1 /* ==================================================================== 2 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in 13 * the documentation and/or other materials provided with the 14 * distribution. 15 * 16 * 3. All advertising materials mentioning features or use of this 17 * software must display the following acknowledgment: 18 * "This product includes software developed by the OpenSSL Project 19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 20 * 21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 22 * endorse or promote products derived from this software without 23 * prior written permission. For written permission, please contact 24 * openssl-core (at) openssl.org. 25 * 26 * 5. Products derived from this software may not be called "OpenSSL" 27 * nor may "OpenSSL" appear in their names without prior written 28 * permission of the OpenSSL Project. 29 * 30 * 6. Redistributions of any form whatsoever must retain the following 31 * acknowledgment: 32 * "This product includes software developed by the OpenSSL Project 33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 34 * 35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 46 * OF THE POSSIBILITY OF SUCH DAMAGE. 47 * ==================================================================== 48 * 49 */ 50 51 #include <openssl/opensslconf.h> 52 #ifndef OPENSSL_NO_AES 53 #include <openssl/evp.h> 54 #include <openssl/err.h> 55 #include <string.h> 56 #include <assert.h> 57 #include <openssl/aes.h> 58 #include "evp_locl.h" 59 #ifndef OPENSSL_FIPS 60 #include "modes_lcl.h" 61 #include <openssl/rand.h> 62 63 typedef struct 64 { 65 union { double align; AES_KEY ks; } ks; 66 block128_f block; 67 union { 68 cbc128_f cbc; 69 ctr128_f ctr; 70 } stream; 71 } EVP_AES_KEY; 72 73 typedef struct 74 { 75 union { double align; AES_KEY ks; } ks; /* AES key schedule to use */ 76 int key_set; /* Set if key initialised */ 77 int iv_set; /* Set if an iv is set */ 78 GCM128_CONTEXT gcm; 79 unsigned char *iv; /* Temporary IV store */ 80 int ivlen; /* IV length */ 81 int taglen; 82 int iv_gen; /* It is OK to generate IVs */ 83 int tls_aad_len; /* TLS AAD length */ 84 ctr128_f ctr; 85 } EVP_AES_GCM_CTX; 86 87 typedef struct 88 { 89 union { double align; AES_KEY ks; } ks1, ks2; /* AES key schedules to use */ 90 XTS128_CONTEXT xts; 91 void (*stream)(const unsigned char *in, 92 unsigned char *out, size_t length, 93 const AES_KEY *key1, const AES_KEY *key2, 94 const unsigned char iv[16]); 95 } EVP_AES_XTS_CTX; 96 97 typedef struct 98 { 99 union { double align; AES_KEY ks; } ks; /* AES key schedule to use */ 100 int key_set; /* Set if key initialised */ 101 int iv_set; /* Set if an iv is set */ 102 int tag_set; /* Set if tag is valid */ 103 int len_set; /* Set if message length set */ 104 int L, M; /* L and M parameters from RFC3610 */ 105 CCM128_CONTEXT ccm; 106 ccm128_f str; 107 } EVP_AES_CCM_CTX; 108 109 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) 110 111 #ifdef VPAES_ASM 112 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, 113 AES_KEY *key); 114 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, 115 AES_KEY *key); 116 117 void vpaes_encrypt(const unsigned char *in, unsigned char *out, 118 const AES_KEY *key); 119 void vpaes_decrypt(const unsigned char *in, unsigned char *out, 120 const AES_KEY *key); 121 122 void vpaes_cbc_encrypt(const unsigned char *in, 123 unsigned char *out, 124 size_t length, 125 const AES_KEY *key, 126 unsigned char *ivec, int enc); 127 #endif 128 #ifdef BSAES_ASM 129 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 130 size_t length, const AES_KEY *key, 131 unsigned char ivec[16], int enc); 132 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 133 size_t len, const AES_KEY *key, 134 const unsigned char ivec[16]); 135 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, 136 size_t len, const AES_KEY *key1, 137 const AES_KEY *key2, const unsigned char iv[16]); 138 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, 139 size_t len, const AES_KEY *key1, 140 const AES_KEY *key2, const unsigned char iv[16]); 141 #endif 142 #ifdef AES_CTR_ASM 143 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 144 size_t blocks, const AES_KEY *key, 145 const unsigned char ivec[AES_BLOCK_SIZE]); 146 #endif 147 #ifdef AES_XTS_ASM 148 void AES_xts_encrypt(const char *inp,char *out,size_t len, 149 const AES_KEY *key1, const AES_KEY *key2, 150 const unsigned char iv[16]); 151 void AES_xts_decrypt(const char *inp,char *out,size_t len, 152 const AES_KEY *key1, const AES_KEY *key2, 153 const unsigned char iv[16]); 154 #endif 155 156 #if defined(AES_ASM) && !defined(I386_ONLY) && ( \ 157 ((defined(__i386) || defined(__i386__) || \ 158 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ 159 defined(__x86_64) || defined(__x86_64__) || \ 160 defined(_M_AMD64) || defined(_M_X64) || \ 161 defined(__INTEL__) ) 162 163 extern unsigned int OPENSSL_ia32cap_P[]; 164 165 #ifdef VPAES_ASM 166 #define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) 167 #endif 168 #ifdef BSAES_ASM 169 #define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) 170 #endif 171 /* 172 * AES-NI section 173 */ 174 #define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32))) 175 176 int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 177 AES_KEY *key); 178 int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 179 AES_KEY *key); 180 181 void aesni_encrypt(const unsigned char *in, unsigned char *out, 182 const AES_KEY *key); 183 void aesni_decrypt(const unsigned char *in, unsigned char *out, 184 const AES_KEY *key); 185 186 void aesni_ecb_encrypt(const unsigned char *in, 187 unsigned char *out, 188 size_t length, 189 const AES_KEY *key, 190 int enc); 191 void aesni_cbc_encrypt(const unsigned char *in, 192 unsigned char *out, 193 size_t length, 194 const AES_KEY *key, 195 unsigned char *ivec, int enc); 196 197 void aesni_ctr32_encrypt_blocks(const unsigned char *in, 198 unsigned char *out, 199 size_t blocks, 200 const void *key, 201 const unsigned char *ivec); 202 203 void aesni_xts_encrypt(const unsigned char *in, 204 unsigned char *out, 205 size_t length, 206 const AES_KEY *key1, const AES_KEY *key2, 207 const unsigned char iv[16]); 208 209 void aesni_xts_decrypt(const unsigned char *in, 210 unsigned char *out, 211 size_t length, 212 const AES_KEY *key1, const AES_KEY *key2, 213 const unsigned char iv[16]); 214 215 void aesni_ccm64_encrypt_blocks (const unsigned char *in, 216 unsigned char *out, 217 size_t blocks, 218 const void *key, 219 const unsigned char ivec[16], 220 unsigned char cmac[16]); 221 222 void aesni_ccm64_decrypt_blocks (const unsigned char *in, 223 unsigned char *out, 224 size_t blocks, 225 const void *key, 226 const unsigned char ivec[16], 227 unsigned char cmac[16]); 228 229 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 230 const unsigned char *iv, int enc) 231 { 232 int ret, mode; 233 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 234 235 mode = ctx->cipher->flags & EVP_CIPH_MODE; 236 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 237 && !enc) 238 { 239 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data); 240 dat->block = (block128_f)aesni_decrypt; 241 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 242 (cbc128_f)aesni_cbc_encrypt : 243 NULL; 244 } 245 else { 246 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data); 247 dat->block = (block128_f)aesni_encrypt; 248 if (mode==EVP_CIPH_CBC_MODE) 249 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; 250 else if (mode==EVP_CIPH_CTR_MODE) 251 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 252 else 253 dat->stream.cbc = NULL; 254 } 255 256 if(ret < 0) 257 { 258 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); 259 return 0; 260 } 261 262 return 1; 263 } 264 265 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 266 const unsigned char *in, size_t len) 267 { 268 aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt); 269 270 return 1; 271 } 272 273 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 274 const unsigned char *in, size_t len) 275 { 276 size_t bl = ctx->cipher->block_size; 277 278 if (len<bl) return 1; 279 280 aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt); 281 282 return 1; 283 } 284 285 #define aesni_ofb_cipher aes_ofb_cipher 286 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 287 const unsigned char *in,size_t len); 288 289 #define aesni_cfb_cipher aes_cfb_cipher 290 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 291 const unsigned char *in,size_t len); 292 293 #define aesni_cfb8_cipher aes_cfb8_cipher 294 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 295 const unsigned char *in,size_t len); 296 297 #define aesni_cfb1_cipher aes_cfb1_cipher 298 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 299 const unsigned char *in,size_t len); 300 301 #define aesni_ctr_cipher aes_ctr_cipher 302 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 303 const unsigned char *in, size_t len); 304 305 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 306 const unsigned char *iv, int enc) 307 { 308 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 309 if (!iv && !key) 310 return 1; 311 if (key) 312 { 313 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks); 314 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 315 (block128_f)aesni_encrypt); 316 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 317 /* If we have an iv can set it directly, otherwise use 318 * saved IV. 319 */ 320 if (iv == NULL && gctx->iv_set) 321 iv = gctx->iv; 322 if (iv) 323 { 324 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 325 gctx->iv_set = 1; 326 } 327 gctx->key_set = 1; 328 } 329 else 330 { 331 /* If key set use IV, otherwise copy */ 332 if (gctx->key_set) 333 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 334 else 335 memcpy(gctx->iv, iv, gctx->ivlen); 336 gctx->iv_set = 1; 337 gctx->iv_gen = 0; 338 } 339 return 1; 340 } 341 342 #define aesni_gcm_cipher aes_gcm_cipher 343 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 344 const unsigned char *in, size_t len); 345 346 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 347 const unsigned char *iv, int enc) 348 { 349 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 350 if (!iv && !key) 351 return 1; 352 353 if (key) 354 { 355 /* key_len is two AES keys */ 356 if (enc) 357 { 358 aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); 359 xctx->xts.block1 = (block128_f)aesni_encrypt; 360 xctx->stream = aesni_xts_encrypt; 361 } 362 else 363 { 364 aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); 365 xctx->xts.block1 = (block128_f)aesni_decrypt; 366 xctx->stream = aesni_xts_decrypt; 367 } 368 369 aesni_set_encrypt_key(key + ctx->key_len/2, 370 ctx->key_len * 4, &xctx->ks2.ks); 371 xctx->xts.block2 = (block128_f)aesni_encrypt; 372 373 xctx->xts.key1 = &xctx->ks1; 374 } 375 376 if (iv) 377 { 378 xctx->xts.key2 = &xctx->ks2; 379 memcpy(ctx->iv, iv, 16); 380 } 381 382 return 1; 383 } 384 385 #define aesni_xts_cipher aes_xts_cipher 386 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 387 const unsigned char *in, size_t len); 388 389 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 390 const unsigned char *iv, int enc) 391 { 392 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 393 if (!iv && !key) 394 return 1; 395 if (key) 396 { 397 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks); 398 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 399 &cctx->ks, (block128_f)aesni_encrypt); 400 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks : 401 (ccm128_f)aesni_ccm64_decrypt_blocks; 402 cctx->key_set = 1; 403 } 404 if (iv) 405 { 406 memcpy(ctx->iv, iv, 15 - cctx->L); 407 cctx->iv_set = 1; 408 } 409 return 1; 410 } 411 412 #define aesni_ccm_cipher aes_ccm_cipher 413 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 414 const unsigned char *in, size_t len); 415 416 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 417 static const EVP_CIPHER aesni_##keylen##_##mode = { \ 418 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 419 flags|EVP_CIPH_##MODE##_MODE, \ 420 aesni_init_key, \ 421 aesni_##mode##_cipher, \ 422 NULL, \ 423 sizeof(EVP_AES_KEY), \ 424 NULL,NULL,NULL,NULL }; \ 425 static const EVP_CIPHER aes_##keylen##_##mode = { \ 426 nid##_##keylen##_##nmode,blocksize, \ 427 keylen/8,ivlen, \ 428 flags|EVP_CIPH_##MODE##_MODE, \ 429 aes_init_key, \ 430 aes_##mode##_cipher, \ 431 NULL, \ 432 sizeof(EVP_AES_KEY), \ 433 NULL,NULL,NULL,NULL }; \ 434 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 435 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 436 437 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 438 static const EVP_CIPHER aesni_##keylen##_##mode = { \ 439 nid##_##keylen##_##mode,blocksize, \ 440 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 441 flags|EVP_CIPH_##MODE##_MODE, \ 442 aesni_##mode##_init_key, \ 443 aesni_##mode##_cipher, \ 444 aes_##mode##_cleanup, \ 445 sizeof(EVP_AES_##MODE##_CTX), \ 446 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 447 static const EVP_CIPHER aes_##keylen##_##mode = { \ 448 nid##_##keylen##_##mode,blocksize, \ 449 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 450 flags|EVP_CIPH_##MODE##_MODE, \ 451 aes_##mode##_init_key, \ 452 aes_##mode##_cipher, \ 453 aes_##mode##_cleanup, \ 454 sizeof(EVP_AES_##MODE##_CTX), \ 455 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 456 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 457 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 458 459 #else 460 461 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 462 static const EVP_CIPHER aes_##keylen##_##mode = { \ 463 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 464 flags|EVP_CIPH_##MODE##_MODE, \ 465 aes_init_key, \ 466 aes_##mode##_cipher, \ 467 NULL, \ 468 sizeof(EVP_AES_KEY), \ 469 NULL,NULL,NULL,NULL }; \ 470 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 471 { return &aes_##keylen##_##mode; } 472 473 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 474 static const EVP_CIPHER aes_##keylen##_##mode = { \ 475 nid##_##keylen##_##mode,blocksize, \ 476 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 477 flags|EVP_CIPH_##MODE##_MODE, \ 478 aes_##mode##_init_key, \ 479 aes_##mode##_cipher, \ 480 aes_##mode##_cleanup, \ 481 sizeof(EVP_AES_##MODE##_CTX), \ 482 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 483 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 484 { return &aes_##keylen##_##mode; } 485 #endif 486 487 #if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__)) 488 #include "arm_arch.h" 489 #if __ARM_ARCH__>=7 490 # if defined(BSAES_ASM) 491 # define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON) 492 # endif 493 # define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES) 494 # define HWAES_set_encrypt_key aes_v8_set_encrypt_key 495 # define HWAES_set_decrypt_key aes_v8_set_decrypt_key 496 # define HWAES_encrypt aes_v8_encrypt 497 # define HWAES_decrypt aes_v8_decrypt 498 # define HWAES_cbc_encrypt aes_v8_cbc_encrypt 499 # define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks 500 #endif 501 #endif 502 503 #if defined(HWAES_CAPABLE) 504 int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits, 505 AES_KEY *key); 506 int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits, 507 AES_KEY *key); 508 void HWAES_encrypt(const unsigned char *in, unsigned char *out, 509 const AES_KEY *key); 510 void HWAES_decrypt(const unsigned char *in, unsigned char *out, 511 const