1 /* $OpenBSD: e_aes.c,v 1.49 2022/09/13 04:59:18 jsing Exp $ */
2 /* ====================================================================
3 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52 #include <limits.h>
53 #include <stdlib.h>
54 #include <string.h>
55
56 #include <openssl/opensslconf.h>
57
58 #ifndef OPENSSL_NO_AES
59 #include <openssl/aes.h>
60 #include <openssl/err.h>
61 #include <openssl/evp.h>
62
63 #include "evp_locl.h"
64 #include "modes_lcl.h"
65
66 typedef struct {
67 AES_KEY ks;
68 block128_f block;
69 union {
70 cbc128_f cbc;
71 ctr128_f ctr;
72 } stream;
73 } EVP_AES_KEY;
74
75 typedef struct {
76 AES_KEY ks; /* AES key schedule to use */
77 int key_set; /* Set if key initialised */
78 int iv_set; /* Set if an iv is set */
79 GCM128_CONTEXT gcm;
80 unsigned char *iv; /* Temporary IV store */
81 int ivlen; /* IV length */
82 int taglen;
83 int iv_gen; /* It is OK to generate IVs */
84 int tls_aad_len; /* TLS AAD length */
85 ctr128_f ctr;
86 } EVP_AES_GCM_CTX;
87
88 typedef struct {
89 AES_KEY ks1, ks2; /* AES key schedules to use */
90 XTS128_CONTEXT xts;
91 void (*stream)(const unsigned char *in, unsigned char *out,
92 size_t length, const AES_KEY *key1, const AES_KEY *key2,
93 const unsigned char iv[16]);
94 } EVP_AES_XTS_CTX;
95
96 typedef struct {
97 AES_KEY ks; /* AES key schedule to use */
98 int key_set; /* Set if key initialised */
99 int iv_set; /* Set if an iv is set */
100 int tag_set; /* Set if tag is valid */
101 int len_set; /* Set if message length set */
102 int L, M; /* L and M parameters from RFC3610 */
103 CCM128_CONTEXT ccm;
104 ccm128_f str;
105 } EVP_AES_CCM_CTX;
106
107 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
108
109 #ifdef VPAES_ASM
110 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
111 AES_KEY *key);
112 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
113 AES_KEY *key);
114
115 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
116 const AES_KEY *key);
117 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
118 const AES_KEY *key);
119
120 void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
121 size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
122 #endif
123 #ifdef BSAES_ASM
124 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
125 size_t length, const AES_KEY *key, unsigned char ivec[16], int enc);
126 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
127 size_t len, const AES_KEY *key, const unsigned char ivec[16]);
128 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
129 size_t len, const AES_KEY *key1, const AES_KEY *key2,
130 const unsigned char iv[16]);
131 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
132 size_t len, const AES_KEY *key1, const AES_KEY *key2,
133 const unsigned char iv[16]);
134 #endif
135 #ifdef AES_CTR_ASM
136 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
137 size_t blocks, const AES_KEY *key,
138 const unsigned char ivec[AES_BLOCK_SIZE]);
139 #endif
140 #ifdef AES_XTS_ASM
141 void AES_xts_encrypt(const char *inp, char *out, size_t len,
142 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
143 void AES_xts_decrypt(const char *inp, char *out, size_t len,
144 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
145 #endif
146
147 #if defined(AES_ASM) && ( \
148 ((defined(__i386) || defined(__i386__) || \
149 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
150 defined(__x86_64) || defined(__x86_64__) || \
151 defined(_M_AMD64) || defined(_M_X64) || \
152 defined(__INTEL__) )
153
154 #include "x86_arch.h"
155
156 #ifdef VPAES_ASM
157 #define VPAES_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_SSSE3)
158 #endif
159 #ifdef BSAES_ASM
160 #define BSAES_CAPABLE VPAES_CAPABLE
161 #endif
162 /*
163 * AES-NI section
164 */
165 #define AESNI_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI)
166
167 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
168 AES_KEY *key);
169 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
170 AES_KEY *key);
171
172 void aesni_encrypt(const unsigned char *in, unsigned char *out,
173 const AES_KEY *key);
174 void aesni_decrypt(const unsigned char *in, unsigned char *out,
175 const AES_KEY *key);
176
177 void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
178 size_t length, const AES_KEY *key, int enc);
179 void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
180 size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
181
182 void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
183 size_t blocks, const void *key, const unsigned char *ivec);
184
185 void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
186 size_t length, const AES_KEY *key1, const AES_KEY *key2,
187 const unsigned char iv[16]);
188
189 void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
190 size_t length, const AES_KEY *key1, const AES_KEY *key2,
191 const unsigned char iv[16]);
192
193 void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out,
194 size_t blocks, const void *key, const unsigned char ivec[16],
195 unsigned char cmac[16]);
196
197 void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out,
198 size_t blocks, const void *key, const unsigned char ivec[16],
199 unsigned char cmac[16]);
200
201 static int
aesni_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)202 aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
203 const unsigned char *iv, int enc)
204 {
205 int ret, mode;
206 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
207
208 mode = ctx->cipher->flags & EVP_CIPH_MODE;
209 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
210 !enc) {
211 ret = aesni_set_decrypt_key(key, ctx->key_len * 8,
212 ctx->cipher_data);
213 dat->block = (block128_f)aesni_decrypt;
214 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
215 (cbc128_f)aesni_cbc_encrypt : NULL;
216 } else {
217 ret = aesni_set_encrypt_key(key, ctx->key_len * 8,
218 ctx->cipher_data);
219 dat->block = (block128_f)aesni_encrypt;
220 if (mode == EVP_CIPH_CBC_MODE)
221 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
222 else if (mode == EVP_CIPH_CTR_MODE)
223 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
224 else
225 dat->stream.cbc = NULL;
226 }
227
228 if (ret < 0) {
229 EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
230 return 0;
231 }
232
233 return 1;
234 }
235
236 static int
aesni_cbc_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)237 aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
238 const unsigned char *in, size_t len)
239 {
240 aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv,
241 ctx->encrypt);
242
243 return 1;
244 }
245
246 static int
aesni_ecb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)247 aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
248 const unsigned char *in, size_t len)
249 {
250 size_t bl = ctx->cipher->block_size;
251
252 if (len < bl)
253 return 1;
254
255 aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
256
257 return 1;
258 }
259
260 static int
aesni_gcm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)261 aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
262 const unsigned char *iv, int enc)
263 {
264 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
265
266 if (!iv && !key)
267 return 1;
268 if (key) {
269 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
270 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
271 (block128_f)aesni_encrypt);
272 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
273 /* If we have an iv can set it directly, otherwise use
274 * saved IV.
275 */
276 if (iv == NULL && gctx->iv_set)
277 iv = gctx->iv;
278 if (iv) {
279 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
280 gctx->iv_set = 1;
281 }
282 gctx->key_set = 1;
283 } else {
284 /* If key set use IV, otherwise copy */
285 if (gctx->key_set)
286 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
287 else
288 memcpy(gctx->iv, iv, gctx->ivlen);
289 gctx->iv_set = 1;
290 gctx->iv_gen = 0;
291 }
292 return 1;
293 }
294
295 static int
aesni_xts_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)296 aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
297 const unsigned char *iv, int enc)
298 {
299 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
300
301 if (!iv && !key)
302 return 1;
303
304 if (key) {
305 /* key_len is two AES keys */
306 if (enc) {
307 aesni_set_encrypt_key(key, ctx->key_len * 4,
308 &xctx->ks1);
309 xctx->xts.block1 = (block128_f)aesni_encrypt;
310 xctx->stream = aesni_xts_encrypt;
311 } else {
312 aesni_set_decrypt_key(key, ctx->key_len * 4,
313 &xctx->ks1);
314 xctx->xts.block1 = (block128_f)aesni_decrypt;
315 xctx->stream = aesni_xts_decrypt;
316 }
317
318 aesni_set_encrypt_key(key + ctx->key_len / 2,
319 ctx->key_len * 4, &xctx->ks2);
320 xctx->xts.block2 = (block128_f)aesni_encrypt;
321
322 xctx->xts.key1 = &xctx->ks1;
