e_aes.c 71 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031
  1. /* ====================================================================
  2. * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * 1. Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. *
  11. * 2. Redistributions in binary form must reproduce the above copyright
  12. * notice, this list of conditions and the following disclaimer in
  13. * the documentation and/or other materials provided with the
  14. * distribution.
  15. *
  16. * 3. All advertising materials mentioning features or use of this
  17. * software must display the following acknowledgment:
  18. * "This product includes software developed by the OpenSSL Project
  19. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  20. *
  21. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22. * endorse or promote products derived from this software without
  23. * prior written permission. For written permission, please contact
  24. * openssl-core@openssl.org.
  25. *
  26. * 5. Products derived from this software may not be called "OpenSSL"
  27. * nor may "OpenSSL" appear in their names without prior written
  28. * permission of the OpenSSL Project.
  29. *
  30. * 6. Redistributions of any form whatsoever must retain the following
  31. * acknowledgment:
  32. * "This product includes software developed by the OpenSSL Project
  33. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  34. *
  35. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46. * OF THE POSSIBILITY OF SUCH DAMAGE.
  47. * ====================================================================
  48. *
  49. */
  50. #include <openssl/opensslconf.h>
  51. #ifndef OPENSSL_NO_AES
  52. #include <openssl/crypto.h>
  53. # include <openssl/evp.h>
  54. # include <openssl/err.h>
  55. # include <string.h>
  56. # include <assert.h>
  57. # include <openssl/aes.h>
  58. # include "evp_locl.h"
  59. # include "modes_lcl.h"
  60. # include <openssl/rand.h>
  61. # undef EVP_CIPH_FLAG_FIPS
  62. # define EVP_CIPH_FLAG_FIPS 0
  63. typedef struct {
  64. union {
  65. double align;
  66. AES_KEY ks;
  67. } ks;
  68. block128_f block;
  69. union {
  70. cbc128_f cbc;
  71. ctr128_f ctr;
  72. } stream;
  73. } EVP_AES_KEY;
  74. typedef struct {
  75. union {
  76. double align;
  77. AES_KEY ks;
  78. } ks; /* AES key schedule to use */
  79. int key_set; /* Set if key initialised */
  80. int iv_set; /* Set if an iv is set */
  81. GCM128_CONTEXT gcm;
  82. unsigned char *iv; /* Temporary IV store */
  83. int ivlen; /* IV length */
  84. int taglen;
  85. int iv_gen; /* It is OK to generate IVs */
  86. int tls_aad_len; /* TLS AAD length */
  87. ctr128_f ctr;
  88. } EVP_AES_GCM_CTX;
  89. typedef struct {
  90. union {
  91. double align;
  92. AES_KEY ks;
  93. } ks1, ks2; /* AES key schedules to use */
  94. XTS128_CONTEXT xts;
  95. void (*stream) (const unsigned char *in,
  96. unsigned char *out, size_t length,
  97. const AES_KEY *key1, const AES_KEY *key2,
  98. const unsigned char iv[16]);
  99. } EVP_AES_XTS_CTX;
  100. typedef struct {
  101. union {
  102. double align;
  103. AES_KEY ks;
  104. } ks; /* AES key schedule to use */
  105. int key_set; /* Set if key initialised */
  106. int iv_set; /* Set if an iv is set */
  107. int tag_set; /* Set if tag is valid */
  108. int len_set; /* Set if message length set */
  109. int L, M; /* L and M parameters from RFC3610 */
  110. CCM128_CONTEXT ccm;
  111. ccm128_f str;
  112. } EVP_AES_CCM_CTX;
  113. # define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
  114. # ifdef VPAES_ASM
  115. int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
  116. AES_KEY *key);
  117. int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
  118. AES_KEY *key);
  119. void vpaes_encrypt(const unsigned char *in, unsigned char *out,
  120. const AES_KEY *key);
  121. void vpaes_decrypt(const unsigned char *in, unsigned char *out,
  122. const AES_KEY *key);
  123. void vpaes_cbc_encrypt(const unsigned char *in,
  124. unsigned char *out,
  125. size_t length,
  126. const AES_KEY *key, unsigned char *ivec, int enc);
  127. # endif
  128. # ifdef BSAES_ASM
  129. void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
  130. size_t length, const AES_KEY *key,
  131. unsigned char ivec[16], int enc);
  132. void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
  133. size_t len, const AES_KEY *key,
  134. const unsigned char ivec[16]);
  135. void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
  136. size_t len, const AES_KEY *key1,
  137. const AES_KEY *key2, const unsigned char iv[16]);
  138. void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
  139. size_t len, const AES_KEY *key1,
  140. const AES_KEY *key2, const unsigned char iv[16]);
  141. # endif
  142. # ifdef AES_CTR_ASM
  143. void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
  144. size_t blocks, const AES_KEY *key,
  145. const unsigned char ivec[AES_BLOCK_SIZE]);
  146. # endif
  147. # ifdef AES_XTS_ASM
  148. void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
  149. const AES_KEY *key1, const AES_KEY *key2,
  150. const unsigned char iv[16]);
  151. void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
  152. const AES_KEY *key1, const AES_KEY *key2,
  153. const unsigned char iv[16]);
  154. # endif
  155. # if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
  156. # include "ppc_arch.h"
  157. # ifdef VPAES_ASM
  158. # define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
  159. # endif
  160. # define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
  161. # define HWAES_set_encrypt_key aes_p8_set_encrypt_key
  162. # define HWAES_set_decrypt_key aes_p8_set_decrypt_key
  163. # define HWAES_encrypt aes_p8_encrypt
  164. # define HWAES_decrypt aes_p8_decrypt
  165. # define HWAES_cbc_encrypt aes_p8_cbc_encrypt
  166. # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
  167. # endif
  168. # if defined(AES_ASM) && !defined(I386_ONLY) && ( \
  169. ((defined(__i386) || defined(__i386__) || \
  170. defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
  171. defined(__x86_64) || defined(__x86_64__) || \
  172. defined(_M_AMD64) || defined(_M_X64) || \
  173. defined(__INTEL__) )
  174. extern unsigned int OPENSSL_ia32cap_P[];
  175. # ifdef VPAES_ASM
  176. # define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
  177. # endif
  178. # ifdef BSAES_ASM
  179. # define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
  180. # endif
  181. /*
  182. * AES-NI section
  183. */
  184. # define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
  185. int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
  186. AES_KEY *key);
  187. int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
  188. AES_KEY *key);
  189. void aesni_encrypt(const unsigned char *in, unsigned char *out,
  190. const AES_KEY *key);
  191. void aesni_decrypt(const unsigned char *in, unsigned char *out,
  192. const AES_KEY *key);
  193. void aesni_ecb_encrypt(const unsigned char *in,
  194. unsigned char *out,
  195. size_t length, const AES_KEY *key, int enc);
  196. void aesni_cbc_encrypt(const unsigned char *in,
  197. unsigned char *out,
  198. size_t length,
  199. const AES_KEY *key, unsigned char *ivec, int enc);
  200. void aesni_ctr32_encrypt_blocks(const unsigned char *in,
  201. unsigned char *out,
  202. size_t blocks,
  203. const void *key, const unsigned char *ivec);
  204. void aesni_xts_encrypt(const unsigned char *in,
  205. unsigned char *out,
  206. size_t length,
  207. const AES_KEY *key1, const AES_KEY *key2,
  208. const unsigned char iv[16]);
  209. void aesni_xts_decrypt(const unsigned char *in,
  210. unsigned char *out,
  211. size_t length,
  212. const AES_KEY *key1, const AES_KEY *key2,
  213. const unsigned char iv[16]);
  214. void aesni_ccm64_encrypt_blocks(const unsigned char *in,
  215. unsigned char *out,
  216. size_t blocks,
  217. const void *key,
  218. const unsigned char ivec[16],
  219. unsigned char cmac[16]);
  220. void aesni_ccm64_decrypt_blocks(const unsigned char *in,
  221. unsigned char *out,
  222. size_t blocks,
  223. const void *key,
  224. const unsigned char ivec[16],
  225. unsigned char cmac[16]);
  226. # if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
  227. size_t aesni_gcm_encrypt(const unsigned char *in,
  228. unsigned char *out,
  229. size_t len,
  230. const void *key, unsigned char ivec[16], u64 *Xi);
  231. # define AES_gcm_encrypt aesni_gcm_encrypt
  232. size_t aesni_gcm_decrypt(const unsigned char *in,
  233. unsigned char *out,
  234. size_t len,
  235. const void *key, unsigned char ivec[16], u64 *Xi);
  236. # define AES_gcm_decrypt aesni_gcm_decrypt