AES_KEY *key); 512 void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out, 513 size_t length, const AES_KEY *key, 514 unsigned char *ivec, const int enc); 515 void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 516 size_t len, const AES_KEY *key, const unsigned char ivec[16]); 517 #endif 518 519 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \ 520 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 521 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 522 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 523 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 524 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \ 525 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \ 526 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags) 527 528 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 529 const unsigned char *iv, int enc) 530 { 531 int ret, mode; 532 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 533 534 mode = ctx->cipher->flags & EVP_CIPH_MODE; 535 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 536 && !enc) 537 #ifdef HWAES_CAPABLE 538 if (HWAES_CAPABLE) 539 { 540 ret = HWAES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks); 541 dat->block = (block128_f)HWAES_decrypt; 542 dat->stream.cbc = NULL; 543 #ifdef HWAES_cbc_encrypt 544 if (mode==EVP_CIPH_CBC_MODE) 545 dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt; 546 #endif 547 } 548 else 549 #endif 550 #ifdef BSAES_CAPABLE 551 if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE) 552 { 553 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks); 554 dat->block = (block128_f)AES_decrypt; 555 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; 556 } 557 else 558 #endif 559 #ifdef VPAES_CAPABLE 560 if (VPAES_CAPABLE) 561 { 562 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks); 563 dat->block = (block128_f)vpaes_decrypt; 564 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 565 (cbc128_f)vpaes_cbc_encrypt : 566 NULL; 567 } 568 else 569 #endif 570 { 571 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks); 572 dat->block = (block128_f)AES_decrypt; 573 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 574 (cbc128_f)AES_cbc_encrypt : 575 NULL; 576 } 577 else 578 #ifdef HWAES_CAPABLE 579 if (HWAES_CAPABLE) 580 { 581 ret = HWAES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks); 582 dat->block = (block128_f)HWAES_encrypt; 583 dat->stream.cbc = NULL; 584 #ifdef HWAES_cbc_encrypt 585 if (mode==EVP_CIPH_CBC_MODE) 586 dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt; 587 else 588 #endif 589 #ifdef HWAES_ctr32_encrypt_blocks 590 if (mode==EVP_CIPH_CTR_MODE) 591 dat->stream.ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks; 592 else 593 #endif 594 (void)0; /* terminate potentially open 'else' */ 595 } 596 else 597 #endif 598 #ifdef BSAES_CAPABLE 599 if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE) 600 { 601 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks); 602 dat->block = (block128_f)AES_encrypt; 603 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 604 } 605 else 606 #endif 607 #ifdef VPAES_CAPABLE 608 if (VPAES_CAPABLE) 609 { 610 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks); 611 dat->block = (block128_f)vpaes_encrypt; 612 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 613 (cbc128_f)vpaes_cbc_encrypt : 614 NULL; 615 } 616 else 617 #endif 618 { 619 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks); 620 dat->block = (block128_f)AES_encrypt; 621 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 622 (cbc128_f)AES_cbc_encrypt : 623 NULL; 624 #ifdef AES_CTR_ASM 625 if (mode==EVP_CIPH_CTR_MODE) 626 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; 627 #endif 628 } 629 630 if(ret < 0) 631 { 632 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); 633 return 0; 634 } 635 636 return 1; 637 } 638 639 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 640 const unsigned char *in, size_t len) 641 { 642 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 643 644 if (dat->stream.cbc) 645 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt); 646 else if (ctx->encrypt) 647 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); 648 else 649 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); 650 651 return 1; 652 } 653 654 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 655 const unsigned char *in, size_t len) 656 { 657 size_t bl = ctx->cipher->block_size; 658 size_t i; 659 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 660 661 if (len<bl) return 1; 662 663 for (i=0,len-=bl;i<=len;i+=bl) 664 (*dat->block)(in+i,out+i,&dat->ks); 665 666 return 1; 667 } 668 669 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 670 const unsigned char *in,size_t len) 671 { 672 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 673 674 CRYPTO_ofb128_encrypt(in,out,len,&dat->ks, 675 ctx->iv,&ctx->num,dat->block); 676 return 1; 677 } 678 679 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 680 const unsigned char *in,size_t len) 681 { 682 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 683 684 CRYPTO_cfb128_encrypt(in,out,len,&dat->ks, 685 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 