e_aes.c 129 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004
  1. /*
  2. * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * This file uses the low level AES functions (which are deprecated for
  11. * non-internal use) in order to implement the EVP AES ciphers.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <string.h>
  15. #include <assert.h>
  16. #include <openssl/opensslconf.h>
  17. #include <openssl/crypto.h>
  18. #include <openssl/evp.h>
  19. #include <openssl/err.h>
  20. #include <openssl/aes.h>
  21. #include <openssl/rand.h>
  22. #include <openssl/cmac.h>
  23. #include "crypto/evp.h"
  24. #include "internal/cryptlib.h"
  25. #include "crypto/modes.h"
  26. #include "crypto/siv.h"
  27. #include "crypto/aes_platform.h"
  28. #include "evp_local.h"
  29. typedef struct {
  30. union {
  31. OSSL_UNION_ALIGN;
  32. AES_KEY ks;
  33. } ks;
  34. block128_f block;
  35. union {
  36. cbc128_f cbc;
  37. ctr128_f ctr;
  38. } stream;
  39. } EVP_AES_KEY;
  40. typedef struct {
  41. union {
  42. OSSL_UNION_ALIGN;
  43. AES_KEY ks;
  44. } ks; /* AES key schedule to use */
  45. int key_set; /* Set if key initialised */
  46. int iv_set; /* Set if an iv is set */
  47. GCM128_CONTEXT gcm;
  48. unsigned char *iv; /* Temporary IV store */
  49. int ivlen; /* IV length */
  50. int taglen;
  51. int iv_gen; /* It is OK to generate IVs */
  52. int iv_gen_rand; /* No IV was specified, so generate a rand IV */
  53. int tls_aad_len; /* TLS AAD length */
  54. uint64_t tls_enc_records; /* Number of TLS records encrypted */
  55. ctr128_f ctr;
  56. } EVP_AES_GCM_CTX;
  57. typedef struct {
  58. union {
  59. OSSL_UNION_ALIGN;
  60. AES_KEY ks;
  61. } ks1, ks2; /* AES key schedules to use */
  62. XTS128_CONTEXT xts;
  63. void (*stream) (const unsigned char *in,
  64. unsigned char *out, size_t length,
  65. const AES_KEY *key1, const AES_KEY *key2,
  66. const unsigned char iv[16]);
  67. } EVP_AES_XTS_CTX;
  68. #ifdef FIPS_MODULE
  69. static const int allow_insecure_decrypt = 0;
  70. #else
  71. static const int allow_insecure_decrypt = 1;
  72. #endif
  73. typedef struct {
  74. union {
  75. OSSL_UNION_ALIGN;
  76. AES_KEY ks;
  77. } ks; /* AES key schedule to use */
  78. int key_set; /* Set if key initialised */
  79. int iv_set; /* Set if an iv is set */
  80. int tag_set; /* Set if tag is valid */
  81. int len_set; /* Set if message length set */
  82. int L, M; /* L and M parameters from RFC3610 */
  83. int tls_aad_len; /* TLS AAD length */
  84. CCM128_CONTEXT ccm;
  85. ccm128_f str;
  86. } EVP_AES_CCM_CTX;
  87. #ifndef OPENSSL_NO_OCB
  88. typedef struct {
  89. union {
  90. OSSL_UNION_ALIGN;
  91. AES_KEY ks;
  92. } ksenc; /* AES key schedule to use for encryption */
  93. union {
  94. OSSL_UNION_ALIGN;
  95. AES_KEY ks;
  96. } ksdec; /* AES key schedule to use for decryption */
  97. int key_set; /* Set if key initialised */
  98. int iv_set; /* Set if an iv is set */
  99. OCB128_CONTEXT ocb;
  100. unsigned char *iv; /* Temporary IV store */
  101. unsigned char tag[16];
  102. unsigned char data_buf[16]; /* Store partial data blocks */
  103. unsigned char aad_buf[16]; /* Store partial AAD blocks */
  104. int data_buf_len;
  105. int aad_buf_len;
  106. int ivlen; /* IV length */
  107. int taglen;
  108. } EVP_AES_OCB_CTX;
  109. #endif
  110. #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
  111. /* increment counter (64-bit int) by 1 */
  112. static void ctr64_inc(unsigned char *counter)
  113. {
  114. int n = 8;
  115. unsigned char c;
  116. do {
  117. --n;
  118. c = counter[n];
  119. ++c;
  120. counter[n] = c;
  121. if (c)
  122. return;
  123. } while (n);
  124. }
  125. #if defined(AESNI_CAPABLE)
  126. # if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
  127. # define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
  128. gctx->gcm.ghash==gcm_ghash_avx)
  129. # undef AES_GCM_ASM2 /* minor size optimization */
  130. # endif
  131. static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  132. const unsigned char *iv, int enc)
  133. {
  134. int ret, mode;
  135. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  136. mode = EVP_CIPHER_CTX_mode(ctx);
  137. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  138. && !enc) {
  139. ret = aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  140. &dat->ks.ks);
  141. dat->block = (block128_f) aesni_decrypt;
  142. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  143. (cbc128_f) aesni_cbc_encrypt : NULL;
  144. } else {
  145. ret = aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  146. &dat->ks.ks);
  147. dat->block = (block128_f) aesni_encrypt;
  148. if (mode == EVP_CIPH_CBC_MODE)
  149. dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
  150. else if (mode == EVP_CIPH_CTR_MODE)
  151. dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
  152. else
  153. dat->stream.cbc = NULL;
  154. }
  155. if (ret < 0) {
  156. ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
  157. return 0;
  158. }
  159. return 1;
  160. }
  161. static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  162. const unsigned char *in, size_t len)
  163. {
  164. aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
  165. ctx->iv, EVP_CIPHER_CTX_encrypting(ctx));
  166. return 1;
  167. }
  168. static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  169. const unsigned char *in, size_t len)
  170. {
  171. size_t bl = EVP_CIPHER_CTX_block_size(ctx);
  172. if (len < bl)
  173. return 1;
  174. aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
  175. EVP_CIPHER_CTX_encrypting(ctx));
  176. return 1;
  177. }
  178. # define aesni_ofb_cipher aes_ofb_cipher
  179. static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  180. const unsigned char *in, size_t len);
  181. # define aesni_cfb_cipher aes_cfb_cipher
  182. static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  183. const unsigned char *in, size_t len);
  184. # define aesni_cfb8_cipher aes_cfb8_cipher
  185. static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  186. const unsigned char *in, size_t len);
  187. # define aesni_cfb1_cipher aes_cfb1_cipher
  188. static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  189. const unsigned char *in, size_t len);
  190. # define aesni_ctr_cipher aes_ctr_cipher
  191. static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  192. const unsigned char *in, size_t len);
  193. static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  194. const unsigned char *iv, int enc)
  195. {
  196. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  197. if (!iv && !key)
  198. return 1;
  199. if (key) {
  200. aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  201. &gctx->ks.ks);
  202. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
  203. gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
  204. /*
  205. * If we have an iv can set it directly, otherwise use saved IV.
  206. */
  207. if (iv == NULL && gctx->iv_set)
  208. iv = gctx->iv;
  209. if (iv) {
  210. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  211. gctx->iv_set = 1;
  212. }
  213. gctx->key_set = 1;
  214. } else {
  215. /* If key set use IV, otherwise copy */
  216. if (gctx->key_set)
  217. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  218. else
  219. memcpy(gctx->iv, iv, gctx->ivlen);
  220. gctx->iv_set = 1;
  221. gctx->iv_gen = 0;
  222. }
  223. return 1;
  224. }
  225. # define aesni_gcm_cipher aes_gcm_cipher
  226. static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  227. const unsigned char *in, size_t len);
  228. static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  229. const unsigned char *iv, int enc)
  230. {
  231. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  232. if (!iv && !key)
  233. return 1;
  234. if (key) {
  235. /* The key is two half length keys in reality */
  236. const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
  237. const int bits = bytes * 8;
  238. /*
  239. * Verify that the two keys are different.
  240. *
  241. * This addresses Rogaway's vulnerability.
  242. * See comment in aes_xts_init_key() below.
  243. */
  244. if ((!allow_insecure_decrypt || enc)
  245. && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
  246. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
  247. return 0;
  248. }
  249. /* key_len is two AES keys */
  250. if (enc) {
  251. aesni_set_encrypt_key(key, bits, &xctx->ks1.ks);
  252. xctx->xts.block1 = (block128_f) aesni_encrypt;
  253. xctx->stream = aesni_xts_encrypt;
  254. } else {
  255. aesni_set_decrypt_key(key, bits, &xctx->ks1.ks);
  256. xctx->xts.block1 = (block128_f) aesni_decrypt;
  257. xctx->stream = aesni_xts_decrypt;
  258. }
  259. aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  260. xctx->xts.block2 = (block128_f) aesni_encrypt;
  261. xctx->xts.key1 = &xctx->ks1;
  262. }
  263. if (iv) {
  264. xctx->xts.key2 = &xctx->ks2;
  265. memcpy(ctx->iv, iv, 16);
  266. }
  267. return 1;
  268. }
  269. # define aesni_xts_cipher aes_xts_cipher
  270. static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  271. const unsigned char *in, size_t len);
  272. static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  273. const unsigned char *iv, int enc)
  274. {
  275. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  276. if (!iv && !key)
  277. return 1;
  278. if (key) {
  279. aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  280. &cctx->ks.ks);
  281. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  282. &cctx->ks, (block128_f) aesni_encrypt);
  283. cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
  284. (ccm128_f) aesni_ccm64_decrypt_blocks;
  285. cctx->key_set = 1;
  286. }
  287. if (iv) {
  288. memcpy(ctx->iv, iv, 15 - cctx->L);
  289. cctx->iv_set = 1;
  290. }
  291. return 1;
  292. }
  293. # define aesni_ccm_cipher aes_ccm_cipher
  294. static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  295. const unsigned char *in, size_t len);
  296. # ifndef OPENSSL_NO_OCB
  297. static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  298. const unsigned char *iv, int enc)
  299. {
  300. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  301. if (!iv && !key)
  302. return 1;
  303. if (key) {
  304. do {
  305. /*
  306. * We set both the encrypt and decrypt key here because decrypt
  307. * needs both. We could possibly optimise to remove setting the
  308. * decrypt for an encryption operation.
  309. */
  310. aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  311. &octx->ksenc.ks);
  312. aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  313. &octx->ksdec.ks);
  314. if (!CRYPTO_ocb128_init(&octx->ocb,
  315. &octx->ksenc.ks, &octx->ksdec.ks,
  316. (block128_f) aesni_encrypt,
  317. (block128_f) aesni_decrypt,
  318. enc ? aesni_ocb_encrypt
  319. : aesni_ocb_decrypt))
  320. return 0;
  321. }
  322. while (0);
  323. /*
  324. * If we have an iv we can set it directly, otherwise use saved IV.
  325. */
  326. if (iv == NULL && octx->iv_set)
  327. iv = octx->iv;
  328. if (iv) {
  329. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  330. != 1)
  331. return 0;
  332. octx->iv_set = 1;
  333. }
  334. octx->key_set = 1;
  335. } else {
  336. /* If key set use IV, otherwise copy */
  337. if (octx->key_set)
  338. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  339. else
  340. memcpy(octx->iv, iv, octx->ivlen);
  341. octx->iv_set = 1;
  342. }
  343. return 1;
  344. }
  345. # define aesni_ocb_cipher aes_ocb_cipher
  346. static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  347. const unsigned char *in, size_t len);
  348. # endif /* OPENSSL_NO_OCB */
  349. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  350. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  351. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  352. flags|EVP_CIPH_##MODE##_MODE, \
  353. aesni_init_key, \
  354. aesni_##mode##_cipher, \
  355. NULL, \
  356. sizeof(EVP_AES_KEY), \
  357. NULL,NULL,NULL,NULL }; \
  358. static const EVP_CIPHER aes_##keylen##_##mode = { \
  359. nid##_##keylen##_##nmode,blocksize, \
  360. keylen/8,ivlen, \
  361. flags|EVP_CIPH_##MODE##_MODE, \
  362. aes_init_key, \
  363. aes_##mode##_cipher, \
  364. NULL, \
  365. sizeof(EVP_AES_KEY), \
  366. NULL,NULL,NULL,NULL }; \
  367. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  368. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  369. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  370. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  371. nid##_##keylen##_##mode,blocksize, \
  372. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  373. ivlen, \
  374. flags|EVP_CIPH_##MODE##_MODE, \
  375. aesni_##mode##_init_key, \
  376. aesni_##mode##_cipher, \
  377. aes_##mode##_cleanup, \
  378. sizeof(EVP_AES_##MODE##_CTX), \
  379. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  380. static const EVP_CIPHER aes_##keylen##_##mode = { \
  381. nid##_##keylen##_##mode,blocksize, \
  382. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  383. ivlen, \
  384. flags|EVP_CIPH_##MODE##_MODE, \
  385. aes_##mode##_init_key, \
  386. aes_##mode##_cipher, \
  387. aes_##mode##_cleanup, \
  388. sizeof(EVP_AES_##MODE##_CTX), \
  389. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  390. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  391. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  392. #elif defined(SPARC_AES_CAPABLE)
  393. static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  394. const unsigned char *iv, int enc)
  395. {
  396. int ret, mode, bits;
  397. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  398. mode = EVP_CIPHER_CTX_mode(ctx);
  399. bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
  400. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  401. && !enc) {
  402. ret = 0;
  403. aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
  404. dat->block = (block128_f) aes_t4_decrypt;
  405. switch (bits) {
  406. case 128:
  407. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  408. (cbc128_f) aes128_t4_cbc_decrypt : NULL;
  409. break;
  410. case 192:
  411. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  412. (cbc128_f) aes192_t4_cbc_decrypt : NULL;
  413. break;
  414. case 256:
  415. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  416. (cbc128_f) aes256_t4_cbc_decrypt : NULL;
  417. break;
  418. default:
  419. ret = -1;
  420. }
  421. } else {
  422. ret = 0;
  423. aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
  424. dat->block = (block128_f) aes_t4_encrypt;
  425. switch (bits) {
  426. case 128:
  427. if (mode == EVP_CIPH_CBC_MODE)
  428. dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
  429. else if (mode == EVP_CIPH_CTR_MODE)
  430. dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
  431. else
  432. dat->stream.cbc = NULL;
  433. break;
  434. case 192:
  435. if (mode == EVP_CIPH_CBC_MODE)
  436. dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
  437. else if (mode == EVP_CIPH_CTR_MODE)
  438. dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
  439. else
  440. dat->stream.cbc = NULL;
  441. break;
  442. case 256:
  443. if (mode == EVP_CIPH_CBC_MODE)
  444. dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
  445. else if (mode == EVP_CIPH_CTR_MODE)
  446. dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
  447. else
  448. dat->stream.cbc = NULL;
  449. break;
  450. default:
  451. ret = -1;
  452. }
  453. }
  454. if (ret < 0) {
  455. ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
  456. return 0;
  457. }
  458. return 1;
  459. }
  460. # define aes_t4_cbc_cipher aes_cbc_cipher
  461. static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  462. const unsigned char *in, size_t len);
  463. # define aes_t4_ecb_cipher aes_ecb_cipher
  464. static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  465. const unsigned char *in, size_t len);
  466. # define aes_t4_ofb_cipher aes_ofb_cipher
  467. static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  468. const unsigned char *in, size_t len);
  469. # define aes_t4_cfb_cipher aes_cfb_cipher
  470. static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  471. const unsigned char *in, size_t len);
  472. # define aes_t4_cfb8_cipher aes_cfb8_cipher
  473. static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  474. const unsigned char *in, size_t len);
  475. # define aes_t4_cfb1_cipher aes_cfb1_cipher
  476. static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  477. const unsigned char *in, size_t len);
  478. # define aes_t4_ctr_cipher aes_ctr_cipher
  479. static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  480. const unsigned char *in, size_t len);
  481. static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  482. const unsigned char *iv, int enc)
  483. {
  484. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  485. if (!iv && !key)
  486. return 1;
  487. if (key) {
  488. int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
  489. aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
  490. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  491. (block128_f) aes_t4_encrypt);
  492. switch (bits) {
  493. case 128:
  494. gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
  495. break;
  496. case 192:
  497. gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
  498. break;
  499. case 256:
  500. gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
  501. break;
  502. default:
  503. return 0;
  504. }
  505. /*
  506. * If we have an iv can set it directly, otherwise use saved IV.