  237. void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in,
  238. size_t len);
  239. # define AES_GCM_ASM(gctx) (gctx->ctr==aesni_ctr32_encrypt_blocks && \
  240. gctx->gcm.ghash==gcm_ghash_avx)
  241. # define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
  242. gctx->gcm.ghash==gcm_ghash_avx)
  243. # undef AES_GCM_ASM2 /* minor size optimization */
  244. # endif
  245. static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  246. const unsigned char *iv, int enc)
  247. {
  248. int ret, mode;
  249. EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
  250. mode = ctx->cipher->flags & EVP_CIPH_MODE;
  251. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  252. && !enc) {
  253. ret = aesni_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
  254. dat->block = (block128_f) aesni_decrypt;
  255. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  256. (cbc128_f) aesni_cbc_encrypt : NULL;
  257. } else {
  258. ret = aesni_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
  259. dat->block = (block128_f) aesni_encrypt;
  260. if (mode == EVP_CIPH_CBC_MODE)
  261. dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
  262. else if (mode == EVP_CIPH_CTR_MODE)
  263. dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
  264. else
  265. dat->stream.cbc = NULL;
  266. }
  267. if (ret < 0) {
  268. EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
  269. return 0;
  270. }
  271. return 1;
  272. }
  273. static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  274. const unsigned char *in, size_t len)
  275. {
  276. aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, ctx->encrypt);
  277. return 1;
  278. }
  279. static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  280. const unsigned char *in, size_t len)
  281. {
  282. size_t bl = ctx->cipher->block_size;
  283. if (len < bl)
  284. return 1;
  285. aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
  286. return 1;
  287. }
  288. # define aesni_ofb_cipher aes_ofb_cipher
  289. static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  290. const unsigned char *in, size_t len);
  291. # define aesni_cfb_cipher aes_cfb_cipher
  292. static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  293. const unsigned char *in, size_t len);
  294. # define aesni_cfb8_cipher aes_cfb8_cipher
  295. static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  296. const unsigned char *in, size_t len);
  297. # define aesni_cfb1_cipher aes_cfb1_cipher
  298. static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  299. const unsigned char *in, size_t len);
  300. # define aesni_ctr_cipher aes_ctr_cipher
  301. static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  302. const unsigned char *in, size_t len);
  303. static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  304. const unsigned char *iv, int enc)
  305. {
  306. EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
  307. if (!iv && !key)
  308. return 1;
  309. if (key) {
  310. aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  311. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
  312. gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
  313. /*
  314. * If we have an iv can set it directly, otherwise use saved IV.
  315. */
  316. if (iv == NULL && gctx->iv_set)
  317. iv = gctx->iv;
  318. if (iv) {
  319. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  320. gctx->iv_set = 1;
  321. }
  322. gctx->key_set = 1;
  323. } else {
  324. /* If key set use IV, otherwise copy */
  325. if (gctx->key_set)
  326. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  327. else
  328. memcpy(gctx->iv, iv, gctx->ivlen);
  329. gctx->iv_set = 1;
  330. gctx->iv_gen = 0;
  331. }
  332. return 1;
  333. }
  334. # define aesni_gcm_cipher aes_gcm_cipher
  335. static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  336. const unsigned char *in, size_t len);
  337. static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  338. const unsigned char *iv, int enc)
  339. {
  340. EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
  341. if (!iv && !key)
  342. return 1;
  343. if (key) {
  344. /* key_len is two AES keys */
  345. if (enc) {
  346. aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
  347. xctx->xts.block1 = (block128_f) aesni_encrypt;
  348. xctx->stream = aesni_xts_encrypt;
  349. } else {
  350. aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
  351. xctx->xts.block1 = (block128_f) aesni_decrypt;
  352. xctx->stream = aesni_xts_decrypt;
  353. }
  354. aesni_set_encrypt_key(key + ctx->key_len / 2,
  355. ctx->key_len * 4, &xctx->ks2.ks);
  356. xctx->xts.block2 = (block128_f) aesni_encrypt;
  357. xctx->xts.key1 = &xctx->ks1;
  358. }
  359. if (iv) {
  360. xctx->xts.key2 = &xctx->ks2;
  361. memcpy(ctx->iv, iv, 16);
  362. }
  363. return 1;
  364. }
  365. # define aesni_xts_cipher aes_xts_cipher
  366. static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  367. const unsigned char *in, size_t len);
  368. static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  369. const unsigned char *iv, int enc)
  370. {
  371. EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
  372. if (!iv && !key)
  373. return 1;
  374. if (key) {
  375. aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
  376. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  377. &cctx->ks, (block128_f) aesni_encrypt);
  378. cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
  379. (ccm128_f) aesni_ccm64_decrypt_blocks;
  380. cctx->key_set = 1;
  381. }
  382. if (iv) {
  383. memcpy(ctx->iv, iv, 15 - cctx->L);
  384. cctx->iv_set = 1;
  385. }
  386. return 1;
  387. }
  388. # define aesni_ccm_cipher aes_ccm_cipher
  389. static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  390. const unsigned char *in, size_t len);
  391. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  392. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  393. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  394. flags|EVP_CIPH_##MODE##_MODE, \
  395. aesni_init_key, \
  396. aesni_##mode##_cipher, \
  397. NULL, \
  398. sizeof(EVP_AES_KEY), \
  399. NULL,NULL,NULL,NULL }; \
  400. static const EVP_CIPHER aes_##keylen##_##mode = { \
  401. nid##_##keylen##_##nmode,blocksize, \
  402. keylen/8,ivlen, \
  403. flags|EVP_CIPH_##MODE##_MODE, \
  404. aes_init_key, \
  405. aes_##mode##_cipher, \
  406. NULL, \
  407. sizeof(EVP_AES_KEY), \
  408. NULL,NULL,NULL,NULL }; \
  409. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  410. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  411. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  412. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  413. nid##_##keylen##_##mode,blocksize, \
  414. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
  415. flags|EVP_CIPH_##MODE##_MODE, \
  416. aesni_##mode##_init_key, \
  417. aesni_##mode##_cipher, \
  418. aes_##mode##_cleanup, \
  419. sizeof(EVP_AES_##MODE##_CTX), \
  420. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  421. static const EVP_CIPHER aes_##keylen##_##mode = { \
  422. nid##_##keylen##_##mode,blocksize, \
  423. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
  424. flags|EVP_CIPH_##MODE##_MODE, \
  425. aes_##mode##_init_key, \
  426. aes_##mode##_cipher, \
  427. aes_##mode##_cleanup, \
  428. sizeof(EVP_AES_##MODE##_CTX), \
  429. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  430. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  431. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  432. # elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
  433. # include "sparc_arch.h"
  434. extern unsigned int OPENSSL_sparcv9cap_P[];
  435. # define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES)
  436. void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
  437. void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
  438. void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
  439. const AES_KEY *key);
  440. void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
  441. const AES_KEY *key);
  442. /*
  443. * Key-length specific subroutines were chosen for following reason.
  444. * Each SPARC T4 core can execute up to 8 threads which share core's
  445. * resources. Loading as much key material to registers allows to
  446. * minimize references to shared memory interface, as well as amount
  447. * of instructions in inner loops [much needed on T4]. But then having
  448. * non-key-length specific routines would require conditional branches
  449. * either in inner loops or on subroutines' entries. Former is hardly
  450. * acceptable, while latter means code size increase to size occupied
  451. * by multiple key-length specfic subroutines, so why fight?