323 }
324
325 if (iv) {
326 xctx->xts.key2 = &xctx->ks2;
327 memcpy(ctx->iv, iv, 16);
328 }
329
330 return 1;
331 }
332
333 static int
aesni_ccm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)334 aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
335 const unsigned char *iv, int enc)
336 {
337 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
338
339 if (!iv && !key)
340 return 1;
341 if (key) {
342 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
343 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
344 &cctx->ks, (block128_f)aesni_encrypt);
345 cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks :
346 (ccm128_f)aesni_ccm64_decrypt_blocks;
347 cctx->key_set = 1;
348 }
349 if (iv) {
350 memcpy(ctx->iv, iv, 15 - cctx->L);
351 cctx->iv_set = 1;
352 }
353 return 1;
354 }
355
356 #endif
357
358 static int
aes_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)359 aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
360 const unsigned char *iv, int enc)
361 {
362 int ret, mode;
363 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
364
365 mode = ctx->cipher->flags & EVP_CIPH_MODE;
366 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
367 !enc)
368 #ifdef BSAES_CAPABLE
369 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
370 ret = AES_set_decrypt_key(key, ctx->key_len * 8,
371 &dat->ks);
372 dat->block = (block128_f)AES_decrypt;
373 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
374 } else
375 #endif
376 #ifdef VPAES_CAPABLE
377 if (VPAES_CAPABLE) {
378 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8,
379 &dat->ks);
380 dat->block = (block128_f)vpaes_decrypt;
381 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
382 (cbc128_f)vpaes_cbc_encrypt : NULL;
383 } else
384 #endif
385 {
386 ret = AES_set_decrypt_key(key, ctx->key_len * 8,
387 &dat->ks);
388 dat->block = (block128_f)AES_decrypt;
389 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
390 (cbc128_f)AES_cbc_encrypt : NULL;
391 } else
392 #ifdef BSAES_CAPABLE
393 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
394 ret = AES_set_encrypt_key(key, ctx->key_len * 8,
395 &dat->ks);
396 dat->block = (block128_f)AES_encrypt;
397 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
398 } else
399 #endif
400 #ifdef VPAES_CAPABLE
401 if (VPAES_CAPABLE) {
402 ret = vpaes_set_encrypt_key(key, ctx->key_len * 8,
403 &dat->ks);
404 dat->block = (block128_f)vpaes_encrypt;
405 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
406 (cbc128_f)vpaes_cbc_encrypt : NULL;
407 } else
408 #endif
409 {
410 ret = AES_set_encrypt_key(key, ctx->key_len * 8,
411 &dat->ks);
412 dat->block = (block128_f)AES_encrypt;
413 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
414 (cbc128_f)AES_cbc_encrypt : NULL;
415 #ifdef AES_CTR_ASM
416 if (mode == EVP_CIPH_CTR_MODE)
417 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
418 #endif
419 }
420
421 if (ret < 0) {
422 EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
423 return 0;
424 }
425
426 return 1;
427 }
428
429 static int
aes_cbc_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)430 aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
431 const unsigned char *in, size_t len)
432 {
433 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
434
435 if (dat->stream.cbc)
436 (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv,
437 ctx->encrypt);
438 else if (ctx->encrypt)
439 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv,
440 dat->block);
441 else
442 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv,
443 dat->block);
444
445 return 1;
446 }
447
448 static int
aes_ecb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)449 aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
450 const unsigned char *in, size_t len)
451 {
452 size_t bl = ctx->cipher->block_size;
453 size_t i;
454 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
455
456 if (len < bl)
457 return 1;
458
459 for (i = 0, len -= bl; i <= len; i += bl)
460 (*dat->block)(in + i, out + i, &dat->ks);
461
462 return 1;
463 }
464
465 static int
aes_ofb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)466 aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
467 const unsigned char *in, size_t len)
468 {
469 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
470
471 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
472 dat->block);
473 return 1;
474 }
475
476 static int
aes_cfb_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)477 aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
478 const unsigned char *in, size_t len)
479 {
480 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
481
482 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
483 ctx->encrypt, dat->block);
484 return 1;
485 }
486
487 static int
aes_cfb8_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)488 aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
489 const unsigned char *in, size_t len)
490 {
491 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
492
493 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
494 ctx->encrypt, dat->block);
495 return 1;
496 }
497
498 static int
aes_cfb1_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)499 aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
500 const unsigned char *in, size_t len)
501 {
502 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
503
504 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
505 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv,
506 &ctx->num, ctx->encrypt, dat->block);
507 return 1;
508 }
509
510 while (len >= MAXBITCHUNK) {
511 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks,
512 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
513 len -= MAXBITCHUNK;
514 in += MAXBITCHUNK;
515 out += MAXBITCHUNK;
516 }
517 if (len)
518 CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks,
519 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
520
521 return 1;
522 }
523
524 static int
aes_ctr_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)525 aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
526 const unsigned char *in, size_t len)
527 {
528 unsigned int num = ctx->num;
529 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
530
531 if (dat->stream.ctr)
532 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
533 ctx->iv, ctx->buf, &num, dat->stream.ctr);
534 else
535 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
536 ctx->iv, ctx->buf, &num, dat->block);
537 ctx->num = (size_t)num;
538 return 1;
539 }
540
541
542 #ifdef AESNI_CAPABLE
543 static const EVP_CIPHER aesni_128_cbc = {
544 .nid = NID_aes_128_cbc,
545 .block_size = 16,
546 .key_len = 16,
547 .iv_len = 16,
548 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
549 .init = aesni_init_key,
550 .do_cipher = aesni_cbc_cipher,
551 .ctx_size = sizeof(EVP_AES_KEY),
552 };
553 #endif
554
555 static const EVP_CIPHER aes_128_cbc = {
556 .nid = NID_aes_128_cbc,
557 .block_size = 16,
558 .key_len = 16,
559 .iv_len = 16,
560 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
561 .init = aes_init_key,
562 .do_cipher = aes_cbc_cipher,
563 .ctx_size = sizeof(EVP_AES_KEY),
564 };
565
566 const EVP_CIPHER *
EVP_aes_128_cbc(void)567 EVP_aes_128_cbc(void)
568 {
569 #ifdef AESNI_CAPABLE
570 return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc;
571 #else
572 return &aes_128_cbc;
573 #endif
574 }
575
576 #ifdef AESNI_CAPABLE
577 static const EVP_CIPHER aesni_128_ecb = {
578 .nid = NID_aes_128_ecb,
579 .block_size = 16,
580 .key_len = 16,
581 .iv_len = 0,
582 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
583 .init = aesni_init_key,
584 .do_cipher = aesni_ecb_cipher,
585 .ctx_size = sizeof(EVP_AES_KEY),
586 };
587 #endif
588
589 static const EVP_CIPHER aes_128_ecb = {
590 .nid = NID_aes_128_ecb,
591 .block_size = 16,
592 .key_len = 16,
593 .iv_len = 0,
594 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
595 .init = aes_init_key,
596 .do_cipher = aes_ecb_cipher,
597 .ctx_size = sizeof(EVP_AES_KEY),
598 };
599
600 const EVP_CIPHER *
EVP_aes_128_ecb(void)601 EVP_aes_128_ecb(void)
602 {
603 #ifdef AESNI_CAPABLE
604 return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb;
605 #else
606 return &aes_128_ecb;
607 #endif
608 }
609
610 #ifdef AESNI_CAPABLE
611 static const EVP_CIPHER aesni_128_ofb = {
612 .nid = NID_aes_128_ofb128,
613 .block_size = 1,
614 .key_len = 16,
615 .iv_len = 16,
616 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
617 .init = aesni_init_key,
618 .do_cipher = aes_ofb_cipher,
619 .ctx_size = sizeof(EVP_AES_KEY),
620 };
621 #endif
622
623 static const EVP_CIPHER aes_128_ofb = {
624 .nid = NID_aes_128_ofb128,
625 .block_size = 1,
626 .key_len = 16,
627 .iv_len = 16,
628 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
629 .init = aes_init_key,
630 .do_cipher = aes_ofb_cipher,
