 };
672
673 const EVP_CIPHER *
EVP_aes_128_cfb128(void)674 EVP_aes_128_cfb128(void)
675 {
676 #ifdef AESNI_CAPABLE
677 return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb;
678 #else
679 return &aes_128_cfb;
680 #endif
681 }
682 LCRYPTO_ALIAS(EVP_aes_128_cfb128);
683
684 #ifdef AESNI_CAPABLE
685 static const EVP_CIPHER aesni_128_cfb1 = {
686 .nid = NID_aes_128_cfb1,
687 .block_size = 1,
688 .key_len = 16,
689 .iv_len = 16,
690 .flags = EVP_CIPH_CFB_MODE,
691 .init = aesni_init_key,
692 .do_cipher = aes_cfb1_cipher,
693 .ctx_size = sizeof(EVP_AES_KEY),
694 };
695 #endif
696
697 static const EVP_CIPHER aes_128_cfb1 = {
698 .nid = NID_aes_128_cfb1,
699 .block_size = 1,
700 .key_len = 16,
701 .iv_len = 16,
702 .flags = EVP_CIPH_CFB_MODE,
703 .init = aes_init_key,
704 .do_cipher = aes_cfb1_cipher,
705 .ctx_size = sizeof(EVP_AES_KEY),
706 };
707
708 const EVP_CIPHER *
EVP_aes_128_cfb1(void)709 EVP_aes_128_cfb1(void)
710 {
711 #ifdef AESNI_CAPABLE
712 return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1;
713 #else
714 return &aes_128_cfb1;
715 #endif
716 }
717 LCRYPTO_ALIAS(EVP_aes_128_cfb1);
718
719 #ifdef AESNI_CAPABLE
720 static const EVP_CIPHER aesni_128_cfb8 = {
721 .nid = NID_aes_128_cfb8,
722 .block_size = 1,
723 .key_len = 16,
724 .iv_len = 16,
725 .flags = EVP_CIPH_CFB_MODE,
726 .init = aesni_init_key,
727 .do_cipher = aes_cfb8_cipher,
728 .ctx_size = sizeof(EVP_AES_KEY),
729 };
730 #endif
731
732 static const EVP_CIPHER aes_128_cfb8 = {
733 .nid = NID_aes_128_cfb8,
734 .block_size = 1,
735 .key_len = 16,
736 .iv_len = 16,
737 .flags = EVP_CIPH_CFB_MODE,
738 .init = aes_init_key,
739 .do_cipher = aes_cfb8_cipher,
740 .ctx_size = sizeof(EVP_AES_KEY),
741 };
742
743 const EVP_CIPHER *
EVP_aes_128_cfb8(void)744 EVP_aes_128_cfb8(void)
745 {
746 #ifdef AESNI_CAPABLE
747 return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8;
748 #else
749 return &aes_128_cfb8;
750 #endif
751 }
752 LCRYPTO_ALIAS(EVP_aes_128_cfb8);
753
754 #ifdef AESNI_CAPABLE
755 static const EVP_CIPHER aesni_128_ctr = {
756 .nid = NID_aes_128_ctr,
757 .block_size = 1,
758 .key_len = 16,
759 .iv_len = 16,
760 .flags = EVP_CIPH_CTR_MODE,
761 .init = aesni_init_key,
762 .do_cipher = aes_ctr_cipher,
763 .ctx_size = sizeof(EVP_AES_KEY),
764 };
765 #endif
766
767 static const EVP_CIPHER aes_128_ctr = {
768 .nid = NID_aes_128_ctr,
769 .block_size = 1,
770 .key_len = 16,
771 .iv_len = 16,
772 .flags = EVP_CIPH_CTR_MODE,
773 .init = aes_init_key,
774 .do_cipher = aes_ctr_cipher,
775 .ctx_size = sizeof(EVP_AES_KEY),
776 };
777
778 const EVP_CIPHER *
EVP_aes_128_ctr(void)779 EVP_aes_128_ctr(void)
780 {
781 #ifdef AESNI_CAPABLE
782 return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr;
783 #else
784 return &aes_128_ctr;
785 #endif
786 }
787 LCRYPTO_ALIAS(EVP_aes_128_ctr);
788
789
790 #ifdef AESNI_CAPABLE
791 static const EVP_CIPHER aesni_192_cbc = {
792 .nid = NID_aes_192_cbc,
793 .block_size = 16,
794 .key_len = 24,
795 .iv_len = 16,
796 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
797 .init = aesni_init_key,
798 .do_cipher = aesni_cbc_cipher,
799 .ctx_size = sizeof(EVP_AES_KEY),
800 };
801 #endif
802
803 static const EVP_CIPHER aes_192_cbc = {
804 .nid = NID_aes_192_cbc,
805 .block_size = 16,
806 .key_len = 24,
807 .iv_len = 16,
808 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
809 .init = aes_init_key,
810 .do_cipher = aes_cbc_cipher,
811 .ctx_size = sizeof(EVP_AES_KEY),
812 };
813
814 const EVP_CIPHER *
EVP_aes_192_cbc(void)815 EVP_aes_192_cbc(void)
816 {
817 #ifdef AESNI_CAPABLE
818 return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc;
819 #else
820 return &aes_192_cbc;
821 #endif
822 }
823 LCRYPTO_ALIAS(EVP_aes_192_cbc);
824
825 #ifdef AESNI_CAPABLE
826 static const EVP_CIPHER aesni_192_ecb = {
827 .nid = NID_aes_192_ecb,
828 .block_size = 16,
829 .key_len = 24,
830 .iv_len = 0,
831 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
832 .init = aesni_init_key,
833 .do_cipher = aesni_ecb_cipher,
834 .ctx_size = sizeof(EVP_AES_KEY),
835 };
836 #endif
837
838 static const EVP_CIPHER aes_192_ecb = {
839 .nid = NID_aes_192_ecb,
840 .block_size = 16,
841 .key_len = 24,
842 .iv_len = 0,
843 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
844 .init = aes_init_key,
845 .do_cipher = aes_ecb_cipher,
846 .ctx_size = sizeof(EVP_AES_KEY),
847 };
848
849 const EVP_CIPHER *
EVP_aes_192_ecb(void)850 EVP_aes_192_ecb(void)
851 {
852 #ifdef AESNI_CAPABLE
853 return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb;
854 #else
855 return &aes_192_ecb;
856 #endif
857 }
858 LCRYPTO_ALIAS(EVP_aes_192_ecb);
859
860 #ifdef AESNI_CAPABLE
861 static const EVP_CIPHER aesni_192_ofb = {
862 .nid = NID_aes_192_ofb128,
863 .block_size = 1,
864 .key_len = 24,
865 .iv_len = 16,
866 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
867 .init = aesni_init_key,
868 .do_cipher = aes_ofb_cipher,
869 .ctx_size = sizeof(EVP_AES_KEY),
870 };
871 #endif
872
873 static const EVP_CIPHER aes_192_ofb = {
874 .nid = NID_aes_192_ofb128,
875 .block_size = 1,
876 .key_len = 24,
877 .iv_len = 16,
878 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
879 .init = aes_init_key,
880 .do_cipher = aes_ofb_cipher,
881 .ctx_size = sizeof(EVP_AES_KEY),
882 };
883
884 const EVP_CIPHER *
EVP_aes_192_ofb(void)885 EVP_aes_192_ofb(void)
886 {
887 #ifdef AESNI_CAPABLE
888 return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb;
889 #else
890 return &aes_192_ofb;
891 #endif
892 }
893 LCRYPTO_ALIAS(EVP_aes_192_ofb);
894
895 #ifdef AESNI_CAPABLE
896 static const EVP_CIPHER aesni_192_cfb = {
897 .nid = NID_aes_192_cfb128,
898 .block_size = 1,
899 .key_len = 24,
900 .iv_len = 16,
901 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
902 .init = aesni_init_key,
903 .do_cipher = aes_cfb_cipher,
904 .ctx_size = sizeof(EVP_AES_KEY),
905 };
906 #endif
907