  452. */
  453. void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
  454. size_t len, const AES_KEY *key,
  455. unsigned char *ivec);
  456. void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
  457. size_t len, const AES_KEY *key,
  458. unsigned char *ivec);
  459. void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
  460. size_t len, const AES_KEY *key,
  461. unsigned char *ivec);
  462. void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
  463. size_t len, const AES_KEY *key,
  464. unsigned char *ivec);
  465. void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
  466. size_t len, const AES_KEY *key,
  467. unsigned char *ivec);
  468. void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
  469. size_t len, const AES_KEY *key,
  470. unsigned char *ivec);
  471. void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
  472. size_t blocks, const AES_KEY *key,
  473. unsigned char *ivec);
  474. void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
  475. size_t blocks, const AES_KEY *key,
  476. unsigned char *ivec);
  477. void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
  478. size_t blocks, const AES_KEY *key,
  479. unsigned char *ivec);
  480. void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
  481. size_t blocks, const AES_KEY *key1,
  482. const AES_KEY *key2, const unsigned char *ivec);
  483. void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
  484. size_t blocks, const AES_KEY *key1,
  485. const AES_KEY *key2, const unsigned char *ivec);
  486. void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
  487. size_t blocks, const AES_KEY *key1,
  488. const AES_KEY *key2, const unsigned char *ivec);
  489. void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
  490. size_t blocks, const AES_KEY *key1,
  491. const AES_KEY *key2, const unsigned char *ivec);
  492. static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  493. const unsigned char *iv, int enc)
  494. {
  495. int ret, mode, bits;
  496. EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
  497. mode = ctx->cipher->flags & EVP_CIPH_MODE;
  498. bits = ctx->key_len * 8;
  499. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  500. && !enc) {
  501. ret = 0;
  502. aes_t4_set_decrypt_key(key, bits, ctx->cipher_data);
  503. dat->block = (block128_f) aes_t4_decrypt;
  504. switch (bits) {
  505. case 128:
  506. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  507. (cbc128_f) aes128_t4_cbc_decrypt : NULL;
  508. break;
  509. case 192:
  510. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  511. (cbc128_f) aes192_t4_cbc_decrypt : NULL;
  512. break;
  513. case 256:
  514. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  515. (cbc128_f) aes256_t4_cbc_decrypt : NULL;
  516. break;
  517. default:
  518. ret = -1;
  519. }
  520. } else {
  521. ret = 0;
  522. aes_t4_set_encrypt_key(key, bits, ctx->cipher_data);
  523. dat->block = (block128_f) aes_t4_encrypt;
  524. switch (bits) {
  525. case 128:
  526. if (mode == EVP_CIPH_CBC_MODE)
  527. dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
  528. else if (mode == EVP_CIPH_CTR_MODE)
  529. dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
  530. else
  531. dat->stream.cbc = NULL;
  532. break;
  533. case 192:
  534. if (mode == EVP_CIPH_CBC_MODE)
  535. dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
  536. else if (mode == EVP_CIPH_CTR_MODE)
  537. dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
  538. else
  539. dat->stream.cbc = NULL;
  540. break;
  541. case 256:
  542. if (mode == EVP_CIPH_CBC_MODE)
  543. dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
  544. else if (mode == EVP_CIPH_CTR_MODE)
  545. dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
  546. else
  547. dat->stream.cbc = NULL;
  548. break;
  549. default:
  550. ret = -1;
  551. }
  552. }
  553. if (ret < 0) {
  554. EVPerr(EVP_F_AES_T4_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
  555. return 0;
  556. }
  557. return 1;
  558. }
  559. # define aes_t4_cbc_cipher aes_cbc_cipher
  560. static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  561. const unsigned char *in, size_t len);
  562. # define aes_t4_ecb_cipher aes_ecb_cipher
  563. static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  564. const unsigned char *in, size_t len);
  565. # define aes_t4_ofb_cipher aes_ofb_cipher
  566. static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  567. const unsigned char *in, size_t len);
  568. # define aes_t4_cfb_cipher aes_cfb_cipher
  569. static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  570. const unsigned char *in, size_t len);
  571. # define aes_t4_cfb8_cipher aes_cfb8_cipher
  572. static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  573. const unsigned char *in, size_t len);
  574. # define aes_t4_cfb1_cipher aes_cfb1_cipher
  575. static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  576. const unsigned char *in, size_t len);
  577. # define aes_t4_ctr_cipher aes_ctr_cipher
  578. static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  579. const unsigned char *in, size_t len);
  580. static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  581. const unsigned char *iv, int enc)
  582. {
  583. EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
  584. if (!iv && !key)
  585. return 1;
  586. if (key) {
  587. int bits = ctx->key_len * 8;
  588. aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
  589. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  590. (block128_f) aes_t4_encrypt);
  591. switch (bits) {
  592. case 128:
  593. gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
  594. break;
  595. case 192:
  596. gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
  597. break;
  598. case 256:
  599. gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
  600. break;
  601. default:
  602. return 0;
  603. }
  604. /*
  605. * If we have an iv can set it directly, otherwise use saved IV.
  606. */
  607. if (iv == NULL && gctx->iv_set)
  608. iv = gctx->iv;
  609. if (iv) {
  610. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  611. gctx->iv_set = 1;
  612. }
  613. gctx->key_set = 1;
  614. } else {
  615. /* If key set use IV, otherwise copy */
  616. if (gctx->key_set)
  617. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  618. else
  619. memcpy(gctx->iv, iv, gctx->ivlen);
  620. gctx->iv_set = 1;
  621. gctx->iv_gen = 0;
  622. }
  623. return 1;
  624. }
  625. # define aes_t4_gcm_cipher aes_gcm_cipher
  626. static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  627. const unsigned char *in, size_t len);
  628. static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  629. const unsigned char *iv, int enc)
  630. {
  631. EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
  632. if (!iv && !key)
  633. return 1;
  634. if (key) {
  635. int bits = ctx->key_len * 4;
  636. xctx->stream = NULL;
  637. /* key_len is two AES keys */
  638. if (enc) {
  639. aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
  640. xctx->xts.block1 = (block128_f) aes_t4_encrypt;
  641. switch (bits) {
  642. case 128:
  643. xctx->stream = aes128_t4_xts_encrypt;
  644. break;
  645. # if 0 /* not yet */
  646. case 192:
  647. xctx->stream = aes192_t4_xts_encrypt;
  648. break;
  649. # endif
  650. case 256:
  651. xctx->stream = aes256_t4_xts_encrypt;
  652. break;
  653. default:
  654. return 0;
  655. }
  656. } else {
  657. aes_t4_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
  658. xctx->xts.block1 = (block128_f) aes_t4_decrypt;
  659. switch (bits) {
  660. case 128:
  661. xctx->stream = aes128_t4_xts_decrypt;
  662. break;
  663. # if 0 /* not yet */
  664. case 192:
  665. xctx->stream = aes192_t4_xts_decrypt;
  666. break;
  667. # endif
  668. case 256:
  669. xctx->stream = aes256_t4_xts_decrypt;
  670. break;
  671. default:
  672. return 0;
  673. }
  674. }
  675. aes_t4_set_encrypt_key(key + ctx->key_len / 2,
  676. ctx->key_len * 4, &xctx->ks2.ks);
  677. xctx->xts.block2 = (block128_f) aes_t4_encrypt;
  678. xctx->xts.key1 = &xctx->ks1;
  679. }
  680. if (iv) {
  681. xctx->xts.key2 = &xctx->ks2;
  682. memcpy(ctx->iv, iv, 16);
  683. }
  684. return 1;
  685. }
  686. # define aes_t4_xts_cipher aes_xts_cipher
  687. static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  688. const unsigned char *in, size_t len);
  689. static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  690. const unsigned char *iv, int enc)
  691. {
  692. EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
  693. if (!iv && !key)
  694. return 1;
  695. if (key) {
  696. int bits = ctx->key_len * 8;
  697. aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
  698. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  699. &cctx->ks, (block128_f) aes_t4_encrypt);
  700. # if 0 /* not yet */
  701. switch (bits) {
  702. case 128:
  703. cctx->str = enc ? (ccm128_f) aes128_t4_ccm64_encrypt :
  704. (ccm128_f) ae128_t4_ccm64_decrypt;
  705. break;
  706. case 192:
  707. cctx->str = enc ? (ccm128_f) aes192_t4_ccm64_encrypt :
