1 /* $OpenBSD: e_aes.c,v 1.49 2022/09/13 04:59:18 jsing Exp $ */ 2 /* ==================================================================== 3 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core@openssl.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 */ 51 52 #include <limits.h> 53 #include <stdlib.h> 54 #include <string.h> 55 56 #include <openssl/opensslconf.h> 57 58 #ifndef OPENSSL_NO_AES 59 #include <openssl/aes.h> 60 #include <openssl/err.h> 61 #include <openssl/evp.h> 62 63 #include "evp_locl.h" 64 #include "modes_lcl.h" 65 66 typedef struct { 67 AES_KEY ks; 68 block128_f block; 69 union { 70 cbc128_f cbc; 71 ctr128_f ctr; 72 } stream; 73 } EVP_AES_KEY; 74 75 typedef struct { 76 AES_KEY ks; /* AES key schedule to use */ 77 int key_set; /* Set if key initialised */ 78 int iv_set; /* Set if an iv is set */ 79 GCM128_CONTEXT gcm; 80 unsigned char *iv; /* Temporary IV store */ 81 int ivlen; /* IV length */ 82 int taglen; 83 int iv_gen; /* It is OK to generate IVs */ 84 int tls_aad_len; /* TLS AAD length */ 85 ctr128_f ctr; 86 } EVP_AES_GCM_CTX; 87 88 typedef struct { 89 AES_KEY ks1, ks2; /* AES key schedules to use */ 90 XTS128_CONTEXT xts; 91 void (*stream)(const unsigned char *in, unsigned char *out, 92 size_t length, const AES_KEY *key1, const AES_KEY *key2, 93 const unsigned char iv[16]); 94 } EVP_AES_XTS_CTX; 95 96 typedef struct { 97 AES_KEY ks; /* AES key schedule to use */ 98 int key_set; /* Set if key initialised */ 99 int iv_set; /* Set if an iv is set */ 100 int tag_set; /* Set if tag is valid */ 101 int len_set; /* Set if message length set */ 102 int L, M; /* L and M parameters from RFC3610 */ 103 CCM128_CONTEXT ccm; 104 ccm128_f str; 105 } EVP_AES_CCM_CTX; 106 107 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) 108 109 #ifdef VPAES_ASM 110 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, 111 AES_KEY *key); 112 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, 113 AES_KEY *key); 114 115 void vpaes_encrypt(const unsigned char *in, unsigned char *out, 116 const AES_KEY *key); 117 void vpaes_decrypt(const unsigned char *in, unsigned char *out, 118 const AES_KEY *key); 119 120 void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 121 size_t length, const AES_KEY *key, unsigned char *ivec, int enc); 122 #endif 123 #ifdef BSAES_ASM 124 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 125 size_t length, const AES_KEY *key, unsigned char ivec[16], int enc); 126 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 127 size_t len, const AES_KEY *key, const unsigned char ivec[16]); 128 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, 129 size_t len, const AES_KEY *key1, const AES_KEY *key2, 130 const unsigned char iv[16]); 131 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, 132 size_t len, const AES_KEY *key1, const AES_KEY *key2, 133 const unsigned char iv[16]); 134 #endif 135 #ifdef AES_CTR_ASM 136 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 137 size_t blocks, const AES_KEY *key, 138 const unsigned char ivec[AES_BLOCK_SIZE]); 139 #endif 140 #ifdef AES_XTS_ASM 141 void AES_xts_encrypt(const char *inp, char *out, size_t len, 142 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); 143 void AES_xts_decrypt(const char *inp, char *out, size_t len, 144 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); 145 #endif 146 147 #if defined(AES_ASM) && ( \ 148 ((defined(__i386) || defined(__i386__) || \ 149 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ 150 defined(__x86_64) || defined(__x86_64__) || \ 151 defined(_M_AMD64) || defined(_M_X64) || \ 152 defined(__INTEL__) ) 153 154 #include "x86_arch.h" 155 156 #ifdef VPAES_ASM 157 #define VPAES_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_SSSE3) 158 #endif 159 #ifdef BSAES_ASM 160 #define BSAES_CAPABLE VPAES_CAPABLE 161 #endif 162 /* 163 * AES-NI section 164 */ 165 #define AESNI_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI) 166 167 int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 168 AES_KEY *key); 169 int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 170 AES_KEY *key); 171 172 void aesni_encrypt(const unsigned char *in, unsigned char *out, 173 const AES_KEY *key); 174 void aesni_decrypt(const unsigned char *in, unsigned char *out, 175 const AES_KEY *key); 176 177 void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out, 178 size_t length, const AES_KEY *key, int enc); 179 void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out, 180 size_t length, const AES_KEY *key, unsigned char *ivec, int enc); 181 182 void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 183 size_t blocks, const void *key, const unsigned char *ivec); 184 185 void aesni_xts_encrypt(const unsigned char *in, unsigned char *out, 186 size_t length, const AES_KEY *key1, const AES_KEY *key2, 187 const unsigned char iv[16]); 188 189 void aesni_xts_decrypt(const unsigned char *in, unsigned char *out, 190 size_t length, const AES_KEY *key1, const AES_KEY *key2, 191 const unsigned char iv[16]); 192 193 void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out, 194 size_t blocks, const void *key, const unsigned char ivec[16], 195 unsigned char cmac[16]); 196 197 void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out, 198 size_t blocks, const void *key, const unsigned char ivec[16], 199 unsigned char cmac[16]); 200 201 static int 202 aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 203 const unsigned char *iv, int enc) 204 { 205 int ret, mode; 206 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 207 208 mode = ctx->cipher->flags & EVP_CIPH_MODE; 209 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && 210 !enc) { 211 ret = aesni_set_decrypt_key(key, ctx->key_len * 8, 212 ctx->cipher_data); 213 dat->block = (block128_f)aesni_decrypt; 214 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 215 (cbc128_f)aesni_cbc_encrypt : NULL; 216 } else { 217 ret = aesni_set_encrypt_key(key, ctx->key_len * 8, 218 ctx->cipher_data); 219 dat->block = (block128_f)aesni_encrypt; 220 if (mode == EVP_CIPH_CBC_MODE) 221 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; 222 else if (mode == EVP_CIPH_CTR_MODE) 223 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 224 else 225 dat->stream.cbc = NULL; 226 } 227 228 if (ret < 0) { 229 EVPerror(EVP_R_AES_KEY_SETUP_FAILED); 230 return 0; 231 } 232 233 return 1; 234 } 235 236 static int 237 aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 238 const unsigned char *in, size_t len) 239 { 240 aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, 241 ctx->encrypt); 242 243 return 1; 244 } 245 246 static int 247 aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 248 const unsigned char *in, size_t len) 249 { 250 size_t bl = ctx->cipher->block_size; 251 252 if (len < bl) 253 return 1; 254 255 aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt); 256 257 return 1; 258 } 259 260 static int 261 aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 262 const unsigned char *iv, int enc) 263 { 264 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 265 266 if (!iv && !key) 267 return 1; 268 if (key) { 269 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 270 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 271 (block128_f)aesni_encrypt); 272 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 273 /* If we have an iv can set it directly, otherwise use 274 * saved IV. 275 */ 276 if (iv == NULL && gctx->iv_set) 277 iv = gctx->iv; 278 if (iv) { 279 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 280 gctx->iv_set = 1; 281 } 282 gctx->key_set = 1; 283 } else { 284 /* If key set use IV, otherwise copy */ 285 if (gctx->key_set) 286 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 287 else 288 memcpy(gctx->iv, iv, gctx->ivlen); 289 gctx->iv_set = 1; 290 gctx->iv_gen = 0; 291 } 292 return 1; 293 } 294 295 static int 296 aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 297 const unsigned char *iv, int enc) 298 { 299 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 300 301 if (!iv && !key) 302 return 1; 303 304 if (key) { 305 /* key_len is two AES keys */ 306 if (enc) { 307 aesni_set_encrypt_key(key, ctx->key_len * 4, 308 &xctx->ks1); 309 xctx->xts.block1 = (block128_f)aesni_encrypt; 310 xctx->stream = aesni_xts_encrypt; 