908 static const EVP_CIPHER aes_192_cfb = {
909 .nid = NID_aes_192_cfb128,
910 .block_size = 1,
911 .key_len = 24,
912 .iv_len = 16,
913 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
914 .init = aes_init_key,
915 .do_cipher = aes_cfb_cipher,
916 .ctx_size = sizeof(EVP_AES_KEY),
917 };
918
919 const EVP_CIPHER *
EVP_aes_192_cfb128(void)920 EVP_aes_192_cfb128(void)
921 {
922 #ifdef AESNI_CAPABLE
923 return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb;
924 #else
925 return &aes_192_cfb;
926 #endif
927 }
928 LCRYPTO_ALIAS(EVP_aes_192_cfb128);
929
930 #ifdef AESNI_CAPABLE
931 static const EVP_CIPHER aesni_192_cfb1 = {
932 .nid = NID_aes_192_cfb1,
933 .block_size = 1,
934 .key_len = 24,
935 .iv_len = 16,
936 .flags = EVP_CIPH_CFB_MODE,
937 .init = aesni_init_key,
938 .do_cipher = aes_cfb1_cipher,
939 .ctx_size = sizeof(EVP_AES_KEY),
940 };
941 #endif
942
943 static const EVP_CIPHER aes_192_cfb1 = {
944 .nid = NID_aes_192_cfb1,
945 .block_size = 1,
946 .key_len = 24,
947 .iv_len = 16,
948 .flags = EVP_CIPH_CFB_MODE,
949 .init = aes_init_key,
950 .do_cipher = aes_cfb1_cipher,
951 .ctx_size = sizeof(EVP_AES_KEY),
952 };
953
954 const EVP_CIPHER *
EVP_aes_192_cfb1(void)955 EVP_aes_192_cfb1(void)
956 {
957 #ifdef AESNI_CAPABLE
958 return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1;
959 #else
960 return &aes_192_cfb1;
961 #endif
962 }
963 LCRYPTO_ALIAS(EVP_aes_192_cfb1);
964
965 #ifdef AESNI_CAPABLE
966 static const EVP_CIPHER aesni_192_cfb8 = {
967 .nid = NID_aes_192_cfb8,
968 .block_size = 1,
969 .key_len = 24,
970 .iv_len = 16,
971 .flags = EVP_CIPH_CFB_MODE,
972 .init = aesni_init_key,
973 .do_cipher = aes_cfb8_cipher,
974 .ctx_size = sizeof(EVP_AES_KEY),
975 };
976 #endif
977
978 static const EVP_CIPHER aes_192_cfb8 = {
979 .nid = NID_aes_192_cfb8,
980 .block_size = 1,
981 .key_len = 24,
982 .iv_len = 16,
983 .flags = EVP_CIPH_CFB_MODE,
984 .init = aes_init_key,
985 .do_cipher = aes_cfb8_cipher,
986 .ctx_size = sizeof(EVP_AES_KEY),
987 };
988
989 const EVP_CIPHER *
EVP_aes_192_cfb8(void)990 EVP_aes_192_cfb8(void)
991 {
992 #ifdef AESNI_CAPABLE
993 return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8;
994 #else
995 return &aes_192_cfb8;
996 #endif
997 }
998 LCRYPTO_ALIAS(EVP_aes_192_cfb8);
999
1000 #ifdef AESNI_CAPABLE
1001 static const EVP_CIPHER aesni_192_ctr = {
1002 .nid = NID_aes_192_ctr,
1003 .block_size = 1,
1004 .key_len = 24,
1005 .iv_len = 16,
1006 .flags = EVP_CIPH_CTR_MODE,
1007 .init = aesni_init_key,
1008 .do_cipher = aes_ctr_cipher,
1009 .ctx_size = sizeof(EVP_AES_KEY),
1010 };
1011 #endif
1012
1013 static const EVP_CIPHER aes_192_ctr = {
1014 .nid = NID_aes_192_ctr,
1015 .block_size = 1,
1016 .key_len = 24,
1017 .iv_len = 16,
1018 .flags = EVP_CIPH_CTR_MODE,
1019 .init = aes_init_key,
1020 .do_cipher = aes_ctr_cipher,
1021 .ctx_size = sizeof(EVP_AES_KEY),
1022 };
1023
1024 const EVP_CIPHER *
EVP_aes_192_ctr(void)1025 EVP_aes_192_ctr(void)
1026 {
1027 #ifdef AESNI_CAPABLE
1028 return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr;
1029 #else
1030 return &aes_192_ctr;
1031 #endif
1032 }
1033 LCRYPTO_ALIAS(EVP_aes_192_ctr);
1034
1035
1036 #ifdef AESNI_CAPABLE
1037 static const EVP_CIPHER aesni_256_cbc = {
1038 .nid = NID_aes_256_cbc,
1039 .block_size = 16,
1040 .key_len = 32,
1041 .iv_len = 16,
1042 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
1043 .init = aesni_init_key,
1044 .do_cipher = aesni_cbc_cipher,
1045 .ctx_size = sizeof(EVP_AES_KEY),
1046 };
1047 #endif
1048
1049 static const EVP_CIPHER aes_256_cbc = {
1050 .nid = NID_aes_256_cbc,
1051 .block_size = 16,
1052 .key_len = 32,
1053 .iv_len = 16,
1054 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
1055 .init = aes_init_key,
1056 .do_cipher = aes_cbc_cipher,
1057 .ctx_size = sizeof(EVP_AES_KEY),
1058 };
1059
1060 const EVP_CIPHER *
EVP_aes_256_cbc(void)1061 EVP_aes_256_cbc(void)
1062 {
1063 #ifdef AESNI_CAPABLE
1064 return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc;
1065 #else
1066 return &aes_256_cbc;
1067 #endif
1068 }
1069 LCRYPTO_ALIAS(EVP_aes_256_cbc);
1070
1071 #ifdef AESNI_CAPABLE
1072 static const EVP_CIPHER aesni_256_ecb = {
1073 .nid = NID_aes_256_ecb,
1074 .block_size = 16,
1075 .key_len = 32,
1076 .iv_len = 0,
1077 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
1078 .init = aesni_init_key,
1079 .do_cipher = aesni_ecb_cipher,
1080 .ctx_size = sizeof(EVP_AES_KEY),
1081 };
1082 #endif
1083
1084 static const EVP_CIPHER aes_256_ecb = {
1085 .nid = NID_aes_256_ecb,
1086 .block_size = 16,
1087 .key_len = 32,
1088 .iv_len = 0,
1089 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
1090 .init = aes_init_key,
1091 .do_cipher = aes_ecb_cipher,
1092 .ctx_size = sizeof(EVP_AES_KEY),
1093 };
1094
1095 const EVP_CIPHER *
EVP_aes_256_ecb(void)1096 EVP_aes_256_ecb(void)
1097 {
1098 #ifdef AESNI_CAPABLE
1099 return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb;
1100 #else
1101 return &aes_256_ecb;
1102 #endif
1103 }
1104 LCRYPTO_ALIAS(EVP_aes_256_ecb);
1105
1106 #ifdef AESNI_CAPABLE
1107 static const EVP_CIPHER aesni_256_ofb = {
1108 .nid = NID_aes_256_ofb128,
1109 .block_size = 1,
1110 .key_len = 32,
1111 .iv_len = 16,
1112 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
1113 .init = aesni_init_key,
1114 .do_cipher = aes_ofb_cipher,
1115 .ctx_size = sizeof(EVP_AES_KEY),
1116 };
1117 #endif
1118
1119 static const EVP_CIPHER aes_256_ofb = {
1120 .nid = NID_aes_256_ofb128,
1121 .block_size = 1,
1122 .key_len = 32,
1123 .iv_len = 16,
1124 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
1125 .init = aes_init_key,
1126 .do_cipher = aes_ofb_cipher,
1127 .ctx_size = sizeof(EVP_AES_KEY),
1128 };
1129
1130 const EVP_CIPHER *
EVP_aes_256_ofb(void)1131 EVP_aes_256_ofb(void)
1132 {
1133 #ifdef AESNI_CAPABLE
1134 return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb;
1135 #else
