e_aes.c 134 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160
  1. /*
  2. * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * This file uses the low-level AES functions (which are deprecated for
  11. * non-internal use) in order to implement the EVP AES ciphers.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <string.h>
  15. #include <assert.h>
  16. #include <openssl/opensslconf.h>
  17. #include <openssl/crypto.h>
  18. #include <openssl/evp.h>
  19. #include <openssl/err.h>
  20. #include <openssl/aes.h>
  21. #include <openssl/rand.h>
  22. #include <openssl/cmac.h>
  23. #include "crypto/evp.h"
  24. #include "internal/cryptlib.h"
  25. #include "crypto/modes.h"
  26. #include "crypto/siv.h"
  27. #include "crypto/aes_platform.h"
  28. #include "evp_local.h"
  29. typedef struct {
  30. union {
  31. OSSL_UNION_ALIGN;
  32. AES_KEY ks;
  33. } ks;
  34. block128_f block;
  35. union {
  36. cbc128_f cbc;
  37. ctr128_f ctr;
  38. } stream;
  39. } EVP_AES_KEY;
  40. typedef struct {
  41. union {
  42. OSSL_UNION_ALIGN;
  43. AES_KEY ks;
  44. } ks; /* AES key schedule to use */
  45. int key_set; /* Set if key initialised */
  46. int iv_set; /* Set if an iv is set */
  47. GCM128_CONTEXT gcm;
  48. unsigned char *iv; /* Temporary IV store */
  49. int ivlen; /* IV length */
  50. int taglen;
  51. int iv_gen; /* It is OK to generate IVs */
  52. int iv_gen_rand; /* No IV was specified, so generate a rand IV */
  53. int tls_aad_len; /* TLS AAD length */
  54. uint64_t tls_enc_records; /* Number of TLS records encrypted */
  55. ctr128_f ctr;
  56. } EVP_AES_GCM_CTX;
  57. typedef struct {
  58. union {
  59. OSSL_UNION_ALIGN;
  60. AES_KEY ks;
  61. } ks1, ks2; /* AES key schedules to use */
  62. XTS128_CONTEXT xts;
  63. void (*stream) (const unsigned char *in,
  64. unsigned char *out, size_t length,
  65. const AES_KEY *key1, const AES_KEY *key2,
  66. const unsigned char iv[16]);
  67. } EVP_AES_XTS_CTX;
  68. #ifdef FIPS_MODULE
  69. static const int allow_insecure_decrypt = 0;
  70. #else
  71. static const int allow_insecure_decrypt = 1;
  72. #endif
  73. typedef struct {
  74. union {
  75. OSSL_UNION_ALIGN;
  76. AES_KEY ks;
  77. } ks; /* AES key schedule to use */
  78. int key_set; /* Set if key initialised */
  79. int iv_set; /* Set if an iv is set */
  80. int tag_set; /* Set if tag is valid */
  81. int len_set; /* Set if message length set */
  82. int L, M; /* L and M parameters from RFC3610 */
  83. int tls_aad_len; /* TLS AAD length */
  84. CCM128_CONTEXT ccm;
  85. ccm128_f str;
  86. } EVP_AES_CCM_CTX;
  87. #ifndef OPENSSL_NO_OCB
  88. typedef struct {
  89. union {
  90. OSSL_UNION_ALIGN;
  91. AES_KEY ks;
  92. } ksenc; /* AES key schedule to use for encryption */
  93. union {
  94. OSSL_UNION_ALIGN;
  95. AES_KEY ks;
  96. } ksdec; /* AES key schedule to use for decryption */
  97. int key_set; /* Set if key initialised */
  98. int iv_set; /* Set if an iv is set */
  99. OCB128_CONTEXT ocb;
  100. unsigned char *iv; /* Temporary IV store */
  101. unsigned char tag[16];
  102. unsigned char data_buf[16]; /* Store partial data blocks */
  103. unsigned char aad_buf[16]; /* Store partial AAD blocks */
  104. int data_buf_len;
  105. int aad_buf_len;
  106. int ivlen; /* IV length */
  107. int taglen;
  108. } EVP_AES_OCB_CTX;
  109. #endif
  110. #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
  111. /* increment counter (64-bit int) by 1 */
  112. static void ctr64_inc(unsigned char *counter)
  113. {
  114. int n = 8;
  115. unsigned char c;
  116. do {
  117. --n;
  118. c = counter[n];
  119. ++c;
  120. counter[n] = c;
  121. if (c)
  122. return;
  123. } while (n);
  124. }
  125. #if defined(AESNI_CAPABLE)
  126. # if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
  127. # define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
  128. gctx->gcm.ghash==gcm_ghash_avx)
  129. # undef AES_GCM_ASM2 /* minor size optimization */
  130. # endif
  131. static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  132. const unsigned char *iv, int enc)
  133. {
  134. int ret, mode;
  135. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  136. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  137. if (keylen <= 0) {
  138. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  139. return 0;
  140. }
  141. mode = EVP_CIPHER_CTX_get_mode(ctx);
  142. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  143. && !enc) {
  144. ret = aesni_set_decrypt_key(key, keylen, &dat->ks.ks);
  145. dat->block = (block128_f) aesni_decrypt;
  146. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  147. (cbc128_f) aesni_cbc_encrypt : NULL;
  148. } else {
  149. ret = aesni_set_encrypt_key(key, keylen, &dat->ks.ks);
  150. dat->block = (block128_f) aesni_encrypt;
  151. if (mode == EVP_CIPH_CBC_MODE)
  152. dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
  153. else if (mode == EVP_CIPH_CTR_MODE)
  154. dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
  155. else
  156. dat->stream.cbc = NULL;
  157. }
  158. if (ret < 0) {
  159. ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
  160. return 0;
  161. }
  162. return 1;
  163. }
  164. static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  165. const unsigned char *in, size_t len)
  166. {
  167. aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
  168. ctx->iv, EVP_CIPHER_CTX_is_encrypting(ctx));
  169. return 1;
  170. }
  171. static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  172. const unsigned char *in, size_t len)
  173. {
  174. size_t bl = EVP_CIPHER_CTX_get_block_size(ctx);
  175. if (len < bl)
  176. return 1;
  177. aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
  178. EVP_CIPHER_CTX_is_encrypting(ctx));
  179. return 1;
  180. }
  181. # define aesni_ofb_cipher aes_ofb_cipher
  182. static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  183. const unsigned char *in, size_t len);
  184. # define aesni_cfb_cipher aes_cfb_cipher
  185. static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  186. const unsigned char *in, size_t len);
  187. # define aesni_cfb8_cipher aes_cfb8_cipher
  188. static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  189. const unsigned char *in, size_t len);
  190. # define aesni_cfb1_cipher aes_cfb1_cipher
  191. static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  192. const unsigned char *in, size_t len);
  193. # define aesni_ctr_cipher aes_ctr_cipher
  194. static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  195. const unsigned char *in, size_t len);
  196. static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  197. const unsigned char *iv, int enc)
  198. {
  199. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX, ctx);
  200. if (iv == NULL && key == NULL)
  201. return 1;
  202. if (key) {
  203. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  204. if (keylen <= 0) {
  205. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  206. return 0;
  207. }
  208. aesni_set_encrypt_key(key, keylen, &gctx->ks.ks);
  209. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
  210. gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
  211. /*
  212. * If we have an iv can set it directly, otherwise use saved IV.
  213. */
  214. if (iv == NULL && gctx->iv_set)
  215. iv = gctx->iv;
  216. if (iv) {
  217. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  218. gctx->iv_set = 1;
  219. }
  220. gctx->key_set = 1;
  221. } else {
  222. /* If key set use IV, otherwise copy */
  223. if (gctx->key_set)
  224. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  225. else
  226. memcpy(gctx->iv, iv, gctx->ivlen);
  227. gctx->iv_set = 1;
  228. gctx->iv_gen = 0;
  229. }
  230. return 1;
  231. }
  232. # define aesni_gcm_cipher aes_gcm_cipher
  233. static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  234. const unsigned char *in, size_t len);
  235. static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  236. const unsigned char *iv, int enc)
  237. {
  238. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  239. if (iv == NULL && key == NULL)
  240. return 1;
  241. if (key) {
  242. /* The key is two half length keys in reality */
  243. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  244. const int bytes = keylen / 2;
  245. const int bits = bytes * 8;
  246. if (keylen <= 0) {
  247. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  248. return 0;
  249. }
  250. /*
  251. * Verify that the two keys are different.
  252. *
  253. * This addresses Rogaway's vulnerability.
  254. * See comment in aes_xts_init_key() below.
  255. */
  256. if ((!allow_insecure_decrypt || enc)
  257. && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
  258. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
  259. return 0;
  260. }
  261. /* key_len is two AES keys */
  262. if (enc) {
  263. aesni_set_encrypt_key(key, bits, &xctx->ks1.ks);
  264. xctx->xts.block1 = (block128_f) aesni_encrypt;
  265. xctx->stream = aesni_xts_encrypt;
  266. } else {
  267. aesni_set_decrypt_key(key, bits, &xctx->ks1.ks);
  268. xctx->xts.block1 = (block128_f) aesni_decrypt;
  269. xctx->stream = aesni_xts_decrypt;
  270. }
  271. aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  272. xctx->xts.block2 = (block128_f) aesni_encrypt;
  273. xctx->xts.key1 = &xctx->ks1;
  274. }
  275. if (iv) {
  276. xctx->xts.key2 = &xctx->ks2;
  277. memcpy(ctx->iv, iv, 16);
  278. }
  279. return 1;
  280. }
  281. # define aesni_xts_cipher aes_xts_cipher
  282. static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  283. const unsigned char *in, size_t len);
  284. static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  285. const unsigned char *iv, int enc)
  286. {
  287. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  288. if (iv == NULL && key == NULL)
  289. return 1;
  290. if (key != NULL) {
  291. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  292. if (keylen <= 0) {
  293. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  294. return 0;
  295. }
  296. aesni_set_encrypt_key(key, keylen, &cctx->ks.ks);
  297. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  298. &cctx->ks, (block128_f) aesni_encrypt);
  299. cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
  300. (ccm128_f) aesni_ccm64_decrypt_blocks;
  301. cctx->key_set = 1;
  302. }
  303. if (iv) {
  304. memcpy(ctx->iv, iv, 15 - cctx->L);
  305. cctx->iv_set = 1;
  306. }
  307. return 1;
  308. }
  309. # define aesni_ccm_cipher aes_ccm_cipher
  310. static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  311. const unsigned char *in, size_t len);
  312. # ifndef OPENSSL_NO_OCB
  313. static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  314. const unsigned char *iv, int enc)
  315. {
  316. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  317. if (iv == NULL && key == NULL)
  318. return 1;
  319. if (key != NULL) {
  320. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  321. if (keylen <= 0) {
  322. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  323. return 0;
  324. }
  325. do {
  326. /*
  327. * We set both the encrypt and decrypt key here because decrypt
  328. * needs both. We could possibly optimise to remove setting the
  329. * decrypt for an encryption operation.
  330. */
  331. aesni_set_encrypt_key(key, keylen, &octx->ksenc.ks);
  332. aesni_set_decrypt_key(key, keylen, &octx->ksdec.ks);
  333. if (!CRYPTO_ocb128_init(&octx->ocb,
  334. &octx->ksenc.ks, &octx->ksdec.ks,
  335. (block128_f) aesni_encrypt,
  336. (block128_f) aesni_decrypt,
  337. enc ? aesni_ocb_encrypt
  338. : aesni_ocb_decrypt))
  339. return 0;
  340. }
  341. while (0);
  342. /*
  343. * If we have an iv we can set it directly, otherwise use saved IV.
  344. */
  345. if (iv == NULL && octx->iv_set)
  346. iv = octx->iv;
  347. if (iv) {
  348. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  349. != 1)
  350. return 0;
  351. octx->iv_set = 1;
  352. }
  353. octx->key_set = 1;
  354. } else {
  355. /* If key set use IV, otherwise copy */
  356. if (octx->key_set)
  357. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  358. else
  359. memcpy(octx->iv, iv, octx->ivlen);
  360. octx->iv_set = 1;
  361. }
  362. return 1;
  363. }
  364. # define aesni_ocb_cipher aes_ocb_cipher
  365. static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  366. const unsigned char *in, size_t len);
  367. # endif /* OPENSSL_NO_OCB */
  368. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  369. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  370. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  371. flags|EVP_CIPH_##MODE##_MODE, \
  372. EVP_ORIG_GLOBAL, \
  373. aesni_init_key, \
  374. aesni_##mode##_cipher, \
  375. NULL, \
  376. sizeof(EVP_AES_KEY), \
  377. NULL,NULL,NULL,NULL }; \
  378. static const EVP_CIPHER aes_##keylen##_##mode = { \
  379. nid##_##keylen##_##nmode,blocksize, \
  380. keylen/8,ivlen, \
  381. flags|EVP_CIPH_##MODE##_MODE, \
  382. EVP_ORIG_GLOBAL, \
  383. aes_init_key, \
  384. aes_##mode##_cipher, \
  385. NULL, \
  386. sizeof(EVP_AES_KEY), \
  387. NULL,NULL,NULL,NULL }; \
  388. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  389. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  390. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  391. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  392. nid##_##keylen##_##mode,blocksize, \
  393. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  394. ivlen, \
  395. flags|EVP_CIPH_##MODE##_MODE, \
  396. EVP_ORIG_GLOBAL, \
  397. aesni_##mode##_init_key, \
  398. aesni_##mode##_cipher, \
  399. aes_##mode##_cleanup, \
  400. sizeof(EVP_AES_##MODE##_CTX), \
  401. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  402. static const EVP_CIPHER aes_##keylen##_##mode = { \
  403. nid##_##keylen##_##mode,blocksize, \
  404. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  405. ivlen, \
  406. flags|EVP_CIPH_##MODE##_MODE, \
  407. EVP_ORIG_GLOBAL, \
  408. aes_##mode##_init_key, \
  409. aes_##mode##_cipher, \
  410. aes_##mode##_cleanup, \
  411. sizeof(EVP_AES_##MODE##_CTX), \
  412. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  413. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  414. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  415. #elif defined(SPARC_AES_CAPABLE)
  416. static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  417. const unsigned char *iv, int enc)
  418. {
  419. int ret, mode, bits;
  420. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  421. mode = EVP_CIPHER_CTX_get_mode(ctx);
  422. bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  423. if (bits <= 0) {
  424. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  425. return 0;
  426. }
  427. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  428. && !enc) {
  429. ret = 0;
  430. aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
  431. dat->block = (block128_f) aes_t4_decrypt;
  432. switch (bits) {
  433. case 128:
  434. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  435. (cbc128_f) aes128_t4_cbc_decrypt : NULL;
  436. break;
  437. case 192:
  438. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  439. (cbc128_f) aes192_t4_cbc_decrypt : NULL;
  440. break;
  441. case 256:
  442. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  443. (cbc128_f) aes256_t4_cbc_decrypt : NULL;
  444. break;
  445. default:
  446. ret = -1;
  447. }
  448. } else {
  449. ret = 0;
  450. aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
  451. dat->block = (block128_f) aes_t4_encrypt;
  452. switch (bits) {
  453. case 128:
  454. if (mode == EVP_CIPH_CBC_MODE)
  455. dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
  456. else if (mode == EVP_CIPH_CTR_MODE)
  457. dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
  458. else
  459. dat->stream.cbc = NULL;
  460. break;
  461. case 192:
  462. if (mode == EVP_CIPH_CBC_MODE)
  463. dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
  464. else if (mode == EVP_CIPH_CTR_MODE)
  465. dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
  466. else
  467. dat->stream.cbc = NULL;
  468. break;
  469. case 256:
  470. if (mode == EVP_CIPH_CBC_MODE)
  471. dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
  472. else if (mode == EVP_CIPH_CTR_MODE)
  473. dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
  474. else
  475. dat->stream.cbc = NULL;
  476. break;
  477. default:
  478. ret = -1;
  479. }
  480. }
  481. if (ret < 0) {
  482. ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
  483. return 0;
  484. }
  485. return 1;
  486. }
  487. # define aes_t4_cbc_cipher aes_cbc_cipher
  488. static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  489. const unsigned char *in, size_t len);
  490. # define aes_t4_ecb_cipher aes_ecb_cipher
  491. static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  492. const unsigned char *in, size_t len);
  493. # define aes_t4_ofb_cipher aes_ofb_cipher
  494. static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  495. const unsigned char *in, size_t len);
  496. # define aes_t4_cfb_cipher aes_cfb_cipher
  497. static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  498. const unsigned char *in, size_t len);
  499. # define aes_t4_cfb8_cipher aes_cfb8_cipher
  500. static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  501. const unsigned char *in, size_t len);
  502. # define aes_t4_cfb1_cipher aes_cfb1_cipher
  503. static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  504. const unsigned char *in, size_t len);
  505. # define aes_t4_ctr_cipher aes_ctr_cipher
  506. static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  507. const unsigned char *in, size_t len);
  508. static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  509. const unsigned char *iv, int enc)
  510. {
  511. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  512. if (iv == NULL && key == NULL)
  513. return 1;
  514. if (key) {
  515. const int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  516. if (bits <= 0) {
  517. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  518. return 0;
  519. }
  520. aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
  521. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  522. (block128_f) aes_t4_encrypt);
  523. switch (bits) {
  524. case 128:
  525. gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
  526. break;
  527. case 192:
  528. gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
  529. break;
  530. case 256:
  531. gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
  532. break;
  533. default:
  534. return 0;
  535. }
  536. /*
  537. * If we have an iv can set it directly, otherwise use saved IV.