311 } else { 312 aesni_set_decrypt_key(key, ctx->key_len * 4, 313 &xctx->ks1); 314 xctx->xts.block1 = (block128_f)aesni_decrypt; 315 xctx->stream = aesni_xts_decrypt; 316 } 317 318 aesni_set_encrypt_key(key + ctx->key_len / 2, 319 ctx->key_len * 4, &xctx->ks2); 320 xctx->xts.block2 = (block128_f)aesni_encrypt; 321 322 xctx->xts.key1 = &xctx->ks1; 323 } 324 325 if (iv) { 326 xctx->xts.key2 = &xctx->ks2; 327 memcpy(ctx->iv, iv, 16); 328 } 329 330 return 1; 331 } 332 333 static int 334 aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 335 const unsigned char *iv, int enc) 336 { 337 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 338 339 if (!iv && !key) 340 return 1; 341 if (key) { 342 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 343 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 344 &cctx->ks, (block128_f)aesni_encrypt); 345 cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks : 346 (ccm128_f)aesni_ccm64_decrypt_blocks; 347 cctx->key_set = 1; 348 } 349 if (iv) { 350 memcpy(ctx->iv, iv, 15 - cctx->L); 351 cctx->iv_set = 1; 352 } 353 return 1; 354 } 355 356 #endif 357 358 static int 359 aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 360 const unsigned char *iv, int enc) 361 { 362 int ret, mode; 363 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 364 365 mode = ctx->cipher->flags & EVP_CIPH_MODE; 366 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && 367 !enc) 368 #ifdef BSAES_CAPABLE 369 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) { 370 ret = AES_set_decrypt_key(key, ctx->key_len * 8, 371 &dat->ks); 372 dat->block = (block128_f)AES_decrypt; 373 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; 374 } else 375 #endif 376 #ifdef VPAES_CAPABLE 377 if (VPAES_CAPABLE) { 378 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, 379 &dat->ks); 380 dat->block = (block128_f)vpaes_decrypt; 381 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 382 (cbc128_f)vpaes_cbc_encrypt : NULL; 383 } else 384 #endif 385 { 386 ret = AES_set_decrypt_key(key, ctx->key_len * 8, 387 &dat->ks); 388 dat->block = (block128_f)AES_decrypt; 389 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 390 (cbc128_f)AES_cbc_encrypt : NULL; 391 } else 392 #ifdef BSAES_CAPABLE 393 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) { 394 ret = AES_set_encrypt_key(key, ctx->key_len * 8, 395 &dat->ks); 396 dat->block = (block128_f)AES_encrypt; 397 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 398 } else 399 #endif 400 #ifdef VPAES_CAPABLE 401 if (VPAES_CAPABLE) { 402 ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, 403 &dat->ks); 404 dat->block = (block128_f)vpaes_encrypt; 405 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 406 (cbc128_f)vpaes_cbc_encrypt : NULL; 407 } else 408 #endif 409 { 410 ret = AES_set_encrypt_key(key, ctx->key_len * 8, 411 &dat->ks); 412 dat->block = (block128_f)AES_encrypt; 413 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 414 (cbc128_f)AES_cbc_encrypt : NULL; 415 #ifdef AES_CTR_ASM 416 if (mode == EVP_CIPH_CTR_MODE) 417 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; 418 #endif 419 } 420 421 if (ret < 0) { 422 EVPerror(EVP_R_AES_KEY_SETUP_FAILED); 423 return 0; 424 } 425 426 return 1; 427 } 428 429 static int 430 aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 431 const unsigned char *in, size_t len) 432 { 433 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 434 435 if (dat->stream.cbc) 436 (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv, 437 ctx->encrypt); 438 else if (ctx->encrypt) 439 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, 440 dat->block); 441 else 442 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, 443 dat->block); 444 445 return 1; 446 } 447 448 static int 449 aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 450 const unsigned char *in, size_t len) 451 { 452 size_t bl = ctx->cipher->block_size; 453 size_t i; 454 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 455 456 if (len < bl) 457 return 1; 458 459 for (i = 0, len -= bl; i <= len; i += bl) 460 (*dat->block)(in + i, out + i, &dat->ks); 461 462 return 1; 463 } 464 465 static int 466 aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 467 const unsigned char *in, size_t len) 468 { 469 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 470 471 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 472 dat->block); 473 return 1; 474 } 475 476 static int 477 aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 478 const unsigned char *in, size_t len) 479 { 480 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 481 482 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 483 ctx->encrypt, dat->block); 484 return 1; 485 } 486 487 static int 488 aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 489 const unsigned char *in, size_t len) 490 { 491 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 492 493 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 494 ctx->encrypt, dat->block); 495 return 1; 496 } 497 498 static int 499 aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 500 const unsigned char *in, size_t len) 501 { 502 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 503 504 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { 505 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv, 506 &ctx->num, ctx->encrypt, dat->block); 507 return 1; 508 } 509 510 while (len >= MAXBITCHUNK) { 511 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks, 512 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 513 len -= MAXBITCHUNK; 514 in += MAXBITCHUNK; 515 out += MAXBITCHUNK; 516 } 517 if (len) 518 CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks, 519 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 520 521 return 1; 522 } 523 524 static int 525 aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 526 const unsigned char *in, size_t len) 527 { 528 unsigned int num = ctx->num; 529 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 530 531 if (dat->stream.ctr) 532 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, 533 ctx->iv, ctx->buf, &num, dat->stream.ctr); 534 else 535 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, 536 ctx->iv, ctx->buf, &num, dat->block); 537 ctx->num = (size_t)num; 538 return 1; 539 } 540 541 542 #ifdef AESNI_CAPABLE 543 static const EVP_CIPHER aesni_128_cbc = { 544 .nid = NID_aes_128_cbc, 545 .block_size = 16, 546 .key_len = 16, 547 .iv_len = 16, 548 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 549 .init = aesni_init_key, 550 .do_cipher = aesni_cbc_cipher, 551 .ctx_size = sizeof(EVP_AES_KEY), 552 }; 553 #endif 554 555 static const EVP_CIPHER aes_128_cbc = { 556 .nid = NID_aes_128_cbc, 557 .block_size = 16, 558 .key_len = 16, 559 .iv_len = 16, 560 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 561 .init = aes_init_key, 562 .do_cipher = aes_cbc_cipher, 563 .ctx_size = sizeof(EVP_AES_KEY), 564 }; 565 566 const EVP_CIPHER * 567 EVP_aes_128_cbc(void) 568 { 569 #ifdef AESNI_CAPABLE 570 return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc; 571 #else 572 return &aes_128_cbc; 573 #endif 574 } 575 576 #ifdef AESNI_CAPABLE 577 static const EVP_CIPHER aesni_128_ecb = { 578 .nid = NID_aes_128_ecb, 579 .block_size = 16, 580 .key_len = 16, 581 .iv_len = 0, 582 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 583 .init = aesni_init_key, 584 .do_cipher = aesni_ecb_cipher, 585 .ctx_size = sizeof(EVP_AES_KEY), 586 }; 587 #endif 588 589 static const EVP_CIPHER aes_128_ecb = { 590 .nid = NID_aes_128_ecb, 591 .block_size = 16, 592 .key_len = 16, 593 .iv_len = 0, 594 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 595 .init = aes_init_key, 596 .do_cipher = aes_ecb_cipher, 597 .ctx_size = sizeof(EVP_AES_KEY), 598 }; 599 600 const EVP_CIPHER * 601 EVP_aes_128_ecb(void) 602 { 603 #ifdef AESNI_CAPABLE 604 return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb; 605 #else 606 return &aes_128_ecb; 607 #endif 608 } 609 610 #ifdef AESNI_CAPABLE 611 static const EVP_CIPHER aesni_128_ofb = { 612 .nid = NID_aes_128_ofb128, 613 .block_size = 1, 614 .key_len = 16, 615 .iv_len = 16, 616 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 617 .init = aesni_init_key, 618 .do_cipher = aes_ofb_cipher, 619 .ctx_size = sizeof(EVP_AES_KEY), 620 }; 