1136 return &aes_256_ofb;
1137 #endif
1138 }
1139 LCRYPTO_ALIAS(EVP_aes_256_ofb);
1140
1141 #ifdef AESNI_CAPABLE
1142 static const EVP_CIPHER aesni_256_cfb = {
1143 .nid = NID_aes_256_cfb128,
1144 .block_size = 1,
1145 .key_len = 32,
1146 .iv_len = 16,
1147 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
1148 .init = aesni_init_key,
1149 .do_cipher = aes_cfb_cipher,
1150 .ctx_size = sizeof(EVP_AES_KEY),
1151 };
1152 #endif
1153
1154 static const EVP_CIPHER aes_256_cfb = {
1155 .nid = NID_aes_256_cfb128,
1156 .block_size = 1,
1157 .key_len = 32,
1158 .iv_len = 16,
1159 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
1160 .init = aes_init_key,
1161 .do_cipher = aes_cfb_cipher,
1162 .ctx_size = sizeof(EVP_AES_KEY),
1163 };
1164
1165 const EVP_CIPHER *
EVP_aes_256_cfb128(void)1166 EVP_aes_256_cfb128(void)
1167 {
1168 #ifdef AESNI_CAPABLE
1169 return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb;
1170 #else
1171 return &aes_256_cfb;
1172 #endif
1173 }
1174 LCRYPTO_ALIAS(EVP_aes_256_cfb128);
1175
1176 #ifdef AESNI_CAPABLE
1177 static const EVP_CIPHER aesni_256_cfb1 = {
1178 .nid = NID_aes_256_cfb1,
1179 .block_size = 1,
1180 .key_len = 32,
1181 .iv_len = 16,
1182 .flags = EVP_CIPH_CFB_MODE,
1183 .init = aesni_init_key,
1184 .do_cipher = aes_cfb1_cipher,
1185 .ctx_size = sizeof(EVP_AES_KEY),
1186 };
1187 #endif
1188
1189 static const EVP_CIPHER aes_256_cfb1 = {
1190 .nid = NID_aes_256_cfb1,
1191 .block_size = 1,
1192 .key_len = 32,
1193 .iv_len = 16,
1194 .flags = EVP_CIPH_CFB_MODE,
1195 .init = aes_init_key,
1196 .do_cipher = aes_cfb1_cipher,
1197 .ctx_size = sizeof(EVP_AES_KEY),
1198 };
1199
1200 const EVP_CIPHER *
EVP_aes_256_cfb1(void)1201 EVP_aes_256_cfb1(void)
1202 {
1203 #ifdef AESNI_CAPABLE
1204 return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1;
1205 #else
1206 return &aes_256_cfb1;
1207 #endif
1208 }
1209 LCRYPTO_ALIAS(EVP_aes_256_cfb1);
1210
1211 #ifdef AESNI_CAPABLE
1212 static const EVP_CIPHER aesni_256_cfb8 = {
1213 .nid = NID_aes_256_cfb8,
1214 .block_size = 1,
1215 .key_len = 32,
1216 .iv_len = 16,
1217 .flags = EVP_CIPH_CFB_MODE,
1218 .init = aesni_init_key,
1219 .do_cipher = aes_cfb8_cipher,
1220 .ctx_size = sizeof(EVP_AES_KEY),
1221 };
1222 #endif
1223
1224 static const EVP_CIPHER aes_256_cfb8 = {
1225 .nid = NID_aes_256_cfb8,
1226 .block_size = 1,
1227 .key_len = 32,
1228 .iv_len = 16,
1229 .flags = EVP_CIPH_CFB_MODE,
1230 .init = aes_init_key,
1231 .do_cipher = aes_cfb8_cipher,
1232 .ctx_size = sizeof(EVP_AES_KEY),
1233 };
1234
1235 const EVP_CIPHER *
EVP_aes_256_cfb8(void)1236 EVP_aes_256_cfb8(void)
1237 {
1238 #ifdef AESNI_CAPABLE
1239 return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8;
1240 #else
1241 return &aes_256_cfb8;
1242 #endif
1243 }
1244 LCRYPTO_ALIAS(EVP_aes_256_cfb8);
1245
1246 #ifdef AESNI_CAPABLE
1247 static const EVP_CIPHER aesni_256_ctr = {
1248 .nid = NID_aes_256_ctr,
1249 .block_size = 1,
1250 .key_len = 32,
1251 .iv_len = 16,
1252 .flags = EVP_CIPH_CTR_MODE,
1253 .init = aesni_init_key,
1254 .do_cipher = aes_ctr_cipher,
1255 .ctx_size = sizeof(EVP_AES_KEY),
1256 };
1257 #endif
1258
1259 static const EVP_CIPHER aes_256_ctr = {
1260 .nid = NID_aes_256_ctr,
1261 .block_size = 1,
1262 .key_len = 32,
1263 .iv_len = 16,
1264 .flags = EVP_CIPH_CTR_MODE,
1265 .init = aes_init_key,
1266 .do_cipher = aes_ctr_cipher,
1267 .ctx_size = sizeof(EVP_AES_KEY),
1268 };
1269
1270 const EVP_CIPHER *
EVP_aes_256_ctr(void)1271 EVP_aes_256_ctr(void)
1272 {
1273 #ifdef AESNI_CAPABLE
1274 return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr;
1275 #else
1276 return &aes_256_ctr;
1277 #endif
1278 }
1279 LCRYPTO_ALIAS(EVP_aes_256_ctr);
1280
1281 static int
aes_gcm_cleanup(EVP_CIPHER_CTX * c)1282 aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1283 {
1284 EVP_AES_GCM_CTX *gctx = c->cipher_data;
1285
1286 if (gctx->iv != c->iv)
1287 free(gctx->iv);
1288
1289 explicit_bzero(gctx, sizeof(*gctx));
1290
1291 return 1;
1292 }
1293
1294 /* increment counter (64-bit int) by 1 */
1295 static void
ctr64_inc(unsigned char * counter)1296 ctr64_inc(unsigned char *counter)
1297 {
1298 int n = 8;
1299 unsigned char c;
1300
1301 do {
1302 --n;
1303 c = counter[n];
1304 ++c;
1305 counter[n] = c;
1306 if (c)
1307 return;
1308 } while (n);
1309 }
1310
1311 static int
aes_gcm_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1312 aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1313 {
1314 EVP_AES_GCM_CTX *gctx = c->cipher_data;
1315
1316 switch (type) {
1317 case EVP_CTRL_INIT:
1318 gctx->key_set = 0;
1319 gctx->iv_set = 0;
1320 if (c->cipher->iv_len == 0) {
1321 EVPerror(EVP_R_INVALID_IV_LENGTH);
1322 return 0;
1323 }
1324 gctx->ivlen = c->cipher->iv_len;
1325 gctx->iv = c->iv;
1326 gctx->taglen = -1;
1327 gctx->iv_gen = 0;
1328 gctx->tls_aad_len = -1;
1329 return 1;
1330
1331 case EVP_CTRL_AEAD_GET_IVLEN:
1332 *(int *)ptr = gctx->ivlen;
1333 return 1;
1334
1335 case EVP_CTRL_AEAD_SET_IVLEN:
1336 if (arg <= 0)
1337 return 0;
1338 /* Allocate memory for IV if needed */
1339 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
1340 if (gctx->iv != c->iv)
1341 free(gctx->iv);
1342 gctx->iv = malloc(arg);
1343 if (!gctx->iv)
1344 return 0;
1345 }
1346 gctx->ivlen = arg;
1347 return 1;
1348
1349 case EVP_CTRL_GCM_SET_TAG:
1350 if (arg <= 0 || arg > 16 || c->encrypt)
1351 return 0;
1352 memcpy(c->buf, ptr, arg);
1353 gctx->taglen = arg;
1354 return 1;
1355
1356 case EVP_CTRL_GCM_GET_TAG:
1357 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1358 return 0;
1359 memcpy(ptr, c->buf, arg);
1360 return 1;
1361
1362 case EVP_CTRL_GCM_SET_IV_FIXED:
1363 /* Special case: -1 length restores whole IV */
1364 if (arg == -1) {
1365 memcpy(gctx->iv, ptr, gctx->ivlen);
1366 gctx->iv_gen = 1;
1367 return 1;
1368 }
1369 /* Fixed field must be at least 4 bytes and invocation field
1370 * at least 8.