631 .ctx_size = sizeof(EVP_AES_KEY),
632 };
633
634 const EVP_CIPHER *
EVP_aes_128_ofb(void)635 EVP_aes_128_ofb(void)
636 {
637 #ifdef AESNI_CAPABLE
638 return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb;
639 #else
640 return &aes_128_ofb;
641 #endif
642 }
643
644 #ifdef AESNI_CAPABLE
645 static const EVP_CIPHER aesni_128_cfb = {
646 .nid = NID_aes_128_cfb128,
647 .block_size = 1,
648 .key_len = 16,
649 .iv_len = 16,
650 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
651 .init = aesni_init_key,
652 .do_cipher = aes_cfb_cipher,
653 .ctx_size = sizeof(EVP_AES_KEY),
654 };
655 #endif
656
657 static const EVP_CIPHER aes_128_cfb = {
658 .nid = NID_aes_128_cfb128,
659 .block_size = 1,
660 .key_len = 16,
661 .iv_len = 16,
662 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
663 .init = aes_init_key,
664 .do_cipher = aes_cfb_cipher,
665 .ctx_size = sizeof(EVP_AES_KEY),
666 };
667
668 const EVP_CIPHER *
EVP_aes_128_cfb(void)669 EVP_aes_128_cfb(void)
670 {
671 #ifdef AESNI_CAPABLE
672 return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb;
673 #else
674 return &aes_128_cfb;
675 #endif
676 }
677
678 #ifdef AESNI_CAPABLE
679 static const EVP_CIPHER aesni_128_cfb1 = {
680 .nid = NID_aes_128_cfb1,
681 .block_size = 1,
682 .key_len = 16,
683 .iv_len = 16,
684 .flags = EVP_CIPH_CFB_MODE,
685 .init = aesni_init_key,
686 .do_cipher = aes_cfb1_cipher,
687 .ctx_size = sizeof(EVP_AES_KEY),
688 };
689 #endif
690
691 static const EVP_CIPHER aes_128_cfb1 = {
692 .nid = NID_aes_128_cfb1,
693 .block_size = 1,
694 .key_len = 16,
695 .iv_len = 16,
696 .flags = EVP_CIPH_CFB_MODE,
697 .init = aes_init_key,
698 .do_cipher = aes_cfb1_cipher,
699 .ctx_size = sizeof(EVP_AES_KEY),
700 };
701
702 const EVP_CIPHER *
EVP_aes_128_cfb1(void)703 EVP_aes_128_cfb1(void)
704 {
705 #ifdef AESNI_CAPABLE
706 return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1;
707 #else
708 return &aes_128_cfb1;
709 #endif
710 }
711
712 #ifdef AESNI_CAPABLE
713 static const EVP_CIPHER aesni_128_cfb8 = {
714 .nid = NID_aes_128_cfb8,
715 .block_size = 1,
716 .key_len = 16,
717 .iv_len = 16,
718 .flags = EVP_CIPH_CFB_MODE,
719 .init = aesni_init_key,
720 .do_cipher = aes_cfb8_cipher,
721 .ctx_size = sizeof(EVP_AES_KEY),
722 };
723 #endif
724
725 static const EVP_CIPHER aes_128_cfb8 = {
726 .nid = NID_aes_128_cfb8,
727 .block_size = 1,
728 .key_len = 16,
729 .iv_len = 16,
730 .flags = EVP_CIPH_CFB_MODE,
731 .init = aes_init_key,
732 .do_cipher = aes_cfb8_cipher,
733 .ctx_size = sizeof(EVP_AES_KEY),
734 };
735
736 const EVP_CIPHER *
EVP_aes_128_cfb8(void)737 EVP_aes_128_cfb8(void)
738 {
739 #ifdef AESNI_CAPABLE
740 return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8;
741 #else
742 return &aes_128_cfb8;
743 #endif
744 }
745
746 #ifdef AESNI_CAPABLE
747 static const EVP_CIPHER aesni_128_ctr = {
748 .nid = NID_aes_128_ctr,
749 .block_size = 1,
750 .key_len = 16,
751 .iv_len = 16,
752 .flags = EVP_CIPH_CTR_MODE,
753 .init = aesni_init_key,
754 .do_cipher = aes_ctr_cipher,
755 .ctx_size = sizeof(EVP_AES_KEY),
756 };
757 #endif
758
759 static const EVP_CIPHER aes_128_ctr = {
760 .nid = NID_aes_128_ctr,
761 .block_size = 1,
762 .key_len = 16,
763 .iv_len = 16,
764 .flags = EVP_CIPH_CTR_MODE,
765 .init = aes_init_key,
766 .do_cipher = aes_ctr_cipher,
767 .ctx_size = sizeof(EVP_AES_KEY),
768 };
769
770 const EVP_CIPHER *
EVP_aes_128_ctr(void)771 EVP_aes_128_ctr(void)
772 {
773 #ifdef AESNI_CAPABLE
774 return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr;
775 #else
776 return &aes_128_ctr;
777 #endif
778 }
779
780
781 #ifdef AESNI_CAPABLE
782 static const EVP_CIPHER aesni_192_cbc = {
783 .nid = NID_aes_192_cbc,
784 .block_size = 16,
785 .key_len = 24,
786 .iv_len = 16,
787 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
788 .init = aesni_init_key,
789 .do_cipher = aesni_cbc_cipher,
790 .ctx_size = sizeof(EVP_AES_KEY),
791 };
792 #endif
793
794 static const EVP_CIPHER aes_192_cbc = {
795 .nid = NID_aes_192_cbc,
796 .block_size = 16,
797 .key_len = 24,
798 .iv_len = 16,
799 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
800 .init = aes_init_key,
801 .do_cipher = aes_cbc_cipher,
802 .ctx_size = sizeof(EVP_AES_KEY),
803 };
804
805 const EVP_CIPHER *
EVP_aes_192_cbc(void)806 EVP_aes_192_cbc(void)
807 {
808 #ifdef AESNI_CAPABLE
809 return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc;
810 #else
811 return &aes_192_cbc;
812 #endif
813 }
814
815 #ifdef AESNI_CAPABLE
816 static const EVP_CIPHER aesni_192_ecb = {
817 .nid = NID_aes_192_ecb,
818 .block_size = 16,
819 .key_len = 24,
820 .iv_len = 0,
821 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
822 .init = aesni_init_key,
823 .do_cipher = aesni_ecb_cipher,
824 .ctx_size = sizeof(EVP_AES_KEY),
825 };
826 #endif
827
828 static const EVP_CIPHER aes_192_ecb = {
829 .nid = NID_aes_192_ecb,
830 .block_size = 16,
831 .key_len = 24,
832 .iv_len = 0,
833 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
834 .init = aes_init_key,
835 .do_cipher = aes_ecb_cipher,
836 .ctx_size = sizeof(EVP_AES_KEY),
837 };
838
839 const EVP_CIPHER *
EVP_aes_192_ecb(void)840 EVP_aes_192_ecb(void)
841 {
842 #ifdef AESNI_CAPABLE
843 return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb;
844 #else
845 return &aes_192_ecb;
846 #endif
847 }
848
849 #ifdef AESNI_CAPABLE
850 static const EVP_CIPHER aesni_192_ofb = {
851 .nid = NID_aes_192_ofb128,
852 .block_size = 1,
853 .key_len = 24,
854 .iv_len = 16,
855 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
856 .init = aesni_init_key,
857 .do_cipher = aes_ofb_cipher,
858 .ctx_size = sizeof(EVP_AES_KEY),
859 };
860 #endif
861
862 static const EVP_CIPHER aes_192_ofb = {
863 .nid = NID_aes_192_ofb128,
864 .block_size = 1,
865 .key_len = 24,
866 .iv_len = 16,
867 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
868 .init = aes_init_key,
869 .do_cipher = aes_ofb_cipher,
870 .ctx_size = sizeof(EVP_AES_KEY),
871 };
872
873 const EVP_CIPHER *
EVP_aes_192_ofb(void)874 EVP_aes_192_ofb(void)
875 {
876 #ifdef AESNI_CAPABLE
877 return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb;
878 #else
879 return &aes_192_ofb;
880 #endif
881 }
882
883 #ifdef AESNI_CAPABLE
884 static const EVP_CIPHER aesni_192_cfb = {
885 .nid = NID_aes_192_cfb128,
886 .block_size = 1,
887 .key_len = 24,
888 .iv_len = 16,
889 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
890 .init = aesni_init_key,
891 .do_cipher = aes_cfb_cipher,
892 .ctx_size = sizeof(EVP_AES_KEY),
893 };
894 #endif
895
896 static const EVP_CIPHER aes_192_cfb = {
897 .nid = NID_aes_192_cfb128,
898 .block_size = 1,
899 .key_len = 24,
900 .iv_len = 16,
901 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
902 .init = aes_init_key,
903 .do_cipher = aes_cfb_cipher,
904 .ctx_size = sizeof(EVP_AES_KEY),
905 };
906
907 const EVP_CIPHER *
EVP_aes_192_cfb(void)908 EVP_aes_192_cfb(void)
909 {
910 #ifdef AESNI_CAPABLE
911 return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb;
912 #else
913 return &aes_192_cfb;
914 #endif
915 }
916
917 #ifdef AESNI_CAPABLE
918 static const EVP_CIPHER aesni_192_cfb1 = {
919 .nid = NID_aes_192_cfb1,
920 .block_size = 1,
921 .key_len = 24,
922 .iv_len = 16,
923 .flags = EVP_CIPH_CFB_MODE,
924 .init = aesni_init_key,
925 .do_cipher = aes_cfb1_cipher,
926 .ctx_size = sizeof(EVP_AES_KEY),
927 };
928 #endif
929
930 static const EVP_CIPHER aes_192_cfb1 = {
931 .nid = NID_aes_192_cfb1,
932 .block_size = 1,
933 .key_len = 24,
934 .iv_len = 16,
935 .flags = EVP_CIPH_CFB_MODE,
936 .init = aes_init_key,
937 .do_cipher = aes_cfb1_cipher,
938 .ctx_size = sizeof(EVP_AES_KEY),
939 };
940
941 const EVP_CIPHER *
EVP_aes_192_cfb1(void)942 EVP_aes_192_cfb1(void)
943 {
944 #ifdef AESNI_CAPABLE
945 return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1;
946 #else
947 return &aes_192_cfb1;
948 #endif
949 }
950
951 #ifdef AESNI_CAPABLE
952 static const EVP_CIPHER aesni_192_cfb8 = {
953 .nid = NID_aes_192_cfb8,
954 .block_size = 1,
955 .key_len = 24,
956 .iv_len = 16,
957 .flags = EVP_CIPH_CFB_MODE,
958 .init = aesni_init_key,
959 .do_cipher = aes_cfb8_cipher,
960 .ctx_size = sizeof(EVP_AES_KEY),
961 };
962 #endif
963
964 static const EVP_CIPHER aes_192_cfb8 = {
965 .nid = NID_aes_192_cfb8,
966 .block_size = 1,
967 .key_len = 24,
968 .iv_len = 16,
969 .flags = EVP_CIPH_CFB_MODE,
970 .init = aes_init_key,
971 .do_cipher = aes_cfb8_cipher,
972 .ctx_size = sizeof(EVP_AES_KEY),
973 };
974
975 const EVP_CIPHER *
EVP_aes_192_cfb8(void)976 EVP_aes_192_cfb8(void)
977 {
978 #ifdef AESNI_CAPABLE
979 return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8;
980 #else
981 return &aes_192_cfb8;
982 #endif
983 }
984
985 #ifdef AESNI_CAPABLE
986 static const EVP_CIPHER aesni_192_ctr = {
987 .nid = NID_aes_192_ctr,
988 .block_size = 1,
989 .key_len = 24,
990 .iv_len = 16,
991 .flags = EVP_CIPH_CTR_MODE,