621 #endif 622 623 static const EVP_CIPHER aes_128_ofb = { 624 .nid = NID_aes_128_ofb128, 625 .block_size = 1, 626 .key_len = 16, 627 .iv_len = 16, 628 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 629 .init = aes_init_key, 630 .do_cipher = aes_ofb_cipher, 631 .ctx_size = sizeof(EVP_AES_KEY), 632 }; 633 634 const EVP_CIPHER * 635 EVP_aes_128_ofb(void) 636 { 637 #ifdef AESNI_CAPABLE 638 return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb; 639 #else 640 return &aes_128_ofb; 641 #endif 642 } 643 644 #ifdef AESNI_CAPABLE 645 static const EVP_CIPHER aesni_128_cfb = { 646 .nid = NID_aes_128_cfb128, 647 .block_size = 1, 648 .key_len = 16, 649 .iv_len = 16, 650 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 651 .init = aesni_init_key, 652 .do_cipher = aes_cfb_cipher, 653 .ctx_size = sizeof(EVP_AES_KEY), 654 }; 655 #endif 656 657 static const EVP_CIPHER aes_128_cfb = { 658 .nid = NID_aes_128_cfb128, 659 .block_size = 1, 660 .key_len = 16, 661 .iv_len = 16, 662 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 663 .init = aes_init_key, 664 .do_cipher = aes_cfb_cipher, 665 .ctx_size = sizeof(EVP_AES_KEY), 666 }; 667 668 const EVP_CIPHER * 669 EVP_aes_128_cfb(void) 670 { 671 #ifdef AESNI_CAPABLE 672 return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb; 673 #else 674 return &aes_128_cfb; 675 #endif 676 } 677 678 #ifdef AESNI_CAPABLE 679 static const EVP_CIPHER aesni_128_cfb1 = { 680 .nid = NID_aes_128_cfb1, 681 .block_size = 1, 682 .key_len = 16, 683 .iv_len = 16, 684 .flags = EVP_CIPH_CFB_MODE, 685 .init = aesni_init_key, 686 .do_cipher = aes_cfb1_cipher, 687 .ctx_size = sizeof(EVP_AES_KEY), 688 }; 689 #endif 690 691 static const EVP_CIPHER aes_128_cfb1 = { 692 .nid = NID_aes_128_cfb1, 693 .block_size = 1, 694 .key_len = 16, 695 .iv_len = 16, 696 .flags = EVP_CIPH_CFB_MODE, 697 .init = aes_init_key, 698 .do_cipher = aes_cfb1_cipher, 699 .ctx_size = sizeof(EVP_AES_KEY), 700 }; 701 702 const EVP_CIPHER * 703 EVP_aes_128_cfb1(void) 704 { 705 #ifdef AESNI_CAPABLE 706 return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1; 707 #else 708 return &aes_128_cfb1; 709 #endif 710 } 711 712 #ifdef AESNI_CAPABLE 713 static const EVP_CIPHER aesni_128_cfb8 = { 714 .nid = NID_aes_128_cfb8, 715 .block_size = 1, 716 .key_len = 16, 717 .iv_len = 16, 718 .flags = EVP_CIPH_CFB_MODE, 719 .init = aesni_init_key, 720 .do_cipher = aes_cfb8_cipher, 721 .ctx_size = sizeof(EVP_AES_KEY), 722 }; 723 #endif 724 725 static const EVP_CIPHER aes_128_cfb8 = { 726 .nid = NID_aes_128_cfb8, 727 .block_size = 1, 728 .key_len = 16, 729 .iv_len = 16, 730 .flags = EVP_CIPH_CFB_MODE, 731 .init = aes_init_key, 732 .do_cipher = aes_cfb8_cipher, 733 .ctx_size = sizeof(EVP_AES_KEY), 734 }; 735 736 const EVP_CIPHER * 737 EVP_aes_128_cfb8(void) 738 { 739 #ifdef AESNI_CAPABLE 740 return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8; 741 #else 742 return &aes_128_cfb8; 743 #endif 744 } 745 746 #ifdef AESNI_CAPABLE 747 static const EVP_CIPHER aesni_128_ctr = { 748 .nid = NID_aes_128_ctr, 749 .block_size = 1, 750 .key_len = 16, 751 .iv_len = 16, 752 .flags = EVP_CIPH_CTR_MODE, 753 .init = aesni_init_key, 754 .do_cipher = aes_ctr_cipher, 755 .ctx_size = sizeof(EVP_AES_KEY), 756 }; 757 #endif 758 759 static const EVP_CIPHER aes_128_ctr = { 760 .nid = NID_aes_128_ctr, 761 .block_size = 1, 762 .key_len = 16, 763 .iv_len = 16, 764 .flags = EVP_CIPH_CTR_MODE, 765 .init = aes_init_key, 766 .do_cipher = aes_ctr_cipher, 767 .ctx_size = sizeof(EVP_AES_KEY), 768 }; 769 770 const EVP_CIPHER * 771 EVP_aes_128_ctr(void) 772 { 773 #ifdef AESNI_CAPABLE 774 return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr; 775 #else 776 return &aes_128_ctr; 777 #endif 778 } 779 780 781 #ifdef AESNI_CAPABLE 782 static const EVP_CIPHER aesni_192_cbc = { 783 .nid = NID_aes_192_cbc, 784 .block_size = 16, 785 .key_len = 24, 786 .iv_len = 16, 787 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 788 .init = aesni_init_key, 789 .do_cipher = aesni_cbc_cipher, 790 .ctx_size = sizeof(EVP_AES_KEY), 791 }; 792 #endif 793 794 static const EVP_CIPHER aes_192_cbc = { 795 .nid = NID_aes_192_cbc, 796 .block_size = 16, 797 .key_len = 24, 798 .iv_len = 16, 799 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 800 .init = aes_init_key, 801 .do_cipher = aes_cbc_cipher, 802 .ctx_size = sizeof(EVP_AES_KEY), 803 }; 804 805 const EVP_CIPHER * 806 EVP_aes_192_cbc(void) 807 { 808 #ifdef AESNI_CAPABLE 809 return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc; 810 #else 811 return &aes_192_cbc; 812 #endif 813 } 814 815 #ifdef AESNI_CAPABLE 816 static const EVP_CIPHER aesni_192_ecb = { 817 .nid = NID_aes_192_ecb, 818 .block_size = 16, 819 .key_len = 24, 820 .iv_len = 0, 821 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 822 .init = aesni_init_key, 823 .do_cipher = aesni_ecb_cipher, 824 .ctx_size = sizeof(EVP_AES_KEY), 825 }; 826 #endif 827 828 static const EVP_CIPHER aes_192_ecb = { 829 .nid = NID_aes_192_ecb, 830 .block_size = 16, 831 .key_len = 24, 832 .iv_len = 0, 833 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 834 .init = aes_init_key, 835 .do_cipher = aes_ecb_cipher, 836 .ctx_size = sizeof(EVP_AES_KEY), 837 }; 838 839 const EVP_CIPHER * 840 EVP_aes_192_ecb(void) 841 { 842 #ifdef AESNI_CAPABLE 843 return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb; 844 #else 845 return &aes_192_ecb; 846 #endif 847 } 848 849 #ifdef AESNI_CAPABLE 850 static const EVP_CIPHER aesni_192_ofb = { 851 .nid = NID_aes_192_ofb128, 852 .block_size = 1, 853 .key_len = 24, 854 .iv_len = 16, 855 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 856 .init = aesni_init_key, 857 .do_cipher = aes_ofb_cipher, 858 .ctx_size = sizeof(EVP_AES_KEY), 859 }; 860 #endif 861 862 static const EVP_CIPHER aes_192_ofb = { 863 .nid = NID_aes_192_ofb128, 864 .block_size = 1, 865 .key_len = 24, 866 .iv_len = 16, 867 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 868 .init = aes_init_key, 869 .do_cipher = aes_ofb_cipher, 870 .ctx_size = sizeof(EVP_AES_KEY), 871 }; 872 873 const EVP_CIPHER * 874 EVP_aes_192_ofb(void) 875 { 876 #ifdef AESNI_CAPABLE 877 return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb; 878 #else 879 return &aes_192_ofb; 880 #endif 881 } 882 883 #ifdef AESNI_CAPABLE 884 static const EVP_CIPHER aesni_192_cfb = { 885 .nid = NID_aes_192_cfb128, 886 .block_size = 1, 887 .key_len = 24, 888 .iv_len = 16, 889 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 890 .init = aesni_init_key, 891 .do_cipher = aes_cfb_cipher, 892 .ctx_size = sizeof(EVP_AES_KEY), 893 }; 894 #endif 895 896 static const EVP_CIPHER aes_192_cfb = { 897 .nid = NID_aes_192_cfb128, 898 .block_size = 1, 899 .key_len = 24, 900 .iv_len = 16, 901 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 902 .init = aes_init_key, 903 .do_cipher = aes_cfb_cipher, 904 .ctx_size = sizeof(EVP_AES_KEY), 905 }; 906 907 const EVP_CIPHER * 908 EVP_aes_192_cfb(void) 909 { 910 #ifdef AESNI_CAPABLE 911 return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb; 912 #else 913 return &aes_192_cfb; 914 #endif 915 } 916 917 #ifdef AESNI_CAPABLE 918 static const EVP_CIPHER aesni_192_cfb1 = { 919 .nid = NID_aes_192_cfb1, 920 .block_size = 1, 921 .key_len = 24, 922 .iv_len = 16, 923 .flags = EVP_CIPH_CFB_MODE, 924 .init = aesni_init_key, 925 .do_cipher = aes_cfb1_cipher, 926 .ctx_size = sizeof(EVP_AES_KEY), 927 }; 928 #endif 929 930 static const EVP_CIPHER aes_192_cfb1 = { 931 .nid = NID_aes_192_cfb1, 932 .block_size = 1, 933 .key_len = 24, 934 .iv_len = 16, 935 .flags = EVP_CIPH_CFB_MODE, 936 .init = aes_init_key, 937 .do_cipher = aes_cfb1_cipher, 938 .ctx_size = sizeof(EVP_AES_KEY), 939 }; 940 941 const EVP_CIPHER * 942 EVP_aes_192_cfb1(void) 943 { 944 #ifdef AESNI_CAPABLE 945 return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1; 946 #else 947 return &aes_192_cfb1; 948 #endif 949 } 950 951 #ifdef AESNI_CAPABLE 952 static const EVP_CIPHER aesni_192_cfb8 = { 953 .nid = NID_aes_192_cfb8, 954 .block_size = 1, 955 .key_len = 24, 956 .iv_len = 16, 957 .flags = EVP_CIPH_CFB_MODE, 958 .init = aesni_init_key, 959 .do_cipher = aes_cfb8_cipher, 960 .ctx_size = sizeof(EVP_AES_KEY), 961 }; 962 #endif 963 964 static const EVP_CIPHER aes_192_cfb8 = { 965 .nid = NID_aes_192_cfb8, 966 .block_size = 1, 967 .key_len = 24, 968 .iv_len = 16, 969 .flags = EVP_CIPH_CFB_MODE, 970 .init = aes_init_key, 971 .do_cipher = aes_cfb8_cipher, 972 .ctx_size = sizeof(EVP_AES_KEY), 973 }; 974 975 const EVP_CIPHER * 976 EVP_aes_192_cfb8(void) 977 { 978 #ifdef AESNI_CAPABLE 979 return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8; 980 #else 981 return &aes_192_cfb8; 982 #endif 983 } 984 985 #ifdef AESNI_CAPABLE 986 static const EVP_CIPHER aesni_192_ctr = { 987 .nid = NID_aes_192_ctr, 988 .block_size = 1, 989 .key_len = 24, 990 .iv_len = 16, 991 .flags = EVP_CIPH_CTR_MODE, 992 .init = aesni_init_key, 993 .do_cipher = aes_ctr_cipher, 994 .ctx_size = sizeof(EVP_AES_KEY), 995 }; 996 #endif 997 998 static const EVP_CIPHER aes_192_ctr = { 999 .nid = NID_aes_192_ctr, 1000 .block_size = 1, 1001 .key_len = 24, 1002 .iv_len = 16, 1003 .flags = EVP_CIPH_CTR_MODE, 1004 .init = aes_init_key, 1005 .do_cipher = aes_ctr_cipher, 1006 .ctx_size = sizeof(EVP_AES_KEY), 1007 }; 1008 1009 const EVP_CIPHER * 1010 EVP_aes_192_ctr(void) 1011 { 1012 #ifdef AESNI_CAPABLE 1013 return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr; 1014 #else 1015 return &aes_192_ctr; 1016 #endif 1017 } 1018 1019 1020 #ifdef AESNI_CAPABLE 1021 static const EVP_CIPHER aesni_256_cbc = { 1022 .nid = NID_aes_256_cbc, 1023 .block_size = 16, 1024 .key_len = 32, 1025 .iv_len = 16, 1026 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 1027 .init = aesni_init_key, 1028 .do_cipher = aesni_cbc_cipher, 1029 .ctx_size = sizeof(EVP_AES_KEY), 1030 }; 1031 #endif 1032 1033 static const EVP_CIPHER aes_256_cbc = { 1034 .nid = NID_aes_256_cbc, 1035 .block_size = 16, 1036 .key_len = 32, 1037 .iv_len = 16, 1038 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 1039 .init = aes_init_key, 1040 .do_cipher = aes_cbc_cipher, 1041 .ctx_size = sizeof(EVP_AES_KEY), 1042 }; 1043 1044 const EVP_CIPHER * 1045 EVP_aes_256_cbc(void) 1046 { 1047 #ifdef AESNI_CAPABLE 1048 return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc; 1049 #else 1050 return &aes_256_cbc; 1051 #endif 1052 } 1053 1054 #ifdef AESNI_CAPABLE 1055 static const EVP_CIPHER aesni_256_ecb = { 1056 .nid = NID_aes_256_ecb, 1057 .block_size = 16, 1058 .key_len = 32, 1059 .iv_len = 0, 1060 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 1061 .init = aesni_init_key, 1062 .do_cipher = aesni_ecb_cipher, 1063 .ctx_size = sizeof(EVP_AES_KEY), 1064 }; 1065 #endif 1066 1067 static const EVP_CIPHER aes_256_ecb = { 1068 .nid = NID_aes_256_ecb, 1069 .block_size = 16, 1070 .key_len = 32, 1071 .iv_len = 0, 1072 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 1073 .init = aes_init_key, 1074 .do_cipher = aes_ecb_cipher, 1075 .ctx_size = sizeof(EVP_AES_KEY), 1076 }; 1077 1078 const EVP_CIPHER * 1079 EVP_aes_256_ecb(void) 1080 { 1081 #ifdef AESNI_CAPABLE 1082 return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb; 1083 #else 1084 return &aes_256_ecb; 1085 #endif 1086 } 1087 1088 #ifdef AESNI_CAPABLE 1089 static const EVP_CIPHER aesni_256_ofb = { 1090 .nid = NID_aes_256_ofb128, 1091 .block_size = 1, 1092 .key_len = 32, 1093 .iv_len = 16, 1094 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 1095 .init = aesni_init_key, 1096 .do_cipher = aes_ofb_cipher, 1097 .ctx_size = sizeof(EVP_AES_KEY), 1098 }; 1099 #endif 1100 1101 static const EVP_CIPHER aes_256_ofb = { 1102 .nid = NID_aes_256_ofb128, 1103 .block_size = 1, 1104 .key_len = 32, 1105 .iv_len = 16, 1106 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 1107 .init = aes_init_key, 1108 .do_cipher = aes_ofb_cipher, 1109 .ctx_size = sizeof(EVP_AES_KEY), 1110 }; 1111 1112 const EVP_CIPHER * 1113 EVP_aes_256_ofb(void) 1114 { 1115 #ifdef AESNI_CAPABLE 1116 return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb; 1117 #else 1118 return &aes_256_ofb; 1119 #endif 1120 } 1121 1122 #ifdef AESNI_CAPABLE 1123 static const EVP_CIPHER aesni_256_cfb = { 1124 .nid = NID_aes_256_cfb128, 1125 .block_size = 1, 1126 .key_len = 32, 1127 .iv_len = 16, 1128 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 1129 .init = aesni_init_key, 1130 .do_cipher = aes_cfb_cipher, 1131 .ctx_size = sizeof(EVP_AES_KEY), 1132 }; 1133 #endif 1134 1135 static const EVP_CIPHER aes_256_cfb = { 1136 .nid = NID_aes_256_cfb128, 1137 .block_size = 1, 1138 .key_len = 32, 1139 .iv_len = 16, 1140 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 1141 .init = aes_init_key, 1142 .do_cipher = aes_cfb_cipher, 1143 .ctx_size = sizeof(EVP_AES_KEY), 1144 }; 1145 1146 const EVP_CIPHER * 1147 EVP_aes_256_cfb(void) 1148 { 1149 #ifdef AESNI_CAPABLE 1150 return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb; 1151 #else 1152 return &aes_256_cfb; 1153 #endif 1154 } 1155 1156 #ifdef AESNI_CAPABLE 1157 static const EVP_CIPHER aesni_256_cfb1 = { 1158 .nid = NID_aes_256_cfb1, 1159 .block_size = 1, 1160 .key_len = 32, 1161 .iv_len = 16, 1162 .flags = EVP_CIPH_CFB_MODE, 1163 .init = aesni_init_key, 1164 .do_cipher = aes_cfb1_cipher, 1165 .ctx_size = sizeof(EVP_AES_KEY), 1166 }; 1167 #endif 1168 1169 static const EVP_CIPHER aes_256_cfb1 = { 1170 .nid = NID_aes_256_cfb1, 1171 .block_size = 1, 1172 .key_len = 32, 1173 .iv_len = 16, 1174 .flags = EVP_CIPH_CFB_MODE, 1175 .init = aes_init_key, 1176 .do_cipher = aes_cfb1_cipher, 1177 .ctx_size = sizeof(EVP_AES_KEY), 1178 }; 1179 1180 const EVP_CIPHER * 1181 EVP_aes_256_cfb1(void) 1182 { 1183 #ifdef AESNI_CAPABLE 1184 return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1; 1185 #else 1186 return &aes_256_cfb1; 1187 #endif 1188 } 1189 1190 #ifdef AESNI_CAPABLE 1191 static const EVP_CIPHER aesni_256_cfb8 = { 1192 .nid = NID_aes_256_cfb8, 1193 .block_size = 1, 1194 .key_len = 32, 1195 .iv_len = 16, 1196 .flags = EVP_CIPH_CFB_MODE, 1197 .init = aesni_init_key, 1198 .do_cipher = aes_cfb8_cipher, 1199 .ctx_size = sizeof(EVP_AES_KEY), 1200 }; 1201 #endif 1202 1203 static const EVP_CIPHER aes_256_cfb8 = { 1204 .nid = NID_aes_256_cfb8, 1205 .block_size = 1, 1206 .key_len = 32, 1207 .iv_len = 16, 1208 .flags = EVP_CIPH_CFB_MODE, 1209 .init = aes_init_key, 1210 .do_cipher = aes_cfb8_cipher, 1211 .ctx_size = sizeof(EVP_AES_KEY), 1212 }; 1213 1214 const EVP_CIPHER * 1215 EVP_aes_256_cfb8(void) 1216 { 1217 #ifdef AESNI_CAPABLE 1218 return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8; 1219 #else 1220 return &aes_256_cfb8; 1221 #endif 1222 } 1223 1224 #ifdef AESNI_CAPABLE 1225 static const EVP_CIPHER aesni_256_ctr = { 1226 .nid = NID_aes_256_ctr, 1227 .block_size = 1, 1228 .key_len = 32, 1229 .iv_len = 16, 1230 .flags = EVP_CIPH_CTR_MODE, 1231 .init = aesni_init_key, 1232 .do_cipher = aes_ctr_cipher, 1233 .ctx_size = sizeof(EVP_AES_KEY), 1234 }; 1235 #endif 1236 1237 static const EVP_CIPHER aes_256_ctr = { 1238 .nid = NID_aes_256_ctr, 1239 .block_size = 1, 1240 .key_len = 32, 1241 .iv_len = 16, 1242 .flags = EVP_CIPH_CTR_MODE, 1243 .init = aes_init_key, 1244 .do_cipher = aes_ctr_cipher, 1245 .ctx_size = sizeof(EVP_AES_KEY), 1246 }; 1247 1248 const EVP_CIPHER * 1249 EVP_aes_256_ctr(void) 1250 { 1251 #ifdef AESNI_CAPABLE 1252 return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr; 1253 #else 1254 return &aes_256_ctr; 1255 #endif 1256 } 1257 1258 static void 1259 aes_gcm_cleanup(EVP_CIPHER_CTX *c) 1260 { 1261 EVP_AES_GCM_CTX *gctx = c->cipher_data; 1262 1263 if (gctx->iv != c->iv) 1264 free(gctx->iv); 1265 1266 explicit_bzero(gctx, sizeof(*gctx)); 1267 } 1268 1269 /* increment counter (64-bit int) by 1 */ 1270 static void 1271 ctr64_inc(unsigned char *counter) 1272 { 1273 int n = 8; 1274 unsigned char c; 1275 1276 do { 1277 --n; 1278 c = counter[n]; 1279 ++c; 1280 counter[n] = c; 1281 if (c) 1282 return; 1283 } while (n); 1284 } 1285 1286 static int 1287 aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1288 { 1289 EVP_AES_GCM_CTX *gctx = c->cipher_data; 1290 1291 switch (type) { 1292 case EVP_CTRL_INIT: 1293 gctx->key_set = 0; 1294 gctx->iv_set = 0; 1295 if (c->cipher->iv_len == 0) { 1296 EVPerror(EVP_R_INVALID_IV_LENGTH); 1297 return 0; 1298 } 1299 gctx->ivlen = c->cipher->iv_len; 1300 gctx->iv = c->iv; 1301 gctx->taglen = -1; 1302 gctx->iv_gen = 0; 1303 gctx->tls_aad_len = -1; 1304 return 1; 1305 1306 case EVP_CTRL_GCM_SET_IVLEN: 1307 if (arg <= 0) 1308 return 0; 1309 /* Allocate memory for IV if needed */ 1310 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { 1311 if (gctx->iv != c->iv) 1312 free(gctx->iv); 1313 gctx->iv = malloc(arg); 1314 if (!gctx->iv) 1315 return 0; 1316 } 1317 gctx->ivlen = arg; 1318 return 1; 1319 1320 case EVP_CTRL_GCM_SET_TAG: 1321 if (arg <= 0 || arg > 16 || c->encrypt) 1322 return 0; 1323 memcpy(c->buf, ptr, arg); 1324 gctx->taglen = arg; 1325 return 1; 1326 1327 case EVP_CTRL_GCM_GET_TAG: 1328 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) 1329 return 0; 1330 memcpy(ptr, c->buf, arg); 1331 return 1; 1332 1333 case EVP_CTRL_GCM_SET_IV_FIXED: 1334 /* Special case: -1 length restores whole IV */ 1335 if (arg == -1) { 1336 memcpy(gctx->iv, ptr, gctx->ivlen); 1337 gctx->iv_gen = 1; 1338 return 1; 1339 } 1340 /* Fixed field must be at least 4 bytes and invocation field 1341 * at least 8. 