1 /* $OpenBSD: e_aes.c,v 1.56 2024/01/04 17:38:36 tb Exp $ */ 2 /* ==================================================================== 3 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core@openssl.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 */ 51 52 #include <limits.h> 53 #include <stdlib.h> 54 #include <string.h> 55 56 #include <openssl/opensslconf.h> 57 58 #ifndef OPENSSL_NO_AES 59 #include <openssl/aes.h> 60 #include <openssl/err.h> 61 #include <openssl/evp.h> 62 63 #include "evp_local.h" 64 #include "modes_local.h" 65 66 typedef struct { 67 AES_KEY ks; 68 block128_f block; 69 union { 70 cbc128_f cbc; 71 ctr128_f ctr; 72 } stream; 73 } EVP_AES_KEY; 74 75 typedef struct { 76 AES_KEY ks; /* AES key schedule to use */ 77 int key_set; /* Set if key initialised */ 78 int iv_set; /* Set if an iv is set */ 79 GCM128_CONTEXT gcm; 80 unsigned char *iv; /* Temporary IV store */ 81 int ivlen; /* IV length */ 82 int taglen; 83 int iv_gen; /* It is OK to generate IVs */ 84 int tls_aad_len; /* TLS AAD length */ 85 ctr128_f ctr; 86 } EVP_AES_GCM_CTX; 87 88 typedef struct { 89 AES_KEY ks1, ks2; /* AES key schedules to use */ 90 XTS128_CONTEXT xts; 91 void (*stream)(const unsigned char *in, unsigned char *out, 92 size_t length, const AES_KEY *key1, const AES_KEY *key2, 93 const unsigned char iv[16]); 94 } EVP_AES_XTS_CTX; 95 96 typedef struct { 97 AES_KEY ks; /* AES key schedule to use */ 98 int key_set; /* Set if key initialised */ 99 int iv_set; /* Set if an iv is set */ 100 int tag_set; /* Set if tag is valid */ 101 int len_set; /* Set if message length set */ 102 int L, M; /* L and M parameters from RFC3610 */ 103 CCM128_CONTEXT ccm; 104 ccm128_f str; 105 } EVP_AES_CCM_CTX; 106 107 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) 108 109 #ifdef VPAES_ASM 110 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, 111 AES_KEY *key); 112 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, 113 AES_KEY *key); 114 115 void vpaes_encrypt(const unsigned char *in, unsigned char *out, 116 const AES_KEY *key); 117 void vpaes_decrypt(const unsigned char *in, unsigned char *out, 118 const AES_KEY *key); 119 120 void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 121 size_t length, const AES_KEY *key, unsigned char *ivec, int enc); 122 #endif 123 #ifdef BSAES_ASM 124 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 125 size_t length, const AES_KEY *key, unsigned char ivec[16], int enc); 126 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 127 size_t len, const AES_KEY *key, const unsigned char ivec[16]); 128 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, 129 size_t len, const AES_KEY *key1, const AES_KEY *key2, 130 const unsigned char iv[16]); 131 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, 132 size_t len, const AES_KEY *key1, const AES_KEY *key2, 133 const unsigned char iv[16]); 134 #endif 135 #ifdef AES_CTR_ASM 136 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 137 size_t blocks, const AES_KEY *key, 138 const unsigned char ivec[AES_BLOCK_SIZE]); 139 #endif 140 #ifdef AES_XTS_ASM 141 void AES_xts_encrypt(const char *inp, char *out, size_t len, 142 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); 143 void AES_xts_decrypt(const char *inp, char *out, size_t len, 144 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); 145 #endif 146 147 #if defined(AES_ASM) && ( \ 148 ((defined(__i386) || defined(__i386__) || \ 149 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ 150 defined(__x86_64) || defined(__x86_64__) || \ 151 defined(_M_AMD64) || defined(_M_X64) || \ 152 defined(__INTEL__) ) 153 154 #include "x86_arch.h" 155 156 #ifdef VPAES_ASM 157 #define VPAES_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_SSSE3) 158 #endif 159 #ifdef BSAES_ASM 160 #define BSAES_CAPABLE VPAES_CAPABLE 161 #endif 162 /* 163 * AES-NI section 164 */ 165 #define AESNI_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI) 166 167 int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 168 AES_KEY *key); 169 int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 170 AES_KEY *key); 171 172 void aesni_encrypt(const unsigned char *in, unsigned char *out, 173 const AES_KEY *key); 174 void aesni_decrypt(const unsigned char *in, unsigned char *out, 175 const AES_KEY *key); 176 177 void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out, 178 size_t length, const AES_KEY *key, int enc); 179 void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out, 180 size_t length, const AES_KEY *key, unsigned char *ivec, int enc); 181 182 void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 183 size_t blocks, const void *key, const unsigned char *ivec); 184 185 void aesni_xts_encrypt(const unsigned char *in, unsigned char *out, 186 size_t length, const AES_KEY *key1, const AES_KEY *key2, 187 const unsigned char iv[16]); 188 189 void aesni_xts_decrypt(const unsigned char *in, unsigned char *out, 190 size_t length, const AES_KEY *key1, const AES_KEY *key2, 191 const unsigned char iv[16]); 192 193 void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out, 194 size_t blocks, const void *key, const unsigned char ivec[16], 195 unsigned char cmac[16]); 196 197 void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out, 198 size_t blocks, const void *key, const unsigned char ivec[16], 199 unsigned char cmac[16]); 200 201 static int 202 aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 203 const unsigned char *iv, int enc) 204 { 205 int ret, mode; 206 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 207 208 mode = ctx->cipher->flags & EVP_CIPH_MODE; 209 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && 210 !enc) { 211 ret = aesni_set_decrypt_key(key, ctx->key_len * 8, 212 ctx->cipher_data); 213 dat->block = (block128_f)aesni_decrypt; 214 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 215 (cbc128_f)aesni_cbc_encrypt : NULL; 216 } else { 217 ret = aesni_set_encrypt_key(key, ctx->key_len * 8, 218 ctx->cipher_data); 219 dat->block = (block128_f)aesni_encrypt; 220 if (mode == EVP_CIPH_CBC_MODE) 221 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; 222 else if (mode == EVP_CIPH_CTR_MODE) 223 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 224 else 225 dat->stream.cbc = NULL; 226 } 227 228 if (ret < 0) { 229 EVPerror(EVP_R_AES_KEY_SETUP_FAILED); 230 return 0; 231 } 232 233 return 1; 234 } 235 236 static int 237 aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 238 const unsigned char *in, size_t len) 239 { 240 aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, 241 ctx->encrypt); 242 243 return 1; 244 } 245 246 static int 247 aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 248 const unsigned char *in, size_t len) 249 { 250 size_t bl = ctx->cipher->block_size; 251 252 if (len < bl) 253 return 1; 254 255 aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt); 256 257 return 1; 258 } 259 260 static int 261 aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 262 const unsigned char *iv, int enc) 263 { 264 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 265 266 if (!iv && !key) 267 return 1; 268 if (key) { 269 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 270 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 271 (block128_f)aesni_encrypt); 272 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 273 /* If we have an iv can set it directly, otherwise use 274 * saved IV. 275 */ 276 if (iv == NULL && gctx->iv_set) 277 iv = gctx->iv; 278 if (iv) { 279 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 280 gctx->iv_set = 1; 281 } 282 gctx->key_set = 1; 283 } else { 284 /* If key set use IV, otherwise copy */ 285 if (gctx->key_set) 286 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 287 else 288 memcpy(gctx->iv, iv, gctx->ivlen); 289 gctx->iv_set = 1; 290 gctx->iv_gen = 0; 291 } 292 return 1; 293 } 294 295 static int 296 aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 297 const unsigned char *iv, int enc) 298 { 299 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 300 301 if (!iv && !key) 302 return 1; 303 304 if (key) { 305 /* key_len is two AES keys */ 306 if (enc) { 307 aesni_set_encrypt_key(key, ctx->key_len * 4, 308 &xctx->ks1); 309 xctx->xts.block1 = (block128_f)aesni_encrypt; 310 xctx->stream = aesni_xts_encrypt; 311 } else { 312 