e_aes.c 146 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382
  1. /*
  2. * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/opensslconf.h>
  10. #include <openssl/crypto.h>
  11. #include <openssl/evp.h>
  12. #include <openssl/err.h>
  13. #include <string.h>
  14. #include <assert.h>
  15. #include <openssl/aes.h>
  16. #include "internal/evp_int.h"
  17. #include "modes_lcl.h"
  18. #include <openssl/rand.h>
  19. #include <openssl/cmac.h>
  20. #include "evp_locl.h"
  21. typedef struct {
  22. union {
  23. double align;
  24. AES_KEY ks;
  25. } ks;
  26. block128_f block;
  27. union {
  28. cbc128_f cbc;
  29. ctr128_f ctr;
  30. } stream;
  31. } EVP_AES_KEY;
  32. typedef struct {
  33. union {
  34. double align;
  35. AES_KEY ks;
  36. } ks; /* AES key schedule to use */
  37. int key_set; /* Set if key initialised */
  38. int iv_set; /* Set if an iv is set */
  39. GCM128_CONTEXT gcm;
  40. unsigned char *iv; /* Temporary IV store */
  41. int ivlen; /* IV length */
  42. int taglen;
  43. int iv_gen; /* It is OK to generate IVs */
  44. int tls_aad_len; /* TLS AAD length */
  45. uint64_t tls_enc_records; /* Number of TLS records encrypted */
  46. ctr128_f ctr;
  47. } EVP_AES_GCM_CTX;
  48. typedef struct {
  49. union {
  50. double align;
  51. AES_KEY ks;
  52. } ks1, ks2; /* AES key schedules to use */
  53. XTS128_CONTEXT xts;
  54. void (*stream) (const unsigned char *in,
  55. unsigned char *out, size_t length,
  56. const AES_KEY *key1, const AES_KEY *key2,
  57. const unsigned char iv[16]);
  58. } EVP_AES_XTS_CTX;
  59. typedef struct {
  60. union {
  61. double align;
  62. AES_KEY ks;
  63. } ks; /* AES key schedule to use */
  64. int key_set; /* Set if key initialised */
  65. int iv_set; /* Set if an iv is set */
  66. int tag_set; /* Set if tag is valid */
  67. int len_set; /* Set if message length set */
  68. int L, M; /* L and M parameters from RFC3610 */
  69. int tls_aad_len; /* TLS AAD length */
  70. CCM128_CONTEXT ccm;
  71. ccm128_f str;
  72. } EVP_AES_CCM_CTX;
  73. #ifndef OPENSSL_NO_OCB
  74. typedef struct {
  75. union {
  76. double align;
  77. AES_KEY ks;
  78. } ksenc; /* AES key schedule to use for encryption */
  79. union {
  80. double align;
  81. AES_KEY ks;
  82. } ksdec; /* AES key schedule to use for decryption */
  83. int key_set; /* Set if key initialised */
  84. int iv_set; /* Set if an iv is set */
  85. OCB128_CONTEXT ocb;
  86. unsigned char *iv; /* Temporary IV store */
  87. unsigned char tag[16];
  88. unsigned char data_buf[16]; /* Store partial data blocks */
  89. unsigned char aad_buf[16]; /* Store partial AAD blocks */
  90. int data_buf_len;
  91. int aad_buf_len;
  92. int ivlen; /* IV length */
  93. int taglen;
  94. } EVP_AES_OCB_CTX;
  95. #endif
  96. #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
  97. #ifdef VPAES_ASM
  98. int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
  99. AES_KEY *key);
  100. int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
  101. AES_KEY *key);
  102. void vpaes_encrypt(const unsigned char *in, unsigned char *out,
  103. const AES_KEY *key);
  104. void vpaes_decrypt(const unsigned char *in, unsigned char *out,
  105. const AES_KEY *key);
  106. void vpaes_cbc_encrypt(const unsigned char *in,
  107. unsigned char *out,
  108. size_t length,
  109. const AES_KEY *key, unsigned char *ivec, int enc);
  110. #endif
  111. #ifdef BSAES_ASM
  112. void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
  113. size_t length, const AES_KEY *key,
  114. unsigned char ivec[16], int enc);
  115. void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
  116. size_t len, const AES_KEY *key,
  117. const unsigned char ivec[16]);
  118. void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
  119. size_t len, const AES_KEY *key1,
  120. const AES_KEY *key2, const unsigned char iv[16]);
  121. void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
  122. size_t len, const AES_KEY *key1,
  123. const AES_KEY *key2, const unsigned char iv[16]);
  124. #endif
  125. #ifdef AES_CTR_ASM
  126. void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
  127. size_t blocks, const AES_KEY *key,
  128. const unsigned char ivec[AES_BLOCK_SIZE]);
  129. #endif
  130. #ifdef AES_XTS_ASM
  131. void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
  132. const AES_KEY *key1, const AES_KEY *key2,
  133. const unsigned char iv[16]);
  134. void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
  135. const AES_KEY *key1, const AES_KEY *key2,
  136. const unsigned char iv[16]);
  137. #endif
  138. /* increment counter (64-bit int) by 1 */
  139. static void ctr64_inc(unsigned char *counter)
  140. {
  141. int n = 8;
  142. unsigned char c;
  143. do {
  144. --n;
  145. c = counter[n];
  146. ++c;
  147. counter[n] = c;
  148. if (c)
  149. return;
  150. } while (n);
  151. }
  152. #if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
  153. # include "ppc_arch.h"
  154. # ifdef VPAES_ASM
  155. # define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
  156. # endif
  157. # define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
  158. # define HWAES_set_encrypt_key aes_p8_set_encrypt_key
  159. # define HWAES_set_decrypt_key aes_p8_set_decrypt_key
  160. # define HWAES_encrypt aes_p8_encrypt
  161. # define HWAES_decrypt aes_p8_decrypt
  162. # define HWAES_cbc_encrypt aes_p8_cbc_encrypt
  163. # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
  164. # define HWAES_xts_encrypt aes_p8_xts_encrypt
  165. # define HWAES_xts_decrypt aes_p8_xts_decrypt
  166. #endif
  167. #if defined(AES_ASM) && !defined(I386_ONLY) && ( \
  168. ((defined(__i386) || defined(__i386__) || \
  169. defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
  170. defined(__x86_64) || defined(__x86_64__) || \
  171. defined(_M_AMD64) || defined(_M_X64) )
  172. extern unsigned int OPENSSL_ia32cap_P[];
  173. # ifdef VPAES_ASM
  174. # define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
  175. # endif
  176. # ifdef BSAES_ASM
  177. # define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
  178. # endif
  179. /*
  180. * AES-NI section
  181. */
  182. # define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
  183. int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
  184. AES_KEY *key);
  185. int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
  186. AES_KEY *key);
  187. void aesni_encrypt(const unsigned char *in, unsigned char *out,
  188. const AES_KEY *key);
  189. void aesni_decrypt(const unsigned char *in, unsigned char *out,
  190. const AES_KEY *key);
  191. void aesni_ecb_encrypt(const unsigned char *in,
  192. unsigned char *out,
  193. size_t length, const AES_KEY *key, int enc);
  194. void aesni_cbc_encrypt(const unsigned char *in,
  195. unsigned char *out,
  196. size_t length,
  197. const AES_KEY *key, unsigned char *ivec, int enc);
  198. void aesni_ctr32_encrypt_blocks(const unsigned char *in,
  199. unsigned char *out,
  200. size_t blocks,
  201. const void *key, const unsigned char *ivec);
  202. void aesni_xts_encrypt(const unsigned char *in,
  203. unsigned char *out,
  204. size_t length,
  205. const AES_KEY *key1, const AES_KEY *key2,
  206. const unsigned char iv[16]);
  207. void aesni_xts_decrypt(const unsigned char *in,
  208. unsigned char *out,
  209. size_t length,
  210. const AES_KEY *key1, const AES_KEY *key2,
  211. const unsigned char iv[16]);
  212. void aesni_ccm64_encrypt_blocks(const unsigned char *in,
  213. unsigned char *out,
  214. size_t blocks,
  215. const void *key,
  216. const unsigned char ivec[16],
  217. unsigned char cmac[16]);
  218. void aesni_ccm64_decrypt_blocks(const unsigned char *in,
  219. unsigned char *out,
  220. size_t blocks,
  221. const void *key,
  222. const unsigned char ivec[16],
  223. unsigned char cmac[16]);
  224. # if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
  225. size_t aesni_gcm_encrypt(const unsigned char *in,
  226. unsigned char *out,
  227. size_t len,
  228. const void *key, unsigned char ivec[16], u64 *Xi);
  229. # define AES_gcm_encrypt aesni_gcm_encrypt
  230. size_t aesni_gcm_decrypt(const unsigned char *in,
  231. unsigned char *out,
  232. size_t len,
  233. const void *key, unsigned char ivec[16], u64 *Xi);
  234. # define AES_gcm_decrypt aesni_gcm_decrypt
  235. void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in,
  236. size_t len);
  237. # define AES_GCM_ASM(gctx) (gctx->ctr==aesni_ctr32_encrypt_blocks && \
  238. gctx->gcm.ghash==gcm_ghash_avx)
  239. # define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
  240. gctx->gcm.ghash==gcm_ghash_avx)
  241. # undef AES_GCM_ASM2 /* minor size optimization */
  242. # endif
  243. static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  244. const unsigned char *iv, int enc)
  245. {
  246. int ret, mode;
  247. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  248. mode = EVP_CIPHER_CTX_mode(ctx);
  249. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  250. && !enc) {
  251. ret = aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  252. &dat->ks.ks);
  253. dat->block = (block128_f) aesni_decrypt;
  254. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  255. (cbc128_f) aesni_cbc_encrypt : NULL;
  256. } else {
  257. ret = aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  258. &dat->ks.ks);
  259. dat->block = (block128_f) aesni_encrypt;
  260. if (mode == EVP_CIPH_CBC_MODE)
  261. dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
  262. else if (mode == EVP_CIPH_CTR_MODE)
  263. dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
  264. else
  265. dat->stream.cbc = NULL;
  266. }
  267. if (ret < 0) {
  268. EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
  269. return 0;
  270. }
  271. return 1;
  272. }
  273. static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  274. const unsigned char *in, size_t len)
  275. {
  276. aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
  277. EVP_CIPHER_CTX_iv_noconst(ctx),
  278. EVP_CIPHER_CTX_encrypting(ctx));
  279. return 1;
  280. }
  281. static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  282. const unsigned char *in, size_t len)
  283. {
  284. size_t bl = EVP_CIPHER_CTX_block_size(ctx);
  285. if (len < bl)
  286. return 1;
  287. aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
  288. EVP_CIPHER_CTX_encrypting(ctx));
  289. return 1;
  290. }
  291. # define aesni_ofb_cipher aes_ofb_cipher
  292. static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  293. const unsigned char *in, size_t len);
  294. # define aesni_cfb_cipher aes_cfb_cipher
  295. static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  296. const unsigned char *in, size_t len);
  297. # define aesni_cfb8_cipher aes_cfb8_cipher
  298. static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  299. const unsigned char *in, size_t len);
  300. # define aesni_cfb1_cipher aes_cfb1_cipher
  301. static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  302. const unsigned char *in, size_t len);
  303. # define aesni_ctr_cipher aes_ctr_cipher
  304. static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  305. const unsigned char *in, size_t len);
  306. static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  307. const unsigned char *iv, int enc)
  308. {
  309. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  310. if (!iv && !key)
  311. return 1;
  312. if (key) {
  313. aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  314. &gctx->ks.ks);
  315. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
  316. gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
  317. /*
  318. * If we have an iv can set it directly, otherwise use saved IV.
  319. */
  320. if (iv == NULL && gctx->iv_set)
  321. iv = gctx->iv;
  322. if (iv) {
  323. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  324. gctx->iv_set = 1;
  325. }
  326. gctx->key_set = 1;
  327. } else {
  328. /* If key set use IV, otherwise copy */
  329. if (gctx->key_set)
  330. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  331. else
  332. memcpy(gctx->iv, iv, gctx->ivlen);
  333. gctx->iv_set = 1;
  334. gctx->iv_gen = 0;
  335. }
  336. return 1;
  337. }
  338. # define aesni_gcm_cipher aes_gcm_cipher
  339. static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  340. const unsigned char *in, size_t len);
  341. static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  342. const unsigned char *iv, int enc)
  343. {
  344. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  345. if (!iv && !key)
  346. return 1;
  347. if (key) {
  348. /* key_len is two AES keys */
  349. if (enc) {
  350. aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
  351. &xctx->ks1.ks);
  352. xctx->xts.block1 = (block128_f) aesni_encrypt;
  353. xctx->stream = aesni_xts_encrypt;
  354. } else {
  355. aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
  356. &xctx->ks1.ks);
  357. xctx->xts.block1 = (block128_f) aesni_decrypt;
  358. xctx->stream = aesni_xts_decrypt;
  359. }
  360. aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
  361. EVP_CIPHER_CTX_key_length(ctx) * 4,
  362. &xctx->ks2.ks);
  363. xctx->xts.block2 = (block128_f) aesni_encrypt;
  364. xctx->xts.key1 = &xctx->ks1;
  365. }
  366. if (iv) {
  367. xctx->xts.key2 = &xctx->ks2;
  368. memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
  369. }
  370. return 1;
  371. }
  372. # define aesni_xts_cipher aes_xts_cipher
  373. static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  374. const unsigned char *in, size_t len);
  375. static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  376. const unsigned char *iv, int enc)
  377. {
  378. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  379. if (!iv && !key)
  380. return 1;
  381. if (key) {
  382. aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  383. &cctx->ks.ks);
  384. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  385. &cctx->ks, (block128_f) aesni_encrypt);
  386. cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
  387. (ccm128_f) aesni_ccm64_decrypt_blocks;
  388. cctx->key_set = 1;
  389. }
  390. if (iv) {
  391. memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
  392. cctx->iv_set = 1;
  393. }
  394. return 1;
  395. }
  396. # define aesni_ccm_cipher aes_ccm_cipher
  397. static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  398. const unsigned char *in, size_t len);
  399. # ifndef OPENSSL_NO_OCB
  400. void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out,
  401. size_t blocks, const void *key,
  402. size_t start_block_num,
  403. unsigned char offset_i[16],
  404. const unsigned char L_[][16],
  405. unsigned char checksum[16]);
  406. void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out,
  407. size_t blocks, const void *key,
  408. size_t start_block_num,
  409. unsigned char offset_i[16],
  410. const unsigned char L_[][16],
  411. unsigned char checksum[16]);
  412. static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  413. const unsigned char *iv, int enc)
  414. {
  415. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  416. if (!iv && !key)
  417. return 1;
  418. if (key) {
  419. do {
  420. /*
  421. * We set both the encrypt and decrypt key here because decrypt
  422. * needs both. We could possibly optimise to remove setting the
  423. * decrypt for an encryption operation.
  424. */
  425. aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  426. &octx->ksenc.ks);
  427. aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  428. &octx->ksdec.ks);
  429. if (!CRYPTO_ocb128_init(&octx->ocb,
  430. &octx->ksenc.ks, &octx->ksdec.ks,
  431. (block128_f) aesni_encrypt,
  432. (block128_f) aesni_decrypt,
  433. enc ? aesni_ocb_encrypt
  434. : aesni_ocb_decrypt))
  435. return 0;
  436. }
  437. while (0);
  438. /*
  439. * If we have an iv we can set it directly, otherwise use saved IV.
  440. */
  441. if (iv == NULL && octx->iv_set)
  442. iv = octx->iv;
  443. if (iv) {
  444. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  445. != 1)
  446. return 0;
  447. octx->iv_set = 1;
  448. }
  449. octx->key_set = 1;
  450. } else {
  451. /* If key set use IV, otherwise copy */
  452. if (octx->key_set)
  453. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  454. else
  455. memcpy(octx->iv, iv, octx->ivlen);
  456. octx->iv_set = 1;
  457. }
  458. return 1;
  459. }
  460. # define aesni_ocb_cipher aes_ocb_cipher
  461. static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  462. const unsigned char *in, size_t len);
  463. # endif /* OPENSSL_NO_OCB */
  464. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  465. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  466. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  467. flags|EVP_CIPH_##MODE##_MODE, \
  468. aesni_init_key, \
  469. aesni_##mode##_cipher, \
  470. NULL, \
  471. sizeof(EVP_AES_KEY), \
  472. NULL,NULL,NULL,NULL }; \
  473. static const EVP_CIPHER aes_##keylen##_##mode = { \
  474. nid##_##keylen##_##nmode,blocksize, \
  475. keylen/8,ivlen, \
  476. flags|EVP_CIPH_##MODE##_MODE, \
  477. aes_init_key, \
  478. aes_##mode##_cipher, \
  479. NULL, \
  480. sizeof(EVP_AES_KEY), \
  481. NULL,NULL,NULL,NULL }; \
  482. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  483. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  484. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  485. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  486. nid##_##keylen##_##mode,blocksize, \
  487. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  488. ivlen, \
  489. flags|EVP_CIPH_##MODE##_MODE, \
  490. aesni_##mode##_init_key, \
  491. aesni_##mode##_cipher, \
  492. aes_##mode##_cleanup, \
  493. sizeof(EVP_AES_##MODE##_CTX), \
  494. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  495. static const EVP_CIPHER aes_##keylen##_##mode = { \
  496. nid##_##keylen##_##mode,blocksize, \
  497. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  498. ivlen, \
  499. flags|EVP_CIPH_##MODE##_MODE, \
  500. aes_##mode##_init_key, \
  501. aes_##mode##_cipher, \
  502. aes_##mode##_cleanup, \
  503. sizeof(EVP_AES_##MODE##_CTX), \
  504. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  505. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  506. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  507. #elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
  508. # include "sparc_arch.h"
  509. extern unsigned int OPENSSL_sparcv9cap_P[];
  510. /*
  511. * Initial Fujitsu SPARC64 X support
  512. */
  513. # define HWAES_CAPABLE (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
  514. # define HWAES_set_encrypt_key aes_fx_set_encrypt_key
  515. # define HWAES_set_decrypt_key aes_fx_set_decrypt_key
  516. # define HWAES_encrypt aes_fx_encrypt
  517. # define HWAES_decrypt aes_fx_decrypt
  518. # define HWAES_cbc_encrypt aes_fx_cbc_encrypt
  519. # define HWAES_ctr32_encrypt_blocks aes_fx_ctr32_encrypt_blocks
  520. # define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES)
  521. void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
  522. void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
  523. void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
  524. const AES_KEY *key);
  525. void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
  526. const AES_KEY *key);
  527. /*
  528. * Key-length specific subroutines were chosen for following reason.