  708. (ccm128_f) ae192_t4_ccm64_decrypt;
  709. break;
  710. case 256:
  711. cctx->str = enc ? (ccm128_f) aes256_t4_ccm64_encrypt :
  712. (ccm128_f) ae256_t4_ccm64_decrypt;
  713. break;
  714. default:
  715. return 0;
  716. }
  717. # else
  718. cctx->str = NULL;
  719. # endif
  720. cctx->key_set = 1;
  721. }
  722. if (iv) {
  723. memcpy(ctx->iv, iv, 15 - cctx->L);
  724. cctx->iv_set = 1;
  725. }
  726. return 1;
  727. }
  728. # define aes_t4_ccm_cipher aes_ccm_cipher
  729. static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  730. const unsigned char *in, size_t len);
  731. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  732. static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
  733. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  734. flags|EVP_CIPH_##MODE##_MODE, \
  735. aes_t4_init_key, \
  736. aes_t4_##mode##_cipher, \
  737. NULL, \
  738. sizeof(EVP_AES_KEY), \
  739. NULL,NULL,NULL,NULL }; \
  740. static const EVP_CIPHER aes_##keylen##_##mode = { \
  741. nid##_##keylen##_##nmode,blocksize, \
  742. keylen/8,ivlen, \
  743. flags|EVP_CIPH_##MODE##_MODE, \
  744. aes_init_key, \
  745. aes_##mode##_cipher, \
  746. NULL, \
  747. sizeof(EVP_AES_KEY), \
  748. NULL,NULL,NULL,NULL }; \
  749. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  750. { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
  751. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  752. static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
  753. nid##_##keylen##_##mode,blocksize, \
  754. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
  755. flags|EVP_CIPH_##MODE##_MODE, \
  756. aes_t4_##mode##_init_key, \
  757. aes_t4_##mode##_cipher, \
  758. aes_##mode##_cleanup, \
  759. sizeof(EVP_AES_##MODE##_CTX), \
  760. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  761. static const EVP_CIPHER aes_##keylen##_##mode = { \
  762. nid##_##keylen##_##mode,blocksize, \
  763. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
  764. flags|EVP_CIPH_##MODE##_MODE, \
  765. aes_##mode##_init_key, \
  766. aes_##mode##_cipher, \
  767. aes_##mode##_cleanup, \
  768. sizeof(EVP_AES_##MODE##_CTX), \
  769. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  770. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  771. { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
  772. # else
  773. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  774. static const EVP_CIPHER aes_##keylen##_##mode = { \
  775. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  776. flags|EVP_CIPH_##MODE##_MODE, \
  777. aes_init_key, \
  778. aes_##mode##_cipher, \
  779. NULL, \
  780. sizeof(EVP_AES_KEY), \
  781. NULL,NULL,NULL,NULL }; \
  782. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  783. { return &aes_##keylen##_##mode; }
  784. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  785. static const EVP_CIPHER aes_##keylen##_##mode = { \
  786. nid##_##keylen##_##mode,blocksize, \
  787. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
  788. flags|EVP_CIPH_##MODE##_MODE, \
  789. aes_##mode##_init_key, \
  790. aes_##mode##_cipher, \
  791. aes_##mode##_cleanup, \
  792. sizeof(EVP_AES_##MODE##_CTX), \
  793. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  794. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  795. { return &aes_##keylen##_##mode; }
  796. # endif
  797. # if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
  798. # include "arm_arch.h"
  799. # if __ARM_MAX_ARCH__>=7
  800. # if defined(BSAES_ASM)
  801. # define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
  802. # endif
  803. # define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
  804. # define HWAES_set_encrypt_key aes_v8_set_encrypt_key
  805. # define HWAES_set_decrypt_key aes_v8_set_decrypt_key
  806. # define HWAES_encrypt aes_v8_encrypt
  807. # define HWAES_decrypt aes_v8_decrypt
  808. # define HWAES_cbc_encrypt aes_v8_cbc_encrypt
  809. # define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
  810. # endif
  811. # endif
  812. # if defined(HWAES_CAPABLE)
  813. int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
  814. AES_KEY *key);
  815. int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
  816. AES_KEY *key);
  817. void HWAES_encrypt(const unsigned char *in, unsigned char *out,
  818. const AES_KEY *key);
  819. void HWAES_decrypt(const unsigned char *in, unsigned char *out,
  820. const AES_KEY *key);
  821. void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
  822. size_t length, const AES_KEY *key,
  823. unsigned char *ivec, const int enc);
  824. void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
  825. size_t len, const AES_KEY *key,
  826. const unsigned char ivec[16]);
  827. # endif
  828. # define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
  829. BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  830. BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  831. BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  832. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  833. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
  834. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
  835. BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
  836. static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  837. const unsigned char *iv, int enc)
  838. {
  839. int ret, mode;
  840. EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
  841. mode = ctx->cipher->flags & EVP_CIPH_MODE;
  842. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  843. && !enc)
  844. # ifdef HWAES_CAPABLE
  845. if (HWAES_CAPABLE) {
  846. ret = HWAES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
  847. dat->block = (block128_f) HWAES_decrypt;
  848. dat->stream.cbc = NULL;
  849. # ifdef HWAES_cbc_encrypt
  850. if (mode == EVP_CIPH_CBC_MODE)
  851. dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
  852. # endif
  853. } else
  854. # endif
  855. # ifdef BSAES_CAPABLE
  856. if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
  857. ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
  858. dat->block = (block128_f) AES_decrypt;
  859. dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt;
  860. } else
  861. # endif
  862. # ifdef VPAES_CAPABLE
  863. if (VPAES_CAPABLE) {
  864. ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
  865. dat->block = (block128_f) vpaes_decrypt;
  866. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  867. (cbc128_f) vpaes_cbc_encrypt : NULL;
  868. } else
  869. # endif
  870. {
  871. ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
  872. dat->block = (block128_f) AES_decrypt;
  873. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  874. (cbc128_f) AES_cbc_encrypt : NULL;
  875. } else
  876. # ifdef HWAES_CAPABLE
  877. if (HWAES_CAPABLE) {
  878. ret = HWAES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
  879. dat->block = (block128_f) HWAES_encrypt;
  880. dat->stream.cbc = NULL;
  881. # ifdef HWAES_cbc_encrypt
  882. if (mode == EVP_CIPH_CBC_MODE)
  883. dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
  884. else
  885. # endif
  886. # ifdef HWAES_ctr32_encrypt_blocks
  887. if (mode == EVP_CIPH_CTR_MODE)
  888. dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
  889. else
  890. # endif
  891. (void)0; /* terminate potentially open 'else' */
  892. } else
  893. # endif
  894. # ifdef BSAES_CAPABLE
  895. if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
  896. ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
  897. dat->block = (block128_f) AES_encrypt;
  898. dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
  899. } else
  900. # endif
  901. # ifdef VPAES_CAPABLE
  902. if (VPAES_CAPABLE) {
  903. ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
  904. dat->block = (block128_f) vpaes_encrypt;
  905. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  906. (cbc128_f) vpaes_cbc_encrypt : NULL;
  907. } else
  908. # endif
  909. {
  910. ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
  911. dat->block = (block128_f) AES_encrypt;
  912. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  913. (cbc128_f) AES_cbc_encrypt : NULL;
  914. # ifdef AES_CTR_ASM
  915. if (mode == EVP_CIPH_CTR_MODE)
  916. dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
  917. # endif
  918. }
  919. if (ret < 0) {
  920. EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
  921. return 0;
  922. }
  923. return 1;
  924. }
  925. static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  926. const unsigned char *in, size_t len)
  927. {
  928. EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
  929. if (dat->stream.cbc)
  930. (*dat->stream.cbc) (in, out, len, &dat->ks, ctx->iv, ctx->encrypt);
  931. else if (ctx->encrypt)
  932. CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
  933. else
  934. CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
  935. return 1;
  936. }
  937. static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  938. const unsigned char *in, size_t len)