aesni_set_decrypt_key(key, ctx->key_len * 4, 313 &xctx->ks1); 314 xctx->xts.block1 = (block128_f)aesni_decrypt; 315 xctx->stream = aesni_xts_decrypt; 316 } 317 318 aesni_set_encrypt_key(key + ctx->key_len / 2, 319 ctx->key_len * 4, &xctx->ks2); 320 xctx->xts.block2 = (block128_f)aesni_encrypt; 321 322 xctx->xts.key1 = &xctx->ks1; 323 } 324 325 if (iv) { 326 xctx->xts.key2 = &xctx->ks2; 327 memcpy(ctx->iv, iv, 16); 328 } 329 330 return 1; 331 } 332 333 static int 334 aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 335 const unsigned char *iv, int enc) 336 { 337 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 338 339 if (!iv && !key) 340 return 1; 341 if (key) { 342 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 343 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 344 &cctx->ks, (block128_f)aesni_encrypt); 345 cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks : 346 (ccm128_f)aesni_ccm64_decrypt_blocks; 347 cctx->key_set = 1; 348 } 349 if (iv) { 350 memcpy(ctx->iv, iv, 15 - cctx->L); 351 cctx->iv_set = 1; 352 } 353 return 1; 354 } 355 356 #endif 357 358 static int 359 aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 360 const unsigned char *iv, int enc) 361 { 362 int ret, mode; 363 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 364 365 mode = ctx->cipher->flags & EVP_CIPH_MODE; 366 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && 367 !enc) 368 #ifdef BSAES_CAPABLE 369 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) { 370 ret = AES_set_decrypt_key(key, ctx->key_len * 8, 371 &dat->ks); 372 dat->block = (block128_f)AES_decrypt; 373 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; 374 } else 375 #endif 376 #ifdef VPAES_CAPABLE 377 if (VPAES_CAPABLE) { 378 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, 379 &dat->ks); 380 dat->block = (block128_f)vpaes_decrypt; 381 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 382 (cbc128_f)vpaes_cbc_encrypt : NULL; 383 } else 384 #endif 385 { 386 ret = AES_set_decrypt_key(key, ctx->key_len * 8, 387 &dat->ks); 388 dat->block = (block128_f)AES_decrypt; 389 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 390 (cbc128_f)AES_cbc_encrypt : NULL; 391 } else 392 #ifdef BSAES_CAPABLE 393 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) { 394 ret = AES_set_encrypt_key(key, ctx->key_len * 8, 395 &dat->ks); 396 dat->block = (block128_f)AES_encrypt; 397 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 398 } else 399 #endif 400 #ifdef VPAES_CAPABLE 401 if (VPAES_CAPABLE) { 402 ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, 403 &dat->ks); 404 dat->block = (block128_f)vpaes_encrypt; 405 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 406 (cbc128_f)vpaes_cbc_encrypt : NULL; 407 } else 408 #endif 409 { 410 ret = AES_set_encrypt_key(key, ctx->key_len * 8, 411 &dat->ks); 412 dat->block = (block128_f)AES_encrypt; 413 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 414 (cbc128_f)AES_cbc_encrypt : NULL; 415 #ifdef AES_CTR_ASM 416 if (mode == EVP_CIPH_CTR_MODE) 417 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; 418 #endif 419 } 420 421 if (ret < 0) { 422 EVPerror(EVP_R_AES_KEY_SETUP_FAILED); 423 return 0; 424 } 425 426 return 1; 427 } 428 429 static int 430 aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 431 const unsigned char *in, size_t len) 432 { 433 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 434 435 if (dat->stream.cbc) 436 (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv, 437 ctx->encrypt); 438 else if (ctx->encrypt) 439 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, 440 dat->block); 441 else 442 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, 443 dat->block); 444 445 return 1; 446 } 447 448 static int 449 aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 450 const unsigned char *in, size_t len) 451 { 452 size_t bl = ctx->cipher->block_size; 453 size_t i; 454 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 455 456 if (len < bl) 457 return 1; 458 459 for (i = 0, len -= bl; i <= len; i += bl) 460 (*dat->block)(in + i, out + i, &dat->ks); 461 462 return 1; 463 } 464 465 static int 466 aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 467 const unsigned char *in, size_t len) 468 { 469 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 470 471 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 472 dat->block); 473 return 1; 474 } 475 476 static int 477 aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 478 const unsigned char *in, size_t len) 479 { 480 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 481 482 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 483 ctx->encrypt, dat->block); 484 return 1; 485 } 486 487 static int 488 aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 489 const unsigned char *in, size_t len) 490 { 491 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 492 493 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 494 ctx->encrypt, dat->block); 495 return 1; 496 } 497 498 static int 499 aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 500 const unsigned char *in, size_t len) 501 { 502 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 503 504 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { 505 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv, 506 &ctx->num, ctx->encrypt, dat->block); 507 return 1; 508 } 509 510 while (len >= MAXBITCHUNK) { 511 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks, 512 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 513 len -= MAXBITCHUNK; 514 in += MAXBITCHUNK; 515 out += MAXBITCHUNK; 516 } 517 if (len) 518 CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks, 519 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 520 521 return 1; 522 } 523 524 static int 525 aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 526 const unsigned char *in, size_t len) 527 { 528 unsigned int num = ctx->num; 529 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 530 531 if (dat->stream.ctr) 532 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, 533 ctx->iv, ctx->buf, &num, dat->stream.ctr); 534 else 535 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, 536 ctx->iv, ctx->buf, &num, dat->block); 537 ctx->num = (size_t)num; 538 return 1; 539 } 540 541 542 #ifdef AESNI_CAPABLE 543 static const EVP_CIPHER aesni_128_cbc = { 544 .nid = NID_aes_128_cbc, 545 .block_size = 16, 546 .key_len = 16, 547 .iv_len = 16, 548 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 549 .init = aesni_init_key, 550 .do_cipher = aesni_cbc_cipher, 551 .ctx_size = sizeof(EVP_AES_KEY), 552 }; 553 #endif 554 555 static const EVP_CIPHER aes_128_cbc = { 556 .nid = NID_aes_128_cbc, 557 .block_size = 16, 558 .key_len = 16, 559 .iv_len = 16, 560 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 561 .init = aes_init_key, 562 .do_cipher = aes_cbc_cipher, 563 .ctx_size = sizeof(EVP_AES_KEY), 564 }; 565 566 const EVP_CIPHER * 567 EVP_aes_128_cbc(void) 568 { 569 #ifdef AESNI_CAPABLE 570 return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc; 571 #else 572 return &aes_128_cbc; 573 #endif 574 } 575 576 #ifdef AESNI_CAPABLE 577 static const EVP_CIPHER aesni_128_ecb = { 578 .nid = NID_aes_128_ecb, 579 .block_size = 16, 580 .key_len = 16, 581 .iv_len = 0, 582 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 583 .init = aesni_init_key, 584 .do_cipher = aesni_ecb_cipher, 585 .ctx_size = sizeof(EVP_AES_KEY), 586 }; 587 #endif 588 589 static const EVP_CIPHER aes_128_ecb = { 590 .nid = NID_aes_128_ecb, 591 .block_size = 16, 592 .key_len = 16, 593 .iv_len = 0, 594 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 595 .init = aes_init_key, 596 .do_cipher = aes_ecb_cipher, 597 .ctx_size = sizeof(EVP_AES_KEY), 598 }; 599 600 const EVP_CIPHER * 601 EVP_aes_128_ecb(void) 602 { 603 #ifdef AESNI_CAPABLE 604 return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb; 605 #else 606 return &aes_128_ecb; 607 #endif 608 } 609 610 #ifdef AESNI_CAPABLE 611 static const EVP_CIPHER aesni_128_ofb = { 612 .nid = NID_aes_128_ofb128, 613 .block_size = 1, 614 .key_len = 16, 615 .iv_len = 16, 616 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 617 .init = aesni_init_key, 618 .do_cipher = aes_ofb_cipher, 619 .ctx_size = sizeof(EVP_AES_KEY), 620 }; 621 #endif 622 623 static const EVP_CIPHER aes_128_ofb = { 624 .nid = NID_aes_128_ofb128, 625 .block_size = 1, 626 .key_len = 16, 627 .iv_len = 16, 628 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 629 .init = aes_init_key, 630 .do_cipher = aes_ofb_cipher, 631 .ctx_size = sizeof(EVP_AES_KEY), 632 }; 633 634 const EVP_CIPHER * 635 EVP_aes_128_ofb(void) 636 { 637 #ifdef AESNI_CAPABLE 638 return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb; 639 #else 640 return &aes_128_ofb; 641 #endif 642 } 643 644 #ifdef AESNI_CAPABLE 645 static const EVP_CIPHER aesni_128_cfb = { 646 .nid = NID_aes_128_cfb128, 647 .block_size = 1, 648 .key_len = 16, 649 .iv_len = 16, 650 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 651 .init = aesni_init_key, 652 .do_cipher = aes_cfb_cipher, 653 .ctx_size = sizeof(EVP_AES_KEY), 654 }; 655 #endif 656 657 static const EVP_CIPHER aes_128_cfb = { 658 .nid = NID_aes_128_cfb128, 659 .block_size = 1, 660 .key_len = 16, 661 .iv_len = 16, 662 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 663 .init = aes_init_key, 664 .do_cipher = aes_cfb_cipher, 665 .ctx_size = sizeof(EVP_AES_KEY), 666 }; 667 668 const EVP_CIPHER * 669 EVP_aes_128_cfb(void) 670 { 671 #ifdef AESNI_CAPABLE 672 return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb; 673 #else 674 return &aes_128_cfb; 675 #endif 676 } 677 678 #ifdef AESNI_CAPABLE 679 static const EVP_CIPHER aesni_128_cfb1 = { 680 .nid = NID_aes_128_cfb1, 681 .block_size = 1, 682 .key_len = 16, 683 .iv_len = 16, 684 .flags = EVP_CIPH_CFB_MODE, 685 .init = aesni_init_key, 686 .do_cipher = aes_cfb1_cipher, 687 .ctx_size = sizeof(EVP_AES_KEY), 688 }; 689 #endif 690 691 static const EVP_CIPHER aes_128_cfb1 = { 692 .nid = NID_aes_128_cfb1, 693 .block_size = 1, 694 .key_len = 16, 695 .iv_len = 16, 696 .flags = EVP_CIPH_CFB_MODE, 697 .init = aes_init_key, 698 .do_cipher = aes_cfb1_cipher, 699 .ctx_size = sizeof(EVP_AES_KEY), 700 }; 701 702 const EVP_CIPHER * 703 EVP_aes_128_cfb1(void) 704 { 705 #ifdef AESNI_CAPABLE 706 return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1; 707 #else 708 return &aes_128_cfb1; 709 #endif 710 } 711 712 #ifdef AESNI_CAPABLE 713 static const EVP_CIPHER aesni_128_cfb8 = { 714 .nid = NID_aes_128_cfb8, 715 .block_size = 1, 716 .key_len = 16, 717 .iv_len = 16, 718 .flags = EVP_CIPH_CFB_MODE, 719 .init = aesni_init_key, 720 .do_cipher = aes_cfb8_cipher, 721 .ctx_size = sizeof(EVP_AES_KEY), 722 }; 723 #endif 724 725 static const EVP_CIPHER aes_128_cfb8 = { 726 .nid = NID_aes_128_cfb8, 727 .block_size = 1, 728 .key_len = 16, 729 .iv_len = 16, 730 .flags = EVP_CIPH_CFB_MODE, 731 .init = aes_init_key, 732 .do_cipher = aes_cfb8_cipher, 733 .ctx_size = sizeof(EVP_AES_KEY), 734 }; 735 736 const EVP_CIPHER * 737 EVP_aes_128_cfb8(void) 738 { 739 #ifdef AESNI_CAPABLE 740 return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8; 741 #else 742 return &aes_128_cfb8; 743 #endif 744 } 745 746 #ifdef AESNI_CAPABLE 747 static const EVP_CIPHER aesni_128_ctr = { 748 .nid = NID_aes_128_ctr, 749 .block_size = 1, 750 .key_len = 16, 751 .iv_len = 16, 752 .flags = EVP_CIPH_CTR_MODE, 753 .init = aesni_init_key, 754 .do_cipher = aes_ctr_cipher, 755 .ctx_size = sizeof(EVP_AES_KEY), 756 }; 757 #endif 758 759 static const EVP_CIPHER aes_128_ctr = { 760 .nid = NID_aes_128_ctr, 761 .block_size = 1, 762 .key_len = 16, 763 .iv_len = 16, 764 .flags = EVP_CIPH_CTR_MODE, 765 .init = aes_init_key, 766 .do_cipher = aes_ctr_cipher, 767 .ctx_size = sizeof(EVP_AES_KEY), 768 }; 769 770 const EVP_CIPHER * 771 EVP_aes_128_ctr(void) 772 { 773 #ifdef AESNI_CAPABLE 774 return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr; 775 #else 776 return &aes_128_ctr; 777 #endif 778 } 779 780 781 #ifdef AESNI_CAPABLE 782 static const EVP_CIPHER aesni_192_cbc = { 783 .nid = NID_aes_192_cbc, 784 .block_size = 16, 785 .key_len = 24, 786 .iv_len = 16, 787 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 788 .init = aesni_init_key, 789 .do_cipher = aesni_cbc_cipher, 790 .ctx_size = sizeof(EVP_AES_KEY), 791 }; 792 #endif 793 794 static const EVP_CIPHER aes_192_cbc = { 795 .nid = NID_aes_192_cbc, 796 .block_size = 16, 797 .key_len = 24, 798 .iv_len = 16, 799 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 800 .init = aes_init_key, 801 .do_cipher = aes_cbc_cipher, 802 .ctx_size = sizeof(EVP_AES_KEY), 803 }; 804 805 const EVP_CIPHER * 806 EVP_aes_192_cbc(void) 807 { 808 #ifdef AESNI_CAPABLE 809 return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc; 810 #else 811 return &aes_192_cbc; 812 #endif 813 } 814 815 #ifdef AESNI_CAPABLE 816 static const EVP_CIPHER aesni_192_ecb = { 817 .nid = NID_aes_192_ecb, 818 .block_size = 16, 819 .key_len = 24, 820 .iv_len = 0, 821 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 822 .init = aesni_init_key, 823 .do_cipher = aesni_ecb_cipher, 824 .ctx_size = sizeof(EVP_AES_KEY), 825 }; 826 #endif 827 828 static const EVP_CIPHER aes_192_ecb = { 829 .nid = NID_aes_192_ecb, 830 .block_size = 16, 831 .key_len = 24, 832 .iv_len = 0, 833 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 834 .init = aes_init_key, 835 .do_cipher = aes_ecb_cipher, 836 .ctx_size = sizeof(EVP_AES_KEY), 837 }; 838 839 const EVP_CIPHER * 840 EVP_aes_192_ecb(void) 841 { 842 #ifdef AESNI_CAPABLE 843 return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb; 844 #else 845 return &aes_192_ecb; 846 #endif 847 } 848 849 #ifdef AESNI_CAPABLE 850 static const EVP_CIPHER aesni_192_ofb = { 851 .nid = NID_aes_192_ofb128, 852 .block_size = 1, 853 .key_len = 24, 854 .iv_len = 16, 855 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 856 .init = aesni_init_key, 857 .do_cipher = aes_ofb_cipher, 858 .ctx_size = sizeof(EVP_AES_KEY), 859 }; 860 #endif 861 862 static const EVP_CIPHER aes_192_ofb = { 863 .nid = NID_aes_192_ofb128, 864 .block_size = 1, 865 .key_len = 24, 866 .iv_len = 16, 867 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 868 .init = aes_init_key, 869 .do_cipher = aes_ofb_cipher, 870 .ctx_size = sizeof(EVP_AES_KEY), 871 }; 872 873 const EVP_CIPHER * 874 EVP_aes_192_ofb(void) 875 { 876 #ifdef AESNI_CAPABLE 877 return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb; 878 #else 879 return &aes_192_ofb; 880 #endif 881 } 882 883 #ifdef AESNI_CAPABLE 884 static const EVP_CIPHER aesni_192_cfb = { 885 .nid = NID_aes_192_cfb128, 886 .block_size = 1, 887 .key_len = 24, 888 .iv_len = 16, 889 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 890 .init = aesni_init_key, 891 .do_cipher = aes_cfb_cipher, 892 .ctx_size = sizeof(EVP_AES_KEY), 893 }; 894 #endif 895 896 static const EVP_CIPHER aes_192_cfb = { 897 .nid = NID_aes_192_cfb128, 898 .block_size = 1, 899 .key_len = 24, 900 .iv_len = 16, 901 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 902 .init = aes_init_key, 903 .do_cipher = aes_cfb_cipher, 904 .ctx_size = sizeof(EVP_AES_KEY), 905 }; 906 907 const EVP_CIPHER * 908 EVP_aes_192_cfb(void) 909 { 910 #ifdef AESNI_CAPABLE 911 return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb; 912 #else 913 return &aes_192_cfb; 914 #endif 915 } 916 917 #ifdef AESNI_CAPABLE 918 static const EVP_CIPHER aesni_192_cfb1 = { 919 .nid = NID_aes_192_cfb1, 920 .block_size = 1, 921 .key_len = 24, 922 .iv_len = 16, 923 .flags = EVP_CIPH_CFB_MODE, 924 .init = aesni_init_key, 925 .do_cipher = aes_cfb1_cipher, 926 .ctx_size = sizeof(EVP_AES_KEY), 927 }; 928 #endif 929 930 static const EVP_CIPHER aes_192_cfb1 = { 931 .nid = NID_aes_192_cfb1, 932 .block_size = 1, 933 .key_len = 24, 934 .iv_len = 16, 935 .flags = EVP_CIPH_CFB_MODE, 936 .init = aes_init_key, 937 .do_cipher = aes_cfb1_cipher, 938 .ctx_size = sizeof(EVP_AES_KEY), 939 }; 940 941 const EVP_CIPHER * 942 EVP_aes_192_cfb1(void) 943 { 944 #ifdef AESNI_CAPABLE 945 return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1; 946 #else 947 return &aes_192_cfb1; 948 #endif 949 } 950 951 #ifdef AESNI_CAPABLE 952 static const EVP_CIPHER aesni_192_cfb8 = { 953 .nid = NID_aes_192_cfb8, 954 .block_size = 1, 955 .key_len = 24, 956 .iv_len = 16, 957 .flags = EVP_CIPH_CFB_MODE, 958 .init = aesni_init_key, 959 .do_cipher = aes_cfb8_cipher, 960 .ctx_size = sizeof(EVP_AES_KEY), 961 }; 962 #endif 963 964 static const EVP_CIPHER aes_192_cfb8 = { 965 .nid = NID_aes_192_cfb8, 966 .block_size = 1, 967 .key_len = 24, 968 .iv_len = 16, 969 .flags = EVP_CIPH_CFB_MODE, 970 .init = aes_init_key, 971 .do_cipher = aes_cfb8_cipher, 972 .ctx_size = sizeof(EVP_AES_KEY), 973 }; 974 975 const EVP_CIPHER * 976 EVP_aes_192_cfb8(void) 977 { 978 #ifdef AESNI_CAPABLE 979 return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8; 980 #else 981 return &aes_192_cfb8; 982 #endif 983 } 984 985 #ifdef AESNI_CAPABLE 986 static const EVP_CIPHER aesni_192_ctr = { 987 .nid = NID_aes_192_ctr, 988 .block_size = 1, 989 .key_len = 24, 990 .iv_len = 16, 991 .flags = EVP_CIPH_CTR_MODE, 992 .init = aesni_init_key, 993 .do_cipher = aes_ctr_cipher, 994 .ctx_size = sizeof(EVP_AES_KEY), 995 }; 996 #endif 997 998 static const EVP_CIPHER aes_192_ctr = { 999 .nid = NID_aes_192_ctr, 1000 .block_size = 1, 1001 .key_len = 24, 1002 .iv_len = 16, 1003 .flags = EVP_CIPH_CTR_MODE, 1004 .init = aes_init_key, 1005 .do_cipher = aes_ctr_cipher, 1006 .ctx_size = sizeof(EVP_AES_KEY), 1007 }; 1008 1009 const EVP_CIPHER * 1010 EVP_aes_192_ctr(void) 1011 { 1012 #ifdef AESNI_CAPABLE 1013 return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr; 1014 #else 1015 return &aes_192_ctr; 1016 #endif 1017 } 1018 1019 1020 #ifdef AESNI_CAPABLE 1021 static const EVP_CIPHER aesni_256_cbc = { 1022 .nid = NID_aes_256_cbc, 1023 .block_size = 16, 1024 .key_len = 32, 1025 .iv_len = 16, 1026 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 1027 .init = aesni_init_key, 1028 .do_cipher = aesni_cbc_cipher, 1029 .ctx_size = sizeof(EVP_AES_KEY), 1030 }; 1031 #endif 1032 1033 static const EVP_CIPHER aes_256_cbc = { 1034 .nid = NID_aes_256_cbc, 1035 .block_size = 16, 1036 .key_len = 32, 1037 .iv_len = 16, 1038 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 1039 .init = aes_init_key, 1040 .do_cipher = aes_cbc_cipher, 1041 .ctx_size = sizeof(EVP_AES_KEY), 1042 }; 1043 1044 const EVP_CIPHER * 1045 EVP_aes_256_cbc(void) 1046 { 1047 #ifdef AESNI_CAPABLE 1048 return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc; 1049 #else 1050 return &aes_256_cbc; 1051 #endif 1052 } 1053 1054 #ifdef AESNI_CAPABLE 1055 static const EVP_CIPHER aesni_256_ecb = { 1056 .nid = NID_aes_256_ecb, 1057 .block_size = 16, 1058 .key_len = 32, 1059 .iv_len = 0, 1060 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 1061 .init = aesni_init_key, 1062 .do_cipher = aesni_ecb_cipher, 1063 .ctx_size = sizeof(EVP_AES_KEY), 1064 }; 1065 #endif 1066 1067 static const EVP_CIPHER aes_256_ecb = { 1068 .nid = NID_aes_256_ecb, 1069 .block_size = 16, 1070 .key_len = 32, 1071 .iv_len = 0, 1072 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 1073 .init = aes_init_key, 1074 .do_cipher = aes_ecb_cipher, 1075 .ctx_size = sizeof(EVP_AES_KEY), 1076 }; 1077 1078 const EVP_CIPHER * 1079 EVP_aes_256_ecb(void) 1080 { 1081 #ifdef AESNI_CAPABLE 1082 return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb; 1083 #else 1084 return &aes_256_ecb; 1085 #endif 1086 } 1087 1088 #ifdef AESNI_CAPABLE 1089 static const EVP_CIPHER aesni_256_ofb = { 1090 .nid = NID_aes_256_ofb128, 1091 .block_size = 1, 1092 .key_len = 32, 1093 .iv_len = 16, 1094 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 1095 .init = aesni_init_key, 1096 .do_cipher = aes_ofb_cipher, 1097 .ctx_size = sizeof(EVP_AES_KEY), 1098 }; 1099 #endif 1100 1101 static const EVP_CIPHER aes_256_ofb = { 1102 .nid = NID_aes_256_ofb128, 1103 .block_size = 1, 1104 .key_len = 32, 1105 .iv_len = 16, 1106 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 1107 .init = aes_init_key, 1108 .do_cipher = aes_ofb_cipher, 1109 .ctx_size = sizeof(EVP_AES_KEY), 1110 }; 1111 1112 const EVP_CIPHER * 1113 EVP_aes_256_ofb(void) 1114 { 1115 #ifdef AESNI_CAPABLE 1116 return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb; 1117 #else 1118 return &aes_256_ofb; 1119 #endif 1120 } 1121 1122 #ifdef AESNI_CAPABLE 1123 static const EVP_CIPHER aesni_256_cfb = { 1124 .nid = NID_aes_256_cfb128, 1125 .block_size = 1, 1126 .key_len = 32, 1127 .iv_len = 16, 1128 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 1129 .init = aesni_init_key, 1130 .do_cipher = aes_cfb_cipher, 1131 .ctx_size = sizeof(EVP_AES_KEY), 1132 }; 1133 #endif 1134 1135 static const EVP_CIPHER aes_256_cfb = { 1136 .nid = NID_aes_256_cfb128, 1137 .block_size = 1, 1138 .key_len = 32, 1139 .iv_len = 16, 1140 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 1141 .init = aes_init_key, 1142 .do_cipher = aes_cfb_cipher, 1143 .ctx_size = sizeof(EVP_AES_KEY), 1144 }; 1145 1146 const EVP_CIPHER * 1147 EVP_aes_256_cfb(void) 1148 { 1149 #ifdef AESNI_CAPABLE 1150 return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb; 1151 #else 1152 return &aes_256_cfb; 1153 #endif 1154 } 1155 1156 #ifdef AESNI_CAPABLE 1157 static const EVP_CIPHER aesni_256_cfb1 = { 1158 .nid = NID_aes_256_cfb1, 1159 .block_size = 1, 1160 .key_len = 32, 1161 .iv_len = 16, 1162 .flags = EVP_CIPH_CFB_MODE, 1163 .init = aesni_init_key, 1164 .do_cipher = aes_cfb1_cipher, 1165 .ctx_size = sizeof(EVP_AES_KEY), 1166 }; 1167 #endif 1168 1169 static const EVP_CIPHER aes_256_cfb1 = { 1170 .nid = NID_aes_256_cfb1, 1171 .block_size = 1, 1172 .key_len = 32, 1173 .iv_len = 16, 1174 .flags = EVP_CIPH_CFB_MODE, 1175 .init = aes_init_key, 1176 .do_cipher = aes_cfb1_cipher, 1177 .ctx_size = sizeof(EVP_AES_KEY), 1178 }; 1179 1180 const EVP_CIPHER * 1181 EVP_aes_256_cfb1(void) 1182 { 1183 #ifdef AESNI_CAPABLE 1184 return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1; 1185 #else 1186 return &aes_256_cfb1; 1187 #endif 1188 } 1189 1190 #ifdef AESNI_CAPABLE 1191 static const EVP_CIPHER aesni_256_cfb8 = { 1192 .nid = NID_aes_256_cfb8, 1193 .block_size = 1, 1194 .key_len = 32, 1195 .iv_len = 16, 1196 .flags = EVP_CIPH_CFB_MODE, 1197 .init = aesni_init_key, 1198 .do_cipher = aes_cfb8_cipher, 1199 .ctx_size = sizeof(EVP_AES_KEY), 1200 }; 1201 #endif 1202 1203 static const EVP_CIPHER aes_256_cfb8 = { 1204 .nid = NID_aes_256_cfb8, 1205 .block_size = 1, 1206 .key_len = 32, 1207 .iv_len = 16, 1208 .flags = EVP_CIPH_CFB_MODE, 1209 .init = aes_init_key, 1210 .do_cipher = aes_cfb8_cipher, 1211 .ctx_size = sizeof(EVP_AES_KEY), 1212 }; 1213 1214 const EVP_CIPHER * 1215 EVP_aes_256_cfb8(void) 1216 { 1217 #ifdef AESNI_CAPABLE 1218 return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8; 1219 #else 1220 return &aes_256_cfb8; 1221 #endif 1222 } 1223 1224 #ifdef AESNI_CAPABLE 1225 static const EVP_CIPHER aesni_256_ctr = { 1226 .nid = NID_aes_256_ctr, 1227 .block_size = 1, 1228 .key_len = 32, 1229 .iv_len = 16, 1230 .flags = EVP_CIPH_CTR_MODE, 1231 .init = aesni_init_key, 1232 .do_cipher = aes_ctr_cipher, 1233 .ctx_size = sizeof(EVP_AES_KEY), 1234 }; 1235 #endif 1236 1237 static const EVP_CIPHER aes_256_ctr = { 1238 .nid = NID_aes_256_ctr, 1239 .block_size = 1, 1240 .key_len = 32, 1241 .iv_len = 16, 1242 .flags = EVP_CIPH_CTR_MODE, 1243 .init = aes_init_key, 1244 .do_cipher = aes_ctr_cipher, 1245 .ctx_size = sizeof(EVP_AES_KEY), 1246 }; 1247 1248 const EVP_CIPHER * 1249 EVP_aes_256_ctr(void) 1250 { 1251 #ifdef AESNI_CAPABLE 1252 return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr; 1253 #else 1254 return &aes_256_ctr; 1255 #endif 1256 } 1257 1258 static int 1259 aes_gcm_cleanup(EVP_CIPHER_CTX *c) 1260 { 1261 EVP_AES_GCM_CTX *gctx = c->cipher_data; 1262 1263 if (gctx->iv != c->iv) 1264 free(gctx->iv); 1265 1266 explicit_bzero(gctx, sizeof(*gctx)); 1267 1268 return 1; 1269 } 1270 1271 /* increment counter (64-bit int) by 1 */ 1272 static void 1273 ctr64_inc(unsigned char *counter) 1274 { 1275 int n = 8; 1276 unsigned char c; 1277 1278 do { 1279 --n; 1280 c = counter[n]; 1281 ++c; 1282 counter[n] = c; 1283 if (c) 1284 return; 1285 } while (n); 1286 } 1287 1288 static int 1289 aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1290 { 1291 EVP_AES_GCM_CTX *gctx = c->cipher_data; 1292 1293 switch (type) { 1294 case EVP_CTRL_INIT: 1295 gctx->key_set = 0; 1296 gctx->iv_set = 0; 1297 if (c->cipher->iv_len == 0) { 1298 EVPerror(EVP_R_INVALID_IV_LENGTH); 1299 return 0; 1300 } 1301 gctx->ivlen = c->cipher->iv_len; 1302 gctx->iv = c->iv; 1303 gctx->taglen = -1; 1304 gctx->iv_gen = 0; 1305 gctx->tls_aad_len = -1; 1306 return 1; 1307 1308 case EVP_CTRL_AEAD_GET_IVLEN: 1309 *(int *)ptr = gctx->ivlen; 1310 return 1; 1311 1312 case EVP_CTRL_AEAD_SET_IVLEN: 1313 if (arg <= 0) 1314 return 0; 1315 /* Allocate memory for IV if needed */ 1316 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { 1317 if (gctx->iv != c->iv) 1318 free(gctx->iv); 1319 gctx->iv = malloc(arg); 1320 if (!gctx->iv) 1321 return 0; 1322 } 1323 gctx->ivlen = arg; 1324 return 1; 1325 1326 case EVP_CTRL_GCM_SET_TAG: 1327 if (arg <= 0 || arg > 16 || c->encrypt) 1328 return 0; 1329 memcpy(c->buf, ptr, arg); 1330 gctx->taglen = arg; 1331 return 1; 1332 1333 case EVP_CTRL_GCM_GET_TAG: 1334 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) 1335 return 0; 1336 memcpy(ptr, c->buf, arg); 1337 return 1; 1338 1339 case EVP_CTRL_GCM_SET_IV_FIXED: 1340 /* Special case: -1 length restores whole IV */ 1341 if (arg == -1) { 1342 memcpy(gctx->iv, ptr, gctx->ivlen); 1343 gctx->iv_gen = 1; 1344 return 1; 1345 } 1346 /* Fixed field must be at least 4 bytes and invocation field 1347 * at least 8. 