e_aes.c 35 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406
  1. /* ====================================================================
  2. * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * 1. Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. *
  11. * 2. Redistributions in binary form must reproduce the above copyright
  12. * notice, this list of conditions and the following disclaimer in
  13. * the documentation and/or other materials provided with the
  14. * distribution.
  15. *
  16. * 3. All advertising materials mentioning features or use of this
  17. * software must display the following acknowledgment:
  18. * "This product includes software developed by the OpenSSL Project
  19. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  20. *
  21. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22. * endorse or promote products derived from this software without
  23. * prior written permission. For written permission, please contact
  24. * openssl-core@openssl.org.
  25. *
  26. * 5. Products derived from this software may not be called "OpenSSL"
  27. * nor may "OpenSSL" appear in their names without prior written
  28. * permission of the OpenSSL Project.
  29. *
  30. * 6. Redistributions of any form whatsoever must retain the following
  31. * acknowledgment:
  32. * "This product includes software developed by the OpenSSL Project
  33. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  34. *
  35. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46. * OF THE POSSIBILITY OF SUCH DAMAGE.
  47. * ====================================================================
  48. *
  49. */
  50. #define OPENSSL_FIPSAPI
  51. #include <openssl/opensslconf.h>
  52. #ifndef OPENSSL_NO_AES
  53. #include <openssl/evp.h>
  54. #include <openssl/err.h>
  55. #include <string.h>
  56. #include <assert.h>
  57. #include <openssl/aes.h>
  58. #include "evp_locl.h"
  59. #include "modes_lcl.h"
  60. #include <openssl/rand.h>
  61. typedef struct
  62. {
  63. AES_KEY ks;
  64. void (*block)(const unsigned char *in, unsigned char *out,
  65. const AES_KEY *key);
  66. void (*cbc)(const unsigned char *in,
  67. unsigned char *out,
  68. size_t length,
  69. const AES_KEY *key,
  70. unsigned char *ivec, int enc);
  71. } EVP_AES_KEY;
  72. typedef struct
  73. {
  74. AES_KEY ks; /* AES key schedule to use */
  75. int key_set; /* Set if key initialised */
  76. int iv_set; /* Set if an iv is set */
  77. GCM128_CONTEXT gcm;
  78. unsigned char *iv; /* Temporary IV store */
  79. int ivlen; /* IV length */
  80. int taglen;
  81. int iv_gen; /* It is OK to generate IVs */
  82. int tls_aad_len; /* TLS AAD length */
  83. } EVP_AES_GCM_CTX;
  84. typedef struct
  85. {
  86. AES_KEY ks1, ks2; /* AES key schedules to use */
  87. XTS128_CONTEXT xts;
  88. } EVP_AES_XTS_CTX;
  89. typedef struct
  90. {
  91. AES_KEY ks; /* AES key schedule to use */
  92. int key_set; /* Set if key initialised */
  93. int iv_set; /* Set if an iv is set */
  94. int tag_set; /* Set if tag is valid */
  95. int len_set; /* Set if message length set */
  96. int L, M; /* L and M parameters from RFC3610 */
  97. CCM128_CONTEXT ccm;
  98. } EVP_AES_CCM_CTX;
  99. #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
  100. #ifdef VPAES_ASM
  101. int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
  102. AES_KEY *key);
  103. int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
  104. AES_KEY *key);
  105. void vpaes_encrypt(const unsigned char *in, unsigned char *out,
  106. const AES_KEY *key);
  107. void vpaes_decrypt(const unsigned char *in, unsigned char *out,
  108. const AES_KEY *key);
  109. void vpaes_cbc_encrypt(const unsigned char *in,
  110. unsigned char *out,
  111. size_t length,
  112. const AES_KEY *key,
  113. unsigned char *ivec, int enc);
  114. #endif
  115. #if defined(AES_ASM) && !defined(I386_ONLY) && ( \
  116. ((defined(__i386) || defined(__i386__) || \
  117. defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
  118. defined(__x86_64) || defined(__x86_64__) || \
  119. defined(_M_AMD64) || defined(_M_X64) || \
  120. defined(__INTEL__) )
  121. extern unsigned int OPENSSL_ia32cap_P[2];
  122. #ifdef VPAES_ASM
  123. #define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
  124. #endif
  125. /*
  126. * AES-NI section
  127. */
  128. #define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
  129. int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
  130. AES_KEY *key);
  131. int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
  132. AES_KEY *key);
  133. void aesni_encrypt(const unsigned char *in, unsigned char *out,
  134. const AES_KEY *key);
  135. void aesni_decrypt(const unsigned char *in, unsigned char *out,
  136. const AES_KEY *key);
  137. void aesni_ecb_encrypt(const unsigned char *in,
  138. unsigned char *out,
  139. size_t length,
  140. const AES_KEY *key,
  141. int enc);
  142. void aesni_cbc_encrypt(const unsigned char *in,
  143. unsigned char *out,
  144. size_t length,
  145. const AES_KEY *key,
  146. unsigned char *ivec, int enc);
  147. void aesni_ctr32_encrypt_blocks(const unsigned char *in,