  538. */
  539. if (iv == NULL && gctx->iv_set)
  540. iv = gctx->iv;
  541. if (iv) {
  542. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  543. gctx->iv_set = 1;
  544. }
  545. gctx->key_set = 1;
  546. } else {
  547. /* If key set use IV, otherwise copy */
  548. if (gctx->key_set)
  549. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  550. else
  551. memcpy(gctx->iv, iv, gctx->ivlen);
  552. gctx->iv_set = 1;
  553. gctx->iv_gen = 0;
  554. }
  555. return 1;
  556. }
  557. # define aes_t4_gcm_cipher aes_gcm_cipher
  558. static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  559. const unsigned char *in, size_t len);
  560. static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  561. const unsigned char *iv, int enc)
  562. {
  563. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  564. if (!iv && !key)
  565. return 1;
  566. if (key) {
  567. /* The key is two half length keys in reality */
  568. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  569. const int bytes = keylen / 2;
  570. const int bits = bytes * 8;
  571. if (keylen <= 0) {
  572. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  573. return 0;
  574. }
  575. /*
  576. * Verify that the two keys are different.
  577. *
  578. * This addresses Rogaway's vulnerability.
  579. * See comment in aes_xts_init_key() below.
  580. */
  581. if ((!allow_insecure_decrypt || enc)
  582. && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
  583. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
  584. return 0;
  585. }
  586. xctx->stream = NULL;
  587. /* key_len is two AES keys */
  588. if (enc) {
  589. aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
  590. xctx->xts.block1 = (block128_f) aes_t4_encrypt;
  591. switch (bits) {
  592. case 128:
  593. xctx->stream = aes128_t4_xts_encrypt;
  594. break;
  595. case 256:
  596. xctx->stream = aes256_t4_xts_encrypt;
  597. break;
  598. default:
  599. return 0;
  600. }
  601. } else {
  602. aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks);
  603. xctx->xts.block1 = (block128_f) aes_t4_decrypt;
  604. switch (bits) {
  605. case 128:
  606. xctx->stream = aes128_t4_xts_decrypt;
  607. break;
  608. case 256:
  609. xctx->stream = aes256_t4_xts_decrypt;
  610. break;
  611. default:
  612. return 0;
  613. }
  614. }
  615. aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  616. xctx->xts.block2 = (block128_f) aes_t4_encrypt;
  617. xctx->xts.key1 = &xctx->ks1;
  618. }
  619. if (iv) {
  620. xctx->xts.key2 = &xctx->ks2;
  621. memcpy(ctx->iv, iv, 16);
  622. }
  623. return 1;
  624. }
  625. # define aes_t4_xts_cipher aes_xts_cipher
  626. static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  627. const unsigned char *in, size_t len);
  628. static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  629. const unsigned char *iv, int enc)
  630. {
  631. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  632. if (iv == NULL && key == NULL)
  633. return 1;
  634. if (key != NULL) {
  635. const int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  636. if (bits <= 0) {
  637. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  638. return 0;
  639. }
  640. aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
  641. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  642. &cctx->ks, (block128_f) aes_t4_encrypt);
  643. cctx->str = NULL;
  644. cctx->key_set = 1;
  645. }
  646. if (iv) {
  647. memcpy(ctx->iv, iv, 15 - cctx->L);
  648. cctx->iv_set = 1;
  649. }
  650. return 1;
  651. }
  652. # define aes_t4_ccm_cipher aes_ccm_cipher
  653. static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  654. const unsigned char *in, size_t len);
  655. # ifndef OPENSSL_NO_OCB
  656. static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  657. const unsigned char *iv, int enc)
  658. {
  659. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  660. if (iv == NULL && key == NULL)
  661. return 1;
  662. if (key != NULL) {
  663. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  664. if (keylen <= 0) {
  665. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  666. return 0;
  667. }
  668. do {
  669. /*
  670. * We set both the encrypt and decrypt key here because decrypt
  671. * needs both. We could possibly optimise to remove setting the
  672. * decrypt for an encryption operation.
  673. */
  674. aes_t4_set_encrypt_key(key, keylen, &octx->ksenc.ks);
  675. aes_t4_set_decrypt_key(key, keylen, &octx->ksdec.ks);
  676. if (!CRYPTO_ocb128_init(&octx->ocb,
  677. &octx->ksenc.ks, &octx->ksdec.ks,
  678. (block128_f) aes_t4_encrypt,
  679. (block128_f) aes_t4_decrypt,
  680. NULL))
  681. return 0;
  682. }
  683. while (0);
  684. /*
  685. * If we have an iv we can set it directly, otherwise use saved IV.
  686. */
  687. if (iv == NULL && octx->iv_set)
  688. iv = octx->iv;
  689. if (iv) {
  690. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  691. != 1)
  692. return 0;
  693. octx->iv_set = 1;
  694. }
  695. octx->key_set = 1;
  696. } else {
  697. /* If key set use IV, otherwise copy */
  698. if (octx->key_set)
  699. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  700. else
  701. memcpy(octx->iv, iv, octx->ivlen);
  702. octx->iv_set = 1;
  703. }
  704. return 1;
  705. }
  706. # define aes_t4_ocb_cipher aes_ocb_cipher
  707. static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  708. const unsigned char *in, size_t len);
  709. # endif /* OPENSSL_NO_OCB */
  710. # ifndef OPENSSL_NO_SIV
  711. # define aes_t4_siv_init_key aes_siv_init_key
  712. # define aes_t4_siv_cipher aes_siv_cipher
  713. # endif /* OPENSSL_NO_SIV */
  714. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  715. static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
  716. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  717. flags|EVP_CIPH_##MODE##_MODE, \
  718. EVP_ORIG_GLOBAL, \
  719. aes_t4_init_key, \
  720. aes_t4_##mode##_cipher, \
  721. NULL, \
  722. sizeof(EVP_AES_KEY), \
  723. NULL,NULL,NULL,NULL }; \
  724. static const EVP_CIPHER aes_##keylen##_##mode = { \
  725. nid##_##keylen##_##nmode,blocksize, \
  726. keylen/8,ivlen, \
  727. flags|EVP_CIPH_##MODE##_MODE, \
  728. EVP_ORIG_GLOBAL, \
  729. aes_init_key, \
  730. aes_##mode##_cipher, \
  731. NULL, \
  732. sizeof(EVP_AES_KEY), \
  733. NULL,NULL,NULL,NULL }; \
  734. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  735. { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
  736. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  737. static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
  738. nid##_##keylen##_##mode,blocksize, \
  739. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  740. ivlen, \
  741. flags|EVP_CIPH_##MODE##_MODE, \
  742. EVP_ORIG_GLOBAL, \
  743. aes_t4_##mode##_init_key, \
  744. aes_t4_##mode##_cipher, \
  745. aes_##mode##_cleanup, \
  746. sizeof(EVP_AES_##MODE##_CTX), \
  747. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  748. static const EVP_CIPHER aes_##keylen##_##mode = { \
  749. nid##_##keylen##_##mode,blocksize, \
  750. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  751. ivlen, \
  752. flags|EVP_CIPH_##MODE##_MODE, \
  753. EVP_ORIG_GLOBAL, \
  754. aes_##mode##_init_key, \
  755. aes_##mode##_cipher, \
  756. aes_##mode##_cleanup, \
  757. sizeof(EVP_AES_##MODE##_CTX), \
  758. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  759. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  760. { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
  761. #elif defined(S390X_aes_128_CAPABLE)
  762. /* IBM S390X support */
  763. typedef struct {
  764. union {
  765. OSSL_UNION_ALIGN;
  766. /*-
  767. * KM-AES parameter block - begin
  768. * (see z/Architecture Principles of Operation >= SA22-7832-06)
  769. */
  770. struct {
  771. unsigned char k[32];
  772. } param;
  773. /* KM-AES parameter block - end */
  774. } km;
  775. unsigned int fc;
  776. } S390X_AES_ECB_CTX;
  777. typedef struct {
  778. union {
  779. OSSL_UNION_ALIGN;
  780. /*-
  781. * KMO-AES parameter block - begin
  782. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  783. */
  784. struct {
  785. unsigned char cv[16];
  786. unsigned char k[32];
  787. } param;
  788. /* KMO-AES parameter block - end */
  789. } kmo;
  790. unsigned int fc;
  791. int res;
  792. } S390X_AES_OFB_CTX;
  793. typedef struct {
  794. union {
  795. OSSL_UNION_ALIGN;
  796. /*-
  797. * KMF-AES parameter block - begin
  798. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  799. */
  800. struct {
  801. unsigned char cv[16];
  802. unsigned char k[32];
  803. } param;
  804. /* KMF-AES parameter block - end */
  805. } kmf;
  806. unsigned int fc;
  807. int res;
  808. } S390X_AES_CFB_CTX;
  809. typedef struct {
  810. union {
  811. OSSL_UNION_ALIGN;
  812. /*-
  813. * KMA-GCM-AES parameter block - begin
  814. * (see z/Architecture Principles of Operation >= SA22-7832-11)
  815. */
  816. struct {
  817. unsigned char reserved[12];
  818. union {
  819. unsigned int w;
  820. unsigned char b[4];
  821. } cv;
  822. union {
  823. unsigned long long g[2];
  824. unsigned char b[16];
  825. } t;
  826. unsigned char h[16];
  827. unsigned long long taadl;
  828. unsigned long long tpcl;
  829. union {
  830. unsigned long long g[2];
  831. unsigned int w[4];
  832. } j0;
  833. unsigned char k[32];
  834. } param;
  835. /* KMA-GCM-AES parameter block - end */
  836. } kma;
  837. unsigned int fc;
  838. int key_set;
  839. unsigned char *iv;
  840. int ivlen;
  841. int iv_set;
  842. int iv_gen;
  843. int taglen;
  844. unsigned char ares[16];
  845. unsigned char mres[16];
  846. unsigned char kres[16];
  847. int areslen;
  848. int mreslen;
  849. int kreslen;
  850. int tls_aad_len;
  851. uint64_t tls_enc_records; /* Number of TLS records encrypted */
  852. } S390X_AES_GCM_CTX;
  853. typedef struct {
  854. union {
  855. OSSL_UNION_ALIGN;
  856. /*-
  857. * Padding is chosen so that ccm.kmac_param.k overlaps with key.k and
  858. * ccm.fc with key.k.rounds. Remember that on s390x, an AES_KEY's
  859. * rounds field is used to store the function code and that the key
  860. * schedule is not stored (if aes hardware support is detected).
  861. */
  862. struct {
  863. unsigned char pad[16];
  864. AES_KEY k;
  865. } key;
  866. struct {
  867. /*-
  868. * KMAC-AES parameter block - begin
  869. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  870. */
  871. struct {
  872. union {
  873. unsigned long long g[2];
  874. unsigned char b[16];
  875. } icv;
  876. unsigned char k[32];
  877. } kmac_param;
  878. /* KMAC-AES parameter block - end */
  879. union {
  880. unsigned long long g[2];
  881. unsigned char b[16];
  882. } nonce;
  883. union {
  884. unsigned long long g[2];
  885. unsigned char b[16];
  886. } buf;
  887. unsigned long long blocks;
  888. int l;
  889. int m;
  890. int tls_aad_len;
  891. int iv_set;
  892. int tag_set;
  893. int len_set;
  894. int key_set;
  895. unsigned char pad[140];
  896. unsigned int fc;
  897. } ccm;
  898. } aes;
  899. } S390X_AES_CCM_CTX;
  900. # define s390x_aes_init_key aes_init_key
  901. static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  902. const unsigned char *iv, int enc);
  903. # define S390X_AES_CBC_CTX EVP_AES_KEY
  904. # define s390x_aes_cbc_init_key aes_init_key
  905. # define s390x_aes_cbc_cipher aes_cbc_cipher
  906. static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  907. const unsigned char *in, size_t len);
  908. static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx,
  909. const unsigned char *key,
  910. const unsigned char *iv, int enc)
  911. {
  912. S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
  913. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  914. if (keylen <= 0) {
  915. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  916. return 0;
  917. }
  918. cctx->fc = S390X_AES_FC(keylen);
  919. if (!enc)
  920. cctx->fc |= S390X_DECRYPT;
  921. memcpy(cctx->km.param.k, key, keylen);
  922. return 1;
  923. }
  924. static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  925. const unsigned char *in, size_t len)
  926. {
  927. S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
  928. s390x_km(in, len, out, cctx->fc, &cctx->km.param);
  929. return 1;
  930. }
  931. static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx,
  932. const unsigned char *key,
  933. const unsigned char *ivec, int enc)
  934. {
  935. S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
  936. const unsigned char *iv = ctx->oiv;
  937. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  938. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  939. if (keylen <= 0) {
  940. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  941. return 0;
  942. }
  943. if (ivlen <= 0) {
  944. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
  945. return 0;
  946. }
  947. memcpy(cctx->kmo.param.cv, iv, ivlen);
  948. memcpy(cctx->kmo.param.k, key, keylen);
  949. cctx->fc = S390X_AES_FC(keylen);
  950. cctx->res = 0;
  951. return 1;
  952. }
  953. static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  954. const unsigned char *in, size_t len)
  955. {
  956. S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
  957. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  958. unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
  959. int n = cctx->res;
  960. int rem;
  961. memcpy(cctx->kmo.param.cv, iv, ivlen);
  962. while (n && len) {
  963. *out = *in ^ cctx->kmo.param.cv[n];
  964. n = (n + 1) & 0xf;
  965. --len;
  966. ++in;
  967. ++out;
  968. }
  969. rem = len & 0xf;
  970. len &= ~(size_t)0xf;
  971. if (len) {
  972. s390x_kmo(in, len, out, cctx->fc, &cctx->kmo.param);
  973. out += len;
  974. in += len;
  975. }
  976. if (rem) {
  977. s390x_km(cctx->kmo.param.cv, 16, cctx->kmo.param.cv, cctx->fc,
  978. cctx->kmo.param.k);
  979. while (rem--) {
  980. out[n] = in[n] ^ cctx->kmo.param.cv[n];
  981. ++n;
  982. }
  983. }
  984. memcpy(iv, cctx->kmo.param.cv, ivlen);
  985. cctx->res = n;
  986. return 1;
  987. }
  988. static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx,
  989. const unsigned char *key,
  990. const unsigned char *ivec, int enc)
  991. {
  992. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  993. const unsigned char *iv = ctx->oiv;
  994. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  995. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  996. if (keylen <= 0) {
  997. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  998. return 0;
  999. }
  1000. if (ivlen <= 0) {
  1001. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
  1002. return 0;
  1003. }
  1004. cctx->fc = S390X_AES_FC(keylen);
  1005. cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */
  1006. if (!enc)
  1007. cctx->fc |= S390X_DECRYPT;
  1008. cctx->res = 0;
  1009. memcpy(cctx->kmf.param.cv, iv, ivlen);
  1010. memcpy(cctx->kmf.param.k, key, keylen);
  1011. return 1;
  1012. }
  1013. static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1014. const unsigned char *in, size_t len)
  1015. {
  1016. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  1017. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  1018. const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
  1019. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  1020. unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
  1021. int n = cctx->res;
  1022. int rem;
  1023. unsigned char tmp;
  1024. if (keylen <= 0) {
  1025. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  1026. return 0;
  1027. }
  1028. if (ivlen <= 0) {
  1029. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
  1030. return 0;
  1031. }
  1032. memcpy(cctx->kmf.param.cv, iv, ivlen);
  1033. while (n && len) {
  1034. tmp = *in;
  1035. *out = cctx->kmf.param.cv[n] ^ tmp;
  1036. cctx->kmf.param.cv[n] = enc ? *out : tmp;
  1037. n = (n + 1) & 0xf;
  1038. --len;
  1039. ++in;
  1040. ++out;
  1041. }
  1042. rem = len & 0xf;
  1043. len &= ~(size_t)0xf;
  1044. if (len) {
  1045. s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
  1046. out += len;
  1047. in += len;
  1048. }
  1049. if (rem) {
  1050. s390x_km(cctx->kmf.param.cv, 16, cctx->kmf.param.cv,
  1051. S390X_AES_FC(keylen), cctx->kmf.param.k);
  1052. while (rem--) {
  1053. tmp = in[n];
  1054. out[n] = cctx->kmf.param.cv[n] ^ tmp;
  1055. cctx->kmf.param.cv[n] = enc ? out[n] : tmp;
  1056. ++n;
  1057. }
  1058. }
  1059. memcpy(iv, cctx->kmf.param.cv, ivlen);
  1060. cctx->res = n;
  1061. return 1;
  1062. }
  1063. static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX *ctx,
  1064. const unsigned char *key,
  1065. const unsigned char *ivec, int enc)
  1066. {
  1067. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  1068. const unsigned char *iv = ctx->oiv;
  1069. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  1070. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  1071. if (keylen <= 0) {
  1072. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  1073. return 0;
  1074. }
  1075. if (ivlen <= 0) {
  1076. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
  1077. return 0;
  1078. }
  1079. cctx->fc = S390X_AES_FC(keylen);
  1080. cctx->fc |= 1 << 24; /* 1 byte cipher feedback */
  1081. if (!enc)
  1082. cctx->fc |= S390X_DECRYPT;
  1083. memcpy(cctx->kmf.param.cv, iv, ivlen);
  1084. memcpy(cctx->kmf.param.k, key, keylen);
  1085. return 1;
  1086. }
  1087. static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1088. const unsigned char *in, size_t len)
  1089. {
  1090. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  1091. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  1092. unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
  1093. memcpy(cctx->kmf.param.cv, iv, ivlen);
  1094. s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
  1095. memcpy(iv, cctx->kmf.param.cv, ivlen);
  1096. return 1;
  1097. }
  1098. # define s390x_aes_cfb1_init_key aes_init_key
  1099. # define s390x_aes_cfb1_cipher aes_cfb1_cipher
  1100. static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1101. const unsigned char *in, size_t len);
  1102. # define S390X_AES_CTR_CTX EVP_AES_KEY
  1103. # define s390x_aes_ctr_init_key aes_init_key
  1104. # define s390x_aes_ctr_cipher aes_ctr_cipher
  1105. static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1106. const unsigned char *in, size_t len);
  1107. /* iv + padding length for iv lengths != 12 */
  1108. # define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
  1109. /*-
  1110. * Process additional authenticated data. Returns 0 on success. Code is
  1111. * big-endian.