1342 */ 1343 if ((arg < 4) || (gctx->ivlen - arg) < 8) 1344 return 0; 1345 if (arg) 1346 memcpy(gctx->iv, ptr, arg); 1347 if (c->encrypt) 1348 arc4random_buf(gctx->iv + arg, gctx->ivlen - arg); 1349 gctx->iv_gen = 1; 1350 return 1; 1351 1352 case EVP_CTRL_GCM_IV_GEN: 1353 if (gctx->iv_gen == 0 || gctx->key_set == 0) 1354 return 0; 1355 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 1356 if (arg <= 0 || arg > gctx->ivlen) 1357 arg = gctx->ivlen; 1358 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 1359 /* Invocation field will be at least 8 bytes in size and 1360 * so no need to check wrap around or increment more than 1361 * last 8 bytes. 1362 */ 1363 ctr64_inc(gctx->iv + gctx->ivlen - 8); 1364 gctx->iv_set = 1; 1365 return 1; 1366 1367 case EVP_CTRL_GCM_SET_IV_INV: 1368 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) 1369 return 0; 1370 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 1371 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 1372 gctx->iv_set = 1; 1373 return 1; 1374 1375 case EVP_CTRL_AEAD_TLS1_AAD: 1376 /* Save the AAD for later use */ 1377 if (arg != 13) 1378 return 0; 1379 memcpy(c->buf, ptr, arg); 1380 gctx->tls_aad_len = arg; 1381 { 1382 unsigned int len = c->buf[arg - 2] << 8 | 1383 c->buf[arg - 1]; 1384 1385 /* Correct length for explicit IV */ 1386 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) 1387 return 0; 1388 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 1389 1390 /* If decrypting correct for tag too */ 1391 if (!c->encrypt) { 1392 if (len < EVP_GCM_TLS_TAG_LEN) 1393 return 0; 1394 len -= EVP_GCM_TLS_TAG_LEN; 1395 } 1396 c->buf[arg - 2] = len >> 8; 1397 c->buf[arg - 1] = len & 0xff; 1398 } 1399 /* Extra padding: tag appended to record */ 1400 return EVP_GCM_TLS_TAG_LEN; 1401 1402 case EVP_CTRL_COPY: 1403 { 1404 EVP_CIPHER_CTX *out = ptr; 1405 EVP_AES_GCM_CTX *gctx_out = out->cipher_data; 1406 1407 if (gctx->gcm.key) { 1408 if (gctx->gcm.key != &gctx->ks) 1409 return 0; 1410 gctx_out->gcm.key = &gctx_out->ks; 1411 } 1412 1413 if (gctx->iv == c->iv) { 1414 gctx_out->iv = out->iv; 1415 } else { 1416 if ((gctx_out->iv = calloc(1, gctx->ivlen)) == NULL) 1417 return 0; 1418 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); 1419 } 1420 return 1; 1421 } 1422 1423 default: 1424 return -1; 1425 1426 } 1427 } 1428 1429 static ctr128_f 1430 aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx, 1431 const unsigned char *key, size_t key_len) 1432 { 1433 #ifdef BSAES_CAPABLE 1434 if (BSAES_CAPABLE) { 1435 AES_set_encrypt_key(key, key_len * 8, aes_key); 1436 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); 1437 return (ctr128_f)bsaes_ctr32_encrypt_blocks; 1438 } else 1439 #endif 1440 #ifdef VPAES_CAPABLE 1441 if (VPAES_CAPABLE) { 1442 vpaes_set_encrypt_key(key, key_len * 8, aes_key); 1443 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt); 1444 return NULL; 1445 } else 1446 #endif 1447 (void)0; /* terminate potentially open 'else' */ 1448 1449 AES_set_encrypt_key(key, key_len * 8, aes_key); 1450 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); 1451 #ifdef AES_CTR_ASM 1452 return (ctr128_f)AES_ctr32_encrypt; 1453 #else 1454 return NULL; 1455 #endif 1456 } 1457 1458 static int 1459 aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1460 const unsigned char *iv, int enc) 1461 { 1462 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1463 1464 if (!iv && !key) 1465 return 1; 1466 if (key) { 1467 gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, 1468 key, ctx->key_len); 1469 1470 /* If we have an iv can set it directly, otherwise use 1471 * saved IV. 1472 */ 1473 if (iv == NULL && gctx->iv_set) 1474 iv = gctx->iv; 1475 if (iv) { 1476 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 1477 gctx->iv_set = 1; 1478 } 1479 gctx->key_set = 1; 1480 } else { 1481 /* If key set use IV, otherwise copy */ 1482 if (gctx->key_set) 1483 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 1484 else 1485 memcpy(gctx->iv, iv, gctx->ivlen); 1486 gctx->iv_set = 1; 1487 gctx->iv_gen = 0; 1488 } 1489 return 1; 1490 } 1491 1492 /* Handle TLS GCM packet format. This consists of the last portion of the IV 1493 * followed by the payload and finally the tag. On encrypt generate IV, 1494 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload 1495 * and verify tag. 1496 */ 1497 1498 static int 1499 aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1500 const unsigned char *in, size_t len) 1501 { 1502 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1503 int rv = -1; 1504 1505 /* Encrypt/decrypt must be performed in place */ 1506 if (out != in || 1507 len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) 1508 return -1; 1509 1510 /* Set IV from start of buffer or generate IV and write to start 1511 * of buffer. 1512 */ 1513 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? 1514 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, 1515 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) 1516 goto err; 1517 1518 /* Use saved AAD */ 1519 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) 1520 goto err; 1521 1522 /* Fix buffer and length to point to payload */ 1523 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1524 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1525 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1526 if (ctx->encrypt) { 1527 /* Encrypt payload */ 1528 if (gctx->ctr) { 1529 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, 1530 len, gctx->ctr)) 1531 goto err; 1532 } else { 1533 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 1534 goto err; 1535 } 1536 out += len; 1537 1538 /* Finally write tag */ 1539 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); 1540 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1541 } else { 1542 /* Decrypt */ 1543 if (gctx->ctr) { 1544 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, 1545 len, gctx->ctr)) 1546 goto err; 1547 } else { 1548 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 1549 goto err; 1550 } 1551 /* Retrieve tag */ 1552 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN); 1553 1554 /* If tag mismatch wipe buffer */ 1555 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { 1556 explicit_bzero(out, len); 1557 goto err; 1558 } 1559 rv = len; 1560 } 1561 1562 err: 1563 gctx->iv_set = 0; 1564 gctx->tls_aad_len = -1; 1565 return rv; 1566 } 1567 1568 static int 1569 aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1570 const unsigned char *in, size_t len) 1571 { 1572 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1573 1574 /* If not set up, return error */ 1575 if (!gctx->key_set) 1576 return -1; 1577 1578 if (gctx->tls_aad_len >= 0) 1579 return aes_gcm_tls_cipher(ctx, out, in, len); 1580 1581 if (!gctx->iv_set) 1582 return -1; 1583 1584 if (in) { 1585 if (out == NULL) { 1586 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) 1587 return -1; 1588 } else if (ctx->encrypt) { 1589 if (gctx->ctr) { 1590 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 1591 in, out, len, gctx->ctr)) 1592 return -1; 1593 } else { 1594 if (CRYPTO_gcm128_encrypt(&gctx->gcm, 1595 in, out, len)) 1596 return -1; 1597 } 1598 } else { 1599 if (gctx->ctr) { 1600 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 1601 in, out, len, gctx->ctr)) 1602 return -1; 1603 } else { 1604 if (CRYPTO_gcm128_decrypt(&gctx->gcm, 1605 in, out, len)) 1606 return -1; 1607 } 1608 } 1609 return len; 1610 } else { 1611 if (!ctx->encrypt) { 1612 if (gctx->taglen < 0) 1613 return -1; 1614 