  939. {
  940. size_t bl = ctx->cipher->block_size;
  941. size_t i;
  942. EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
  943. if (len < bl)
  944. return 1;
  945. for (i = 0, len -= bl; i <= len; i += bl)
  946. (*dat->block) (in + i, out + i, &dat->ks);
  947. return 1;
  948. }
  949. static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  950. const unsigned char *in, size_t len)
  951. {
  952. EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
  953. CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
  954. ctx->iv, &ctx->num, dat->block);
  955. return 1;
  956. }
  957. static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  958. const unsigned char *in, size_t len)
  959. {
  960. EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
  961. CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
  962. ctx->iv, &ctx->num, ctx->encrypt, dat->block);
  963. return 1;
  964. }
  965. static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  966. const unsigned char *in, size_t len)
  967. {
  968. EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
  969. CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
  970. ctx->iv, &ctx->num, ctx->encrypt, dat->block);
  971. return 1;
  972. }
  973. static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  974. const unsigned char *in, size_t len)
  975. {
  976. EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
  977. if (ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) {
  978. CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
  979. ctx->iv, &ctx->num, ctx->encrypt, dat->block);
  980. return 1;
  981. }
  982. while (len >= MAXBITCHUNK) {
  983. CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
  984. ctx->iv, &ctx->num, ctx->encrypt, dat->block);
  985. len -= MAXBITCHUNK;
  986. }
  987. if (len)
  988. CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
  989. ctx->iv, &ctx->num, ctx->encrypt, dat->block);
  990. return 1;
  991. }
  992. static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  993. const unsigned char *in, size_t len)
  994. {
  995. unsigned int num = ctx->num;
  996. EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
  997. if (dat->stream.ctr)
  998. CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
  999. ctx->iv, ctx->buf, &num, dat->stream.ctr);
  1000. else
  1001. CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
  1002. ctx->iv, ctx->buf, &num, dat->block);
  1003. ctx->num = (size_t)num;
  1004. return 1;
  1005. }
  1006. BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS)
  1007. BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS)
  1008. BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS)
  1009. static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
  1010. {
  1011. EVP_AES_GCM_CTX *gctx = c->cipher_data;
  1012. if (gctx == NULL)
  1013. return 0;
  1014. OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
  1015. if (gctx->iv != c->iv)
  1016. OPENSSL_free(gctx->iv);
  1017. return 1;
  1018. }
  1019. /* increment counter (64-bit int) by 1 */
  1020. static void ctr64_inc(unsigned char *counter)
  1021. {
  1022. int n = 8;
  1023. unsigned char c;
  1024. do {
  1025. --n;
  1026. c = counter[n];
  1027. ++c;
  1028. counter[n] = c;
  1029. if (c)
  1030. return;
  1031. } while (n);
  1032. }
  1033. static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1034. {
  1035. EVP_AES_GCM_CTX *gctx = c->cipher_data;
  1036. switch (type) {
  1037. case EVP_CTRL_INIT:
  1038. gctx->key_set = 0;
  1039. gctx->iv_set = 0;
  1040. gctx->ivlen = c->cipher->iv_len;
  1041. gctx->iv = c->iv;
  1042. gctx->taglen = -1;
  1043. gctx->iv_gen = 0;
  1044. gctx->tls_aad_len = -1;
  1045. return 1;
  1046. case EVP_CTRL_GCM_SET_IVLEN:
  1047. if (arg <= 0)
  1048. return 0;
  1049. /* Allocate memory for IV if needed */
  1050. if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
  1051. if (gctx->iv != c->iv)
  1052. OPENSSL_free(gctx->iv);
  1053. gctx->iv = OPENSSL_malloc(arg);
  1054. if (!gctx->iv)
  1055. return 0;
  1056. }
  1057. gctx->ivlen = arg;
  1058. return 1;
  1059. case EVP_CTRL_GCM_SET_TAG:
  1060. if (arg <= 0 || arg > 16 || c->encrypt)
  1061. return 0;
  1062. memcpy(c->buf, ptr, arg);
  1063. gctx->taglen = arg;
  1064. return 1;
  1065. case EVP_CTRL_GCM_GET_TAG:
  1066. if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
  1067. return 0;
  1068. memcpy(ptr, c->buf, arg);
  1069. return 1;
  1070. case EVP_CTRL_GCM_SET_IV_FIXED:
  1071. /* Special case: -1 length restores whole IV */
  1072. if (arg == -1) {
  1073. memcpy(gctx->iv, ptr, gctx->ivlen);
  1074. gctx->iv_gen = 1;
  1075. return 1;
  1076. }
  1077. /*
  1078. * Fixed field must be at least 4 bytes and invocation field at least
  1079. * 8.
  1080. */
  1081. if ((arg < 4) || (gctx->ivlen - arg) < 8)
  1082. return 0;
  1083. if (arg)
  1084. memcpy(gctx->iv, ptr, arg);
  1085. if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
  1086. return 0;
  1087. gctx->iv_gen = 1;
  1088. return 1;
  1089. case EVP_CTRL_GCM_IV_GEN:
  1090. if (gctx->iv_gen == 0 || gctx->key_set == 0)
  1091. return 0;
  1092. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  1093. if (arg <= 0 || arg > gctx->ivlen)
  1094. arg = gctx->ivlen;
  1095. memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
  1096. /*
  1097. * Invocation field will be at least 8 bytes in size and so no need
  1098. * to check wrap around or increment more than last 8 bytes.
  1099. */
  1100. ctr64_inc(gctx->iv + gctx->ivlen - 8);
  1101. gctx->iv_set = 1;
  1102. return 1;
  1103. case EVP_CTRL_GCM_SET_IV_INV:
  1104. if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
  1105. return 0;
  1106. memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
  1107. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  1108. gctx->iv_set = 1;
  1109. return 1;
  1110. case EVP_CTRL_AEAD_TLS1_AAD:
  1111. /* Save the AAD for later use */
  1112. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  1113. return 0;
  1114. memcpy(c->buf, ptr, arg);
  1115. gctx->tls_aad_len = arg;
  1116. {
  1117. unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
  1118. /* Correct length for explicit IV */
  1119. if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
  1120. return 0;
  1121. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1122. /* If decrypting correct for tag too */
  1123. if (!c->encrypt) {
  1124. if (len < EVP_GCM_TLS_TAG_LEN)
  1125. return 0;
  1126. len -= EVP_GCM_TLS_TAG_LEN;
  1127. }
  1128. c->buf[arg - 2] = len >> 8;
  1129. c->buf[arg - 1] = len & 0xff;
  1130. }
  1131. /* Extra padding: tag appended to record */
  1132. return EVP_GCM_TLS_TAG_LEN;
  1133. case EVP_CTRL_COPY:
  1134. {
  1135. EVP_CIPHER_CTX *out = ptr;
  1136. EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
  1137. if (gctx->gcm.key) {
  1138. if (gctx->gcm.key != &gctx->ks)
  1139. return 0;
  1140. gctx_out->gcm.key = &gctx_out->ks;
  1141. }
  1142. if (gctx->iv == c->iv)
  1143. gctx_out->iv = out->iv;
  1144. else {
  1145. gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
  1146. if (!gctx_out->iv)
  1147. return 0;
  1148. memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
  1149. }
  1150. return 1;
  1151. }
  1152. default:
  1153. return -1;
  1154. }
  1155. }
  1156. static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  1157. const unsigned char *iv, int enc)
  1158. {
  1159. EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
  1160. if (!iv && !key)
  1161. return 1;
  1162. if (key) {
  1163. do {
  1164. # ifdef HWAES_CAPABLE
  1165. if (HWAES_CAPABLE) {
  1166. HWAES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  1167. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  1168. (block128_f) HWAES_encrypt);
  1169. # ifdef HWAES_ctr32_encrypt_blocks
  1170. gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
  1171. # else
  1172. gctx->ctr = NULL;
  1173. # endif
  1174. break;
  1175. } else
  1176. # endif
  1177. # ifdef BSAES_CAPABLE
  1178. if (BSAES_CAPABLE) {
  1179. AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  1180. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  1181. (block128_f) AES_encrypt);
  1182. gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
  1183. break;
  1184. } else
  1185. # endif
  1186. # ifdef VPAES_CAPABLE
  1187. if (VPAES_CAPABLE) {
  1188. vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  1189. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  1190. (block128_f) vpaes_encrypt);
  1191. gctx->ctr = NULL;
  1192. break;
  1193. } else
  1194. # endif
  1195. (void)0; /* terminate potentially open 'else' */
  1196. AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  1197. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  1198. (block128_f) AES_encrypt);
  1199. # ifdef AES_CTR_ASM
  1200. gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
  1201. # else
  1202. gctx->ctr = NULL;
  1203. # endif
  1204. } while (0);
  1205. /*
  1206. * If we have an iv can set it directly, otherwise use saved IV.