992 .init = aesni_init_key,
993 .do_cipher = aes_ctr_cipher,
994 .ctx_size = sizeof(EVP_AES_KEY),
995 };
996 #endif
997
998 static const EVP_CIPHER aes_192_ctr = {
999 .nid = NID_aes_192_ctr,
1000 .block_size = 1,
1001 .key_len = 24,
1002 .iv_len = 16,
1003 .flags = EVP_CIPH_CTR_MODE,
1004 .init = aes_init_key,
1005 .do_cipher = aes_ctr_cipher,
1006 .ctx_size = sizeof(EVP_AES_KEY),
1007 };
1008
1009 const EVP_CIPHER *
EVP_aes_192_ctr(void)1010 EVP_aes_192_ctr(void)
1011 {
1012 #ifdef AESNI_CAPABLE
1013 return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr;
1014 #else
1015 return &aes_192_ctr;
1016 #endif
1017 }
1018
1019
1020 #ifdef AESNI_CAPABLE
1021 static const EVP_CIPHER aesni_256_cbc = {
1022 .nid = NID_aes_256_cbc,
1023 .block_size = 16,
1024 .key_len = 32,
1025 .iv_len = 16,
1026 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
1027 .init = aesni_init_key,
1028 .do_cipher = aesni_cbc_cipher,
1029 .ctx_size = sizeof(EVP_AES_KEY),
1030 };
1031 #endif
1032
1033 static const EVP_CIPHER aes_256_cbc = {
1034 .nid = NID_aes_256_cbc,
1035 .block_size = 16,
1036 .key_len = 32,
1037 .iv_len = 16,
1038 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
1039 .init = aes_init_key,
1040 .do_cipher = aes_cbc_cipher,
1041 .ctx_size = sizeof(EVP_AES_KEY),
1042 };
1043
1044 const EVP_CIPHER *
EVP_aes_256_cbc(void)1045 EVP_aes_256_cbc(void)
1046 {
1047 #ifdef AESNI_CAPABLE
1048 return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc;
1049 #else
1050 return &aes_256_cbc;
1051 #endif
1052 }
1053
1054 #ifdef AESNI_CAPABLE
1055 static const EVP_CIPHER aesni_256_ecb = {
1056 .nid = NID_aes_256_ecb,
1057 .block_size = 16,
1058 .key_len = 32,
1059 .iv_len = 0,
1060 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
1061 .init = aesni_init_key,
1062 .do_cipher = aesni_ecb_cipher,
1063 .ctx_size = sizeof(EVP_AES_KEY),
1064 };
1065 #endif
1066
1067 static const EVP_CIPHER aes_256_ecb = {
1068 .nid = NID_aes_256_ecb,
1069 .block_size = 16,
1070 .key_len = 32,
1071 .iv_len = 0,
1072 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
1073 .init = aes_init_key,
1074 .do_cipher = aes_ecb_cipher,
1075 .ctx_size = sizeof(EVP_AES_KEY),
1076 };
1077
1078 const EVP_CIPHER *
EVP_aes_256_ecb(void)1079 EVP_aes_256_ecb(void)
1080 {
1081 #ifdef AESNI_CAPABLE
1082 return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb;
1083 #else
1084 return &aes_256_ecb;
1085 #endif
1086 }
1087
1088 #ifdef AESNI_CAPABLE
1089 static const EVP_CIPHER aesni_256_ofb = {
1090 .nid = NID_aes_256_ofb128,
1091 .block_size = 1,
1092 .key_len = 32,
1093 .iv_len = 16,
1094 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
1095 .init = aesni_init_key,
1096 .do_cipher = aes_ofb_cipher,
1097 .ctx_size = sizeof(EVP_AES_KEY),
1098 };
1099 #endif
1100
1101 static const EVP_CIPHER aes_256_ofb = {
1102 .nid = NID_aes_256_ofb128,
1103 .block_size = 1,
1104 .key_len = 32,
1105 .iv_len = 16,
1106 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
1107 .init = aes_init_key,
1108 .do_cipher = aes_ofb_cipher,
1109 .ctx_size = sizeof(EVP_AES_KEY),
1110 };
1111
1112 const EVP_CIPHER *
EVP_aes_256_ofb(void)1113 EVP_aes_256_ofb(void)
1114 {
1115 #ifdef AESNI_CAPABLE
1116 return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb;
1117 #else
1118 return &aes_256_ofb;
1119 #endif
1120 }
1121
1122 #ifdef AESNI_CAPABLE
1123 static const EVP_CIPHER aesni_256_cfb = {
1124 .nid = NID_aes_256_cfb128,
1125 .block_size = 1,
1126 .key_len = 32,
1127 .iv_len = 16,
1128 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
1129 .init = aesni_init_key,
1130 .do_cipher = aes_cfb_cipher,
1131 .ctx_size = sizeof(EVP_AES_KEY),
1132 };
1133 #endif
1134
1135 static const EVP_CIPHER aes_256_cfb = {
1136 .nid = NID_aes_256_cfb128,
1137 .block_size = 1,
1138 .key_len = 32,
1139 .iv_len = 16,
1140 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
1141 .init = aes_init_key,
1142 .do_cipher = aes_cfb_cipher,
1143 .ctx_size = sizeof(EVP_AES_KEY),
1144 };
1145
1146 const EVP_CIPHER *
EVP_aes_256_cfb(void)1147 EVP_aes_256_cfb(void)
1148 {
1149 #ifdef AESNI_CAPABLE
1150 return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb;
1151 #else
1152 return &aes_256_cfb;
1153 #endif
1154 }
1155
1156 #ifdef AESNI_CAPABLE
1157 static const EVP_CIPHER aesni_256_cfb1 = {
1158 .nid = NID_aes_256_cfb1,
1159 .block_size = 1,
1160 .key_len = 32,
1161 .iv_len = 16,
1162 .flags = EVP_CIPH_CFB_MODE,
1163 .init = aesni_init_key,
1164 .do_cipher = aes_cfb1_cipher,
1165 .ctx_size = sizeof(EVP_AES_KEY),
1166 };
1167 #endif
1168
1169 static const EVP_CIPHER aes_256_cfb1 = {
1170 .nid = NID_aes_256_cfb1,
1171 .block_size = 1,
1172 .key_len = 32,
1173 .iv_len = 16,
1174 .flags = EVP_CIPH_CFB_MODE,
1175 .init = aes_init_key,
1176 .do_cipher = aes_cfb1_cipher,
1177 .ctx_size = sizeof(EVP_AES_KEY),
1178 };
1179
1180 const EVP_CIPHER *
EVP_aes_256_cfb1(void)1181 EVP_aes_256_cfb1(void)
1182 {
1183 #ifdef AESNI_CAPABLE
1184 return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1;
1185 #else
1186 return &aes_256_cfb1;
1187 #endif
1188 }
1189
1190 #ifdef AESNI_CAPABLE
1191 static const EVP_CIPHER aesni_256_cfb8 = {
1192 .nid = NID_aes_256_cfb8,
1193 .block_size = 1,
1194 .key_len = 32,
1195 .iv_len = 16,
1196 .flags = EVP_CIPH_CFB_MODE,
1197 .init = aesni_init_key,
1198 .do_cipher = aes_cfb8_cipher,
1199 .ctx_size = sizeof(EVP_AES_KEY),
1200 };
1201 #endif
1202
1203 static const EVP_CIPHER aes_256_cfb8 = {
1204 .nid = NID_aes_256_cfb8,
1205 .block_size = 1,
1206 .key_len = 32,
1207 .iv_len = 16,
1208 .flags = EVP_CIPH_CFB_MODE,
1209 .init = aes_init_key,
1210 .do_cipher = aes_cfb8_cipher,
1211 .ctx_size = sizeof(EVP_AES_KEY),
1212 };
1213
1214 const EVP_CIPHER *
EVP_aes_256_cfb8(void)1215 EVP_aes_256_cfb8(void)
1216 {
1217 #ifdef AESNI_CAPABLE
1218 return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8;
1219 #else
1220 return &aes_256_cfb8;
1221 #endif
1222 }
1223
1224 #ifdef AESNI_CAPABLE
1225 static const EVP_CIPHER aesni_256_ctr = {
1226 .nid = NID_aes_256_ctr,
1227 .block_size = 1,
1228 .key_len = 32,
1229 .iv_len = 16,
1230 .flags = EVP_CIPH_CTR_MODE,
1231 .init = aesni_init_key,
1232 .do_cipher = aes_ctr_cipher,
1233 .ctx_size = sizeof(EVP_AES_KEY),
1234 };
1235 #endif
1236
1237 static const EVP_CIPHER aes_256_ctr = {
1238 .nid = NID_aes_256_ctr,
1239 .block_size = 1,
1240 .key_len = 32,
1241 .iv_len = 16,
1242 .flags = EVP_CIPH_CTR_MODE,
1243 .init = aes_init_key,
1244 .do_cipher = aes_ctr_cipher,
1245 .ctx_size = sizeof(EVP_AES_KEY),
1246 };
1247
1248 const EVP_CIPHER *
EVP_aes_256_ctr(void)1249 EVP_aes_256_ctr(void)
1250 {
1251 #ifdef AESNI_CAPABLE
1252 return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr;
1253 #else
1254 return &aes_256_ctr;
1255 #endif
1256 }
1257
1258 static void
aes_gcm_cleanup(EVP_CIPHER_CTX * c)1259 aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1260 {
1261 EVP_AES_GCM_CTX *gctx = c->cipher_data;
1262
1263 if (gctx->iv != c->iv)
1264 free(gctx->iv);
1265
1266 explicit_bzero(gctx, sizeof(*gctx));
1267 }
1268
1269 /* increment counter (64-bit int) by 1 */
1270 static void
ctr64_inc(unsigned char * counter)1271 ctr64_inc(unsigned char *counter)
1272 {
1273 int n = 8;
1274 unsigned char c;
1275
1276 do {
1277 --n;
1278 c = counter[n];
1279 ++c;
1280 counter[n] = c;
1281 if (c)
1282 return;
1283 } while (n);
1284 }
1285
1286 static int
aes_gcm_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1287 aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1288 {
1289 EVP_AES_GCM_CTX *gctx = c->cipher_data;
1290
1291 switch (type) {
1292 case EVP_CTRL_INIT:
1293 gctx->key_set = 0;
1294 gctx->iv_set = 0;
1295 if (c->cipher->iv_len == 0) {
1296 EVPerror(EVP_R_INVALID_IV_LENGTH);
1297 return 0;
1298 }
1299 gctx->ivlen = c->cipher->iv_len;
1300 gctx->iv = c->iv;
1301 gctx->taglen = -1;
1302 gctx->iv_gen = 0;
1303 gctx->tls_aad_len = -1;
1304 return 1;
1305
1306 case EVP_CTRL_GCM_SET_IVLEN:
1307 if (arg <= 0)
1308 return 0;
1309 /* Allocate memory for IV if needed */
1310 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
1311 if (gctx->iv != c->iv)
1312 free(gctx->iv);
1313 gctx->iv = malloc(arg);
1314 if (!gctx->iv)
1315 return 0;
1316 }
1317 gctx->ivlen = arg;
1318 return 1;
1319
1320 case EVP_CTRL_GCM_SET_TAG:
1321 if (arg <= 0 || arg > 16 || c->encrypt)
1322 return 0;
1323 memcpy(c->buf, ptr, arg);
1324 gctx->taglen = arg;
1325 return 1;
1326
1327 case EVP_CTRL_GCM_GET_TAG:
1328 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1329 return 0;
1330 memcpy(ptr, c->buf, arg);
1331 return 1;
1332
1333 case EVP_CTRL_GCM_SET_IV_FIXED:
1334 /* Special case: -1 length restores whole IV */
1335 if (arg == -1) {
1336 memcpy(gctx->iv, ptr, gctx->ivlen);
1337 gctx->iv_gen = 1;
1338 return 1;
1339 }
1340 /* Fixed field must be at least 4 bytes and invocation field
1341 * at least 8.