  1112. */
  1113. static int s390x_aes_gcm_aad(S390X_AES_GCM_CTX *ctx, const unsigned char *aad,
  1114. size_t len)
  1115. {
  1116. unsigned long long alen;
  1117. int n, rem;
  1118. if (ctx->kma.param.tpcl)
  1119. return -2;
  1120. alen = ctx->kma.param.taadl + len;
  1121. if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
  1122. return -1;
  1123. ctx->kma.param.taadl = alen;
  1124. n = ctx->areslen;
  1125. if (n) {
  1126. while (n && len) {
  1127. ctx->ares[n] = *aad;
  1128. n = (n + 1) & 0xf;
  1129. ++aad;
  1130. --len;
  1131. }
  1132. /* ctx->ares contains a complete block if offset has wrapped around */
  1133. if (!n) {
  1134. s390x_kma(ctx->ares, 16, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
  1135. ctx->fc |= S390X_KMA_HS;
  1136. }
  1137. ctx->areslen = n;
  1138. }
  1139. rem = len & 0xf;
  1140. len &= ~(size_t)0xf;
  1141. if (len) {
  1142. s390x_kma(aad, len, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
  1143. aad += len;
  1144. ctx->fc |= S390X_KMA_HS;
  1145. }
  1146. if (rem) {
  1147. ctx->areslen = rem;
  1148. do {
  1149. --rem;
  1150. ctx->ares[rem] = aad[rem];
  1151. } while (rem);
  1152. }
  1153. return 0;
  1154. }
  1155. /*-
  1156. * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 0 for
  1157. * success. Code is big-endian.
  1158. */
  1159. static int s390x_aes_gcm(S390X_AES_GCM_CTX *ctx, const unsigned char *in,
  1160. unsigned char *out, size_t len)
  1161. {
  1162. const unsigned char *inptr;
  1163. unsigned long long mlen;
  1164. union {
  1165. unsigned int w[4];
  1166. unsigned char b[16];
  1167. } buf;
  1168. size_t inlen;
  1169. int n, rem, i;
  1170. mlen = ctx->kma.param.tpcl + len;
  1171. if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
  1172. return -1;
  1173. ctx->kma.param.tpcl = mlen;
  1174. n = ctx->mreslen;
  1175. if (n) {
  1176. inptr = in;
  1177. inlen = len;
  1178. while (n && inlen) {
  1179. ctx->mres[n] = *inptr;
  1180. n = (n + 1) & 0xf;
  1181. ++inptr;
  1182. --inlen;
  1183. }
  1184. /* ctx->mres contains a complete block if offset has wrapped around */
  1185. if (!n) {
  1186. s390x_kma(ctx->ares, ctx->areslen, ctx->mres, 16, buf.b,
  1187. ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
  1188. ctx->fc |= S390X_KMA_HS;
  1189. ctx->areslen = 0;
  1190. /* previous call already encrypted/decrypted its remainder,
  1191. * see comment below */
  1192. n = ctx->mreslen;
  1193. while (n) {
  1194. *out = buf.b[n];
  1195. n = (n + 1) & 0xf;
  1196. ++out;
  1197. ++in;
  1198. --len;
  1199. }
  1200. ctx->mreslen = 0;
  1201. }
  1202. }
  1203. rem = len & 0xf;
  1204. len &= ~(size_t)0xf;
  1205. if (len) {
  1206. s390x_kma(ctx->ares, ctx->areslen, in, len, out,
  1207. ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
  1208. in += len;
  1209. out += len;
  1210. ctx->fc |= S390X_KMA_HS;
  1211. ctx->areslen = 0;
  1212. }
  1213. /*-
  1214. * If there is a remainder, it has to be saved such that it can be
  1215. * processed by kma later. However, we also have to do the for-now
  1216. * unauthenticated encryption/decryption part here and now...
  1217. */
  1218. if (rem) {
  1219. if (!ctx->mreslen) {
  1220. buf.w[0] = ctx->kma.param.j0.w[0];
  1221. buf.w[1] = ctx->kma.param.j0.w[1];
  1222. buf.w[2] = ctx->kma.param.j0.w[2];
  1223. buf.w[3] = ctx->kma.param.cv.w + 1;
  1224. s390x_km(buf.b, 16, ctx->kres, ctx->fc & 0x1f, &ctx->kma.param.k);
  1225. }
  1226. n = ctx->mreslen;
  1227. for (i = 0; i < rem; i++) {
  1228. ctx->mres[n + i] = in[i];
  1229. out[i] = in[i] ^ ctx->kres[n + i];
  1230. }
  1231. ctx->mreslen += rem;
  1232. }
  1233. return 0;
  1234. }
  1235. /*-
  1236. * Initialize context structure. Code is big-endian.
  1237. */
  1238. static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx,
  1239. const unsigned char *iv)
  1240. {
  1241. ctx->kma.param.t.g[0] = 0;
  1242. ctx->kma.param.t.g[1] = 0;
  1243. ctx->kma.param.tpcl = 0;
  1244. ctx->kma.param.taadl = 0;
  1245. ctx->mreslen = 0;
  1246. ctx->areslen = 0;
  1247. ctx->kreslen = 0;
  1248. if (ctx->ivlen == 12) {
  1249. memcpy(&ctx->kma.param.j0, iv, ctx->ivlen);
  1250. ctx->kma.param.j0.w[3] = 1;
  1251. ctx->kma.param.cv.w = 1;
  1252. } else {
  1253. /* ctx->iv has the right size and is already padded. */
  1254. memcpy(ctx->iv, iv, ctx->ivlen);
  1255. s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL,
  1256. ctx->fc, &ctx->kma.param);
  1257. ctx->fc |= S390X_KMA_HS;
  1258. ctx->kma.param.j0.g[0] = ctx->kma.param.t.g[0];
  1259. ctx->kma.param.j0.g[1] = ctx->kma.param.t.g[1];
  1260. ctx->kma.param.cv.w = ctx->kma.param.j0.w[3];
  1261. ctx->kma.param.t.g[0] = 0;
  1262. ctx->kma.param.t.g[1] = 0;
  1263. }
  1264. }
  1265. /*-
  1266. * Performs various operations on the context structure depending on control
  1267. * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
  1268. * Code is big-endian.
  1269. */
  1270. static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1271. {
  1272. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
  1273. S390X_AES_GCM_CTX *gctx_out;
  1274. EVP_CIPHER_CTX *out;
  1275. unsigned char *buf;
  1276. int ivlen, enc, len;
  1277. switch (type) {
  1278. case EVP_CTRL_INIT:
  1279. ivlen = EVP_CIPHER_get_iv_length(c->cipher);
  1280. gctx->key_set = 0;
  1281. gctx->iv_set = 0;
  1282. gctx->ivlen = ivlen;
  1283. gctx->iv = c->iv;
  1284. gctx->taglen = -1;
  1285. gctx->iv_gen = 0;
  1286. gctx->tls_aad_len = -1;
  1287. return 1;
  1288. case EVP_CTRL_GET_IVLEN:
  1289. *(int *)ptr = gctx->ivlen;
  1290. return 1;
  1291. case EVP_CTRL_AEAD_SET_IVLEN:
  1292. if (arg <= 0)
  1293. return 0;
  1294. if (arg != 12) {
  1295. len = S390X_gcm_ivpadlen(arg);
  1296. /* Allocate memory for iv if needed. */
  1297. if (gctx->ivlen == 12 || len > S390X_gcm_ivpadlen(gctx->ivlen)) {
  1298. if (gctx->iv != c->iv)
  1299. OPENSSL_free(gctx->iv);
  1300. if ((gctx->iv = OPENSSL_malloc(len)) == NULL)
  1301. return 0;
  1302. }
  1303. /* Add padding. */
  1304. memset(gctx->iv + arg, 0, len - arg - 8);
  1305. *((unsigned long long *)(gctx->iv + len - 8)) = arg << 3;
  1306. }
  1307. gctx->ivlen = arg;
  1308. return 1;
  1309. case EVP_CTRL_AEAD_SET_TAG:
  1310. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1311. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1312. if (arg <= 0 || arg > 16 || enc)
  1313. return 0;
  1314. memcpy(buf, ptr, arg);
  1315. gctx->taglen = arg;
  1316. return 1;
  1317. case EVP_CTRL_AEAD_GET_TAG:
  1318. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1319. if (arg <= 0 || arg > 16 || !enc || gctx->taglen < 0)
  1320. return 0;
  1321. memcpy(ptr, gctx->kma.param.t.b, arg);
  1322. return 1;
  1323. case EVP_CTRL_GCM_SET_IV_FIXED:
  1324. /* Special case: -1 length restores whole iv */
  1325. if (arg == -1) {
  1326. memcpy(gctx->iv, ptr, gctx->ivlen);
  1327. gctx->iv_gen = 1;
  1328. return 1;
  1329. }
  1330. /*
  1331. * Fixed field must be at least 4 bytes and invocation field at least
  1332. * 8.
  1333. */
  1334. if ((arg < 4) || (gctx->ivlen - arg) < 8)
  1335. return 0;
  1336. if (arg)
  1337. memcpy(gctx->iv, ptr, arg);
  1338. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1339. if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
  1340. return 0;
  1341. gctx->iv_gen = 1;
  1342. return 1;
  1343. case EVP_CTRL_GCM_IV_GEN:
  1344. if (gctx->iv_gen == 0 || gctx->key_set == 0)
  1345. return 0;
  1346. s390x_aes_gcm_setiv(gctx, gctx->iv);
  1347. if (arg <= 0 || arg > gctx->ivlen)
  1348. arg = gctx->ivlen;
  1349. memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
  1350. /*
  1351. * Invocation field will be at least 8 bytes in size and so no need
  1352. * to check wrap around or increment more than last 8 bytes.
  1353. */
  1354. ctr64_inc(gctx->iv + gctx->ivlen - 8);
  1355. gctx->iv_set = 1;
  1356. return 1;
  1357. case EVP_CTRL_GCM_SET_IV_INV:
  1358. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1359. if (gctx->iv_gen == 0 || gctx->key_set == 0 || enc)
  1360. return 0;
  1361. memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
  1362. s390x_aes_gcm_setiv(gctx, gctx->iv);
  1363. gctx->iv_set = 1;
  1364. return 1;
  1365. case EVP_CTRL_AEAD_TLS1_AAD:
  1366. /* Save the aad for later use. */
  1367. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  1368. return 0;
  1369. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1370. memcpy(buf, ptr, arg);
  1371. gctx->tls_aad_len = arg;
  1372. gctx->tls_enc_records = 0;
  1373. len = buf[arg - 2] << 8 | buf[arg - 1];
  1374. /* Correct length for explicit iv. */
  1375. if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
  1376. return 0;
  1377. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1378. /* If decrypting correct for tag too. */
  1379. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1380. if (!enc) {
  1381. if (len < EVP_GCM_TLS_TAG_LEN)
  1382. return 0;
  1383. len -= EVP_GCM_TLS_TAG_LEN;
  1384. }
  1385. buf[arg - 2] = len >> 8;
  1386. buf[arg - 1] = len & 0xff;
  1387. /* Extra padding: tag appended to record. */
  1388. return EVP_GCM_TLS_TAG_LEN;
  1389. case EVP_CTRL_COPY:
  1390. out = ptr;
  1391. gctx_out = EVP_C_DATA(S390X_AES_GCM_CTX, out);
  1392. if (gctx->iv == c->iv) {
  1393. gctx_out->iv = out->iv;
  1394. } else {
  1395. len = S390X_gcm_ivpadlen(gctx->ivlen);
  1396. if ((gctx_out->iv = OPENSSL_malloc(len)) == NULL)
  1397. return 0;
  1398. memcpy(gctx_out->iv, gctx->iv, len);
  1399. }
  1400. return 1;
  1401. default:
  1402. return -1;
  1403. }
  1404. }
  1405. /*-
  1406. * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
  1407. */
  1408. static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx,
  1409. const unsigned char *key,
  1410. const unsigned char *iv, int enc)
  1411. {
  1412. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1413. int keylen;
  1414. if (iv == NULL && key == NULL)
  1415. return 1;
  1416. if (key != NULL) {
  1417. keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  1418. if (keylen <= 0) {
  1419. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  1420. return 0;
  1421. }
  1422. memcpy(&gctx->kma.param.k, key, keylen);
  1423. gctx->fc = S390X_AES_FC(keylen);
  1424. if (!enc)
  1425. gctx->fc |= S390X_DECRYPT;
  1426. if (iv == NULL && gctx->iv_set)
  1427. iv = gctx->iv;
  1428. if (iv != NULL) {
  1429. s390x_aes_gcm_setiv(gctx, iv);
  1430. gctx->iv_set = 1;
  1431. }
  1432. gctx->key_set = 1;
  1433. } else {
  1434. if (gctx->key_set)
  1435. s390x_aes_gcm_setiv(gctx, iv);
  1436. else
  1437. memcpy(gctx->iv, iv, gctx->ivlen);
  1438. gctx->iv_set = 1;
  1439. gctx->iv_gen = 0;
  1440. }
  1441. return 1;
  1442. }
  1443. /*-
  1444. * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
  1445. * if successful. Otherwise -1 is returned. Code is big-endian.