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, 1615 gctx->taglen) != 0) 1616 return -1; 1617 gctx->iv_set = 0; 1618 return 0; 1619 } 1620 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); 1621 gctx->taglen = 16; 1622 1623 /* Don't reuse the IV */ 1624 gctx->iv_set = 0; 1625 return 0; 1626 } 1627 1628 } 1629 1630 #define CUSTOM_FLAGS \ 1631 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ 1632 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \ 1633 EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) 1634 1635 1636 #ifdef AESNI_CAPABLE 1637 static const EVP_CIPHER aesni_128_gcm = { 1638 .nid = NID_aes_128_gcm, 1639 .block_size = 1, 1640 .key_len = 16, 1641 .iv_len = 12, 1642 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1643 .init = aesni_gcm_init_key, 1644 .do_cipher = aes_gcm_cipher, 1645 .cleanup = aes_gcm_cleanup, 1646 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1647 .ctrl = aes_gcm_ctrl, 1648 }; 1649 #endif 1650 1651 static const EVP_CIPHER aes_128_gcm = { 1652 .nid = NID_aes_128_gcm, 1653 .block_size = 1, 1654 .key_len = 16, 1655 .iv_len = 12, 1656 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1657 .init = aes_gcm_init_key, 1658 .do_cipher = aes_gcm_cipher, 1659 .cleanup = aes_gcm_cleanup, 1660 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1661 .ctrl = aes_gcm_ctrl, 1662 }; 1663 1664 const EVP_CIPHER * 1665 EVP_aes_128_gcm(void) 1666 { 1667 #ifdef AESNI_CAPABLE 1668 return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm; 1669 #else 1670 return &aes_128_gcm; 1671 #endif 1672 } 1673 1674 #ifdef AESNI_CAPABLE 1675 static const EVP_CIPHER aesni_192_gcm = { 1676 .nid = NID_aes_192_gcm, 1677 .block_size = 1, 1678 .key_len = 24, 1679 .iv_len = 12, 1680 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1681 .init = aesni_gcm_init_key, 1682 .do_cipher = aes_gcm_cipher, 1683 .cleanup = aes_gcm_cleanup, 1684 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1685 .ctrl = aes_gcm_ctrl, 1686 }; 1687 #endif 1688 1689 static const EVP_CIPHER aes_192_gcm = { 1690 .nid = NID_aes_192_gcm, 1691 .block_size = 1, 1692 .key_len = 24, 1693 .iv_len = 12, 1694 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1695 .init = aes_gcm_init_key, 1696 .do_cipher = aes_gcm_cipher, 1697 .cleanup = aes_gcm_cleanup, 1698 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1699 .ctrl = aes_gcm_ctrl, 1700 }; 1701 1702 const EVP_CIPHER * 1703 EVP_aes_192_gcm(void) 1704 { 1705 #ifdef AESNI_CAPABLE 1706 return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm; 1707 #else 1708 return &aes_192_gcm; 1709 #endif 1710 } 1711 1712 #ifdef AESNI_CAPABLE 1713 static const EVP_CIPHER aesni_256_gcm = { 1714 .nid = NID_aes_256_gcm, 1715 .block_size = 1, 1716 .key_len = 32, 1717 .iv_len = 12, 1718 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1719 .init = aesni_gcm_init_key, 1720 .do_cipher = aes_gcm_cipher, 1721 .cleanup = aes_gcm_cleanup, 1722 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1723 .ctrl = aes_gcm_ctrl, 1724 }; 1725 #endif 1726 1727 static const EVP_CIPHER aes_256_gcm = { 1728 .nid = NID_aes_256_gcm, 1729 .block_size = 1, 1730 .key_len = 32, 1731 .iv_len = 12, 1732 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1733 .init = aes_gcm_init_key, 1734 .do_cipher = aes_gcm_cipher, 1735 .cleanup = aes_gcm_cleanup, 1736 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1737 .ctrl = aes_gcm_ctrl, 1738 }; 1739 1740 const EVP_CIPHER * 1741 EVP_aes_256_gcm(void) 1742 { 1743 #ifdef AESNI_CAPABLE 1744 return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm; 1745 #else 1746 return &aes_256_gcm; 1747 #endif 1748 } 1749 1750 static int 1751 aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1752 { 1753 EVP_AES_XTS_CTX *xctx = c->cipher_data; 1754 1755 switch (type) { 1756 case EVP_CTRL_INIT: 1757 /* 1758 * key1 and key2 are used as an indicator both key and IV 1759 * are set 1760 */ 1761 xctx->xts.key1 = NULL; 1762 xctx->xts.key2 = NULL; 1763 return 1; 1764 1765 case EVP_CTRL_COPY: 1766 { 1767 EVP_CIPHER_CTX *out = ptr; 1768 EVP_AES_XTS_CTX *xctx_out = out->cipher_data; 1769 1770 if (xctx->xts.key1) { 1771 if (xctx->xts.key1 != &xctx->ks1) 1772 return 0; 1773 xctx_out->xts.key1 = &xctx_out->ks1; 1774 } 1775 if (xctx->xts.key2) { 1776 if (xctx->xts.key2 != &xctx->ks2) 1777 return 0; 1778 xctx_out->xts.key2 = &xctx_out->ks2; 1779 } 1780 return 1; 1781 } 1782 } 1783 return -1; 1784 } 1785 1786 static int 1787 aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1788 const unsigned char *iv, int enc) 1789 { 1790 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1791 1792 if (!iv && !key) 1793 return 1; 1794 1795 if (key) do { 1796 #ifdef AES_XTS_ASM 1797 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; 1798 #else 1799 xctx->stream = NULL; 1800 #endif 1801 /* key_len is two AES keys */ 1802 #ifdef BSAES_CAPABLE 1803 if (BSAES_CAPABLE) 1804 xctx->stream = enc ? bsaes_xts_encrypt : 1805 bsaes_xts_decrypt; 1806 else 1807 #endif 1808 #ifdef VPAES_CAPABLE 1809 if (VPAES_CAPABLE) { 1810 if (enc) { 1811 vpaes_set_encrypt_key(key, ctx->key_len * 4, 1812 &xctx->ks1); 1813 xctx->xts.block1 = (block128_f)vpaes_encrypt; 1814 } else { 1815 vpaes_set_decrypt_key(key, ctx->key_len * 4, 1816 &xctx->ks1); 1817 xctx->xts.block1 = (block128_f)vpaes_decrypt; 1818 } 1819 1820 vpaes_set_encrypt_key(key + ctx->key_len / 2, 1821 ctx->key_len * 4, &xctx->ks2); 1822 xctx->xts.block2 = (block128_f)vpaes_encrypt; 1823 1824 xctx->xts.key1 = &xctx->ks1; 1825 break; 1826 } else 1827 #endif 1828 (void)0; /* terminate potentially open 'else' */ 1829 1830 if (enc) { 1831 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1832 xctx->xts.block1 = (block128_f)AES_encrypt; 1833 } else { 1834 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1835 xctx->xts.block1 = (block128_f)AES_decrypt; 1836 } 1837 1838 AES_set_encrypt_key(key + ctx->key_len / 2, 1839 ctx->key_len * 4, &xctx->ks2); 1840 xctx->xts.block2 = (block128_f)AES_encrypt; 1841 1842 xctx->xts.key1 = &xctx->ks1; 1843 } while (0); 1844 1845 if (iv) { 1846 xctx->xts.key2 = &xctx->ks2; 1847 memcpy(ctx->iv, iv, 16); 1848 } 1849 1850 return 1; 1851 } 1852 1853 static int 1854 aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1855 const unsigned char *in, size_t len) 1856 { 1857 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1858 1859 if (!xctx->xts.key1 || !xctx->xts.key2) 1860 return 0; 1861 if (!out || !in || len < AES_BLOCK_SIZE) 1862 return 0; 1863 1864 if (xctx->stream) 1865 (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2, 1866 ctx->iv); 1867 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, 1868 ctx->encrypt)) 1869 return 0; 1870 return 1; 1871 } 1872 1873 #define XTS_FLAGS \ 1874 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ 1875 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) 1876 1877 1878 #ifdef AESNI_CAPABLE 1879 static const EVP_CIPHER aesni_128_xts = { 1880 .nid = NID_aes_128_xts, 1881 .block_size = 1, 1882 .key_len = 2 * 16, 1883 .iv_len = 16, 1884 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1885 .init = aesni_xts_init_key, 1886 .do_cipher = aes_xts_cipher, 1887 .cleanup = NULL, 1888 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1889 .ctrl = aes_xts_ctrl, 1890 }; 1891 #endif 1892 1893 static const EVP_CIPHER aes_128_xts = { 1894 .nid = NID_aes_128_xts, 1895 .block_size = 1, 1896 .key_len = 2 * 16, 1897 .iv_len = 16, 1898 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1899 .init = aes_xts_init_key, 1900 .do_cipher = aes_xts_cipher, 1901 .cleanup = NULL, 1902 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1903 .ctrl = aes_xts_ctrl, 1904 }; 1905 1906 const EVP_CIPHER * 1907 EVP_aes_128_xts(void) 1908 { 1909 #ifdef AESNI_CAPABLE 1910 return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts; 1911 #else 1912 return &aes_128_xts; 1913 #endif 1914 } 1915 1916 #ifdef AESNI_CAPABLE 1917 static const EVP_CIPHER aesni_256_xts = { 1918 .nid = NID_aes_256_xts, 1919 .block_size = 1, 1920 .key_len = 2 * 32, 1921 .iv_len = 16, 1922 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1923 .init = aesni_xts_init_key, 1924 .do_cipher = aes_xts_cipher, 1925 .cleanup = NULL, 1926 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1927 .ctrl = aes_xts_ctrl, 1928 }; 1929 #endif 1930 1931 static const