1342 */
1343 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1344 return 0;
1345 if (arg)
1346 memcpy(gctx->iv, ptr, arg);
1347 if (c->encrypt)
1348 arc4random_buf(gctx->iv + arg, gctx->ivlen - arg);
1349 gctx->iv_gen = 1;
1350 return 1;
1351
1352 case EVP_CTRL_GCM_IV_GEN:
1353 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1354 return 0;
1355 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1356 if (arg <= 0 || arg > gctx->ivlen)
1357 arg = gctx->ivlen;
1358 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1359 /* Invocation field will be at least 8 bytes in size and
1360 * so no need to check wrap around or increment more than
1361 * last 8 bytes.
1362 */
1363 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1364 gctx->iv_set = 1;
1365 return 1;
1366
1367 case EVP_CTRL_GCM_SET_IV_INV:
1368 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1369 return 0;
1370 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1371 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1372 gctx->iv_set = 1;
1373 return 1;
1374
1375 case EVP_CTRL_AEAD_TLS1_AAD:
1376 /* Save the AAD for later use */
1377 if (arg != 13)
1378 return 0;
1379 memcpy(c->buf, ptr, arg);
1380 gctx->tls_aad_len = arg;
1381 {
1382 unsigned int len = c->buf[arg - 2] << 8 |
1383 c->buf[arg - 1];
1384
1385 /* Correct length for explicit IV */
1386 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
1387 return 0;
1388 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1389
1390 /* If decrypting correct for tag too */
1391 if (!c->encrypt) {
1392 if (len < EVP_GCM_TLS_TAG_LEN)
1393 return 0;
1394 len -= EVP_GCM_TLS_TAG_LEN;
1395 }
1396 c->buf[arg - 2] = len >> 8;
1397 c->buf[arg - 1] = len & 0xff;
1398 }
1399 /* Extra padding: tag appended to record */
1400 return EVP_GCM_TLS_TAG_LEN;
1401
1402 case EVP_CTRL_COPY:
1403 {
1404 EVP_CIPHER_CTX *out = ptr;
1405 EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
1406
1407 if (gctx->gcm.key) {
1408 if (gctx->gcm.key != &gctx->ks)
1409 return 0;
1410 gctx_out->gcm.key = &gctx_out->ks;
1411 }
1412
1413 if (gctx->iv == c->iv) {
1414 gctx_out->iv = out->iv;
1415 } else {
1416 if ((gctx_out->iv = calloc(1, gctx->ivlen)) == NULL)
1417 return 0;
1418 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
1419 }
1420 return 1;
1421 }
1422
1423 default:
1424 return -1;
1425
1426 }
1427 }
1428
1429 static ctr128_f
aes_gcm_set_key(AES_KEY * aes_key,GCM128_CONTEXT * gcm_ctx,const unsigned char * key,size_t key_len)1430 aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
1431 const unsigned char *key, size_t key_len)
1432 {
1433 #ifdef BSAES_CAPABLE
1434 if (BSAES_CAPABLE) {
1435 AES_set_encrypt_key(key, key_len * 8, aes_key);
1436 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
1437 return (ctr128_f)bsaes_ctr32_encrypt_blocks;
1438 } else
1439 #endif
1440 #ifdef VPAES_CAPABLE
1441 if (VPAES_CAPABLE) {
1442 vpaes_set_encrypt_key(key, key_len * 8, aes_key);
1443 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
1444 return NULL;
1445 } else
1446 #endif
1447 (void)0; /* terminate potentially open 'else' */
1448
1449 AES_set_encrypt_key(key, key_len * 8, aes_key);
1450 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
1451 #ifdef AES_CTR_ASM
1452 return (ctr128_f)AES_ctr32_encrypt;
1453 #else
1454 return NULL;
1455 #endif
1456 }
1457
1458 static int
aes_gcm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)1459 aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1460 const unsigned char *iv, int enc)
1461 {
1462 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1463
1464 if (!iv && !key)
1465 return 1;
1466 if (key) {
1467 gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm,
1468 key, ctx->key_len);
1469
1470 /* If we have an iv can set it directly, otherwise use
1471 * saved IV.
1472 */
1473 if (iv == NULL && gctx->iv_set)
1474 iv = gctx->iv;
1475 if (iv) {
1476 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1477 gctx->iv_set = 1;
1478 }
1479 gctx->key_set = 1;
1480 } else {
1481 /* If key set use IV, otherwise copy */
1482 if (gctx->key_set)
1483 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1484 else
1485 memcpy(gctx->iv, iv, gctx->ivlen);
1486 gctx->iv_set = 1;
1487 gctx->iv_gen = 0;
1488 }
1489 return 1;
1490 }
1491
1492 /* Handle TLS GCM packet format. This consists of the last portion of the IV
1493 * followed by the payload and finally the tag. On encrypt generate IV,
1494 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1495 * and verify tag.
1496 */
1497
1498 static int
aes_gcm_tls_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1499 aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1500 const unsigned char *in, size_t len)
1501 {
1502 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1503 int rv = -1;
1504
1505 /* Encrypt/decrypt must be performed in place */
1506 if (out != in ||
1507 len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1508 return -1;
1509
1510 /* Set IV from start of buffer or generate IV and write to start
1511 * of buffer.
1512 */
1513 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1514 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1515 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1516 goto err;
1517
1518 /* Use saved AAD */
1519 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1520 goto err;
1521
1522 /* Fix buffer and length to point to payload */
1523 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1524 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1525 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1526 if (ctx->encrypt) {
1527 /* Encrypt payload */
1528 if (gctx->ctr) {
1529 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out,
1530 len, gctx->ctr))
1531 goto err;
1532 } else {
1533 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1534 goto err;
1535 }
1536 out += len;
1537
1538 /* Finally write tag */
1539 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1540 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1541 } else {
1542 /* Decrypt */
1543 if (gctx->ctr) {
1544 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out,
1545 len, gctx->ctr))
1546 goto err;
1547 } else {
1548 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1549 goto err;
1550 }
1551 /* Retrieve tag */
1552 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
1553
1554 /* If tag mismatch wipe buffer */
1555 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
1556 explicit_bzero(out, len);
1557 goto err;
1558 }
1559 rv = len;
1560 }
1561
1562 err:
1563 gctx->iv_set = 0;
1564 gctx->tls_aad_len = -1;
1565 return rv;
1566 }
1567
1568 static int
aes_gcm_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1569 aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1570 const unsigned char *in, size_t len)
1571 {
1572 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1573
1574 /* If not set up, return error */
1575 if (!gctx->key_set)
1576 return -1;
1577
1578 if (gctx->tls_aad_len >= 0)
1579 return aes_gcm_tls_cipher(ctx, out, in, len);
1580
1581 if (!gctx->iv_set)
1582 return -1;
1583
1584 if (in) {
1585 if (out == NULL) {
1586 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1587 return -1;
1588 } else if (ctx->encrypt) {
1589 if (gctx->ctr) {
1590 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1591 in, out, len, gctx->ctr))
1592 return -1;
1593 } else {
1594 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1595 in, out, len))
1596 return -1;
1597 }
1598 } else {
1599 if (gctx->ctr) {
1600 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1601 in, out, len, gctx->ctr))
1602 return -1;
1603 } else {
1604 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1605 in, out, len))
1606 return -1;
1607 }
1608 }
1609 return len;
1610 } else {
1611 if (!ctx->encrypt) {
1612 if (gctx->taglen < 0)
1613 return -1;
1614 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf,
1615 gctx->taglen) != 0)
1616 return -1;
1617 gctx->iv_set = 0;
1618 return 0;
1619 }
1620 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1621 gctx->taglen = 16;
1622
1623 /* Don't reuse the IV */
1624 gctx->iv_set = 0;
1625 return 0;
1626 }
1627
1628 }
1629
1630 #define CUSTOM_FLAGS \
1631 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
1632 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \
1633 EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
1634
1635
1636 #ifdef AESNI_CAPABLE
1637 static const EVP_CIPHER aesni_128_gcm = {
1638 .nid = NID_aes_128_gcm,
1639 .block_size = 1,
1640 .key_len = 16,
1641 .iv_len = 12,