  1446. */
  1447. static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1448. const unsigned char *in, size_t len)
  1449. {
  1450. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1451. const unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1452. const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
  1453. int rv = -1;
  1454. if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
  1455. return -1;
  1456. /*
  1457. * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
  1458. * Requirements from SP 800-38D". The requirements is for one party to the
  1459. * communication to fail after 2^64 - 1 keys. We do this on the encrypting
  1460. * side only.
  1461. */
  1462. if (enc && ++gctx->tls_enc_records == 0) {
  1463. ERR_raise(ERR_LIB_EVP, EVP_R_TOO_MANY_RECORDS);
  1464. goto err;
  1465. }
  1466. if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN
  1467. : EVP_CTRL_GCM_SET_IV_INV,
  1468. EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
  1469. goto err;
  1470. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1471. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1472. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  1473. gctx->kma.param.taadl = gctx->tls_aad_len << 3;
  1474. gctx->kma.param.tpcl = len << 3;
  1475. s390x_kma(buf, gctx->tls_aad_len, in, len, out,
  1476. gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
  1477. if (enc) {
  1478. memcpy(out + len, gctx->kma.param.t.b, EVP_GCM_TLS_TAG_LEN);
  1479. rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  1480. } else {
  1481. if (CRYPTO_memcmp(gctx->kma.param.t.b, in + len,
  1482. EVP_GCM_TLS_TAG_LEN)) {
  1483. OPENSSL_cleanse(out, len);
  1484. goto err;
  1485. }
  1486. rv = len;
  1487. }
  1488. err:
  1489. gctx->iv_set = 0;
  1490. gctx->tls_aad_len = -1;
  1491. return rv;
  1492. }
  1493. /*-
  1494. * Called from EVP layer to initialize context, process additional
  1495. * authenticated data, en/de-crypt plain/cipher-text and authenticate
  1496. * ciphertext or process a TLS packet, depending on context. Returns bytes
  1497. * written on success. Otherwise -1 is returned. Code is big-endian.
  1498. */
  1499. static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1500. const unsigned char *in, size_t len)
  1501. {
  1502. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1503. unsigned char *buf, tmp[16];
  1504. int enc;
  1505. if (!gctx->key_set)
  1506. return -1;
  1507. if (gctx->tls_aad_len >= 0)
  1508. return s390x_aes_gcm_tls_cipher(ctx, out, in, len);
  1509. if (!gctx->iv_set)
  1510. return -1;
  1511. if (in != NULL) {
  1512. if (out == NULL) {
  1513. if (s390x_aes_gcm_aad(gctx, in, len))
  1514. return -1;
  1515. } else {
  1516. if (s390x_aes_gcm(gctx, in, out, len))
  1517. return -1;
  1518. }
  1519. return len;
  1520. } else {
  1521. gctx->kma.param.taadl <<= 3;
  1522. gctx->kma.param.tpcl <<= 3;
  1523. s390x_kma(gctx->ares, gctx->areslen, gctx->mres, gctx->mreslen, tmp,
  1524. gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
  1525. /* recall that we already did en-/decrypt gctx->mres
  1526. * and returned it to caller... */
  1527. OPENSSL_cleanse(tmp, gctx->mreslen);
  1528. gctx->iv_set = 0;
  1529. enc = EVP_CIPHER_CTX_is_encrypting(ctx);
  1530. if (enc) {
  1531. gctx->taglen = 16;
  1532. } else {
  1533. if (gctx->taglen < 0)
  1534. return -1;
  1535. buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1536. if (CRYPTO_memcmp(buf, gctx->kma.param.t.b, gctx->taglen))
  1537. return -1;
  1538. }
  1539. return 0;
  1540. }
  1541. }
  1542. static int s390x_aes_gcm_cleanup(EVP_CIPHER_CTX *c)
  1543. {
  1544. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
  1545. if (gctx == NULL)
  1546. return 0;
  1547. if (gctx->iv != c->iv)
  1548. OPENSSL_free(gctx->iv);
  1549. OPENSSL_cleanse(gctx, sizeof(*gctx));
  1550. return 1;
  1551. }
  1552. # define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
  1553. # define s390x_aes_xts_init_key aes_xts_init_key
  1554. static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx,
  1555. const unsigned char *key,
  1556. const unsigned char *iv, int enc);
  1557. # define s390x_aes_xts_cipher aes_xts_cipher
  1558. static int s390x_aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1559. const unsigned char *in, size_t len);
  1560. # define s390x_aes_xts_ctrl aes_xts_ctrl
  1561. static int s390x_aes_xts_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
  1562. # define s390x_aes_xts_cleanup aes_xts_cleanup
  1563. /*-
  1564. * Set nonce and length fields. Code is big-endian.
  1565. */
  1566. static inline void s390x_aes_ccm_setiv(S390X_AES_CCM_CTX *ctx,
  1567. const unsigned char *nonce,
  1568. size_t mlen)
  1569. {
  1570. ctx->aes.ccm.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
  1571. ctx->aes.ccm.nonce.g[1] = mlen;
  1572. memcpy(ctx->aes.ccm.nonce.b + 1, nonce, 15 - ctx->aes.ccm.l);
  1573. }
  1574. /*-
  1575. * Process additional authenticated data. Code is big-endian.
  1576. */
  1577. static void s390x_aes_ccm_aad(S390X_AES_CCM_CTX *ctx, const unsigned char *aad,
  1578. size_t alen)
  1579. {
  1580. unsigned char *ptr;
  1581. int i, rem;
  1582. if (!alen)
  1583. return;
  1584. ctx->aes.ccm.nonce.b[0] |= S390X_CCM_AAD_FLAG;
  1585. /* Suppress 'type-punned pointer dereference' warning. */
  1586. ptr = ctx->aes.ccm.buf.b;
  1587. if (alen < ((1 << 16) - (1 << 8))) {
  1588. *(uint16_t *)ptr = alen;
  1589. i = 2;
  1590. } else if (sizeof(alen) == 8
  1591. && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
  1592. *(uint16_t *)ptr = 0xffff;
  1593. *(uint64_t *)(ptr + 2) = alen;
  1594. i = 10;
  1595. } else {
  1596. *(uint16_t *)ptr = 0xfffe;
  1597. *(uint32_t *)(ptr + 2) = alen;
  1598. i = 6;
  1599. }
  1600. while (i < 16 && alen) {
  1601. ctx->aes.ccm.buf.b[i] = *aad;
  1602. ++aad;
  1603. --alen;
  1604. ++i;
  1605. }
  1606. while (i < 16) {
  1607. ctx->aes.ccm.buf.b[i] = 0;
  1608. ++i;
  1609. }
  1610. ctx->aes.ccm.kmac_param.icv.g[0] = 0;
  1611. ctx->aes.ccm.kmac_param.icv.g[1] = 0;
  1612. s390x_kmac(ctx->aes.ccm.nonce.b, 32, ctx->aes.ccm.fc,
  1613. &ctx->aes.ccm.kmac_param);
  1614. ctx->aes.ccm.blocks += 2;
  1615. rem = alen & 0xf;
  1616. alen &= ~(size_t)0xf;
  1617. if (alen) {
  1618. s390x_kmac(aad, alen, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1619. ctx->aes.ccm.blocks += alen >> 4;
  1620. aad += alen;
  1621. }
  1622. if (rem) {
  1623. for (i = 0; i < rem; i++)
  1624. ctx->aes.ccm.kmac_param.icv.b[i] ^= aad[i];
  1625. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1626. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1627. ctx->aes.ccm.kmac_param.k);
  1628. ctx->aes.ccm.blocks++;
  1629. }
  1630. }
  1631. /*-
  1632. * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 0 for
  1633. * success.
  1634. */
  1635. static int s390x_aes_ccm(S390X_AES_CCM_CTX *ctx, const unsigned char *in,
  1636. unsigned char *out, size_t len, int enc)
  1637. {
  1638. size_t n, rem;
  1639. unsigned int i, l, num;
  1640. unsigned char flags;
  1641. flags = ctx->aes.ccm.nonce.b[0];
  1642. if (!(flags & S390X_CCM_AAD_FLAG)) {
  1643. s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.kmac_param.icv.b,
  1644. ctx->aes.ccm.fc, ctx->aes.ccm.kmac_param.k);
  1645. ctx->aes.ccm.blocks++;
  1646. }
  1647. l = flags & 0x7;
  1648. ctx->aes.ccm.nonce.b[0] = l;
  1649. /*-
  1650. * Reconstruct length from encoded length field
  1651. * and initialize it with counter value.
  1652. */
  1653. n = 0;
  1654. for (i = 15 - l; i < 15; i++) {
  1655. n |= ctx->aes.ccm.nonce.b[i];
  1656. ctx->aes.ccm.nonce.b[i] = 0;
  1657. n <<= 8;
  1658. }
  1659. n |= ctx->aes.ccm.nonce.b[15];
  1660. ctx->aes.ccm.nonce.b[15] = 1;
  1661. if (n != len)
  1662. return -1; /* length mismatch */
  1663. if (enc) {
  1664. /* Two operations per block plus one for tag encryption */
  1665. ctx->aes.ccm.blocks += (((len + 15) >> 4) << 1) + 1;
  1666. if (ctx->aes.ccm.blocks > (1ULL << 61))
  1667. return -2; /* too much data */
  1668. }
  1669. num = 0;
  1670. rem = len & 0xf;
  1671. len &= ~(size_t)0xf;
  1672. if (enc) {
  1673. /* mac-then-encrypt */
  1674. if (len)
  1675. s390x_kmac(in, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1676. if (rem) {
  1677. for (i = 0; i < rem; i++)
  1678. ctx->aes.ccm.kmac_param.icv.b[i] ^= in[len + i];
  1679. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1680. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1681. ctx->aes.ccm.kmac_param.k);
  1682. }
  1683. CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
  1684. ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
  1685. &num, (ctr128_f)AES_ctr32_encrypt);
  1686. } else {
  1687. /* decrypt-then-mac */
  1688. CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
  1689. ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
  1690. &num, (ctr128_f)AES_ctr32_encrypt);
  1691. if (len)
  1692. s390x_kmac(out, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1693. if (rem) {
  1694. for (i = 0; i < rem; i++)
  1695. ctx->aes.ccm.kmac_param.icv.b[i] ^= out[len + i];
  1696. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1697. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1698. ctx->aes.ccm.kmac_param.k);
  1699. }
  1700. }
  1701. /* encrypt tag */
  1702. for (i = 15 - l; i < 16; i++)
  1703. ctx->aes.ccm.nonce.b[i] = 0;
  1704. s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.buf.b, ctx->aes.ccm.fc,
  1705. ctx->aes.ccm.kmac_param.k);
  1706. ctx->aes.ccm.kmac_param.icv.g[0] ^= ctx->aes.ccm.buf.g[0];
  1707. ctx->aes.ccm.kmac_param.icv.g[1] ^= ctx->aes.ccm.buf.g[1];
  1708. ctx->aes.ccm.nonce.b[0] = flags; /* restore flags field */
  1709. return 0;
  1710. }
  1711. /*-
  1712. * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
  1713. * if successful. Otherwise -1 is returned.
  1714. */
  1715. static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1716. const unsigned char *in, size_t len)
  1717. {
  1718. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1719. unsigned char *ivec = ctx->iv;
  1720. unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1721. const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
  1722. if (out != in
  1723. || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m))
  1724. return -1;
  1725. if (enc) {
  1726. /* Set explicit iv (sequence number). */
  1727. memcpy(out, buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
  1728. }
  1729. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
  1730. /*-
  1731. * Get explicit iv (sequence number). We already have fixed iv
  1732. * (server/client_write_iv) here.
  1733. */
  1734. memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
  1735. s390x_aes_ccm_setiv(cctx, ivec, len);
  1736. /* Process aad (sequence number|type|version|length) */
  1737. s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len);
  1738. in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1739. out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1740. if (enc) {
  1741. if (s390x_aes_ccm(cctx, in, out, len, enc))
  1742. return -1;
  1743. memcpy(out + len, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
  1744. return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
  1745. } else {
  1746. if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
  1747. if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, in + len,
  1748. cctx->aes.ccm.m))
  1749. return len;
  1750. }
  1751. OPENSSL_cleanse(out, len);
  1752. return -1;
  1753. }
  1754. }
  1755. /*-
  1756. * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
  1757. * returned.
  1758. */
  1759. static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx,
  1760. const unsigned char *key,
  1761. const unsigned char *iv, int enc)
  1762. {
  1763. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1764. int keylen;
  1765. if (iv == NULL && key == NULL)
  1766. return 1;
  1767. if (key != NULL) {
  1768. keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  1769. if (keylen <= 0) {
  1770. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  1771. return 0;
  1772. }
  1773. cctx->aes.ccm.fc = S390X_AES_FC(keylen);
  1774. memcpy(cctx->aes.ccm.kmac_param.k, key, keylen);
  1775. /* Store encoded m and l. */
  1776. cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
  1777. | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
  1778. memset(cctx->aes.ccm.nonce.b + 1, 0,
  1779. sizeof(cctx->aes.ccm.nonce.b));
  1780. cctx->aes.ccm.blocks = 0;
  1781. cctx->aes.ccm.key_set = 1;
  1782. }
  1783. if (iv != NULL) {
  1784. memcpy(ctx->iv, iv, 15 - cctx->aes.ccm.l);
  1785. cctx->aes.ccm.iv_set = 1;
  1786. }
  1787. return 1;
  1788. }
  1789. /*-
  1790. * Called from EVP layer to initialize context, process additional
  1791. * authenticated data, en/de-crypt plain/cipher-text and authenticate
  1792. * plaintext or process a TLS packet, depending on context. Returns bytes
  1793. * written on success. Otherwise -1 is returned.
  1794. */
  1795. static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1796. const unsigned char *in, size_t len)
  1797. {
  1798. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1799. const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
  1800. int rv;
  1801. unsigned char *buf;
  1802. if (!cctx->aes.ccm.key_set)
  1803. return -1;
  1804. if (cctx->aes.ccm.tls_aad_len >= 0)
  1805. return s390x_aes_ccm_tls_cipher(ctx, out, in, len);
  1806. /*-
  1807. * Final(): Does not return any data. Recall that ccm is mac-then-encrypt
  1808. * so integrity must be checked already at Update() i.e., before
  1809. * potentially corrupted data is output.
  1810. */
  1811. if (in == NULL && out != NULL)
  1812. return 0;
  1813. if (!cctx->aes.ccm.iv_set)
  1814. return -1;
  1815. if (out == NULL) {
  1816. /* Update(): Pass message length. */
  1817. if (in == NULL) {
  1818. s390x_aes_ccm_setiv(cctx, ctx->iv, len);
  1819. cctx->aes.ccm.len_set = 1;
  1820. return len;
  1821. }
  1822. /* Update(): Process aad. */
  1823. if (!cctx->aes.ccm.len_set && len)
  1824. return -1;
  1825. s390x_aes_ccm_aad(cctx, in, len);
  1826. return len;
  1827. }
  1828. /* The tag must be set before actually decrypting data */
  1829. if (!enc && !cctx->aes.ccm.tag_set)
  1830. return -1;
  1831. /* Update(): Process message. */
  1832. if (!cctx->aes.ccm.len_set) {
  1833. /*-
  1834. * In case message length was not previously set explicitly via
  1835. * Update(), set it now.
  1836. */
  1837. s390x_aes_ccm_setiv(cctx, ctx->iv, len);
  1838. cctx->aes.ccm.len_set = 1;
  1839. }
  1840. if (enc) {
  1841. if (s390x_aes_ccm(cctx, in, out, len, enc))
  1842. return -1;
  1843. cctx->aes.ccm.tag_set = 1;
  1844. return len;
  1845. } else {
  1846. rv = -1;
  1847. if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
  1848. buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1849. if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, buf,
  1850. cctx->aes.ccm.m))
  1851. rv = len;
  1852. }
  1853. if (rv == -1)
  1854. OPENSSL_cleanse(out, len);
  1855. cctx->aes.ccm.iv_set = 0;
  1856. cctx->aes.ccm.tag_set = 0;
  1857. cctx->aes.ccm.len_set = 0;
  1858. return rv;
  1859. }
  1860. }
  1861. /*-
  1862. * Performs various operations on the context structure depending on control
  1863. * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
  1864. * Code is big-endian.