  529. * Each SPARC T4 core can execute up to 8 threads which share core's
  530. * resources. Loading as much key material to registers allows to
  531. * minimize references to shared memory interface, as well as amount
  532. * of instructions in inner loops [much needed on T4]. But then having
  533. * non-key-length specific routines would require conditional branches
  534. * either in inner loops or on subroutines' entries. Former is hardly
  535. * acceptable, while latter means code size increase to size occupied
  536. * by multiple key-length specific subroutines, so why fight?
  537. */
  538. void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
  539. size_t len, const AES_KEY *key,
  540. unsigned char *ivec);
  541. void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
  542. size_t len, const AES_KEY *key,
  543. unsigned char *ivec);
  544. void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
  545. size_t len, const AES_KEY *key,
  546. unsigned char *ivec);
  547. void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
  548. size_t len, const AES_KEY *key,
  549. unsigned char *ivec);
  550. void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
  551. size_t len, const AES_KEY *key,
  552. unsigned char *ivec);
  553. void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
  554. size_t len, const AES_KEY *key,
  555. unsigned char *ivec);
  556. void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
  557. size_t blocks, const AES_KEY *key,
  558. unsigned char *ivec);
  559. void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
  560. size_t blocks, const AES_KEY *key,
  561. unsigned char *ivec);
  562. void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
  563. size_t blocks, const AES_KEY *key,
  564. unsigned char *ivec);
  565. void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
  566. size_t blocks, const AES_KEY *key1,
  567. const AES_KEY *key2, const unsigned char *ivec);
  568. void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
  569. size_t blocks, const AES_KEY *key1,
  570. const AES_KEY *key2, const unsigned char *ivec);
  571. void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
  572. size_t blocks, const AES_KEY *key1,
  573. const AES_KEY *key2, const unsigned char *ivec);
  574. void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
  575. size_t blocks, const AES_KEY *key1,
  576. const AES_KEY *key2, const unsigned char *ivec);
  577. static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  578. const unsigned char *iv, int enc)
  579. {
  580. int ret, mode, bits;
  581. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  582. mode = EVP_CIPHER_CTX_mode(ctx);
  583. bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
  584. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  585. && !enc) {
  586. ret = 0;
  587. aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
  588. dat->block = (block128_f) aes_t4_decrypt;
  589. switch (bits) {
  590. case 128:
  591. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  592. (cbc128_f) aes128_t4_cbc_decrypt : NULL;
  593. break;
  594. case 192:
  595. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  596. (cbc128_f) aes192_t4_cbc_decrypt : NULL;
  597. break;
  598. case 256:
  599. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  600. (cbc128_f) aes256_t4_cbc_decrypt : NULL;
  601. break;
  602. default:
  603. ret = -1;
  604. }
  605. } else {
  606. ret = 0;
  607. aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
  608. dat->block = (block128_f) aes_t4_encrypt;
  609. switch (bits) {
  610. case 128:
  611. if (mode == EVP_CIPH_CBC_MODE)
  612. dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
  613. else if (mode == EVP_CIPH_CTR_MODE)
  614. dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
  615. else
  616. dat->stream.cbc = NULL;
  617. break;
  618. case 192:
  619. if (mode == EVP_CIPH_CBC_MODE)
  620. dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
  621. else if (mode == EVP_CIPH_CTR_MODE)
  622. dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
  623. else
  624. dat->stream.cbc = NULL;
  625. break;
  626. case 256:
  627. if (mode == EVP_CIPH_CBC_MODE)
  628. dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
  629. else if (mode == EVP_CIPH_CTR_MODE)
  630. dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
  631. else
  632. dat->stream.cbc = NULL;
  633. break;
  634. default:
  635. ret = -1;
  636. }
  637. }
  638. if (ret < 0) {
  639. EVPerr(EVP_F_AES_T4_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
  640. return 0;
  641. }
  642. return 1;
  643. }
  644. # define aes_t4_cbc_cipher aes_cbc_cipher
  645. static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  646. const unsigned char *in, size_t len);
  647. # define aes_t4_ecb_cipher aes_ecb_cipher
  648. static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  649. const unsigned char *in, size_t len);
  650. # define aes_t4_ofb_cipher aes_ofb_cipher
  651. static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  652. const unsigned char *in, size_t len);
  653. # define aes_t4_cfb_cipher aes_cfb_cipher
  654. static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  655. const unsigned char *in, size_t len);
  656. # define aes_t4_cfb8_cipher aes_cfb8_cipher
  657. static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  658. const unsigned char *in, size_t len);
  659. # define aes_t4_cfb1_cipher aes_cfb1_cipher
  660. static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  661. const unsigned char *in, size_t len);
  662. # define aes_t4_ctr_cipher aes_ctr_cipher
  663. static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  664. const unsigned char *in, size_t len);
  665. static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  666. const unsigned char *iv, int enc)
  667. {
  668. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  669. if (!iv && !key)
  670. return 1;
  671. if (key) {
  672. int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
  673. aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
  674. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  675. (block128_f) aes_t4_encrypt);
  676. switch (bits) {
  677. case 128:
  678. gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
  679. break;
  680. case 192:
  681. gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
  682. break;
  683. case 256:
  684. gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
  685. break;
  686. default:
  687. return 0;
  688. }
  689. /*
  690. * If we have an iv can set it directly, otherwise use saved IV.
  691. */
  692. if (iv == NULL && gctx->iv_set)
  693. iv = gctx->iv;
  694. if (iv) {
  695. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  696. gctx->iv_set = 1;
  697. }
  698. gctx->key_set = 1;
  699. } else {
  700. /* If key set use IV, otherwise copy */
  701. if (gctx->key_set)
  702. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  703. else
  704. memcpy(gctx->iv, iv, gctx->ivlen);
  705. gctx->iv_set = 1;
  706. gctx->iv_gen = 0;
  707. }
  708. return 1;
  709. }
  710. # define aes_t4_gcm_cipher aes_gcm_cipher
  711. static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  712. const unsigned char *in, size_t len);
  713. static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  714. const unsigned char *iv, int enc)
  715. {
  716. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  717. if (!iv && !key)
  718. return 1;
  719. if (key) {
  720. int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
  721. xctx->stream = NULL;
  722. /* key_len is two AES keys */
  723. if (enc) {
  724. aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
  725. xctx->xts.block1 = (block128_f) aes_t4_encrypt;
  726. switch (bits) {
  727. case 128:
  728. xctx->stream = aes128_t4_xts_encrypt;
  729. break;
  730. case 256:
  731. xctx->stream = aes256_t4_xts_encrypt;
  732. break;
  733. default:
  734. return 0;
  735. }
  736. } else {
  737. aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
  738. &xctx->ks1.ks);
  739. xctx->xts.block1 = (block128_f) aes_t4_decrypt;
  740. switch (bits) {
  741. case 128:
  742. xctx->stream = aes128_t4_xts_decrypt;
  743. break;
  744. case 256:
  745. xctx->stream = aes256_t4_xts_decrypt;
  746. break;
  747. default:
  748. return 0;
  749. }
  750. }
  751. aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
  752. EVP_CIPHER_CTX_key_length(ctx) * 4,
  753. &xctx->ks2.ks);
  754. xctx->xts.block2 = (block128_f) aes_t4_encrypt;
  755. xctx->xts.key1 = &xctx->ks1;
  756. }
  757. if (iv) {
  758. xctx->xts.key2 = &xctx->ks2;
  759. memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
  760. }
  761. return 1;
  762. }
  763. # define aes_t4_xts_cipher aes_xts_cipher
  764. static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  765. const unsigned char *in, size_t len);
  766. static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  767. const unsigned char *iv, int enc)
  768. {
  769. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  770. if (!iv && !key)
  771. return 1;
  772. if (key) {
  773. int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
  774. aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
  775. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  776. &cctx->ks, (block128_f) aes_t4_encrypt);
  777. cctx->str = NULL;
  778. cctx->key_set = 1;
  779. }
  780. if (iv) {
  781. memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
  782. cctx->iv_set = 1;
  783. }
  784. return 1;
  785. }
  786. # define aes_t4_ccm_cipher aes_ccm_cipher
  787. static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  788. const unsigned char *in, size_t len);
  789. # ifndef OPENSSL_NO_OCB
  790. static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  791. const unsigned char *iv, int enc)
  792. {
  793. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  794. if (!iv && !key)
  795. return 1;
  796. if (key) {
  797. do {
  798. /*
  799. * We set both the encrypt and decrypt key here because decrypt
  800. * needs both. We could possibly optimise to remove setting the
  801. * decrypt for an encryption operation.
  802. */
  803. aes_t4_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  804. &octx->ksenc.ks);
  805. aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  806. &octx->ksdec.ks);
  807. if (!CRYPTO_ocb128_init(&octx->ocb,
  808. &octx->ksenc.ks, &octx->ksdec.ks,
  809. (block128_f) aes_t4_encrypt,
  810. (block128_f) aes_t4_decrypt,
  811. NULL))
  812. return 0;
  813. }
  814. while (0);
  815. /*
  816. * If we have an iv we can set it directly, otherwise use saved IV.
  817. */
  818. if (iv == NULL && octx->iv_set)
  819. iv = octx->iv;
  820. if (iv) {
  821. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  822. != 1)
  823. return 0;
  824. octx->iv_set = 1;
  825. }
  826. octx->key_set = 1;
  827. } else {
  828. /* If key set use IV, otherwise copy */
  829. if (octx->key_set)
  830. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  831. else
  832. memcpy(octx->iv, iv, octx->ivlen);
  833. octx->iv_set = 1;
  834. }
  835. return 1;
  836. }
  837. # define aes_t4_ocb_cipher aes_ocb_cipher
  838. static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  839. const unsigned char *in, size_t len);
  840. # endif /* OPENSSL_NO_OCB */
  841. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  842. static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
  843. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  844. flags|EVP_CIPH_##MODE##_MODE, \
  845. aes_t4_init_key, \
  846. aes_t4_##mode##_cipher, \
  847. NULL, \
  848. sizeof(EVP_AES_KEY), \
  849. NULL,NULL,NULL,NULL }; \
  850. static const EVP_CIPHER aes_##keylen##_##mode = { \
  851. nid##_##keylen##_##nmode,blocksize, \
  852. keylen/8,ivlen, \
  853. flags|EVP_CIPH_##MODE##_MODE, \
  854. aes_init_key, \
  855. aes_##mode##_cipher, \
  856. NULL, \
  857. sizeof(EVP_AES_KEY), \
  858. NULL,NULL,NULL,NULL }; \
  859. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  860. { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
  861. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  862. static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
  863. nid##_##keylen##_##mode,blocksize, \
  864. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  865. ivlen, \
  866. flags|EVP_CIPH_##MODE##_MODE, \
  867. aes_t4_##mode##_init_key, \
  868. aes_t4_##mode##_cipher, \
  869. aes_##mode##_cleanup, \
  870. sizeof(EVP_AES_##MODE##_CTX), \
  871. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  872. static const EVP_CIPHER aes_##keylen##_##mode = { \
  873. nid##_##keylen##_##mode,blocksize, \
  874. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  875. ivlen, \
  876. flags|EVP_CIPH_##MODE##_MODE, \
  877. aes_##mode##_init_key, \
  878. aes_##mode##_cipher, \
  879. aes_##mode##_cleanup, \
  880. sizeof(EVP_AES_##MODE##_CTX), \
  881. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  882. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  883. { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
  884. #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
  885. /*
  886. * IBM S390X support
  887. */
  888. # include "s390x_arch.h"
  889. typedef struct {
  890. union {
  891. double align;
  892. /*-
  893. * KM-AES parameter block - begin
  894. * (see z/Architecture Principles of Operation >= SA22-7832-06)
  895. */
  896. struct {
  897. unsigned char k[32];
  898. } param;
  899. /* KM-AES parameter block - end */
  900. } km;
  901. unsigned int fc;
  902. } S390X_AES_ECB_CTX;
  903. typedef struct {
  904. union {
  905. double align;
  906. /*-
  907. * KMO-AES parameter block - begin
  908. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  909. */
  910. struct {
  911. unsigned char cv[16];
  912. unsigned char k[32];
  913. } param;
  914. /* KMO-AES parameter block - end */
  915. } kmo;
  916. unsigned int fc;
  917. int res;
  918. } S390X_AES_OFB_CTX;
  919. typedef struct {
  920. union {
  921. double align;
  922. /*-
  923. * KMF-AES parameter block - begin
  924. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  925. */
  926. struct {
  927. unsigned char cv[16];
  928. unsigned char k[32];
  929. } param;
  930. /* KMF-AES parameter block - end */
  931. } kmf;
  932. unsigned int fc;
  933. int res;
  934. } S390X_AES_CFB_CTX;
  935. typedef struct {
  936. union {
  937. double align;
  938. /*-
  939. * KMA-GCM-AES parameter block - begin
  940. * (see z/Architecture Principles of Operation >= SA22-7832-11)
  941. */
  942. struct {
  943. unsigned char reserved[12];
  944. union {
  945. unsigned int w;
  946. unsigned char b[4];
  947. } cv;
  948. union {
  949. unsigned long long g[2];
  950. unsigned char b[16];
  951. } t;
  952. unsigned char h[16];
  953. unsigned long long taadl;
  954. unsigned long long tpcl;
  955. union {
  956. unsigned long long g[2];
  957. unsigned int w[4];
  958. } j0;
  959. unsigned char k[32];
  960. } param;
  961. /* KMA-GCM-AES parameter block - end */
  962. } kma;
  963. unsigned int fc;
  964. int key_set;
  965. unsigned char *iv;
  966. int ivlen;
  967. int iv_set;
  968. int iv_gen;
  969. int taglen;
  970. unsigned char ares[16];
  971. unsigned char mres[16];
  972. unsigned char kres[16];
  973. int areslen;
  974. int mreslen;
  975. int kreslen;
  976. int tls_aad_len;
  977. uint64_t tls_enc_records; /* Number of TLS records encrypted */
  978. } S390X_AES_GCM_CTX;
  979. typedef struct {
  980. union {
  981. double align;
  982. /*-
  983. * Padding is chosen so that ccm.kmac_param.k overlaps with key.k and
  984. * ccm.fc with key.k.rounds. Remember that on s390x, an AES_KEY's
  985. * rounds field is used to store the function code and that the key
  986. * schedule is not stored (if aes hardware support is detected).