  148. unsigned char *out,
  149. size_t blocks,
  150. const void *key,
  151. const unsigned char *ivec);
  152. void aesni_xts_encrypt(const unsigned char *in,
  153. unsigned char *out,
  154. size_t length,
  155. const AES_KEY *key1, const AES_KEY *key2,
  156. const unsigned char iv[16]);
  157. void aesni_xts_decrypt(const unsigned char *in,
  158. unsigned char *out,
  159. size_t length,
  160. const AES_KEY *key1, const AES_KEY *key2,
  161. const unsigned char iv[16]);
  162. void aesni_ccm64_encrypt_blocks (const unsigned char *in,
  163. unsigned char *out,
  164. size_t blocks,
  165. const void *key,
  166. const unsigned char ivec[16],
  167. unsigned char cmac[16]);
  168. void aesni_ccm64_decrypt_blocks (const unsigned char *in,
  169. unsigned char *out,
  170. size_t blocks,
  171. const void *key,
  172. const unsigned char ivec[16],
  173. unsigned char cmac[16]);
  174. static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  175. const unsigned char *iv, int enc)
  176. {
  177. int ret;
  178. if (((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_ECB_MODE
  179. || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CBC_MODE)
  180. && !enc)
  181. ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
  182. else
  183. ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
  184. if(ret < 0)
  185. {
  186. EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
  187. return 0;
  188. }
  189. return 1;
  190. }
  191. static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  192. const unsigned char *in, size_t len)
  193. {
  194. aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
  195. return 1;
  196. }
  197. static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  198. const unsigned char *in, size_t len)
  199. {
  200. size_t bl = ctx->cipher->block_size;
  201. if (len<bl) return 1;
  202. aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
  203. return 1;
  204. }
  205. static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  206. const unsigned char *in,size_t len)
  207. {
  208. CRYPTO_ofb128_encrypt(in,out,len,ctx->cipher_data,
  209. ctx->iv,&ctx->num,
  210. (block128_f)aesni_encrypt);
  211. return 1;
  212. }
  213. static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  214. const unsigned char *in,size_t len)
  215. {
  216. CRYPTO_cfb128_encrypt(in,out,len,ctx->cipher_data,
  217. ctx->iv,&ctx->num,ctx->encrypt,
  218. (block128_f)aesni_encrypt);
  219. return 1;
  220. }
  221. static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  222. const unsigned char *in,size_t len)
  223. {
  224. CRYPTO_cfb128_8_encrypt(in,out,len,ctx->cipher_data,
  225. ctx->iv,&ctx->num,ctx->encrypt,
  226. (block128_f)aesni_encrypt);
  227. return 1;
  228. }
  229. static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  230. const unsigned char *in,size_t len)
  231. {
  232. if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
  233. CRYPTO_cfb128_1_encrypt(in,out,len,ctx->cipher_data,
  234. ctx->iv,&ctx->num,ctx->encrypt,
  235. (block128_f)aesni_encrypt);
  236. return 1;
  237. }
  238. while (len>=MAXBITCHUNK) {
  239. CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,ctx->cipher_data,
  240. ctx->iv,&ctx->num,ctx->encrypt,
  241. (block128_f)aesni_encrypt);
  242. len-=MAXBITCHUNK;
  243. }
  244. if (len)
  245. CRYPTO_cfb128_1_encrypt(in,out,len*8,ctx->cipher_data,
  246. ctx->iv,&ctx->num,ctx->encrypt,
  247. (block128_f)aesni_encrypt);
  248. return 1;
  249. }
  250. static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  251. const unsigned char *in, size_t len)
  252. {
  253. unsigned int num;
  254. num = ctx->num;
  255. CRYPTO_ctr128_encrypt_ctr32(in,out,len,
  256. ctx->cipher_data,ctx->iv,ctx->buf,&num,
  257. (ctr128_f)aesni_ctr32_encrypt_blocks);
  258. ctx->num = (size_t)num;
  259. return 1;
  260. }
  261. static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  262. const unsigned char *iv, int enc)
  263. {
  264. EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
  265. if (!iv && !key)
  266. return 1;
  267. if (key)
  268. {
  269. aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
  270. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  271. (block128_f)aesni_encrypt);
  272. /* If we have an iv can set it directly, otherwise use
  273. * saved IV.
  274. */
  275. if (iv == NULL && gctx->iv_set)
  276. iv = gctx->iv;
  277. if (iv)
  278. {
  279. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  280. gctx->iv_set = 1;
  281. }
  282. gctx->key_set = 1;
  283. }
  284. else
  285. {
  286. /* If key set use IV, otherwise copy */
  287. if (gctx->key_set)
  288. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  289. else
  290. memcpy(gctx->iv, iv, gctx->ivlen);
  291. gctx->iv_set = 1;
  292. gctx->iv_gen = 0;
  293. }
  294. return 1;
  295. }
  296. /* Handle TLS GCM packet format. This consists of the last portion of the IV
  297. * followed by the payload and finally the tag. On encrypt generate IV,
  298. * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
  299. * and verify tag.