  1865. */
  1866. static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1867. {
  1868. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, c);
  1869. unsigned char *buf;
  1870. int enc, len;
  1871. switch (type) {
  1872. case EVP_CTRL_INIT:
  1873. cctx->aes.ccm.key_set = 0;
  1874. cctx->aes.ccm.iv_set = 0;
  1875. cctx->aes.ccm.l = 8;
  1876. cctx->aes.ccm.m = 12;
  1877. cctx->aes.ccm.tag_set = 0;
  1878. cctx->aes.ccm.len_set = 0;
  1879. cctx->aes.ccm.tls_aad_len = -1;
  1880. return 1;
  1881. case EVP_CTRL_GET_IVLEN:
  1882. *(int *)ptr = 15 - cctx->aes.ccm.l;
  1883. return 1;
  1884. case EVP_CTRL_AEAD_TLS1_AAD:
  1885. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  1886. return 0;
  1887. /* Save the aad for later use. */
  1888. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1889. memcpy(buf, ptr, arg);
  1890. cctx->aes.ccm.tls_aad_len = arg;
  1891. len = buf[arg - 2] << 8 | buf[arg - 1];
  1892. if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
  1893. return 0;
  1894. /* Correct length for explicit iv. */
  1895. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1896. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1897. if (!enc) {
  1898. if (len < cctx->aes.ccm.m)
  1899. return 0;
  1900. /* Correct length for tag. */
  1901. len -= cctx->aes.ccm.m;
  1902. }
  1903. buf[arg - 2] = len >> 8;
  1904. buf[arg - 1] = len & 0xff;
  1905. /* Extra padding: tag appended to record. */
  1906. return cctx->aes.ccm.m;
  1907. case EVP_CTRL_CCM_SET_IV_FIXED:
  1908. if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
  1909. return 0;
  1910. /* Copy to first part of the iv. */
  1911. memcpy(c->iv, ptr, arg);
  1912. return 1;
  1913. case EVP_CTRL_AEAD_SET_IVLEN:
  1914. arg = 15 - arg;
  1915. /* fall-through */
  1916. case EVP_CTRL_CCM_SET_L:
  1917. if (arg < 2 || arg > 8)
  1918. return 0;
  1919. cctx->aes.ccm.l = arg;
  1920. return 1;
  1921. case EVP_CTRL_AEAD_SET_TAG:
  1922. if ((arg & 1) || arg < 4 || arg > 16)
  1923. return 0;
  1924. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1925. if (enc && ptr)
  1926. return 0;
  1927. if (ptr) {
  1928. cctx->aes.ccm.tag_set = 1;
  1929. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1930. memcpy(buf, ptr, arg);
  1931. }
  1932. cctx->aes.ccm.m = arg;
  1933. return 1;
  1934. case EVP_CTRL_AEAD_GET_TAG:
  1935. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1936. if (!enc || !cctx->aes.ccm.tag_set)
  1937. return 0;
  1938. if (arg < cctx->aes.ccm.m)
  1939. return 0;
  1940. memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
  1941. cctx->aes.ccm.tag_set = 0;
  1942. cctx->aes.ccm.iv_set = 0;
  1943. cctx->aes.ccm.len_set = 0;
  1944. return 1;
  1945. case EVP_CTRL_COPY:
  1946. return 1;
  1947. default:
  1948. return -1;
  1949. }
  1950. }
  1951. # define s390x_aes_ccm_cleanup aes_ccm_cleanup
  1952. # ifndef OPENSSL_NO_OCB
  1953. # define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
  1954. # define s390x_aes_ocb_init_key aes_ocb_init_key
  1955. static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  1956. const unsigned char *iv, int enc);
  1957. # define s390x_aes_ocb_cipher aes_ocb_cipher
  1958. static int s390x_aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1959. const unsigned char *in, size_t len);
  1960. # define s390x_aes_ocb_cleanup aes_ocb_cleanup
  1961. static int s390x_aes_ocb_cleanup(EVP_CIPHER_CTX *);
  1962. # define s390x_aes_ocb_ctrl aes_ocb_ctrl
  1963. static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
  1964. # endif
  1965. # ifndef OPENSSL_NO_SIV
  1966. # define S390X_AES_SIV_CTX EVP_AES_SIV_CTX
  1967. # define s390x_aes_siv_init_key aes_siv_init_key
  1968. # define s390x_aes_siv_cipher aes_siv_cipher
  1969. # define s390x_aes_siv_cleanup aes_siv_cleanup
  1970. # define s390x_aes_siv_ctrl aes_siv_ctrl
  1971. # endif
  1972. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
  1973. MODE,flags) \
  1974. static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
  1975. nid##_##keylen##_##nmode,blocksize, \
  1976. keylen / 8, \
  1977. ivlen, \
  1978. flags | EVP_CIPH_##MODE##_MODE, \
  1979. EVP_ORIG_GLOBAL, \
  1980. s390x_aes_##mode##_init_key, \
  1981. s390x_aes_##mode##_cipher, \
  1982. NULL, \
  1983. sizeof(S390X_AES_##MODE##_CTX), \
  1984. NULL, \
  1985. NULL, \
  1986. NULL, \
  1987. NULL \
  1988. }; \
  1989. static const EVP_CIPHER aes_##keylen##_##mode = { \
  1990. nid##_##keylen##_##nmode, \
  1991. blocksize, \
  1992. keylen / 8, \
  1993. ivlen, \
  1994. flags | EVP_CIPH_##MODE##_MODE, \
  1995. EVP_ORIG_GLOBAL, \
  1996. aes_init_key, \
  1997. aes_##mode##_cipher, \
  1998. NULL, \
  1999. sizeof(EVP_AES_KEY), \
  2000. NULL, \
  2001. NULL, \
  2002. NULL, \
  2003. NULL \
  2004. }; \
  2005. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2006. { \
  2007. return S390X_aes_##keylen##_##mode##_CAPABLE ? \
  2008. &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
  2009. }
  2010. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
  2011. static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
  2012. nid##_##keylen##_##mode, \
  2013. blocksize, \
  2014. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
  2015. ivlen, \
  2016. flags | EVP_CIPH_##MODE##_MODE, \
  2017. EVP_ORIG_GLOBAL, \
  2018. s390x_aes_##mode##_init_key, \
  2019. s390x_aes_##mode##_cipher, \
  2020. s390x_aes_##mode##_cleanup, \
  2021. sizeof(S390X_AES_##MODE##_CTX), \
  2022. NULL, \
  2023. NULL, \
  2024. s390x_aes_##mode##_ctrl, \
  2025. NULL \
  2026. }; \
  2027. static const EVP_CIPHER aes_##keylen##_##mode = { \
  2028. nid##_##keylen##_##mode,blocksize, \
  2029. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
  2030. ivlen, \
  2031. flags | EVP_CIPH_##MODE##_MODE, \
  2032. EVP_ORIG_GLOBAL, \
  2033. aes_##mode##_init_key, \
  2034. aes_##mode##_cipher, \
  2035. aes_##mode##_cleanup, \
  2036. sizeof(EVP_AES_##MODE##_CTX), \
  2037. NULL, \
  2038. NULL, \
  2039. aes_##mode##_ctrl, \
  2040. NULL \
  2041. }; \
  2042. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2043. { \
  2044. return S390X_aes_##keylen##_##mode##_CAPABLE ? \
  2045. &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
  2046. }
  2047. #else
  2048. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  2049. static const EVP_CIPHER aes_##keylen##_##mode = { \
  2050. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  2051. flags|EVP_CIPH_##MODE##_MODE, \
  2052. EVP_ORIG_GLOBAL, \
  2053. aes_init_key, \
  2054. aes_##mode##_cipher, \
  2055. NULL, \
  2056. sizeof(EVP_AES_KEY), \
  2057. NULL,NULL,NULL,NULL }; \
  2058. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2059. { return &aes_##keylen##_##mode; }
  2060. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  2061. static const EVP_CIPHER aes_##keylen##_##mode = { \
  2062. nid##_##keylen##_##mode,blocksize, \
  2063. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  2064. ivlen, \
  2065. flags|EVP_CIPH_##MODE##_MODE, \
  2066. EVP_ORIG_GLOBAL, \
  2067. aes_##mode##_init_key, \
  2068. aes_##mode##_cipher, \
  2069. aes_##mode##_cleanup, \
  2070. sizeof(EVP_AES_##MODE##_CTX), \
  2071. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  2072. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2073. { return &aes_##keylen##_##mode; }
  2074. #endif
  2075. #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
  2076. BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2077. BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2078. BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2079. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2080. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
  2081. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
  2082. BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
  2083. static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2084. const unsigned char *iv, int enc)
  2085. {
  2086. int ret, mode;
  2087. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2088. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  2089. if (keylen <= 0) {
  2090. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  2091. return 0;
  2092. }
  2093. mode = EVP_CIPHER_CTX_get_mode(ctx);
  2094. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  2095. && !enc) {
  2096. #ifdef HWAES_CAPABLE
  2097. if (HWAES_CAPABLE) {
  2098. ret = HWAES_set_decrypt_key(key, keylen, &dat->ks.ks);
  2099. dat->block = (block128_f) HWAES_decrypt;
  2100. dat->stream.cbc = NULL;
  2101. # ifdef HWAES_cbc_encrypt
  2102. if (mode == EVP_CIPH_CBC_MODE)
  2103. dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
  2104. # endif
  2105. } else
  2106. #endif
  2107. #ifdef BSAES_CAPABLE
  2108. if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
  2109. ret = AES_set_decrypt_key(key, keylen, &dat->ks.ks);
  2110. dat->block = (block128_f) AES_decrypt;
  2111. dat->stream.cbc = (cbc128_f) ossl_bsaes_cbc_encrypt;
  2112. } else
  2113. #endif
  2114. #ifdef VPAES_CAPABLE
  2115. if (VPAES_CAPABLE) {
  2116. ret = vpaes_set_decrypt_key(key, keylen, &dat->ks.ks);
  2117. dat->block = (block128_f) vpaes_decrypt;
  2118. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2119. (cbc128_f) vpaes_cbc_encrypt : NULL;
  2120. } else
  2121. #endif
  2122. {
  2123. ret = AES_set_decrypt_key(key, keylen, &dat->ks.ks);
  2124. dat->block = (block128_f) AES_decrypt;
  2125. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2126. (cbc128_f) AES_cbc_encrypt : NULL;
  2127. }
  2128. } else
  2129. #ifdef HWAES_CAPABLE
  2130. if (HWAES_CAPABLE) {
  2131. ret = HWAES_set_encrypt_key(key, keylen, &dat->ks.ks);
  2132. dat->block = (block128_f) HWAES_encrypt;
  2133. dat->stream.cbc = NULL;
  2134. # ifdef HWAES_cbc_encrypt
  2135. if (mode == EVP_CIPH_CBC_MODE)
  2136. dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
  2137. else
  2138. # endif
  2139. # ifdef HWAES_ctr32_encrypt_blocks
  2140. if (mode == EVP_CIPH_CTR_MODE)
  2141. dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
  2142. else
  2143. # endif
  2144. (void)0; /* terminate potentially open 'else' */
  2145. } else
  2146. #endif
  2147. #ifdef BSAES_CAPABLE
  2148. if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
  2149. ret = AES_set_encrypt_key(key, keylen, &dat->ks.ks);
  2150. dat->block = (block128_f) AES_encrypt;
  2151. dat->stream.ctr = (ctr128_f) ossl_bsaes_ctr32_encrypt_blocks;
  2152. } else
  2153. #endif
  2154. #ifdef VPAES_CAPABLE
  2155. if (VPAES_CAPABLE) {
  2156. ret = vpaes_set_encrypt_key(key, keylen, &dat->ks.ks);
  2157. dat->block = (block128_f) vpaes_encrypt;
  2158. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2159. (cbc128_f) vpaes_cbc_encrypt : NULL;
  2160. } else
  2161. #endif
  2162. {
  2163. ret = AES_set_encrypt_key(key, keylen, &dat->ks.ks);
  2164. dat->block = (block128_f) AES_encrypt;
  2165. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2166. (cbc128_f) AES_cbc_encrypt : NULL;
  2167. #ifdef AES_CTR_ASM
  2168. if (mode == EVP_CIPH_CTR_MODE)
  2169. dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
  2170. #endif
  2171. }
  2172. if (ret < 0) {
  2173. ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
  2174. return 0;
  2175. }
  2176. return 1;
  2177. }
  2178. static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2179. const unsigned char *in, size_t len)
  2180. {
  2181. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2182. if (dat->stream.cbc)
  2183. (*dat->stream.cbc) (in, out, len, &dat->ks, ctx->iv,
  2184. EVP_CIPHER_CTX_is_encrypting(ctx));
  2185. else if (EVP_CIPHER_CTX_is_encrypting(ctx))
  2186. CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv,
  2187. dat->block);
  2188. else
  2189. CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
  2190. ctx->iv, dat->block);
  2191. return 1;
  2192. }
  2193. static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2194. const unsigned char *in, size_t len)
  2195. {
  2196. size_t bl = EVP_CIPHER_CTX_get_block_size(ctx);
  2197. size_t i;
  2198. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2199. if (len < bl)
  2200. return 1;
  2201. for (i = 0, len -= bl; i <= len; i += bl)
  2202. (*dat->block) (in + i, out + i, &dat->ks);
  2203. return 1;
  2204. }
  2205. static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2206. const unsigned char *in, size_t len)
  2207. {
  2208. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2209. int num = EVP_CIPHER_CTX_get_num(ctx);
  2210. CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
  2211. ctx->iv, &num, dat->block);
  2212. EVP_CIPHER_CTX_set_num(ctx, num);
  2213. return 1;
  2214. }
  2215. static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2216. const unsigned char *in, size_t len)
  2217. {
  2218. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2219. int num = EVP_CIPHER_CTX_get_num(ctx);
  2220. CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
  2221. ctx->iv, &num,
  2222. EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
  2223. EVP_CIPHER_CTX_set_num(ctx, num);
  2224. return 1;
  2225. }
  2226. static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2227. const unsigned char *in, size_t len)
  2228. {
  2229. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2230. int num = EVP_CIPHER_CTX_get_num(ctx);
  2231. CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
  2232. ctx->iv, &num,
  2233. EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
  2234. EVP_CIPHER_CTX_set_num(ctx, num);
  2235. return 1;
  2236. }
  2237. static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2238. const unsigned char *in, size_t len)
  2239. {
  2240. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2241. if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
  2242. int num = EVP_CIPHER_CTX_get_num(ctx);
  2243. CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
  2244. ctx->iv, &num,
  2245. EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
  2246. EVP_CIPHER_CTX_set_num(ctx, num);
  2247. return 1;
  2248. }
  2249. while (len >= MAXBITCHUNK) {
  2250. int num = EVP_CIPHER_CTX_get_num(ctx);
  2251. CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
  2252. ctx->iv, &num,
  2253. EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
  2254. EVP_CIPHER_CTX_set_num(ctx, num);
  2255. len -= MAXBITCHUNK;
  2256. out += MAXBITCHUNK;
  2257. in += MAXBITCHUNK;
  2258. }
  2259. if (len) {
  2260. int num = EVP_CIPHER_CTX_get_num(ctx);
  2261. CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
  2262. ctx->iv, &num,
  2263. EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
  2264. EVP_CIPHER_CTX_set_num(ctx, num);
  2265. }
  2266. return 1;
  2267. }
  2268. static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2269. const unsigned char *in, size_t len)
  2270. {
  2271. int n = EVP_CIPHER_CTX_get_num(ctx);
  2272. unsigned int num;
  2273. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2274. if (n < 0)
  2275. return 0;
  2276. num = (unsigned int)n;
  2277. if (dat->stream.ctr)
  2278. CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
  2279. ctx->iv,
  2280. EVP_CIPHER_CTX_buf_noconst(ctx),
  2281. &num, dat->stream.ctr);
  2282. else
  2283. CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
  2284. ctx->iv,
  2285. EVP_CIPHER_CTX_buf_noconst(ctx), &num,
  2286. dat->block);
  2287. EVP_CIPHER_CTX_set_num(ctx, num);
  2288. return 1;
  2289. }
  2290. BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
  2291. BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
  2292. BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
  2293. static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
  2294. {
  2295. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
  2296. if (gctx == NULL)
  2297. return 0;
  2298. OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
  2299. if (gctx->iv != c->iv)
  2300. OPENSSL_free(gctx->iv);
  2301. return 1;
  2302. }
  2303. static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2304. {
  2305. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
  2306. switch (type) {
  2307. case EVP_CTRL_INIT:
  2308. gctx->key_set = 0;
  2309. gctx->iv_set = 0;
  2310. gctx->ivlen = EVP_CIPHER_get_iv_length(c->cipher);
  2311. gctx->iv = c->iv;
  2312. gctx->taglen = -1;
  2313. gctx->iv_gen = 0;
  2314. gctx->tls_aad_len = -1;
  2315. return 1;
  2316. case EVP_CTRL_GET_IVLEN:
  2317. *(int *)ptr = gctx->ivlen;
  2318. return 1;
  2319. case EVP_CTRL_AEAD_SET_IVLEN:
  2320. if (arg <= 0)
  2321. return 0;
  2322. /* Allocate memory for IV if needed */
  2323. if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
  2324. if (gctx->iv != c->iv)
  2325. OPENSSL_free(gctx->iv);
  2326. if ((gctx->iv = OPENSSL_malloc(arg)) == NULL)
  2327. return 0;
  2328. }
  2329. gctx->ivlen = arg;
  2330. return 1;
  2331. case EVP_CTRL_AEAD_SET_TAG:
  2332. if (arg <= 0 || arg > 16 || c->encrypt)
  2333. return 0;
  2334. memcpy(c->buf, ptr, arg);
  2335. gctx->taglen = arg;
  2336. return 1;
  2337. case EVP_CTRL_AEAD_GET_TAG:
  2338. if (arg <= 0 || arg > 16 || !c->encrypt
  2339. || gctx->taglen < 0)
  2340. return 0;
  2341. memcpy(ptr, c->buf, arg);
  2342. return 1;
  2343. case EVP_CTRL_GCM_SET_IV_FIXED:
  2344. /* Special case: -1 length restores whole IV */
  2345. if (arg == -1) {
  2346. memcpy(gctx->iv, ptr, gctx->ivlen);
  2347. gctx->iv_gen = 1;
  2348. return 1;
  2349. }
  2350. /*
  2351. * Fixed field must be at least 4 bytes and invocation field at least
  2352. * 8.