  1207. */
  1208. if (iv == NULL && gctx->iv_set)
  1209. iv = gctx->iv;
  1210. if (iv) {
  1211. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  1212. gctx->iv_set = 1;
  1213. }
  1214. gctx->key_set = 1;
  1215. } else {
  1216. /* If key set use IV, otherwise copy */
  1217. if (gctx->key_set)
  1218. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  1219. else
  1220. memcpy(gctx->iv, iv, gctx->ivlen);
  1221. gctx->iv_set = 1;
  1222. gctx->iv_gen = 0;
  1223. }
  1224. return 1;
  1225. }
  1226. /*
  1227. * Handle TLS GCM packet format. This consists of the last portion of the IV
  1228. * followed by the payload and finally the tag. On encrypt generate IV,
  1229. * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
  1230. * and verify tag.
  1231. */
  1232. static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1233. const unsigned char *in, size_t len)
  1234. {
  1235. EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
  1236. int rv = -1;
  1237. /* Encrypt/decrypt must be performed in place */
  1238. if (out != in
  1239. || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
  1240. return -1;
  1241. /*
  1242. * Set IV from start of buffer or generate IV and write to start of
  1243. * buffer.
  1244. */
  1245. if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
  1246. EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
  1247. EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
  1248. goto err;
  1249. /* Use saved AAD */
  1250. if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
  1251. goto err;
  1252. /* Fix buffer and length to point to payload */
  1253. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1254. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1255. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  1256. if (ctx->encrypt) {
  1257. /* Encrypt payload */
  1258. if (gctx->ctr) {
  1259. size_t bulk = 0;
  1260. # if defined(AES_GCM_ASM)
  1261. if (len >= 32 && AES_GCM_ASM(gctx)) {
  1262. if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
  1263. return -1;
  1264. bulk = AES_gcm_encrypt(in, out, len,
  1265. gctx->gcm.key,
  1266. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  1267. gctx->gcm.len.u[1] += bulk;
  1268. }
  1269. # endif
  1270. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
  1271. in + bulk,
  1272. out + bulk,
  1273. len - bulk, gctx->ctr))
  1274. goto err;
  1275. } else {
  1276. size_t bulk = 0;
  1277. # if defined(AES_GCM_ASM2)
  1278. if (len >= 32 && AES_GCM_ASM2(gctx)) {
  1279. if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
  1280. return -1;
  1281. bulk = AES_gcm_encrypt(in, out, len,
  1282. gctx->gcm.key,
  1283. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  1284. gctx->gcm.len.u[1] += bulk;
  1285. }
  1286. # endif
  1287. if (CRYPTO_gcm128_encrypt(&gctx->gcm,
  1288. in + bulk, out + bulk, len - bulk))
  1289. goto err;
  1290. }
  1291. out += len;
  1292. /* Finally write tag */
  1293. CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
  1294. rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  1295. } else {
  1296. /* Decrypt */
  1297. if (gctx->ctr) {
  1298. size_t bulk = 0;
  1299. # if defined(AES_GCM_ASM)
  1300. if (len >= 16 && AES_GCM_ASM(gctx)) {
  1301. if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
  1302. return -1;
  1303. bulk = AES_gcm_decrypt(in, out, len,
  1304. gctx->gcm.key,
  1305. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  1306. gctx->gcm.len.u[1] += bulk;
  1307. }
  1308. # endif
  1309. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
  1310. in + bulk,
  1311. out + bulk,
  1312. len - bulk, gctx->ctr))
  1313. goto err;
  1314. } else {
  1315. size_t bulk = 0;
  1316. # if defined(AES_GCM_ASM2)
  1317. if (len >= 16 && AES_GCM_ASM2(gctx)) {
  1318. if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
  1319. return -1;
  1320. bulk = AES_gcm_decrypt(in, out, len,
  1321. gctx->gcm.key,
  1322. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  1323. gctx->gcm.len.u[1] += bulk;
  1324. }
  1325. # endif
  1326. if (CRYPTO_gcm128_decrypt(&gctx->gcm,
  1327. in + bulk, out + bulk, len - bulk))
  1328. goto err;
  1329. }
  1330. /* Retrieve tag */
  1331. CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
  1332. /* If tag mismatch wipe buffer */
  1333. if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
  1334. OPENSSL_cleanse(out, len);
  1335. goto err;
  1336. }
  1337. rv = len;
  1338. }
  1339. err:
  1340. gctx->iv_set = 0;
  1341. gctx->tls_aad_len = -1;
  1342. return rv;
  1343. }
  1344. static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1345. const unsigned char *in, size_t len)
  1346. {
  1347. EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
  1348. /* If not set up, return error */
  1349. if (!gctx->key_set)
  1350. return -1;
  1351. if (gctx->tls_aad_len >= 0)
  1352. return aes_gcm_tls_cipher(ctx, out, in, len);
  1353. if (!gctx->iv_set)
  1354. return -1;
  1355. if (in) {
  1356. if (out == NULL) {
  1357. if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
  1358. return -1;
  1359. } else if (ctx->encrypt) {
  1360. if (gctx->ctr) {
  1361. size_t bulk = 0;
  1362. # if defined(AES_GCM_ASM)
  1363. if (len >= 32 && AES_GCM_ASM(gctx)) {
  1364. size_t res = (16 - gctx->gcm.mres) % 16;
  1365. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
  1366. return -1;
  1367. bulk = AES_gcm_encrypt(in + res,
  1368. out + res, len - res,
  1369. gctx->gcm.key, gctx->gcm.Yi.c,
  1370. gctx->gcm.Xi.u);
  1371. gctx->gcm.len.u[1] += bulk;
  1372. bulk += res;
  1373. }
  1374. # endif
  1375. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
  1376. in + bulk,
  1377. out + bulk,
  1378. len - bulk, gctx->ctr))
  1379. return -1;
  1380. } else {
  1381. size_t bulk = 0;
  1382. # if defined(AES_GCM_ASM2)
  1383. if (len >= 32 && AES_GCM_ASM2(gctx)) {
  1384. size_t res = (16 - gctx->gcm.mres) % 16;
  1385. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
  1386. return -1;
  1387. bulk = AES_gcm_encrypt(in + res,
  1388. out + res, len - res,
  1389. gctx->gcm.key, gctx->gcm.Yi.c,
  1390. gctx->gcm.Xi.u);
  1391. gctx->gcm.len.u[1] += bulk;
  1392. bulk += res;
  1393. }
  1394. # endif
  1395. if (CRYPTO_gcm128_encrypt(&gctx->gcm,
  1396. in + bulk, out + bulk, len - bulk))
  1397. return -1;
  1398. }
  1399. } else {
  1400. if (gctx->ctr) {
  1401. size_t bulk = 0;
  1402. # if defined(AES_GCM_ASM)
  1403. if (len >= 16 && AES_GCM_ASM(gctx)) {
  1404. size_t res = (16 - gctx->gcm.mres) % 16;
  1405. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
  1406. return -1;
  1407. bulk = AES_gcm_decrypt(in + res,
  1408. out + res, len - res,
  1409. gctx->gcm.key,
  1410. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  1411. gctx->gcm.len.u[1] += bulk;
  1412. bulk += res;
  1413. }
  1414. # endif