1642 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1643 .init = aesni_gcm_init_key,
1644 .do_cipher = aes_gcm_cipher,
1645 .cleanup = aes_gcm_cleanup,
1646 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1647 .ctrl = aes_gcm_ctrl,
1648 };
1649 #endif
1650
1651 static const EVP_CIPHER aes_128_gcm = {
1652 .nid = NID_aes_128_gcm,
1653 .block_size = 1,
1654 .key_len = 16,
1655 .iv_len = 12,
1656 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1657 .init = aes_gcm_init_key,
1658 .do_cipher = aes_gcm_cipher,
1659 .cleanup = aes_gcm_cleanup,
1660 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1661 .ctrl = aes_gcm_ctrl,
1662 };
1663
1664 const EVP_CIPHER *
EVP_aes_128_gcm(void)1665 EVP_aes_128_gcm(void)
1666 {
1667 #ifdef AESNI_CAPABLE
1668 return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm;
1669 #else
1670 return &aes_128_gcm;
1671 #endif
1672 }
1673
1674 #ifdef AESNI_CAPABLE
1675 static const EVP_CIPHER aesni_192_gcm = {
1676 .nid = NID_aes_192_gcm,
1677 .block_size = 1,
1678 .key_len = 24,
1679 .iv_len = 12,
1680 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1681 .init = aesni_gcm_init_key,
1682 .do_cipher = aes_gcm_cipher,
1683 .cleanup = aes_gcm_cleanup,
1684 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1685 .ctrl = aes_gcm_ctrl,
1686 };
1687 #endif
1688
1689 static const EVP_CIPHER aes_192_gcm = {
1690 .nid = NID_aes_192_gcm,
1691 .block_size = 1,
1692 .key_len = 24,
1693 .iv_len = 12,
1694 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1695 .init = aes_gcm_init_key,
1696 .do_cipher = aes_gcm_cipher,
1697 .cleanup = aes_gcm_cleanup,
1698 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1699 .ctrl = aes_gcm_ctrl,
1700 };
1701
1702 const EVP_CIPHER *
EVP_aes_192_gcm(void)1703 EVP_aes_192_gcm(void)
1704 {
1705 #ifdef AESNI_CAPABLE
1706 return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm;
1707 #else
1708 return &aes_192_gcm;
1709 #endif
1710 }
1711
1712 #ifdef AESNI_CAPABLE
1713 static const EVP_CIPHER aesni_256_gcm = {
1714 .nid = NID_aes_256_gcm,
1715 .block_size = 1,
1716 .key_len = 32,
1717 .iv_len = 12,
1718 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1719 .init = aesni_gcm_init_key,
1720 .do_cipher = aes_gcm_cipher,
1721 .cleanup = aes_gcm_cleanup,
1722 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1723 .ctrl = aes_gcm_ctrl,
1724 };
1725 #endif
1726
1727 static const EVP_CIPHER aes_256_gcm = {
1728 .nid = NID_aes_256_gcm,
1729 .block_size = 1,
1730 .key_len = 32,
1731 .iv_len = 12,
1732 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1733 .init = aes_gcm_init_key,
1734 .do_cipher = aes_gcm_cipher,
1735 .cleanup = aes_gcm_cleanup,
1736 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1737 .ctrl = aes_gcm_ctrl,
1738 };
1739
1740 const EVP_CIPHER *
EVP_aes_256_gcm(void)1741 EVP_aes_256_gcm(void)
1742 {
1743 #ifdef AESNI_CAPABLE
1744 return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm;
1745 #else
1746 return &aes_256_gcm;
1747 #endif
1748 }
1749
1750 static int
aes_xts_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1751 aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1752 {
1753 EVP_AES_XTS_CTX *xctx = c->cipher_data;
1754
1755 switch (type) {
1756 case EVP_CTRL_INIT:
1757 /*
1758 * key1 and key2 are used as an indicator both key and IV
1759 * are set
1760 */
1761 xctx->xts.key1 = NULL;
1762 xctx->xts.key2 = NULL;
1763 return 1;
1764
1765 case EVP_CTRL_COPY:
1766 {
1767 EVP_CIPHER_CTX *out = ptr;
1768 EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
1769
1770 if (xctx->xts.key1) {
1771 if (xctx->xts.key1 != &xctx->ks1)
1772 return 0;
1773 xctx_out->xts.key1 = &xctx_out->ks1;
1774 }
1775 if (xctx->xts.key2) {
1776 if (xctx->xts.key2 != &xctx->ks2)
1777 return 0;
1778 xctx_out->xts.key2 = &xctx_out->ks2;
1779 }
1780 return 1;
1781 }
1782 }
1783 return -1;
1784 }
1785
1786 static int
aes_xts_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)1787 aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1788 const unsigned char *iv, int enc)
1789 {
1790 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1791
1792 if (!iv && !key)
1793 return 1;
1794
1795 if (key) do {
1796 #ifdef AES_XTS_ASM
1797 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1798 #else
1799 xctx->stream = NULL;
1800 #endif
1801 /* key_len is two AES keys */
1802 #ifdef BSAES_CAPABLE
1803 if (BSAES_CAPABLE)
1804 xctx->stream = enc ? bsaes_xts_encrypt :
1805 bsaes_xts_decrypt;
1806 else
1807 #endif
1808 #ifdef VPAES_CAPABLE
1809 if (VPAES_CAPABLE) {
1810 if (enc) {
1811 vpaes_set_encrypt_key(key, ctx->key_len * 4,
1812 &xctx->ks1);
1813 xctx->xts.block1 = (block128_f)vpaes_encrypt;
1814 } else {
1815 vpaes_set_decrypt_key(key, ctx->key_len * 4,
1816 &xctx->ks1);
1817 xctx->xts.block1 = (block128_f)vpaes_decrypt;
1818 }
1819
1820 vpaes_set_encrypt_key(key + ctx->key_len / 2,
1821 ctx->key_len * 4, &xctx->ks2);
1822 xctx->xts.block2 = (block128_f)vpaes_encrypt;
1823
1824 xctx->xts.key1 = &xctx->ks1;
1825 break;
1826 } else
1827 #endif
1828 (void)0; /* terminate potentially open 'else' */
1829
1830 if (enc) {
1831 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1832 xctx->xts.block1 = (block128_f)AES_encrypt;
1833 } else {
1834 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1835 xctx->xts.block1 = (block128_f)AES_decrypt;
1836 }
1837
1838 AES_set_encrypt_key(key + ctx->key_len / 2,
1839 ctx->key_len * 4, &xctx->ks2);
1840 xctx->xts.block2 = (block128_f)AES_encrypt;
1841
1842 xctx->xts.key1 = &xctx->ks1;
1843 } while (0);
1844
1845 if (iv) {
1846 xctx->xts.key2 = &xctx->ks2;
1847 memcpy(ctx->iv, iv, 16);
1848 }
1849
1850 return 1;
1851 }
1852
1853 static int
aes_xts_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)1854 aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1855 const unsigned char *in, size_t len)
1856 {
1857 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1858
1859 if (!xctx->xts.key1 || !xctx->xts.key2)
1860 return 0;
1861 if (!out || !in || len < AES_BLOCK_SIZE)
1862 return 0;
1863
1864 if (xctx->stream)
1865 (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2,
1866 ctx->iv);
1867 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1868 ctx->encrypt))
1869 return 0;
1870 return 1;
1871 }
1872
1873 #define XTS_FLAGS \
1874 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
1875 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
1876
1877
1878 #ifdef AESNI_CAPABLE
1879 static const EVP_CIPHER aesni_128_xts = {
1880 .nid = NID_aes_128_xts,
1881 .block_size = 1,
1882 .key_len = 2 * 16,
1883 .iv_len = 16,
1884 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1885 .init = aesni_xts_init_key,
1886 .do_cipher = aes_xts_cipher,
1887 .cleanup = NULL,
1888 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1889 .ctrl = aes_xts_ctrl,
1890 };
1891 #endif
1892
1893 static const EVP_CIPHER aes_128_xts = {
1894 .nid = NID_aes_128_xts,
1895 .block_size = 1,
1896 .key_len = 2 * 16,
1897 .iv_len = 16,
1898 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1899 .init = aes_xts_init_key,
1900 .do_cipher = aes_xts_cipher,
1901 .cleanup = NULL,
1902 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1903 .ctrl = aes_xts_ctrl,
1904 };
1905
1906 const EVP_CIPHER *
EVP_aes_128_xts(void)1907 EVP_aes_128_xts(void)
1908 {
1909 #ifdef AESNI_CAPABLE
1910 return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts;
1911 #else
1912 return &aes_128_xts;
1913 #endif
1914 }
1915
1916 #ifdef AESNI_CAPABLE
1917 static const EVP_CIPHER aesni_256_xts = {
1918 .nid = NID_aes_256_xts,
1919 .block_size = 1,
1920 .key_len = 2 * 32,
1921 .iv_len = 16,
1922 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1923 .init = aesni_xts_init_key,
1924 .do_cipher = aes_xts_cipher,
1925 .cleanup = NULL,
1926 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1927 .ctrl = aes_xts_ctrl,
1928 };
1929 #endif
1930
1931 static const EVP_CIPHER aes_256_xts = {
1932 .nid = NID_aes_256_xts,
1933 .block_size = 1,
1934 .key_len = 2 * 32,
1935 .iv_len = 16,
1936 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1937 .init = aes_xts_init_key,
1938 .do_cipher = aes_xts_cipher,
1939 .cleanup = NULL,
1940 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1941 .ctrl = aes_xts_ctrl,
1942 };
1943
1944 const EVP_CIPHER *
EVP_aes_256_xts(void)1945 EVP_aes_256_xts(void)
1946 {
1947 #ifdef AESNI_CAPABLE
1948 return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts;
1949 #else
1950 return &aes_256_xts;
1951 #endif
1952 }
1953
1954 static int