1371 */
1372 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1373 return 0;
1374 if (arg)
1375 memcpy(gctx->iv, ptr, arg);
1376 if (c->encrypt)
1377 arc4random_buf(gctx->iv + arg, gctx->ivlen - arg);
1378 gctx->iv_gen = 1;
1379 return 1;
1380
1381 case EVP_CTRL_GCM_IV_GEN:
1382 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1383 return 0;
1384 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1385 if (arg <= 0 || arg > gctx->ivlen)
1386 arg = gctx->ivlen;
1387 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1388 /* Invocation field will be at least 8 bytes in size and
1389 * so no need to check wrap around or increment more than
1390 * last 8 bytes.
1391 */
1392 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1393 gctx->iv_set = 1;
1394 return 1;
1395
1396 case EVP_CTRL_GCM_SET_IV_INV:
1397 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1398 return 0;
1399 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1400 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1401 gctx->iv_set = 1;
1402 return 1;
1403
1404 case EVP_CTRL_AEAD_TLS1_AAD:
1405 /* Save the AAD for later use */
1406 if (arg != 13)
1407 return 0;
1408 memcpy(c->buf, ptr, arg);
1409 gctx->tls_aad_len = arg;
1410 {
1411 unsigned int len = c->buf[arg - 2] << 8 |
1412 c->buf[arg - 1];
1413
1414 /* Correct length for explicit IV */
1415 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
1416 return 0;
1417 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1418
1419 /* If decrypting correct for tag too */
1420 if (!c->encrypt) {
1421 if (len < EVP_GCM_TLS_TAG_LEN)
1422 return 0;
1423 len -= EVP_GCM_TLS_TAG_LEN;
1424 }
1425 c->buf[arg - 2] = len >> 8;
1426 c->buf[arg - 1] = len & 0xff;
1427 }
1428 /* Extra padding: tag appended to record */
1429 return EVP_GCM_TLS_TAG_LEN;
1430
1431 case EVP_CTRL_COPY:
1432 {
1433 EVP_CIPHER_CTX *out = ptr;
1434 EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
1435
1436 if (gctx->gcm.key) {
1437 if (gctx->gcm.key != &gctx->ks)
1438 return 0;
1439 gctx_out->gcm.key = &gctx_out->ks;
1440 }
1441
1442 if (gctx->iv == c->iv) {
1443 gctx_out->iv = out->iv;
1444 } else {
1445 if ((gctx_out->iv = calloc(1, gctx->ivlen)) == NULL)
1446 return 0;
1447 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
1448 }
1449 return 1;
1450 }
1451
1452 default:
1453 return -1;
1454
1455 }
1456 }
1457
1458 static ctr128_f
aes_gcm_set_key(AES_KEY * aes_key,GCM128_CONTEXT * gcm_ctx,const unsigned char * key,size_t key_len)1459 aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
1460 const unsigned char *key, size_t key_len)
1461 {
1462 #ifdef BSAES_CAPABLE
1463 if (BSAES_CAPABLE) {
1464 AES_set_encrypt_key(key, key_len * 8, aes_key);
1465 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
1466 return (ctr128_f)bsaes_ctr32_encrypt_blocks;
1467 } else
1468 #endif
1469 #ifdef VPAES_CAPABLE
1470 if (VPAES_CAPABLE) {
1471 vpaes_set_encrypt_key(key, key_len * 8, aes_key);
1472 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
1473 return NULL;
1474 } else
1475 #endif
1476 (void)0; /* terminate potentially open 'else' */
1477
1478 AES_set_encrypt_key(key, key_len * 8, aes_key);
1479 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
1480 #ifdef AES_CTR_ASM
1481 return (ctr128_f)AES_ctr32_encrypt;
1482 #else
1483 return NULL;
1484 #endif
1485 }
1486
1487 static int
aes_gcm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)1488 aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1489 const unsigned char *iv, int enc)
1490 {
1491 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1492
1493 if (!iv && !key)
1494 return 1;
1495 if (key) {
1496 gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm,
1497 key, ctx->key_len);
1498
1499 /* If we have an iv can set it directly, otherwise use
1500 * saved IV.
1501 */
1502 if (iv == NULL && gctx->iv_set)
1503 iv = gctx->iv;
1504 if (iv) {
1505 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1506 gctx->iv_set = 1;
1507 }
1508 gctx->key_set = 1;
1509 } else {
1510 /* If key set use IV, otherwise copy */
1511 if (gctx->key_set)
1512 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1513 else
1514 memcpy(gctx->iv, iv, gctx->ivlen);
1515 gctx->iv_set = 1;
1516 gctx->iv_gen = 0;
1517 }
1518 return 1;
1519 }
1520
1521 /* Handle TLS GCM packet format. This consists of the last portion of the IV
1522 * followed by the payload and finally the tag. On encrypt generate IV,
1523 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1524 * and verify tag.
1525 */
1526
1527 static int
aes_gcm_tls_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1528 aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1529 const unsigned char *in, size_t len)
1530 {
1531 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1532 int rv = -1;
1533
1534 /* Encrypt/decrypt must be performed in place */
1535 if (out != in ||
1536 len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1537 return -1;
1538
1539 /* Set IV from start of buffer or generate IV and write to start
1540 * of buffer.