  300. */
  301. static int aesni_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  302. const unsigned char *in, size_t len)
  303. {
  304. EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
  305. int rv = -1;
  306. /* Encrypt/decrypt must be performed in place */
  307. if (out != in)
  308. return -1;
  309. /* Set IV from start of buffer or generate IV and write to start
  310. * of buffer.
  311. */
  312. if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
  313. EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
  314. EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
  315. goto err;
  316. /* Use saved AAD */
  317. if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
  318. goto err;
  319. /* Fix buffer and length to point to payload */
  320. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  321. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  322. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  323. if (ctx->encrypt)
  324. {
  325. /* Encrypt payload */
  326. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, len,
  327. aesni_ctr32_encrypt_blocks))
  328. out += len;
  329. /* Finally write tag */
  330. CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
  331. rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  332. }
  333. else
  334. {
  335. /* Decrypt */
  336. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, len,
  337. aesni_ctr32_encrypt_blocks))
  338. goto err;
  339. /* Retrieve tag */
  340. CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
  341. EVP_GCM_TLS_TAG_LEN);
  342. /* If tag mismatch wipe buffer */
  343. if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
  344. {
  345. OPENSSL_cleanse(out, len);
  346. goto err;
  347. }
  348. rv = len;
  349. }
  350. err:
  351. gctx->iv_set = 0;
  352. gctx->tls_aad_len = -1;
  353. return rv;
  354. }
  355. static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  356. const unsigned char *in, size_t len)
  357. {
  358. EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
  359. /* If not set up, return error */
  360. if (!gctx->key_set)
  361. return -1;
  362. if (gctx->tls_aad_len >= 0)
  363. return aesni_gcm_tls_cipher(ctx, out, in, len);
  364. if (!gctx->iv_set)
  365. return -1;
  366. if (!ctx->encrypt && gctx->taglen < 0)
  367. return -1;
  368. if (in)
  369. {
  370. if (out == NULL)
  371. {
  372. if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
  373. return -1;
  374. }
  375. else if (ctx->encrypt)
  376. {
  377. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
  378. in, out, len,
  379. aesni_ctr32_encrypt_blocks))
  380. return -1;
  381. }
  382. else
  383. {
  384. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
  385. in, out, len,
  386. aesni_ctr32_encrypt_blocks))
  387. return -1;
  388. }
  389. return len;
  390. }
  391. else
  392. {
  393. if (!ctx->encrypt)
  394. {
  395. if (CRYPTO_gcm128_finish(&gctx->gcm,
  396. ctx->buf, gctx->taglen) != 0)
  397. return -1;
  398. gctx->iv_set = 0;
  399. return 0;
  400. }
  401. CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
  402. gctx->taglen = 16;
  403. /* Don't reuse the IV */
  404. gctx->iv_set = 0;
  405. return 0;
  406. }
  407. }
  408. static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  409. const unsigned char *iv, int enc)
  410. {
  411. EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
  412. if (!iv && !key)
  413. return 1;
  414. if (key)
  415. {
  416. /* key_len is two AES keys */
  417. if (enc)
  418. {
  419. aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
  420. xctx->xts.block1 = (block128_f)aesni_encrypt;
  421. }
  422. else
  423. {
  424. aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
  425. xctx->xts.block1 = (block128_f)aesni_decrypt;
  426. }
  427. aesni_set_encrypt_key(key + ctx->key_len/2,
  428. ctx->key_len * 4, &xctx->ks2);
  429. xctx->xts.block2 = (block128_f)aesni_encrypt;
  430. xctx->xts.key1 = &xctx->ks1;
  431. }
  432. if (iv)
  433. {
  434. xctx->xts.key2 = &xctx->ks2;
  435. memcpy(ctx->iv, iv, 16);
  436. }
  437. return 1;
  438. }
  439. static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  440. const unsigned char *in, size_t len)
  441. {
  442. EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
  443. if (!xctx->xts.key1 || !xctx->xts.key2)
  444. return -1;
  445. if (!out || !in)
  446. return -1;
  447. #ifdef OPENSSL_FIPS
  448. /* Requirement of SP800-38E */
  449. if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
  450. (len > (1L<<20)*16))
  451. {
  452. EVPerr(EVP_F_AESNI_XTS_CIPHER, EVP_R_TOO_LARGE);
  453. return -1;
  454. }
  455. #endif
  456. if (ctx->encrypt)
  457. aesni_xts_encrypt(in, out, len,
  458. xctx->xts.key1, xctx->xts.key2, ctx->iv);
  459. else
  460. aesni_xts_decrypt(in, out, len,
  461. xctx->xts.key1, xctx->xts.key2, ctx->iv);
  462. return len;
  463. }
  464. static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  465. const unsigned char *iv, int enc)
  466. {
  467. EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
  468. if (!iv && !key)
  469. return 1;
  470. if (key)
  471. {
  472. aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
  473. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  474. &cctx->ks, (block128_f)aesni_encrypt);
  475. cctx->key_set = 1;
  476. }
  477. if (iv)
  478. {
  479. memcpy(ctx->iv, iv, 15 - cctx->L);
  480. cctx->iv_set = 1;
  481. }
  482. return 1;
  483. }
  484. static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  485. const unsigned char *in, size_t len)
  486. {
  487. EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
  488. CCM128_CONTEXT *ccm = &cctx->ccm;