EVP_CIPHER aes_256_xts = { 1932 .nid = NID_aes_256_xts, 1933 .block_size = 1, 1934 .key_len = 2 * 32, 1935 .iv_len = 16, 1936 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1937 .init = aes_xts_init_key, 1938 .do_cipher = aes_xts_cipher, 1939 .cleanup = NULL, 1940 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1941 .ctrl = aes_xts_ctrl, 1942 }; 1943 1944 const EVP_CIPHER * 1945 EVP_aes_256_xts(void) 1946 { 1947 #ifdef AESNI_CAPABLE 1948 return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts; 1949 #else 1950 return &aes_256_xts; 1951 #endif 1952 } 1953 1954 static int 1955 aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1956 { 1957 EVP_AES_CCM_CTX *cctx = c->cipher_data; 1958 1959 switch (type) { 1960 case EVP_CTRL_INIT: 1961 cctx->key_set = 0; 1962 cctx->iv_set = 0; 1963 cctx->L = 8; 1964 cctx->M = 12; 1965 cctx->tag_set = 0; 1966 cctx->len_set = 0; 1967 return 1; 1968 1969 case EVP_CTRL_CCM_SET_IVLEN: 1970 arg = 15 - arg; 1971 1972 case EVP_CTRL_CCM_SET_L: 1973 if (arg < 2 || arg > 8) 1974 return 0; 1975 cctx->L = arg; 1976 return 1; 1977 1978 case EVP_CTRL_CCM_SET_TAG: 1979 if ((arg & 1) || arg < 4 || arg > 16) 1980 return 0; 1981 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) 1982 return 0; 1983 if (ptr) { 1984 cctx->tag_set = 1; 1985 memcpy(c->buf, ptr, arg); 1986 } 1987 cctx->M = arg; 1988 return 1; 1989 1990 case EVP_CTRL_CCM_GET_TAG: 1991 if (!c->encrypt || !cctx->tag_set) 1992 return 0; 1993 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) 1994 return 0; 1995 cctx->tag_set = 0; 1996 cctx->iv_set = 0; 1997 cctx->len_set = 0; 1998 return 1; 1999 2000 case EVP_CTRL_COPY: 2001 { 2002 EVP_CIPHER_CTX *out = ptr; 2003 EVP_AES_CCM_CTX *cctx_out = out->cipher_data; 2004 2005 if (cctx->ccm.key) { 2006 if (cctx->ccm.key != &cctx->ks) 2007 return 0; 2008 cctx_out->ccm.key = &cctx_out->ks; 2009 } 2010 return 1; 2011 } 2012 2013 default: 2014 return -1; 2015 } 2016 } 2017 2018 static int 2019 aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 2020 const unsigned char *iv, int enc) 2021 { 2022 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 2023 2024 if (!iv && !key) 2025 return 1; 2026 if (key) do { 2027 #ifdef VPAES_CAPABLE 2028 if (VPAES_CAPABLE) { 2029 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); 2030 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 2031 &cctx->ks, (block128_f)vpaes_encrypt); 2032 cctx->str = NULL; 2033 cctx->key_set = 1; 2034 break; 2035 } 2036 #endif 2037 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 2038 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 2039 &cctx->ks, (block128_f)AES_encrypt); 2040 cctx->str = NULL; 2041 cctx->key_set = 1; 2042 } while (0); 2043 if (iv) { 2044 memcpy(ctx->iv, iv, 15 - cctx->L); 2045 cctx->iv_set = 1; 2046 } 2047 return 1; 2048 } 2049 2050 static int 2051 aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 2052 const unsigned char *in, size_t len) 2053 { 2054 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 2055 CCM128_CONTEXT *ccm = &cctx->ccm; 2056 2057 /* If not set up, return error */ 2058 if (!cctx->iv_set && !cctx->key_set) 2059 return -1; 2060 if (!ctx->encrypt && !cctx->tag_set) 2061 return -1; 2062 2063 if (!out) { 2064 if (!in) { 2065 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, 2066 len)) 2067 return -1; 2068 cctx->len_set = 1; 2069 return len; 2070 } 2071 /* If have AAD need message length */ 2072 if (!cctx->len_set && len) 2073 return -1; 2074 CRYPTO_ccm128_aad(ccm, in, len); 2075 return len; 2076 } 2077 /* EVP_*Final() doesn't return any data */ 2078 if (!in) 2079 return 0; 2080 /* If not set length yet do it */ 2081 if (!cctx->len_set) { 2082 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 2083 return -1; 2084 cctx->len_set = 1; 2085 } 2086 if (ctx->encrypt) { 2087 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, 2088 cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len)) 2089 return -1; 2090 cctx->tag_set = 1; 2091 return len; 2092 } else { 2093 int rv = -1; 2094 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, 2095 cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { 2096 unsigned char tag[16]; 2097 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { 2098 if (!memcmp(tag, ctx->buf, cctx->M)) 2099 rv = len; 2100 } 2101 } 2102 if (rv == -1) 2103 explicit_bzero(out, len); 2104 cctx->iv_set = 0; 2105 cctx->tag_set = 0; 2106 cctx->len_set = 0; 2107 return rv; 2108 } 2109 2110 } 2111 2112 #ifdef AESNI_CAPABLE 2113 static const EVP_CIPHER aesni_128_ccm = { 2114 .nid = NID_aes_128_ccm, 2115 .block_size = 1, 2116 .key_len = 16, 2117 .iv_len = 12, 2118 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2119 .init = aesni_ccm_init_key, 2120 .do_cipher = aes_ccm_cipher, 2121 .cleanup = NULL, 2122 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2123 .ctrl = aes_ccm_ctrl, 2124 }; 2125 #endif 2126 2127 static const EVP_CIPHER aes_128_ccm = { 2128 .nid = NID_aes_128_ccm, 2129 .block_size = 1, 2130 .key_len = 16, 2131 .iv_len = 12, 2132 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2133 .init = aes_ccm_init_key, 2134 .do_cipher = aes_ccm_cipher, 2135 .cleanup = NULL, 2136 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2137 .ctrl = aes_ccm_ctrl, 2138 }; 2139 2140 const EVP_CIPHER * 2141 EVP_aes_128_ccm(void) 2142 { 2143 #ifdef AESNI_CAPABLE 2144 return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm; 2145 #else 2146 return &aes_128_ccm; 2147 #endif 2148 } 2149 2150 #ifdef AESNI_CAPABLE 2151 static const EVP_CIPHER aesni_192_ccm = { 2152 .nid = NID_aes_192_ccm, 2153 .block_size = 1, 2154 .key_len = 24, 2155 .iv_len = 12, 2156 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2157 .init = aesni_ccm_init_key, 2158 .do_cipher = aes_ccm_cipher, 2159 .cleanup = NULL, 2160 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2161 .ctrl = aes_ccm_ctrl, 2162 }; 2163 #endif 2164 2165 static const EVP_CIPHER aes_192_ccm = { 2166 .nid = NID_aes_192_ccm, 2167 .block_size = 1, 2168 .key_len = 24, 2169 .iv_len = 12, 2170 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2171 .init = aes_ccm_init_key, 2172 .do_cipher = aes_ccm_cipher, 2173 .cleanup = NULL, 2174 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2175 .ctrl = aes_ccm_ctrl, 2176 }; 2177 2178 const EVP_CIPHER * 2179 EVP_aes_192_ccm(void) 2180 { 2181 #ifdef AESNI_CAPABLE 2182 return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm; 2183 #else 2184 return &aes_192_ccm; 2185 #endif 2186 } 2187 2188 #ifdef AESNI_CAPABLE 2189 static const EVP_CIPHER aesni_256_ccm = { 2190 .nid = NID_aes_256_ccm, 2191 .block_size = 1, 2192 .key_len = 32, 2193 .iv_len = 12, 2194 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2195 .init = aesni_ccm_init_key, 2196 .do_cipher = aes_ccm_cipher, 2197 .cleanup = NULL, 2198 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2199 .ctrl = aes_ccm_ctrl, 2200 }; 2201 #endif 2202 2203 static const EVP_CIPHER aes_256_ccm = { 2204 .nid = NID_aes_256_ccm, 2205 .block_size = 1, 2206 .key_len = 32, 2207 .iv_len = 12, 2208 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2209 .init = aes_ccm_init_key, 2210 .do_cipher = aes_ccm_cipher, 2211 .cleanup = NULL, 2212 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2213 .ctrl = aes_ccm_ctrl, 2214 }; 2215 2216 const EVP_CIPHER * 2217 EVP_aes_256_ccm(void) 2218 { 2219 #ifdef AESNI_CAPABLE 2220 return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm; 2221 #else 2222 return &aes_256_ccm; 2223 #endif 2224 } 2225 2226 #define EVP_AEAD_AES_GCM_TAG_LEN 16 2227 2228 struct aead_aes_gcm_ctx { 2229 union { 2230 double align; 2231 AES_KEY ks; 2232 } ks; 2233 GCM128_CONTEXT gcm; 2234 ctr128_f ctr; 2235 unsigned char tag_len; 2236 }; 2237 2238 static int 2239 aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len, 2240 size_t tag_len) 2241 { 2242 struct aead_aes_gcm_ctx *gcm_ctx; 2243 const size_t key_bits = key_len * 8; 2244 2245 /* EVP_AEAD_CTX_init should catch this. */ 2246 if (key_bits != 128 && key_bits != 256) { 2247 EVPerror(EVP_R_BAD_KEY_LENGTH); 2248 return 0; 2249 } 2250 2251 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) 2252 tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 2253 2254 if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { 2255 EVPerror(EVP_R_TAG_TOO_LARGE); 2256 