  1415. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
  1416. in + bulk,
  1417. out + bulk,
  1418. len - bulk, gctx->ctr))
  1419. return -1;
  1420. } else {
  1421. size_t bulk = 0;
  1422. # if defined(AES_GCM_ASM2)
  1423. if (len >= 16 && AES_GCM_ASM2(gctx)) {
  1424. size_t res = (16 - gctx->gcm.mres) % 16;
  1425. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
  1426. return -1;
  1427. bulk = AES_gcm_decrypt(in + res,
  1428. out + res, len - res,
  1429. gctx->gcm.key,
  1430. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  1431. gctx->gcm.len.u[1] += bulk;
  1432. bulk += res;
  1433. }
  1434. # endif
  1435. if (CRYPTO_gcm128_decrypt(&gctx->gcm,
  1436. in + bulk, out + bulk, len - bulk))
  1437. return -1;
  1438. }
  1439. }
  1440. return len;
  1441. } else {
  1442. if (!ctx->encrypt) {
  1443. if (gctx->taglen < 0)
  1444. return -1;
  1445. if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0)
  1446. return -1;
  1447. gctx->iv_set = 0;
  1448. return 0;
  1449. }
  1450. CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
  1451. gctx->taglen = 16;
  1452. /* Don't reuse the IV */
  1453. gctx->iv_set = 0;
  1454. return 0;
  1455. }
  1456. }
  1457. # define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
  1458. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  1459. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
  1460. | EVP_CIPH_CUSTOM_COPY)
  1461. BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
  1462. EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
  1463. CUSTOM_FLAGS)
  1464. BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
  1465. EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
  1466. CUSTOM_FLAGS)
  1467. BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
  1468. EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
  1469. CUSTOM_FLAGS)
  1470. static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1471. {
  1472. EVP_AES_XTS_CTX *xctx = c->cipher_data;
  1473. if (type == EVP_CTRL_COPY) {
  1474. EVP_CIPHER_CTX *out = ptr;
  1475. EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
  1476. if (xctx->xts.key1) {
  1477. if (xctx->xts.key1 != &xctx->ks1)
  1478. return 0;
  1479. xctx_out->xts.key1 = &xctx_out->ks1;
  1480. }
  1481. if (xctx->xts.key2) {
  1482. if (xctx->xts.key2 != &xctx->ks2)
  1483. return 0;
  1484. xctx_out->xts.key2 = &xctx_out->ks2;
  1485. }
  1486. return 1;
  1487. } else if (type != EVP_CTRL_INIT)
  1488. return -1;
  1489. /* key1 and key2 are used as an indicator both key and IV are set */
  1490. xctx->xts.key1 = NULL;
  1491. xctx->xts.key2 = NULL;
  1492. return 1;
  1493. }
  1494. static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  1495. const unsigned char *iv, int enc)
  1496. {
  1497. EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
  1498. if (!iv && !key)
  1499. return 1;
  1500. if (key)
  1501. do {
  1502. # ifdef AES_XTS_ASM
  1503. xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
  1504. # else
  1505. xctx->stream = NULL;
  1506. # endif
  1507. /* key_len is two AES keys */
  1508. # ifdef HWAES_CAPABLE
  1509. if (HWAES_CAPABLE) {
  1510. if (enc) {
  1511. HWAES_set_encrypt_key(key, ctx->key_len * 4,
  1512. &xctx->ks1.ks);
  1513. xctx->xts.block1 = (block128_f) HWAES_encrypt;
  1514. } else {
  1515. HWAES_set_decrypt_key(key, ctx->key_len * 4,
  1516. &xctx->ks1.ks);
  1517. xctx->xts.block1 = (block128_f) HWAES_decrypt;
  1518. }
  1519. HWAES_set_encrypt_key(key + ctx->key_len / 2,
  1520. ctx->key_len * 4, &xctx->ks2.ks);
  1521. xctx->xts.block2 = (block128_f) HWAES_encrypt;
  1522. xctx->xts.key1 = &xctx->ks1;
  1523. break;
  1524. } else
  1525. # endif
  1526. # ifdef BSAES_CAPABLE
  1527. if (BSAES_CAPABLE)
  1528. xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
  1529. else
  1530. # endif
  1531. # ifdef VPAES_CAPABLE
  1532. if (VPAES_CAPABLE) {
  1533. if (enc) {
  1534. vpaes_set_encrypt_key(key, ctx->key_len * 4,
  1535. &xctx->ks1.ks);
  1536. xctx->xts.block1 = (block128_f) vpaes_encrypt;
  1537. } else {
  1538. vpaes_set_decrypt_key(key, ctx->key_len * 4,
  1539. &xctx->ks1.ks);
  1540. xctx->xts.block1 = (block128_f) vpaes_decrypt;
  1541. }
  1542. vpaes_set_encrypt_key(key + ctx->key_len / 2,
  1543. ctx->key_len * 4, &xctx->ks2.ks);
  1544. xctx->xts.block2 = (block128_f) vpaes_encrypt;
  1545. xctx->xts.key1 = &xctx->ks1;
  1546. break;
  1547. } else
  1548. # endif
  1549. (void)0; /* terminate potentially open 'else' */
  1550. if (enc) {
  1551. AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
  1552. xctx->xts.block1 = (block128_f) AES_encrypt;
  1553. } else {
  1554. AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
  1555. xctx->xts.block1 = (block128_f) AES_decrypt;
  1556. }
  1557. AES_set_encrypt_key(key + ctx->key_len / 2,
  1558. ctx->key_len * 4, &xctx->ks2.ks);
  1559. xctx->xts.block2 = (block128_f) AES_encrypt;
  1560. xctx->xts.key1 = &xctx->ks1;
  1561. } while (0);
  1562. if (iv) {
  1563. xctx->xts.key2 = &xctx->ks2;
  1564. memcpy(ctx->iv, iv, 16);
  1565. }
  1566. return 1;
  1567. }
  1568. static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1569. const unsigned char *in, size_t len)
  1570. {
  1571. EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
  1572. if (!xctx->xts.key1 || !xctx->xts.key2)
  1573. return 0;
  1574. if (!out || !in || len < AES_BLOCK_SIZE)
  1575. return 0;
  1576. if (xctx->stream)
  1577. (*xctx->stream) (in, out, len,
  1578. xctx->xts.key1, xctx->xts.key2, ctx->iv);
  1579. else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
  1580. ctx->encrypt))
  1581. return 0;
  1582. return 1;
  1583. }
  1584. # define aes_xts_cleanup NULL
  1585. # define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
  1586. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
  1587. | EVP_CIPH_CUSTOM_COPY)
  1588. BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS,
  1589. EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
  1590. BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS,
  1591. EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
  1592. static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1593. {
  1594. EVP_AES_CCM_CTX *cctx = c->cipher_data;
  1595. switch (type) {
  1596. case EVP_CTRL_INIT:
  1597. cctx->key_set = 0;
  1598. cctx->iv_set = 0;
  1599. cctx->L = 8;
  1600. cctx->M = 12;
  1601. cctx->tag_set = 0;
  1602. cctx->len_set = 0;
  1603. return 1;
  1604. case EVP_CTRL_CCM_SET_IVLEN:
  1605. arg = 15 - arg;
  1606. case EVP_CTRL_CCM_SET_L:
  1607. if (arg < 2 || arg > 8)
  1608. return 0;
  1609. cctx->L = arg;
  1610. return 1;
  1611. case EVP_CTRL_CCM_SET_TAG:
  1612. if ((arg & 1) || arg < 4 || arg > 16)
  1613. return 0;
  1614. if (c->encrypt && ptr)
  1615. return 0;
  1616. if (ptr) {
  1617. cctx->tag_set = 1;
  1618. memcpy(c->buf, ptr, arg);
  1619. }
  1620. cctx->M = arg;
  1621. return 1;