686 return 1; 687 } 688 689 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 690 const unsigned char *in,size_t len) 691 { 692 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 693 694 CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks, 695 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 696 return 1; 697 } 698 699 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 700 const unsigned char *in,size_t len) 701 { 702 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 703 704 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { 705 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks, 706 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 707 return 1; 708 } 709 710 while (len>=MAXBITCHUNK) { 711 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks, 712 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 713 len-=MAXBITCHUNK; 714 } 715 if (len) 716 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks, 717 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 718 719 return 1; 720 } 721 722 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out, 723 const unsigned char *in, size_t len) 724 { 725 unsigned int num = ctx->num; 726 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 727 728 if (dat->stream.ctr) 729 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks, 730 ctx->iv,ctx->buf,&num,dat->stream.ctr); 731 else 732 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks, 733 ctx->iv,ctx->buf,&num,dat->block); 734 ctx->num = (size_t)num; 735 return 1; 736 } 737 738 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS) 739 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS) 740 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS) 741 742 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) 743 { 744 EVP_AES_GCM_CTX *gctx = c->cipher_data; 745 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); 746 if (gctx->iv != c->iv) 747 OPENSSL_free(gctx->iv); 748 return 1; 749 } 750 751 /* increment counter (64-bit int) by 1 */ 752 static void ctr64_inc(unsigned char *counter) { 753 int n=8; 754 unsigned char c; 755 756 do { 757 --n; 758 c = counter[n]; 759 ++c; 760 counter[n] = c; 761 if (c) return; 762 } while (n); 763 } 764 765 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 766 { 767 EVP_AES_GCM_CTX *gctx = c->cipher_data; 768 switch (type) 769 { 770 case EVP_CTRL_INIT: 771 gctx->key_set = 0; 772 gctx->iv_set = 0; 773 gctx->ivlen = c->cipher->iv_len; 774 gctx->iv = c->iv; 775 gctx->taglen = -1; 776 gctx->iv_gen = 0; 777 gctx->tls_aad_len = -1; 778 return 1; 779 780 case EVP_CTRL_GCM_SET_IVLEN: 781 if (arg <= 0) 782 return 0; 783 #ifdef OPENSSL_FIPS 784 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) 785 && arg < 12) 786 return 0; 787 #endif 788 /* Allocate memory for IV if needed */ 789 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) 790 { 791 if (gctx->iv != c->iv) 792 OPENSSL_free(gctx->iv); 793 gctx->iv = OPENSSL_malloc(arg); 794 if (!gctx->iv) 795 return 0; 796 } 797 gctx->ivlen = arg; 798 return 1; 799 800 case EVP_CTRL_GCM_SET_TAG: 801 if (arg <= 0 || arg > 16 || c->encrypt) 802 return 0; 803 memcpy(c->buf, ptr, arg); 804 gctx->taglen = arg; 805 return 1; 806 807 case EVP_CTRL_GCM_GET_TAG: 808 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) 809 return 0; 810 memcpy(ptr, c->buf, arg); 811 return 1; 812 813 case EVP_CTRL_GCM_SET_IV_FIXED: 814 /* Special case: -1 length restores whole IV */ 815 if (arg == -1) 816 { 817 memcpy(gctx->iv, ptr, gctx->ivlen); 818 gctx->iv_gen = 1; 819 return 1; 820 } 821 /* Fixed field must be at least 4 bytes and invocation field 822 * at least 8. 823 */ 824 if ((arg < 4) || (gctx->ivlen - arg) < 8) 825 return 0; 826 if (arg) 827 memcpy(gctx->iv, ptr, arg); 828 if (c->encrypt && 829 RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) 830 return 0; 831 gctx->iv_gen = 1; 832 return 1; 833 834 case EVP_CTRL_GCM_IV_GEN: 835 if (gctx->iv_gen == 0 || gctx->key_set == 0) 836 return 0; 837 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 838 if (arg <= 0 || arg > gctx->ivlen) 839 arg = gctx->ivlen; 840 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 841 /* Invocation field will be at least 8 bytes in size and 842 * so no need to check wrap around or increment more than 843 * last 8 bytes. 844 */ 845 ctr64_inc(gctx->iv + gctx->ivlen - 8); 846 gctx->iv_set = 1; 847 return 1; 848 849 case EVP_CTRL_GCM_SET_IV_INV: 850 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) 851 return 0; 852 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 853 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 854 gctx->iv_set = 1; 855 return 1; 856 857 case EVP_CTRL_AEAD_TLS1_AAD: 858 /* Save the AAD for later use */ 859 if (arg != 13) 860 return 0; 861 memcpy(c->buf, ptr, arg); 862 gctx->tls_aad_len = arg; 863 { 864 unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1]; 865 /* Correct length for explicit IV */ 866 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 867 /* If decrypting correct for tag too */ 868 if (!c->encrypt) 869 len -= EVP_GCM_TLS_TAG_LEN; 870 c->buf[arg-2] = len>>8; 871 c->buf[arg-1] = len & 0xff; 872 } 873 /* Extra padding: tag