return 0; 2257 } 2258 2259 if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL) 2260 return 0; 2261 2262 #ifdef AESNI_CAPABLE 2263 if (AESNI_CAPABLE) { 2264 aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks); 2265 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, 2266 (block128_f)aesni_encrypt); 2267 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; 2268 } else 2269 #endif 2270 { 2271 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, 2272 key, key_len); 2273 } 2274 gcm_ctx->tag_len = tag_len; 2275 ctx->aead_state = gcm_ctx; 2276 2277 return 1; 2278 } 2279 2280 static void 2281 aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) 2282 { 2283 struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2284 2285 freezero(gcm_ctx, sizeof(*gcm_ctx)); 2286 } 2287 2288 static int 2289 aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, 2290 size_t max_out_len, const unsigned char *nonce, size_t nonce_len, 2291 const unsigned char *in, size_t in_len, const unsigned char *ad, 2292 size_t ad_len) 2293 { 2294 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2295 GCM128_CONTEXT gcm; 2296 size_t bulk = 0; 2297 2298 if (max_out_len < in_len + gcm_ctx->tag_len) { 2299 EVPerror(EVP_R_BUFFER_TOO_SMALL); 2300 return 0; 2301 } 2302 2303 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); 2304 2305 if (nonce_len == 0) { 2306 EVPerror(EVP_R_INVALID_IV_LENGTH); 2307 return 0; 2308 } 2309 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); 2310 2311 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) 2312 return 0; 2313 2314 if (gcm_ctx->ctr) { 2315 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk, 2316 in_len - bulk, gcm_ctx->ctr)) 2317 return 0; 2318 } else { 2319 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk, 2320 in_len - bulk)) 2321 return 0; 2322 } 2323 2324 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len); 2325 *out_len = in_len + gcm_ctx->tag_len; 2326 2327 return 1; 2328 } 2329 2330 static int 2331 aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, 2332 size_t max_out_len, const unsigned char *nonce, size_t nonce_len, 2333 const unsigned char *in, size_t in_len, const unsigned char *ad, 2334 size_t ad_len) 2335 { 2336 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2337 unsigned char tag[EVP_AEAD_AES_GCM_TAG_LEN]; 2338 GCM128_CONTEXT gcm; 2339 size_t plaintext_len; 2340 size_t bulk = 0; 2341 2342 if (in_len < gcm_ctx->tag_len) { 2343 EVPerror(EVP_R_BAD_DECRYPT); 2344 return 0; 2345 } 2346 2347 plaintext_len = in_len - gcm_ctx->tag_len; 2348 2349 if (max_out_len < plaintext_len) { 2350 EVPerror(EVP_R_BUFFER_TOO_SMALL); 2351 return 0; 2352 } 2353 2354 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); 2355 2356 if (nonce_len == 0) { 2357 EVPerror(EVP_R_INVALID_IV_LENGTH); 2358 return 0; 2359 } 2360 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); 2361 2362 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) 2363 return 0; 2364 2365 if (gcm_ctx->ctr) { 2366 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk, 2367 in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr)) 2368 return 0; 2369 } else { 2370 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk, 2371 in_len - bulk - gcm_ctx->tag_len)) 2372 return 0; 2373 } 2374 2375 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); 2376 if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) { 2377 EVPerror(EVP_R_BAD_DECRYPT); 2378 return 0; 2379 } 2380 2381 *out_len = plaintext_len; 2382 2383 return 1; 2384 } 2385 2386 static const EVP_AEAD aead_aes_128_gcm = { 2387 .key_len = 16, 2388 .nonce_len = 12, 2389 .overhead = EVP_AEAD_AES_GCM_TAG_LEN, 2390 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, 2391 2392 .init = aead_aes_gcm_init, 2393 .cleanup = aead_aes_gcm_cleanup, 2394 .seal = aead_aes_gcm_seal, 2395 .open = aead_aes_gcm_open, 2396 }; 2397 2398 static const EVP_AEAD aead_aes_256_gcm = { 2399 .key_len = 32, 2400 .nonce_len = 12, 2401 .overhead = EVP_AEAD_AES_GCM_TAG_LEN, 2402 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, 2403 2404 .init = aead_aes_gcm_init, 2405 .cleanup = aead_aes_gcm_cleanup, 2406 .seal = aead_aes_gcm_seal, 2407 .open = aead_aes_gcm_open, 2408 }; 2409 2410 const EVP_AEAD * 2411 EVP_aead_aes_128_gcm(void) 2412 { 2413 return &aead_aes_128_gcm; 2414 } 2415 2416 const EVP_AEAD * 2417 EVP_aead_aes_256_gcm(void) 2418 { 2419 return &aead_aes_256_gcm; 2420 } 2421 2422 typedef struct { 2423 union { 2424 double align; 2425 AES_KEY ks; 2426 } ks; 2427 unsigned char *iv; 2428 } EVP_AES_WRAP_CTX; 2429 2430 static int 2431 aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 2432 const unsigned char *iv, int enc) 2433 { 2434 EVP_AES_WRAP_CTX *wctx = (EVP_AES_WRAP_CTX *)ctx->cipher_data; 2435 2436 if (iv == NULL && key == NULL) 2437 return 1; 2438 2439 if (key != NULL) { 2440 if (ctx->encrypt) 2441 AES_set_encrypt_key(key, 8 * ctx->key_len, 2442 &wctx->ks.ks); 2443 else 2444 AES_set_decrypt_key(key, 8 * ctx->key_len, 2445 &wctx->ks.ks); 2446 2447 if (iv == NULL) 2448 wctx->iv = NULL; 2449 } 2450 2451 if (iv != NULL) { 2452 memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx)); 2453 wctx->iv = ctx->iv; 2454 } 2455 2456 return 1; 2457 } 2458 2459 static int 2460 aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 2461 const unsigned char *in, size_t inlen) 2462 { 2463 EVP_AES_WRAP_CTX *wctx = ctx->cipher_data; 2464 int ret; 2465 2466 if (in == NULL) 2467 return 0; 2468 2469 if (inlen % 8 != 0) 2470 return -1; 2471 if (ctx->encrypt && inlen < 8) 2472 return -1; 2473 if (!ctx->encrypt && inlen < 16) 2474 return -1; 2475 if (inlen > INT_MAX) 2476 return -1; 2477 2478 if (out == NULL) { 2479 if (ctx->encrypt) 2480 return inlen + 8; 2481 else 2482 return inlen - 8; 2483 } 2484 2485 if (ctx->encrypt) 2486 ret = AES_wrap_key(&wctx->ks.ks, wctx->iv, out, in, 2487 (unsigned int)inlen); 2488 else 2489 ret = AES_unwrap_key(&wctx->ks.ks, wctx->iv, out, in, 2490 (unsigned int)inlen); 2491 2492 return ret != 0 ? ret : -1; 2493 } 2494 2495 static int 2496 aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 2497 { 2498 EVP_AES_WRAP_CTX *wctx = c->cipher_data; 2499 2500 switch (type) { 2501 case EVP_CTRL_COPY: 2502 { 2503 EVP_CIPHER_CTX *out = ptr; 2504 EVP_AES_WRAP_CTX *wctx_out = out->cipher_data; 2505 2506 if (wctx->iv != NULL) { 2507 if (c->iv != wctx->iv) 2508 return 0; 2509 2510 wctx_out->iv = out->iv; 2511 } 2512 2513 return 1; 2514 } 2515 } 2516 2517 return -1; 2518 } 2519 2520 #define WRAP_FLAGS \ 2521 ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \ 2522 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \ 2523 EVP_CIPH_CUSTOM_COPY ) 2524 2525 static const EVP_CIPHER aes_128_wrap = { 2526 .nid = NID_id_aes128_wrap, 2527 .block_size = 8, 2528 .key_len = 16, 2529 .iv_len = 8, 2530 .flags = WRAP_FLAGS, 2531 .init = aes_wrap_init_key, 2532 .do_cipher = aes_wrap_cipher, 2533 .cleanup = NULL, 2534 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2535 .set_asn1_parameters = NULL, 2536 .get_asn1_parameters = NULL, 2537 .ctrl = aes_wrap_ctrl, 2538 .app_data = NULL, 2539 }; 2540 2541 const EVP_CIPHER * 2542 EVP_aes_128_wrap(void) 2543 { 2544 return &aes_128_wrap; 2545 } 2546 2547 static const EVP_CIPHER aes_192_wrap = { 2548 .nid = NID_id_aes192_wrap, 2549 .block_size = 8, 2550 .key_len = 24, 2551 .iv_len = 8, 2552 .flags = WRAP_FLAGS, 2553 .init = aes_wrap_init_key, 2554 .do_cipher = aes_wrap_cipher, 2555 .cleanup = NULL, 2556 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2557 .set_asn1_parameters = NULL, 2558 .get_asn1_parameters = NULL, 2559 .ctrl = aes_wrap_ctrl, 2560 .app_data = NULL, 2561 }; 2562 2563 const EVP_CIPHER * 2564 EVP_aes_192_wrap(void) 2565 { 2566 return &aes_192_wrap; 2567 } 2568 2569 static const EVP_CIPHER aes_256_wrap = { 2570 .nid = NID_id_aes256_wrap, 2571 .block_size = 8, 2572 .key_len = 32, 2573 .iv_len = 8, 2574 .flags = WRAP_FLAGS, 2575 .init = aes_wrap_init_key, 2576 .do_cipher = aes_wrap_cipher, 2577 .cleanup = NULL, 2578 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2579 .set_asn1_parameters = NULL, 2580 .get_asn1_parameters = NULL, 2581 .ctrl = aes_wrap_ctrl, 2582 .app_data = NULL, 2583 }; 2584 2585 const EVP_CIPHER * 2586 EVP_aes_256_wrap(void) 2587 { 2588 return &aes_256_wrap; 2589 } 2590 2591 #endif 2592