1348 */ 1349 if ((arg < 4) || (gctx->ivlen - arg) < 8) 1350 return 0; 1351 if (arg) 1352 memcpy(gctx->iv, ptr, arg); 1353 if (c->encrypt) 1354 arc4random_buf(gctx->iv + arg, gctx->ivlen - arg); 1355 gctx->iv_gen = 1; 1356 return 1; 1357 1358 case EVP_CTRL_GCM_IV_GEN: 1359 if (gctx->iv_gen == 0 || gctx->key_set == 0) 1360 return 0; 1361 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 1362 if (arg <= 0 || arg > gctx->ivlen) 1363 arg = gctx->ivlen; 1364 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 1365 /* Invocation field will be at least 8 bytes in size and 1366 * so no need to check wrap around or increment more than 1367 * last 8 bytes. 1368 */ 1369 ctr64_inc(gctx->iv + gctx->ivlen - 8); 1370 gctx->iv_set = 1; 1371 return 1; 1372 1373 case EVP_CTRL_GCM_SET_IV_INV: 1374 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) 1375 return 0; 1376 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 1377 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 1378 gctx->iv_set = 1; 1379 return 1; 1380 1381 case EVP_CTRL_AEAD_TLS1_AAD: 1382 /* Save the AAD for later use */ 1383 if (arg != 13) 1384 return 0; 1385 memcpy(c->buf, ptr, arg); 1386 gctx->tls_aad_len = arg; 1387 { 1388 unsigned int len = c->buf[arg - 2] << 8 | 1389 c->buf[arg - 1]; 1390 1391 /* Correct length for explicit IV */ 1392 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) 1393 return 0; 1394 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 1395 1396 /* If decrypting correct for tag too */ 1397 if (!c->encrypt) { 1398 if (len < EVP_GCM_TLS_TAG_LEN) 1399 return 0; 1400 len -= EVP_GCM_TLS_TAG_LEN; 1401 } 1402 c->buf[arg - 2] = len >> 8; 1403 c->buf[arg - 1] = len & 0xff; 1404 } 1405 /* Extra padding: tag appended to record */ 1406 return EVP_GCM_TLS_TAG_LEN; 1407 1408 case EVP_CTRL_COPY: 1409 { 1410 EVP_CIPHER_CTX *out = ptr; 1411 EVP_AES_GCM_CTX *gctx_out = out->cipher_data; 1412 1413 if (gctx->gcm.key) { 1414 if (gctx->gcm.key != &gctx->ks) 1415 return 0; 1416 gctx_out->gcm.key = &gctx_out->ks; 1417 } 1418 1419 if (gctx->iv == c->iv) { 1420 gctx_out->iv = out->iv; 1421 } else { 1422 if ((gctx_out->iv = calloc(1, gctx->ivlen)) == NULL) 1423 return 0; 1424 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); 1425 } 1426 return 1; 1427 } 1428 1429 default: 1430 return -1; 1431 1432 } 1433 } 1434 1435 static ctr128_f 1436 aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx, 1437 const unsigned char *key, size_t key_len) 1438 { 1439 #ifdef BSAES_CAPABLE 1440 if (BSAES_CAPABLE) { 1441 AES_set_encrypt_key(key, key_len * 8, aes_key); 1442 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); 1443 return (ctr128_f)bsaes_ctr32_encrypt_blocks; 1444 } else 1445 #endif 1446 #ifdef VPAES_CAPABLE 1447 if (VPAES_CAPABLE) { 1448 vpaes_set_encrypt_key(key, key_len * 8, aes_key); 1449 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt); 1450 return NULL; 1451 } else 1452 #endif 1453 (void)0; /* terminate potentially open 'else' */ 1454 1455 AES_set_encrypt_key(key, key_len * 8, aes_key); 1456 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); 1457 #ifdef AES_CTR_ASM 1458 return (ctr128_f)AES_ctr32_encrypt; 1459 #else 1460 return NULL; 1461 #endif 1462 } 1463 1464 static int 1465 aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1466 const unsigned char *iv, int enc) 1467 { 1468 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1469 1470 if (!iv && !key) 1471 return 1; 1472 if (key) { 1473 gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, 1474 key, ctx->key_len); 1475 1476 /* If we have an iv can set it directly, otherwise use 1477 * saved IV. 1478 */ 1479 if (iv == NULL && gctx->iv_set) 1480 iv = gctx->iv; 1481 if (iv) { 1482 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 1483 gctx->iv_set = 1; 1484 } 1485 gctx->key_set = 1; 1486 } else { 1487 /* If key set use IV, otherwise copy */ 1488 if (gctx->key_set) 1489 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 1490 else 1491 memcpy(gctx->iv, iv, gctx->ivlen); 1492 gctx->iv_set = 1; 1493 gctx->iv_gen = 0; 1494 } 1495 return 1; 1496 } 1497 1498 /* Handle TLS GCM packet format. This consists of the last portion of the IV 1499 * followed by the payload and finally the tag. On encrypt generate IV, 1500 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload 1501 * and verify tag. 1502 */ 1503 1504 static int 1505 aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1506 const unsigned char *in, size_t len) 1507 { 1508 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1509 int rv = -1; 1510 1511 /* Encrypt/decrypt must be performed in place */ 1512 if (out != in || 1513 len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) 1514 return -1; 1515 1516 /* Set IV from start of buffer or generate IV and write to start 1517 * of buffer. 1518 */ 1519 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? 1520 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, 1521 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) 1522 goto err; 1523 1524 /* Use saved AAD */ 1525 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) 1526 goto err; 1527 1528 /* Fix buffer and length to point to payload */ 1529 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1530 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1531 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1532 if (ctx->encrypt) { 1533 /* Encrypt payload */ 1534 if (gctx->ctr) { 1535 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, 1536 len, gctx->ctr)) 1537 goto err; 1538 } else { 1539 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 1540 goto err; 1541 } 1542 out += len; 1543 1544 /* Finally write tag */ 1545 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); 1546 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1547 } else { 1548 /* Decrypt */ 1549 if (gctx->ctr) { 1550 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, 1551 len, gctx->ctr)) 1552 goto err; 1553 } else { 1554 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 1555 goto err; 1556 } 1557 /* Retrieve tag */ 1558 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN); 1559 1560 /* If tag mismatch wipe buffer */ 1561 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { 1562 explicit_bzero(out, len); 1563 goto err; 1564 } 1565 rv = len; 1566 } 1567 1568 err: 1569 gctx->iv_set = 0; 1570 gctx->tls_aad_len = -1; 1571 return rv; 1572 } 1573 1574 static int 1575 aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1576 const unsigned char *in, size_t len) 1577 { 1578 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1579 1580 /* If not set up, return error */ 1581 if (!gctx->key_set) 1582 return -1; 1583 1584 if (gctx->tls_aad_len >= 0) 1585 return aes_gcm_tls_cipher(ctx, out, in, len); 1586 1587 if (!gctx->iv_set) 1588 return -1; 1589 1590 if (in) { 1591 if (out == NULL) { 1592 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) 1593 return -1; 1594 } else if (ctx->encrypt) { 1595 if (gctx->ctr) { 1596 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 1597 in, out, len, gctx->ctr)) 1598 return -1; 1599 } else { 1600 if (CRYPTO_gcm128_encrypt(&gctx->gcm, 1601 in, out, len)) 1602 return -1; 1603 } 1604 } else { 1605 if (gctx->ctr) { 1606 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 1607 in, out, len, gctx->ctr)) 1608 return -1; 1609 } else { 1610 if (CRYPTO_gcm128_decrypt(&gctx->gcm, 1611 in, out, len)) 1612 return -1; 1613 } 1614 } 1615 return len; 1616 } else { 1617 if (!ctx->encrypt) { 1618 if (gctx->taglen < 0) 1619 return -1; 1620 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, 1621 gctx->taglen) != 