  987. */
  988. struct {
  989. unsigned char pad[16];
  990. AES_KEY k;
  991. } key;
  992. struct {
  993. /*-
  994. * KMAC-AES parameter block - begin
  995. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  996. */
  997. struct {
  998. union {
  999. unsigned long long g[2];
  1000. unsigned char b[16];
  1001. } icv;
  1002. unsigned char k[32];
  1003. } kmac_param;
  1004. /* KMAC-AES paramater block - end */
  1005. union {
  1006. unsigned long long g[2];
  1007. unsigned char b[16];
  1008. } nonce;
  1009. union {
  1010. unsigned long long g[2];
  1011. unsigned char b[16];
  1012. } buf;
  1013. unsigned long long blocks;
  1014. int l;
  1015. int m;
  1016. int tls_aad_len;
  1017. int iv_set;
  1018. int tag_set;
  1019. int len_set;
  1020. int key_set;
  1021. unsigned char pad[140];
  1022. unsigned int fc;
  1023. } ccm;
  1024. } aes;
  1025. } S390X_AES_CCM_CTX;
  1026. /* Convert key size to function code: [16,24,32] -> [18,19,20]. */
  1027. # define S390X_AES_FC(keylen) (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
  1028. /* Most modes of operation need km for partial block processing. */
  1029. # define S390X_aes_128_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
  1030. S390X_CAPBIT(S390X_AES_128))
  1031. # define S390X_aes_192_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
  1032. S390X_CAPBIT(S390X_AES_192))
  1033. # define S390X_aes_256_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
  1034. S390X_CAPBIT(S390X_AES_256))
  1035. # define s390x_aes_init_key aes_init_key
  1036. static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  1037. const unsigned char *iv, int enc);
  1038. # define S390X_aes_128_cbc_CAPABLE 1 /* checked by callee */
  1039. # define S390X_aes_192_cbc_CAPABLE 1
  1040. # define S390X_aes_256_cbc_CAPABLE 1
  1041. # define S390X_AES_CBC_CTX EVP_AES_KEY
  1042. # define s390x_aes_cbc_init_key aes_init_key
  1043. # define s390x_aes_cbc_cipher aes_cbc_cipher
  1044. static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1045. const unsigned char *in, size_t len);
  1046. # define S390X_aes_128_ecb_CAPABLE S390X_aes_128_CAPABLE
  1047. # define S390X_aes_192_ecb_CAPABLE S390X_aes_192_CAPABLE
  1048. # define S390X_aes_256_ecb_CAPABLE S390X_aes_256_CAPABLE
  1049. static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx,
  1050. const unsigned char *key,
  1051. const unsigned char *iv, int enc)
  1052. {
  1053. S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
  1054. const int keylen = EVP_CIPHER_CTX_key_length(ctx);
  1055. cctx->fc = S390X_AES_FC(keylen);
  1056. if (!enc)
  1057. cctx->fc |= S390X_DECRYPT;
  1058. memcpy(cctx->km.param.k, key, keylen);
  1059. return 1;
  1060. }
  1061. static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1062. const unsigned char *in, size_t len)
  1063. {
  1064. S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
  1065. s390x_km(in, len, out, cctx->fc, &cctx->km.param);
  1066. return 1;
  1067. }
  1068. # define S390X_aes_128_ofb_CAPABLE (S390X_aes_128_CAPABLE && \
  1069. (OPENSSL_s390xcap_P.kmo[0] & \
  1070. S390X_CAPBIT(S390X_AES_128)))
  1071. # define S390X_aes_192_ofb_CAPABLE (S390X_aes_192_CAPABLE && \
  1072. (OPENSSL_s390xcap_P.kmo[0] & \
  1073. S390X_CAPBIT(S390X_AES_192)))
  1074. # define S390X_aes_256_ofb_CAPABLE (S390X_aes_256_CAPABLE && \
  1075. (OPENSSL_s390xcap_P.kmo[0] & \
  1076. S390X_CAPBIT(S390X_AES_256)))
  1077. static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx,
  1078. const unsigned char *key,
  1079. const unsigned char *ivec, int enc)
  1080. {
  1081. S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
  1082. const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
  1083. const int keylen = EVP_CIPHER_CTX_key_length(ctx);
  1084. const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
  1085. memcpy(cctx->kmo.param.cv, iv, ivlen);
  1086. memcpy(cctx->kmo.param.k, key, keylen);
  1087. cctx->fc = S390X_AES_FC(keylen);
  1088. cctx->res = 0;
  1089. return 1;
  1090. }
  1091. static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1092. const unsigned char *in, size_t len)
  1093. {
  1094. S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
  1095. int n = cctx->res;
  1096. int rem;
  1097. while (n && len) {
  1098. *out = *in ^ cctx->kmo.param.cv[n];
  1099. n = (n + 1) & 0xf;
  1100. --len;
  1101. ++in;
  1102. ++out;
  1103. }
  1104. rem = len & 0xf;
  1105. len &= ~(size_t)0xf;
  1106. if (len) {
  1107. s390x_kmo(in, len, out, cctx->fc, &cctx->kmo.param);
  1108. out += len;
  1109. in += len;
  1110. }
  1111. if (rem) {
  1112. s390x_km(cctx->kmo.param.cv, 16, cctx->kmo.param.cv, cctx->fc,
  1113. cctx->kmo.param.k);
  1114. while (rem--) {
  1115. out[n] = in[n] ^ cctx->kmo.param.cv[n];
  1116. ++n;
  1117. }
  1118. }
  1119. cctx->res = n;
  1120. return 1;
  1121. }
  1122. # define S390X_aes_128_cfb_CAPABLE (S390X_aes_128_CAPABLE && \
  1123. (OPENSSL_s390xcap_P.kmf[0] & \
  1124. S390X_CAPBIT(S390X_AES_128)))
  1125. # define S390X_aes_192_cfb_CAPABLE (S390X_aes_192_CAPABLE && \
  1126. (OPENSSL_s390xcap_P.kmf[0] & \
  1127. S390X_CAPBIT(S390X_AES_192)))
  1128. # define S390X_aes_256_cfb_CAPABLE (S390X_aes_256_CAPABLE && \
  1129. (OPENSSL_s390xcap_P.kmf[0] & \
  1130. S390X_CAPBIT(S390X_AES_256)))
  1131. static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx,
  1132. const unsigned char *key,
  1133. const unsigned char *ivec, int enc)
  1134. {
  1135. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  1136. const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
  1137. const int keylen = EVP_CIPHER_CTX_key_length(ctx);
  1138. const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
  1139. cctx->fc = S390X_AES_FC(keylen);
  1140. cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */
  1141. if (!enc)
  1142. cctx->fc |= S390X_DECRYPT;
  1143. cctx->res = 0;
  1144. memcpy(cctx->kmf.param.cv, iv, ivlen);
  1145. memcpy(cctx->kmf.param.k, key, keylen);
  1146. return 1;
  1147. }
  1148. static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1149. const unsigned char *in, size_t len)
  1150. {
  1151. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  1152. const int keylen = EVP_CIPHER_CTX_key_length(ctx);
  1153. const int enc = EVP_CIPHER_CTX_encrypting(ctx);
  1154. int n = cctx->res;
  1155. int rem;
  1156. unsigned char tmp;
  1157. while (n && len) {
  1158. tmp = *in;
  1159. *out = cctx->kmf.param.cv[n] ^ tmp;
  1160. cctx->kmf.param.cv[n] = enc ? *out : tmp;
  1161. n = (n + 1) & 0xf;
  1162. --len;
  1163. ++in;
  1164. ++out;
  1165. }
  1166. rem = len & 0xf;
  1167. len &= ~(size_t)0xf;
  1168. if (len) {
  1169. s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
  1170. out += len;
  1171. in += len;
  1172. }
  1173. if (rem) {
  1174. s390x_km(cctx->kmf.param.cv, 16, cctx->kmf.param.cv,
  1175. S390X_AES_FC(keylen), cctx->kmf.param.k);
  1176. while (rem--) {
  1177. tmp = in[n];
  1178. out[n] = cctx->kmf.param.cv[n] ^ tmp;
  1179. cctx->kmf.param.cv[n] = enc ? out[n] : tmp;
  1180. ++n;
  1181. }
  1182. }
  1183. cctx->res = n;
  1184. return 1;
  1185. }
  1186. # define S390X_aes_128_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
  1187. S390X_CAPBIT(S390X_AES_128))
  1188. # define S390X_aes_192_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
  1189. S390X_CAPBIT(S390X_AES_192))
  1190. # define S390X_aes_256_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
  1191. S390X_CAPBIT(S390X_AES_256))
  1192. static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX *ctx,
  1193. const unsigned char *key,
  1194. const unsigned char *ivec, int enc)
  1195. {
  1196. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  1197. const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
  1198. const int keylen = EVP_CIPHER_CTX_key_length(ctx);
  1199. const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
  1200. cctx->fc = S390X_AES_FC(keylen);
  1201. cctx->fc |= 1 << 24; /* 1 byte cipher feedback */
  1202. if (!enc)
  1203. cctx->fc |= S390X_DECRYPT;
  1204. memcpy(cctx->kmf.param.cv, iv, ivlen);
  1205. memcpy(cctx->kmf.param.k, key, keylen);
  1206. return 1;
  1207. }
  1208. static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1209. const unsigned char *in, size_t len)
  1210. {
  1211. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  1212. s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
  1213. return 1;
  1214. }
  1215. # define S390X_aes_128_cfb1_CAPABLE 0
  1216. # define S390X_aes_192_cfb1_CAPABLE 0
  1217. # define S390X_aes_256_cfb1_CAPABLE 0
  1218. # define s390x_aes_cfb1_init_key aes_init_key
  1219. # define s390x_aes_cfb1_cipher aes_cfb1_cipher
  1220. static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1221. const unsigned char *in, size_t len);
  1222. # define S390X_aes_128_ctr_CAPABLE 1 /* checked by callee */
  1223. # define S390X_aes_192_ctr_CAPABLE 1
  1224. # define S390X_aes_256_ctr_CAPABLE 1
  1225. # define S390X_AES_CTR_CTX EVP_AES_KEY
  1226. # define s390x_aes_ctr_init_key aes_init_key
  1227. # define s390x_aes_ctr_cipher aes_ctr_cipher
  1228. static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1229. const unsigned char *in, size_t len);
  1230. # define S390X_aes_128_gcm_CAPABLE (S390X_aes_128_CAPABLE && \
  1231. (OPENSSL_s390xcap_P.kma[0] & \
  1232. S390X_CAPBIT(S390X_AES_128)))
  1233. # define S390X_aes_192_gcm_CAPABLE (S390X_aes_192_CAPABLE && \
  1234. (OPENSSL_s390xcap_P.kma[0] & \
  1235. S390X_CAPBIT(S390X_AES_192)))
  1236. # define S390X_aes_256_gcm_CAPABLE (S390X_aes_256_CAPABLE && \
  1237. (OPENSSL_s390xcap_P.kma[0] & \
  1238. S390X_CAPBIT(S390X_AES_256)))
  1239. /* iv + padding length for iv lenghts != 12 */
  1240. # define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
  1241. /*-
  1242. * Process additional authenticated data. Returns 0 on success. Code is
  1243. * big-endian.
  1244. */
  1245. static int s390x_aes_gcm_aad(S390X_AES_GCM_CTX *ctx, const unsigned char *aad,
  1246. size_t len)
  1247. {
  1248. unsigned long long alen;
  1249. int n, rem;
  1250. if (ctx->kma.param.tpcl)
  1251. return -2;
  1252. alen = ctx->kma.param.taadl + len;
  1253. if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
  1254. return -1;
  1255. ctx->kma.param.taadl = alen;
  1256. n = ctx->areslen;
  1257. if (n) {
  1258. while (n && len) {
  1259. ctx->ares[n] = *aad;
  1260. n = (n + 1) & 0xf;
  1261. ++aad;
  1262. --len;
  1263. }
  1264. /* ctx->ares contains a complete block if offset has wrapped around */
  1265. if (!n) {
  1266. s390x_kma(ctx->ares, 16, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
  1267. ctx->fc |= S390X_KMA_HS;
  1268. }
  1269. ctx->areslen = n;
  1270. }
  1271. rem = len & 0xf;
  1272. len &= ~(size_t)0xf;
  1273. if (len) {
  1274. s390x_kma(aad, len, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
  1275. aad += len;
  1276. ctx->fc |= S390X_KMA_HS;
  1277. }
  1278. if (rem) {
  1279. ctx->areslen = rem;
  1280. do {
  1281. --rem;
  1282. ctx->ares[rem] = aad[rem];
  1283. } while (rem);
  1284. }
  1285. return 0;
  1286. }
  1287. /*-
  1288. * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 0 for
  1289. * success. Code is big-endian.
  1290. */
  1291. static int s390x_aes_gcm(S390X_AES_GCM_CTX *ctx, const unsigned char *in,
  1292. unsigned char *out, size_t len)
  1293. {
  1294. const unsigned char *inptr;
  1295. unsigned long long mlen;
  1296. union {
  1297. unsigned int w[4];
  1298. unsigned char b[16];
  1299. } buf;
  1300. size_t inlen;
  1301. int n, rem, i;
  1302. mlen = ctx->kma.param.tpcl + len;
  1303. if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
  1304. return -1;
  1305. ctx->kma.param.tpcl = mlen;
  1306. n = ctx->mreslen;
  1307. if (n) {
  1308. inptr = in;
  1309. inlen = len;
  1310. while (n && inlen) {
  1311. ctx->mres[n] = *inptr;
  1312. n = (n + 1) & 0xf;
  1313. ++inptr;
  1314. --inlen;
  1315. }
  1316. /* ctx->mres contains a complete block if offset has wrapped around */
  1317. if (!n) {
  1318. s390x_kma(ctx->ares, ctx->areslen, ctx->mres, 16, buf.b,
  1319. ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
  1320. ctx->fc |= S390X_KMA_HS;
  1321. ctx->areslen = 0;
  1322. /* previous call already encrypted/decrypted its remainder,
  1323. * see comment below */
  1324. n = ctx->mreslen;
  1325. while (n) {
  1326. *out = buf.b[n];
  1327. n = (n + 1) & 0xf;
  1328. ++out;
  1329. ++in;
  1330. --len;
  1331. }
  1332. ctx->mreslen = 0;
  1333. }
  1334. }
  1335. rem = len & 0xf;
  1336. len &= ~(size_t)0xf;
  1337. if (len) {
  1338. s390x_kma(ctx->ares, ctx->areslen, in, len, out,
  1339. ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
  1340. in += len;
  1341. out += len;
  1342. ctx->fc |= S390X_KMA_HS;
  1343. ctx->areslen = 0;
  1344. }
  1345. /*-
  1346. * If there is a remainder, it has to be saved such that it can be
  1347. * processed by kma later. However, we also have to do the for-now
  1348. * unauthenticated encryption/decryption part here and now...
  1349. */
  1350. if (rem) {
  1351. if (!ctx->mreslen) {
  1352. buf.w[0] = ctx->kma.param.j0.w[0];
  1353. buf.w[1] = ctx->kma.param.j0.w[1];
  1354. buf.w[2] = ctx->kma.param.j0.w[2];
  1355. buf.w[3] = ctx->kma.param.cv.w + 1;
  1356. s390x_km(buf.b, 16, ctx->kres, ctx->fc & 0x1f, &ctx->kma.param.k);
  1357. }
  1358. n = ctx->mreslen;
  1359. for (i = 0; i < rem; i++) {
  1360. ctx->mres[n + i] = in[i];
  1361. out[i] = in[i] ^ ctx->kres[n + i];
  1362. }
  1363. ctx->mreslen += rem;
  1364. }
  1365. return 0;
  1366. }
  1367. /*-
  1368. * Initialize context structure. Code is big-endian.
  1369. */
  1370. static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx,
  1371. const unsigned char *iv)
  1372. {
  1373. ctx->kma.param.t.g[0] = 0;
  1374. ctx->kma.param.t.g[1] = 0;
  1375. ctx->kma.param.tpcl = 0;
  1376. ctx->kma.param.taadl = 0;
  1377. ctx->mreslen = 0;
  1378. ctx->areslen = 0;
  1379. ctx->kreslen = 0;
  1380. if (ctx->ivlen == 12) {
  1381. memcpy(&ctx->kma.param.j0, iv, ctx->ivlen);
  1382. ctx->kma.param.j0.w[3] = 1;
  1383. ctx->kma.param.cv.w = 1;
  1384. } else {
  1385. /* ctx->iv has the right size and is already padded. */
  1386. memcpy(ctx->iv, iv, ctx->ivlen);
  1387. s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL,
  1388. ctx->fc, &ctx->kma.param);
  1389. ctx->fc |= S390X_KMA_HS;
  1390. ctx->kma.param.j0.g[0] = ctx->kma.param.t.g[0];
  1391. ctx->kma.param.j0.g[1] = ctx->kma.param.t.g[1];
  1392. ctx->kma.param.cv.w = ctx->kma.param.j0.w[3];
  1393. ctx->kma.param.t.g[0] = 0;
  1394. ctx->kma.param.t.g[1] = 0;
  1395. }
  1396. }
  1397. /*-
  1398. * Performs various operations on the context structure depending on control
  1399. * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
  1400. * Code is big-endian.
  1401. */
  1402. static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1403. {
  1404. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
  1405. S390X_AES_GCM_CTX *gctx_out;
  1406. EVP_CIPHER_CTX *out;
  1407. unsigned char *buf, *iv;
  1408. int ivlen, enc, len;
  1409. switch (type) {
  1410. case EVP_CTRL_INIT:
  1411. ivlen = EVP_CIPHER_CTX_iv_length(c);
  1412. iv = EVP_CIPHER_CTX_iv_noconst(c);
  1413. gctx->key_set = 0;
  1414. gctx->iv_set = 0;
  1415. gctx->ivlen = ivlen;
  1416. gctx->iv = iv;
  1417. gctx->taglen = -1;
  1418. gctx->iv_gen = 0;
  1419. gctx->tls_aad_len = -1;
  1420. return 1;
  1421. case EVP_CTRL_AEAD_SET_IVLEN:
  1422. if (arg <= 0)
  1423. return 0;
  1424. if (arg != 12) {
  1425. iv = EVP_CIPHER_CTX_iv_noconst(c);
  1426. len = S390X_gcm_ivpadlen(arg);
  1427. /* Allocate memory for iv if needed. */
  1428. if (gctx->ivlen == 12 || len > S390X_gcm_ivpadlen(gctx->ivlen)) {
  1429. if (gctx->iv != iv)
  1430. OPENSSL_free(gctx->iv);
  1431. if ((gctx->iv = OPENSSL_malloc(len)) == NULL) {
  1432. EVPerr(EVP_F_S390X_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
  1433. return 0;
  1434. }
  1435. }
  1436. /* Add padding. */
  1437. memset(gctx->iv + arg, 0, len - arg - 8);
  1438. *((unsigned long long *)(gctx->iv + len - 8)) = arg << 3;
  1439. }
  1440. gctx->ivlen = arg;
  1441. return 1;
  1442. case EVP_CTRL_AEAD_SET_TAG:
  1443. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1444. enc = EVP_CIPHER_CTX_encrypting(c);
  1445. if (arg <= 0 || arg > 16 || enc)
  1446. return 0;
  1447. memcpy(buf, ptr, arg);
  1448. gctx->taglen = arg;
  1449. return 1;
  1450. case EVP_CTRL_AEAD_GET_TAG:
  1451. enc = EVP_CIPHER_CTX_encrypting(c);
  1452. if (arg <= 0 || arg > 16 || !enc || gctx->taglen < 0)
  1453. return 0;
  1454. memcpy(ptr, gctx->kma.param.t.b, arg);
  1455. return 1;
  1456. case EVP_CTRL_GCM_SET_IV_FIXED:
  1457. /* Special case: -1 length restores whole iv */
  1458. if (arg == -1) {
  1459. memcpy(gctx->iv, ptr, gctx->ivlen);
  1460. gctx->iv_gen = 1;
  1461. return 1;
  1462. }
  1463. /*
  1464. * Fixed field must be at least 4 bytes and invocation field at least
  1465. * 8.
  1466. */
  1467. if ((arg < 4) || (gctx->ivlen - arg) < 8)
  1468. return 0;
  1469. if (arg)
  1470. memcpy(gctx->iv, ptr, arg);
  1471. enc = EVP_CIPHER_CTX_encrypting(c);
  1472. if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
  1473. return 0;
  1474. gctx->iv_gen = 1;
  1475. return 1;
  1476. case EVP_CTRL_GCM_IV_GEN:
  1477. if (gctx->iv_gen == 0 || gctx->key_set == 0)
  1478. return 0;
  1479. s390x_aes_gcm_setiv(gctx, gctx->iv);
  1480. if (arg <= 0 || arg > gctx->ivlen)
  1481. arg = gctx->ivlen;
  1482. memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
  1483. /*
  1484. * Invocation field will be at least 8 bytes in size and so no need
  1485. * to check wrap around or increment more than last 8 bytes.