  1622. case EVP_CTRL_CCM_GET_TAG:
  1623. if (!c->encrypt || !cctx->tag_set)
  1624. return 0;
  1625. if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
  1626. return 0;
  1627. cctx->tag_set = 0;
  1628. cctx->iv_set = 0;
  1629. cctx->len_set = 0;
  1630. return 1;
  1631. case EVP_CTRL_COPY:
  1632. {
  1633. EVP_CIPHER_CTX *out = ptr;
  1634. EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
  1635. if (cctx->ccm.key) {
  1636. if (cctx->ccm.key != &cctx->ks)
  1637. return 0;
  1638. cctx_out->ccm.key = &cctx_out->ks;
  1639. }
  1640. return 1;
  1641. }
  1642. default:
  1643. return -1;
  1644. }
  1645. }
  1646. static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  1647. const unsigned char *iv, int enc)
  1648. {
  1649. EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
  1650. if (!iv && !key)
  1651. return 1;
  1652. if (key)
  1653. do {
  1654. # ifdef HWAES_CAPABLE
  1655. if (HWAES_CAPABLE) {
  1656. HWAES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
  1657. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  1658. &cctx->ks, (block128_f) HWAES_encrypt);
  1659. cctx->str = NULL;
  1660. cctx->key_set = 1;
  1661. break;
  1662. } else
  1663. # endif
  1664. # ifdef VPAES_CAPABLE
  1665. if (VPAES_CAPABLE) {
  1666. vpaes_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
  1667. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  1668. &cctx->ks, (block128_f) vpaes_encrypt);
  1669. cctx->str = NULL;
  1670. cctx->key_set = 1;
  1671. break;
  1672. }
  1673. # endif
  1674. AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
  1675. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  1676. &cctx->ks, (block128_f) AES_encrypt);
  1677. cctx->str = NULL;
  1678. cctx->key_set = 1;
  1679. } while (0);
  1680. if (iv) {
  1681. memcpy(ctx->iv, iv, 15 - cctx->L);
  1682. cctx->iv_set = 1;
  1683. }
  1684. return 1;
  1685. }
  1686. static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1687. const unsigned char *in, size_t len)
  1688. {
  1689. EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
  1690. CCM128_CONTEXT *ccm = &cctx->ccm;
  1691. /* If not set up, return error */
  1692. if (!cctx->iv_set && !cctx->key_set)
  1693. return -1;
  1694. if (!ctx->encrypt && !cctx->tag_set)
  1695. return -1;
  1696. if (!out) {
  1697. if (!in) {
  1698. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
  1699. return -1;
  1700. cctx->len_set = 1;
  1701. return len;
  1702. }
  1703. /* If have AAD need message length */
  1704. if (!cctx->len_set && len)
  1705. return -1;
  1706. CRYPTO_ccm128_aad(ccm, in, len);
  1707. return len;
  1708. }
  1709. /* EVP_*Final() doesn't return any data */
  1710. if (!in)
  1711. return 0;
  1712. /* If not set length yet do it */
  1713. if (!cctx->len_set) {
  1714. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
  1715. return -1;
  1716. cctx->len_set = 1;
  1717. }
  1718. if (ctx->encrypt) {
  1719. if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
  1720. cctx->str) :
  1721. CRYPTO_ccm128_encrypt(ccm, in, out, len))
  1722. return -1;
  1723. cctx->tag_set = 1;
  1724. return len;
  1725. } else {
  1726. int rv = -1;
  1727. if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
  1728. cctx->str) :
  1729. !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
  1730. unsigned char tag[16];
  1731. if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
  1732. if (!CRYPTO_memcmp(tag, ctx->buf, cctx->M))
  1733. rv = len;
  1734. }
  1735. }
  1736. if (rv == -1)
  1737. OPENSSL_cleanse(out, len);
  1738. cctx->iv_set = 0;
  1739. cctx->tag_set = 0;
  1740. cctx->len_set = 0;
  1741. return rv;
  1742. }
  1743. }
  1744. # define aes_ccm_cleanup NULL
  1745. BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
  1746. EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
  1747. BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
  1748. EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
  1749. BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
  1750. EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
  1751. #endif
  1752. typedef struct {
  1753. union {
  1754. double align;
  1755. AES_KEY ks;
  1756. } ks;
  1757. /* Indicates if IV has been set */
  1758. unsigned char *iv;
  1759. } EVP_AES_WRAP_CTX;
  1760. static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  1761. const unsigned char *iv, int enc)
  1762. {
  1763. EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
  1764. if (!iv && !key)
  1765. return 1;
  1766. if (key) {
  1767. if (ctx->encrypt)
  1768. AES_set_encrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
  1769. else
  1770. AES_set_decrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
  1771. if (!iv)
  1772. wctx->iv = NULL;
  1773. }
  1774. if (iv) {
  1775. memcpy(ctx->iv, iv, 8);
  1776. wctx->iv = ctx->iv;
  1777. }
  1778. return 1;
  1779. }
  1780. static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1781. const unsigned char *in, size_t inlen)
  1782. {
  1783. EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
  1784. size_t rv;
  1785. if (!in)
  1786. return 0;
  1787. if (inlen % 8)
  1788. return -1;
  1789. if (ctx->encrypt && inlen < 8)
  1790. return -1;
  1791. if (!ctx->encrypt && inlen < 16)
  1792. return -1;
  1793. if (!out) {
  1794. if (ctx->encrypt)
  1795. return inlen + 8;
  1796. else
  1797. return inlen - 8;
  1798. }
  1799. if (ctx->encrypt)
  1800. rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
  1801. (block128_f) AES_encrypt);
  1802. else
  1803. rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
  1804. (block128_f) AES_decrypt);
  1805. return rv ? (int)rv : -1;
  1806. }
  1807. #define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
  1808. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  1809. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
  1810. static const EVP_CIPHER aes_128_wrap = {
  1811. NID_id_aes128_wrap,
  1812. 8, 16, 8, WRAP_FLAGS,
  1813. aes_wrap_init_key, aes_wrap_cipher,
  1814. NULL,
  1815. sizeof(EVP_AES_WRAP_CTX),
  1816. NULL, NULL, NULL, NULL
  1817. };
  1818. const EVP_CIPHER *EVP_aes_128_wrap(void)
  1819. {
  1820. return &aes_128_wrap;
  1821. }
  1822. static const EVP_CIPHER aes_192_wrap = {
  1823. NID_id_aes192_wrap,
  1824. 8, 24, 8, WRAP_FLAGS,
  1825. aes_wrap_init_key, aes_wrap_cipher,
  1826. NULL,
  1827. sizeof(EVP_AES_WRAP_CTX),
  1828. NULL, NULL, NULL, NULL
  1829. };
  1830. const EVP_CIPHER *EVP_aes_192_wrap(void)
  1831. {
  1832. return &aes_192_wrap;
  1833. }
  1834. static const EVP_CIPHER aes_256_wrap = {
  1835. NID_id_aes256_wrap,
  1836. 8, 32, 8, WRAP_FLAGS,
  1837. aes_wrap_init_key, aes_wrap_cipher,
  1838. NULL,
  1839. sizeof(EVP_AES_WRAP_CTX),
  1840. NULL, NULL, NULL, NULL
  1841. };
  1842. const EVP_CIPHER *EVP_aes_256_wrap(void)
  1843. {
  1844. return &aes_256_wrap;
  1845. }