  507. */
  508. if (iv == NULL && gctx->iv_set)
  509. iv = gctx->iv;
  510. if (iv) {
  511. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  512. gctx->iv_set = 1;
  513. }
  514. gctx->key_set = 1;
  515. } else {
  516. /* If key set use IV, otherwise copy */
  517. if (gctx->key_set)
  518. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  519. else
  520. memcpy(gctx->iv, iv, gctx->ivlen);
  521. gctx->iv_set = 1;
  522. gctx->iv_gen = 0;
  523. }
  524. return 1;
  525. }
  526. # define aes_t4_gcm_cipher aes_gcm_cipher
  527. static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  528. const unsigned char *in, size_t len);
  529. static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  530. const unsigned char *iv, int enc)
  531. {
  532. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  533. if (!iv && !key)
  534. return 1;
  535. if (key) {
  536. /* The key is two half length keys in reality */
  537. const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
  538. const int bits = bytes * 8;
  539. /*
  540. * Verify that the two keys are different.
  541. *
  542. * This addresses Rogaway's vulnerability.
  543. * See comment in aes_xts_init_key() below.
  544. */
  545. if ((!allow_insecure_decrypt || enc)
  546. && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
  547. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
  548. return 0;
  549. }
  550. xctx->stream = NULL;
  551. /* key_len is two AES keys */
  552. if (enc) {
  553. aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
  554. xctx->xts.block1 = (block128_f) aes_t4_encrypt;
  555. switch (bits) {
  556. case 128:
  557. xctx->stream = aes128_t4_xts_encrypt;
  558. break;
  559. case 256:
  560. xctx->stream = aes256_t4_xts_encrypt;
  561. break;
  562. default:
  563. return 0;
  564. }
  565. } else {
  566. aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks);
  567. xctx->xts.block1 = (block128_f) aes_t4_decrypt;
  568. switch (bits) {
  569. case 128:
  570. xctx->stream = aes128_t4_xts_decrypt;
  571. break;
  572. case 256:
  573. xctx->stream = aes256_t4_xts_decrypt;
  574. break;
  575. default:
  576. return 0;
  577. }
  578. }
  579. aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  580. xctx->xts.block2 = (block128_f) aes_t4_encrypt;
  581. xctx->xts.key1 = &xctx->ks1;
  582. }
  583. if (iv) {
  584. xctx->xts.key2 = &xctx->ks2;
  585. memcpy(ctx->iv, iv, 16);
  586. }
  587. return 1;
  588. }
  589. # define aes_t4_xts_cipher aes_xts_cipher
  590. static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  591. const unsigned char *in, size_t len);
  592. static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  593. const unsigned char *iv, int enc)
  594. {
  595. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  596. if (!iv && !key)
  597. return 1;
  598. if (key) {
  599. int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
  600. aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
  601. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  602. &cctx->ks, (block128_f) aes_t4_encrypt);
  603. cctx->str = NULL;
  604. cctx->key_set = 1;
  605. }
  606. if (iv) {
  607. memcpy(ctx->iv, iv, 15 - cctx->L);
  608. cctx->iv_set = 1;
  609. }
  610. return 1;
  611. }
  612. # define aes_t4_ccm_cipher aes_ccm_cipher
  613. static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  614. const unsigned char *in, size_t len);
  615. # ifndef OPENSSL_NO_OCB
  616. static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  617. const unsigned char *iv, int enc)
  618. {
  619. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  620. if (!iv && !key)
  621. return 1;
  622. if (key) {
  623. do {
  624. /*
  625. * We set both the encrypt and decrypt key here because decrypt
  626. * needs both. We could possibly optimise to remove setting the
  627. * decrypt for an encryption operation.
  628. */
  629. aes_t4_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  630. &octx->ksenc.ks);
  631. aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  632. &octx->ksdec.ks);
  633. if (!CRYPTO_ocb128_init(&octx->ocb,
  634. &octx->ksenc.ks, &octx->ksdec.ks,
  635. (block128_f) aes_t4_encrypt,
  636. (block128_f) aes_t4_decrypt,
  637. NULL))
  638. return 0;
  639. }
  640. while (0);
  641. /*
  642. * If we have an iv we can set it directly, otherwise use saved IV.
  643. */
  644. if (iv == NULL && octx->iv_set)
  645. iv = octx->iv;
  646. if (iv) {
  647. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  648. != 1)
  649. return 0;
  650. octx->iv_set = 1;
  651. }
  652. octx->key_set = 1;
  653. } else {
  654. /* If key set use IV, otherwise copy */
  655. if (octx->key_set)
  656. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  657. else
  658. memcpy(octx->iv, iv, octx->ivlen);
  659. octx->iv_set = 1;
  660. }
  661. return 1;
  662. }
  663. # define aes_t4_ocb_cipher aes_ocb_cipher
  664. static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  665. const unsigned char *in, size_t len);
  666. # endif /* OPENSSL_NO_OCB */
  667. # ifndef OPENSSL_NO_SIV
  668. # define aes_t4_siv_init_key aes_siv_init_key
  669. # define aes_t4_siv_cipher aes_siv_cipher
  670. # endif /* OPENSSL_NO_SIV */
  671. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  672. static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
  673. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  674. flags|EVP_CIPH_##MODE##_MODE, \
  675. aes_t4_init_key, \
  676. aes_t4_##mode##_cipher, \
  677. NULL, \
  678. sizeof(EVP_AES_KEY), \
  679. NULL,NULL,NULL,NULL }; \
  680. static const EVP_CIPHER aes_##keylen##_##mode = { \
  681. nid##_##keylen##_##nmode,blocksize, \
  682. keylen/8,ivlen, \
  683. flags|EVP_CIPH_##MODE##_MODE, \
  684. aes_init_key, \
  685. aes_##mode##_cipher, \
  686. NULL, \
  687. sizeof(EVP_AES_KEY), \
  688. NULL,NULL,NULL,NULL }; \
  689. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  690. { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
  691. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  692. static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
  693. nid##_##keylen##_##mode,blocksize, \
  694. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  695. ivlen, \
  696. flags|EVP_CIPH_##MODE##_MODE, \
  697. aes_t4_##mode##_init_key, \
  698. aes_t4_##mode##_cipher, \
  699. aes_##mode##_cleanup, \
  700. sizeof(EVP_AES_##MODE##_CTX), \
  701. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  702. static const EVP_CIPHER aes_##keylen##_##mode = { \
  703. nid##_##keylen##_##mode,blocksize, \
  704. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  705. ivlen, \
  706. flags|EVP_CIPH_##MODE##_MODE, \
  707. aes_##mode##_init_key, \
  708. aes_##mode##_cipher, \
  709. aes_##mode##_cleanup, \
  710. sizeof(EVP_AES_##MODE##_CTX), \
  711. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  712. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  713. { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
  714. #elif defined(S390X_aes_128_CAPABLE)
  715. /* IBM S390X support */
  716. typedef struct {
  717. union {
  718. OSSL_UNION_ALIGN;
  719. /*-
  720. * KM-AES parameter block - begin
  721. * (see z/Architecture Principles of Operation >= SA22-7832-06)
  722. */
  723. struct {
  724. unsigned char k[32];
  725. } param;
  726. /* KM-AES parameter block - end */
  727. } km;
  728. unsigned int fc;
  729. } S390X_AES_ECB_CTX;
  730. typedef struct {
  731. union {
  732. OSSL_UNION_ALIGN;
  733. /*-
  734. * KMO-AES parameter block - begin
  735. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  736. */
  737. struct {
  738. unsigned char cv[16];
  739. unsigned char k[32];
  740. } param;
  741. /* KMO-AES parameter block - end */
  742. } kmo;
  743. unsigned int fc;
  744. int res;
  745. } S390X_AES_OFB_CTX;
  746. typedef struct {
  747. union {
  748. OSSL_UNION_ALIGN;
  749. /*-
  750. * KMF-AES parameter block - begin
  751. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  752. */
  753. struct {
  754. unsigned char cv[16];
  755. unsigned char k[32];
  756. } param;
  757. /* KMF-AES parameter block - end */
  758. } kmf;
  759. unsigned int fc;
  760. int res;
  761. } S390X_AES_CFB_CTX;
  762. typedef struct {
  763. union {
  764. OSSL_UNION_ALIGN;
  765. /*-
  766. * KMA-GCM-AES parameter block - begin
  767. * (see z/Architecture Principles of Operation >= SA22-7832-11)
  768. */
  769. struct {
  770. unsigned char reserved[12];
  771. union {
  772. unsigned int w;
  773. unsigned char b[4];
  774. } cv;
  775. union {
  776. unsigned long long g[2];
  777. unsigned char b[16];
  778. } t;
  779. unsigned char h[16];
  780. unsigned long long taadl;
  781. unsigned long long tpcl;
  782. union {
  783. unsigned long long g[2];
  784. unsigned int w[4];
  785. } j0;
  786. unsigned char k[32];
  787. } param;
  788. /* KMA-GCM-AES parameter block - end */
  789. } kma;
  790. unsigned int fc;
  791. int key_set;
  792. unsigned char *iv;
  793. int ivlen;
  794. int iv_set;
  795. int iv_gen;
  796. int taglen;
  797. unsigned char ares[16];
  798. unsigned char mres[16];
  799. unsigned char kres[16];
  800. int areslen;
  801. int mreslen;
  802. int kreslen;
  803. int tls_aad_len;
  804. uint64_t tls_enc_records; /* Number of TLS records encrypted */
  805. } S390X_AES_GCM_CTX;
  806. typedef struct {
  807. union {
  808. OSSL_UNION_ALIGN;
  809. /*-
  810. * Padding is chosen so that ccm.kmac_param.k overlaps with key.k and
  811. * ccm.fc with key.k.rounds. Remember that on s390x, an AES_KEY's
  812. * rounds field is used to store the function code and that the key
  813. * schedule is not stored (if aes hardware support is detected).