aes_ccm_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)1955 aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1956 {
1957 EVP_AES_CCM_CTX *cctx = c->cipher_data;
1958
1959 switch (type) {
1960 case EVP_CTRL_INIT:
1961 cctx->key_set = 0;
1962 cctx->iv_set = 0;
1963 cctx->L = 8;
1964 cctx->M = 12;
1965 cctx->tag_set = 0;
1966 cctx->len_set = 0;
1967 return 1;
1968
1969 case EVP_CTRL_CCM_SET_IVLEN:
1970 arg = 15 - arg;
1971
1972 case EVP_CTRL_CCM_SET_L:
1973 if (arg < 2 || arg > 8)
1974 return 0;
1975 cctx->L = arg;
1976 return 1;
1977
1978 case EVP_CTRL_CCM_SET_TAG:
1979 if ((arg & 1) || arg < 4 || arg > 16)
1980 return 0;
1981 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1982 return 0;
1983 if (ptr) {
1984 cctx->tag_set = 1;
1985 memcpy(c->buf, ptr, arg);
1986 }
1987 cctx->M = arg;
1988 return 1;
1989
1990 case EVP_CTRL_CCM_GET_TAG:
1991 if (!c->encrypt || !cctx->tag_set)
1992 return 0;
1993 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1994 return 0;
1995 cctx->tag_set = 0;
1996 cctx->iv_set = 0;
1997 cctx->len_set = 0;
1998 return 1;
1999
2000 case EVP_CTRL_COPY:
2001 {
2002 EVP_CIPHER_CTX *out = ptr;
2003 EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
2004
2005 if (cctx->ccm.key) {
2006 if (cctx->ccm.key != &cctx->ks)
2007 return 0;
2008 cctx_out->ccm.key = &cctx_out->ks;
2009 }
2010 return 1;
2011 }
2012
2013 default:
2014 return -1;
2015 }
2016 }
2017
2018 static int
aes_ccm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)2019 aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2020 const unsigned char *iv, int enc)
2021 {
2022 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
2023
2024 if (!iv && !key)
2025 return 1;
2026 if (key) do {
2027 #ifdef VPAES_CAPABLE
2028 if (VPAES_CAPABLE) {
2029 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
2030 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2031 &cctx->ks, (block128_f)vpaes_encrypt);
2032 cctx->str = NULL;
2033 cctx->key_set = 1;
2034 break;
2035 }
2036 #endif
2037 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
2038 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2039 &cctx->ks, (block128_f)AES_encrypt);
2040 cctx->str = NULL;
2041 cctx->key_set = 1;
2042 } while (0);
2043 if (iv) {
2044 memcpy(ctx->iv, iv, 15 - cctx->L);
2045 cctx->iv_set = 1;
2046 }
2047 return 1;
2048 }
2049
2050 static int
aes_ccm_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)2051 aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2052 const unsigned char *in, size_t len)
2053 {
2054 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
2055 CCM128_CONTEXT *ccm = &cctx->ccm;
2056
2057 /* If not set up, return error */
2058 if (!cctx->iv_set && !cctx->key_set)
2059 return -1;
2060 if (!ctx->encrypt && !cctx->tag_set)
2061 return -1;
2062
2063 if (!out) {
2064 if (!in) {
2065 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,
2066 len))
2067 return -1;
2068 cctx->len_set = 1;
2069 return len;
2070 }
2071 /* If have AAD need message length */
2072 if (!cctx->len_set && len)
2073 return -1;
2074 CRYPTO_ccm128_aad(ccm, in, len);
2075 return len;
2076 }
2077 /* EVP_*Final() doesn't return any data */
2078 if (!in)
2079 return 0;
2080 /* If not set length yet do it */
2081 if (!cctx->len_set) {
2082 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
2083 return -1;
2084 cctx->len_set = 1;
2085 }
2086 if (ctx->encrypt) {
2087 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
2088 cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len))
2089 return -1;
2090 cctx->tag_set = 1;
2091 return len;
2092 } else {
2093 int rv = -1;
2094 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
2095 cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
2096 unsigned char tag[16];
2097 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
2098 if (!memcmp(tag, ctx->buf, cctx->M))
2099 rv = len;
2100 }
2101 }
2102 if (rv == -1)
2103 explicit_bzero(out, len);
2104 cctx->iv_set = 0;
2105 cctx->tag_set = 0;
2106 cctx->len_set = 0;
2107 return rv;
2108 }
2109
2110 }
2111
2112 #ifdef AESNI_CAPABLE
2113 static const EVP_CIPHER aesni_128_ccm = {
2114 .nid = NID_aes_128_ccm,
2115 .block_size = 1,
2116 .key_len = 16,
2117 .iv_len = 12,
2118 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2119 .init = aesni_ccm_init_key,
2120 .do_cipher = aes_ccm_cipher,
2121 .cleanup = NULL,
2122 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2123 .ctrl = aes_ccm_ctrl,
2124 };
2125 #endif
2126
2127 static const EVP_CIPHER aes_128_ccm = {
2128 .nid = NID_aes_128_ccm,
2129 .block_size = 1,
2130 .key_len = 16,
2131 .iv_len = 12,
2132 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2133 .init = aes_ccm_init_key,
2134 .do_cipher = aes_ccm_cipher,
2135 .cleanup = NULL,
2136 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2137 .ctrl = aes_ccm_ctrl,
2138 };
2139
2140 const EVP_CIPHER *
EVP_aes_128_ccm(void)2141 EVP_aes_128_ccm(void)
2142 {
2143 #ifdef AESNI_CAPABLE
2144 return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm;
2145 #else
2146 return &aes_128_ccm;
2147 #endif
2148 }
2149
2150 #ifdef AESNI_CAPABLE
2151 static const EVP_CIPHER aesni_192_ccm = {
2152 .nid = NID_aes_192_ccm,
2153 .block_size = 1,
2154 .key_len = 24,
2155 .iv_len = 12,
2156 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2157 .init = aesni_ccm_init_key,
2158 .do_cipher = aes_ccm_cipher,
2159 .cleanup = NULL,
2160 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2161 .ctrl = aes_ccm_ctrl,
2162 };
2163 #endif
2164
2165 static const EVP_CIPHER aes_192_ccm = {
2166 .nid = NID_aes_192_ccm,
2167 .block_size = 1,
2168 .key_len = 24,
2169 .iv_len = 12,
2170 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2171 .init = aes_ccm_init_key,
2172 .do_cipher = aes_ccm_cipher,
2173 .cleanup = NULL,
2174 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2175 .ctrl = aes_ccm_ctrl,
2176 };
2177
2178 const EVP_CIPHER *
EVP_aes_192_ccm(void)2179 EVP_aes_192_ccm(void)
2180 {
2181 #ifdef AESNI_CAPABLE
2182 return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm;
2183 #else
2184 return &aes_192_ccm;
2185 #endif
2186 }
2187
2188 #ifdef AESNI_CAPABLE
2189 static const EVP_CIPHER aesni_256_ccm = {
2190 .nid = NID_aes_256_ccm,
2191 .block_size = 1,
2192 .key_len = 32,
2193 .iv_len = 12,
2194 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2195 .init = aesni_ccm_init_key,
2196 .do_cipher = aes_ccm_cipher,
2197 .cleanup = NULL,
2198 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2199 .ctrl = aes_ccm_ctrl,
2200 };
2201 #endif
2202
2203 static const EVP_CIPHER aes_256_ccm = {
2204 .nid = NID_aes_256_ccm,
2205 .block_size = 1,
2206 .key_len = 32,
2207 .iv_len = 12,
2208 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2209 .init = aes_ccm_init_key,
2210 .do_cipher = aes_ccm_cipher,
2211 .cleanup = NULL,
2212 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2213 .ctrl = aes_ccm_ctrl,
2214 };
2215
2216 const EVP_CIPHER *
EVP_aes_256_ccm(void)2217 EVP_aes_256_ccm(void)
2218 {
2219 #ifdef AESNI_CAPABLE
2220 return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm;
2221 #else
2222 return &aes_256_ccm;
2223 #endif
2224 }
2225
2226 #define EVP_AEAD_AES_GCM_TAG_LEN 16
2227
2228 struct aead_aes_gcm_ctx {
2229 union {
2230 double align;
2231 AES_KEY ks;
2232 } ks;
2233 GCM128_CONTEXT gcm;
2234 ctr128_f ctr;
2235 unsigned char tag_len;
2236 };
2237
2238 static int
aead_aes_gcm_init(EVP_AEAD_CTX * ctx,const unsigned char * key,size_t key_len,size_t tag_len)2239 aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len,
2240 size_t tag_len)
2241 {
2242 struct aead_aes_gcm_ctx *gcm_ctx;
2243 const size_t key_bits = key_len * 8;
2244
2245 /* EVP_AEAD_CTX_init should catch this. */
2246 if (key_bits != 128 && key_bits != 256) {
2247 EVPerror(EVP_R_BAD_KEY_LENGTH);
2248 return 0;
2249 }
2250
2251 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH)
2252 tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
2253
2254 if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) {
2255 EVPerror(EVP_R_TAG_TOO_LARGE);
2256 return 0;
2257 }
2258
2259 if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL)
2260 return 0;
2261
2262 #ifdef AESNI_CAPABLE
2263 if (AESNI_CAPABLE) {
2264 aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
2265 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
2266 (block128_f)aesni_encrypt);
2267 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
2268 } else
2269 #endif
2270 {
2271 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
2272 key, key_len);
2273 }
2274 gcm_ctx->tag_len = tag_len;