  1486. */
  1487. ctr64_inc(gctx->iv + gctx->ivlen - 8);
  1488. gctx->iv_set = 1;
  1489. return 1;
  1490. case EVP_CTRL_GCM_SET_IV_INV:
  1491. enc = EVP_CIPHER_CTX_encrypting(c);
  1492. if (gctx->iv_gen == 0 || gctx->key_set == 0 || enc)
  1493. return 0;
  1494. memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
  1495. s390x_aes_gcm_setiv(gctx, gctx->iv);
  1496. gctx->iv_set = 1;
  1497. return 1;
  1498. case EVP_CTRL_AEAD_TLS1_AAD:
  1499. /* Save the aad for later use. */
  1500. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  1501. return 0;
  1502. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1503. memcpy(buf, ptr, arg);
  1504. gctx->tls_aad_len = arg;
  1505. gctx->tls_enc_records = 0;
  1506. len = buf[arg - 2] << 8 | buf[arg - 1];
  1507. /* Correct length for explicit iv. */
  1508. if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
  1509. return 0;
  1510. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1511. /* If decrypting correct for tag too. */
  1512. enc = EVP_CIPHER_CTX_encrypting(c);
  1513. if (!enc) {
  1514. if (len < EVP_GCM_TLS_TAG_LEN)
  1515. return 0;
  1516. len -= EVP_GCM_TLS_TAG_LEN;
  1517. }
  1518. buf[arg - 2] = len >> 8;
  1519. buf[arg - 1] = len & 0xff;
  1520. /* Extra padding: tag appended to record. */
  1521. return EVP_GCM_TLS_TAG_LEN;
  1522. case EVP_CTRL_COPY:
  1523. out = ptr;
  1524. gctx_out = EVP_C_DATA(S390X_AES_GCM_CTX, out);
  1525. iv = EVP_CIPHER_CTX_iv_noconst(c);
  1526. if (gctx->iv == iv) {
  1527. gctx_out->iv = EVP_CIPHER_CTX_iv_noconst(out);
  1528. } else {
  1529. len = S390X_gcm_ivpadlen(gctx->ivlen);
  1530. if ((gctx_out->iv = OPENSSL_malloc(len)) == NULL) {
  1531. EVPerr(EVP_F_S390X_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
  1532. return 0;
  1533. }
  1534. memcpy(gctx_out->iv, gctx->iv, len);
  1535. }
  1536. return 1;
  1537. default:
  1538. return -1;
  1539. }
  1540. }
  1541. /*-
  1542. * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
  1543. */
  1544. static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx,
  1545. const unsigned char *key,
  1546. const unsigned char *iv, int enc)
  1547. {
  1548. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1549. int keylen;
  1550. if (iv == NULL && key == NULL)
  1551. return 1;
  1552. if (key != NULL) {
  1553. keylen = EVP_CIPHER_CTX_key_length(ctx);
  1554. memcpy(&gctx->kma.param.k, key, keylen);
  1555. gctx->fc = S390X_AES_FC(keylen);
  1556. if (!enc)
  1557. gctx->fc |= S390X_DECRYPT;
  1558. if (iv == NULL && gctx->iv_set)
  1559. iv = gctx->iv;
  1560. if (iv != NULL) {
  1561. s390x_aes_gcm_setiv(gctx, iv);
  1562. gctx->iv_set = 1;
  1563. }
  1564. gctx->key_set = 1;
  1565. } else {
  1566. if (gctx->key_set)
  1567. s390x_aes_gcm_setiv(gctx, iv);
  1568. else
  1569. memcpy(gctx->iv, iv, gctx->ivlen);
  1570. gctx->iv_set = 1;
  1571. gctx->iv_gen = 0;
  1572. }
  1573. return 1;
  1574. }
  1575. /*-
  1576. * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
  1577. * if successful. Otherwise -1 is returned. Code is big-endian.
  1578. */
  1579. static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1580. const unsigned char *in, size_t len)
  1581. {
  1582. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1583. const unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1584. const int enc = EVP_CIPHER_CTX_encrypting(ctx);
  1585. int rv = -1;
  1586. if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
  1587. return -1;
  1588. /*
  1589. * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
  1590. * Requirements from SP 800-38D". The requirements is for one party to the
  1591. * communication to fail after 2^64 - 1 keys. We do this on the encrypting
  1592. * side only.
  1593. */
  1594. if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
  1595. EVPerr(EVP_F_S390X_AES_GCM_TLS_CIPHER, EVP_R_TOO_MANY_RECORDS);
  1596. goto err;
  1597. }
  1598. if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN
  1599. : EVP_CTRL_GCM_SET_IV_INV,
  1600. EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
  1601. goto err;
  1602. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1603. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1604. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  1605. gctx->kma.param.taadl = gctx->tls_aad_len << 3;
  1606. gctx->kma.param.tpcl = len << 3;
  1607. s390x_kma(buf, gctx->tls_aad_len, in, len, out,
  1608. gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
  1609. if (enc) {
  1610. memcpy(out + len, gctx->kma.param.t.b, EVP_GCM_TLS_TAG_LEN);
  1611. rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  1612. } else {
  1613. if (CRYPTO_memcmp(gctx->kma.param.t.b, in + len,
  1614. EVP_GCM_TLS_TAG_LEN)) {
  1615. OPENSSL_cleanse(out, len);
  1616. goto err;
  1617. }
  1618. rv = len;
  1619. }
  1620. err:
  1621. gctx->iv_set = 0;
  1622. gctx->tls_aad_len = -1;
  1623. return rv;
  1624. }
  1625. /*-
  1626. * Called from EVP layer to initialize context, process additional
  1627. * authenticated data, en/de-crypt plain/cipher-text and authenticate
  1628. * ciphertext or process a TLS packet, depending on context. Returns bytes
  1629. * written on success. Otherwise -1 is returned. Code is big-endian.
  1630. */
  1631. static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1632. const unsigned char *in, size_t len)
  1633. {
  1634. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1635. unsigned char *buf, tmp[16];
  1636. int enc;
  1637. if (!gctx->key_set)
  1638. return -1;
  1639. if (gctx->tls_aad_len >= 0)
  1640. return s390x_aes_gcm_tls_cipher(ctx, out, in, len);
  1641. if (!gctx->iv_set)
  1642. return -1;
  1643. if (in != NULL) {
  1644. if (out == NULL) {
  1645. if (s390x_aes_gcm_aad(gctx, in, len))
  1646. return -1;
  1647. } else {
  1648. if (s390x_aes_gcm(gctx, in, out, len))
  1649. return -1;
  1650. }
  1651. return len;
  1652. } else {
  1653. gctx->kma.param.taadl <<= 3;
  1654. gctx->kma.param.tpcl <<= 3;
  1655. s390x_kma(gctx->ares, gctx->areslen, gctx->mres, gctx->mreslen, tmp,
  1656. gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
  1657. /* recall that we already did en-/decrypt gctx->mres
  1658. * and returned it to caller... */
  1659. OPENSSL_cleanse(tmp, gctx->mreslen);
  1660. gctx->iv_set = 0;
  1661. enc = EVP_CIPHER_CTX_encrypting(ctx);
  1662. if (enc) {
  1663. gctx->taglen = 16;
  1664. } else {
  1665. if (gctx->taglen < 0)
  1666. return -1;
  1667. buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1668. if (CRYPTO_memcmp(buf, gctx->kma.param.t.b, gctx->taglen))
  1669. return -1;
  1670. }
  1671. return 0;
  1672. }
  1673. }
  1674. static int s390x_aes_gcm_cleanup(EVP_CIPHER_CTX *c)
  1675. {
  1676. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
  1677. const unsigned char *iv;
  1678. if (gctx == NULL)
  1679. return 0;
  1680. iv = EVP_CIPHER_CTX_iv(c);
  1681. if (iv != gctx->iv)
  1682. OPENSSL_free(gctx->iv);
  1683. OPENSSL_cleanse(gctx, sizeof(*gctx));
  1684. return 1;
  1685. }
  1686. # define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
  1687. # define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */
  1688. # define S390X_aes_256_xts_CAPABLE 1
  1689. # define s390x_aes_xts_init_key aes_xts_init_key
  1690. static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx,
  1691. const unsigned char *key,
  1692. const unsigned char *iv, int enc);
  1693. # define s390x_aes_xts_cipher aes_xts_cipher
  1694. static int s390x_aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1695. const unsigned char *in, size_t len);
  1696. # define s390x_aes_xts_ctrl aes_xts_ctrl
  1697. static int s390x_aes_xts_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
  1698. # define s390x_aes_xts_cleanup aes_xts_cleanup
  1699. # define S390X_aes_128_ccm_CAPABLE (S390X_aes_128_CAPABLE && \
  1700. (OPENSSL_s390xcap_P.kmac[0] & \
  1701. S390X_CAPBIT(S390X_AES_128)))
  1702. # define S390X_aes_192_ccm_CAPABLE (S390X_aes_192_CAPABLE && \
  1703. (OPENSSL_s390xcap_P.kmac[0] & \
  1704. S390X_CAPBIT(S390X_AES_192)))
  1705. # define S390X_aes_256_ccm_CAPABLE (S390X_aes_256_CAPABLE && \
  1706. (OPENSSL_s390xcap_P.kmac[0] & \
  1707. S390X_CAPBIT(S390X_AES_256)))
  1708. # define S390X_CCM_AAD_FLAG 0x40
  1709. /*-
  1710. * Set nonce and length fields. Code is big-endian.
  1711. */
  1712. static inline void s390x_aes_ccm_setiv(S390X_AES_CCM_CTX *ctx,
  1713. const unsigned char *nonce,
  1714. size_t mlen)
  1715. {
  1716. ctx->aes.ccm.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
  1717. ctx->aes.ccm.nonce.g[1] = mlen;
  1718. memcpy(ctx->aes.ccm.nonce.b + 1, nonce, 15 - ctx->aes.ccm.l);
  1719. }
  1720. /*-
  1721. * Process additional authenticated data. Code is big-endian.
  1722. */
  1723. static void s390x_aes_ccm_aad(S390X_AES_CCM_CTX *ctx, const unsigned char *aad,
  1724. size_t alen)
  1725. {
  1726. unsigned char *ptr;
  1727. int i, rem;
  1728. if (!alen)
  1729. return;
  1730. ctx->aes.ccm.nonce.b[0] |= S390X_CCM_AAD_FLAG;
  1731. /* Suppress 'type-punned pointer dereference' warning. */
  1732. ptr = ctx->aes.ccm.buf.b;
  1733. if (alen < ((1 << 16) - (1 << 8))) {
  1734. *(uint16_t *)ptr = alen;
  1735. i = 2;
  1736. } else if (sizeof(alen) == 8
  1737. && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
  1738. *(uint16_t *)ptr = 0xffff;
  1739. *(uint64_t *)(ptr + 2) = alen;
  1740. i = 10;
  1741. } else {
  1742. *(uint16_t *)ptr = 0xfffe;
  1743. *(uint32_t *)(ptr + 2) = alen;
  1744. i = 6;
  1745. }
  1746. while (i < 16 && alen) {
  1747. ctx->aes.ccm.buf.b[i] = *aad;
  1748. ++aad;
  1749. --alen;
  1750. ++i;
  1751. }
  1752. while (i < 16) {
  1753. ctx->aes.ccm.buf.b[i] = 0;
  1754. ++i;
  1755. }
  1756. ctx->aes.ccm.kmac_param.icv.g[0] = 0;
  1757. ctx->aes.ccm.kmac_param.icv.g[1] = 0;
  1758. s390x_kmac(ctx->aes.ccm.nonce.b, 32, ctx->aes.ccm.fc,
  1759. &ctx->aes.ccm.kmac_param);
  1760. ctx->aes.ccm.blocks += 2;
  1761. rem = alen & 0xf;
  1762. alen &= ~(size_t)0xf;
  1763. if (alen) {
  1764. s390x_kmac(aad, alen, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1765. ctx->aes.ccm.blocks += alen >> 4;
  1766. aad += alen;
  1767. }
  1768. if (rem) {
  1769. for (i = 0; i < rem; i++)
  1770. ctx->aes.ccm.kmac_param.icv.b[i] ^= aad[i];
  1771. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1772. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1773. ctx->aes.ccm.kmac_param.k);
  1774. ctx->aes.ccm.blocks++;
  1775. }
  1776. }
  1777. /*-
  1778. * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 0 for
  1779. * success.
  1780. */
  1781. static int s390x_aes_ccm(S390X_AES_CCM_CTX *ctx, const unsigned char *in,
  1782. unsigned char *out, size_t len, int enc)
  1783. {
  1784. size_t n, rem;
  1785. unsigned int i, l, num;
  1786. unsigned char flags;
  1787. flags = ctx->aes.ccm.nonce.b[0];
  1788. if (!(flags & S390X_CCM_AAD_FLAG)) {
  1789. s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.kmac_param.icv.b,
  1790. ctx->aes.ccm.fc, ctx->aes.ccm.kmac_param.k);
  1791. ctx->aes.ccm.blocks++;
  1792. }
  1793. l = flags & 0x7;
  1794. ctx->aes.ccm.nonce.b[0] = l;
  1795. /*-
  1796. * Reconstruct length from encoded length field
  1797. * and initialize it with counter value.
  1798. */
  1799. n = 0;
  1800. for (i = 15 - l; i < 15; i++) {
  1801. n |= ctx->aes.ccm.nonce.b[i];
  1802. ctx->aes.ccm.nonce.b[i] = 0;
  1803. n <<= 8;
  1804. }
  1805. n |= ctx->aes.ccm.nonce.b[15];
  1806. ctx->aes.ccm.nonce.b[15] = 1;
  1807. if (n != len)
  1808. return -1; /* length mismatch */
  1809. if (enc) {
  1810. /* Two operations per block plus one for tag encryption */
  1811. ctx->aes.ccm.blocks += (((len + 15) >> 4) << 1) + 1;
  1812. if (ctx->aes.ccm.blocks > (1ULL << 61))
  1813. return -2; /* too much data */
  1814. }
  1815. num = 0;
  1816. rem = len & 0xf;
  1817. len &= ~(size_t)0xf;
  1818. if (enc) {
  1819. /* mac-then-encrypt */
  1820. if (len)
  1821. s390x_kmac(in, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1822. if (rem) {
  1823. for (i = 0; i < rem; i++)
  1824. ctx->aes.ccm.kmac_param.icv.b[i] ^= in[len + i];
  1825. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1826. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1827. ctx->aes.ccm.kmac_param.k);
  1828. }
  1829. CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
  1830. ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
  1831. &num, (ctr128_f)AES_ctr32_encrypt);
  1832. } else {
  1833. /* decrypt-then-mac */
  1834. CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
  1835. ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
  1836. &num, (ctr128_f)AES_ctr32_encrypt);
  1837. if (len)
  1838. s390x_kmac(out, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1839. if (rem) {
  1840. for (i = 0; i < rem; i++)
  1841. ctx->aes.ccm.kmac_param.icv.b[i] ^= out[len + i];
  1842. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1843. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1844. ctx->aes.ccm.kmac_param.k);
  1845. }
  1846. }
  1847. /* encrypt tag */
  1848. for (i = 15 - l; i < 16; i++)
  1849. ctx->aes.ccm.nonce.b[i] = 0;
  1850. s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.buf.b, ctx->aes.ccm.fc,
  1851. ctx->aes.ccm.kmac_param.k);
  1852. ctx->aes.ccm.kmac_param.icv.g[0] ^= ctx->aes.ccm.buf.g[0];
  1853. ctx->aes.ccm.kmac_param.icv.g[1] ^= ctx->aes.ccm.buf.g[1];
  1854. ctx->aes.ccm.nonce.b[0] = flags; /* restore flags field */
  1855. return 0;
  1856. }
  1857. /*-
  1858. * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
  1859. * if successful. Otherwise -1 is returned.
  1860. */
  1861. static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1862. const unsigned char *in, size_t len)
  1863. {
  1864. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1865. unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
  1866. unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1867. const int enc = EVP_CIPHER_CTX_encrypting(ctx);
  1868. if (out != in
  1869. || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m))
  1870. return -1;
  1871. if (enc) {
  1872. /* Set explicit iv (sequence number). */
  1873. memcpy(out, buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
  1874. }
  1875. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
  1876. /*-
  1877. * Get explicit iv (sequence number). We already have fixed iv
  1878. * (server/client_write_iv) here.
  1879. */
  1880. memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
  1881. s390x_aes_ccm_setiv(cctx, ivec, len);
  1882. /* Process aad (sequence number|type|version|length) */
  1883. s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len);
  1884. in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1885. out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1886. if (enc) {
  1887. if (s390x_aes_ccm(cctx, in, out, len, enc))
  1888. return -1;
  1889. memcpy(out + len, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
  1890. return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
  1891. } else {
  1892. if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
  1893. if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, in + len,
  1894. cctx->aes.ccm.m))
  1895. return len;
  1896. }
  1897. OPENSSL_cleanse(out, len);
  1898. return -1;
  1899. }
  1900. }
  1901. /*-
  1902. * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
  1903. * returned.
  1904. */
  1905. static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx,
  1906. const unsigned char *key,
  1907. const unsigned char *iv, int enc)
  1908. {
  1909. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1910. unsigned char *ivec;
  1911. int keylen;
  1912. if (iv == NULL && key == NULL)
  1913. return 1;
  1914. if (key != NULL) {
  1915. keylen = EVP_CIPHER_CTX_key_length(ctx);
  1916. cctx->aes.ccm.fc = S390X_AES_FC(keylen);
  1917. memcpy(cctx->aes.ccm.kmac_param.k, key, keylen);
  1918. /* Store encoded m and l. */
  1919. cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
  1920. | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
  1921. memset(cctx->aes.ccm.nonce.b + 1, 0,
  1922. sizeof(cctx->aes.ccm.nonce.b));
  1923. cctx->aes.ccm.blocks = 0;
  1924. cctx->aes.ccm.key_set = 1;
  1925. }
  1926. if (iv != NULL) {
  1927. ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
  1928. memcpy(ivec, iv, 15 - cctx->aes.ccm.l);
  1929. cctx->aes.ccm.iv_set = 1;
  1930. }
  1931. return 1;
  1932. }
  1933. /*-
  1934. * Called from EVP layer to initialize context, process additional
  1935. * authenticated data, en/de-crypt plain/cipher-text and authenticate
  1936. * plaintext or process a TLS packet, depending on context. Returns bytes
  1937. * written on success. Otherwise -1 is returned.