1541 */
1542 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1543 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1544 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1545 goto err;
1546
1547 /* Use saved AAD */
1548 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1549 goto err;
1550
1551 /* Fix buffer and length to point to payload */
1552 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1553 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1554 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1555 if (ctx->encrypt) {
1556 /* Encrypt payload */
1557 if (gctx->ctr) {
1558 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out,
1559 len, gctx->ctr))
1560 goto err;
1561 } else {
1562 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1563 goto err;
1564 }
1565 out += len;
1566
1567 /* Finally write tag */
1568 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1569 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1570 } else {
1571 /* Decrypt */
1572 if (gctx->ctr) {
1573 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out,
1574 len, gctx->ctr))
1575 goto err;
1576 } else {
1577 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1578 goto err;
1579 }
1580 /* Retrieve tag */
1581 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
1582
1583 /* If tag mismatch wipe buffer */
1584 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
1585 explicit_bzero(out, len);
1586 goto err;
1587 }
1588 rv = len;
1589 }
1590
1591 err:
1592 gctx->iv_set = 0;
1593 gctx->tls_aad_len = -1;
1594 return rv;
1595 }
1596
1597 static int
aes_gcm_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1598 aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1599 const unsigned char *in, size_t len)
1600 {
1601 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1602
1603 /* If not set up, return error */
1604 if (!gctx->key_set)
1605 return -1;
1606
1607 if (gctx->tls_aad_len >= 0)
1608 return aes_gcm_tls_cipher(ctx, out, in, len);
1609
1610 if (!gctx->iv_set)
1611 return -1;
1612
1613 if (in) {
1614 if (out == NULL) {
1615 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1616 return -1;
1617 } else if (ctx->encrypt) {
1618 if (gctx->ctr) {
1619 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1620 in, out, len, gctx->ctr))
1621 return -1;
1622 } else {
1623 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1624 in, out, len))
1625 return -1;
1626 }
1627 } else {
1628 if (gctx->ctr) {
1629 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1630 in, out, len, gctx->ctr))
1631 return -1;
1632 } else {
1633 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1634 in, out, len))
1635 return -1;
1636 }
1637 }
1638 return len;
1639 } else {
1640 if (!ctx->encrypt) {
1641 if (gctx->taglen < 0)
1642 return -1;
1643 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf,
1644 gctx->taglen) != 0)
1645 return -1;
1646 gctx->iv_set = 0;
1647 return 0;
1648 }
1649 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1650 gctx->taglen = 16;
1651
1652 /* Don't reuse the IV */
1653 gctx->iv_set = 0;
1654 return 0;
1655 }
1656
1657 }
1658
1659 #define CUSTOM_FLAGS \
1660 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
1661 EVP_CIPH_FLAG_CUSTOM_IV_LENGTH | \
1662 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \
1663 EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
1664
1665
1666 #ifdef AESNI_CAPABLE
1667 static const EVP_CIPHER aesni_128_gcm = {
1668 .nid = NID_aes_128_gcm,
1669 .block_size = 1,
1670 .key_len = 16,
1671 .iv_len = 12,
1672 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1673 .init = aesni_gcm_init_key,
1674 .do_cipher = aes_gcm_cipher,
1675 .cleanup = aes_gcm_cleanup,
1676 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1677 .ctrl = aes_gcm_ctrl,
1678 };
1679 #endif
1680
1681 static const EVP_CIPHER aes_128_gcm = {
1682 .nid = NID_aes_128_gcm,
1683 .block_size = 1,
1684 .key_len = 16,
1685 .iv_len = 12,
1686 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1687 .init = aes_gcm_init_key,
1688 .do_cipher = aes_gcm_cipher,
1689 .cleanup = aes_gcm_cleanup,
1690 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1691 .ctrl = aes_gcm_ctrl,
1692 };
1693
1694 const EVP_CIPHER *
EVP_aes_128_gcm(void)1695 EVP_aes_128_gcm(void)
1696 {
1697 #ifdef AESNI_CAPABLE
1698 return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm;
1699 #else
1700 return &aes_128_gcm;
1701 #endif
1702 }
1703 LCRYPTO_ALIAS(EVP_aes_128_gcm);
1704
1705 #ifdef AESNI_CAPABLE
1706 static const EVP_CIPHER aesni_192_gcm = {
1707 .nid = NID_aes_192_gcm,
1708 .block_size = 1,
1709 .key_len = 24,
1710 .iv_len = 12,
1711 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1712 .init = aesni_gcm_init_key,
1713 .do_cipher = aes_gcm_cipher,
1714 .cleanup = aes_gcm_cleanup,
1715 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1716 .ctrl = aes_gcm_ctrl,
1717 };
1718 #endif
1719
1720 static const EVP_CIPHER aes_192_gcm = {
1721 .nid = NID_aes_192_gcm,
1722 .block_size = 1,
1723 .key_len = 24,
1724 .iv_len = 12,
1725 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1726 .init = aes_gcm_init_key,
1727 .do_cipher = aes_gcm_cipher,
1728 .cleanup = aes_gcm_cleanup,
1729 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1730 .ctrl = aes_gcm_ctrl,
1731 };
1732
1733 const EVP_CIPHER *
EVP_aes_192_gcm(void)1734 EVP_aes_192_gcm(void)
1735 {
1736 #ifdef AESNI_CAPABLE
1737 return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm;
1738 #else
1739 return &aes_192_gcm;
1740 #endif
1741 }
1742 LCRYPTO_ALIAS(EVP_aes_192_gcm);
1743
1744 #ifdef AESNI_CAPABLE
1745 static const EVP_CIPHER aesni_256_gcm = {
1746 .nid = NID_aes_256_gcm,
1747 .block_size = 1,
1748 .key_len = 32,
1749 .iv_len = 12,
1750 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1751 .init = aesni_gcm_init_key,
1752 .do_cipher = aes_gcm_cipher,
1753 .cleanup = aes_gcm_cleanup,
1754 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1755 .ctrl = aes_gcm_ctrl,
1756 };
1757 #endif
1758
1759 static const EVP_CIPHER aes_256_gcm = {
1760 .nid = NID_aes_256_gcm,
1761 .block_size = 1,
1762 .key_len = 32,
1763 .iv_len = 12,
1764 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1765 .init = aes_gcm_init_key,
1766 .do_cipher = aes_gcm_cipher,
1767 .cleanup = aes_gcm_cleanup,
1768 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1769 .ctrl = aes_gcm_ctrl,
1770 };
1771
1772 const EVP_CIPHER *
EVP_aes_256_gcm(void)1773 EVP_aes_256_gcm(void)
1774 {
1775 #ifdef AESNI_CAPABLE
1776 return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm;
1777 #else
1778 return &aes_256_gcm;
1779 #endif
1780 }
1781 LCRYPTO_ALIAS(EVP_aes_256_gcm);
1782
1783 static int
aes_xts_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1784 aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1785 {
1786 EVP_AES_XTS_CTX *xctx = c->cipher_data;
1787
1788 switch (type) {
1789 case EVP_CTRL_INIT:
1790 /*
1791 * key1 and key2 are used as an indicator both key and IV
1792 * are set
1793 */
1794 xctx->xts.key1 = NULL;
1795 xctx->xts.key2 = NULL;
1796 return 1;
1797
1798 case EVP_CTRL_COPY:
1799 {
1800 EVP_CIPHER_CTX *out = ptr;
1801 EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
1802
1803 if (xctx->xts.key1) {
1804 if (xctx->xts.key1 != &xctx->ks1)
1805 return 0;
1806 xctx_out->xts.key1 = &xctx_out->ks1;
1807 }
1808 if (xctx->xts.key2) {
1809 if (xctx->xts.key2 != &xctx->ks2)
1810 return 0;
1811 xctx_out->xts.key2 = &xctx_out->ks2;