2275 ctx->aead_state = gcm_ctx;
2276
2277 return 1;
2278 }
2279
2280 static void
aead_aes_gcm_cleanup(EVP_AEAD_CTX * ctx)2281 aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx)
2282 {
2283 struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2284
2285 freezero(gcm_ctx, sizeof(*gcm_ctx));
2286 }
2287
2288 static int
aead_aes_gcm_seal(const EVP_AEAD_CTX * ctx,unsigned char * out,size_t * out_len,size_t max_out_len,const unsigned char * nonce,size_t nonce_len,const unsigned char * in,size_t in_len,const unsigned char * ad,size_t ad_len)2289 aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
2290 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
2291 const unsigned char *in, size_t in_len, const unsigned char *ad,
2292 size_t ad_len)
2293 {
2294 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2295 GCM128_CONTEXT gcm;
2296 size_t bulk = 0;
2297
2298 if (max_out_len < in_len + gcm_ctx->tag_len) {
2299 EVPerror(EVP_R_BUFFER_TOO_SMALL);
2300 return 0;
2301 }
2302
2303 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
2304
2305 if (nonce_len == 0) {
2306 EVPerror(EVP_R_INVALID_IV_LENGTH);
2307 return 0;
2308 }
2309 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
2310
2311 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
2312 return 0;
2313
2314 if (gcm_ctx->ctr) {
2315 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
2316 in_len - bulk, gcm_ctx->ctr))
2317 return 0;
2318 } else {
2319 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
2320 in_len - bulk))
2321 return 0;
2322 }
2323
2324 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
2325 *out_len = in_len + gcm_ctx->tag_len;
2326
2327 return 1;
2328 }
2329
2330 static int
aead_aes_gcm_open(const EVP_AEAD_CTX * ctx,unsigned char * out,size_t * out_len,size_t max_out_len,const unsigned char * nonce,size_t nonce_len,const unsigned char * in,size_t in_len,const unsigned char * ad,size_t ad_len)2331 aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
2332 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
2333 const unsigned char *in, size_t in_len, const unsigned char *ad,
2334 size_t ad_len)
2335 {
2336 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2337 unsigned char tag[EVP_AEAD_AES_GCM_TAG_LEN];
2338 GCM128_CONTEXT gcm;
2339 size_t plaintext_len;
2340 size_t bulk = 0;
2341
2342 if (in_len < gcm_ctx->tag_len) {
2343 EVPerror(EVP_R_BAD_DECRYPT);
2344 return 0;
2345 }
2346
2347 plaintext_len = in_len - gcm_ctx->tag_len;
2348
2349 if (max_out_len < plaintext_len) {
2350 EVPerror(EVP_R_BUFFER_TOO_SMALL);
2351 return 0;
2352 }
2353
2354 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
2355
2356 if (nonce_len == 0) {
2357 EVPerror(EVP_R_INVALID_IV_LENGTH);
2358 return 0;
2359 }
2360 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
2361
2362 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
2363 return 0;
2364
2365 if (gcm_ctx->ctr) {
2366 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
2367 in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
2368 return 0;
2369 } else {
2370 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
2371 in_len - bulk - gcm_ctx->tag_len))
2372 return 0;
2373 }
2374
2375 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
2376 if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {
2377 EVPerror(EVP_R_BAD_DECRYPT);
2378 return 0;
2379 }
2380
2381 *out_len = plaintext_len;
2382
2383 return 1;
2384 }
2385
2386 static const EVP_AEAD aead_aes_128_gcm = {
2387 .key_len = 16,
2388 .nonce_len = 12,
2389 .overhead = EVP_AEAD_AES_GCM_TAG_LEN,
2390 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN,
2391
2392 .init = aead_aes_gcm_init,
2393 .cleanup = aead_aes_gcm_cleanup,
2394 .seal = aead_aes_gcm_seal,
2395 .open = aead_aes_gcm_open,
2396 };
2397
2398 static const EVP_AEAD aead_aes_256_gcm = {
2399 .key_len = 32,
2400 .nonce_len = 12,
2401 .overhead = EVP_AEAD_AES_GCM_TAG_LEN,
2402 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN,
2403
2404 .init = aead_aes_gcm_init,
2405 .cleanup = aead_aes_gcm_cleanup,
2406 .seal = aead_aes_gcm_seal,
2407 .open = aead_aes_gcm_open,
2408 };
2409
2410 const EVP_AEAD *
EVP_aead_aes_128_gcm(void)2411 EVP_aead_aes_128_gcm(void)
2412 {
2413 return &aead_aes_128_gcm;
2414 }
2415
2416 const EVP_AEAD *
EVP_aead_aes_256_gcm(void)2417 EVP_aead_aes_256_gcm(void)
2418 {
2419 return &aead_aes_256_gcm;
2420 }
2421
2422 typedef struct {
2423 union {
2424 double align;
2425 AES_KEY ks;
2426 } ks;
2427 unsigned char *iv;
2428 } EVP_AES_WRAP_CTX;
2429
2430 static int
aes_wrap_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)2431 aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2432 const unsigned char *iv, int enc)
2433 {
2434 EVP_AES_WRAP_CTX *wctx = (EVP_AES_WRAP_CTX *)ctx->cipher_data;
2435
2436 if (iv == NULL && key == NULL)
2437 return 1;
2438
2439 if (key != NULL) {
2440 if (ctx->encrypt)
2441 AES_set_encrypt_key(key, 8 * ctx->key_len,
2442 &wctx->ks.ks);
2443 else
2444 AES_set_decrypt_key(key, 8 * ctx->key_len,
2445 &wctx->ks.ks);
2446
2447 if (iv == NULL)
2448 wctx->iv = NULL;
2449 }
2450
2451 if (iv != NULL) {
2452 memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
2453 wctx->iv = ctx->iv;
2454 }
2455
2456 return 1;
2457 }
2458
2459 static int
aes_wrap_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t inlen)2460 aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2461 const unsigned char *in, size_t inlen)
2462 {
2463 EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
2464 int ret;
2465
2466 if (in == NULL)
2467 return 0;
2468
2469 if (inlen % 8 != 0)
2470 return -1;
2471 if (ctx->encrypt && inlen < 8)
2472 return -1;
2473 if (!ctx->encrypt && inlen < 16)
2474 return -1;
2475 if (inlen > INT_MAX)
2476 return -1;
2477
2478 if (out == NULL) {
2479 if (ctx->encrypt)
2480 return inlen + 8;
2481 else
2482 return inlen - 8;
2483 }
2484
2485 if (ctx->encrypt)
2486 ret = AES_wrap_key(&wctx->ks.ks, wctx->iv, out, in,
2487 (unsigned int)inlen);
2488 else
2489 ret = AES_unwrap_key(&wctx->ks.ks, wctx->iv, out, in,
2490 (unsigned int)inlen);
2491
2492 return ret != 0 ? ret : -1;
2493 }
2494
2495 static int
aes_wrap_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)2496 aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
2497 {
2498 EVP_AES_WRAP_CTX *wctx = c->cipher_data;
2499
2500 switch (type) {
2501 case EVP_CTRL_COPY:
2502 {
2503 EVP_CIPHER_CTX *out = ptr;
2504 EVP_AES_WRAP_CTX *wctx_out = out->cipher_data;
2505
2506 if (wctx->iv != NULL) {
2507 if (c->iv != wctx->iv)
2508 return 0;
2509
2510 wctx_out->iv = out->iv;
2511 }
2512
2513 return 1;
2514 }
2515 }
2516
2517 return -1;
2518 }
2519
2520 #define WRAP_FLAGS \
2521 ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \
2522 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \
2523 EVP_CIPH_CUSTOM_COPY )
2524
2525 static const EVP_CIPHER aes_128_wrap = {
2526 .nid = NID_id_aes128_wrap,
2527 .block_size = 8,
2528 .key_len = 16,
2529 .iv_len = 8,
2530 .flags = WRAP_FLAGS,
2531 .init = aes_wrap_init_key,
2532 .do_cipher = aes_wrap_cipher,
2533 .cleanup = NULL,
2534 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2535 .set_asn1_parameters = NULL,
2536 .get_asn1_parameters = NULL,
2537 .ctrl = aes_wrap_ctrl,
2538 .app_data = NULL,
2539 };
2540
2541 const EVP_CIPHER *
EVP_aes_128_wrap(void)2542 EVP_aes_128_wrap(void)
2543 {
2544 return &aes_128_wrap;
2545 }
2546
2547 static const EVP_CIPHER aes_192_wrap = {
2548 .nid = NID_id_aes192_wrap,
2549 .block_size = 8,
2550 .key_len = 24,
2551 .iv_len = 8,
2552 .flags = WRAP_FLAGS,
2553 .init = aes_wrap_init_key,
2554 .do_cipher = aes_wrap_cipher,
2555 .cleanup = NULL,
2556 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2557 .set_asn1_parameters = NULL,
2558 .get_asn1_parameters = NULL,
2559 .ctrl = aes_wrap_ctrl,
2560 .app_data = NULL,
2561 };
2562
2563 const EVP_CIPHER *
EVP_aes_192_wrap(void)2564 EVP_aes_192_wrap(void)
2565 {
2566 return &aes_192_wrap;
2567 }
2568
2569 static const EVP_CIPHER aes_256_wrap = {
2570 .nid = NID_id_aes256_wrap,
2571 .block_size = 8,
2572 .key_len = 32,
2573 .iv_len = 8,
2574 .flags = WRAP_FLAGS,
2575 .init = aes_wrap_init_key,
2576 .do_cipher = aes_wrap_cipher,
2577 .cleanup = NULL,
2578 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2579 .set_asn1_parameters = NULL,
2580 .get_asn1_parameters = NULL,
2581 .ctrl = aes_wrap_ctrl,
2582 .app_data = NULL,
2583 };
2584
2585 const EVP_CIPHER *
EVP_aes_256_wrap(void)2586 EVP_aes_256_wrap(void)
2587 {
2588 return &aes_256_wrap;
2589 }
2590
2591 #endif
2592