  814. */
  815. struct {
  816. unsigned char pad[16];
  817. AES_KEY k;
  818. } key;
  819. struct {
  820. /*-
  821. * KMAC-AES parameter block - begin
  822. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  823. */
  824. struct {
  825. union {
  826. unsigned long long g[2];
  827. unsigned char b[16];
  828. } icv;
  829. unsigned char k[32];
  830. } kmac_param;
  831. /* KMAC-AES parameter block - end */
  832. union {
  833. unsigned long long g[2];
  834. unsigned char b[16];
  835. } nonce;
  836. union {
  837. unsigned long long g[2];
  838. unsigned char b[16];
  839. } buf;
  840. unsigned long long blocks;
  841. int l;
  842. int m;
  843. int tls_aad_len;
  844. int iv_set;
  845. int tag_set;
  846. int len_set;
  847. int key_set;
  848. unsigned char pad[140];
  849. unsigned int fc;
  850. } ccm;
  851. } aes;
  852. } S390X_AES_CCM_CTX;
  853. # define s390x_aes_init_key aes_init_key
  854. static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  855. const unsigned char *iv, int enc);
  856. # define S390X_AES_CBC_CTX EVP_AES_KEY
  857. # define s390x_aes_cbc_init_key aes_init_key
  858. # define s390x_aes_cbc_cipher aes_cbc_cipher
  859. static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  860. const unsigned char *in, size_t len);
  861. static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx,
  862. const unsigned char *key,
  863. const unsigned char *iv, int enc)
  864. {
  865. S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
  866. const int keylen = EVP_CIPHER_CTX_key_length(ctx);
  867. cctx->fc = S390X_AES_FC(keylen);
  868. if (!enc)
  869. cctx->fc |= S390X_DECRYPT;
  870. memcpy(cctx->km.param.k, key, keylen);
  871. return 1;
  872. }
  873. static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  874. const unsigned char *in, size_t len)
  875. {
  876. S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
  877. s390x_km(in, len, out, cctx->fc, &cctx->km.param);
  878. return 1;
  879. }
  880. static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx,
  881. const unsigned char *key,
  882. const unsigned char *ivec, int enc)
  883. {
  884. S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
  885. const unsigned char *iv = ctx->oiv;
  886. const int keylen = EVP_CIPHER_CTX_key_length(ctx);
  887. const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
  888. memcpy(cctx->kmo.param.cv, iv, ivlen);
  889. memcpy(cctx->kmo.param.k, key, keylen);
  890. cctx->fc = S390X_AES_FC(keylen);
  891. cctx->res = 0;
  892. return 1;
  893. }
  894. static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  895. const unsigned char *in, size_t len)
  896. {
  897. S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
  898. int n = cctx->res;
  899. int rem;
  900. while (n && len) {
  901. *out = *in ^ cctx->kmo.param.cv[n];
  902. n = (n + 1) & 0xf;
  903. --len;
  904. ++in;
  905. ++out;
  906. }
  907. rem = len & 0xf;
  908. len &= ~(size_t)0xf;
  909. if (len) {
  910. s390x_kmo(in, len, out, cctx->fc, &cctx->kmo.param);
  911. out += len;
  912. in += len;
  913. }
  914. if (rem) {
  915. s390x_km(cctx->kmo.param.cv, 16, cctx->kmo.param.cv, cctx->fc,
  916. cctx->kmo.param.k);
  917. while (rem--) {
  918. out[n] = in[n] ^ cctx->kmo.param.cv[n];
  919. ++n;
  920. }
  921. }
  922. cctx->res = n;
  923. return 1;
  924. }
  925. static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx,
  926. const unsigned char *key,
  927. const unsigned char *ivec, int enc)
  928. {
  929. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  930. const unsigned char *iv = ctx->oiv;
  931. const int keylen = EVP_CIPHER_CTX_key_length(ctx);
  932. const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
  933. cctx->fc = S390X_AES_FC(keylen);
  934. cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */
  935. if (!enc)
  936. cctx->fc |= S390X_DECRYPT;
  937. cctx->res = 0;
  938. memcpy(cctx->kmf.param.cv, iv, ivlen);
  939. memcpy(cctx->kmf.param.k, key, keylen);
  940. return 1;
  941. }
  942. static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  943. const unsigned char *in, size_t len)
  944. {
  945. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  946. const int keylen = EVP_CIPHER_CTX_key_length(ctx);
  947. const int enc = EVP_CIPHER_CTX_encrypting(ctx);
  948. int n = cctx->res;
  949. int rem;
  950. unsigned char tmp;
  951. while (n && len) {
  952. tmp = *in;
  953. *out = cctx->kmf.param.cv[n] ^ tmp;
  954. cctx->kmf.param.cv[n] = enc ? *out : tmp;
  955. n = (n + 1) & 0xf;
  956. --len;
  957. ++in;
  958. ++out;
  959. }
  960. rem = len & 0xf;
  961. len &= ~(size_t)0xf;
  962. if (len) {
  963. s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
  964. out += len;
  965. in += len;
  966. }
  967. if (rem) {
  968. s390x_km(cctx->kmf.param.cv, 16, cctx->kmf.param.cv,
  969. S390X_AES_FC(keylen), cctx->kmf.param.k);
  970. while (rem--) {
  971. tmp = in[n];
  972. out[n] = cctx->kmf.param.cv[n] ^ tmp;
  973. cctx->kmf.param.cv[n] = enc ? out[n] : tmp;
  974. ++n;
  975. }
  976. }
  977. cctx->res = n;
  978. return 1;
  979. }
  980. static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX *ctx,
  981. const unsigned char *key,
  982. const unsigned char *ivec, int enc)
  983. {
  984. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  985. const unsigned char *iv = ctx->oiv;
  986. const int keylen = EVP_CIPHER_CTX_key_length(ctx);
  987. const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
  988. cctx->fc = S390X_AES_FC(keylen);
  989. cctx->fc |= 1 << 24; /* 1 byte cipher feedback */
  990. if (!enc)
  991. cctx->fc |= S390X_DECRYPT;
  992. memcpy(cctx->kmf.param.cv, iv, ivlen);
  993. memcpy(cctx->kmf.param.k, key, keylen);
  994. return 1;
  995. }
  996. static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  997. const unsigned char *in, size_t len)
  998. {
  999. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  1000. s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
  1001. return 1;
  1002. }
  1003. # define s390x_aes_cfb1_init_key aes_init_key
  1004. # define s390x_aes_cfb1_cipher aes_cfb1_cipher
  1005. static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1006. const unsigned char *in, size_t len);
  1007. # define S390X_AES_CTR_CTX EVP_AES_KEY
  1008. # define s390x_aes_ctr_init_key aes_init_key
  1009. # define s390x_aes_ctr_cipher aes_ctr_cipher
  1010. static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1011. const unsigned char *in, size_t len);
  1012. /* iv + padding length for iv lengths != 12 */
  1013. # define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
  1014. /*-
  1015. * Process additional authenticated data. Returns 0 on success. Code is
  1016. * big-endian.
  1017. */
  1018. static int s390x_aes_gcm_aad(S390X_AES_GCM_CTX *ctx, const unsigned char *aad,
  1019. size_t len)
  1020. {
  1021. unsigned long long alen;
  1022. int n, rem;
  1023. if (ctx->kma.param.tpcl)
  1024. return -2;
  1025. alen = ctx->kma.param.taadl + len;
  1026. if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
  1027. return -1;
  1028. ctx->kma.param.taadl = alen;
  1029. n = ctx->areslen;
  1030. if (n) {
  1031. while (n && len) {
  1032. ctx->ares[n] = *aad;
  1033. n = (n + 1) & 0xf;
  1034. ++aad;
  1035. --len;
  1036. }
  1037. /* ctx->ares contains a complete block if offset has wrapped around */
  1038. if (!n) {
  1039. s390x_kma(ctx->ares, 16, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
  1040. ctx->fc |= S390X_KMA_HS;
  1041. }
  1042. ctx->areslen = n;
  1043. }
  1044. rem = len & 0xf;
  1045. len &= ~(size_t)0xf;
  1046. if (len) {
  1047. s390x_kma(aad, len, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
  1048. aad += len;
  1049. ctx->fc |= S390X_KMA_HS;
  1050. }
  1051. if (rem) {
  1052. ctx->areslen = rem;
  1053. do {
  1054. --rem;
  1055. ctx->ares[rem] = aad[rem];
  1056. } while (rem);
  1057. }
  1058. return 0;
  1059. }
  1060. /*-
  1061. * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 0 for
  1062. * success. Code is big-endian.
  1063. */
  1064. static int s390x_aes_gcm(S390X_AES_GCM_CTX *ctx, const unsigned char *in,
  1065. unsigned char *out, size_t len)
  1066. {
  1067. const unsigned char *inptr;
  1068. unsigned long long mlen;
  1069. union {
  1070. unsigned int w[4];
  1071. unsigned char b[16];
  1072. } buf;
  1073. size_t inlen;
  1074. int n, rem, i;
  1075. mlen = ctx->kma.param.tpcl + len;
  1076. if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
  1077. return -1;
  1078. ctx->kma.param.tpcl = mlen;
  1079. n = ctx->mreslen;
  1080. if (n) {
  1081. inptr = in;
  1082. inlen = len;
  1083. while (n && inlen) {
  1084. ctx->mres[n] = *inptr;
  1085. n = (n + 1) & 0xf;
  1086. ++inptr;
  1087. --inlen;
  1088. }
  1089. /* ctx->mres contains a complete block if offset has wrapped around */
  1090. if (!n) {
  1091. s390x_kma(ctx->ares, ctx->areslen, ctx->mres, 16, buf.b,
  1092. ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
  1093. ctx->fc |= S390X_KMA_HS;
  1094. ctx->areslen = 0;
  1095. /* previous call already encrypted/decrypted its remainder,
  1096. * see comment below */
  1097. n = ctx->mreslen;
  1098. while (n) {
  1099. *out = buf.b[n];
  1100. n = (n + 1) & 0xf;
  1101. ++out;
  1102. ++in;
  1103. --len;
  1104. }
  1105. ctx->mreslen = 0;
  1106. }
  1107. }
  1108. rem = len & 0xf;
  1109. len &= ~(size_t)0xf;
  1110. if (len) {
  1111. s390x_kma(ctx->ares, ctx->areslen, in, len, out,
  1112. ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
  1113. in += len;
  1114. out += len;
  1115. ctx->fc |= S390X_KMA_HS;
  1116. ctx->areslen = 0;
  1117. }
  1118. /*-
  1119. * If there is a remainder, it has to be saved such that it can be
  1120. * processed by kma later. However, we also have to do the for-now
  1121. * unauthenticated encryption/decryption part here and now...
  1122. */
  1123. if (rem) {
  1124. if (!ctx->mreslen) {
  1125. buf.w[0] = ctx->kma.param.j0.w[0];
  1126. buf.w[1] = ctx->kma.param.j0.w[1];
  1127. buf.w[2] = ctx->kma.param.j0.w[2];
  1128. buf.w[3] = ctx->kma.param.cv.w + 1;
  1129. s390x_km(buf.b, 16, ctx->kres, ctx->fc & 0x1f, &ctx->kma.param.k);
  1130. }
  1131. n = ctx->mreslen;
  1132. for (i = 0; i < rem; i++) {
  1133. ctx->mres[n + i] = in[i];
  1134. out[i] = in[i] ^ ctx->kres[n + i];
  1135. }
  1136. ctx->mreslen += rem;
  1137. }
  1138. return 0;
  1139. }
  1140. /*-
  1141. * Initialize context structure. Code is big-endian.
  1142. */
  1143. static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx,
  1144. const unsigned char *iv)
  1145. {
  1146. ctx->kma.param.t.g[0] = 0;
  1147. ctx->kma.param.t.g[1] = 0;
  1148. ctx->kma.param.tpcl = 0;
  1149. ctx->kma.param.taadl = 0;
  1150. ctx->mreslen = 0;
  1151. ctx->areslen = 0;
  1152. ctx->kreslen = 0;
  1153. if (ctx->ivlen == 12) {
  1154. memcpy(&ctx->kma.param.j0, iv, ctx->ivlen);
  1155. ctx->kma.param.j0.w[3] = 1;
  1156. ctx->kma.param.cv.w = 1;
  1157. } else {
  1158. /* ctx->iv has the right size and is already padded. */
  1159. memcpy(ctx->iv, iv, ctx->ivlen);
  1160. s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL,
  1161. ctx->fc, &ctx->kma.param);
  1162. ctx->fc |= S390X_KMA_HS;
  1163. ctx->kma.param.j0.g[0] = ctx->kma.param.t.g[0];
  1164. ctx->kma.param.j0.g[1] = ctx->kma.param.t.g[1];
  1165. ctx->kma.param.cv.w = ctx->kma.param.j0.w[3];
  1166. ctx->kma.param.t.g[0] = 0;
  1167. ctx->kma.param.t.g[1] = 0;
  1168. }
  1169. }
  1170. /*-
  1171. * Performs various operations on the context structure depending on control
  1172. * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
  1173. * Code is big-endian.
  1174. */
  1175. static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1176. {
  1177. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
  1178. S390X_AES_GCM_CTX *gctx_out;
  1179. EVP_CIPHER_CTX *out;
  1180. unsigned char *buf;
  1181. int ivlen, enc, len;
  1182. switch (type) {
  1183. case EVP_CTRL_INIT:
  1184. ivlen = EVP_CIPHER_iv_length(c->cipher);
  1185. gctx->key_set = 0;
  1186. gctx->iv_set = 0;
  1187. gctx->ivlen = ivlen;
  1188. gctx->iv = c->iv;
  1189. gctx->taglen = -1;
  1190. gctx->iv_gen = 0;
  1191. gctx->tls_aad_len = -1;
  1192. return 1;
  1193. case EVP_CTRL_GET_IVLEN:
  1194. *(int *)ptr = gctx->ivlen;
  1195. return 1;
  1196. case EVP_CTRL_AEAD_SET_IVLEN:
  1197. if (arg <= 0)
  1198. return 0;
  1199. if (arg != 12) {
  1200. len = S390X_gcm_ivpadlen(arg);
  1201. /* Allocate memory for iv if needed. */
  1202. if (gctx->ivlen == 12 || len > S390X_gcm_ivpadlen(gctx->ivlen)) {
  1203. if (gctx->iv != c->iv)
  1204. OPENSSL_free(gctx->iv);
  1205. if ((gctx->iv = OPENSSL_malloc(len)) == NULL) {
  1206. ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
  1207. return 0;
  1208. }
  1209. }
  1210. /* Add padding. */
  1211. memset(gctx->iv + arg, 0, len - arg - 8);
  1212. *((unsigned long long *)(gctx->iv + len - 8)) = arg << 3;
  1213. }
  1214. gctx->ivlen = arg;
  1215. return 1;
  1216. case EVP_CTRL_AEAD_SET_TAG:
  1217. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1218. enc = EVP_CIPHER_CTX_encrypting(c);
  1219. if (arg <= 0 || arg > 16 || enc)
  1220. return 0;
  1221. memcpy(buf, ptr, arg);
  1222. gctx->taglen = arg;
  1223. return 1;
  1224. case EVP_CTRL_AEAD_GET_TAG:
  1225. enc = EVP_CIPHER_CTX_encrypting(c);
  1226. if (arg <= 0 || arg > 16 || !enc || gctx->taglen < 0)
  1227. return 0;
  1228. memcpy(ptr, gctx->kma.param.t.b, arg);
  1229. return 1;
  1230. case EVP_CTRL_GCM_SET_IV_FIXED:
  1231. /* Special case: -1 length restores whole iv */
  1232. if (arg == -1) {
  1233. memcpy(gctx->iv, ptr, gctx->ivlen);
  1234. gctx->iv_gen = 1;
  1235. return 1;
  1236. }
  1237. /*
  1238. * Fixed field must be at least 4 bytes and invocation field at least
  1239. * 8.