1812 }
1813 return 1;
1814 }
1815 }
1816 return -1;
1817 }
1818
1819 static int
aes_xts_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)1820 aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1821 const unsigned char *iv, int enc)
1822 {
1823 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1824
1825 if (!iv && !key)
1826 return 1;
1827
1828 if (key) do {
1829 #ifdef AES_XTS_ASM
1830 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1831 #else
1832 xctx->stream = NULL;
1833 #endif
1834 /* key_len is two AES keys */
1835 #ifdef BSAES_CAPABLE
1836 if (BSAES_CAPABLE)
1837 xctx->stream = enc ? bsaes_xts_encrypt :
1838 bsaes_xts_decrypt;
1839 else
1840 #endif
1841 #ifdef VPAES_CAPABLE
1842 if (VPAES_CAPABLE) {
1843 if (enc) {
1844 vpaes_set_encrypt_key(key, ctx->key_len * 4,
1845 &xctx->ks1);
1846 xctx->xts.block1 = (block128_f)vpaes_encrypt;
1847 } else {
1848 vpaes_set_decrypt_key(key, ctx->key_len * 4,
1849 &xctx->ks1);
1850 xctx->xts.block1 = (block128_f)vpaes_decrypt;
1851 }
1852
1853 vpaes_set_encrypt_key(key + ctx->key_len / 2,
1854 ctx->key_len * 4, &xctx->ks2);
1855 xctx->xts.block2 = (block128_f)vpaes_encrypt;
1856
1857 xctx->xts.key1 = &xctx->ks1;
1858 break;
1859 } else
1860 #endif
1861 (void)0; /* terminate potentially open 'else' */
1862
1863 if (enc) {
1864 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1865 xctx->xts.block1 = (block128_f)AES_encrypt;
1866 } else {
1867 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1868 xctx->xts.block1 = (block128_f)AES_decrypt;
1869 }
1870
1871 AES_set_encrypt_key(key + ctx->key_len / 2,
1872 ctx->key_len * 4, &xctx->ks2);
1873 xctx->xts.block2 = (block128_f)AES_encrypt;
1874
1875 xctx->xts.key1 = &xctx->ks1;
1876 } while (0);
1877
1878 if (iv) {
1879 xctx->xts.key2 = &xctx->ks2;
1880 memcpy(ctx->iv, iv, 16);
1881 }
1882
1883 return 1;
1884 }
1885
1886 static int
aes_xts_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1887 aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1888 const unsigned char *in, size_t len)
1889 {
1890 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1891
1892 if (!xctx->xts.key1 || !xctx->xts.key2)
1893 return 0;
1894 if (!out || !in || len < AES_BLOCK_SIZE)
1895 return 0;
1896
1897 if (xctx->stream)
1898 (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2,
1899 ctx->iv);
1900 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1901 ctx->encrypt))
1902 return 0;
1903 return 1;
1904 }
1905
1906 #define XTS_FLAGS \
1907 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
1908 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
1909
1910
1911 #ifdef AESNI_CAPABLE
1912 static const EVP_CIPHER aesni_128_xts = {
1913 .nid = NID_aes_128_xts,
1914 .block_size = 1,
1915 .key_len = 2 * 16,
1916 .iv_len = 16,
1917 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1918 .init = aesni_xts_init_key,
1919 .do_cipher = aes_xts_cipher,
1920 .cleanup = NULL,
1921 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1922 .ctrl = aes_xts_ctrl,
1923 };
1924 #endif
1925
1926 static const EVP_CIPHER aes_128_xts = {
1927 .nid = NID_aes_128_xts,
1928 .block_size = 1,
1929 .key_len = 2 * 16,
1930 .iv_len = 16,
1931 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1932 .init = aes_xts_init_key,
1933 .do_cipher = aes_xts_cipher,
1934 .cleanup = NULL,
1935 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1936 .ctrl = aes_xts_ctrl,
1937 };
1938
1939 const EVP_CIPHER *
EVP_aes_128_xts(void)1940 EVP_aes_128_xts(void)
1941 {
1942 #ifdef AESNI_CAPABLE
1943 return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts;
1944 #else
1945 return &aes_128_xts;
1946 #endif
1947 }
1948 LCRYPTO_ALIAS(EVP_aes_128_xts);
1949
1950 #ifdef AESNI_CAPABLE
1951 static const EVP_CIPHER aesni_256_xts = {
1952 .nid = NID_aes_256_xts,
1953 .block_size = 1,
1954 .key_len = 2 * 32,
1955 .iv_len = 16,
1956 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1957 .init = aesni_xts_init_key,
1958 .do_cipher = aes_xts_cipher,
1959 .cleanup = NULL,
1960 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1961 .ctrl = aes_xts_ctrl,
1962 };
1963 #endif
1964
1965 static const EVP_CIPHER aes_256_xts = {
1966 .nid = NID_aes_256_xts,
1967 .block_size = 1,
1968 .key_len = 2 * 32,
1969 .iv_len = 16,
1970 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1971 .init = aes_xts_init_key,
1972 .do_cipher = aes_xts_cipher,
1973 .cleanup = NULL,
1974 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1975 .ctrl = aes_xts_ctrl,
1976 };
1977
1978 const EVP_CIPHER *
EVP_aes_256_xts(void)1979 EVP_aes_256_xts(void)
1980 {
1981 #ifdef AESNI_CAPABLE
1982 return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts;
1983 #else
1984 return &aes_256_xts;
1985 #endif
1986 }
1987 LCRYPTO_ALIAS(EVP_aes_256_xts);
1988
1989 static int
aes_ccm_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1990 aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1991 {
1992 EVP_AES_CCM_CTX *cctx = c->cipher_data;
1993
1994 switch (type) {
1995 case EVP_CTRL_INIT:
1996 cctx->key_set = 0;
1997 cctx->iv_set = 0;
1998 cctx->L = 8;
1999 cctx->M = 12;
2000 cctx->tag_set = 0;
2001 cctx->len_set = 0;
2002 return 1;
2003
2004 case EVP_CTRL_AEAD_GET_IVLEN:
2005 *(int *)ptr = 15 - cctx->L;
2006 return 1;
2007
2008 case EVP_CTRL_AEAD_SET_IVLEN:
2009 arg = 15 - arg;
2010
2011 case EVP_CTRL_CCM_SET_L:
2012 if (arg < 2 || arg > 8)
2013 return 0;
2014 cctx->L = arg;
2015 return 1;
2016
2017 case EVP_CTRL_CCM_SET_TAG:
2018 if ((arg & 1) || arg < 4 || arg > 16)
2019 return 0;
2020 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
2021 return 0;
2022 if (ptr) {
2023 cctx->tag_set = 1;
2024 memcpy(c->buf, ptr, arg);
2025 }
2026 cctx->M = arg;
2027 return 1;
2028
2029 case EVP_CTRL_CCM_GET_TAG:
2030 if (!c->encrypt || !cctx->tag_set)
2031 return 0;
2032 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
2033 return 0;
2034 cctx->tag_set = 0;
2035 cctx->iv_set = 0;
2036 cctx->len_set = 0;
2037 return 1;
2038
2039 case EVP_CTRL_COPY:
2040 {
2041 EVP_CIPHER_CTX *out = ptr;
2042 EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
2043
2044 if (cctx->ccm.key) {
2045 if (cctx->ccm.key != &cctx->ks)
2046 return 0;
2047 cctx_out->ccm.key = &cctx_out->ks;
2048 }
2049 return 1;
2050 }
2051
2052 default:
2053 return -1;
2054 }
2055 }
2056
2057 static int
aes_ccm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)2058 aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2059 const unsigned char *iv, int enc)
2060 {
2061 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
2062
2063 if (!iv && !key)
2064 return 1;
2065 if (key) do {
2066 #ifdef VPAES_CAPABLE
2067 if (VPAES_CAPABLE) {
2068 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
2069 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2070 &cctx->ks, (block128_f)vpaes_encrypt);
2071 cctx->str = NULL;
2072 cctx->key_set = 1;
2073 break;
2074 }
2075 #endif
2076 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
2077 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2078 &cctx->ks, (block128_f)AES_encrypt);
2079 cctx->str = NULL;
2080 cctx->key_set = 1;
2081 } while (0);
2082 if (iv) {
2083 memcpy(ctx->iv, iv, 15 - cctx->L);
2084 cctx->iv_set = 1;
2085 }
2086 return 1;
2087 }
2088
2089 static int
aes_ccm_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)2090 aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2091 const unsigned char *in, size_t len)
2092 {