  2353. */
  2354. if ((arg < 4) || (gctx->ivlen - arg) < 8)
  2355. return 0;
  2356. if (arg)
  2357. memcpy(gctx->iv, ptr, arg);
  2358. if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
  2359. return 0;
  2360. gctx->iv_gen = 1;
  2361. return 1;
  2362. case EVP_CTRL_GCM_IV_GEN:
  2363. if (gctx->iv_gen == 0 || gctx->key_set == 0)
  2364. return 0;
  2365. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  2366. if (arg <= 0 || arg > gctx->ivlen)
  2367. arg = gctx->ivlen;
  2368. memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
  2369. /*
  2370. * Invocation field will be at least 8 bytes in size and so no need
  2371. * to check wrap around or increment more than last 8 bytes.
  2372. */
  2373. ctr64_inc(gctx->iv + gctx->ivlen - 8);
  2374. gctx->iv_set = 1;
  2375. return 1;
  2376. case EVP_CTRL_GCM_SET_IV_INV:
  2377. if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
  2378. return 0;
  2379. memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
  2380. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  2381. gctx->iv_set = 1;
  2382. return 1;
  2383. case EVP_CTRL_AEAD_TLS1_AAD:
  2384. /* Save the AAD for later use */
  2385. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  2386. return 0;
  2387. memcpy(c->buf, ptr, arg);
  2388. gctx->tls_aad_len = arg;
  2389. gctx->tls_enc_records = 0;
  2390. {
  2391. unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
  2392. /* Correct length for explicit IV */
  2393. if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
  2394. return 0;
  2395. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2396. /* If decrypting correct for tag too */
  2397. if (!c->encrypt) {
  2398. if (len < EVP_GCM_TLS_TAG_LEN)
  2399. return 0;
  2400. len -= EVP_GCM_TLS_TAG_LEN;
  2401. }
  2402. c->buf[arg - 2] = len >> 8;
  2403. c->buf[arg - 1] = len & 0xff;
  2404. }
  2405. /* Extra padding: tag appended to record */
  2406. return EVP_GCM_TLS_TAG_LEN;
  2407. case EVP_CTRL_COPY:
  2408. {
  2409. EVP_CIPHER_CTX *out = ptr;
  2410. EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out);
  2411. if (gctx->gcm.key) {
  2412. if (gctx->gcm.key != &gctx->ks)
  2413. return 0;
  2414. gctx_out->gcm.key = &gctx_out->ks;
  2415. }
  2416. if (gctx->iv == c->iv)
  2417. gctx_out->iv = out->iv;
  2418. else {
  2419. if ((gctx_out->iv = OPENSSL_malloc(gctx->ivlen)) == NULL)
  2420. return 0;
  2421. memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
  2422. }
  2423. return 1;
  2424. }
  2425. default:
  2426. return -1;
  2427. }
  2428. }
  2429. static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2430. const unsigned char *iv, int enc)
  2431. {
  2432. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2433. if (iv == NULL && key == NULL)
  2434. return 1;
  2435. if (key != NULL) {
  2436. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  2437. if (keylen <= 0) {
  2438. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  2439. return 0;
  2440. }
  2441. do {
  2442. #ifdef HWAES_CAPABLE
  2443. if (HWAES_CAPABLE) {
  2444. HWAES_set_encrypt_key(key, keylen, &gctx->ks.ks);
  2445. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2446. (block128_f) HWAES_encrypt);
  2447. # ifdef HWAES_ctr32_encrypt_blocks
  2448. gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
  2449. # else
  2450. gctx->ctr = NULL;
  2451. # endif
  2452. break;
  2453. } else
  2454. #endif
  2455. #ifdef BSAES_CAPABLE
  2456. if (BSAES_CAPABLE) {
  2457. AES_set_encrypt_key(key, keylen, &gctx->ks.ks);
  2458. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2459. (block128_f) AES_encrypt);
  2460. gctx->ctr = (ctr128_f) ossl_bsaes_ctr32_encrypt_blocks;
  2461. break;
  2462. } else
  2463. #endif
  2464. #ifdef VPAES_CAPABLE
  2465. if (VPAES_CAPABLE) {
  2466. vpaes_set_encrypt_key(key, keylen, &gctx->ks.ks);
  2467. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2468. (block128_f) vpaes_encrypt);
  2469. gctx->ctr = NULL;
  2470. break;
  2471. } else
  2472. #endif
  2473. (void)0; /* terminate potentially open 'else' */
  2474. AES_set_encrypt_key(key, keylen, &gctx->ks.ks);
  2475. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2476. (block128_f) AES_encrypt);
  2477. #ifdef AES_CTR_ASM
  2478. gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
  2479. #else
  2480. gctx->ctr = NULL;
  2481. #endif
  2482. } while (0);
  2483. /*
  2484. * If we have an iv can set it directly, otherwise use saved IV.
  2485. */
  2486. if (iv == NULL && gctx->iv_set)
  2487. iv = gctx->iv;
  2488. if (iv) {
  2489. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  2490. gctx->iv_set = 1;
  2491. }
  2492. gctx->key_set = 1;
  2493. } else {
  2494. /* If key set use IV, otherwise copy */
  2495. if (gctx->key_set)
  2496. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  2497. else
  2498. memcpy(gctx->iv, iv, gctx->ivlen);
  2499. gctx->iv_set = 1;
  2500. gctx->iv_gen = 0;
  2501. }
  2502. return 1;
  2503. }
  2504. /*
  2505. * Handle TLS GCM packet format. This consists of the last portion of the IV
  2506. * followed by the payload and finally the tag. On encrypt generate IV,
  2507. * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
  2508. * and verify tag.
  2509. */
  2510. static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2511. const unsigned char *in, size_t len)
  2512. {
  2513. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2514. int rv = -1;
  2515. /* Encrypt/decrypt must be performed in place */
  2516. if (out != in
  2517. || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
  2518. return -1;
  2519. /*
  2520. * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
  2521. * Requirements from SP 800-38D". The requirements is for one party to the
  2522. * communication to fail after 2^64 - 1 keys. We do this on the encrypting
  2523. * side only.
  2524. */
  2525. if (EVP_CIPHER_CTX_is_encrypting(ctx) && ++gctx->tls_enc_records == 0) {
  2526. ERR_raise(ERR_LIB_EVP, EVP_R_TOO_MANY_RECORDS);
  2527. goto err;
  2528. }
  2529. /*
  2530. * Set IV from start of buffer or generate IV and write to start of
  2531. * buffer.
  2532. */
  2533. if (EVP_CIPHER_CTX_ctrl(ctx,
  2534. EVP_CIPHER_CTX_is_encrypting(ctx) ?
  2535. EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
  2536. EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
  2537. goto err;
  2538. /* Use saved AAD */
  2539. if (CRYPTO_gcm128_aad(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
  2540. gctx->tls_aad_len))
  2541. goto err;
  2542. /* Fix buffer and length to point to payload */
  2543. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2544. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2545. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  2546. if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  2547. /* Encrypt payload */
  2548. if (gctx->ctr) {
  2549. size_t bulk = 0;
  2550. #if defined(AES_GCM_ASM)
  2551. if (len >= 32 && AES_GCM_ASM(gctx)) {
  2552. if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
  2553. return -1;
  2554. bulk = AES_gcm_encrypt(in, out, len,
  2555. gctx->gcm.key,
  2556. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2557. gctx->gcm.len.u[1] += bulk;
  2558. }
  2559. #endif
  2560. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
  2561. in + bulk,
  2562. out + bulk,
  2563. len - bulk, gctx->ctr))
  2564. goto err;
  2565. } else {
  2566. size_t bulk = 0;
  2567. #if defined(AES_GCM_ASM2)
  2568. if (len >= 32 && AES_GCM_ASM2(gctx)) {
  2569. if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
  2570. return -1;
  2571. bulk = AES_gcm_encrypt(in, out, len,
  2572. gctx->gcm.key,
  2573. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2574. gctx->gcm.len.u[1] += bulk;
  2575. }
  2576. #endif
  2577. if (CRYPTO_gcm128_encrypt(&gctx->gcm,
  2578. in + bulk, out + bulk, len - bulk))
  2579. goto err;
  2580. }
  2581. out += len;
  2582. /* Finally write tag */
  2583. CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
  2584. rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  2585. } else {
  2586. /* Decrypt */
  2587. if (gctx->ctr) {
  2588. size_t bulk = 0;
  2589. #if defined(AES_GCM_ASM)
  2590. if (len >= 16 && AES_GCM_ASM(gctx)) {
  2591. if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
  2592. return -1;
  2593. bulk = AES_gcm_decrypt(in, out, len,
  2594. gctx->gcm.key,
  2595. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2596. gctx->gcm.len.u[1] += bulk;
  2597. }
  2598. #endif
  2599. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
  2600. in + bulk,
  2601. out + bulk,
  2602. len - bulk, gctx->ctr))
  2603. goto err;
  2604. } else {
  2605. size_t bulk = 0;
  2606. #if defined(AES_GCM_ASM2)
  2607. if (len >= 16 && AES_GCM_ASM2(gctx)) {
  2608. if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
  2609. return -1;
  2610. bulk = AES_gcm_decrypt(in, out, len,
  2611. gctx->gcm.key,
  2612. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2613. gctx->gcm.len.u[1] += bulk;
  2614. }
  2615. #endif
  2616. if (CRYPTO_gcm128_decrypt(&gctx->gcm,
  2617. in + bulk, out + bulk, len - bulk))
  2618. goto err;
  2619. }
  2620. /* Retrieve tag */
  2621. CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
  2622. EVP_GCM_TLS_TAG_LEN);
  2623. /* If tag mismatch wipe buffer */
  2624. if (CRYPTO_memcmp(EVP_CIPHER_CTX_buf_noconst(ctx), in + len,
  2625. EVP_GCM_TLS_TAG_LEN)) {
  2626. OPENSSL_cleanse(out, len);
  2627. goto err;
  2628. }
  2629. rv = len;
  2630. }
  2631. err:
  2632. gctx->iv_set = 0;
  2633. gctx->tls_aad_len = -1;
  2634. return rv;
  2635. }
  2636. #ifdef FIPS_MODULE
  2637. /*
  2638. * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
  2639. *
  2640. * See also 8.2.2 RBG-based construction.
  2641. * Random construction consists of a free field (which can be NULL) and a
  2642. * random field which will use a DRBG that can return at least 96 bits of
  2643. * entropy strength. (The DRBG must be seeded by the FIPS module).
  2644. */
  2645. static int aes_gcm_iv_generate(EVP_AES_GCM_CTX *gctx, int offset)
  2646. {
  2647. int sz = gctx->ivlen - offset;
  2648. /* Must be at least 96 bits */
  2649. if (sz <= 0 || gctx->ivlen < 12)
  2650. return 0;
  2651. /* Use DRBG to generate random iv */
  2652. if (RAND_bytes(gctx->iv + offset, sz) <= 0)
  2653. return 0;
  2654. return 1;
  2655. }
  2656. #endif /* FIPS_MODULE */
  2657. static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2658. const unsigned char *in, size_t len)
  2659. {
  2660. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2661. /* If not set up, return error */
  2662. if (!gctx->key_set)
  2663. return -1;
  2664. if (gctx->tls_aad_len >= 0)
  2665. return aes_gcm_tls_cipher(ctx, out, in, len);
  2666. #ifdef FIPS_MODULE
  2667. /*
  2668. * FIPS requires generation of AES-GCM IV's inside the FIPS module.
  2669. * The IV can still be set externally (the security policy will state that
  2670. * this is not FIPS compliant). There are some applications
  2671. * where setting the IV externally is the only option available.