  1938. */
  1939. static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1940. const unsigned char *in, size_t len)
  1941. {
  1942. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1943. const int enc = EVP_CIPHER_CTX_encrypting(ctx);
  1944. int rv;
  1945. unsigned char *buf, *ivec;
  1946. if (!cctx->aes.ccm.key_set)
  1947. return -1;
  1948. if (cctx->aes.ccm.tls_aad_len >= 0)
  1949. return s390x_aes_ccm_tls_cipher(ctx, out, in, len);
  1950. /*-
  1951. * Final(): Does not return any data. Recall that ccm is mac-then-encrypt
  1952. * so integrity must be checked already at Update() i.e., before
  1953. * potentially corrupted data is output.
  1954. */
  1955. if (in == NULL && out != NULL)
  1956. return 0;
  1957. if (!cctx->aes.ccm.iv_set)
  1958. return -1;
  1959. if (!enc && !cctx->aes.ccm.tag_set)
  1960. return -1;
  1961. if (out == NULL) {
  1962. /* Update(): Pass message length. */
  1963. if (in == NULL) {
  1964. ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
  1965. s390x_aes_ccm_setiv(cctx, ivec, len);
  1966. cctx->aes.ccm.len_set = 1;
  1967. return len;
  1968. }
  1969. /* Update(): Process aad. */
  1970. if (!cctx->aes.ccm.len_set && len)
  1971. return -1;
  1972. s390x_aes_ccm_aad(cctx, in, len);
  1973. return len;
  1974. }
  1975. /* Update(): Process message. */
  1976. if (!cctx->aes.ccm.len_set) {
  1977. /*-
  1978. * In case message length was not previously set explicitly via
  1979. * Update(), set it now.
  1980. */
  1981. ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
  1982. s390x_aes_ccm_setiv(cctx, ivec, len);
  1983. cctx->aes.ccm.len_set = 1;
  1984. }
  1985. if (enc) {
  1986. if (s390x_aes_ccm(cctx, in, out, len, enc))
  1987. return -1;
  1988. cctx->aes.ccm.tag_set = 1;
  1989. return len;
  1990. } else {
  1991. rv = -1;
  1992. if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
  1993. buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1994. if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, buf,
  1995. cctx->aes.ccm.m))
  1996. rv = len;
  1997. }
  1998. if (rv == -1)
  1999. OPENSSL_cleanse(out, len);
  2000. cctx->aes.ccm.iv_set = 0;
  2001. cctx->aes.ccm.tag_set = 0;
  2002. cctx->aes.ccm.len_set = 0;
  2003. return rv;
  2004. }
  2005. }
  2006. /*-
  2007. * Performs various operations on the context structure depending on control
  2008. * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
  2009. * Code is big-endian.
  2010. */
  2011. static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2012. {
  2013. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, c);
  2014. unsigned char *buf, *iv;
  2015. int enc, len;
  2016. switch (type) {
  2017. case EVP_CTRL_INIT:
  2018. cctx->aes.ccm.key_set = 0;
  2019. cctx->aes.ccm.iv_set = 0;
  2020. cctx->aes.ccm.l = 8;
  2021. cctx->aes.ccm.m = 12;
  2022. cctx->aes.ccm.tag_set = 0;
  2023. cctx->aes.ccm.len_set = 0;
  2024. cctx->aes.ccm.tls_aad_len = -1;
  2025. return 1;
  2026. case EVP_CTRL_AEAD_TLS1_AAD:
  2027. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  2028. return 0;
  2029. /* Save the aad for later use. */
  2030. buf = EVP_CIPHER_CTX_buf_noconst(c);
  2031. memcpy(buf, ptr, arg);
  2032. cctx->aes.ccm.tls_aad_len = arg;
  2033. len = buf[arg - 2] << 8 | buf[arg - 1];
  2034. if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
  2035. return 0;
  2036. /* Correct length for explicit iv. */
  2037. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
  2038. enc = EVP_CIPHER_CTX_encrypting(c);
  2039. if (!enc) {
  2040. if (len < cctx->aes.ccm.m)
  2041. return 0;
  2042. /* Correct length for tag. */
  2043. len -= cctx->aes.ccm.m;
  2044. }
  2045. buf[arg - 2] = len >> 8;
  2046. buf[arg - 1] = len & 0xff;
  2047. /* Extra padding: tag appended to record. */
  2048. return cctx->aes.ccm.m;
  2049. case EVP_CTRL_CCM_SET_IV_FIXED:
  2050. if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
  2051. return 0;
  2052. /* Copy to first part of the iv. */
  2053. iv = EVP_CIPHER_CTX_iv_noconst(c);
  2054. memcpy(iv, ptr, arg);
  2055. return 1;
  2056. case EVP_CTRL_AEAD_SET_IVLEN:
  2057. arg = 15 - arg;
  2058. /* fall-through */
  2059. case EVP_CTRL_CCM_SET_L:
  2060. if (arg < 2 || arg > 8)
  2061. return 0;
  2062. cctx->aes.ccm.l = arg;
  2063. return 1;
  2064. case EVP_CTRL_AEAD_SET_TAG:
  2065. if ((arg & 1) || arg < 4 || arg > 16)
  2066. return 0;
  2067. enc = EVP_CIPHER_CTX_encrypting(c);
  2068. if (enc && ptr)
  2069. return 0;
  2070. if (ptr) {
  2071. cctx->aes.ccm.tag_set = 1;
  2072. buf = EVP_CIPHER_CTX_buf_noconst(c);
  2073. memcpy(buf, ptr, arg);
  2074. }
  2075. cctx->aes.ccm.m = arg;
  2076. return 1;
  2077. case EVP_CTRL_AEAD_GET_TAG:
  2078. enc = EVP_CIPHER_CTX_encrypting(c);
  2079. if (!enc || !cctx->aes.ccm.tag_set)
  2080. return 0;
  2081. if(arg < cctx->aes.ccm.m)
  2082. return 0;
  2083. memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
  2084. cctx->aes.ccm.tag_set = 0;
  2085. cctx->aes.ccm.iv_set = 0;
  2086. cctx->aes.ccm.len_set = 0;
  2087. return 1;
  2088. case EVP_CTRL_COPY:
  2089. return 1;
  2090. default:
  2091. return -1;
  2092. }
  2093. }
  2094. # define s390x_aes_ccm_cleanup aes_ccm_cleanup
  2095. # ifndef OPENSSL_NO_OCB
  2096. # define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
  2097. # define S390X_aes_128_ocb_CAPABLE 0
  2098. # define S390X_aes_192_ocb_CAPABLE 0
  2099. # define S390X_aes_256_ocb_CAPABLE 0
  2100. # define s390x_aes_ocb_init_key aes_ocb_init_key
  2101. static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2102. const unsigned char *iv, int enc);
  2103. # define s390x_aes_ocb_cipher aes_ocb_cipher
  2104. static int s390x_aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2105. const unsigned char *in, size_t len);
  2106. # define s390x_aes_ocb_cleanup aes_ocb_cleanup
  2107. static int s390x_aes_ocb_cleanup(EVP_CIPHER_CTX *);
  2108. # define s390x_aes_ocb_ctrl aes_ocb_ctrl
  2109. static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
  2110. # endif
  2111. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
  2112. MODE,flags) \
  2113. static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
  2114. nid##_##keylen##_##nmode,blocksize, \
  2115. keylen / 8, \
  2116. ivlen, \
  2117. flags | EVP_CIPH_##MODE##_MODE, \
  2118. s390x_aes_##mode##_init_key, \
  2119. s390x_aes_##mode##_cipher, \
  2120. NULL, \
  2121. sizeof(S390X_AES_##MODE##_CTX), \
  2122. NULL, \
  2123. NULL, \
  2124. NULL, \
  2125. NULL \
  2126. }; \
  2127. static const EVP_CIPHER aes_##keylen##_##mode = { \
  2128. nid##_##keylen##_##nmode, \
  2129. blocksize, \
  2130. keylen / 8, \
  2131. ivlen, \
  2132. flags | EVP_CIPH_##MODE##_MODE, \
  2133. aes_init_key, \
  2134. aes_##mode##_cipher, \
  2135. NULL, \
  2136. sizeof(EVP_AES_KEY), \
  2137. NULL, \
  2138. NULL, \
  2139. NULL, \
  2140. NULL \
  2141. }; \
  2142. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2143. { \
  2144. return S390X_aes_##keylen##_##mode##_CAPABLE ? \
  2145. &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
  2146. }
  2147. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
  2148. static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
  2149. nid##_##keylen##_##mode, \
  2150. blocksize, \
  2151. (EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * keylen / 8, \
  2152. ivlen, \
  2153. flags | EVP_CIPH_##MODE##_MODE, \
  2154. s390x_aes_##mode##_init_key, \
  2155. s390x_aes_##mode##_cipher, \
  2156. s390x_aes_##mode##_cleanup, \
  2157. sizeof(S390X_AES_##MODE##_CTX), \
  2158. NULL, \
  2159. NULL, \
  2160. s390x_aes_##mode##_ctrl, \
  2161. NULL \
  2162. }; \
  2163. static const EVP_CIPHER aes_##keylen##_##mode = { \
  2164. nid##_##keylen##_##mode,blocksize, \
  2165. (EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * keylen / 8, \
  2166. ivlen, \
  2167. flags | EVP_CIPH_##MODE##_MODE, \
  2168. aes_##mode##_init_key, \
  2169. aes_##mode##_cipher, \
  2170. aes_##mode##_cleanup, \
  2171. sizeof(EVP_AES_##MODE##_CTX), \
  2172. NULL, \
  2173. NULL, \
  2174. aes_##mode##_ctrl, \
  2175. NULL \
  2176. }; \
  2177. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2178. { \
  2179. return S390X_aes_##keylen##_##mode##_CAPABLE ? \
  2180. &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
  2181. }
  2182. #else
  2183. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  2184. static const EVP_CIPHER aes_##keylen##_##mode = { \
  2185. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  2186. flags|EVP_CIPH_##MODE##_MODE, \
  2187. aes_init_key, \
  2188. aes_##mode##_cipher, \
  2189. NULL, \
  2190. sizeof(EVP_AES_KEY), \
  2191. NULL,NULL,NULL,NULL }; \
  2192. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2193. { return &aes_##keylen##_##mode; }
  2194. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  2195. static const EVP_CIPHER aes_##keylen##_##mode = { \
  2196. nid##_##keylen##_##mode,blocksize, \
  2197. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  2198. ivlen, \
  2199. flags|EVP_CIPH_##MODE##_MODE, \
  2200. aes_##mode##_init_key, \
  2201. aes_##mode##_cipher, \
  2202. aes_##mode##_cleanup, \
  2203. sizeof(EVP_AES_##MODE##_CTX), \
  2204. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  2205. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2206. { return &aes_##keylen##_##mode; }
  2207. #endif
  2208. #if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
  2209. # include "arm_arch.h"
  2210. # if __ARM_MAX_ARCH__>=7
  2211. # if defined(BSAES_ASM)
  2212. # define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
  2213. # endif
  2214. # if defined(VPAES_ASM)
  2215. # define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
  2216. # endif
  2217. # define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
  2218. # define HWAES_set_encrypt_key aes_v8_set_encrypt_key
  2219. # define HWAES_set_decrypt_key aes_v8_set_decrypt_key
  2220. # define HWAES_encrypt aes_v8_encrypt
  2221. # define HWAES_decrypt aes_v8_decrypt
  2222. # define HWAES_cbc_encrypt aes_v8_cbc_encrypt
  2223. # define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
  2224. # endif
  2225. #endif
  2226. #if defined(HWAES_CAPABLE)
  2227. int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
  2228. AES_KEY *key);
  2229. int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
  2230. AES_KEY *key);
  2231. void HWAES_encrypt(const unsigned char *in, unsigned char *out,
  2232. const AES_KEY *key);
  2233. void HWAES_decrypt(const unsigned char *in, unsigned char *out,
  2234. const AES_KEY *key);
  2235. void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
  2236. size_t length, const AES_KEY *key,
  2237. unsigned char *ivec, const int enc);
  2238. void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
  2239. size_t len, const AES_KEY *key,
  2240. const unsigned char ivec[16]);
  2241. void HWAES_xts_encrypt(const unsigned char *inp, unsigned char *out,
  2242. size_t len, const AES_KEY *key1,
  2243. const AES_KEY *key2, const unsigned char iv[16]);
  2244. void HWAES_xts_decrypt(const unsigned char *inp, unsigned char *out,
  2245. size_t len, const AES_KEY *key1,
  2246. const AES_KEY *key2, const unsigned char iv[16]);
  2247. #endif
  2248. #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
  2249. BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2250. BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2251. BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2252. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2253. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
  2254. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
  2255. BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
  2256. static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2257. const unsigned char *iv, int enc)
  2258. {
  2259. int ret, mode;
  2260. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2261. mode = EVP_CIPHER_CTX_mode(ctx);
  2262. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  2263. && !enc) {
  2264. #ifdef HWAES_CAPABLE
  2265. if (HWAES_CAPABLE) {
  2266. ret = HWAES_set_decrypt_key(key,
  2267. EVP_CIPHER_CTX_key_length(ctx) * 8,
  2268. &dat->ks.ks);
  2269. dat->block = (block128_f) HWAES_decrypt;
  2270. dat->stream.cbc = NULL;
  2271. # ifdef HWAES_cbc_encrypt
  2272. if (mode == EVP_CIPH_CBC_MODE)
  2273. dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
  2274. # endif
  2275. } else
  2276. #endif
  2277. #ifdef BSAES_CAPABLE
  2278. if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
  2279. ret = AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2280. &dat->ks.ks);
  2281. dat->block = (block128_f) AES_decrypt;
  2282. dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt;
  2283. } else
  2284. #endif
  2285. #ifdef VPAES_CAPABLE
  2286. if (VPAES_CAPABLE) {
  2287. ret = vpaes_set_decrypt_key(key,
  2288. EVP_CIPHER_CTX_key_length(ctx) * 8,
  2289. &dat->ks.ks);
  2290. dat->block = (block128_f) vpaes_decrypt;
  2291. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2292. (cbc128_f) vpaes_cbc_encrypt : NULL;
  2293. } else
  2294. #endif
  2295. {
  2296. ret = AES_set_decrypt_key(key,
  2297. EVP_CIPHER_CTX_key_length(ctx) * 8,
  2298. &dat->ks.ks);
  2299. dat->block = (block128_f) AES_decrypt;
  2300. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2301. (cbc128_f) AES_cbc_encrypt : NULL;
  2302. }
  2303. } else
  2304. #ifdef HWAES_CAPABLE
  2305. if (HWAES_CAPABLE) {
  2306. ret = HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2307. &dat->ks.ks);
  2308. dat->block = (block128_f) HWAES_encrypt;
  2309. dat->stream.cbc = NULL;
  2310. # ifdef HWAES_cbc_encrypt
  2311. if (mode == EVP_CIPH_CBC_MODE)
  2312. dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
  2313. else
  2314. # endif
  2315. # ifdef HWAES_ctr32_encrypt_blocks
  2316. if (mode == EVP_CIPH_CTR_MODE)
  2317. dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
  2318. else
  2319. # endif
  2320. (void)0; /* terminate potentially open 'else' */
  2321. } else
  2322. #endif
  2323. #ifdef BSAES_CAPABLE
  2324. if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
  2325. ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2326. &dat->ks.ks);
  2327. dat->block = (block128_f) AES_encrypt;
  2328. dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
  2329. } else
  2330. #endif
  2331. #ifdef VPAES_CAPABLE
  2332. if (VPAES_CAPABLE) {
  2333. ret = vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2334. &dat->ks.ks);
  2335. dat->block = (block128_f) vpaes_encrypt;
  2336. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2337. (cbc128_f) vpaes_cbc_encrypt : NULL;
  2338. } else
  2339. #endif
  2340. {
  2341. ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2342. &dat->ks.ks);
  2343. dat->block = (block128_f) AES_encrypt;
  2344. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2345. (cbc128_f) AES_cbc_encrypt : NULL;
  2346. #ifdef AES_CTR_ASM
  2347. if (mode == EVP_CIPH_CTR_MODE)
  2348. dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
  2349. #endif
  2350. }
  2351. if (ret < 0) {
  2352. EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
  2353. return 0;
  2354. }
  2355. return 1;
  2356. }
  2357. static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2358. const unsigned char *in, size_t len)
  2359. {
  2360. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2361. if (dat->stream.cbc)
  2362. (*dat->stream.cbc) (in, out, len, &dat->ks,
  2363. EVP_CIPHER_CTX_iv_noconst(ctx),
  2364. EVP_CIPHER_CTX_encrypting(ctx));
  2365. else if (EVP_CIPHER_CTX_encrypting(ctx))
  2366. CRYPTO_cbc128_encrypt(in, out, len, &dat->ks,
  2367. EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
  2368. else
  2369. CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
  2370. EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
  2371. return 1;
  2372. }
  2373. static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2374. const unsigned char *in, size_t len)
  2375. {
  2376. size_t bl = EVP_CIPHER_CTX_block_size(ctx);
  2377. size_t i;
  2378. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2379. if (len < bl)
  2380. return 1;
  2381. for (i = 0, len -= bl; i <= len; i += bl)
  2382. (*dat->block) (in + i, out + i, &dat->ks);
  2383. return 1;
  2384. }
  2385. static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2386. const unsigned char *in, size_t len)
  2387. {
  2388. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2389. int num = EVP_CIPHER_CTX_num(ctx);
  2390. CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
  2391. EVP_CIPHER_CTX_iv_noconst(ctx), &num, dat->block);
  2392. EVP_CIPHER_CTX_set_num(ctx, num);
  2393. return 1;
  2394. }
  2395. static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2396. const unsigned char *in, size_t len)
  2397. {
  2398. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2399. int num = EVP_CIPHER_CTX_num(ctx);
  2400. CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
  2401. EVP_CIPHER_CTX_iv_noconst(ctx), &num,
  2402. EVP_CIPHER_CTX_encrypting(ctx), dat->block);
  2403. EVP_CIPHER_CTX_set_num(ctx, num);
  2404. return 1;
  2405. }
  2406. static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2407. const unsigned char *in, size_t len)
  2408. {
  2409. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2410. int num = EVP_CIPHER_CTX_num(ctx);
  2411. CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
  2412. EVP_CIPHER_CTX_iv_noconst(ctx), &num,
  2413. EVP_CIPHER_CTX_encrypting(ctx), dat->block);
  2414. EVP_CIPHER_CTX_set_num(ctx, num);
  2415. return 1;
  2416. }
  2417. static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2418. const unsigned char *in, size_t len)
  2419. {
  2420. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2421. if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
  2422. int num = EVP_CIPHER_CTX_num(ctx);
  2423. CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
  2424. EVP_CIPHER_CTX_iv_noconst(ctx), &num,
  2425. EVP_CIPHER_CTX_encrypting(ctx), dat->block);
  2426. EVP_CIPHER_CTX_set_num(ctx, num);
  2427. return 1;
  2428. }
  2429. while (len >= MAXBITCHUNK) {
  2430. int num = EVP_CIPHER_CTX_num(ctx);
  2431. CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
  2432. EVP_CIPHER_CTX_iv_noconst(ctx), &num,
  2433. EVP_CIPHER_CTX_encrypting(ctx), dat->block);
  2434. EVP_CIPHER_CTX_set_num(ctx, num);
  2435. len -= MAXBITCHUNK;
  2436. out += MAXBITCHUNK;
  2437. in += MAXBITCHUNK;
  2438. }
  2439. if (len) {
  2440. int num = EVP_CIPHER_CTX_num(ctx);
  2441. CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
  2442. EVP_CIPHER_CTX_iv_noconst(ctx), &num,
  2443. EVP_CIPHER_CTX_encrypting(ctx), dat->block);
  2444. EVP_CIPHER_CTX_set_num(ctx, num);
  2445. }
  2446. return 1;
  2447. }
  2448. static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2449. const unsigned char *in, size_t len)
  2450. {
  2451. unsigned int num = EVP_CIPHER_CTX_num(ctx);
  2452. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2453. if (dat->stream.ctr)
  2454. CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
  2455. EVP_CIPHER_CTX_iv_noconst(ctx),
  2456. EVP_CIPHER_CTX_buf_noconst(ctx),
  2457. &num, dat->stream.ctr);
  2458. else
  2459. CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
  2460. EVP_CIPHER_CTX_iv_noconst(ctx),
  2461. EVP_CIPHER_CTX_buf_noconst(ctx), &num,
  2462. dat->block);
  2463. EVP_CIPHER_CTX_set_num(ctx, num);
  2464. return 1;
  2465. }
  2466. BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
  2467. BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
  2468. BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
  2469. static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
  2470. {
  2471. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
  2472. if (gctx == NULL)
  2473. return 0;
  2474. OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
  2475. if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
  2476. OPENSSL_free(gctx->iv);
  2477. return 1;
  2478. }
  2479. static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2480. {
  2481. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
  2482. switch (type) {
  2483. case EVP_CTRL_INIT:
  2484. gctx->key_set = 0;
  2485. gctx->iv_set = 0;
  2486. gctx->ivlen = c->cipher->iv_len;
  2487. gctx->iv = c->iv;
  2488. gctx->taglen = -1;
  2489. gctx->iv_gen = 0;
  2490. gctx->tls_aad_len = -1;
  2491. return 1;
  2492. case EVP_CTRL_AEAD_SET_IVLEN:
  2493. if (arg <= 0)
  2494. return 0;
  2495. /* Allocate memory for IV if needed */
  2496. if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
  2497. if (gctx->iv != c->iv)
  2498. OPENSSL_free(gctx->iv);
  2499. if ((gctx->iv = OPENSSL_malloc(arg)) == NULL) {
  2500. EVPerr(EVP_F_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
  2501. return 0;
  2502. }
  2503. }
  2504. gctx->ivlen = arg;
  2505. return 1;
  2506. case EVP_CTRL_AEAD_SET_TAG:
  2507. if (arg <= 0 || arg > 16 || c->encrypt)
  2508. return 0;
  2509. memcpy(c->buf, ptr, arg);
  2510. gctx->taglen = arg;
  2511. return 1;
  2512. case EVP_CTRL_AEAD_GET_TAG:
  2513. if (arg <= 0 || arg > 16 || !c->encrypt
  2514. || gctx->taglen < 0)
  2515. return 0;
  2516. memcpy(ptr, c->buf, arg);
  2517. return 1;
  2518. case EVP_CTRL_GET_IV:
  2519. if (gctx->iv_gen != 1)
  2520. return 0;
  2521. if (gctx->ivlen != arg)
  2522. return 0;
  2523. memcpy(ptr, gctx->iv, arg);
  2524. return 1;
  2525. case EVP_CTRL_GCM_SET_IV_FIXED:
  2526. /* Special case: -1 length restores whole IV */
  2527. if (arg == -1) {
  2528. memcpy(gctx->iv, ptr, gctx->ivlen);
  2529. gctx->iv_gen = 1;
  2530. return 1;
  2531. }
  2532. /*
  2533. * Fixed field must be at least 4 bytes and invocation field at least
  2534. * 8.