  1240. */
  1241. if ((arg < 4) || (gctx->ivlen - arg) < 8)
  1242. return 0;
  1243. if (arg)
  1244. memcpy(gctx->iv, ptr, arg);
  1245. enc = EVP_CIPHER_CTX_encrypting(c);
  1246. if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
  1247. return 0;
  1248. gctx->iv_gen = 1;
  1249. return 1;
  1250. case EVP_CTRL_GCM_IV_GEN:
  1251. if (gctx->iv_gen == 0 || gctx->key_set == 0)
  1252. return 0;
  1253. s390x_aes_gcm_setiv(gctx, gctx->iv);
  1254. if (arg <= 0 || arg > gctx->ivlen)
  1255. arg = gctx->ivlen;
  1256. memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
  1257. /*
  1258. * Invocation field will be at least 8 bytes in size and so no need
  1259. * to check wrap around or increment more than last 8 bytes.
  1260. */
  1261. ctr64_inc(gctx->iv + gctx->ivlen - 8);
  1262. gctx->iv_set = 1;
  1263. return 1;
  1264. case EVP_CTRL_GCM_SET_IV_INV:
  1265. enc = EVP_CIPHER_CTX_encrypting(c);
  1266. if (gctx->iv_gen == 0 || gctx->key_set == 0 || enc)
  1267. return 0;
  1268. memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
  1269. s390x_aes_gcm_setiv(gctx, gctx->iv);
  1270. gctx->iv_set = 1;
  1271. return 1;
  1272. case EVP_CTRL_AEAD_TLS1_AAD:
  1273. /* Save the aad for later use. */
  1274. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  1275. return 0;
  1276. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1277. memcpy(buf, ptr, arg);
  1278. gctx->tls_aad_len = arg;
  1279. gctx->tls_enc_records = 0;
  1280. len = buf[arg - 2] << 8 | buf[arg - 1];
  1281. /* Correct length for explicit iv. */
  1282. if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
  1283. return 0;
  1284. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1285. /* If decrypting correct for tag too. */
  1286. enc = EVP_CIPHER_CTX_encrypting(c);
  1287. if (!enc) {
  1288. if (len < EVP_GCM_TLS_TAG_LEN)
  1289. return 0;
  1290. len -= EVP_GCM_TLS_TAG_LEN;
  1291. }
  1292. buf[arg - 2] = len >> 8;
  1293. buf[arg - 1] = len & 0xff;
  1294. /* Extra padding: tag appended to record. */
  1295. return EVP_GCM_TLS_TAG_LEN;
  1296. case EVP_CTRL_COPY:
  1297. out = ptr;
  1298. gctx_out = EVP_C_DATA(S390X_AES_GCM_CTX, out);
  1299. if (gctx->iv == c->iv) {
  1300. gctx_out->iv = out->iv;
  1301. } else {
  1302. len = S390X_gcm_ivpadlen(gctx->ivlen);
  1303. if ((gctx_out->iv = OPENSSL_malloc(len)) == NULL) {
  1304. ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
  1305. return 0;
  1306. }
  1307. memcpy(gctx_out->iv, gctx->iv, len);
  1308. }
  1309. return 1;
  1310. default:
  1311. return -1;
  1312. }
  1313. }
  1314. /*-
  1315. * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
  1316. */
  1317. static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx,
  1318. const unsigned char *key,
  1319. const unsigned char *iv, int enc)
  1320. {
  1321. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1322. int keylen;
  1323. if (iv == NULL && key == NULL)
  1324. return 1;
  1325. if (key != NULL) {
  1326. keylen = EVP_CIPHER_CTX_key_length(ctx);
  1327. memcpy(&gctx->kma.param.k, key, keylen);
  1328. gctx->fc = S390X_AES_FC(keylen);
  1329. if (!enc)
  1330. gctx->fc |= S390X_DECRYPT;
  1331. if (iv == NULL && gctx->iv_set)
  1332. iv = gctx->iv;
  1333. if (iv != NULL) {
  1334. s390x_aes_gcm_setiv(gctx, iv);
  1335. gctx->iv_set = 1;
  1336. }
  1337. gctx->key_set = 1;
  1338. } else {
  1339. if (gctx->key_set)
  1340. s390x_aes_gcm_setiv(gctx, iv);
  1341. else
  1342. memcpy(gctx->iv, iv, gctx->ivlen);
  1343. gctx->iv_set = 1;
  1344. gctx->iv_gen = 0;
  1345. }
  1346. return 1;
  1347. }
  1348. /*-
  1349. * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
  1350. * if successful. Otherwise -1 is returned. Code is big-endian.
  1351. */
  1352. static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1353. const unsigned char *in, size_t len)
  1354. {
  1355. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1356. const unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1357. const int enc = EVP_CIPHER_CTX_encrypting(ctx);
  1358. int rv = -1;
  1359. if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
  1360. return -1;
  1361. /*
  1362. * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
  1363. * Requirements from SP 800-38D". The requirements is for one party to the
  1364. * communication to fail after 2^64 - 1 keys. We do this on the encrypting
  1365. * side only.
  1366. */
  1367. if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
  1368. ERR_raise(ERR_LIB_EVP, EVP_R_TOO_MANY_RECORDS);
  1369. goto err;
  1370. }
  1371. if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN
  1372. : EVP_CTRL_GCM_SET_IV_INV,
  1373. EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
  1374. goto err;
  1375. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1376. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1377. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  1378. gctx->kma.param.taadl = gctx->tls_aad_len << 3;
  1379. gctx->kma.param.tpcl = len << 3;
  1380. s390x_kma(buf, gctx->tls_aad_len, in, len, out,
  1381. gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
  1382. if (enc) {
  1383. memcpy(out + len, gctx->kma.param.t.b, EVP_GCM_TLS_TAG_LEN);
  1384. rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  1385. } else {
  1386. if (CRYPTO_memcmp(gctx->kma.param.t.b, in + len,
  1387. EVP_GCM_TLS_TAG_LEN)) {
  1388. OPENSSL_cleanse(out, len);
  1389. goto err;
  1390. }
  1391. rv = len;
  1392. }
  1393. err:
  1394. gctx->iv_set = 0;
  1395. gctx->tls_aad_len = -1;
  1396. return rv;
  1397. }
  1398. /*-
  1399. * Called from EVP layer to initialize context, process additional
  1400. * authenticated data, en/de-crypt plain/cipher-text and authenticate
  1401. * ciphertext or process a TLS packet, depending on context. Returns bytes
  1402. * written on success. Otherwise -1 is returned. Code is big-endian.
  1403. */
  1404. static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1405. const unsigned char *in, size_t len)
  1406. {
  1407. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1408. unsigned char *buf, tmp[16];
  1409. int enc;
  1410. if (!gctx->key_set)
  1411. return -1;
  1412. if (gctx->tls_aad_len >= 0)
  1413. return s390x_aes_gcm_tls_cipher(ctx, out, in, len);
  1414. if (!gctx->iv_set)
  1415. return -1;
  1416. if (in != NULL) {
  1417. if (out == NULL) {
  1418. if (s390x_aes_gcm_aad(gctx, in, len))
  1419. return -1;
  1420. } else {
  1421. if (s390x_aes_gcm(gctx, in, out, len))
  1422. return -1;
  1423. }
  1424. return len;
  1425. } else {
  1426. gctx->kma.param.taadl <<= 3;
  1427. gctx->kma.param.tpcl <<= 3;
  1428. s390x_kma(gctx->ares, gctx->areslen, gctx->mres, gctx->mreslen, tmp,
  1429. gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
  1430. /* recall that we already did en-/decrypt gctx->mres
  1431. * and returned it to caller... */
  1432. OPENSSL_cleanse(tmp, gctx->mreslen);
  1433. gctx->iv_set = 0;
  1434. enc = EVP_CIPHER_CTX_encrypting(ctx);
  1435. if (enc) {
  1436. gctx->taglen = 16;
  1437. } else {
  1438. if (gctx->taglen < 0)
  1439. return -1;
  1440. buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1441. if (CRYPTO_memcmp(buf, gctx->kma.param.t.b, gctx->taglen))
  1442. return -1;
  1443. }
  1444. return 0;
  1445. }
  1446. }
  1447. static int s390x_aes_gcm_cleanup(EVP_CIPHER_CTX *c)
  1448. {
  1449. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
  1450. if (gctx == NULL)
  1451. return 0;
  1452. if (gctx->iv != c->iv)
  1453. OPENSSL_free(gctx->iv);
  1454. OPENSSL_cleanse(gctx, sizeof(*gctx));
  1455. return 1;
  1456. }
  1457. # define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
  1458. # define s390x_aes_xts_init_key aes_xts_init_key
  1459. static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx,
  1460. const unsigned char *key,
  1461. const unsigned char *iv, int enc);
  1462. # define s390x_aes_xts_cipher aes_xts_cipher
  1463. static int s390x_aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1464. const unsigned char *in, size_t len);
  1465. # define s390x_aes_xts_ctrl aes_xts_ctrl
  1466. static int s390x_aes_xts_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
  1467. # define s390x_aes_xts_cleanup aes_xts_cleanup
  1468. /*-
  1469. * Set nonce and length fields. Code is big-endian.
  1470. */
  1471. static inline void s390x_aes_ccm_setiv(S390X_AES_CCM_CTX *ctx,
  1472. const unsigned char *nonce,
  1473. size_t mlen)
  1474. {
  1475. ctx->aes.ccm.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
  1476. ctx->aes.ccm.nonce.g[1] = mlen;
  1477. memcpy(ctx->aes.ccm.nonce.b + 1, nonce, 15 - ctx->aes.ccm.l);
  1478. }
  1479. /*-
  1480. * Process additional authenticated data. Code is big-endian.
  1481. */
  1482. static void s390x_aes_ccm_aad(S390X_AES_CCM_CTX *ctx, const unsigned char *aad,
  1483. size_t alen)
  1484. {
  1485. unsigned char *ptr;
  1486. int i, rem;
  1487. if (!alen)
  1488. return;
  1489. ctx->aes.ccm.nonce.b[0] |= S390X_CCM_AAD_FLAG;
  1490. /* Suppress 'type-punned pointer dereference' warning. */
  1491. ptr = ctx->aes.ccm.buf.b;
  1492. if (alen < ((1 << 16) - (1 << 8))) {
  1493. *(uint16_t *)ptr = alen;
  1494. i = 2;
  1495. } else if (sizeof(alen) == 8
  1496. && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
  1497. *(uint16_t *)ptr = 0xffff;
  1498. *(uint64_t *)(ptr + 2) = alen;
  1499. i = 10;
  1500. } else {
  1501. *(uint16_t *)ptr = 0xfffe;
  1502. *(uint32_t *)(ptr + 2) = alen;
  1503. i = 6;
  1504. }
  1505. while (i < 16 && alen) {
  1506. ctx->aes.ccm.buf.b[i] = *aad;
  1507. ++aad;
  1508. --alen;
  1509. ++i;
  1510. }
  1511. while (i < 16) {
  1512. ctx->aes.ccm.buf.b[i] = 0;
  1513. ++i;
  1514. }
  1515. ctx->aes.ccm.kmac_param.icv.g[0] = 0;
  1516. ctx->aes.ccm.kmac_param.icv.g[1] = 0;
  1517. s390x_kmac(ctx->aes.ccm.nonce.b, 32, ctx->aes.ccm.fc,
  1518. &ctx->aes.ccm.kmac_param);
  1519. ctx->aes.ccm.blocks += 2;
  1520. rem = alen & 0xf;
  1521. alen &= ~(size_t)0xf;
  1522. if (alen) {
  1523. s390x_kmac(aad, alen, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1524. ctx->aes.ccm.blocks += alen >> 4;
  1525. aad += alen;
  1526. }
  1527. if (rem) {
  1528. for (i = 0; i < rem; i++)
  1529. ctx->aes.ccm.kmac_param.icv.b[i] ^= aad[i];
  1530. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1531. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1532. ctx->aes.ccm.kmac_param.k);
  1533. ctx->aes.ccm.blocks++;
  1534. }
  1535. }
  1536. /*-
  1537. * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 0 for
  1538. * success.
  1539. */
  1540. static int s390x_aes_ccm(S390X_AES_CCM_CTX *ctx, const unsigned char *in,
  1541. unsigned char *out, size_t len, int enc)
  1542. {
  1543. size_t n, rem;
  1544. unsigned int i, l, num;
  1545. unsigned char flags;
  1546. flags = ctx->aes.ccm.nonce.b[0];
  1547. if (!(flags & S390X_CCM_AAD_FLAG)) {
  1548. s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.kmac_param.icv.b,
  1549. ctx->aes.ccm.fc, ctx->aes.ccm.kmac_param.k);
  1550. ctx->aes.ccm.blocks++;
  1551. }
  1552. l = flags & 0x7;
  1553. ctx->aes.ccm.nonce.b[0] = l;
  1554. /*-
  1555. * Reconstruct length from encoded length field
  1556. * and initialize it with counter value.