  2672. */
  2673. if (!gctx->iv_set) {
  2674. if (!EVP_CIPHER_CTX_is_encrypting(ctx) || !aes_gcm_iv_generate(gctx, 0))
  2675. return -1;
  2676. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  2677. gctx->iv_set = 1;
  2678. gctx->iv_gen_rand = 1;
  2679. }
  2680. #else
  2681. if (!gctx->iv_set)
  2682. return -1;
  2683. #endif /* FIPS_MODULE */
  2684. if (in) {
  2685. if (out == NULL) {
  2686. if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
  2687. return -1;
  2688. } else if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  2689. if (gctx->ctr) {
  2690. size_t bulk = 0;
  2691. #if defined(AES_GCM_ASM)
  2692. if (len >= 32 && AES_GCM_ASM(gctx)) {
  2693. size_t res = (16 - gctx->gcm.mres) % 16;
  2694. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
  2695. return -1;
  2696. bulk = AES_gcm_encrypt(in + res,
  2697. out + res, len - res,
  2698. gctx->gcm.key, gctx->gcm.Yi.c,
  2699. gctx->gcm.Xi.u);
  2700. gctx->gcm.len.u[1] += bulk;
  2701. bulk += res;
  2702. }
  2703. #endif
  2704. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
  2705. in + bulk,
  2706. out + bulk,
  2707. len - bulk, gctx->ctr))
  2708. return -1;
  2709. } else {
  2710. size_t bulk = 0;
  2711. #if defined(AES_GCM_ASM2)
  2712. if (len >= 32 && AES_GCM_ASM2(gctx)) {
  2713. size_t res = (16 - gctx->gcm.mres) % 16;
  2714. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
  2715. return -1;
  2716. bulk = AES_gcm_encrypt(in + res,
  2717. out + res, len - res,
  2718. gctx->gcm.key, gctx->gcm.Yi.c,
  2719. gctx->gcm.Xi.u);
  2720. gctx->gcm.len.u[1] += bulk;
  2721. bulk += res;
  2722. }
  2723. #endif
  2724. if (CRYPTO_gcm128_encrypt(&gctx->gcm,
  2725. in + bulk, out + bulk, len - bulk))
  2726. return -1;
  2727. }
  2728. } else {
  2729. if (gctx->ctr) {
  2730. size_t bulk = 0;
  2731. #if defined(AES_GCM_ASM)
  2732. if (len >= 16 && AES_GCM_ASM(gctx)) {
  2733. size_t res = (16 - gctx->gcm.mres) % 16;
  2734. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
  2735. return -1;
  2736. bulk = AES_gcm_decrypt(in + res,
  2737. out + res, len - res,
  2738. gctx->gcm.key,
  2739. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2740. gctx->gcm.len.u[1] += bulk;
  2741. bulk += res;
  2742. }
  2743. #endif
  2744. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
  2745. in + bulk,
  2746. out + bulk,
  2747. len - bulk, gctx->ctr))
  2748. return -1;
  2749. } else {
  2750. size_t bulk = 0;
  2751. #if defined(AES_GCM_ASM2)
  2752. if (len >= 16 && AES_GCM_ASM2(gctx)) {
  2753. size_t res = (16 - gctx->gcm.mres) % 16;
  2754. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
  2755. return -1;
  2756. bulk = AES_gcm_decrypt(in + res,
  2757. out + res, len - res,
  2758. gctx->gcm.key,
  2759. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2760. gctx->gcm.len.u[1] += bulk;
  2761. bulk += res;
  2762. }
  2763. #endif
  2764. if (CRYPTO_gcm128_decrypt(&gctx->gcm,
  2765. in + bulk, out + bulk, len - bulk))
  2766. return -1;
  2767. }
  2768. }
  2769. return len;
  2770. } else {
  2771. if (!EVP_CIPHER_CTX_is_encrypting(ctx)) {
  2772. if (gctx->taglen < 0)
  2773. return -1;
  2774. if (CRYPTO_gcm128_finish(&gctx->gcm,
  2775. EVP_CIPHER_CTX_buf_noconst(ctx),
  2776. gctx->taglen) != 0)
  2777. return -1;
  2778. gctx->iv_set = 0;
  2779. return 0;
  2780. }
  2781. CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), 16);
  2782. gctx->taglen = 16;
  2783. /* Don't reuse the IV */
  2784. gctx->iv_set = 0;
  2785. return 0;
  2786. }
  2787. }
  2788. #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
  2789. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  2790. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
  2791. | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
  2792. BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
  2793. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2794. BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
  2795. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2796. BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
  2797. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2798. static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2799. {
  2800. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX, c);
  2801. if (type == EVP_CTRL_COPY) {
  2802. EVP_CIPHER_CTX *out = ptr;
  2803. EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
  2804. if (xctx->xts.key1) {
  2805. if (xctx->xts.key1 != &xctx->ks1)
  2806. return 0;
  2807. xctx_out->xts.key1 = &xctx_out->ks1;
  2808. }
  2809. if (xctx->xts.key2) {
  2810. if (xctx->xts.key2 != &xctx->ks2)
  2811. return 0;
  2812. xctx_out->xts.key2 = &xctx_out->ks2;
  2813. }
  2814. return 1;
  2815. } else if (type != EVP_CTRL_INIT)
  2816. return -1;
  2817. /* key1 and key2 are used as an indicator both key and IV are set */
  2818. xctx->xts.key1 = NULL;
  2819. xctx->xts.key2 = NULL;
  2820. return 1;
  2821. }
  2822. static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2823. const unsigned char *iv, int enc)
  2824. {
  2825. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  2826. if (iv == NULL && key == NULL)
  2827. return 1;
  2828. if (key != NULL) {
  2829. do {
  2830. /* The key is two half length keys in reality */
  2831. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  2832. const int bytes = keylen / 2;
  2833. const int bits = bytes * 8;
  2834. if (keylen <= 0) {
  2835. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  2836. return 0;
  2837. }
  2838. /*
  2839. * Verify that the two keys are different.
  2840. *
  2841. * This addresses the vulnerability described in Rogaway's
  2842. * September 2004 paper:
  2843. *
  2844. * "Efficient Instantiations of Tweakable Blockciphers and
  2845. * Refinements to Modes OCB and PMAC".
  2846. * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
  2847. *
  2848. * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
  2849. * that:
  2850. * "The check for Key_1 != Key_2 shall be done at any place
  2851. * BEFORE using the keys in the XTS-AES algorithm to process
  2852. * data with them."
  2853. */
  2854. if ((!allow_insecure_decrypt || enc)
  2855. && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
  2856. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
  2857. return 0;
  2858. }
  2859. #ifdef AES_XTS_ASM
  2860. xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
  2861. #else
  2862. xctx->stream = NULL;
  2863. #endif
  2864. /* key_len is two AES keys */
  2865. #ifdef HWAES_CAPABLE
  2866. if (HWAES_CAPABLE) {
  2867. if (enc) {
  2868. HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks);
  2869. xctx->xts.block1 = (block128_f) HWAES_encrypt;
  2870. # ifdef HWAES_xts_encrypt
  2871. xctx->stream = HWAES_xts_encrypt;
  2872. # endif
  2873. } else {
  2874. HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks);
  2875. xctx->xts.block1 = (block128_f) HWAES_decrypt;
  2876. # ifdef HWAES_xts_decrypt
  2877. xctx->stream = HWAES_xts_decrypt;
  2878. #endif
  2879. }
  2880. HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  2881. xctx->xts.block2 = (block128_f) HWAES_encrypt;
  2882. xctx->xts.key1 = &xctx->ks1;
  2883. break;
  2884. } else
  2885. #endif
  2886. #ifdef BSAES_CAPABLE
  2887. if (BSAES_CAPABLE)
  2888. xctx->stream = enc ? ossl_bsaes_xts_encrypt : ossl_bsaes_xts_decrypt;
  2889. else
  2890. #endif
  2891. #ifdef VPAES_CAPABLE
  2892. if (VPAES_CAPABLE) {
  2893. if (enc) {
  2894. vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks);
  2895. xctx->xts.block1 = (block128_f) vpaes_encrypt;
  2896. } else {
  2897. vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks);
  2898. xctx->xts.block1 = (block128_f) vpaes_decrypt;
  2899. }
  2900. vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  2901. xctx->xts.block2 = (block128_f) vpaes_encrypt;
  2902. xctx->xts.key1 = &xctx->ks1;
  2903. break;
  2904. } else
  2905. #endif
  2906. (void)0; /* terminate potentially open 'else' */
  2907. if (enc) {
  2908. AES_set_encrypt_key(key, bits, &xctx->ks1.ks);
  2909. xctx->xts.block1 = (block128_f) AES_encrypt;
  2910. } else {
  2911. AES_set_decrypt_key(key, bits, &xctx->ks1.ks);
  2912. xctx->xts.block1 = (block128_f) AES_decrypt;
  2913. }
  2914. AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  2915. xctx->xts.block2 = (block128_f) AES_encrypt;
  2916. xctx->xts.key1 = &xctx->ks1;
  2917. } while (0);
  2918. }
  2919. if (iv) {
  2920. xctx->xts.key2 = &xctx->ks2;
  2921. memcpy(ctx->iv, iv, 16);
  2922. }
  2923. return 1;
  2924. }
  2925. static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2926. const unsigned char *in, size_t len)
  2927. {
  2928. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  2929. if (xctx->xts.key1 == NULL
  2930. || xctx->xts.key2 == NULL
  2931. || out == NULL
  2932. || in == NULL
  2933. || len < AES_BLOCK_SIZE)
  2934. return 0;
  2935. /*
  2936. * Impose a limit of 2^20 blocks per data unit as specified by
  2937. * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007
  2938. * indicated that this was a SHOULD NOT rather than a MUST NOT.
  2939. * NIST SP 800-38E mandates the same limit.
  2940. */
  2941. if (len > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
  2942. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE);
  2943. return 0;
  2944. }
  2945. if (xctx->stream)
  2946. (*xctx->stream) (in, out, len,
  2947. xctx->xts.key1, xctx->xts.key2,
  2948. ctx->iv);
  2949. else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
  2950. EVP_CIPHER_CTX_is_encrypting(ctx)))
  2951. return 0;
  2952. return 1;
  2953. }
  2954. #define aes_xts_cleanup NULL
  2955. #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
  2956. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
  2957. | EVP_CIPH_CUSTOM_COPY)
  2958. BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
  2959. BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
  2960. static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2961. {
  2962. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c);
  2963. switch (type) {
  2964. case EVP_CTRL_INIT:
  2965. cctx->key_set = 0;
  2966. cctx->iv_set = 0;
  2967. cctx->L = 8;
  2968. cctx->M = 12;
  2969. cctx->tag_set = 0;
  2970. cctx->len_set = 0;
  2971. cctx->tls_aad_len = -1;
  2972. return 1;
  2973. case EVP_CTRL_GET_IVLEN:
  2974. *(int *)ptr = 15 - cctx->L;
  2975. return 1;
  2976. case EVP_CTRL_AEAD_TLS1_AAD:
  2977. /* Save the AAD for later use */
  2978. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  2979. return 0;
  2980. memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
  2981. cctx->tls_aad_len = arg;
  2982. {
  2983. uint16_t len =
  2984. EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
  2985. | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
  2986. /* Correct length for explicit IV */
  2987. if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
  2988. return 0;
  2989. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
  2990. /* If decrypting correct for tag too */
  2991. if (!EVP_CIPHER_CTX_is_encrypting(c)) {
  2992. if (len < cctx->M)
  2993. return 0;
  2994. len -= cctx->M;
  2995. }
  2996. EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
  2997. EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
  2998. }
  2999. /* Extra padding: tag appended to record */
  3000. return cctx->M;
  3001. case EVP_CTRL_CCM_SET_IV_FIXED:
  3002. /* Sanity check length */
  3003. if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
  3004. return 0;
  3005. /* Just copy to first part of IV */
  3006. memcpy(c->iv, ptr, arg);
  3007. return 1;
  3008. case EVP_CTRL_AEAD_SET_IVLEN:
  3009. arg = 15 - arg;
  3010. /* fall through */
  3011. case EVP_CTRL_CCM_SET_L:
  3012. if (arg < 2 || arg > 8)
  3013. return 0;
  3014. cctx->L = arg;
  3015. return 1;
  3016. case EVP_CTRL_AEAD_SET_TAG:
  3017. if ((arg & 1) || arg < 4 || arg > 16)
  3018. return 0;
  3019. if (EVP_CIPHER_CTX_is_encrypting(c) && ptr)
  3020. return 0;
  3021. if (ptr) {
  3022. cctx->tag_set = 1;
  3023. memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
  3024. }
  3025. cctx->M = arg;
  3026. return 1;
  3027. case EVP_CTRL_AEAD_GET_TAG:
  3028. if (!EVP_CIPHER_CTX_is_encrypting(c) || !cctx->tag_set)
  3029. return 0;
  3030. if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
  3031. return 0;
  3032. cctx->tag_set = 0;
  3033. cctx->iv_set = 0;
  3034. cctx->len_set = 0;
  3035. return 1;
  3036. case EVP_CTRL_COPY:
  3037. {
  3038. EVP_CIPHER_CTX *out = ptr;
  3039. EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out);
  3040. if (cctx->ccm.key) {
  3041. if (cctx->ccm.key != &cctx->ks)
  3042. return 0;
  3043. cctx_out->ccm.key = &cctx_out->ks;
  3044. }
  3045. return 1;
  3046. }
  3047. default:
  3048. return -1;
  3049. }
  3050. }
  3051. static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3052. const unsigned char *iv, int enc)
  3053. {
  3054. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  3055. if (iv == NULL && key == NULL)
  3056. return 1;
  3057. if (key != NULL) {
  3058. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  3059. if (keylen <= 0) {
  3060. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  3061. return 0;
  3062. }
  3063. do {
  3064. #ifdef HWAES_CAPABLE
  3065. if (HWAES_CAPABLE) {
  3066. HWAES_set_encrypt_key(key, keylen, &cctx->ks.ks);
  3067. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  3068. &cctx->ks, (block128_f) HWAES_encrypt);
  3069. cctx->str = NULL;
  3070. cctx->key_set = 1;
  3071. break;
  3072. } else
  3073. #endif
  3074. #ifdef VPAES_CAPABLE
  3075. if (VPAES_CAPABLE) {
  3076. vpaes_set_encrypt_key(key, keylen, &cctx->ks.ks);
  3077. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  3078. &cctx->ks, (block128_f) vpaes_encrypt);
  3079. cctx->str = NULL;
  3080. cctx->key_set = 1;
  3081. break;
  3082. }
  3083. #endif
  3084. AES_set_encrypt_key(key, keylen, &cctx->ks.ks);
  3085. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  3086. &cctx->ks, (block128_f) AES_encrypt);
  3087. cctx->str = NULL;
  3088. cctx->key_set = 1;
  3089. } while (0);
  3090. }
  3091. if (iv != NULL) {
  3092. memcpy(ctx->iv, iv, 15 - cctx->L);
  3093. cctx->iv_set = 1;
  3094. }
  3095. return 1;
  3096. }
  3097. static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3098. const unsigned char *in, size_t len)
  3099. {
  3100. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  3101. CCM128_CONTEXT *ccm = &cctx->ccm;
  3102. /* Encrypt/decrypt must be performed in place */
  3103. if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
  3104. return -1;
  3105. /* If encrypting set explicit IV from sequence number (start of AAD) */
  3106. if (EVP_CIPHER_CTX_is_encrypting(ctx))
  3107. memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx),
  3108. EVP_CCM_TLS_EXPLICIT_IV_LEN);
  3109. /* Get rest of IV from explicit IV */
  3110. memcpy(ctx->iv + EVP_CCM_TLS_FIXED_IV_LEN, in,
  3111. EVP_CCM_TLS_EXPLICIT_IV_LEN);
  3112. /* Correct length value */
  3113. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
  3114. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,
  3115. len))
  3116. return -1;
  3117. /* Use saved AAD */
  3118. CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx),
  3119. cctx->tls_aad_len);
  3120. /* Fix buffer to point to payload */
  3121. in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  3122. out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  3123. if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3124. if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
  3125. cctx->str) :
  3126. CRYPTO_ccm128_encrypt(ccm, in, out, len))
  3127. return -1;
  3128. if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
  3129. return -1;
  3130. return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
  3131. } else {
  3132. if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
  3133. cctx->str) :
  3134. !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
  3135. unsigned char tag[16];
  3136. if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
  3137. if (!CRYPTO_memcmp(tag, in + len, cctx->M))
  3138. return len;
  3139. }
  3140. }
  3141. OPENSSL_cleanse(out, len);
  3142. return -1;
  3143. }
  3144. }
  3145. static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3146. const unsigned char *in, size_t len)
  3147. {
  3148. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  3149. CCM128_CONTEXT *ccm = &cctx->ccm;
  3150. /* If not set up, return error */
  3151. if (!cctx->key_set)
  3152. return -1;
  3153. if (cctx->tls_aad_len >= 0)
  3154. return aes_ccm_tls_cipher(ctx, out, in, len);
  3155. /* EVP_*Final() doesn't return any data */
  3156. if (in == NULL && out != NULL)
  3157. return 0;
  3158. if (!cctx->iv_set)
  3159. return -1;
  3160. if (!out) {
  3161. if (!in) {
  3162. if (CRYPTO_ccm128_setiv(ccm, ctx->iv,
  3163. 15 - cctx->L, len))
  3164. return -1;
  3165. cctx->len_set = 1;
  3166. return len;
  3167. }
  3168. /* If have AAD need message length */
  3169. if (!cctx->len_set && len)
  3170. return -1;
  3171. CRYPTO_ccm128_aad(ccm, in, len);
  3172. return len;
  3173. }
  3174. /* The tag must be set before actually decrypting data */
  3175. if (!EVP_CIPHER_CTX_is_encrypting(ctx) && !cctx->tag_set)
  3176. return -1;
  3177. /* If not set length yet do it */
  3178. if (!cctx->len_set) {
  3179. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
  3180. return -1;
  3181. cctx->len_set = 1;
  3182. }
  3183. if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3184. if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
  3185. cctx->str) :
  3186. CRYPTO_ccm128_encrypt(ccm, in, out, len))
  3187. return -1;
  3188. cctx->tag_set = 1;
  3189. return len;
  3190. } else {
  3191. int rv = -1;
  3192. if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
  3193. cctx->str) :
  3194. !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
  3195. unsigned char tag[16];
  3196. if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
  3197. if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx),
  3198. cctx->M))
  3199. rv = len;
  3200. }
  3201. }
  3202. if (rv == -1)
  3203. OPENSSL_cleanse(out, len);
  3204. cctx->iv_set = 0;
  3205. cctx->tag_set = 0;
  3206. cctx->len_set = 0;
  3207. return rv;
  3208. }
  3209. }
  3210. #define aes_ccm_cleanup NULL
  3211. BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
  3212. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3213. BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
  3214. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3215. BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
  3216. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3217. typedef struct {
  3218. union {
  3219. OSSL_UNION_ALIGN;
  3220. AES_KEY ks;
  3221. } ks;
  3222. /* Indicates if IV has been set */
  3223. unsigned char *iv;
  3224. } EVP_AES_WRAP_CTX;
  3225. static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3226. const unsigned char *iv, int enc)
  3227. {
  3228. int len;
  3229. EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
  3230. if (iv == NULL && key == NULL)
  3231. return 1;
  3232. if (key != NULL) {
  3233. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  3234. if (keylen <= 0) {
  3235. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  3236. return 0;
  3237. }
  3238. if (EVP_CIPHER_CTX_is_encrypting(ctx))
  3239. AES_set_encrypt_key(key, keylen, &wctx->ks.ks);
  3240. else
  3241. AES_set_decrypt_key(key, keylen, &wctx->ks.ks);
  3242. if (iv == NULL)
  3243. wctx->iv = NULL;
  3244. }
  3245. if (iv != NULL) {
  3246. if ((len = EVP_CIPHER_CTX_get_iv_length(ctx)) < 0)
  3247. return 0;
  3248. memcpy(ctx->iv, iv, len);
  3249. wctx->iv = ctx->iv;
  3250. }
  3251. return 1;
  3252. }
  3253. static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3254. const unsigned char *in, size_t inlen)
  3255. {
  3256. EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
  3257. size_t rv;
  3258. /* AES wrap with padding has IV length of 4, without padding 8 */
  3259. int pad = EVP_CIPHER_CTX_get_iv_length(ctx) == 4;
  3260. /* No final operation so always return zero length */
  3261. if (!in)
  3262. return 0;
  3263. /* Input length must always be non-zero */
  3264. if (!inlen)
  3265. return -1;
  3266. /* If decrypting need at least 16 bytes and multiple of 8 */
  3267. if (!EVP_CIPHER_CTX_is_encrypting(ctx) && (inlen < 16 || inlen & 0x7))
  3268. return -1;
  3269. /* If not padding input must be multiple of 8 */
  3270. if (!pad && inlen & 0x7)
  3271. return -1;
  3272. if (ossl_is_partially_overlapping(out, in, inlen)) {
  3273. ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
  3274. return 0;
  3275. }
  3276. if (!out) {
  3277. if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3278. /* If padding round up to multiple of 8 */
  3279. if (pad)
  3280. inlen = (inlen + 7) / 8 * 8;
  3281. /* 8 byte prefix */
  3282. return inlen + 8;
  3283. } else {
  3284. /*
  3285. * If not padding output will be exactly 8 bytes smaller than
  3286. * input. If padding it will be at least 8 bytes smaller but we
  3287. * don't know how much.