0) 1622 return -1; 1623 gctx->iv_set = 0; 1624 return 0; 1625 } 1626 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); 1627 gctx->taglen = 16; 1628 1629 /* Don't reuse the IV */ 1630 gctx->iv_set = 0; 1631 return 0; 1632 } 1633 1634 } 1635 1636 #define CUSTOM_FLAGS \ 1637 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ 1638 EVP_CIPH_FLAG_CUSTOM_IV_LENGTH | \ 1639 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \ 1640 EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) 1641 1642 1643 #ifdef AESNI_CAPABLE 1644 static const EVP_CIPHER aesni_128_gcm = { 1645 .nid = NID_aes_128_gcm, 1646 .block_size = 1, 1647 .key_len = 16, 1648 .iv_len = 12, 1649 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1650 .init = aesni_gcm_init_key, 1651 .do_cipher = aes_gcm_cipher, 1652 .cleanup = aes_gcm_cleanup, 1653 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1654 .ctrl = aes_gcm_ctrl, 1655 }; 1656 #endif 1657 1658 static const EVP_CIPHER aes_128_gcm = { 1659 .nid = NID_aes_128_gcm, 1660 .block_size = 1, 1661 .key_len = 16, 1662 .iv_len = 12, 1663 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1664 .init = aes_gcm_init_key, 1665 .do_cipher = aes_gcm_cipher, 1666 .cleanup = aes_gcm_cleanup, 1667 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1668 .ctrl = aes_gcm_ctrl, 1669 }; 1670 1671 const EVP_CIPHER * 1672 EVP_aes_128_gcm(void) 1673 { 1674 #ifdef AESNI_CAPABLE 1675 return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm; 1676 #else 1677 return &aes_128_gcm; 1678 #endif 1679 } 1680 1681 #ifdef AESNI_CAPABLE 1682 static const EVP_CIPHER aesni_192_gcm = { 1683 .nid = NID_aes_192_gcm, 1684 .block_size = 1, 1685 .key_len = 24, 1686 .iv_len = 12, 1687 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1688 .init = aesni_gcm_init_key, 1689 .do_cipher = aes_gcm_cipher, 1690 .cleanup = aes_gcm_cleanup, 1691 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1692 .ctrl = aes_gcm_ctrl, 1693 }; 1694 #endif 1695 1696 static const EVP_CIPHER aes_192_gcm = { 1697 .nid = NID_aes_192_gcm, 1698 .block_size = 1, 1699 .key_len = 24, 1700 .iv_len = 12, 1701 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1702 .init = aes_gcm_init_key, 1703 .do_cipher = aes_gcm_cipher, 1704 .cleanup = aes_gcm_cleanup, 1705 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1706 .ctrl = aes_gcm_ctrl, 1707 }; 1708 1709 const EVP_CIPHER * 1710 EVP_aes_192_gcm(void) 1711 { 1712 #ifdef AESNI_CAPABLE 1713 return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm; 1714 #else 1715 return &aes_192_gcm; 1716 #endif 1717 } 1718 1719 #ifdef AESNI_CAPABLE 1720 static const EVP_CIPHER aesni_256_gcm = { 1721 .nid = NID_aes_256_gcm, 1722 .block_size = 1, 1723 .key_len = 32, 1724 .iv_len = 12, 1725 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1726 .init = aesni_gcm_init_key, 1727 .do_cipher = aes_gcm_cipher, 1728 .cleanup = aes_gcm_cleanup, 1729 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1730 .ctrl = aes_gcm_ctrl, 1731 }; 1732 #endif 1733 1734 static const EVP_CIPHER aes_256_gcm = { 1735 .nid = NID_aes_256_gcm, 1736 .block_size = 1, 1737 .key_len = 32, 1738 .iv_len = 12, 1739 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1740 .init = aes_gcm_init_key, 1741 .do_cipher = aes_gcm_cipher, 1742 .cleanup = aes_gcm_cleanup, 1743 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1744 .ctrl = aes_gcm_ctrl, 1745 }; 1746 1747 const EVP_CIPHER * 1748 EVP_aes_256_gcm(void) 1749 { 1750 #ifdef AESNI_CAPABLE 1751 return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm; 1752 #else 1753 return &aes_256_gcm; 1754 #endif 1755 } 1756 1757 static int 1758 aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1759 { 1760 EVP_AES_XTS_CTX *xctx = c->cipher_data; 1761 1762 switch (type) { 1763 case EVP_CTRL_INIT: 1764 /* 1765 * key1 and key2 are used as an indicator both key and IV 1766 * are set 1767 */ 1768 xctx->xts.key1 = NULL; 1769 xctx->xts.key2 = NULL; 1770 return 1; 1771 1772 case EVP_CTRL_COPY: 1773 { 1774 EVP_CIPHER_CTX *out = ptr; 1775 EVP_AES_XTS_CTX *xctx_out = out->cipher_data; 1776 1777 if (xctx->xts.key1) { 1778 if (xctx->xts.key1 != &xctx->ks1) 1779 return 0; 1780 xctx_out->xts.key1 = &xctx_out->ks1; 1781 } 1782 if (xctx->xts.key2) { 1783 if (xctx->xts.key2 != &xctx->ks2) 1784 return 0; 1785 xctx_out->xts.key2 = &xctx_out->ks2; 1786 } 1787 return 1; 1788 } 1789 } 1790 return -1; 1791 } 1792 1793 static int 1794 aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1795 const unsigned char *iv, int enc) 1796 { 1797 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1798 1799 if (!iv && !key) 1800 return 1; 1801 1802 if (key) do { 1803 #ifdef AES_XTS_ASM 1804 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; 1805 #else 1806 xctx->stream = NULL; 1807 #endif 1808 /* key_len is two AES keys */ 1809 #ifdef BSAES_CAPABLE 1810 if (BSAES_CAPABLE) 1811 xctx->stream = enc ? bsaes_xts_encrypt : 1812 bsaes_xts_decrypt; 1813 else 1814 #endif 1815 #ifdef VPAES_CAPABLE 1816 if (VPAES_CAPABLE) { 1817 if (enc) { 1818 vpaes_set_encrypt_key(key, ctx->key_len * 4, 1819 &xctx->ks1); 1820 xctx->xts.block1 = (block128_f)vpaes_encrypt; 1821 } else { 1822 vpaes_set_decrypt_key(key, ctx->key_len * 4, 1823 &xctx->ks1); 1824 xctx->xts.block1 = (block128_f)vpaes_decrypt; 1825 } 1826 1827 vpaes_set_encrypt_key(key + ctx->key_len / 2, 1828 ctx->key_len * 4, &xctx->ks2); 1829 xctx->xts.block2 = (block128_f)vpaes_encrypt; 1830 1831 xctx->xts.key1 = &xctx->ks1; 1832 break; 1833 } else 1834 #endif 1835 (void)0; /* terminate potentially open 'else' */ 1836 1837 if (enc) { 1838 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1839 xctx->xts.block1 = (block128_f)AES_encrypt; 1840 } else { 1841 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1842 xctx->xts.block1 = (block128_f)AES_decrypt; 1843 } 1844 1845 AES_set_encrypt_key(key + ctx->key_len / 2, 1846 ctx->key_len * 4, &xctx->ks2); 1847 xctx->xts.block2 = (block128_f)AES_encrypt; 1848 1849 xctx->xts.key1 = &xctx->ks1; 1850 } while (0); 1851 1852 if (iv) { 1853 xctx->xts.key2 = &xctx->ks2; 1854 memcpy(ctx->iv, iv, 16); 1855 } 1856 1857 return 1; 1858 } 1859 1860 static int 1861 aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1862 const unsigned char *in, size_t len) 1863 { 1864 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1865 1866 if (!xctx->xts.key1 || !xctx->xts.key2) 1867 return 0; 1868 if (!out || !in || len < AES_BLOCK_SIZE) 1869 return 0; 1870 1871 if (xctx->stream) 1872 (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2, 1873 ctx->iv); 1874 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, 1875 ctx->encrypt)) 1876 return 0; 1877 return 1; 1878 } 1879 1880 #define XTS_FLAGS \ 1881 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ 1882 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) 1883 1884 1885 #ifdef AESNI_CAPABLE 1886 static const EVP_CIPHER aesni_128_xts = { 1887 .nid = NID_aes_128_xts, 1888 .block_size = 1, 1889 .key_len = 2 * 16, 1890 .iv_len = 16, 1891 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1892 .init = aesni_xts_init_key, 1893 .do_cipher = aes_xts_cipher, 1894 .cleanup = NULL, 1895 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1896 .ctrl = aes_xts_ctrl, 1897 }; 1898 #endif 1899 1900 static const EVP_CIPHER aes_128_xts = { 1901 .nid = NID_aes_128_xts, 1902 .block_size = 1, 1903 .key_len = 2 * 16, 1904 .iv_len = 16, 1905 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1906 .init = aes_xts_init_key, 1907 .do_cipher = aes_xts_cipher, 1908 .cleanup = NULL, 1909 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1910 .ctrl = aes_xts_ctrl, 1911 }; 1912 1913 const EVP_CIPHER * 1914 EVP_aes_128_xts(void) 1915 { 1916 #ifdef AESNI_CAPABLE 1917 return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts; 1918 #else 1919 return &aes_128_xts; 1920 #endif 1921 } 1922 1923 #ifdef AESNI_CAPABLE 1924 static const EVP_CIPHER aesni_256_xts = { 1925 .nid = NID_aes_256_xts, 1926 .block_size = 1, 1927 .key_len = 2 * 32, 1928 .iv_len = 16, 1929 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1930 .init = aesni_xts_init_key, 1931 .do_cipher = aes_xts_cipher, 1932 .cleanup = NULL, 1933 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1934 .ctrl = aes_xts_ctrl, 1935 }; 1936 #endif 1937 1938 static const EVP_CIPHER aes_256_xts = { 1939 .nid = NID_aes_256_xts, 