  1557. */
  1558. n = 0;
  1559. for (i = 15 - l; i < 15; i++) {
  1560. n |= ctx->aes.ccm.nonce.b[i];
  1561. ctx->aes.ccm.nonce.b[i] = 0;
  1562. n <<= 8;
  1563. }
  1564. n |= ctx->aes.ccm.nonce.b[15];
  1565. ctx->aes.ccm.nonce.b[15] = 1;
  1566. if (n != len)
  1567. return -1; /* length mismatch */
  1568. if (enc) {
  1569. /* Two operations per block plus one for tag encryption */
  1570. ctx->aes.ccm.blocks += (((len + 15) >> 4) << 1) + 1;
  1571. if (ctx->aes.ccm.blocks > (1ULL << 61))
  1572. return -2; /* too much data */
  1573. }
  1574. num = 0;
  1575. rem = len & 0xf;
  1576. len &= ~(size_t)0xf;
  1577. if (enc) {
  1578. /* mac-then-encrypt */
  1579. if (len)
  1580. s390x_kmac(in, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1581. if (rem) {
  1582. for (i = 0; i < rem; i++)
  1583. ctx->aes.ccm.kmac_param.icv.b[i] ^= in[len + i];
  1584. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1585. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1586. ctx->aes.ccm.kmac_param.k);
  1587. }
  1588. CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
  1589. ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
  1590. &num, (ctr128_f)AES_ctr32_encrypt);
  1591. } else {
  1592. /* decrypt-then-mac */
  1593. CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
  1594. ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
  1595. &num, (ctr128_f)AES_ctr32_encrypt);
  1596. if (len)
  1597. s390x_kmac(out, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1598. if (rem) {
  1599. for (i = 0; i < rem; i++)
  1600. ctx->aes.ccm.kmac_param.icv.b[i] ^= out[len + i];
  1601. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1602. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1603. ctx->aes.ccm.kmac_param.k);
  1604. }
  1605. }
  1606. /* encrypt tag */
  1607. for (i = 15 - l; i < 16; i++)
  1608. ctx->aes.ccm.nonce.b[i] = 0;
  1609. s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.buf.b, ctx->aes.ccm.fc,
  1610. ctx->aes.ccm.kmac_param.k);
  1611. ctx->aes.ccm.kmac_param.icv.g[0] ^= ctx->aes.ccm.buf.g[0];
  1612. ctx->aes.ccm.kmac_param.icv.g[1] ^= ctx->aes.ccm.buf.g[1];
  1613. ctx->aes.ccm.nonce.b[0] = flags; /* restore flags field */
  1614. return 0;
  1615. }
  1616. /*-
  1617. * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
  1618. * if successful. Otherwise -1 is returned.
  1619. */
  1620. static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1621. const unsigned char *in, size_t len)
  1622. {
  1623. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1624. unsigned char *ivec = ctx->iv;
  1625. unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1626. const int enc = EVP_CIPHER_CTX_encrypting(ctx);
  1627. if (out != in
  1628. || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m))
  1629. return -1;
  1630. if (enc) {
  1631. /* Set explicit iv (sequence number). */
  1632. memcpy(out, buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
  1633. }
  1634. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
  1635. /*-
  1636. * Get explicit iv (sequence number). We already have fixed iv
  1637. * (server/client_write_iv) here.
  1638. */
  1639. memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
  1640. s390x_aes_ccm_setiv(cctx, ivec, len);
  1641. /* Process aad (sequence number|type|version|length) */
  1642. s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len);
  1643. in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1644. out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1645. if (enc) {
  1646. if (s390x_aes_ccm(cctx, in, out, len, enc))
  1647. return -1;
  1648. memcpy(out + len, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
  1649. return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
  1650. } else {
  1651. if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
  1652. if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, in + len,
  1653. cctx->aes.ccm.m))
  1654. return len;
  1655. }
  1656. OPENSSL_cleanse(out, len);
  1657. return -1;
  1658. }
  1659. }
  1660. /*-
  1661. * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
  1662. * returned.
  1663. */
  1664. static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx,
  1665. const unsigned char *key,
  1666. const unsigned char *iv, int enc)
  1667. {
  1668. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1669. int keylen;
  1670. if (iv == NULL && key == NULL)
  1671. return 1;
  1672. if (key != NULL) {
  1673. keylen = EVP_CIPHER_CTX_key_length(ctx);
  1674. cctx->aes.ccm.fc = S390X_AES_FC(keylen);
  1675. memcpy(cctx->aes.ccm.kmac_param.k, key, keylen);
  1676. /* Store encoded m and l. */
  1677. cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
  1678. | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
  1679. memset(cctx->aes.ccm.nonce.b + 1, 0,
  1680. sizeof(cctx->aes.ccm.nonce.b));
  1681. cctx->aes.ccm.blocks = 0;
  1682. cctx->aes.ccm.key_set = 1;
  1683. }
  1684. if (iv != NULL) {
  1685. memcpy(ctx->iv, iv, 15 - cctx->aes.ccm.l);
  1686. cctx->aes.ccm.iv_set = 1;
  1687. }
  1688. return 1;
  1689. }
  1690. /*-
  1691. * Called from EVP layer to initialize context, process additional
  1692. * authenticated data, en/de-crypt plain/cipher-text and authenticate
  1693. * plaintext or process a TLS packet, depending on context. Returns bytes
  1694. * written on success. Otherwise -1 is returned.
  1695. */
  1696. static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1697. const unsigned char *in, size_t len)
  1698. {
  1699. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1700. const int enc = EVP_CIPHER_CTX_encrypting(ctx);
  1701. int rv;
  1702. unsigned char *buf;
  1703. if (!cctx->aes.ccm.key_set)
  1704. return -1;
  1705. if (cctx->aes.ccm.tls_aad_len >= 0)
  1706. return s390x_aes_ccm_tls_cipher(ctx, out, in, len);
  1707. /*-
  1708. * Final(): Does not return any data. Recall that ccm is mac-then-encrypt
  1709. * so integrity must be checked already at Update() i.e., before
  1710. * potentially corrupted data is output.
  1711. */
  1712. if (in == NULL && out != NULL)
  1713. return 0;
  1714. if (!cctx->aes.ccm.iv_set)
  1715. return -1;
  1716. if (out == NULL) {
  1717. /* Update(): Pass message length. */
  1718. if (in == NULL) {
  1719. s390x_aes_ccm_setiv(cctx, ctx->iv, len);
  1720. cctx->aes.ccm.len_set = 1;
  1721. return len;
  1722. }
  1723. /* Update(): Process aad. */
  1724. if (!cctx->aes.ccm.len_set && len)
  1725. return -1;
  1726. s390x_aes_ccm_aad(cctx, in, len);
  1727. return len;
  1728. }
  1729. /* The tag must be set before actually decrypting data */
  1730. if (!enc && !cctx->aes.ccm.tag_set)
  1731. return -1;
  1732. /* Update(): Process message. */
  1733. if (!cctx->aes.ccm.len_set) {
  1734. /*-
  1735. * In case message length was not previously set explicitly via
  1736. * Update(), set it now.
  1737. */
  1738. s390x_aes_ccm_setiv(cctx, ctx->iv, len);
  1739. cctx->aes.ccm.len_set = 1;
  1740. }
  1741. if (enc) {
  1742. if (s390x_aes_ccm(cctx, in, out, len, enc))
  1743. return -1;
  1744. cctx->aes.ccm.tag_set = 1;
  1745. return len;
  1746. } else {
  1747. rv = -1;
  1748. if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
  1749. buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1750. if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, buf,
  1751. cctx->aes.ccm.m))
  1752. rv = len;
  1753. }
  1754. if (rv == -1)
  1755. OPENSSL_cleanse(out, len);
  1756. cctx->aes.ccm.iv_set = 0;
  1757. cctx->aes.ccm.tag_set = 0;
  1758. cctx->aes.ccm.len_set = 0;
  1759. return rv;
  1760. }
  1761. }
  1762. /*-
  1763. * Performs various operations on the context structure depending on control
  1764. * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
  1765. * Code is big-endian.
  1766. */
  1767. static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1768. {
  1769. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, c);
  1770. unsigned char *buf;
  1771. int enc, len;
  1772. switch (type) {
  1773. case EVP_CTRL_INIT:
  1774. cctx->aes.ccm.key_set = 0;
  1775. cctx->aes.ccm.iv_set = 0;
  1776. cctx->aes.ccm.l = 8;
  1777. cctx->aes.ccm.m = 12;
  1778. cctx->aes.ccm.tag_set = 0;
  1779. cctx->aes.ccm.len_set = 0;
  1780. cctx->aes.ccm.tls_aad_len = -1;
  1781. return 1;
  1782. case EVP_CTRL_GET_IVLEN:
  1783. *(int *)ptr = 15 - cctx->aes.ccm.l;
  1784. return 1;
  1785. case EVP_CTRL_AEAD_TLS1_AAD:
  1786. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  1787. return 0;
  1788. /* Save the aad for later use. */
  1789. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1790. memcpy(buf, ptr, arg);
  1791. cctx->aes.ccm.tls_aad_len = arg;
  1792. len = buf[arg - 2] << 8 | buf[arg - 1];
  1793. if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
  1794. return 0;
  1795. /* Correct length for explicit iv. */
  1796. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1797. enc = EVP_CIPHER_CTX_encrypting(c);
  1798. if (!enc) {
  1799. if (len < cctx->aes.ccm.m)
  1800. return 0;
  1801. /* Correct length for tag. */
  1802. len -= cctx->aes.ccm.m;
  1803. }
  1804. buf[arg - 2] = len >> 8;
  1805. buf[arg - 1] = len & 0xff;
  1806. /* Extra padding: tag appended to record. */
  1807. return cctx->aes.ccm.m;
  1808. case EVP_CTRL_CCM_SET_IV_FIXED:
  1809. if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
  1810. return 0;
  1811. /* Copy to first part of the iv. */
  1812. memcpy(c->iv, ptr, arg);
  1813. return 1;
  1814. case EVP_CTRL_AEAD_SET_IVLEN:
  1815. arg = 15 - arg;
  1816. /* fall-through */
  1817. case EVP_CTRL_CCM_SET_L:
  1818. if (arg < 2 || arg > 8)
  1819. return 0;
  1820. cctx->aes.ccm.l = arg;
  1821. return 1;
  1822. case EVP_CTRL_AEAD_SET_TAG:
  1823. if ((arg & 1) || arg < 4 || arg > 16)
  1824. return 0;
  1825. enc = EVP_CIPHER_CTX_encrypting(c);
  1826. if (enc && ptr)
  1827. return 0;
  1828. if (ptr) {
  1829. cctx->aes.ccm.tag_set = 1;
  1830. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1831. memcpy(buf, ptr, arg);
  1832. }
  1833. cctx->aes.ccm.m = arg;
  1834. return 1;
  1835. case EVP_CTRL_AEAD_GET_TAG:
  1836. enc = EVP_CIPHER_CTX_encrypting(c);
  1837. if (!enc || !cctx->aes.ccm.tag_set)
  1838. return 0;
  1839. if(arg < cctx->aes.ccm.m)
  1840. return 0;
  1841. memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
  1842. cctx->aes.ccm.tag_set = 0;
  1843. cctx->aes.ccm.iv_set = 0;
  1844. cctx->aes.ccm.len_set = 0;
  1845. return 1;
  1846. case EVP_CTRL_COPY:
  1847. return 1;
  1848. default:
  1849. return -1;
  1850. }
  1851. }
  1852. # define s390x_aes_ccm_cleanup aes_ccm_cleanup
  1853. # ifndef OPENSSL_NO_OCB
  1854. # define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
  1855. # define s390x_aes_ocb_init_key aes_ocb_init_key
  1856. static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  1857. const unsigned char *iv, int enc);
  1858. # define s390x_aes_ocb_cipher aes_ocb_cipher
  1859. static int s390x_aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1860. const unsigned char *in, size_t len);
  1861. # define s390x_aes_ocb_cleanup aes_ocb_cleanup
  1862. static int s390x_aes_ocb_cleanup(EVP_CIPHER_CTX *);
  1863. # define s390x_aes_ocb_ctrl aes_ocb_ctrl
  1864. static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
  1865. # endif
  1866. # ifndef OPENSSL_NO_SIV
  1867. # define S390X_AES_SIV_CTX EVP_AES_SIV_CTX
  1868. # define s390x_aes_siv_init_key aes_siv_init_key
  1869. # define s390x_aes_siv_cipher aes_siv_cipher
  1870. # define s390x_aes_siv_cleanup aes_siv_cleanup
  1871. # define s390x_aes_siv_ctrl aes_siv_ctrl
  1872. # endif
  1873. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
  1874. MODE,flags) \
  1875. static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
  1876. nid##_##keylen##_##nmode,blocksize, \
  1877. keylen / 8, \
  1878. ivlen, \
  1879. flags | EVP_CIPH_##MODE##_MODE, \
  1880. s390x_aes_##mode##_init_key, \
  1881. s390x_aes_##mode##_cipher, \
  1882. NULL, \
  1883. sizeof(S390X_AES_##MODE##_CTX), \
  1884. NULL, \
  1885. NULL, \
  1886. NULL, \
  1887. NULL \
  1888. }; \
  1889. static const EVP_CIPHER aes_##keylen##_##mode = { \
  1890. nid##_##keylen##_##nmode, \
  1891. blocksize, \
  1892. keylen / 8, \
  1893. ivlen, \
  1894. flags | EVP_CIPH_##MODE##_MODE, \
  1895. aes_init_key, \
  1896. aes_##mode##_cipher, \
  1897. NULL, \
  1898. sizeof(EVP_AES_KEY), \
  1899. NULL, \
  1900. NULL, \
  1901. NULL, \
  1902. NULL \
  1903. }; \
  1904. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  1905. { \
  1906. return S390X_aes_##keylen##_##mode##_CAPABLE ? \
  1907. &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
  1908. }
  1909. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
  1910. static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
  1911. nid##_##keylen##_##mode, \
  1912. blocksize, \
  1913. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