appended to record */ 874 return EVP_GCM_TLS_TAG_LEN; 875 876 case EVP_CTRL_COPY: 877 { 878 EVP_CIPHER_CTX *out = ptr; 879 EVP_AES_GCM_CTX *gctx_out = out->cipher_data; 880 if (gctx->gcm.key) 881 { 882 if (gctx->gcm.key != &gctx->ks) 883 return 0; 884 gctx_out->gcm.key = &gctx_out->ks; 885 } 886 if (gctx->iv == c->iv) 887 gctx_out->iv = out->iv; 888 else 889 { 890 gctx_out->iv = OPENSSL_malloc(gctx->ivlen); 891 if (!gctx_out->iv) 892 return 0; 893 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); 894 } 895 return 1; 896 } 897 898 default: 899 return -1; 900 901 } 902 } 903 904 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 905 const unsigned char *iv, int enc) 906 { 907 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 908 if (!iv && !key) 909 return 1; 910 if (key) 911 { do { 912 #ifdef HWAES_CAPABLE 913 if (HWAES_CAPABLE) 914 { 915 HWAES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks); 916 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, 917 (block128_f)HWAES_encrypt); 918 #ifdef HWAES_ctr32_encrypt_blocks 919 gctx->ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks; 920 #else 921 gctx->ctr = NULL; 922 #endif 923 break; 924 } 925 else 926 #endif 927 #ifdef BSAES_CAPABLE 928 if (BSAES_CAPABLE) 929 { 930 AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks); 931 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, 932 (block128_f)AES_encrypt); 933 gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 934 break; 935 } 936 else 937 #endif 938 #ifdef VPAES_CAPABLE 939 if (VPAES_CAPABLE) 940 { 941 vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks); 942 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, 943 (block128_f)vpaes_encrypt); 944 gctx->ctr = NULL; 945 break; 946 } 947 else 948 #endif 949 (void)0; /* terminate potentially open 'else' */ 950 951 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks); 952 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt); 953 #ifdef AES_CTR_ASM 954 gctx->ctr = (ctr128_f)AES_ctr32_encrypt; 955 #else 956 gctx->ctr = NULL; 957 #endif 958 } while (0); 959 960 /* If we have an iv can set it directly, otherwise use 961 * saved IV. 962 */ 963 if (iv == NULL && gctx->iv_set) 964 iv = gctx->iv; 965 if (iv) 966 { 967 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 968 gctx->iv_set = 1; 969 } 970 gctx->key_set = 1; 971 } 972 else 973 { 974 /* If key set use IV, otherwise copy */ 975 if (gctx->key_set) 976 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 977 else 978 memcpy(gctx->iv, iv, gctx->ivlen); 979 gctx->iv_set = 1; 980 gctx->iv_gen = 0; 981 } 982 return 1; 983 } 984 985 /* Handle TLS GCM packet format. This consists of the last portion of the IV 986 * followed by the payload and finally the tag. On encrypt generate IV, 987 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload 988 * and verify tag. 989 */ 990 991 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 992 const unsigned char *in, size_t len) 993 { 994 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 995 int rv = -1; 996 /* Encrypt/decrypt must be performed in place */ 997 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN)) 998 return -1; 999 /* Set IV from start of buffer or generate IV and write to start 1000 * of buffer. 1001 */ 1002 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? 1003 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, 1004 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) 1005 goto err; 1006 /* Use saved AAD */ 1007 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) 1008 goto err; 1009 /* Fix buffer and length to point to payload */ 1010 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1011 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1012 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1013 if (ctx->encrypt) 1014 { 1015 /* Encrypt payload */ 1016 if (gctx->ctr) 1017 { 1018 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 1019 in, out, len, 1020 gctx->ctr)) 1021 goto err; 1022 } 1023 else { 1024 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 1025 goto err; 1026 } 1027 out += len; 1028 /* Finally write tag */ 1029 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); 1030 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1031 } 1032 else 1033 { 1034 /* Decrypt */ 1035 if (gctx->ctr) 1036 { 1037 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 1038 in, out, len, 1039 gctx->ctr)) 1040 goto err; 1041 } 1042 else { 1043 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 1044 goto err; 1045 } 1046 /* Retrieve tag */ 1047 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 1048 EVP_GCM_TLS_TAG_LEN); 1049 /* If tag mismatch wipe buffer */ 1050 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) 1051 { 1052 OPENSSL_cleanse(out, len); 1053 goto err; 1054 } 1055 rv = len; 1056 } 1057 1058 err: 1059 gctx->iv_set = 0; 1060 gctx->tls_aad_len = -1; 1061 return rv; 1062 } 1063 1064 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1065 const unsigned char *in, size_t len) 1066 { 1067 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1068 /* If not set up, return error */ 1069 if (!gctx->key_set) 1070 return -1; 1071 1072 if (gctx->tls_aad_len >= 0) 1073 return aes_gcm_tls_cipher(ctx, out, in, len); 1074 1075 if (!gctx->iv_set) 1076 return -1; 1077 if (in) 1078 { 1079 if (out == NULL) 1080 { 1081 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) 1082 return -1; 1083 } 1084 else if (ctx->encrypt) 1085 { 1086 if (gctx->ctr) 1087 { 1088 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 1089 in, out, len, 1090 gctx->ctr)) 1091 return -1; 1092 } 1093 else { 1094 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 1095 return -1; 1096 } 1097 } 1098 else 1099 { 1100 if (gctx->ctr) 1101 { 1102 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 1103 in, out, len, 1104 gctx->ctr)) 1105 return -1; 1106 } 1107 else { 1108 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 1109 return -1; 1110 } 1111 } 1112 return len; 1113 } 1114 else 1115 { 1116 if (!ctx->encrypt) 1117 { 1118 if (gctx->taglen < 0) 1119 return -1; 1120 if (CRYPTO_gcm128_finish(&gctx->gcm, 1121 ctx->buf, gctx->taglen) != 0) 1122 return -1; 1123 gctx->iv_set = 0; 1124 return 0; 1125 } 1126 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); 1127 gctx->taglen = 16; 1128 /* Don't reuse the IV */ 1129 gctx->iv_set = 0; 1130 return 0; 1131 } 1132 1133 } 1134 1135 #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ 1136 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ 1137 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ 1138 | EVP_CIPH_CUSTOM_COPY) 1139 1140 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM, 1141 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1142 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM, 1143 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1144 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM, 1145 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1146 1147 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1148 { 1149 EVP_AES_XTS_CTX *xctx = c->cipher_data; 1150 if (type == EVP_CTRL_COPY) 1151 { 1152 EVP_CIPHER_CTX *out = ptr; 1153 EVP_AES_XTS_CTX *xctx_out = out->cipher_data; 1154 if (xctx->xts.key1) 1155 { 1156 if (xctx->xts.key1 != &xctx->ks1) 1157 return 0; 1158 xctx_out->xts.key1 = &xctx_out->ks1; 1159 } 1160 if (xctx->xts.key2) 1161 { 1162 if (xctx->xts.key2 != &xctx->ks2) 1163 return 0; 1164 xctx_out->xts.key2 = &xctx_out->ks2; 1165 } 1166 return 1; 1167 } 1168 else if (type != EVP_CTRL_INIT) 1169 return -1; 1170 /* key1 and key2 are used as an indicator both key and IV are set */ 1171 xctx->xts.key1 = NULL; 1172 xctx->xts.key2 = NULL; 1173 return 1; 1174 } 1175 1176 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1177 const unsigned char *iv, int enc) 1178 { 1179 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1180 if (!iv && !key) 1181 return 1; 1182 1183 if (key) do 1184 { 1185 #ifdef AES_XTS_ASM 1186 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; 1187 #else 1188 xctx->stream = NULL; 1189 #endif 1190 /* key_len is two AES keys */ 1191 #ifdef HWAES_CAPABLE 1192 if (HWAES_CAPABLE) 1193 { 1194 if (enc) 1195 { 1196 HWAES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); 1197 xctx->xts.block1 = (block128_f)HWAES_encrypt; 1198 } 1199 else 1200 { 1201 HWAES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); 1202 xctx->xts.block1 = (block128_f)HWAES_decrypt; 1203 } 1204 1205 HWAES_set_encrypt_key(key + ctx->key_len/2, 1206 ctx->key_len * 4, &xctx->ks2.ks); 1207 xctx->xts.block2 = (block128_f)HWAES_encrypt; 1208 1209 xctx->xts.key1 = &xctx->ks1; 1210 break; 1211 } 1212 else 1213 #endif 1214 #ifdef BSAES_CAPABLE 1215 if (BSAES_CAPABLE) 1216 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt; 1217 else 1218 #endif 1219 #ifdef VPAES_CAPABLE 1220 if (VPAES_CAPABLE) 1221 { 1222 if (enc) 1223 { 1224 vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); 1225 xctx->xts.block1 = (block128_f)vpaes_encrypt; 1226 } 1227 else 1228 { 1229 vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); 1230 xctx->xts.block1 = (block128_f)vpaes_decrypt; 1231 } 1232 1233 vpaes_set_encrypt_key(key + ctx->key_len/2, 1234 ctx->key_len * 4, &xctx->ks2.ks); 1235 xctx->xts.block2 = (block128_f)vpaes_encrypt; 1236 1237 xctx->xts.key1 = &xctx->ks1; 1238 break; 1239 } 1240 else 1241 #endif 1242 (void)0; /* terminate potentially open 'else' */ 1243 1244 if (enc) 1245 { 1246 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); 1247 xctx->xts.block1 = (block128_f)AES_encrypt; 1248 } 1249 else 1250 { 1251 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); 1252 xctx->xts.block1 = (block128_f)AES_decrypt; 1253 } 1254 1255 AES_set_encrypt_key(key + ctx->key_len/2, 1256 ctx->key_len * 4, &xctx->ks2.ks); 1257 xctx->xts.block2 = (block128_f)AES_encrypt; 1258 1259 xctx->xts.key1 = &xctx->ks1; 1260 } while (0); 1261 1262 if (iv) 1263 { 1264 xctx->xts.key2 = &xctx->ks2; 1265 memcpy(ctx->iv, iv, 16); 1266 } 1267 1268 return 1; 1269 } 1270 1271 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1272 const unsigned char *in, size_t len) 1273 { 1274 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1275 if (!xctx->xts.key1 || !xctx->xts.key2) 1276 return 0; 1277 if (!out || !in || len<AES_BLOCK_SIZE) 1278 return 0; 1279 #ifdef OPENSSL_FIPS 1280 /* Requirement of SP800-38E */ 1281 if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && 1282 (len > (1UL<<20)*16)) 1283 { 1284 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); 1285 return 0; 1286 } 1287 #endif 1288 if (xctx->stream) 1289 (*xctx->stream)(in, out, len, 1290 xctx->xts.key1, xctx->xts.key2, ctx->iv); 1291 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, 1292 ctx->encrypt)) 1293 return 0; 1294 return 1; 1295 } 1296 1297 #define aes_xts_cleanup NULL 1298 1299 #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \ 1300 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ 1301 | EVP_CIPH_CUSTOM_COPY) 1302 1303 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1304 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1305 1306 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1307 { 1308 EVP_AES_CCM_CTX *cctx = c->cipher_data; 1309 switch (type) 1310 { 1311 case EVP_CTRL_INIT: 1312 cctx->key_set = 0; 1313 cctx->iv_set = 0; 1314 cctx->L = 8; 1315 cctx->M = 12; 1316 cctx->tag_set = 0; 1317 cctx->len_set = 0; 1318 return 1; 1319 1320 case EVP_CTRL_CCM_SET_IVLEN: 1321 arg = 15 - arg; 1322 case EVP_CTRL_CCM_SET_L: 1323 if (arg < 2 || arg > 8) 1324 return 0; 1325 cctx->L = arg; 1326 return 1; 1327 1328 case EVP_CTRL_CCM_SET_TAG: 1329 if ((arg & 1) || arg < 4 || arg > 16) 1330 return 0; 1331 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) 1332 return 0; 1333 if (ptr) 1334 { 1335 cctx->tag_set = 1; 1336 memcpy(c->buf, ptr, arg); 1337 } 1338 cctx->M = arg; 1339 return 1; 1340 1341 case EVP_CTRL_CCM_GET_TAG: 1342 if (!c->encrypt || !cctx->tag_set) 1343 return 0; 1344 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) 1345 return 0; 1346 cctx->tag_set = 0; 1347 cctx->iv_set = 0; 1348 cctx->len_set = 0; 1349 return 1; 1350 1351 case EVP_CTRL_COPY: 1352 { 1353 EVP_CIPHER_CTX *out = ptr; 1354 EVP_AES_CCM_CTX *cctx_out = out->cipher_data; 1355 if (cctx->ccm.key) 1356 { 1357 if (cctx->ccm.key != &cctx->ks) 1358 return 0; 1359 cctx_out->ccm.key = &cctx_out->ks; 1360 } 1361 return 1; 1362 } 1363 1364 default: 1365 return -1; 1366 1367 } 1368 } 1369 1370 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1371 const unsigned char *iv, int enc) 1372 { 1373 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1374 if (!iv && !key) 1375 return 1; 1376 if (key) do 1377 { 1378 #ifdef HWAES_CAPABLE 1379 if (HWAES_CAPABLE) 1380 { 1381 HWAES_set_encrypt_key(key,ctx->key_len*8,&cctx->ks.ks); 1382 1383 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1384 &cctx->ks, (block128_f)HWAES_encrypt); 1385 cctx->str = NULL; 1386 cctx->key_set = 1; 1387 break; 1388 } 1389 else 1390 #endif 1391 #ifdef VPAES_CAPABLE 1392 if (VPAES_CAPABLE) 1393 { 1394 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks.ks); 1395 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1396 &cctx->ks, (block128_f)vpaes_encrypt); 1397 cctx->str = NULL; 1398 cctx->key_set = 1; 1399 break; 1400 } 1401 #endif 1402 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks); 1403 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1404 &cctx->ks, (block128_f)AES_encrypt); 1405 cctx->str = NULL; 1406 cctx->key_set = 1; 1407 } while (0); 1408 if (iv) 1409 { 1410 memcpy(ctx->iv, iv, 15 - cctx->L); 1411 cctx->iv_set = 1; 1412 } 1413 return 1; 1414 } 1415 1416 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1417 const unsigned char *in, size_t len) 1418 { 1419 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1420 CCM128_CONTEXT *ccm = &cctx->ccm; 1421 /* If not set up, return error */ 1422 if (!cctx->iv_set && !cctx->key_set) 1423 return -1; 1424 if (!ctx->encrypt && !cctx->tag_set) 1425 return -1; 1426 if (!out) 1427 { 1428 if (!in) 1429 { 1430 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len)) 1431 return -1; 1432 cctx->len_set = 1; 1433 return len; 1434 } 1435 /* If have AAD need message length */ 1436 if (!cctx->len_set && len) 1437 return -1; 1438 CRYPTO_ccm128_aad(ccm, in, len); 1439 return len; 1440 } 1441 /* EVP_*Final() doesn't return any data */ 1442 if (!in) 1443 return 0; 1444 /* If not set length yet do it */ 1445 if (!cctx->len_set) 1446 { 1447 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 1448 return -1; 1449 cctx->len_set = 1; 1450 } 1451 if (ctx->encrypt) 1452 { 1453 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, 1454 cctx->str) : 1455 CRYPTO_ccm128_encrypt(ccm, in, out, len)) 1456 return -1; 1457 cctx->tag_set = 1; 1458 return len; 1459 } 1460 else 1461 { 1462 int rv = -1; 1463 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, 1464 cctx->str) : 1465 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) 1466 { 1467 unsigned char tag[16]; 1468 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) 1469 { 1470 if (!memcmp(tag, ctx->buf, cctx->M)) 1471 rv = len; 1472 } 1473 } 1474 if (rv == -1) 1475 OPENSSL_cleanse(out, len); 1476 cctx->iv_set = 0; 1477 cctx->tag_set = 0; 1478 cctx->len_set = 0; 1479 return rv; 1480 } 1481 1482 } 1483 1484 #define aes_ccm_cleanup NULL 1485 1486 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1487 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1488 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1489 1490 #endif 1491 #endif 1492