1940 .block_size = 1, 1941 .key_len = 2 * 32, 1942 .iv_len = 16, 1943 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1944 .init = aes_xts_init_key, 1945 .do_cipher = aes_xts_cipher, 1946 .cleanup = NULL, 1947 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1948 .ctrl = aes_xts_ctrl, 1949 }; 1950 1951 const EVP_CIPHER * 1952 EVP_aes_256_xts(void) 1953 { 1954 #ifdef AESNI_CAPABLE 1955 return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts; 1956 #else 1957 return &aes_256_xts; 1958 #endif 1959 } 1960 1961 static int 1962 aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1963 { 1964 EVP_AES_CCM_CTX *cctx = c->cipher_data; 1965 1966 switch (type) { 1967 case EVP_CTRL_INIT: 1968 cctx->key_set = 0; 1969 cctx->iv_set = 0; 1970 cctx->L = 8; 1971 cctx->M = 12; 1972 cctx->tag_set = 0; 1973 cctx->len_set = 0; 1974 return 1; 1975 1976 case EVP_CTRL_AEAD_GET_IVLEN: 1977 *(int *)ptr = 15 - cctx->L; 1978 return 1; 1979 1980 case EVP_CTRL_AEAD_SET_IVLEN: 1981 arg = 15 - arg; 1982 1983 case EVP_CTRL_CCM_SET_L: 1984 if (arg < 2 || arg > 8) 1985 return 0; 1986 cctx->L = arg; 1987 return 1; 1988 1989 case EVP_CTRL_CCM_SET_TAG: 1990 if ((arg & 1) || arg < 4 || arg > 16) 1991 return 0; 1992 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) 1993 return 0; 1994 if (ptr) { 1995 cctx->tag_set = 1; 1996 memcpy(c->buf, ptr, arg); 1997 } 1998 cctx->M = arg; 1999 return 1; 2000 2001 case EVP_CTRL_CCM_GET_TAG: 2002 if (!c->encrypt || !cctx->tag_set) 2003 return 0; 2004 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) 2005 return 0; 2006 cctx->tag_set = 0; 2007 cctx->iv_set = 0; 2008 cctx->len_set = 0; 2009 return 1; 2010 2011 case EVP_CTRL_COPY: 2012 { 2013 EVP_CIPHER_CTX *out = ptr; 2014 EVP_AES_CCM_CTX *cctx_out = out->cipher_data; 2015 2016 if (cctx->ccm.key) { 2017 if (cctx->ccm.key != &cctx->ks) 2018 return 0; 2019 cctx_out->ccm.key = &cctx_out->ks; 2020 } 2021 return 1; 2022 } 2023 2024 default: 2025 return -1; 2026 } 2027 } 2028 2029 static int 2030 aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 2031 const unsigned char *iv, int enc) 2032 { 2033 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 2034 2035 if (!iv && !key) 2036 return 1; 2037 if (key) do { 2038 #ifdef VPAES_CAPABLE 2039 if (VPAES_CAPABLE) { 2040 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); 2041 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 2042 &cctx->ks, (block128_f)vpaes_encrypt); 2043 cctx->str = NULL; 2044 cctx->key_set = 1; 2045 break; 2046 } 2047 #endif 2048 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 2049 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 2050 &cctx->ks, (block128_f)AES_encrypt); 2051 cctx->str = NULL; 2052 cctx->key_set = 1; 2053 } while (0); 2054 if (iv) { 2055 memcpy(ctx->iv, iv, 15 - cctx->L); 2056 cctx->iv_set = 1; 2057 } 2058 return 1; 2059 } 2060 2061 static int 2062 aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 2063 const unsigned char *in, size_t len) 2064 { 2065 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 2066 CCM128_CONTEXT *ccm = &cctx->ccm; 2067 2068 /* If not set up, return error */ 2069 if (!cctx->iv_set && !cctx->key_set) 2070 return -1; 2071 if (!ctx->encrypt && !cctx->tag_set) 2072 return -1; 2073 2074 if (!out) { 2075 if (!in) { 2076 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, 2077 len)) 2078 return -1; 2079 cctx->len_set = 1; 2080 return len; 2081 } 2082 /* If have AAD need message length */ 2083 if (!cctx->len_set && len) 2084 return -1; 2085 CRYPTO_ccm128_aad(ccm, in, len); 2086 return len; 2087 } 2088 /* EVP_*Final() doesn't return any data */ 2089 if (!in) 2090 return 0; 2091 /* If not set length yet do it */ 2092 if (!cctx->len_set) { 2093 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 2094 return -1; 2095 cctx->len_set = 1; 2096 } 2097 if (ctx->encrypt) { 2098 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, 2099 cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len)) 2100 return -1; 2101 cctx->tag_set = 1; 2102 return len; 2103 } else { 2104 int rv = -1; 2105 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, 2106 cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { 2107 unsigned char tag[16]; 2108 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { 2109 if (!memcmp(tag, ctx->buf, cctx->M)) 2110 rv = len; 2111 } 2112 } 2113 if (rv == -1) 2114 explicit_bzero(out, len); 2115 cctx->iv_set = 0; 2116 cctx->tag_set = 0; 2117 cctx->len_set = 0; 2118 return rv; 2119 } 2120 2121 } 2122 2123 #ifdef AESNI_CAPABLE 2124 static const EVP_CIPHER aesni_128_ccm = { 2125 .nid = NID_aes_128_ccm, 2126 .block_size = 1, 2127 .key_len = 16, 2128 .iv_len = 12, 2129 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2130 .init = aesni_ccm_init_key, 2131 .do_cipher = aes_ccm_cipher, 2132 .cleanup = NULL, 2133 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2134 .ctrl = aes_ccm_ctrl, 2135 }; 2136 #endif 2137 2138 static const EVP_CIPHER aes_128_ccm = { 2139 .nid = NID_aes_128_ccm, 2140 .block_size = 1, 2141 .key_len = 16, 2142 .iv_len = 12, 2143 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2144 .init = aes_ccm_init_key, 2145 .do_cipher = aes_ccm_cipher, 2146 .cleanup = NULL, 2147 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2148 .ctrl = aes_ccm_ctrl, 2149 }; 2150 2151 const EVP_CIPHER * 2152 EVP_aes_128_ccm(void) 2153 { 2154 #ifdef AESNI_CAPABLE 2155 return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm; 2156 #else 2157 return &aes_128_ccm; 2158 #endif 2159 } 2160 2161 #ifdef AESNI_CAPABLE 2162 static const EVP_CIPHER aesni_192_ccm = { 2163 .nid = NID_aes_192_ccm, 2164 .block_size = 1, 2165 .key_len = 24, 2166 .iv_len = 12, 2167 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2168 .init = aesni_ccm_init_key, 2169 .do_cipher = aes_ccm_cipher, 2170 .cleanup = NULL, 2171 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2172 .ctrl = aes_ccm_ctrl, 2173 }; 2174 #endif 2175 2176 static const EVP_CIPHER aes_192_ccm = { 2177 .nid = NID_aes_192_ccm, 2178 .block_size = 1, 2179 .key_len = 24, 2180 .iv_len = 12, 2181 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2182 .init = aes_ccm_init_key, 2183 .do_cipher = aes_ccm_cipher, 2184 .cleanup = NULL, 2185 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2186 .ctrl = aes_ccm_ctrl, 2187 }; 2188 2189 const EVP_CIPHER * 2190 EVP_aes_192_ccm(void) 2191 { 2192 #ifdef AESNI_CAPABLE 2193 return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm; 2194 #else 2195 return &aes_192_ccm; 2196 #endif 2197 } 2198 2199 #ifdef AESNI_CAPABLE 2200 static const EVP_CIPHER aesni_256_ccm = { 2201 .nid = NID_aes_256_ccm, 2202 .block_size = 1, 2203 .key_len = 32, 2204 .iv_len = 12, 2205 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2206 .init = aesni_ccm_init_key, 2207 .do_cipher = aes_ccm_cipher, 2208 .cleanup = NULL, 2209 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2210 .ctrl = aes_ccm_ctrl, 2211 }; 2212 #endif 2213 2214 static const EVP_CIPHER aes_256_ccm = { 2215 .nid = NID_aes_256_ccm, 2216 .block_size = 1, 2217 .key_len = 32, 2218 .iv_len = 12, 2219 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2220 .init = aes_ccm_init_key, 2221 .do_cipher = aes_ccm_cipher, 2222 .cleanup = NULL, 2223 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2224 .ctrl = aes_ccm_ctrl, 2225 }; 2226 2227 const EVP_CIPHER * 2228 EVP_aes_256_ccm(void) 2229 { 2230 #ifdef AESNI_CAPABLE 2231 return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm; 2232 #else 2233 return &aes_256_ccm; 2234 #endif 2235 } 2236 2237 #define EVP_AEAD_AES_GCM_TAG_LEN 16 2238 2239 struct aead_aes_gcm_ctx { 2240 union { 2241 double align; 2242 AES_KEY ks; 2243 } ks; 2244 GCM128_CONTEXT gcm; 2245 ctr128_f ctr; 2246 unsigned char tag_len; 2247 }; 2248 2249 static int 2250 aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len, 2251 size_t tag_len) 2252 { 2253 struct aead_aes_gcm_ctx *gcm_ctx; 2254 const size_t key_bits = key_len * 8; 2255 2256 /* EVP_AEAD_CTX_init should catch this. */ 2257 if (key_bits != 128 && key_bits != 256) { 2258 EVPerror(EVP_R_BAD_KEY_LENGTH); 2259 return 0; 2260 } 2261 2262 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) 2263 tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 2264 2265 if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { 2266 EVPerror(EVP_R_TAG_TOO_LARGE); 