  1914. ivlen, \
  1915. flags | EVP_CIPH_##MODE##_MODE, \
  1916. s390x_aes_##mode##_init_key, \
  1917. s390x_aes_##mode##_cipher, \
  1918. s390x_aes_##mode##_cleanup, \
  1919. sizeof(S390X_AES_##MODE##_CTX), \
  1920. NULL, \
  1921. NULL, \
  1922. s390x_aes_##mode##_ctrl, \
  1923. NULL \
  1924. }; \
  1925. static const EVP_CIPHER aes_##keylen##_##mode = { \
  1926. nid##_##keylen##_##mode,blocksize, \
  1927. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
  1928. ivlen, \
  1929. flags | EVP_CIPH_##MODE##_MODE, \
  1930. aes_##mode##_init_key, \
  1931. aes_##mode##_cipher, \
  1932. aes_##mode##_cleanup, \
  1933. sizeof(EVP_AES_##MODE##_CTX), \
  1934. NULL, \
  1935. NULL, \
  1936. aes_##mode##_ctrl, \
  1937. NULL \
  1938. }; \
  1939. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  1940. { \
  1941. return S390X_aes_##keylen##_##mode##_CAPABLE ? \
  1942. &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
  1943. }
  1944. #else
  1945. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  1946. static const EVP_CIPHER aes_##keylen##_##mode = { \
  1947. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  1948. flags|EVP_CIPH_##MODE##_MODE, \
  1949. aes_init_key, \
  1950. aes_##mode##_cipher, \
  1951. NULL, \
  1952. sizeof(EVP_AES_KEY), \
  1953. NULL,NULL,NULL,NULL }; \
  1954. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  1955. { return &aes_##keylen##_##mode; }
  1956. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  1957. static const EVP_CIPHER aes_##keylen##_##mode = { \
  1958. nid##_##keylen##_##mode,blocksize, \
  1959. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  1960. ivlen, \
  1961. flags|EVP_CIPH_##MODE##_MODE, \
  1962. aes_##mode##_init_key, \
  1963. aes_##mode##_cipher, \
  1964. aes_##mode##_cleanup, \
  1965. sizeof(EVP_AES_##MODE##_CTX), \
  1966. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  1967. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  1968. { return &aes_##keylen##_##mode; }
  1969. #endif
  1970. #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
  1971. BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  1972. BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  1973. BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  1974. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  1975. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
  1976. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
  1977. BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
  1978. static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  1979. const unsigned char *iv, int enc)
  1980. {
  1981. int ret, mode;
  1982. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  1983. mode = EVP_CIPHER_CTX_mode(ctx);
  1984. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  1985. && !enc) {
  1986. #ifdef HWAES_CAPABLE
  1987. if (HWAES_CAPABLE) {
  1988. ret = HWAES_set_decrypt_key(key,
  1989. EVP_CIPHER_CTX_key_length(ctx) * 8,
  1990. &dat->ks.ks);
  1991. dat->block = (block128_f) HWAES_decrypt;
  1992. dat->stream.cbc = NULL;
  1993. # ifdef HWAES_cbc_encrypt
  1994. if (mode == EVP_CIPH_CBC_MODE)
  1995. dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
  1996. # endif
  1997. } else
  1998. #endif
  1999. #ifdef BSAES_CAPABLE
  2000. if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
  2001. ret = AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2002. &dat->ks.ks);
  2003. dat->block = (block128_f) AES_decrypt;
  2004. dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt;
  2005. } else
  2006. #endif
  2007. #ifdef VPAES_CAPABLE
  2008. if (VPAES_CAPABLE) {
  2009. ret = vpaes_set_decrypt_key(key,
  2010. EVP_CIPHER_CTX_key_length(ctx) * 8,
  2011. &dat->ks.ks);
  2012. dat->block = (block128_f) vpaes_decrypt;
  2013. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2014. (cbc128_f) vpaes_cbc_encrypt : NULL;
  2015. } else
  2016. #endif
  2017. {
  2018. ret = AES_set_decrypt_key(key,
  2019. EVP_CIPHER_CTX_key_length(ctx) * 8,
  2020. &dat->ks.ks);
  2021. dat->block = (block128_f) AES_decrypt;
  2022. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2023. (cbc128_f) AES_cbc_encrypt : NULL;
  2024. }
  2025. } else
  2026. #ifdef HWAES_CAPABLE
  2027. if (HWAES_CAPABLE) {
  2028. ret = HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2029. &dat->ks.ks);
  2030. dat->block = (block128_f) HWAES_encrypt;
  2031. dat->stream.cbc = NULL;
  2032. # ifdef HWAES_cbc_encrypt
  2033. if (mode == EVP_CIPH_CBC_MODE)
  2034. dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
  2035. else
  2036. # endif
  2037. # ifdef HWAES_ctr32_encrypt_blocks
  2038. if (mode == EVP_CIPH_CTR_MODE)
  2039. dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
  2040. else
  2041. # endif
  2042. (void)0; /* terminate potentially open 'else' */
  2043. } else
  2044. #endif
  2045. #ifdef BSAES_CAPABLE
  2046. if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
  2047. ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2048. &dat->ks.ks);
  2049. dat->block = (block128_f) AES_encrypt;
  2050. dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
  2051. } else
  2052. #endif
  2053. #ifdef VPAES_CAPABLE
  2054. if (VPAES_CAPABLE) {
  2055. ret = vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2056. &dat->ks.ks);
  2057. dat->block = (block128_f) vpaes_encrypt;
  2058. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2059. (cbc128_f) vpaes_cbc_encrypt : NULL;
  2060. } else
  2061. #endif
  2062. {
  2063. ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2064. &dat->ks.ks);
  2065. dat->block = (block128_f) AES_encrypt;
  2066. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2067. (cbc128_f) AES_cbc_encrypt : NULL;
  2068. #ifdef AES_CTR_ASM
  2069. if (mode == EVP_CIPH_CTR_MODE)
  2070. dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
  2071. #endif
  2072. }
  2073. if (ret < 0) {
  2074. ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
  2075. return 0;
  2076. }
  2077. return 1;
  2078. }
  2079. static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2080. const unsigned char *in, size_t len)
  2081. {
  2082. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2083. if (dat->stream.cbc)
  2084. (*dat->stream.cbc) (in, out, len, &dat->ks, ctx->iv,
  2085. EVP_CIPHER_CTX_encrypting(ctx));
  2086. else if (EVP_CIPHER_CTX_encrypting(ctx))
  2087. CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv,
  2088. dat->block);
  2089. else
  2090. CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
  2091. ctx->iv, dat->block);
  2092. return 1;
  2093. }
  2094. static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2095. const unsigned char *in, size_t len)
  2096. {
  2097. size_t bl = EVP_CIPHER_CTX_block_size(ctx);
  2098. size_t i;
  2099. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2100. if (len < bl)
  2101. return 1;
  2102. for (i = 0, len -= bl; i <= len; i += bl)
  2103. (*dat->block) (in + i, out + i, &dat->ks);
  2104. return 1;
  2105. }
  2106. static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2107. const unsigned char *in, size_t len)
  2108. {
  2109. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2110. int num = EVP_CIPHER_CTX_num(ctx);
  2111. CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
  2112. ctx->iv, &num, dat->block);
  2113. EVP_CIPHER_CTX_set_num(ctx, num);
  2114. return 1;
  2115. }
  2116. static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2117. const unsigned char *in, size_t len)
  2118. {
  2119. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2120. int num = EVP_CIPHER_CTX_num(ctx);
  2121. CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
  2122. ctx->iv, &num,
  2123. EVP_CIPHER_CTX_encrypting(ctx), dat->block);
  2124. EVP_CIPHER_CTX_set_num(ctx, num);
  2125. return 1;
  2126. }
  2127. static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2128. const unsigned char *in, size_t len)
  2129. {
  2130. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2131. int num = EVP_CIPHER_CTX_num(ctx);
  2132. CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
  2133. ctx->iv, &num,
  2134. EVP_CIPHER_CTX_encrypting(ctx), dat->block);
  2135. EVP_CIPHER_CTX_set_num(ctx, num);
  2136. return 1;
  2137. }
  2138. static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2139. const unsigned char *in, size_t len)
  2140. {
  2141. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2142. if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
  2143. int num = EVP_CIPHER_CTX_num(ctx);
  2144. CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
  2145. ctx->iv, &num,
  2146. EVP_CIPHER_CTX_encrypting(ctx), dat->block);
  2147. EVP_CIPHER_CTX_set_num(ctx, num);
  2148. return 1;
  2149. }
  2150. while (len >= MAXBITCHUNK) {
  2151. int num = EVP_CIPHER_CTX_num(ctx);
  2152. CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
  2153. ctx->iv, &num,
  2154. EVP_CIPHER_CTX_encrypting(ctx), dat->block);
  2155. EVP_CIPHER_CTX_set_num(ctx, num);
  2156. len -= MAXBITCHUNK;
  2157. out += MAXBITCHUNK;
  2158. in += MAXBITCHUNK;
  2159. }
  2160. if (len) {
  2161. int num = EVP_CIPHER_CTX_num(ctx);
  2162. CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
  2163. ctx->iv, &num,
  2164. EVP_CIPHER_CTX_encrypting(ctx), dat->block);
  2165. EVP_CIPHER_CTX_set_num(ctx, num);
  2166. }
  2167. return 1;
  2168. }
  2169. static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2170. const unsigned char *in, size_t len)
  2171. {
  2172. unsigned int num = EVP_CIPHER_CTX_num(ctx);
  2173. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2174. if (dat->stream.ctr)
  2175. CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
  2176. ctx->iv,
  2177. EVP_CIPHER_CTX_buf_noconst(ctx),
  2178. &num, dat->stream.ctr);
  2179. else
  2180. CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
  2181. ctx->iv,
  2182. EVP_CIPHER_CTX_buf_noconst(ctx), &num,
  2183. dat->block);
  2184. EVP_CIPHER_CTX_set_num(ctx, num);
  2185. return 1;
  2186. }
  2187. BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
  2188. BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
  2189. BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
  2190. static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
  2191. {
  2192. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
  2193. if (gctx == NULL)
  2194. return 0;
  2195. OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
  2196. if (gctx->iv != c->iv)
  2197. OPENSSL_free(gctx->iv);
  2198. return 1;
  2199. }
  2200. static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2201. {
  2202. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
  2203. switch (type) {
  2204. case EVP_CTRL_INIT:
  2205. gctx->key_set = 0;
  2206. gctx->iv_set = 0;
  2207. gctx->ivlen = EVP_CIPHER_iv_length(c->cipher);
  2208. gctx->iv = c->iv;
  2209. gctx->taglen = -1;
  2210. gctx->iv_gen = 0;
  2211. gctx->tls_aad_len = -1;
  2212. return 1;
  2213. case EVP_CTRL_GET_IVLEN:
  2214. *(int *)ptr = gctx->ivlen;
  2215. return 1;
  2216. case EVP_CTRL_AEAD_SET_IVLEN:
  2217. if (arg <= 0)
  2218. return 0;
  2219. /* Allocate memory for IV if needed */
  2220. if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
  2221. if (gctx->iv != c->iv)
  2222. OPENSSL_free(gctx->iv);
  2223. if ((gctx->iv = OPENSSL_malloc(arg)) == NULL) {
  2224. ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
  2225. return 0;
  2226. }
  2227. }
  2228. gctx->ivlen = arg;
  2229. return 1;
  2230. case EVP_CTRL_AEAD_SET_TAG:
  2231. if (arg <= 0 || arg > 16 || c->encrypt)
  2232. return 0;
  2233. memcpy(c->buf, ptr, arg);
  2234. gctx->taglen = arg;
  2235. return 1;
  2236. case EVP_CTRL_AEAD_GET_TAG:
  2237. if (arg <= 0 || arg > 16 || !c->encrypt
  2238. || gctx->taglen < 0)
  2239. return 0;
  2240. memcpy(ptr, c->buf, arg);
  2241. return 1;
  2242. case EVP_CTRL_GCM_SET_IV_FIXED:
  2243. /* Special case: -1 length restores whole IV */
  2244. if (arg == -1) {
  2245. memcpy(gctx->iv, ptr, gctx->ivlen);
  2246. gctx->iv_gen = 1;
  2247. return 1;
  2248. }
  2249. /*
  2250. * Fixed field must be at least 4 bytes and invocation field at least
  2251. * 8.
  2252. */
  2253. if ((arg < 4) || (gctx->ivlen - arg) < 8)
  2254. return 0;
  2255. if (arg)
  2256. memcpy(gctx->iv, ptr, arg);
  2257. if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
  2258. return 0;
  2259. gctx->iv_gen = 1;
  2260. return 1;
  2261. case EVP_CTRL_GCM_IV_GEN:
  2262. if (gctx->iv_gen == 0 || gctx->key_set == 0)
  2263. return 0;
  2264. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  2265. if (arg <= 0 || arg > gctx->ivlen)
  2266. arg = gctx->ivlen;
  2267. memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
  2268. /*
  2269. * Invocation field will be at least 8 bytes in size and so no need
  2270. * to check wrap around or increment more than last 8 bytes.