  489. /* If not set up, return error */
  490. if (!cctx->iv_set && !cctx->key_set)
  491. return -1;
  492. if (!ctx->encrypt && !cctx->tag_set)
  493. return -1;
  494. if (!out)
  495. {
  496. if (!in)
  497. {
  498. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
  499. return -1;
  500. cctx->len_set = 1;
  501. return len;
  502. }
  503. /* If have AAD need message length */
  504. if (!cctx->len_set && len)
  505. return -1;
  506. CRYPTO_ccm128_aad(ccm, in, len);
  507. return len;
  508. }
  509. /* EVP_*Final() doesn't return any data */
  510. if (!in)
  511. return 0;
  512. /* If not set length yet do it */
  513. if (!cctx->len_set)
  514. {
  515. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
  516. return -1;
  517. cctx->len_set = 1;
  518. }
  519. if (ctx->encrypt)
  520. {
  521. if (CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
  522. aesni_ccm64_encrypt_blocks))
  523. return -1;
  524. cctx->tag_set = 1;
  525. return len;
  526. }
  527. else
  528. {
  529. int rv = -1;
  530. if (!CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
  531. aesni_ccm64_decrypt_blocks))
  532. {
  533. unsigned char tag[16];
  534. if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
  535. {
  536. if (!memcmp(tag, ctx->buf, cctx->M))
  537. rv = len;
  538. }
  539. }
  540. if (rv == -1)
  541. OPENSSL_cleanse(out, len);
  542. cctx->iv_set = 0;
  543. cctx->tag_set = 0;
  544. cctx->len_set = 0;
  545. return rv;
  546. }
  547. }
  548. #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  549. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  550. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  551. flags|EVP_CIPH_##MODE##_MODE, \
  552. aesni_init_key, \
  553. aesni_##mode##_cipher, \
  554. NULL, \
  555. sizeof(EVP_AES_KEY), \
  556. NULL,NULL,NULL,NULL }; \
  557. static const EVP_CIPHER aes_##keylen##_##mode = { \
  558. nid##_##keylen##_##nmode,blocksize, \
  559. keylen/8,ivlen, \
  560. flags|EVP_CIPH_##MODE##_MODE, \
  561. aes_init_key, \
  562. aes_##mode##_cipher, \
  563. NULL, \
  564. sizeof(EVP_AES_KEY), \
  565. NULL,NULL,NULL,NULL }; \
  566. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  567. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  568. #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  569. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  570. nid##_##keylen##_##mode,blocksize, \
  571. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
  572. flags|EVP_CIPH_##MODE##_MODE, \
  573. aesni_##mode##_init_key, \
  574. aesni_##mode##_cipher, \
  575. aes_##mode##_cleanup, \
  576. sizeof(EVP_AES_##MODE##_CTX), \
  577. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  578. static const EVP_CIPHER aes_##keylen##_##mode = { \
  579. nid##_##keylen##_##mode,blocksize, \
  580. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
  581. flags|EVP_CIPH_##MODE##_MODE, \
  582. aes_##mode##_init_key, \
  583. aes_##mode##_cipher, \
  584. aes_##mode##_cleanup, \
  585. sizeof(EVP_AES_##MODE##_CTX), \
  586. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  587. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  588. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  589. #else
  590. #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  591. static const EVP_CIPHER aes_##keylen##_##mode = { \
  592. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  593. flags|EVP_CIPH_##MODE##_MODE, \
  594. aes_init_key, \
  595. aes_##mode##_cipher, \
  596. NULL, \
  597. sizeof(EVP_AES_KEY), \
  598. NULL,NULL,NULL,NULL }; \
  599. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  600. { return &aes_##keylen##_##mode; }
  601. #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  602. static const EVP_CIPHER aes_##keylen##_##mode = { \
  603. nid##_##keylen##_##mode,blocksize, \
  604. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
  605. flags|EVP_CIPH_##MODE##_MODE, \
  606. aes_##mode##_init_key, \
  607. aes_##mode##_cipher, \
  608. aes_##mode##_cleanup, \
  609. sizeof(EVP_AES_##MODE##_CTX), \
  610. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  611. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  612. { return &aes_##keylen##_##mode; }
  613. #endif
  614. #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
  615. BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  616. BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  617. BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  618. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  619. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
  620. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
  621. BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
  622. static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  623. const unsigned char *iv, int enc)
  624. {
  625. int ret;
  626. EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
  627. if (((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_ECB_MODE
  628. || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CBC_MODE)
  629. && !enc)
  630. #ifdef VPAES_CAPABLE
  631. if (VPAES_CAPABLE)
  632. {
  633. ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
  634. dat->block = vpaes_decrypt;
  635. dat->cbc = vpaes_cbc_encrypt;
  636. }
  637. else
  638. #endif
  639. {
  640. ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
  641. dat->block = AES_decrypt;
  642. dat->cbc = AES_cbc_encrypt;
  643. }
  644. else
  645. #ifdef VPAES_CAPABLE
  646. if (VPAES_CAPABLE)
  647. {
  648. ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
  649. dat->block = vpaes_encrypt;
  650. dat->cbc = vpaes_cbc_encrypt;
  651. }
  652. else
  653. #endif
  654. {