  3288. */
  3289. return inlen - 8;
  3290. }
  3291. }
  3292. if (pad) {
  3293. if (EVP_CIPHER_CTX_is_encrypting(ctx))
  3294. rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
  3295. out, in, inlen,
  3296. (block128_f) AES_encrypt);
  3297. else
  3298. rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
  3299. out, in, inlen,
  3300. (block128_f) AES_decrypt);
  3301. } else {
  3302. if (EVP_CIPHER_CTX_is_encrypting(ctx))
  3303. rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
  3304. out, in, inlen, (block128_f) AES_encrypt);
  3305. else
  3306. rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
  3307. out, in, inlen, (block128_f) AES_decrypt);
  3308. }
  3309. return rv ? (int)rv : -1;
  3310. }
  3311. #define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
  3312. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  3313. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
  3314. static const EVP_CIPHER aes_128_wrap = {
  3315. NID_id_aes128_wrap,
  3316. 8, 16, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3317. aes_wrap_init_key, aes_wrap_cipher,
  3318. NULL,
  3319. sizeof(EVP_AES_WRAP_CTX),
  3320. NULL, NULL, NULL, NULL
  3321. };
  3322. const EVP_CIPHER *EVP_aes_128_wrap(void)
  3323. {
  3324. return &aes_128_wrap;
  3325. }
  3326. static const EVP_CIPHER aes_192_wrap = {
  3327. NID_id_aes192_wrap,
  3328. 8, 24, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3329. aes_wrap_init_key, aes_wrap_cipher,
  3330. NULL,
  3331. sizeof(EVP_AES_WRAP_CTX),
  3332. NULL, NULL, NULL, NULL
  3333. };
  3334. const EVP_CIPHER *EVP_aes_192_wrap(void)
  3335. {
  3336. return &aes_192_wrap;
  3337. }
  3338. static const EVP_CIPHER aes_256_wrap = {
  3339. NID_id_aes256_wrap,
  3340. 8, 32, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3341. aes_wrap_init_key, aes_wrap_cipher,
  3342. NULL,
  3343. sizeof(EVP_AES_WRAP_CTX),
  3344. NULL, NULL, NULL, NULL
  3345. };
  3346. const EVP_CIPHER *EVP_aes_256_wrap(void)
  3347. {
  3348. return &aes_256_wrap;
  3349. }
  3350. static const EVP_CIPHER aes_128_wrap_pad = {
  3351. NID_id_aes128_wrap_pad,
  3352. 8, 16, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3353. aes_wrap_init_key, aes_wrap_cipher,
  3354. NULL,
  3355. sizeof(EVP_AES_WRAP_CTX),
  3356. NULL, NULL, NULL, NULL
  3357. };
  3358. const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
  3359. {
  3360. return &aes_128_wrap_pad;
  3361. }
  3362. static const EVP_CIPHER aes_192_wrap_pad = {
  3363. NID_id_aes192_wrap_pad,
  3364. 8, 24, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3365. aes_wrap_init_key, aes_wrap_cipher,
  3366. NULL,
  3367. sizeof(EVP_AES_WRAP_CTX),
  3368. NULL, NULL, NULL, NULL
  3369. };
  3370. const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
  3371. {
  3372. return &aes_192_wrap_pad;
  3373. }
  3374. static const EVP_CIPHER aes_256_wrap_pad = {
  3375. NID_id_aes256_wrap_pad,
  3376. 8, 32, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3377. aes_wrap_init_key, aes_wrap_cipher,
  3378. NULL,
  3379. sizeof(EVP_AES_WRAP_CTX),
  3380. NULL, NULL, NULL, NULL
  3381. };
  3382. const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
  3383. {
  3384. return &aes_256_wrap_pad;
  3385. }
  3386. #ifndef OPENSSL_NO_OCB
  3387. static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  3388. {
  3389. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
  3390. EVP_CIPHER_CTX *newc;
  3391. EVP_AES_OCB_CTX *new_octx;
  3392. switch (type) {
  3393. case EVP_CTRL_INIT:
  3394. octx->key_set = 0;
  3395. octx->iv_set = 0;
  3396. octx->ivlen = EVP_CIPHER_get_iv_length(c->cipher);
  3397. octx->iv = c->iv;
  3398. octx->taglen = 16;
  3399. octx->data_buf_len = 0;
  3400. octx->aad_buf_len = 0;
  3401. return 1;
  3402. case EVP_CTRL_GET_IVLEN:
  3403. *(int *)ptr = octx->ivlen;
  3404. return 1;
  3405. case EVP_CTRL_AEAD_SET_IVLEN:
  3406. /* IV len must be 1 to 15 */
  3407. if (arg <= 0 || arg > 15)
  3408. return 0;
  3409. octx->ivlen = arg;
  3410. return 1;
  3411. case EVP_CTRL_AEAD_SET_TAG:
  3412. if (ptr == NULL) {
  3413. /* Tag len must be 0 to 16 */
  3414. if (arg < 0 || arg > 16)
  3415. return 0;
  3416. octx->taglen = arg;
  3417. return 1;
  3418. }
  3419. if (arg != octx->taglen || EVP_CIPHER_CTX_is_encrypting(c))
  3420. return 0;
  3421. memcpy(octx->tag, ptr, arg);
  3422. return 1;
  3423. case EVP_CTRL_AEAD_GET_TAG:
  3424. if (arg != octx->taglen || !EVP_CIPHER_CTX_is_encrypting(c))
  3425. return 0;
  3426. memcpy(ptr, octx->tag, arg);
  3427. return 1;
  3428. case EVP_CTRL_COPY:
  3429. newc = (EVP_CIPHER_CTX *)ptr;
  3430. new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc);
  3431. return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb,
  3432. &new_octx->ksenc.ks,
  3433. &new_octx->ksdec.ks);
  3434. default:
  3435. return -1;
  3436. }
  3437. }
  3438. static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3439. const unsigned char *iv, int enc)
  3440. {
  3441. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  3442. if (iv == NULL && key == NULL)
  3443. return 1;
  3444. if (key != NULL) {
  3445. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  3446. if (keylen <= 0) {
  3447. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  3448. return 0;
  3449. }
  3450. do {
  3451. /*
  3452. * We set both the encrypt and decrypt key here because decrypt
  3453. * needs both. We could possibly optimise to remove setting the
  3454. * decrypt for an encryption operation.
  3455. */
  3456. # ifdef HWAES_CAPABLE
  3457. if (HWAES_CAPABLE) {
  3458. HWAES_set_encrypt_key(key, keylen, &octx->ksenc.ks);
  3459. HWAES_set_decrypt_key(key, keylen, &octx->ksdec.ks);
  3460. if (!CRYPTO_ocb128_init(&octx->ocb,
  3461. &octx->ksenc.ks, &octx->ksdec.ks,
  3462. (block128_f) HWAES_encrypt,
  3463. (block128_f) HWAES_decrypt,
  3464. enc ? HWAES_ocb_encrypt
  3465. : HWAES_ocb_decrypt))
  3466. return 0;
  3467. break;
  3468. }
  3469. # endif
  3470. # ifdef VPAES_CAPABLE
  3471. if (VPAES_CAPABLE) {
  3472. vpaes_set_encrypt_key(key, keylen, &octx->ksenc.ks);
  3473. vpaes_set_decrypt_key(key, keylen, &octx->ksdec.ks);
  3474. if (!CRYPTO_ocb128_init(&octx->ocb,
  3475. &octx->ksenc.ks, &octx->ksdec.ks,
  3476. (block128_f) vpaes_encrypt,
  3477. (block128_f) vpaes_decrypt,
  3478. NULL))
  3479. return 0;
  3480. break;
  3481. }
  3482. # endif
  3483. AES_set_encrypt_key(key, keylen, &octx->ksenc.ks);
  3484. AES_set_decrypt_key(key, keylen, &octx->ksdec.ks);
  3485. if (!CRYPTO_ocb128_init(&octx->ocb,
  3486. &octx->ksenc.ks, &octx->ksdec.ks,
  3487. (block128_f) AES_encrypt,
  3488. (block128_f) AES_decrypt,
  3489. NULL))
  3490. return 0;
  3491. }
  3492. while (0);
  3493. /*
  3494. * If we have an iv we can set it directly, otherwise use saved IV.
  3495. */
  3496. if (iv == NULL && octx->iv_set)
  3497. iv = octx->iv;
  3498. if (iv) {
  3499. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  3500. != 1)
  3501. return 0;
  3502. octx->iv_set = 1;
  3503. }
  3504. octx->key_set = 1;
  3505. } else {
  3506. /* If key set use IV, otherwise copy */
  3507. if (octx->key_set)
  3508. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  3509. else
  3510. memcpy(octx->iv, iv, octx->ivlen);
  3511. octx->iv_set = 1;
  3512. }
  3513. return 1;
  3514. }
  3515. static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3516. const unsigned char *in, size_t len)
  3517. {
  3518. unsigned char *buf;
  3519. int *buf_len;
  3520. int written_len = 0;
  3521. size_t trailing_len;
  3522. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  3523. /* If IV or Key not set then return error */
  3524. if (!octx->iv_set)
  3525. return -1;
  3526. if (!octx->key_set)
  3527. return -1;
  3528. if (in != NULL) {
  3529. /*
  3530. * Need to ensure we are only passing full blocks to low-level OCB
  3531. * routines. We do it here rather than in EVP_EncryptUpdate/
  3532. * EVP_DecryptUpdate because we need to pass full blocks of AAD too
  3533. * and those routines don't support that
  3534. */
  3535. /* Are we dealing with AAD or normal data here? */
  3536. if (out == NULL) {
  3537. buf = octx->aad_buf;
  3538. buf_len = &(octx->aad_buf_len);
  3539. } else {
  3540. buf = octx->data_buf;
  3541. buf_len = &(octx->data_buf_len);
  3542. if (ossl_is_partially_overlapping(out + *buf_len, in, len)) {
  3543. ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
  3544. return 0;
  3545. }
  3546. }
  3547. /*
  3548. * If we've got a partially filled buffer from a previous call then
  3549. * use that data first
  3550. */
  3551. if (*buf_len > 0) {
  3552. unsigned int remaining;
  3553. remaining = AES_BLOCK_SIZE - (*buf_len);
  3554. if (remaining > len) {
  3555. memcpy(buf + (*buf_len), in, len);
  3556. *(buf_len) += len;
  3557. return 0;
  3558. }
  3559. memcpy(buf + (*buf_len), in, remaining);
  3560. /*
  3561. * If we get here we've filled the buffer, so process it
  3562. */
  3563. len -= remaining;
  3564. in += remaining;
  3565. if (out == NULL) {
  3566. if (!CRYPTO_ocb128_aad(&octx->ocb, buf, AES_BLOCK_SIZE))
  3567. return -1;
  3568. } else if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3569. if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out,
  3570. AES_BLOCK_SIZE))
  3571. return -1;
  3572. } else {
  3573. if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out,
  3574. AES_BLOCK_SIZE))
  3575. return -1;
  3576. }
  3577. written_len = AES_BLOCK_SIZE;
  3578. *buf_len = 0;
  3579. if (out != NULL)
  3580. out += AES_BLOCK_SIZE;
  3581. }
  3582. /* Do we have a partial block to handle at the end? */
  3583. trailing_len = len % AES_BLOCK_SIZE;
  3584. /*
  3585. * If we've got some full blocks to handle, then process these first
  3586. */
  3587. if (len != trailing_len) {
  3588. if (out == NULL) {
  3589. if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len))
  3590. return -1;
  3591. } else if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3592. if (!CRYPTO_ocb128_encrypt
  3593. (&octx->ocb, in, out, len - trailing_len))
  3594. return -1;
  3595. } else {
  3596. if (!CRYPTO_ocb128_decrypt
  3597. (&octx->ocb, in, out, len - trailing_len))
  3598. return -1;
  3599. }
  3600. written_len += len - trailing_len;
  3601. in += len - trailing_len;
  3602. }
  3603. /* Handle any trailing partial block */
  3604. if (trailing_len > 0) {
  3605. memcpy(buf, in, trailing_len);
  3606. *buf_len = trailing_len;
  3607. }
  3608. return written_len;
  3609. } else {
  3610. /*
  3611. * First of all empty the buffer of any partial block that we might
  3612. * have been provided - both for data and AAD
  3613. */
  3614. if (octx->data_buf_len > 0) {
  3615. if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3616. if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out,
  3617. octx->data_buf_len))
  3618. return -1;
  3619. } else {
  3620. if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out,
  3621. octx->data_buf_len))
  3622. return -1;
  3623. }
  3624. written_len = octx->data_buf_len;
  3625. octx->data_buf_len = 0;
  3626. }
  3627. if (octx->aad_buf_len > 0) {
  3628. if (!CRYPTO_ocb128_aad
  3629. (&octx->ocb, octx->aad_buf, octx->aad_buf_len))
  3630. return -1;
  3631. octx->aad_buf_len = 0;
  3632. }
  3633. /* If decrypting then verify */
  3634. if (!EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3635. if (octx->taglen < 0)
  3636. return -1;
  3637. if (CRYPTO_ocb128_finish(&octx->ocb,
  3638. octx->tag, octx->taglen) != 0)
  3639. return -1;
  3640. octx->iv_set = 0;
  3641. return written_len;
  3642. }
  3643. /* If encrypting then just get the tag */
  3644. if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1)
  3645. return -1;
  3646. /* Don't reuse the IV */
  3647. octx->iv_set = 0;
  3648. return written_len;
  3649. }
  3650. }
  3651. static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
  3652. {
  3653. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
  3654. CRYPTO_ocb128_cleanup(&octx->ocb);
  3655. return 1;
  3656. }
  3657. BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
  3658. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3659. BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
  3660. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3661. BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
  3662. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3663. #endif /* OPENSSL_NO_OCB */