2093 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
2094 CCM128_CONTEXT *ccm = &cctx->ccm;
2095
2096 /* If not set up, return error */
2097 if (!cctx->iv_set && !cctx->key_set)
2098 return -1;
2099 if (!ctx->encrypt && !cctx->tag_set)
2100 return -1;
2101
2102 if (!out) {
2103 if (!in) {
2104 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,
2105 len))
2106 return -1;
2107 cctx->len_set = 1;
2108 return len;
2109 }
2110 /* If have AAD need message length */
2111 if (!cctx->len_set && len)
2112 return -1;
2113 CRYPTO_ccm128_aad(ccm, in, len);
2114 return len;
2115 }
2116 /* EVP_*Final() doesn't return any data */
2117 if (!in)
2118 return 0;
2119 /* If not set length yet do it */
2120 if (!cctx->len_set) {
2121 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
2122 return -1;
2123 cctx->len_set = 1;
2124 }
2125 if (ctx->encrypt) {
2126 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
2127 cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len))
2128 return -1;
2129 cctx->tag_set = 1;
2130 return len;
2131 } else {
2132 int rv = -1;
2133 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
2134 cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
2135 unsigned char tag[16];
2136 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
2137 if (!memcmp(tag, ctx->buf, cctx->M))
2138 rv = len;
2139 }
2140 }
2141 if (rv == -1)
2142 explicit_bzero(out, len);
2143 cctx->iv_set = 0;
2144 cctx->tag_set = 0;
2145 cctx->len_set = 0;
2146 return rv;
2147 }
2148
2149 }
2150
2151 #ifdef AESNI_CAPABLE
2152 static const EVP_CIPHER aesni_128_ccm = {
2153 .nid = NID_aes_128_ccm,
2154 .block_size = 1,
2155 .key_len = 16,
2156 .iv_len = 12,
2157 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2158 .init = aesni_ccm_init_key,
2159 .do_cipher = aes_ccm_cipher,
2160 .cleanup = NULL,
2161 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2162 .ctrl = aes_ccm_ctrl,
2163 };
2164 #endif
2165
2166 static const EVP_CIPHER aes_128_ccm = {
2167 .nid = NID_aes_128_ccm,
2168 .block_size = 1,
2169 .key_len = 16,
2170 .iv_len = 12,
2171 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2172 .init = aes_ccm_init_key,
2173 .do_cipher = aes_ccm_cipher,
2174 .cleanup = NULL,
2175 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2176 .ctrl = aes_ccm_ctrl,
2177 };
2178
2179 const EVP_CIPHER *
EVP_aes_128_ccm(void)2180 EVP_aes_128_ccm(void)
2181 {
2182 #ifdef AESNI_CAPABLE
2183 return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm;
2184 #else
2185 return &aes_128_ccm;
2186 #endif
2187 }
2188 LCRYPTO_ALIAS(EVP_aes_128_ccm);
2189
2190 #ifdef AESNI_CAPABLE
2191 static const EVP_CIPHER aesni_192_ccm = {
2192 .nid = NID_aes_192_ccm,
2193 .block_size = 1,
2194 .key_len = 24,
2195 .iv_len = 12,
2196 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2197 .init = aesni_ccm_init_key,
2198 .do_cipher = aes_ccm_cipher,
2199 .cleanup = NULL,
2200 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2201 .ctrl = aes_ccm_ctrl,
2202 };
2203 #endif
2204
2205 static const EVP_CIPHER aes_192_ccm = {
2206 .nid = NID_aes_192_ccm,
2207 .block_size = 1,
2208 .key_len = 24,
2209 .iv_len = 12,
2210 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2211 .init = aes_ccm_init_key,
2212 .do_cipher = aes_ccm_cipher,
2213 .cleanup = NULL,
2214 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2215 .ctrl = aes_ccm_ctrl,
2216 };
2217
2218 const EVP_CIPHER *
EVP_aes_192_ccm(void)2219 EVP_aes_192_ccm(void)
2220 {
2221 #ifdef AESNI_CAPABLE
2222 return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm;
2223 #else
2224 return &aes_192_ccm;
2225 #endif
2226 }
2227 LCRYPTO_ALIAS(EVP_aes_192_ccm);
2228
2229 #ifdef AESNI_CAPABLE
2230 static const EVP_CIPHER aesni_256_ccm = {
2231 .nid = NID_aes_256_ccm,
2232 .block_size = 1,
2233 .key_len = 32,
2234 .iv_len = 12,
2235 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2236 .init = aesni_ccm_init_key,
2237 .do_cipher = aes_ccm_cipher,
2238 .cleanup = NULL,
2239 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2240 .ctrl = aes_ccm_ctrl,
2241 };
2242 #endif
2243
2244 static const EVP_CIPHER aes_256_ccm = {
2245 .nid = NID_aes_256_ccm,
2246 .block_size = 1,
2247 .key_len = 32,
2248 .iv_len = 12,
2249 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2250 .init = aes_ccm_init_key,
2251 .do_cipher = aes_ccm_cipher,
2252 .cleanup = NULL,
2253 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2254 .ctrl = aes_ccm_ctrl,
2255 };
2256
2257 const EVP_CIPHER *
EVP_aes_256_ccm(void)2258 EVP_aes_256_ccm(void)
2259 {
2260 #ifdef AESNI_CAPABLE
2261 return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm;
2262 #else
2263 return &aes_256_ccm;
2264 #endif
2265 }
2266 LCRYPTO_ALIAS(EVP_aes_256_ccm);
2267
2268 #define EVP_AEAD_AES_GCM_TAG_LEN 16
2269
2270 struct aead_aes_gcm_ctx {
2271 union {
2272 double align;
2273 AES_KEY ks;
2274 } ks;
2275 GCM128_CONTEXT gcm;
2276 ctr128_f ctr;
2277 unsigned char tag_len;
2278 };
2279
2280 static int
aead_aes_gcm_init(EVP_AEAD_CTX * ctx,const unsigned char * key,size_t key_len,size_t tag_len)2281 aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len,
2282 size_t tag_len)
2283 {
2284 struct aead_aes_gcm_ctx *gcm_ctx;
2285 const size_t key_bits = key_len * 8;
2286
2287 /* EVP_AEAD_CTX_init should catch this. */
2288 if (key_bits != 128 && key_bits != 256) {
2289 EVPerror(EVP_R_BAD_KEY_LENGTH);
2290 return 0;
2291 }
2292
2293 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH)
2294 tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
2295
2296 if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) {
2297 EVPerror(EVP_R_TAG_TOO_LARGE);
2298 return 0;
2299 }
2300
2301 if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL)
2302 return 0;
2303
2304 #ifdef AESNI_CAPABLE
2305 if (AESNI_CAPABLE) {
2306 aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
2307 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
2308 (block128_f)aesni_encrypt);
2309 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
2310 } else
2311 #endif
2312 {
2313 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
2314 key, key_len);
2315 }
2316 gcm_ctx->tag_len = tag_len;
2317 ctx->aead_state = gcm_ctx;
2318
2319 return 1;
2320 }
2321
2322 static void
aead_aes_gcm_cleanup(EVP_AEAD_CTX * ctx)2323 aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx)
2324 {
2325 struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2326
2327 freezero(gcm_ctx, sizeof(*gcm_ctx));
2328 }
2329
2330 static int
aead_aes_gcm_seal(const EVP_AEAD_CTX * ctx,unsigned char * out,size_t * out_len,size_t max_out_len,const unsigned char * nonce,size_t nonce_len,const unsigned char * in,size_t in_len,const unsigned char * ad,size_t ad_len)2331 aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
2332 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
2333 const unsigned char *in, size_t in_len, const unsigned char *ad,
2334 size_t ad_len)
2335 {
2336 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2337 GCM128_CONTEXT gcm;
2338 size_t bulk = 0;
2339
2340 if (max_out_len < in_len + gcm_ctx->tag_len) {
2341 EVPerror(EVP_R_BUFFER_TOO_SMALL);
2342 return 0;
2343 }
2344
2345 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
2346
2347 if (nonce_len == 0) {
2348 EVPerror(EVP_R_INVALID_IV_LENGTH);
2349 return 0;
2350 }
2351 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
2352
2353 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
2354 return 0;
2355
2356 if (gcm_ctx->ctr) {