  655. ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
  656. dat->block = AES_encrypt;
  657. dat->cbc = AES_cbc_encrypt;
  658. }
  659. if(ret < 0)
  660. {
  661. EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
  662. return 0;
  663. }
  664. return 1;
  665. }
  666. static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  667. const unsigned char *in, size_t len)
  668. {
  669. EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
  670. (*dat->cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
  671. return 1;
  672. }
  673. static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  674. const unsigned char *in, size_t len)
  675. {
  676. size_t bl = ctx->cipher->block_size;
  677. size_t i;
  678. EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
  679. if (len<bl) return 1;
  680. for (i=0,len-=bl;i<=len;i+=bl)
  681. (*dat->block)(in+i,out+i,&dat->ks);
  682. return 1;
  683. }
  684. static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  685. const unsigned char *in,size_t len)
  686. {
  687. EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
  688. CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
  689. ctx->iv,&ctx->num,
  690. (block128_f)dat->block);
  691. return 1;
  692. }
  693. static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  694. const unsigned char *in,size_t len)
  695. {
  696. EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
  697. CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
  698. ctx->iv,&ctx->num,ctx->encrypt,
  699. (block128_f)dat->block);
  700. return 1;
  701. }
  702. static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  703. const unsigned char *in,size_t len)
  704. {
  705. EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
  706. CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
  707. ctx->iv,&ctx->num,ctx->encrypt,
  708. (block128_f)dat->block);
  709. return 1;
  710. }
  711. static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
  712. const unsigned char *in,size_t len)
  713. {
  714. EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
  715. if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
  716. CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
  717. ctx->iv,&ctx->num,ctx->encrypt,
  718. (block128_f)dat->block);
  719. return 1;
  720. }
  721. while (len>=MAXBITCHUNK) {
  722. CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
  723. ctx->iv,&ctx->num,ctx->encrypt,
  724. (block128_f)dat->block);
  725. len-=MAXBITCHUNK;
  726. }
  727. if (len)
  728. CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
  729. ctx->iv,&ctx->num,ctx->encrypt,
  730. (block128_f)dat->block);
  731. return 1;
  732. }
  733. static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
  734. const unsigned char *in, size_t len)
  735. {
  736. unsigned int num = ctx->num;
  737. EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
  738. #ifdef AES_CTR_ASM
  739. void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
  740. size_t blocks, const AES_KEY *key,
  741. const unsigned char ivec[AES_BLOCK_SIZE]);
  742. CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
  743. ctx->iv,ctx->buf,&num,(ctr128_f)AES_ctr32_encrypt);
  744. #else
  745. CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
  746. ctx->iv,ctx->buf,&num,(block128_f)dat->block);
  747. #endif
  748. ctx->num = (size_t)num;
  749. return 1;
  750. }
  751. BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
  752. BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
  753. BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
  754. static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
  755. {
  756. EVP_AES_GCM_CTX *gctx = c->cipher_data;
  757. OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
  758. if (gctx->iv != c->iv)
  759. OPENSSL_free(gctx->iv);
  760. return 1;
  761. }
  762. /* increment counter (64-bit int) by 1 */
  763. static void ctr64_inc(unsigned char *counter) {
  764. int n=8;
  765. unsigned char c;
  766. do {
  767. --n;
  768. c = counter[n];
  769. ++c;
  770. counter[n] = c;
  771. if (c) return;
  772. } while (n);
  773. }
  774. static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  775. {
  776. EVP_AES_GCM_CTX *gctx = c->cipher_data;
  777. switch (type)
  778. {
  779. case EVP_CTRL_INIT:
  780. gctx->key_set = 0;
  781. gctx->iv_set = 0;
  782. gctx->ivlen = c->cipher->iv_len;
  783. gctx->iv = c->iv;
  784. gctx->taglen = -1;
  785. gctx->iv_gen = 0;
  786. gctx->tls_aad_len = -1;
  787. return 1;
  788. case EVP_CTRL_GCM_SET_IVLEN:
  789. if (arg <= 0)
  790. return 0;
  791. #ifdef OPENSSL_FIPS
  792. if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
  793. && arg < 12)
  794. return 0;
  795. #endif
  796. /* Allocate memory for IV if needed */
  797. if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
  798. {
  799. if (gctx->iv != c->iv)
  800. OPENSSL_free(gctx->iv);
  801. gctx->iv = OPENSSL_malloc(arg);
  802. if (!gctx->iv)
  803. return 0;
  804. }
  805. gctx->ivlen = arg;
  806. return 1;
  807. case EVP_CTRL_GCM_SET_TAG:
  808. if (arg <= 0 || arg > 16 || c->encrypt)
  809. return 0;
  810. memcpy(c->buf, ptr, arg);
  811. gctx->taglen = arg;
  812. return 1;
  813. case EVP_CTRL_GCM_GET_TAG:
  814. if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
  815. return 0;
  816. memcpy(ptr, c->buf, arg);
  817. return 1;
  818. case EVP_CTRL_GCM_SET_IV_FIXED:
  819. /* Special case: -1 length restores whole IV */
  820. if (arg == -1)
  821. {
  822. memcpy(gctx->iv, ptr, gctx->ivlen);
  823. gctx->iv_gen = 1;
  824. return 1;
  825. }
  826. /* Fixed field must be at least 4 bytes and invocation field
  827. * at least 8.