  2535. */
  2536. if ((arg < 4) || (gctx->ivlen - arg) < 8)
  2537. return 0;
  2538. if (arg)
  2539. memcpy(gctx->iv, ptr, arg);
  2540. if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
  2541. return 0;
  2542. gctx->iv_gen = 1;
  2543. return 1;
  2544. case EVP_CTRL_GCM_IV_GEN:
  2545. if (gctx->iv_gen == 0 || gctx->key_set == 0)
  2546. return 0;
  2547. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  2548. if (arg <= 0 || arg > gctx->ivlen)
  2549. arg = gctx->ivlen;
  2550. memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
  2551. /*
  2552. * Invocation field will be at least 8 bytes in size and so no need
  2553. * to check wrap around or increment more than last 8 bytes.
  2554. */
  2555. ctr64_inc(gctx->iv + gctx->ivlen - 8);
  2556. gctx->iv_set = 1;
  2557. return 1;
  2558. case EVP_CTRL_GCM_SET_IV_INV:
  2559. if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
  2560. return 0;
  2561. memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
  2562. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  2563. gctx->iv_set = 1;
  2564. return 1;
  2565. case EVP_CTRL_AEAD_TLS1_AAD:
  2566. /* Save the AAD for later use */
  2567. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  2568. return 0;
  2569. memcpy(c->buf, ptr, arg);
  2570. gctx->tls_aad_len = arg;
  2571. gctx->tls_enc_records = 0;
  2572. {
  2573. unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
  2574. /* Correct length for explicit IV */
  2575. if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
  2576. return 0;
  2577. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2578. /* If decrypting correct for tag too */
  2579. if (!c->encrypt) {
  2580. if (len < EVP_GCM_TLS_TAG_LEN)
  2581. return 0;
  2582. len -= EVP_GCM_TLS_TAG_LEN;
  2583. }
  2584. c->buf[arg - 2] = len >> 8;
  2585. c->buf[arg - 1] = len & 0xff;
  2586. }
  2587. /* Extra padding: tag appended to record */
  2588. return EVP_GCM_TLS_TAG_LEN;
  2589. case EVP_CTRL_COPY:
  2590. {
  2591. EVP_CIPHER_CTX *out = ptr;
  2592. EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out);
  2593. if (gctx->gcm.key) {
  2594. if (gctx->gcm.key != &gctx->ks)
  2595. return 0;
  2596. gctx_out->gcm.key = &gctx_out->ks;
  2597. }
  2598. if (gctx->iv == c->iv)
  2599. gctx_out->iv = out->iv;
  2600. else {
  2601. if ((gctx_out->iv = OPENSSL_malloc(gctx->ivlen)) == NULL) {
  2602. EVPerr(EVP_F_AES_GCM_CTRL, ERR_R_MALLOC_FAILURE);
  2603. return 0;
  2604. }
  2605. memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
  2606. }
  2607. return 1;
  2608. }
  2609. default:
  2610. return -1;
  2611. }
  2612. }
  2613. static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2614. const unsigned char *iv, int enc)
  2615. {
  2616. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2617. if (!iv && !key)
  2618. return 1;
  2619. if (key) {
  2620. do {
  2621. #ifdef HWAES_CAPABLE
  2622. if (HWAES_CAPABLE) {
  2623. HWAES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  2624. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2625. (block128_f) HWAES_encrypt);
  2626. # ifdef HWAES_ctr32_encrypt_blocks
  2627. gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
  2628. # else
  2629. gctx->ctr = NULL;
  2630. # endif
  2631. break;
  2632. } else
  2633. #endif
  2634. #ifdef BSAES_CAPABLE
  2635. if (BSAES_CAPABLE) {
  2636. AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  2637. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2638. (block128_f) AES_encrypt);
  2639. gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
  2640. break;
  2641. } else
  2642. #endif
  2643. #ifdef VPAES_CAPABLE
  2644. if (VPAES_CAPABLE) {
  2645. vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  2646. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2647. (block128_f) vpaes_encrypt);
  2648. gctx->ctr = NULL;
  2649. break;
  2650. } else
  2651. #endif
  2652. (void)0; /* terminate potentially open 'else' */
  2653. AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  2654. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2655. (block128_f) AES_encrypt);
  2656. #ifdef AES_CTR_ASM
  2657. gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
  2658. #else
  2659. gctx->ctr = NULL;
  2660. #endif
  2661. } while (0);
  2662. /*
  2663. * If we have an iv can set it directly, otherwise use saved IV.
  2664. */
  2665. if (iv == NULL && gctx->iv_set)
  2666. iv = gctx->iv;
  2667. if (iv) {
  2668. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  2669. gctx->iv_set = 1;
  2670. }
  2671. gctx->key_set = 1;
  2672. } else {
  2673. /* If key set use IV, otherwise copy */
  2674. if (gctx->key_set)
  2675. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  2676. else
  2677. memcpy(gctx->iv, iv, gctx->ivlen);
  2678. gctx->iv_set = 1;
  2679. gctx->iv_gen = 0;
  2680. }
  2681. return 1;
  2682. }
  2683. /*
  2684. * Handle TLS GCM packet format. This consists of the last portion of the IV
  2685. * followed by the payload and finally the tag. On encrypt generate IV,
  2686. * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
  2687. * and verify tag.
  2688. */
  2689. static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2690. const unsigned char *in, size_t len)
  2691. {
  2692. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2693. int rv = -1;
  2694. /* Encrypt/decrypt must be performed in place */
  2695. if (out != in
  2696. || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
  2697. return -1;
  2698. /*
  2699. * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
  2700. * Requirements from SP 800-38D". The requirements is for one party to the
  2701. * communication to fail after 2^64 - 1 keys. We do this on the encrypting
  2702. * side only.
  2703. */
  2704. if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
  2705. EVPerr(EVP_F_AES_GCM_TLS_CIPHER, EVP_R_TOO_MANY_RECORDS);
  2706. goto err;
  2707. }
  2708. /*
  2709. * Set IV from start of buffer or generate IV and write to start of
  2710. * buffer.
  2711. */
  2712. if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? EVP_CTRL_GCM_IV_GEN
  2713. : EVP_CTRL_GCM_SET_IV_INV,
  2714. EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
  2715. goto err;
  2716. /* Use saved AAD */
  2717. if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
  2718. goto err;
  2719. /* Fix buffer and length to point to payload */
  2720. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2721. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2722. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  2723. if (ctx->encrypt) {
  2724. /* Encrypt payload */
  2725. if (gctx->ctr) {
  2726. size_t bulk = 0;
  2727. #if defined(AES_GCM_ASM)
  2728. if (len >= 32 && AES_GCM_ASM(gctx)) {
  2729. if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
  2730. return -1;
  2731. bulk = AES_gcm_encrypt(in, out, len,
  2732. gctx->gcm.key,
  2733. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2734. gctx->gcm.len.u[1] += bulk;
  2735. }
  2736. #endif
  2737. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
  2738. in + bulk,
  2739. out + bulk,
  2740. len - bulk, gctx->ctr))
  2741. goto err;
  2742. } else {
  2743. size_t bulk = 0;
  2744. #if defined(AES_GCM_ASM2)
  2745. if (len >= 32 && AES_GCM_ASM2(gctx)) {
  2746. if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
  2747. return -1;
  2748. bulk = AES_gcm_encrypt(in, out, len,
  2749. gctx->gcm.key,
  2750. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2751. gctx->gcm.len.u[1] += bulk;
  2752. }
  2753. #endif
  2754. if (CRYPTO_gcm128_encrypt(&gctx->gcm,
  2755. in + bulk, out + bulk, len - bulk))
  2756. goto err;
  2757. }
  2758. out += len;
  2759. /* Finally write tag */
  2760. CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
  2761. rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  2762. } else {
  2763. /* Decrypt */
  2764. if (gctx->ctr) {
  2765. size_t bulk = 0;
  2766. #if defined(AES_GCM_ASM)
  2767. if (len >= 16 && AES_GCM_ASM(gctx)) {
  2768. if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
  2769. return -1;
  2770. bulk = AES_gcm_decrypt(in, out, len,
  2771. gctx->gcm.key,
  2772. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2773. gctx->gcm.len.u[1] += bulk;
  2774. }
  2775. #endif
  2776. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
  2777. in + bulk,
  2778. out + bulk,
  2779. len - bulk, gctx->ctr))
  2780. goto err;
  2781. } else {
  2782. size_t bulk = 0;
  2783. #if defined(AES_GCM_ASM2)
  2784. if (len >= 16 && AES_GCM_ASM2(gctx)) {
  2785. if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
  2786. return -1;
  2787. bulk = AES_gcm_decrypt(in, out, len,
  2788. gctx->gcm.key,
  2789. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2790. gctx->gcm.len.u[1] += bulk;
  2791. }
  2792. #endif
  2793. if (CRYPTO_gcm128_decrypt(&gctx->gcm,
  2794. in + bulk, out + bulk, len - bulk))
  2795. goto err;
  2796. }
  2797. /* Retrieve tag */
  2798. CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
  2799. /* If tag mismatch wipe buffer */
  2800. if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
  2801. OPENSSL_cleanse(out, len);
  2802. goto err;
  2803. }
  2804. rv = len;
  2805. }
  2806. err:
  2807. gctx->iv_set = 0;
  2808. gctx->tls_aad_len = -1;
  2809. return rv;
  2810. }
  2811. static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2812. const unsigned char *in, size_t len)
  2813. {
  2814. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2815. /* If not set up, return error */
  2816. if (!gctx->key_set)
  2817. return -1;
  2818. if (gctx->tls_aad_len >= 0)
  2819. return aes_gcm_tls_cipher(ctx, out, in, len);
  2820. if (!gctx->iv_set)
  2821. return -1;
  2822. if (in) {
  2823. if (out == NULL) {
  2824. if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
  2825. return -1;
  2826. } else if (ctx->encrypt) {
  2827. if (gctx->ctr) {
  2828. size_t bulk = 0;
  2829. #if defined(AES_GCM_ASM)
  2830. if (len >= 32 && AES_GCM_ASM(gctx)) {
  2831. size_t res = (16 - gctx->gcm.mres) % 16;
  2832. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
  2833. return -1;
  2834. bulk = AES_gcm_encrypt(in + res,
  2835. out + res, len - res,
  2836. gctx->gcm.key, gctx->gcm.Yi.c,
  2837. gctx->gcm.Xi.u);
  2838. gctx->gcm.len.u[1] += bulk;
  2839. bulk += res;
  2840. }
  2841. #endif
  2842. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
  2843. in + bulk,
  2844. out + bulk,
  2845. len - bulk, gctx->ctr))
  2846. return -1;
  2847. } else {
  2848. size_t bulk = 0;
  2849. #if defined(AES_GCM_ASM2)
  2850. if (len >= 32 && AES_GCM_ASM2(gctx)) {
  2851. size_t res = (16 - gctx->gcm.mres) % 16;
  2852. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
  2853. return -1;
  2854. bulk = AES_gcm_encrypt(in + res,
  2855. out + res, len - res,
  2856. gctx->gcm.key, gctx->gcm.Yi.c,
  2857. gctx->gcm.Xi.u);
  2858. gctx->gcm.len.u[1] += bulk;
  2859. bulk += res;
  2860. }
  2861. #endif
  2862. if (CRYPTO_gcm128_encrypt(&gctx->gcm,
  2863. in + bulk, out + bulk, len - bulk))
  2864. return -1;
  2865. }
  2866. } else {
  2867. if (gctx->ctr) {
  2868. size_t bulk = 0;
  2869. #if defined(AES_GCM_ASM)
  2870. if (len >= 16 && AES_GCM_ASM(gctx)) {
  2871. size_t res = (16 - gctx->gcm.mres) % 16;
  2872. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
  2873. return -1;
  2874. bulk = AES_gcm_decrypt(in + res,
  2875. out + res, len - res,
  2876. gctx->gcm.key,
  2877. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2878. gctx->gcm.len.u[1] += bulk;
  2879. bulk += res;
  2880. }
  2881. #endif
  2882. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
  2883. in + bulk,
  2884. out + bulk,
  2885. len - bulk, gctx->ctr))
  2886. return -1;
  2887. } else {
  2888. size_t bulk = 0;
  2889. #if defined(AES_GCM_ASM2)
  2890. if (len >= 16 && AES_GCM_ASM2(gctx)) {
  2891. size_t res = (16 - gctx->gcm.mres) % 16;
  2892. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
  2893. return -1;
  2894. bulk = AES_gcm_decrypt(in + res,
  2895. out + res, len - res,
  2896. gctx->gcm.key,
  2897. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2898. gctx->gcm.len.u[1] += bulk;
  2899. bulk += res;
  2900. }
  2901. #endif
  2902. if (CRYPTO_gcm128_decrypt(&gctx->gcm,
  2903. in + bulk, out + bulk, len - bulk))
  2904. return -1;
  2905. }
  2906. }
  2907. return len;
  2908. } else {
  2909. if (!ctx->encrypt) {
  2910. if (gctx->taglen < 0)
  2911. return -1;
  2912. if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0)
  2913. return -1;
  2914. gctx->iv_set = 0;
  2915. return 0;
  2916. }
  2917. CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
  2918. gctx->taglen = 16;
  2919. /* Don't reuse the IV */
  2920. gctx->iv_set = 0;
  2921. return 0;
  2922. }
  2923. }
  2924. #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
  2925. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  2926. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
  2927. | EVP_CIPH_CUSTOM_COPY)
  2928. BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
  2929. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2930. BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
  2931. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2932. BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
  2933. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2934. static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2935. {
  2936. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,c);
  2937. if (type == EVP_CTRL_COPY) {
  2938. EVP_CIPHER_CTX *out = ptr;
  2939. EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
  2940. if (xctx->xts.key1) {
  2941. if (xctx->xts.key1 != &xctx->ks1)
  2942. return 0;
  2943. xctx_out->xts.key1 = &xctx_out->ks1;
  2944. }
  2945. if (xctx->xts.key2) {
  2946. if (xctx->xts.key2 != &xctx->ks2)
  2947. return 0;
  2948. xctx_out->xts.key2 = &xctx_out->ks2;
  2949. }
  2950. return 1;
  2951. } else if (type != EVP_CTRL_INIT)
  2952. return -1;
  2953. /* key1 and key2 are used as an indicator both key and IV are set */
  2954. xctx->xts.key1 = NULL;
  2955. xctx->xts.key2 = NULL;
  2956. return 1;
  2957. }
  2958. static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2959. const unsigned char *iv, int enc)
  2960. {
  2961. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  2962. if (!iv && !key)
  2963. return 1;
  2964. if (key)
  2965. do {
  2966. #ifdef AES_XTS_ASM
  2967. xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
  2968. #else
  2969. xctx->stream = NULL;
  2970. #endif
  2971. /* key_len is two AES keys */
  2972. #ifdef HWAES_CAPABLE
  2973. if (HWAES_CAPABLE) {
  2974. if (enc) {
  2975. HWAES_set_encrypt_key(key,
  2976. EVP_CIPHER_CTX_key_length(ctx) * 4,
  2977. &xctx->ks1.ks);
  2978. xctx->xts.block1 = (block128_f) HWAES_encrypt;
  2979. # ifdef HWAES_xts_encrypt