2357 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
2358 in_len - bulk, gcm_ctx->ctr))
2359 return 0;
2360 } else {
2361 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
2362 in_len - bulk))
2363 return 0;
2364 }
2365
2366 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
2367 *out_len = in_len + gcm_ctx->tag_len;
2368
2369 return 1;
2370 }
2371
2372 static int
aead_aes_gcm_open(const EVP_AEAD_CTX * ctx,unsigned char * out,size_t * out_len,size_t max_out_len,const unsigned char * nonce,size_t nonce_len,const unsigned char * in,size_t in_len,const unsigned char * ad,size_t ad_len)2373 aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
2374 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
2375 const unsigned char *in, size_t in_len, const unsigned char *ad,
2376 size_t ad_len)
2377 {
2378 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2379 unsigned char tag[EVP_AEAD_AES_GCM_TAG_LEN];
2380 GCM128_CONTEXT gcm;
2381 size_t plaintext_len;
2382 size_t bulk = 0;
2383
2384 if (in_len < gcm_ctx->tag_len) {
2385 EVPerror(EVP_R_BAD_DECRYPT);
2386 return 0;
2387 }
2388
2389 plaintext_len = in_len - gcm_ctx->tag_len;
2390
2391 if (max_out_len < plaintext_len) {
2392 EVPerror(EVP_R_BUFFER_TOO_SMALL);
2393 return 0;
2394 }
2395
2396 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
2397
2398 if (nonce_len == 0) {
2399 EVPerror(EVP_R_INVALID_IV_LENGTH);
2400 return 0;
2401 }
2402 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
2403
2404 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
2405 return 0;
2406
2407 if (gcm_ctx->ctr) {
2408 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
2409 in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
2410 return 0;
2411 } else {
2412 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
2413 in_len - bulk - gcm_ctx->tag_len))
2414 return 0;
2415 }
2416
2417 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
2418 if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {
2419 EVPerror(EVP_R_BAD_DECRYPT);
2420 return 0;
2421 }
2422
2423 *out_len = plaintext_len;
2424
2425 return 1;
2426 }
2427
2428 static const EVP_AEAD aead_aes_128_gcm = {
2429 .key_len = 16,
2430 .nonce_len = 12,
2431 .overhead = EVP_AEAD_AES_GCM_TAG_LEN,
2432 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN,
2433
2434 .init = aead_aes_gcm_init,
2435 .cleanup = aead_aes_gcm_cleanup,
2436 .seal = aead_aes_gcm_seal,
2437 .open = aead_aes_gcm_open,
2438 };
2439
2440 static const EVP_AEAD aead_aes_256_gcm = {
2441 .key_len = 32,
2442 .nonce_len = 12,
2443 .overhead = EVP_AEAD_AES_GCM_TAG_LEN,
2444 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN,
2445
2446 .init = aead_aes_gcm_init,
2447 .cleanup = aead_aes_gcm_cleanup,
2448 .seal = aead_aes_gcm_seal,
2449 .open = aead_aes_gcm_open,
2450 };
2451
2452 const EVP_AEAD *
EVP_aead_aes_128_gcm(void)2453 EVP_aead_aes_128_gcm(void)
2454 {
2455 return &aead_aes_128_gcm;
2456 }
2457 LCRYPTO_ALIAS(EVP_aead_aes_128_gcm);
2458
2459 const EVP_AEAD *
EVP_aead_aes_256_gcm(void)2460 EVP_aead_aes_256_gcm(void)
2461 {
2462 return &aead_aes_256_gcm;
2463 }
2464 LCRYPTO_ALIAS(EVP_aead_aes_256_gcm);
2465
2466 typedef struct {
2467 union {
2468 double align;
2469 AES_KEY ks;
2470 } ks;
2471 unsigned char *iv;
2472 } EVP_AES_WRAP_CTX;
2473
2474 static int
aes_wrap_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)2475 aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2476 const unsigned char *iv, int enc)
2477 {
2478 EVP_AES_WRAP_CTX *wctx = (EVP_AES_WRAP_CTX *)ctx->cipher_data;
2479
2480 if (iv == NULL && key == NULL)
2481 return 1;
2482
2483 if (key != NULL) {
2484 if (ctx->encrypt)
2485 AES_set_encrypt_key(key, 8 * ctx->key_len,
2486 &wctx->ks.ks);
2487 else
2488 AES_set_decrypt_key(key, 8 * ctx->key_len,
2489 &wctx->ks.ks);
2490
2491 if (iv == NULL)
2492 wctx->iv = NULL;
2493 }
2494
2495 if (iv != NULL) {
2496 int iv_len = EVP_CIPHER_CTX_iv_length(ctx);
2497
2498 if (iv_len < 0 || iv_len > sizeof(ctx->iv))
2499 return 0;
2500 memcpy(ctx->iv, iv, iv_len);
2501 wctx->iv = ctx->iv;
2502 }
2503
2504 return 1;
2505 }
2506
2507 static int
aes_wrap_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t inlen)2508 aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2509 const unsigned char *in, size_t inlen)
2510 {
2511 EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
2512 int ret;
2513
2514 if (in == NULL)
2515 return 0;
2516
2517 if (inlen % 8 != 0)
2518 return -1;
2519 if (ctx->encrypt && inlen < 8)
2520 return -1;
2521 if (!ctx->encrypt && inlen < 16)
2522 return -1;
2523 if (inlen > INT_MAX)
2524 return -1;
2525
2526 if (out == NULL) {
2527 if (ctx->encrypt)
2528 return inlen + 8;
2529 else
2530 return inlen - 8;
2531 }
2532
2533 if (ctx->encrypt)
2534 ret = AES_wrap_key(&wctx->ks.ks, wctx->iv, out, in,
2535 (unsigned int)inlen);
2536 else
2537 ret = AES_unwrap_key(&wctx->ks.ks, wctx->iv, out, in,
2538 (unsigned int)inlen);
2539
2540 return ret != 0 ? ret : -1;
2541 }
2542
2543 static int
aes_wrap_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)2544 aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
2545 {
2546 EVP_AES_WRAP_CTX *wctx = c->cipher_data;
2547
2548 switch (type) {
2549 case EVP_CTRL_COPY:
2550 {
2551 EVP_CIPHER_CTX *out = ptr;
2552 EVP_AES_WRAP_CTX *wctx_out = out->cipher_data;
2553
2554 if (wctx->iv != NULL) {
2555 if (c->iv != wctx->iv)
2556 return 0;
2557
2558 wctx_out->iv = out->iv;
2559 }
2560
2561 return 1;
2562 }
2563 }
2564
2565 return -1;
2566 }
2567
2568 #define WRAP_FLAGS \
2569 ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \
2570 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \
2571 EVP_CIPH_CUSTOM_COPY )
2572
2573 static const EVP_CIPHER aes_128_wrap = {
2574 .nid = NID_id_aes128_wrap,
2575 .block_size = 8,
2576 .key_len = 16,
2577 .iv_len = 8,
2578 .flags = WRAP_FLAGS,
2579 .init = aes_wrap_init_key,
2580 .do_cipher = aes_wrap_cipher,
2581 .cleanup = NULL,
2582 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2583 .set_asn1_parameters = NULL,
2584 .get_asn1_parameters = NULL,
2585 .ctrl = aes_wrap_ctrl,
2586 };
2587
2588 const EVP_CIPHER *
EVP_aes_128_wrap(void)2589 EVP_aes_128_wrap(void)
2590 {
2591 return &aes_128_wrap;
2592 }
2593 LCRYPTO_ALIAS(EVP_aes_128_wrap);
2594
2595 static const EVP_CIPHER aes_192_wrap = {
2596 .nid = NID_id_aes192_wrap,
2597 .block_size = 8,
2598 .key_len = 24,
2599 .iv_len = 8,
2600 .flags = WRAP_FLAGS,
2601 .init = aes_wrap_init_key,
2602 .do_cipher = aes_wrap_cipher,
2603 .cleanup = NULL,
2604 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2605 .set_asn1_parameters = NULL,
2606 .get_asn1_parameters = NULL,
2607 .ctrl = aes_wrap_ctrl,
2608 };
2609
2610 const EVP_CIPHER *
EVP_aes_192_wrap(void)2611 EVP_aes_192_wrap(void)
2612 {
2613 return &aes_192_wrap;
2614 }
2615 LCRYPTO_ALIAS(EVP_aes_192_wrap);
2616
2617 static const EVP_CIPHER aes_256_wrap = {
2618 .nid = NID_id_aes256_wrap,
2619 .block_size = 8,
2620 .key_len = 32,
2621 .iv_len = 8,
2622 .flags = WRAP_FLAGS,
2623 .init = aes_wrap_init_key,
2624 .do_cipher = aes_wrap_cipher,
2625 .cleanup = NULL,
2626 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2627 .set_asn1_parameters = NULL,
2628 .get_asn1_parameters = NULL,
2629 .ctrl = aes_wrap_ctrl,
2630 };
2631
2632 const EVP_CIPHER *
EVP_aes_256_wrap(void)2633 EVP_aes_256_wrap(void)
2634 {
2635 return &aes_256_wrap;
2636 }
2637 LCRYPTO_ALIAS(EVP_aes_256_wrap);
2638
2639 #endif
2640