  828. */
  829. if ((arg < 4) || (gctx->ivlen - arg) < 8)
  830. return 0;
  831. if (arg)
  832. memcpy(gctx->iv, ptr, arg);
  833. if (c->encrypt &&
  834. RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
  835. return 0;
  836. gctx->iv_gen = 1;
  837. return 1;
  838. case EVP_CTRL_GCM_IV_GEN:
  839. if (gctx->iv_gen == 0 || gctx->key_set == 0)
  840. return 0;
  841. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  842. if (arg <= 0 || arg > gctx->ivlen)
  843. arg = gctx->ivlen;
  844. memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
  845. /* Invocation field will be at least 8 bytes in size and
  846. * so no need to check wrap around or increment more than
  847. * last 8 bytes.
  848. */
  849. ctr64_inc(gctx->iv + gctx->ivlen - 8);
  850. gctx->iv_set = 1;
  851. return 1;
  852. case EVP_CTRL_GCM_SET_IV_INV:
  853. if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
  854. return 0;
  855. memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
  856. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  857. gctx->iv_set = 1;
  858. return 1;
  859. case EVP_CTRL_AEAD_TLS1_AAD:
  860. /* Save the AAD for later use */
  861. if (arg != 13)
  862. return 0;
  863. memcpy(c->buf, ptr, arg);
  864. gctx->tls_aad_len = arg;
  865. {
  866. unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
  867. /* Correct length for explicit IV */
  868. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  869. /* If decrypting correct for tag too */
  870. if (!c->encrypt)
  871. len -= EVP_GCM_TLS_TAG_LEN;
  872. c->buf[arg-2] = len>>8;
  873. c->buf[arg-1] = len & 0xff;
  874. }
  875. /* Extra padding: tag appended to record */
  876. return EVP_GCM_TLS_TAG_LEN;
  877. default:
  878. return -1;
  879. }
  880. }
  881. static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  882. const unsigned char *iv, int enc)
  883. {
  884. EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
  885. if (!iv && !key)
  886. return 1;
  887. if (key)
  888. { do {
  889. #ifdef VPAES_CAPABLE
  890. if (VPAES_CAPABLE)
  891. {
  892. vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
  893. CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
  894. (block128_f)vpaes_encrypt);
  895. break;
  896. }
  897. #endif
  898. AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
  899. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
  900. } while (0);
  901. /* If we have an iv can set it directly, otherwise use
  902. * saved IV.
  903. */
  904. if (iv == NULL && gctx->iv_set)
  905. iv = gctx->iv;
  906. if (iv)
  907. {
  908. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  909. gctx->iv_set = 1;
  910. }
  911. gctx->key_set = 1;
  912. }
  913. else
  914. {
  915. /* If key set use IV, otherwise copy */
  916. if (gctx->key_set)
  917. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  918. else
  919. memcpy(gctx->iv, iv, gctx->ivlen);
  920. gctx->iv_set = 1;
  921. gctx->iv_gen = 0;
  922. }
  923. return 1;
  924. }
  925. /* Handle TLS GCM packet format. This consists of the last portion of the IV
  926. * followed by the payload and finally the tag. On encrypt generate IV,
  927. * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
  928. * and verify tag.
  929. */
  930. static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  931. const unsigned char *in, size_t len)
  932. {
  933. EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
  934. int rv = -1;
  935. /* Encrypt/decrypt must be performed in place */
  936. if (out != in)
  937. return -1;
  938. /* Set IV from start of buffer or generate IV and write to start
  939. * of buffer.