2267 return 0; 2268 } 2269 2270 if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL) 2271 return 0; 2272 2273 #ifdef AESNI_CAPABLE 2274 if (AESNI_CAPABLE) { 2275 aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks); 2276 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, 2277 (block128_f)aesni_encrypt); 2278 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; 2279 } else 2280 #endif 2281 { 2282 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, 2283 key, key_len); 2284 } 2285 gcm_ctx->tag_len = tag_len; 2286 ctx->aead_state = gcm_ctx; 2287 2288 return 1; 2289 } 2290 2291 static void 2292 aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) 2293 { 2294 struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2295 2296 freezero(gcm_ctx, sizeof(*gcm_ctx)); 2297 } 2298 2299 static int 2300 aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, 2301 size_t max_out_len, const unsigned char *nonce, size_t nonce_len, 2302 const unsigned char *in, size_t in_len, const unsigned char *ad, 2303 size_t ad_len) 2304 { 2305 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2306 GCM128_CONTEXT gcm; 2307 size_t bulk = 0; 2308 2309 if (max_out_len < in_len + gcm_ctx->tag_len) { 2310 EVPerror(EVP_R_BUFFER_TOO_SMALL); 2311 return 0; 2312 } 2313 2314 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); 2315 2316 if (nonce_len == 0) { 2317 EVPerror(EVP_R_INVALID_IV_LENGTH); 2318 return 0; 2319 } 2320 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); 2321 2322 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) 2323 return 0; 2324 2325 if (gcm_ctx->ctr) { 2326 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk, 2327 in_len - bulk, gcm_ctx->ctr)) 2328 return 0; 2329 } else { 2330 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk, 2331 in_len - bulk)) 2332 return 0; 2333 } 2334 2335 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len); 2336 *out_len = in_len + gcm_ctx->tag_len; 2337 2338 return 1; 2339 } 2340 2341 static int 2342 aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, 2343 size_t max_out_len, const unsigned char *nonce, size_t nonce_len, 2344 const unsigned char *in, size_t in_len, const unsigned char *ad, 2345 size_t ad_len) 2346 { 2347 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2348 unsigned char tag[EVP_AEAD_AES_GCM_TAG_LEN]; 2349 GCM128_CONTEXT gcm; 2350 size_t plaintext_len; 2351 size_t bulk = 0; 2352 2353 if (in_len < gcm_ctx->tag_len) { 2354 EVPerror(EVP_R_BAD_DECRYPT); 2355 return 0; 2356 } 2357 2358 plaintext_len = in_len - gcm_ctx->tag_len; 2359 2360 if (max_out_len < plaintext_len) { 2361 EVPerror(EVP_R_BUFFER_TOO_SMALL); 2362 return 0; 2363 } 2364 2365 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); 2366 2367 if (nonce_len == 0) { 2368 EVPerror(EVP_R_INVALID_IV_LENGTH); 2369 return 0; 2370 } 2371 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); 2372 2373 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) 2374 return 0; 2375 2376 if (gcm_ctx->ctr) { 2377 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk, 2378 in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr)) 2379 return 0; 2380 } else { 2381 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk, 2382 in_len - bulk - gcm_ctx->tag_len)) 2383 return 0; 2384 } 2385 2386 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); 2387 if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) { 2388 EVPerror(EVP_R_BAD_DECRYPT); 2389 return 0; 2390 } 2391 2392 *out_len = plaintext_len; 2393 2394 return 1; 2395 } 2396 2397 static const EVP_AEAD aead_aes_128_gcm = { 2398 .key_len = 16, 2399 .nonce_len = 12, 2400 .overhead = EVP_AEAD_AES_GCM_TAG_LEN, 2401 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, 2402 2403 .init = aead_aes_gcm_init, 2404 .cleanup = aead_aes_gcm_cleanup, 2405 .seal = aead_aes_gcm_seal, 2406 .open = aead_aes_gcm_open, 2407 }; 2408 2409 static const EVP_AEAD aead_aes_256_gcm = { 2410 .key_len = 32, 2411 .nonce_len = 12, 2412 .overhead = EVP_AEAD_AES_GCM_TAG_LEN, 2413 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, 2414 2415 .init = aead_aes_gcm_init, 2416 .cleanup = aead_aes_gcm_cleanup, 2417 .seal = aead_aes_gcm_seal, 2418 .open = aead_aes_gcm_open, 2419 }; 2420 2421 const EVP_AEAD * 2422 EVP_aead_aes_128_gcm(void) 2423 { 2424 return &aead_aes_128_gcm; 2425 } 2426 2427 const EVP_AEAD * 2428 EVP_aead_aes_256_gcm(void) 2429 { 2430 return &aead_aes_256_gcm; 2431 } 2432 2433 typedef struct { 2434 union { 2435 double align; 2436 AES_KEY ks; 2437 } ks; 2438 unsigned char *iv; 2439 } EVP_AES_WRAP_CTX; 2440 2441 static int 2442 aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 2443 const unsigned char *iv, int enc) 2444 { 2445 EVP_AES_WRAP_CTX *wctx = (EVP_AES_WRAP_CTX *)ctx->cipher_data; 2446 2447 if (iv == NULL && key == NULL) 2448 return 1; 2449 2450 if (key != NULL) { 2451 if (ctx->encrypt) 2452 AES_set_encrypt_key(key, 8 * ctx->key_len, 2453 &wctx->ks.ks); 2454 else 2455 AES_set_decrypt_key(key, 8 * ctx->key_len, 2456 &wctx->ks.ks); 2457 2458 if (iv == NULL) 2459 wctx->iv = NULL; 2460 } 2461 2462 if (iv != NULL) { 2463 int iv_len = EVP_CIPHER_CTX_iv_length(ctx); 2464 2465 if (iv_len < 0 || iv_len > sizeof(ctx->iv)) 2466 return 0; 2467 memcpy(ctx->iv, iv, iv_len); 2468 wctx->iv = ctx->iv; 2469 } 2470 2471 return 1; 2472 } 2473 2474 static int 2475 aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 2476 const unsigned char *in, size_t inlen) 2477 { 2478 EVP_AES_WRAP_CTX *wctx = ctx->cipher_data; 2479 int ret; 2480 2481 if (in == NULL) 2482 return 0; 2483 2484 if (inlen % 8 != 0) 2485 return -1; 2486 if (ctx->encrypt && inlen < 8) 2487 return -1; 2488 if (!ctx->encrypt && inlen < 16) 2489 return -1; 2490 if (inlen > INT_MAX) 2491 return -1; 2492 2493 if (out == NULL) { 2494 if (ctx->encrypt) 2495 return inlen + 8; 2496 else 2497 return inlen - 8; 2498 } 2499 2500 if (ctx->encrypt) 2501 ret = AES_wrap_key(&wctx->ks.ks, wctx->iv, out, in, 2502 (unsigned int)inlen); 2503 else 2504 ret = AES_unwrap_key(&wctx->ks.ks, wctx->iv, out, in, 2505 (unsigned int)inlen); 2506 2507 return ret != 0 ? ret : -1; 2508 } 2509 2510 static int 2511 aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 2512 { 2513 EVP_AES_WRAP_CTX *wctx = c->cipher_data; 2514 2515 switch (type) { 2516 case EVP_CTRL_COPY: 2517 { 2518 EVP_CIPHER_CTX *out = ptr; 2519 EVP_AES_WRAP_CTX *wctx_out = out->cipher_data; 2520 2521 if (wctx->iv != NULL) { 2522 if (c->iv != wctx->iv) 2523 return 0; 2524 2525 wctx_out->iv = out->iv; 2526 } 2527 2528 return 1; 2529 } 2530 } 2531 2532 return -1; 2533 } 2534 2535 #define WRAP_FLAGS \ 2536 ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \ 2537 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \ 2538 EVP_CIPH_CUSTOM_COPY ) 2539 2540 static const EVP_CIPHER aes_128_wrap = { 2541 .nid = NID_id_aes128_wrap, 2542 .block_size = 8, 2543 .key_len = 16, 2544 .iv_len = 8, 2545 .flags = WRAP_FLAGS, 2546 .init = aes_wrap_init_key, 2547 .do_cipher = aes_wrap_cipher, 2548 .cleanup = NULL, 2549 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2550 .set_asn1_parameters = NULL, 2551 .get_asn1_parameters = NULL, 2552 .ctrl = aes_wrap_ctrl, 2553 }; 2554 2555 const EVP_CIPHER * 2556 EVP_aes_128_wrap(void) 2557 { 2558 return &aes_128_wrap; 2559 } 2560 2561 static const EVP_CIPHER aes_192_wrap = { 2562 .nid = NID_id_aes192_wrap, 2563 .block_size = 8, 2564 .key_len = 24, 2565 .iv_len = 8, 2566 .flags = WRAP_FLAGS, 2567 .init = aes_wrap_init_key, 2568 .do_cipher = aes_wrap_cipher, 2569 .cleanup = NULL, 2570 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2571 .set_asn1_parameters = NULL, 2572 .get_asn1_parameters = NULL, 2573 .ctrl = aes_wrap_ctrl, 2574 }; 2575 2576 const EVP_CIPHER * 2577 EVP_aes_192_wrap(void) 2578 { 2579 return &aes_192_wrap; 2580 } 2581 2582 static const EVP_CIPHER aes_256_wrap = { 2583 .nid = NID_id_aes256_wrap, 2584 .block_size = 8, 2585 .key_len = 32, 2586 .iv_len = 8, 2587 .flags = WRAP_FLAGS, 2588 .init = aes_wrap_init_key, 2589 .do_cipher = aes_wrap_cipher, 2590 .cleanup = NULL, 2591 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2592 .set_asn1_parameters = NULL, 2593 .get_asn1_parameters = NULL, 2594 .ctrl = aes_wrap_ctrl, 2595 }; 2596 2597 const EVP_CIPHER * 2598 EVP_aes_256_wrap(void) 2599 { 2600 return &aes_256_wrap; 2601 } 2602 2603 #endif 2604