  2271. */
  2272. ctr64_inc(gctx->iv + gctx->ivlen - 8);
  2273. gctx->iv_set = 1;
  2274. return 1;
  2275. case EVP_CTRL_GCM_SET_IV_INV:
  2276. if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
  2277. return 0;
  2278. memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
  2279. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  2280. gctx->iv_set = 1;
  2281. return 1;
  2282. case EVP_CTRL_AEAD_TLS1_AAD:
  2283. /* Save the AAD for later use */
  2284. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  2285. return 0;
  2286. memcpy(c->buf, ptr, arg);
  2287. gctx->tls_aad_len = arg;
  2288. gctx->tls_enc_records = 0;
  2289. {
  2290. unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
  2291. /* Correct length for explicit IV */
  2292. if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
  2293. return 0;
  2294. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2295. /* If decrypting correct for tag too */
  2296. if (!c->encrypt) {
  2297. if (len < EVP_GCM_TLS_TAG_LEN)
  2298. return 0;
  2299. len -= EVP_GCM_TLS_TAG_LEN;
  2300. }
  2301. c->buf[arg - 2] = len >> 8;
  2302. c->buf[arg - 1] = len & 0xff;
  2303. }
  2304. /* Extra padding: tag appended to record */
  2305. return EVP_GCM_TLS_TAG_LEN;
  2306. case EVP_CTRL_COPY:
  2307. {
  2308. EVP_CIPHER_CTX *out = ptr;
  2309. EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out);
  2310. if (gctx->gcm.key) {
  2311. if (gctx->gcm.key != &gctx->ks)
  2312. return 0;
  2313. gctx_out->gcm.key = &gctx_out->ks;
  2314. }
  2315. if (gctx->iv == c->iv)
  2316. gctx_out->iv = out->iv;
  2317. else {
  2318. if ((gctx_out->iv = OPENSSL_malloc(gctx->ivlen)) == NULL) {
  2319. ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
  2320. return 0;
  2321. }
  2322. memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
  2323. }
  2324. return 1;
  2325. }
  2326. default:
  2327. return -1;
  2328. }
  2329. }
  2330. static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2331. const unsigned char *iv, int enc)
  2332. {
  2333. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2334. if (!iv && !key)
  2335. return 1;
  2336. if (key) {
  2337. do {
  2338. #ifdef HWAES_CAPABLE
  2339. if (HWAES_CAPABLE) {
  2340. HWAES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  2341. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2342. (block128_f) HWAES_encrypt);
  2343. # ifdef HWAES_ctr32_encrypt_blocks
  2344. gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
  2345. # else
  2346. gctx->ctr = NULL;
  2347. # endif
  2348. break;
  2349. } else
  2350. #endif
  2351. #ifdef BSAES_CAPABLE
  2352. if (BSAES_CAPABLE) {
  2353. AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  2354. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2355. (block128_f) AES_encrypt);
  2356. gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
  2357. break;
  2358. } else
  2359. #endif
  2360. #ifdef VPAES_CAPABLE
  2361. if (VPAES_CAPABLE) {
  2362. vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  2363. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2364. (block128_f) vpaes_encrypt);
  2365. gctx->ctr = NULL;
  2366. break;
  2367. } else
  2368. #endif
  2369. (void)0; /* terminate potentially open 'else' */
  2370. AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  2371. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2372. (block128_f) AES_encrypt);
  2373. #ifdef AES_CTR_ASM
  2374. gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
  2375. #else
  2376. gctx->ctr = NULL;
  2377. #endif
  2378. } while (0);
  2379. /*
  2380. * If we have an iv can set it directly, otherwise use saved IV.
  2381. */
  2382. if (iv == NULL && gctx->iv_set)
  2383. iv = gctx->iv;
  2384. if (iv) {
  2385. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  2386. gctx->iv_set = 1;
  2387. }
  2388. gctx->key_set = 1;
  2389. } else {
  2390. /* If key set use IV, otherwise copy */
  2391. if (gctx->key_set)
  2392. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  2393. else
  2394. memcpy(gctx->iv, iv, gctx->ivlen);
  2395. gctx->iv_set = 1;
  2396. gctx->iv_gen = 0;
  2397. }
  2398. return 1;
  2399. }
  2400. /*
  2401. * Handle TLS GCM packet format. This consists of the last portion of the IV
  2402. * followed by the payload and finally the tag. On encrypt generate IV,
  2403. * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
  2404. * and verify tag.
  2405. */
  2406. static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2407. const unsigned char *in, size_t len)
  2408. {
  2409. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2410. int rv = -1;
  2411. /* Encrypt/decrypt must be performed in place */
  2412. if (out != in
  2413. || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
  2414. return -1;
  2415. /*
  2416. * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
  2417. * Requirements from SP 800-38D". The requirements is for one party to the
  2418. * communication to fail after 2^64 - 1 keys. We do this on the encrypting
  2419. * side only.
  2420. */
  2421. if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
  2422. ERR_raise(ERR_LIB_EVP, EVP_R_TOO_MANY_RECORDS);
  2423. goto err;
  2424. }
  2425. /*
  2426. * Set IV from start of buffer or generate IV and write to start of
  2427. * buffer.
  2428. */
  2429. if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? EVP_CTRL_GCM_IV_GEN
  2430. : EVP_CTRL_GCM_SET_IV_INV,
  2431. EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
  2432. goto err;
  2433. /* Use saved AAD */
  2434. if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
  2435. goto err;
  2436. /* Fix buffer and length to point to payload */
  2437. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2438. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2439. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  2440. if (ctx->encrypt) {
  2441. /* Encrypt payload */
  2442. if (gctx->ctr) {
  2443. size_t bulk = 0;
  2444. #if defined(AES_GCM_ASM)
  2445. if (len >= 32 && AES_GCM_ASM(gctx)) {
  2446. if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
  2447. return -1;
  2448. bulk = AES_gcm_encrypt(in, out, len,
  2449. gctx->gcm.key,
  2450. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2451. gctx->gcm.len.u[1] += bulk;
  2452. }
  2453. #endif
  2454. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
  2455. in + bulk,
  2456. out + bulk,
  2457. len - bulk, gctx->ctr))
  2458. goto err;
  2459. } else {
  2460. size_t bulk = 0;
  2461. #if defined(AES_GCM_ASM2)
  2462. if (len >= 32 && AES_GCM_ASM2(gctx)) {
  2463. if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
  2464. return -1;
  2465. bulk = AES_gcm_encrypt(in, out, len,
  2466. gctx->gcm.key,
  2467. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2468. gctx->gcm.len.u[1] += bulk;
  2469. }
  2470. #endif
  2471. if (CRYPTO_gcm128_encrypt(&gctx->gcm,
  2472. in + bulk, out + bulk, len - bulk))
  2473. goto err;
  2474. }
  2475. out += len;
  2476. /* Finally write tag */
  2477. CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
  2478. rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  2479. } else {
  2480. /* Decrypt */
  2481. if (gctx->ctr) {
  2482. size_t bulk = 0;
  2483. #if defined(AES_GCM_ASM)
  2484. if (len >= 16 && AES_GCM_ASM(gctx)) {
  2485. if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
  2486. return -1;
  2487. bulk = AES_gcm_decrypt(in, out, len,
  2488. gctx->gcm.key,
  2489. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2490. gctx->gcm.len.u[1] += bulk;
  2491. }
  2492. #endif
  2493. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
  2494. in + bulk,
  2495. out + bulk,
  2496. len - bulk, gctx->ctr))
  2497. goto err;
  2498. } else {
  2499. size_t bulk = 0;
  2500. #if defined(AES_GCM_ASM2)
  2501. if (len >= 16 && AES_GCM_ASM2(gctx)) {
  2502. if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
  2503. return -1;
  2504. bulk = AES_gcm_decrypt(in, out, len,
  2505. gctx->gcm.key,
  2506. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2507. gctx->gcm.len.u[1] += bulk;
  2508. }
  2509. #endif
  2510. if (CRYPTO_gcm128_decrypt(&gctx->gcm,
  2511. in + bulk, out + bulk, len - bulk))
  2512. goto err;
  2513. }
  2514. /* Retrieve tag */
  2515. CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
  2516. /* If tag mismatch wipe buffer */
  2517. if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
  2518. OPENSSL_cleanse(out, len);
  2519. goto err;
  2520. }
  2521. rv = len;
  2522. }
  2523. err:
  2524. gctx->iv_set = 0;
  2525. gctx->tls_aad_len = -1;
  2526. return rv;
  2527. }
  2528. #ifdef FIPS_MODULE
  2529. /*
  2530. * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
  2531. *
  2532. * See also 8.2.2 RBG-based construction.
  2533. * Random construction consists of a free field (which can be NULL) and a
  2534. * random field which will use a DRBG that can return at least 96 bits of
  2535. * entropy strength. (The DRBG must be seeded by the FIPS module).
  2536. */
  2537. static int aes_gcm_iv_generate(EVP_AES_GCM_CTX *gctx, int offset)
  2538. {
  2539. int sz = gctx->ivlen - offset;
  2540. /* Must be at least 96 bits */
  2541. if (sz <= 0 || gctx->ivlen < 12)
  2542. return 0;
  2543. /* Use DRBG to generate random iv */
  2544. if (RAND_bytes(gctx->iv + offset, sz) <= 0)
  2545. return 0;
  2546. return 1;
  2547. }
  2548. #endif /* FIPS_MODULE */
  2549. static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2550. const unsigned char *in, size_t len)
  2551. {
  2552. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2553. /* If not set up, return error */
  2554. if (!gctx->key_set)
  2555. return -1;
  2556. if (gctx->tls_aad_len >= 0)
  2557. return aes_gcm_tls_cipher(ctx, out, in, len);
  2558. #ifdef FIPS_MODULE
  2559. /*
  2560. * FIPS requires generation of AES-GCM IV's inside the FIPS module.
  2561. * The IV can still be set externally (the security policy will state that
  2562. * this is not FIPS compliant). There are some applications
  2563. * where setting the IV externally is the only option available.
  2564. */
  2565. if (!gctx->iv_set) {
  2566. if (!ctx->encrypt || !aes_gcm_iv_generate(gctx, 0))
  2567. return -1;
  2568. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  2569. gctx->iv_set = 1;
  2570. gctx->iv_gen_rand = 1;
  2571. }
  2572. #else
  2573. if (!gctx->iv_set)
  2574. return -1;
  2575. #endif /* FIPS_MODULE */
  2576. if (in) {
  2577. if (out == NULL) {
  2578. if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
  2579. return -1;
  2580. } else if (ctx->encrypt) {
  2581. if (gctx->ctr) {
  2582. size_t bulk = 0;
  2583. #if defined(AES_GCM_ASM)
  2584. if (len >= 32 && AES_GCM_ASM(gctx)) {
  2585. size_t res = (16 - gctx->gcm.mres) % 16;
  2586. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
  2587. return -1;
  2588. bulk = AES_gcm_encrypt(in + res,
  2589. out + res, len - res,
  2590. gctx->gcm.key, gctx->gcm.Yi.c,
  2591. gctx->gcm.Xi.u);
  2592. gctx->gcm.len.u[1] += bulk;
  2593. bulk += res;
  2594. }
  2595. #endif
  2596. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
  2597. in + bulk,
  2598. out + bulk,
  2599. len - bulk, gctx->ctr))
  2600. return -1;
  2601. } else {
  2602. size_t bulk = 0;
  2603. #if defined(AES_GCM_ASM2)
  2604. if (len >= 32 && AES_GCM_ASM2(gctx)) {
  2605. size_t res = (16 - gctx->gcm.mres) % 16;
  2606. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
  2607. return -1;
  2608. bulk = AES_gcm_encrypt(in + res,
  2609. out + res, len - res,
  2610. gctx->gcm.key, gctx->gcm.Yi.c,
  2611. gctx->gcm.Xi.u);
  2612. gctx->gcm.len.u[1] += bulk;
  2613. bulk += res;
  2614. }
  2615. #endif
  2616. if (CRYPTO_gcm128_encrypt(&gctx->gcm,
  2617. in + bulk, out + bulk, len - bulk))
  2618. return -1;
  2619. }
  2620. } else {
  2621. if (gctx->ctr) {
  2622. size_t bulk = 0;
  2623. #if defined(AES_GCM_ASM)
  2624. if (len >= 16 && AES_GCM_ASM(gctx)) {
  2625. size_t res = (16 - gctx->gcm.mres) % 16;
  2626. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
  2627. return -1;
  2628. bulk = AES_gcm_decrypt(in + res,
  2629. out + res, len - res,
  2630. gctx->gcm.key,
  2631. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2632. gctx->gcm.len.u[1] += bulk;
  2633. bulk += res;
  2634. }
  2635. #endif
  2636. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
  2637. in + bulk,
  2638. out + bulk,
  2639. len - bulk, gctx->ctr))
  2640. return -1;
  2641. } else {
  2642. size_t bulk = 0;
  2643. #if defined(AES_GCM_ASM2)
  2644. if (len >= 16 && AES_GCM_ASM2(gctx)) {
  2645. size_t res = (16 - gctx->gcm.mres) % 16;
  2646. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
  2647. return -1;
  2648. bulk = AES_gcm_decrypt(in + res,
  2649. out + res, len - res,
  2650. gctx->gcm.key,
  2651. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2652. gctx->gcm.len.u[1] += bulk;
  2653. bulk += res;
  2654. }
  2655. #endif
  2656. if (CRYPTO_gcm128_decrypt(&gctx->gcm,
  2657. in + bulk, out + bulk, len - bulk))
  2658. return -1;
  2659. }
  2660. }
  2661. return len;
  2662. } else {
  2663. if (!ctx->encrypt) {
  2664. if (gctx->taglen < 0)
  2665. return -1;
  2666. if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0)
  2667. return -1;
  2668. gctx->iv_set = 0;
  2669. return 0;
  2670. }
  2671. CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
  2672. gctx->taglen = 16;
  2673. /* Don't reuse the IV */
  2674. gctx->iv_set = 0;
  2675. return 0;
  2676. }
  2677. }
  2678. #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
  2679. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  2680. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
  2681. | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
  2682. BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
  2683. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2684. BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
  2685. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2686. BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
  2687. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2688. static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2689. {
  2690. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX, c);
  2691. if (type == EVP_CTRL_COPY) {
  2692. EVP_CIPHER_CTX *out = ptr;
  2693. EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
  2694. if (xctx->xts.key1) {
  2695. if (xctx->xts.key1 != &xctx->ks1)
  2696. return 0;
  2697. xctx_out->xts.key1 = &xctx_out->ks1;
  2698. }
  2699. if (xctx->xts.key2) {
  2700. if (xctx->xts.key2 != &xctx->ks2)
  2701. return 0;
  2702. xctx_out->xts.key2 = &xctx_out->ks2;
  2703. }
  2704. return 1;
  2705. } else if (type != EVP_CTRL_INIT)
  2706. return -1;
  2707. /* key1 and key2 are used as an indicator both key and IV are set */
  2708. xctx->xts.key1 = NULL;
  2709. xctx->xts.key2 = NULL;
  2710. return 1;
  2711. }
  2712. static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2713. const unsigned char *iv, int enc)
  2714. {
  2715. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  2716. if (!iv && !key)
  2717. return 1;
  2718. if (key) {
  2719. do {
  2720. /* The key is two half length keys in reality */
  2721. const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
  2722. const int bits = bytes * 8;
  2723. /*
  2724. * Verify that the two keys are different.