  940. */
  941. if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
  942. EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
  943. EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
  944. goto err;
  945. /* Use saved AAD */
  946. if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
  947. goto err;
  948. /* Fix buffer and length to point to payload */
  949. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  950. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  951. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  952. if (ctx->encrypt)
  953. {
  954. /* Encrypt payload */
  955. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
  956. goto err;
  957. out += len;
  958. /* Finally write tag */
  959. CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
  960. rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  961. }
  962. else
  963. {
  964. /* Decrypt */
  965. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
  966. goto err;
  967. /* Retrieve tag */
  968. CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
  969. EVP_GCM_TLS_TAG_LEN);
  970. /* If tag mismatch wipe buffer */
  971. if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
  972. {
  973. OPENSSL_cleanse(out, len);
  974. goto err;
  975. }
  976. rv = len;
  977. }
  978. err:
  979. gctx->iv_set = 0;
  980. gctx->tls_aad_len = -1;
  981. return rv;
  982. }
  983. static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  984. const unsigned char *in, size_t len)
  985. {
  986. EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
  987. /* If not set up, return error */
  988. if (!gctx->key_set)
  989. return -1;
  990. if (gctx->tls_aad_len >= 0)
  991. return aes_gcm_tls_cipher(ctx, out, in, len);
  992. if (!gctx->iv_set)
  993. return -1;
  994. if (!ctx->encrypt && gctx->taglen < 0)
  995. return -1;
  996. if (in)
  997. {
  998. if (out == NULL)
  999. {
  1000. if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
  1001. return -1;
  1002. }
  1003. else if (ctx->encrypt)
  1004. {
  1005. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
  1006. return -1;
  1007. }
  1008. else
  1009. {
  1010. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
  1011. return -1;
  1012. }
  1013. return len;
  1014. }
  1015. else
  1016. {
  1017. if (!ctx->encrypt)
  1018. {
  1019. if (CRYPTO_gcm128_finish(&gctx->gcm,
  1020. ctx->buf, gctx->taglen) != 0)
  1021. return -1;
  1022. gctx->iv_set = 0;
  1023. return 0;
  1024. }
  1025. CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
  1026. gctx->taglen = 16;
  1027. /* Don't reuse the IV */
  1028. gctx->iv_set = 0;
  1029. return 0;
  1030. }
  1031. }
  1032. #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
  1033. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  1034. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
  1035. BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
  1036. EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
  1037. BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
  1038. EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
  1039. BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
  1040. EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
  1041. static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1042. {
  1043. EVP_AES_XTS_CTX *xctx = c->cipher_data;
  1044. if (type != EVP_CTRL_INIT)
  1045. return -1;
  1046. /* key1 and key2 are used as an indicator both key and IV are set */
  1047. xctx->xts.key1 = NULL;
  1048. xctx->xts.key2 = NULL;
  1049. return 1;
  1050. }
  1051. static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  1052. const unsigned char *iv, int enc)
  1053. {
  1054. EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
  1055. if (!iv && !key)
  1056. return 1;
  1057. if (key) do
  1058. {
  1059. /* key_len is two AES keys */
  1060. #ifdef VPAES_CAPABLE
  1061. if (VPAES_CAPABLE)
  1062. {
  1063. if (enc)
  1064. {
  1065. vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
  1066. xctx->xts.block1 = (block128_f)vpaes_encrypt;
  1067. }
  1068. else
  1069. {
  1070. vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
  1071. xctx->xts.block1 = (block128_f)vpaes_decrypt;
  1072. }
  1073. vpaes_set_encrypt_key(key + ctx->key_len/2,
  1074. ctx->key_len * 4, &xctx->ks2);
  1075. xctx->xts.block2 = (block128_f)vpaes_encrypt;
  1076. xctx->xts.key1 = &xctx->ks1;
  1077. break;
  1078. }
  1079. #endif
  1080. if (enc)
  1081. {
  1082. AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
  1083. xctx->xts.block1 = (block128_f)AES_encrypt;
  1084. }
  1085. else
  1086. {
  1087. AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
  1088. xctx->xts.block1 = (block128_f)AES_decrypt;
  1089. }
  1090. AES_set_encrypt_key(key + ctx->key_len/2,
  1091. ctx->key_len * 4, &xctx->ks2);
  1092. xctx->xts.block2 = (block128_f)AES_encrypt;
  1093. xctx->xts.key1 = &xctx->ks1;
  1094. } while (0);
  1095. if (iv)