  2980. xctx->stream = HWAES_xts_encrypt;
  2981. # endif
  2982. } else {
  2983. HWAES_set_decrypt_key(key,
  2984. EVP_CIPHER_CTX_key_length(ctx) * 4,
  2985. &xctx->ks1.ks);
  2986. xctx->xts.block1 = (block128_f) HWAES_decrypt;
  2987. # ifdef HWAES_xts_decrypt
  2988. xctx->stream = HWAES_xts_decrypt;
  2989. #endif
  2990. }
  2991. HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
  2992. EVP_CIPHER_CTX_key_length(ctx) * 4,
  2993. &xctx->ks2.ks);
  2994. xctx->xts.block2 = (block128_f) HWAES_encrypt;
  2995. xctx->xts.key1 = &xctx->ks1;
  2996. break;
  2997. } else
  2998. #endif
  2999. #ifdef BSAES_CAPABLE
  3000. if (BSAES_CAPABLE)
  3001. xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
  3002. else
  3003. #endif
  3004. #ifdef VPAES_CAPABLE
  3005. if (VPAES_CAPABLE) {
  3006. if (enc) {
  3007. vpaes_set_encrypt_key(key,
  3008. EVP_CIPHER_CTX_key_length(ctx) * 4,
  3009. &xctx->ks1.ks);
  3010. xctx->xts.block1 = (block128_f) vpaes_encrypt;
  3011. } else {
  3012. vpaes_set_decrypt_key(key,
  3013. EVP_CIPHER_CTX_key_length(ctx) * 4,
  3014. &xctx->ks1.ks);
  3015. xctx->xts.block1 = (block128_f) vpaes_decrypt;
  3016. }
  3017. vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
  3018. EVP_CIPHER_CTX_key_length(ctx) * 4,
  3019. &xctx->ks2.ks);
  3020. xctx->xts.block2 = (block128_f) vpaes_encrypt;
  3021. xctx->xts.key1 = &xctx->ks1;
  3022. break;
  3023. } else
  3024. #endif
  3025. (void)0; /* terminate potentially open 'else' */
  3026. if (enc) {
  3027. AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
  3028. &xctx->ks1.ks);
  3029. xctx->xts.block1 = (block128_f) AES_encrypt;
  3030. } else {
  3031. AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
  3032. &xctx->ks1.ks);
  3033. xctx->xts.block1 = (block128_f) AES_decrypt;
  3034. }
  3035. AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
  3036. EVP_CIPHER_CTX_key_length(ctx) * 4,
  3037. &xctx->ks2.ks);
  3038. xctx->xts.block2 = (block128_f) AES_encrypt;
  3039. xctx->xts.key1 = &xctx->ks1;
  3040. } while (0);
  3041. if (iv) {
  3042. xctx->xts.key2 = &xctx->ks2;
  3043. memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
  3044. }
  3045. return 1;
  3046. }
  3047. static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3048. const unsigned char *in, size_t len)
  3049. {
  3050. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  3051. if (xctx->xts.key1 == NULL
  3052. || xctx->xts.key2 == NULL
  3053. || out == NULL
  3054. || in == NULL
  3055. || len < AES_BLOCK_SIZE)
  3056. return 0;
  3057. /*
  3058. * Verify that the two keys are different.
  3059. *
  3060. * This addresses the vulnerability described in Rogaway's September 2004
  3061. * paper (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf):
  3062. * "Efficient Instantiations of Tweakable Blockciphers and Refinements
  3063. * to Modes OCB and PMAC".
  3064. *
  3065. * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states that:
  3066. * "The check for Key_1 != Key_2 shall be done at any place BEFORE
  3067. * using the keys in the XTS-AES algorithm to process data with them."
  3068. */
  3069. if (CRYPTO_memcmp(xctx->xts.key1, xctx->xts.key2,
  3070. EVP_CIPHER_CTX_key_length(ctx) / 2) == 0)
  3071. return 0;
  3072. if (xctx->stream)
  3073. (*xctx->stream) (in, out, len,
  3074. xctx->xts.key1, xctx->xts.key2,
  3075. EVP_CIPHER_CTX_iv_noconst(ctx));
  3076. else if (CRYPTO_xts128_encrypt(&xctx->xts, EVP_CIPHER_CTX_iv_noconst(ctx),
  3077. in, out, len,
  3078. EVP_CIPHER_CTX_encrypting(ctx)))
  3079. return 0;
  3080. return 1;
  3081. }
  3082. #define aes_xts_cleanup NULL
  3083. #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
  3084. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
  3085. | EVP_CIPH_CUSTOM_COPY)
  3086. BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
  3087. BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
  3088. static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  3089. {
  3090. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c);
  3091. switch (type) {
  3092. case EVP_CTRL_INIT:
  3093. cctx->key_set = 0;
  3094. cctx->iv_set = 0;
  3095. cctx->L = 8;
  3096. cctx->M = 12;
  3097. cctx->tag_set = 0;
  3098. cctx->len_set = 0;
  3099. cctx->tls_aad_len = -1;
  3100. return 1;
  3101. case EVP_CTRL_AEAD_TLS1_AAD:
  3102. /* Save the AAD for later use */
  3103. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  3104. return 0;
  3105. memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
  3106. cctx->tls_aad_len = arg;
  3107. {
  3108. uint16_t len =
  3109. EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
  3110. | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
  3111. /* Correct length for explicit IV */
  3112. if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
  3113. return 0;
  3114. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
  3115. /* If decrypting correct for tag too */
  3116. if (!EVP_CIPHER_CTX_encrypting(c)) {
  3117. if (len < cctx->M)
  3118. return 0;
  3119. len -= cctx->M;
  3120. }
  3121. EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
  3122. EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
  3123. }
  3124. /* Extra padding: tag appended to record */
  3125. return cctx->M;
  3126. case EVP_CTRL_CCM_SET_IV_FIXED:
  3127. /* Sanity check length */
  3128. if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
  3129. return 0;
  3130. /* Just copy to first part of IV */
  3131. memcpy(EVP_CIPHER_CTX_iv_noconst(c), ptr, arg);
  3132. return 1;
  3133. case EVP_CTRL_AEAD_SET_IVLEN:
  3134. arg = 15 - arg;
  3135. /* fall thru */
  3136. case EVP_CTRL_CCM_SET_L:
  3137. if (arg < 2 || arg > 8)
  3138. return 0;
  3139. cctx->L = arg;
  3140. return 1;
  3141. case EVP_CTRL_AEAD_SET_TAG:
  3142. if ((arg & 1) || arg < 4 || arg > 16)
  3143. return 0;
  3144. if (EVP_CIPHER_CTX_encrypting(c) && ptr)
  3145. return 0;
  3146. if (ptr) {
  3147. cctx->tag_set = 1;
  3148. memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
  3149. }
  3150. cctx->M = arg;
  3151. return 1;
  3152. case EVP_CTRL_AEAD_GET_TAG:
  3153. if (!EVP_CIPHER_CTX_encrypting(c) || !cctx->tag_set)
  3154. return 0;
  3155. if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
  3156. return 0;
  3157. cctx->tag_set = 0;
  3158. cctx->iv_set = 0;
  3159. cctx->len_set = 0;
  3160. return 1;
  3161. case EVP_CTRL_COPY:
  3162. {
  3163. EVP_CIPHER_CTX *out = ptr;
  3164. EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out);
  3165. if (cctx->ccm.key) {
  3166. if (cctx->ccm.key != &cctx->ks)
  3167. return 0;
  3168. cctx_out->ccm.key = &cctx_out->ks;
  3169. }
  3170. return 1;
  3171. }
  3172. default:
  3173. return -1;
  3174. }
  3175. }
  3176. static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3177. const unsigned char *iv, int enc)
  3178. {
  3179. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  3180. if (!iv && !key)
  3181. return 1;
  3182. if (key)
  3183. do {
  3184. #ifdef HWAES_CAPABLE
  3185. if (HWAES_CAPABLE) {
  3186. HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3187. &cctx->ks.ks);
  3188. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  3189. &cctx->ks, (block128_f) HWAES_encrypt);
  3190. cctx->str = NULL;
  3191. cctx->key_set = 1;
  3192. break;
  3193. } else
  3194. #endif
  3195. #ifdef VPAES_CAPABLE
  3196. if (VPAES_CAPABLE) {
  3197. vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3198. &cctx->ks.ks);
  3199. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  3200. &cctx->ks, (block128_f) vpaes_encrypt);
  3201. cctx->str = NULL;
  3202. cctx->key_set = 1;
  3203. break;
  3204. }
  3205. #endif
  3206. AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3207. &cctx->ks.ks);
  3208. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  3209. &cctx->ks, (block128_f) AES_encrypt);
  3210. cctx->str = NULL;
  3211. cctx->key_set = 1;
  3212. } while (0);
  3213. if (iv) {
  3214. memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
  3215. cctx->iv_set = 1;
  3216. }
  3217. return 1;
  3218. }
  3219. static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3220. const unsigned char *in, size_t len)
  3221. {
  3222. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  3223. CCM128_CONTEXT *ccm = &cctx->ccm;
  3224. /* Encrypt/decrypt must be performed in place */
  3225. if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
  3226. return -1;
  3227. /* If encrypting set explicit IV from sequence number (start of AAD) */
  3228. if (EVP_CIPHER_CTX_encrypting(ctx))
  3229. memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx),
  3230. EVP_CCM_TLS_EXPLICIT_IV_LEN);
  3231. /* Get rest of IV from explicit IV */
  3232. memcpy(EVP_CIPHER_CTX_iv_noconst(ctx) + EVP_CCM_TLS_FIXED_IV_LEN, in,
  3233. EVP_CCM_TLS_EXPLICIT_IV_LEN);
  3234. /* Correct length value */
  3235. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
  3236. if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), 15 - cctx->L,
  3237. len))
  3238. return -1;
  3239. /* Use saved AAD */
  3240. CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx), cctx->tls_aad_len);
  3241. /* Fix buffer to point to payload */
  3242. in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  3243. out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  3244. if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3245. if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
  3246. cctx->str) :
  3247. CRYPTO_ccm128_encrypt(ccm, in, out, len))
  3248. return -1;
  3249. if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
  3250. return -1;
  3251. return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
  3252. } else {
  3253. if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
  3254. cctx->str) :
  3255. !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
  3256. unsigned char tag[16];
  3257. if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
  3258. if (!CRYPTO_memcmp(tag, in + len, cctx->M))
  3259. return len;
  3260. }
  3261. }
  3262. OPENSSL_cleanse(out, len);
  3263. return -1;
  3264. }
  3265. }
  3266. static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3267. const unsigned char *in, size_t len)
  3268. {
  3269. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  3270. CCM128_CONTEXT *ccm = &cctx->ccm;
  3271. /* If not set up, return error */
  3272. if (!cctx->key_set)
  3273. return -1;
  3274. if (cctx->tls_aad_len >= 0)
  3275. return aes_ccm_tls_cipher(ctx, out, in, len);
  3276. /* EVP_*Final() doesn't return any data */
  3277. if (in == NULL && out != NULL)
  3278. return 0;
  3279. if (!cctx->iv_set)
  3280. return -1;
  3281. if (!EVP_CIPHER_CTX_encrypting(ctx) && !cctx->tag_set)
  3282. return -1;
  3283. if (!out) {
  3284. if (!in) {
  3285. if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
  3286. 15 - cctx->L, len))
  3287. return -1;
  3288. cctx->len_set = 1;
  3289. return len;
  3290. }
  3291. /* If have AAD need message length */
  3292. if (!cctx->len_set && len)
  3293. return -1;
  3294. CRYPTO_ccm128_aad(ccm, in, len);
  3295. return len;
  3296. }
  3297. /* If not set length yet do it */
  3298. if (!cctx->len_set) {
  3299. if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
  3300. 15 - cctx->L, len))
  3301. return -1;
  3302. cctx->len_set = 1;
  3303. }
  3304. if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3305. if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
  3306. cctx->str) :
  3307. CRYPTO_ccm128_encrypt(ccm, in, out, len))
  3308. return -1;
  3309. cctx->tag_set = 1;
  3310. return len;
  3311. } else {
  3312. int rv = -1;
  3313. if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
  3314. cctx->str) :
  3315. !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
  3316. unsigned char tag[16];
  3317. if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
  3318. if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx),
  3319. cctx->M))
  3320. rv = len;
  3321. }
  3322. }
  3323. if (rv == -1)
  3324. OPENSSL_cleanse(out, len);
  3325. cctx->iv_set = 0;
  3326. cctx->tag_set = 0;
  3327. cctx->len_set = 0;
  3328. return rv;
  3329. }
  3330. }
  3331. #define aes_ccm_cleanup NULL
  3332. BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
  3333. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3334. BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
  3335. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3336. BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
  3337. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3338. typedef struct {
  3339. union {
  3340. double align;
  3341. AES_KEY ks;
  3342. } ks;
  3343. /* Indicates if IV has been set */
  3344. unsigned char *iv;
  3345. } EVP_AES_WRAP_CTX;
  3346. static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3347. const unsigned char *iv, int enc)
  3348. {
  3349. EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
  3350. if (!iv && !key)
  3351. return 1;
  3352. if (key) {
  3353. if (EVP_CIPHER_CTX_encrypting(ctx))
  3354. AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3355. &wctx->ks.ks);
  3356. else
  3357. AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3358. &wctx->ks.ks);
  3359. if (!iv)
  3360. wctx->iv = NULL;
  3361. }
  3362. if (iv) {
  3363. memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, EVP_CIPHER_CTX_iv_length(ctx));
  3364. wctx->iv = EVP_CIPHER_CTX_iv_noconst(ctx);
  3365. }
  3366. return 1;
  3367. }
  3368. static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3369. const unsigned char *in, size_t inlen)
  3370. {
  3371. EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
  3372. size_t rv;
  3373. /* AES wrap with padding has IV length of 4, without padding 8 */
  3374. int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
  3375. /* No final operation so always return zero length */
  3376. if (!in)
  3377. return 0;
  3378. /* Input length must always be non-zero */
  3379. if (!inlen)
  3380. return -1;
  3381. /* If decrypting need at least 16 bytes and multiple of 8 */
  3382. if (!EVP_CIPHER_CTX_encrypting(ctx) && (inlen < 16 || inlen & 0x7))
  3383. return -1;
  3384. /* If not padding input must be multiple of 8 */
  3385. if (!pad && inlen & 0x7)
  3386. return -1;
  3387. if (is_partially_overlapping(out, in, inlen)) {
  3388. EVPerr(EVP_F_AES_WRAP_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
  3389. return 0;
  3390. }
  3391. if (!out) {
  3392. if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3393. /* If padding round up to multiple of 8 */
  3394. if (pad)
  3395. inlen = (inlen + 7) / 8 * 8;
  3396. /* 8 byte prefix */
  3397. return inlen + 8;
  3398. } else {
  3399. /*
  3400. * If not padding output will be exactly 8 bytes smaller than
  3401. * input. If padding it will be at least 8 bytes smaller but we
  3402. * don't know how much.