  1096. {
  1097. xctx->xts.key2 = &xctx->ks2;
  1098. memcpy(ctx->iv, iv, 16);
  1099. }
  1100. return 1;
  1101. }
  1102. static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1103. const unsigned char *in, size_t len)
  1104. {
  1105. EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
  1106. if (!xctx->xts.key1 || !xctx->xts.key2)
  1107. return -1;
  1108. if (!out || !in)
  1109. return -1;
  1110. #ifdef OPENSSL_FIPS
  1111. /* Requirement of SP800-38E */
  1112. if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
  1113. (len > (1L<<20)*16))
  1114. {
  1115. EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
  1116. return -1;
  1117. }
  1118. #endif
  1119. if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
  1120. ctx->encrypt))
  1121. return -1;
  1122. return len;
  1123. }
  1124. #define aes_xts_cleanup NULL
  1125. BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
  1126. BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
  1127. static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1128. {
  1129. EVP_AES_CCM_CTX *cctx = c->cipher_data;
  1130. switch (type)
  1131. {
  1132. case EVP_CTRL_INIT:
  1133. cctx->key_set = 0;
  1134. cctx->iv_set = 0;
  1135. cctx->L = 8;
  1136. cctx->M = 12;
  1137. cctx->tag_set = 0;
  1138. cctx->len_set = 0;
  1139. return 1;
  1140. case EVP_CTRL_CCM_SET_IVLEN:
  1141. arg = 15 - arg;
  1142. case EVP_CTRL_CCM_SET_L:
  1143. if (arg < 2 || arg > 8)
  1144. return 0;
  1145. cctx->L = arg;
  1146. return 1;
  1147. case EVP_CTRL_CCM_SET_TAG:
  1148. if ((arg & 1) || arg < 4 || arg > 16)
  1149. return 0;
  1150. if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
  1151. return 0;
  1152. if (ptr)
  1153. {
  1154. cctx->tag_set = 1;
  1155. memcpy(c->buf, ptr, arg);
  1156. }
  1157. cctx->M = arg;
  1158. return 1;
  1159. case EVP_CTRL_CCM_GET_TAG:
  1160. if (!c->encrypt || !cctx->tag_set)
  1161. return 0;
  1162. if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
  1163. return 0;
  1164. cctx->tag_set = 0;
  1165. cctx->iv_set = 0;
  1166. cctx->len_set = 0;
  1167. return 1;
  1168. default:
  1169. return -1;
  1170. }
  1171. }
  1172. static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  1173. const unsigned char *iv, int enc)
  1174. {
  1175. EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
  1176. if (!iv && !key)
  1177. return 1;
  1178. if (key) do
  1179. {
  1180. #ifdef VPAES_CAPABLE
  1181. if (VPAES_CAPABLE)
  1182. {
  1183. vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
  1184. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  1185. &cctx->ks, (block128_f)vpaes_encrypt);
  1186. cctx->key_set = 1;
  1187. break;
  1188. }
  1189. #endif
  1190. AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
  1191. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  1192. &cctx->ks, (block128_f)AES_encrypt);
  1193. cctx->key_set = 1;
  1194. } while (0);
  1195. if (iv)
  1196. {
  1197. memcpy(ctx->iv, iv, 15 - cctx->L);
  1198. cctx->iv_set = 1;
  1199. }
  1200. return 1;
  1201. }
  1202. static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1203. const unsigned char *in, size_t len)
  1204. {
  1205. EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
  1206. CCM128_CONTEXT *ccm = &cctx->ccm;
  1207. /* If not set up, return error */
  1208. if (!cctx->iv_set && !cctx->key_set)
  1209. return -1;
  1210. if (!ctx->encrypt && !cctx->tag_set)
  1211. return -1;
  1212. if (!out)
  1213. {
  1214. if (!in)
  1215. {
  1216. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
  1217. return -1;
  1218. cctx->len_set = 1;
  1219. return len;
  1220. }
  1221. /* If have AAD need message length */
  1222. if (!cctx->len_set && len)
  1223. return -1;
  1224. CRYPTO_ccm128_aad(ccm, in, len);
  1225. return len;
  1226. }
  1227. /* EVP_*Final() doesn't return any data */
  1228. if (!in)
  1229. return 0;
  1230. /* If not set length yet do it */
  1231. if (!cctx->len_set)
  1232. {
  1233. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
  1234. return -1;
  1235. cctx->len_set = 1;
  1236. }
  1237. if (ctx->encrypt)
  1238. {
  1239. if (CRYPTO_ccm128_encrypt(ccm, in, out, len))
  1240. return -1;
  1241. cctx->tag_set = 1;
  1242. return len;
  1243. }
  1244. else
  1245. {
  1246. int rv = -1;
  1247. if (!CRYPTO_ccm128_decrypt(ccm, in, out, len))
  1248. {
  1249. unsigned char tag[16];
  1250. if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
  1251. {
  1252. if (!memcmp(tag, ctx->buf, cctx->M))
  1253. rv = len;
  1254. }
  1255. }
  1256. if (rv == -1)
  1257. OPENSSL_cleanse(out, len);
  1258. cctx->iv_set = 0;
  1259. cctx->tag_set = 0;
  1260. cctx->len_set = 0;
  1261. return rv;
  1262. }
  1263. }
  1264. #define aes_ccm_cleanup NULL
  1265. BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
  1266. BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
  1267. BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
  1268. #endif