  3403. */
  3404. return inlen - 8;
  3405. }
  3406. }
  3407. if (pad) {
  3408. if (EVP_CIPHER_CTX_encrypting(ctx))
  3409. rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
  3410. out, in, inlen,
  3411. (block128_f) AES_encrypt);
  3412. else
  3413. rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
  3414. out, in, inlen,
  3415. (block128_f) AES_decrypt);
  3416. } else {
  3417. if (EVP_CIPHER_CTX_encrypting(ctx))
  3418. rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
  3419. out, in, inlen, (block128_f) AES_encrypt);
  3420. else
  3421. rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
  3422. out, in, inlen, (block128_f) AES_decrypt);
  3423. }
  3424. return rv ? (int)rv : -1;
  3425. }
  3426. #define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
  3427. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  3428. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
  3429. static const EVP_CIPHER aes_128_wrap = {
  3430. NID_id_aes128_wrap,
  3431. 8, 16, 8, WRAP_FLAGS,
  3432. aes_wrap_init_key, aes_wrap_cipher,
  3433. NULL,
  3434. sizeof(EVP_AES_WRAP_CTX),
  3435. NULL, NULL, NULL, NULL
  3436. };
  3437. const EVP_CIPHER *EVP_aes_128_wrap(void)
  3438. {
  3439. return &aes_128_wrap;
  3440. }
  3441. static const EVP_CIPHER aes_192_wrap = {
  3442. NID_id_aes192_wrap,
  3443. 8, 24, 8, WRAP_FLAGS,
  3444. aes_wrap_init_key, aes_wrap_cipher,
  3445. NULL,
  3446. sizeof(EVP_AES_WRAP_CTX),
  3447. NULL, NULL, NULL, NULL
  3448. };
  3449. const EVP_CIPHER *EVP_aes_192_wrap(void)
  3450. {
  3451. return &aes_192_wrap;
  3452. }
  3453. static const EVP_CIPHER aes_256_wrap = {
  3454. NID_id_aes256_wrap,
  3455. 8, 32, 8, WRAP_FLAGS,
  3456. aes_wrap_init_key, aes_wrap_cipher,
  3457. NULL,
  3458. sizeof(EVP_AES_WRAP_CTX),
  3459. NULL, NULL, NULL, NULL
  3460. };
  3461. const EVP_CIPHER *EVP_aes_256_wrap(void)
  3462. {
  3463. return &aes_256_wrap;
  3464. }
  3465. static const EVP_CIPHER aes_128_wrap_pad = {
  3466. NID_id_aes128_wrap_pad,
  3467. 8, 16, 4, WRAP_FLAGS,
  3468. aes_wrap_init_key, aes_wrap_cipher,
  3469. NULL,
  3470. sizeof(EVP_AES_WRAP_CTX),
  3471. NULL, NULL, NULL, NULL
  3472. };
  3473. const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
  3474. {
  3475. return &aes_128_wrap_pad;
  3476. }
  3477. static const EVP_CIPHER aes_192_wrap_pad = {
  3478. NID_id_aes192_wrap_pad,
  3479. 8, 24, 4, WRAP_FLAGS,
  3480. aes_wrap_init_key, aes_wrap_cipher,
  3481. NULL,
  3482. sizeof(EVP_AES_WRAP_CTX),
  3483. NULL, NULL, NULL, NULL
  3484. };
  3485. const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
  3486. {
  3487. return &aes_192_wrap_pad;
  3488. }
  3489. static const EVP_CIPHER aes_256_wrap_pad = {
  3490. NID_id_aes256_wrap_pad,
  3491. 8, 32, 4, WRAP_FLAGS,
  3492. aes_wrap_init_key, aes_wrap_cipher,
  3493. NULL,
  3494. sizeof(EVP_AES_WRAP_CTX),
  3495. NULL, NULL, NULL, NULL
  3496. };
  3497. const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
  3498. {
  3499. return &aes_256_wrap_pad;
  3500. }
  3501. #ifndef OPENSSL_NO_OCB
  3502. static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  3503. {
  3504. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
  3505. EVP_CIPHER_CTX *newc;
  3506. EVP_AES_OCB_CTX *new_octx;
  3507. switch (type) {
  3508. case EVP_CTRL_INIT:
  3509. octx->key_set = 0;
  3510. octx->iv_set = 0;
  3511. octx->ivlen = EVP_CIPHER_CTX_iv_length(c);
  3512. octx->iv = EVP_CIPHER_CTX_iv_noconst(c);
  3513. octx->taglen = 16;
  3514. octx->data_buf_len = 0;
  3515. octx->aad_buf_len = 0;
  3516. return 1;
  3517. case EVP_CTRL_AEAD_SET_IVLEN:
  3518. /* IV len must be 1 to 15 */
  3519. if (arg <= 0 || arg > 15)
  3520. return 0;
  3521. octx->ivlen = arg;
  3522. return 1;
  3523. case EVP_CTRL_AEAD_SET_TAG:
  3524. if (!ptr) {
  3525. /* Tag len must be 0 to 16 */
  3526. if (arg < 0 || arg > 16)
  3527. return 0;
  3528. octx->taglen = arg;
  3529. return 1;
  3530. }
  3531. if (arg != octx->taglen || EVP_CIPHER_CTX_encrypting(c))
  3532. return 0;
  3533. memcpy(octx->tag, ptr, arg);
  3534. return 1;
  3535. case EVP_CTRL_AEAD_GET_TAG:
  3536. if (arg != octx->taglen || !EVP_CIPHER_CTX_encrypting(c))
  3537. return 0;
  3538. memcpy(ptr, octx->tag, arg);
  3539. return 1;
  3540. case EVP_CTRL_COPY:
  3541. newc = (EVP_CIPHER_CTX *)ptr;
  3542. new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc);
  3543. return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb,
  3544. &new_octx->ksenc.ks,
  3545. &new_octx->ksdec.ks);
  3546. default:
  3547. return -1;
  3548. }
  3549. }
  3550. # ifdef HWAES_CAPABLE
  3551. # ifdef HWAES_ocb_encrypt
  3552. void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out,
  3553. size_t blocks, const void *key,
  3554. size_t start_block_num,
  3555. unsigned char offset_i[16],
  3556. const unsigned char L_[][16],
  3557. unsigned char checksum[16]);
  3558. # else
  3559. # define HWAES_ocb_encrypt ((ocb128_f)NULL)
  3560. # endif
  3561. # ifdef HWAES_ocb_decrypt
  3562. void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out,
  3563. size_t blocks, const void *key,
  3564. size_t start_block_num,
  3565. unsigned char offset_i[16],
  3566. const unsigned char L_[][16],
  3567. unsigned char checksum[16]);
  3568. # else
  3569. # define HWAES_ocb_decrypt ((ocb128_f)NULL)
  3570. # endif
  3571. # endif
  3572. static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3573. const unsigned char *iv, int enc)
  3574. {
  3575. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  3576. if (!iv && !key)
  3577. return 1;
  3578. if (key) {
  3579. do {
  3580. /*
  3581. * We set both the encrypt and decrypt key here because decrypt
  3582. * needs both. We could possibly optimise to remove setting the
  3583. * decrypt for an encryption operation.
  3584. */
  3585. # ifdef HWAES_CAPABLE
  3586. if (HWAES_CAPABLE) {
  3587. HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3588. &octx->ksenc.ks);
  3589. HWAES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3590. &octx->ksdec.ks);
  3591. if (!CRYPTO_ocb128_init(&octx->ocb,
  3592. &octx->ksenc.ks, &octx->ksdec.ks,
  3593. (block128_f) HWAES_encrypt,
  3594. (block128_f) HWAES_decrypt,
  3595. enc ? HWAES_ocb_encrypt
  3596. : HWAES_ocb_decrypt))
  3597. return 0;
  3598. break;
  3599. }
  3600. # endif
  3601. # ifdef VPAES_CAPABLE
  3602. if (VPAES_CAPABLE) {
  3603. vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3604. &octx->ksenc.ks);
  3605. vpaes_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3606. &octx->ksdec.ks);
  3607. if (!CRYPTO_ocb128_init(&octx->ocb,
  3608. &octx->ksenc.ks, &octx->ksdec.ks,
  3609. (block128_f) vpaes_encrypt,
  3610. (block128_f) vpaes_decrypt,
  3611. NULL))
  3612. return 0;
  3613. break;
  3614. }
  3615. # endif
  3616. AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3617. &octx->ksenc.ks);
  3618. AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3619. &octx->ksdec.ks);
  3620. if (!CRYPTO_ocb128_init(&octx->ocb,
  3621. &octx->ksenc.ks, &octx->ksdec.ks,
  3622. (block128_f) AES_encrypt,
  3623. (block128_f) AES_decrypt,
  3624. NULL))
  3625. return 0;
  3626. }
  3627. while (0);
  3628. /*
  3629. * If we have an iv we can set it directly, otherwise use saved IV.
  3630. */
  3631. if (iv == NULL && octx->iv_set)
  3632. iv = octx->iv;
  3633. if (iv) {
  3634. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  3635. != 1)
  3636. return 0;
  3637. octx->iv_set = 1;
  3638. }
  3639. octx->key_set = 1;
  3640. } else {
  3641. /* If key set use IV, otherwise copy */
  3642. if (octx->key_set)
  3643. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  3644. else
  3645. memcpy(octx->iv, iv, octx->ivlen);
  3646. octx->iv_set = 1;
  3647. }
  3648. return 1;
  3649. }
  3650. static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3651. const unsigned char *in, size_t len)
  3652. {
  3653. unsigned char *buf;
  3654. int *buf_len;
  3655. int written_len = 0;
  3656. size_t trailing_len;
  3657. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  3658. /* If IV or Key not set then return error */
  3659. if (!octx->iv_set)
  3660. return -1;
  3661. if (!octx->key_set)
  3662. return -1;
  3663. if (in != NULL) {
  3664. /*
  3665. * Need to ensure we are only passing full blocks to low level OCB
  3666. * routines. We do it here rather than in EVP_EncryptUpdate/
  3667. * EVP_DecryptUpdate because we need to pass full blocks of AAD too
  3668. * and those routines don't support that
  3669. */
  3670. /* Are we dealing with AAD or normal data here? */
  3671. if (out == NULL) {
  3672. buf = octx->aad_buf;
  3673. buf_len = &(octx->aad_buf_len);
  3674. } else {
  3675. buf = octx->data_buf;
  3676. buf_len = &(octx->data_buf_len);
  3677. if (is_partially_overlapping(out + *buf_len, in, len)) {
  3678. EVPerr(EVP_F_AES_OCB_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
  3679. return 0;
  3680. }
  3681. }
  3682. /*
  3683. * If we've got a partially filled buffer from a previous call then
  3684. * use that data first
  3685. */
  3686. if (*buf_len > 0) {
  3687. unsigned int remaining;
  3688. remaining = AES_BLOCK_SIZE - (*buf_len);
  3689. if (remaining > len) {
  3690. memcpy(buf + (*buf_len), in, len);
  3691. *(buf_len) += len;
  3692. return 0;
  3693. }
  3694. memcpy(buf + (*buf_len), in, remaining);
  3695. /*
  3696. * If we get here we've filled the buffer, so process it
  3697. */
  3698. len -= remaining;
  3699. in += remaining;
  3700. if (out == NULL) {
  3701. if (!CRYPTO_ocb128_aad(&octx->ocb, buf, AES_BLOCK_SIZE))
  3702. return -1;
  3703. } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3704. if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out,
  3705. AES_BLOCK_SIZE))
  3706. return -1;
  3707. } else {
  3708. if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out,
  3709. AES_BLOCK_SIZE))
  3710. return -1;
  3711. }
  3712. written_len = AES_BLOCK_SIZE;
  3713. *buf_len = 0;
  3714. if (out != NULL)
  3715. out += AES_BLOCK_SIZE;
  3716. }
  3717. /* Do we have a partial block to handle at the end? */
  3718. trailing_len = len % AES_BLOCK_SIZE;
  3719. /*
  3720. * If we've got some full blocks to handle, then process these first
  3721. */
  3722. if (len != trailing_len) {
  3723. if (out == NULL) {
  3724. if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len))
  3725. return -1;
  3726. } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3727. if (!CRYPTO_ocb128_encrypt
  3728. (&octx->ocb, in, out, len - trailing_len))
  3729. return -1;
  3730. } else {
  3731. if (!CRYPTO_ocb128_decrypt
  3732. (&octx->ocb, in, out, len - trailing_len))
  3733. return -1;
  3734. }
  3735. written_len += len - trailing_len;
  3736. in += len - trailing_len;
  3737. }
  3738. /* Handle any trailing partial block */
  3739. if (trailing_len > 0) {
  3740. memcpy(buf, in, trailing_len);
  3741. *buf_len = trailing_len;
  3742. }
  3743. return written_len;
  3744. } else {
  3745. /*
  3746. * First of all empty the buffer of any partial block that we might
  3747. * have been provided - both for data and AAD
  3748. */
  3749. if (octx->data_buf_len > 0) {
  3750. if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3751. if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out,
  3752. octx->data_buf_len))
  3753. return -1;
  3754. } else {
  3755. if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out,
  3756. octx->data_buf_len))
  3757. return -1;
  3758. }
  3759. written_len = octx->data_buf_len;
  3760. octx->data_buf_len = 0;
  3761. }
  3762. if (octx->aad_buf_len > 0) {
  3763. if (!CRYPTO_ocb128_aad
  3764. (&octx->ocb, octx->aad_buf, octx->aad_buf_len))
  3765. return -1;
  3766. octx->aad_buf_len = 0;
  3767. }
  3768. /* If decrypting then verify */
  3769. if (!EVP_CIPHER_CTX_encrypting(ctx)) {
  3770. if (octx->taglen < 0)
  3771. return -1;
  3772. if (CRYPTO_ocb128_finish(&octx->ocb,
  3773. octx->tag, octx->taglen) != 0)
  3774. return -1;
  3775. octx->iv_set = 0;
  3776. return written_len;
  3777. }
  3778. /* If encrypting then just get the tag */
  3779. if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1)
  3780. return -1;
  3781. /* Don't reuse the IV */
  3782. octx->iv_set = 0;
  3783. return written_len;
  3784. }
  3785. }
  3786. static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
  3787. {
  3788. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
  3789. CRYPTO_ocb128_cleanup(&octx->ocb);
  3790. return 1;
  3791. }
  3792. BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
  3793. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3794. BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
  3795. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3796. BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
  3797. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3798. #endif /* OPENSSL_NO_OCB */
  3799. /* AES-SIV mode */
  3800. #ifndef OPENSSL_NO_SIV
  3801. typedef SIV128_CONTEXT EVP_AES_SIV_CTX;
  3802. #define aesni_siv_init_key aes_siv_init_key
  3803. static int aes_siv_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3804. const unsigned char *iv, int enc)
  3805. {
  3806. const EVP_CIPHER *ctr;
  3807. const EVP_CIPHER *cbc;
  3808. SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, ctx);
  3809. int klen = EVP_CIPHER_CTX_key_length(ctx) / 2;
  3810. if (key == NULL)
  3811. return 1;
  3812. switch (klen) {
  3813. case 16:
  3814. cbc = EVP_aes_128_cbc();
  3815. ctr = EVP_aes_128_ctr();
  3816. break;
  3817. case 24:
  3818. cbc = EVP_aes_192_cbc();
  3819. ctr = EVP_aes_192_ctr();
  3820. break;
  3821. case 32:
  3822. cbc = EVP_aes_256_cbc();
  3823. ctr = EVP_aes_256_ctr();
  3824. break;
  3825. default:
  3826. return 0;
  3827. }
  3828. /* klen is the length of the underlying cipher, not the input key,
  3829. which should be twice as long */
  3830. return CRYPTO_siv128_init(sctx, key, klen, cbc, ctr);
  3831. }
  3832. #define aesni_siv_cipher aes_siv_cipher
  3833. static int aes_siv_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3834. const unsigned char *in, size_t len)
  3835. {
  3836. SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, ctx);
  3837. /* EncryptFinal or DecryptFinal */
  3838. if (in == NULL)
  3839. return CRYPTO_siv128_finish(sctx);
  3840. /* Deal with associated data */
  3841. if (out == NULL)
  3842. return CRYPTO_siv128_aad(sctx, in, len);
  3843. if (EVP_CIPHER_CTX_encrypting(ctx))
  3844. return CRYPTO_siv128_encrypt(sctx, in, out, len);
  3845. return CRYPTO_siv128_decrypt(sctx, in, out, len);
  3846. }
  3847. #define aesni_siv_cleanup aes_siv_cleanup
  3848. static int aes_siv_cleanup(EVP_CIPHER_CTX *c)
  3849. {
  3850. SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, c);
  3851. return CRYPTO_siv128_cleanup(sctx);
  3852. }
  3853. #define aesni_siv_ctrl aes_siv_ctrl
  3854. static int aes_siv_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  3855. {
  3856. SIV128_CONTEXT *sctx = EVP_C_DATA(SIV128_CONTEXT, c);
  3857. SIV128_CONTEXT *sctx_out;
  3858. switch (type) {
  3859. case EVP_CTRL_INIT:
  3860. return CRYPTO_siv128_cleanup(sctx);
  3861. case EVP_CTRL_SET_SPEED:
  3862. return CRYPTO_siv128_speed(sctx, arg);
  3863. case EVP_CTRL_AEAD_SET_TAG:
  3864. if (!EVP_CIPHER_CTX_encrypting(c))
  3865. return CRYPTO_siv128_set_tag(sctx, ptr, arg);
  3866. return 1;
  3867. case EVP_CTRL_AEAD_GET_TAG:
  3868. if (!EVP_CIPHER_CTX_encrypting(c))
  3869. return 0;
  3870. return CRYPTO_siv128_get_tag(sctx, ptr, arg);
  3871. case EVP_CTRL_COPY:
  3872. sctx_out = EVP_C_DATA(SIV128_CONTEXT, (EVP_CIPHER_CTX*)ptr);
  3873. return CRYPTO_siv128_copy_ctx(sctx_out, sctx);
  3874. default:
  3875. return -1;
  3876. }
  3877. }
  3878. #define SIV_FLAGS (EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1 \
  3879. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  3880. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_COPY \
  3881. | EVP_CIPH_CTRL_INIT)
  3882. BLOCK_CIPHER_custom(NID_aes, 128, 1, 0, siv, SIV, SIV_FLAGS)
  3883. BLOCK_CIPHER_custom(NID_aes, 192, 1, 0, siv, SIV, SIV_FLAGS)
  3884. BLOCK_CIPHER_custom(NID_aes, 256, 1, 0, siv, SIV, SIV_FLAGS)
  3885. #endif