  2725. *
  2726. * This addresses the vulnerability described in Rogaway's
  2727. * September 2004 paper:
  2728. *
  2729. * "Efficient Instantiations of Tweakable Blockciphers and
  2730. * Refinements to Modes OCB and PMAC".
  2731. * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
  2732. *
  2733. * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
  2734. * that:
  2735. * "The check for Key_1 != Key_2 shall be done at any place
  2736. * BEFORE using the keys in the XTS-AES algorithm to process
  2737. * data with them."
  2738. */
  2739. if ((!allow_insecure_decrypt || enc)
  2740. && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
  2741. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
  2742. return 0;
  2743. }
  2744. #ifdef AES_XTS_ASM
  2745. xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
  2746. #else
  2747. xctx->stream = NULL;
  2748. #endif
  2749. /* key_len is two AES keys */
  2750. #ifdef HWAES_CAPABLE
  2751. if (HWAES_CAPABLE) {
  2752. if (enc) {
  2753. HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks);
  2754. xctx->xts.block1 = (block128_f) HWAES_encrypt;
  2755. # ifdef HWAES_xts_encrypt
  2756. xctx->stream = HWAES_xts_encrypt;
  2757. # endif
  2758. } else {
  2759. HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks);
  2760. xctx->xts.block1 = (block128_f) HWAES_decrypt;
  2761. # ifdef HWAES_xts_decrypt
  2762. xctx->stream = HWAES_xts_decrypt;
  2763. #endif
  2764. }
  2765. HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  2766. xctx->xts.block2 = (block128_f) HWAES_encrypt;
  2767. xctx->xts.key1 = &xctx->ks1;
  2768. break;
  2769. } else
  2770. #endif
  2771. #ifdef BSAES_CAPABLE
  2772. if (BSAES_CAPABLE)
  2773. xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
  2774. else
  2775. #endif
  2776. #ifdef VPAES_CAPABLE
  2777. if (VPAES_CAPABLE) {
  2778. if (enc) {
  2779. vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks);
  2780. xctx->xts.block1 = (block128_f) vpaes_encrypt;
  2781. } else {
  2782. vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks);
  2783. xctx->xts.block1 = (block128_f) vpaes_decrypt;
  2784. }
  2785. vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  2786. xctx->xts.block2 = (block128_f) vpaes_encrypt;
  2787. xctx->xts.key1 = &xctx->ks1;
  2788. break;
  2789. } else
  2790. #endif
  2791. (void)0; /* terminate potentially open 'else' */
  2792. if (enc) {
  2793. AES_set_encrypt_key(key, bits, &xctx->ks1.ks);
  2794. xctx->xts.block1 = (block128_f) AES_encrypt;
  2795. } else {
  2796. AES_set_decrypt_key(key, bits, &xctx->ks1.ks);
  2797. xctx->xts.block1 = (block128_f) AES_decrypt;
  2798. }
  2799. AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  2800. xctx->xts.block2 = (block128_f) AES_encrypt;
  2801. xctx->xts.key1 = &xctx->ks1;
  2802. } while (0);
  2803. }
  2804. if (iv) {
  2805. xctx->xts.key2 = &xctx->ks2;
  2806. memcpy(ctx->iv, iv, 16);
  2807. }
  2808. return 1;
  2809. }
  2810. static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2811. const unsigned char *in, size_t len)
  2812. {
  2813. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  2814. if (xctx->xts.key1 == NULL
  2815. || xctx->xts.key2 == NULL
  2816. || out == NULL
  2817. || in == NULL
  2818. || len < AES_BLOCK_SIZE)
  2819. return 0;
  2820. /*
  2821. * Impose a limit of 2^20 blocks per data unit as specified by
  2822. * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007
  2823. * indicated that this was a SHOULD NOT rather than a MUST NOT.
  2824. * NIST SP 800-38E mandates the same limit.
  2825. */
  2826. if (len > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
  2827. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE);
  2828. return 0;
  2829. }
  2830. if (xctx->stream)
  2831. (*xctx->stream) (in, out, len,
  2832. xctx->xts.key1, xctx->xts.key2,
  2833. ctx->iv);
  2834. else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
  2835. EVP_CIPHER_CTX_encrypting(ctx)))
  2836. return 0;
  2837. return 1;
  2838. }
  2839. #define aes_xts_cleanup NULL
  2840. #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
  2841. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
  2842. | EVP_CIPH_CUSTOM_COPY)
  2843. BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
  2844. BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
  2845. static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2846. {
  2847. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c);
  2848. switch (type) {
  2849. case EVP_CTRL_INIT:
  2850. cctx->key_set = 0;
  2851. cctx->iv_set = 0;
  2852. cctx->L = 8;
  2853. cctx->M = 12;
  2854. cctx->tag_set = 0;
  2855. cctx->len_set = 0;
  2856. cctx->tls_aad_len = -1;
  2857. return 1;
  2858. case EVP_CTRL_GET_IVLEN:
  2859. *(int *)ptr = 15 - cctx->L;
  2860. return 1;
  2861. case EVP_CTRL_AEAD_TLS1_AAD:
  2862. /* Save the AAD for later use */
  2863. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  2864. return 0;
  2865. memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
  2866. cctx->tls_aad_len = arg;
  2867. {
  2868. uint16_t len =
  2869. EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
  2870. | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
  2871. /* Correct length for explicit IV */
  2872. if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
  2873. return 0;
  2874. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
  2875. /* If decrypting correct for tag too */
  2876. if (!EVP_CIPHER_CTX_encrypting(c)) {
  2877. if (len < cctx->M)
  2878. return 0;
  2879. len -= cctx->M;
  2880. }
  2881. EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
  2882. EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
  2883. }
  2884. /* Extra padding: tag appended to record */
  2885. return cctx->M;
  2886. case EVP_CTRL_CCM_SET_IV_FIXED:
  2887. /* Sanity check length */
  2888. if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
  2889. return 0;
  2890. /* Just copy to first part of IV */
  2891. memcpy(c->iv, ptr, arg);
  2892. return 1;
  2893. case EVP_CTRL_AEAD_SET_IVLEN:
  2894. arg = 15 - arg;
  2895. /* fall thru */
  2896. case EVP_CTRL_CCM_SET_L:
  2897. if (arg < 2 || arg > 8)
  2898. return 0;
  2899. cctx->L = arg;
  2900. return 1;
  2901. case EVP_CTRL_AEAD_SET_TAG:
  2902. if ((arg & 1) || arg < 4 || arg > 16)
  2903. return 0;
  2904. if (EVP_CIPHER_CTX_encrypting(c) && ptr)
  2905. return 0;
  2906. if (ptr) {
  2907. cctx->tag_set = 1;
  2908. memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
  2909. }
  2910. cctx->M = arg;
  2911. return 1;
  2912. case EVP_CTRL_AEAD_GET_TAG:
  2913. if (!EVP_CIPHER_CTX_encrypting(c) || !cctx->tag_set)
  2914. return 0;
  2915. if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
  2916. return 0;
  2917. cctx->tag_set = 0;
  2918. cctx->iv_set = 0;
  2919. cctx->len_set = 0;
  2920. return 1;
  2921. case EVP_CTRL_COPY:
  2922. {
  2923. EVP_CIPHER_CTX *out = ptr;
  2924. EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out);
  2925. if (cctx->ccm.key) {
  2926. if (cctx->ccm.key != &cctx->ks)
  2927. return 0;
  2928. cctx_out->ccm.key = &cctx_out->ks;
  2929. }
  2930. return 1;
  2931. }
  2932. default:
  2933. return -1;
  2934. }
  2935. }
  2936. static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2937. const unsigned char *iv, int enc)
  2938. {
  2939. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  2940. if (!iv && !key)
  2941. return 1;
  2942. if (key)
  2943. do {
  2944. #ifdef HWAES_CAPABLE
  2945. if (HWAES_CAPABLE) {
  2946. HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2947. &cctx->ks.ks);
  2948. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  2949. &cctx->ks, (block128_f) HWAES_encrypt);
  2950. cctx->str = NULL;
  2951. cctx->key_set = 1;
  2952. break;
  2953. } else
  2954. #endif
  2955. #ifdef VPAES_CAPABLE
  2956. if (VPAES_CAPABLE) {
  2957. vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2958. &cctx->ks.ks);
  2959. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  2960. &cctx->ks, (block128_f) vpaes_encrypt);
  2961. cctx->str = NULL;
  2962. cctx->key_set = 1;
  2963. break;
  2964. }
  2965. #endif
  2966. AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  2967. &cctx->ks.ks);
  2968. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  2969. &cctx->ks, (block128_f) AES_encrypt);
  2970. cctx->str = NULL;
  2971. cctx->key_set = 1;
  2972. } while (0);
  2973. if (iv) {
  2974. memcpy(ctx->iv, iv, 15 - cctx->L);
  2975. cctx->iv_set = 1;
  2976. }
  2977. return 1;
  2978. }
  2979. static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2980. const unsigned char *in, size_t len)
  2981. {
  2982. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  2983. CCM128_CONTEXT *ccm = &cctx->ccm;
  2984. /* Encrypt/decrypt must be performed in place */
  2985. if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
  2986. return -1;
  2987. /* If encrypting set explicit IV from sequence number (start of AAD) */
  2988. if (EVP_CIPHER_CTX_encrypting(ctx))
  2989. memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx),
  2990. EVP_CCM_TLS_EXPLICIT_IV_LEN);
  2991. /* Get rest of IV from explicit IV */
  2992. memcpy(ctx->iv + EVP_CCM_TLS_FIXED_IV_LEN, in,
  2993. EVP_CCM_TLS_EXPLICIT_IV_LEN);
  2994. /* Correct length value */
  2995. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
  2996. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,
  2997. len))
  2998. return -1;
  2999. /* Use saved AAD */
  3000. CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx), cctx->tls_aad_len);
  3001. /* Fix buffer to point to payload */
  3002. in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  3003. out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  3004. if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3005. if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
  3006. cctx->str) :
  3007. CRYPTO_ccm128_encrypt(ccm, in, out, len))
  3008. return -1;
  3009. if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
  3010. return -1;
  3011. return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
  3012. } else {
  3013. if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
  3014. cctx->str) :
  3015. !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
  3016. unsigned char tag[16];
  3017. if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
  3018. if (!CRYPTO_memcmp(tag, in + len, cctx->M))
  3019. return len;
  3020. }
  3021. }
  3022. OPENSSL_cleanse(out, len);
  3023. return -1;
  3024. }
  3025. }
  3026. static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3027. const unsigned char *in, size_t len)
  3028. {
  3029. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  3030. CCM128_CONTEXT *ccm = &cctx->ccm;
  3031. /* If not set up, return error */
  3032. if (!cctx->key_set)
  3033. return -1;
  3034. if (cctx->tls_aad_len >= 0)
  3035. return aes_ccm_tls_cipher(ctx, out, in, len);
  3036. /* EVP_*Final() doesn't return any data */
  3037. if (in == NULL && out != NULL)
  3038. return 0;
  3039. if (!cctx->iv_set)
  3040. return -1;
  3041. if (!out) {
  3042. if (!in) {
  3043. if (CRYPTO_ccm128_setiv(ccm, ctx->iv,
  3044. 15 - cctx->L, len))
  3045. return -1;
  3046. cctx->len_set = 1;
  3047. return len;
  3048. }
  3049. /* If have AAD need message length */
  3050. if (!cctx->len_set && len)
  3051. return -1;
  3052. CRYPTO_ccm128_aad(ccm, in, len);
  3053. return len;
  3054. }
  3055. /* The tag must be set before actually decrypting data */
  3056. if (!EVP_CIPHER_CTX_encrypting(ctx) && !cctx->tag_set)
  3057. return -1;
  3058. /* If not set length yet do it */
  3059. if (!cctx->len_set) {
  3060. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
  3061. return -1;
  3062. cctx->len_set = 1;
  3063. }
  3064. if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3065. if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
  3066. cctx->str) :
  3067. CRYPTO_ccm128_encrypt(ccm, in, out, len))
  3068. return -1;
  3069. cctx->tag_set = 1;
  3070. return len;
  3071. } else {
  3072. int rv = -1;
  3073. if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
  3074. cctx->str) :
  3075. !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
  3076. unsigned char tag[16];
  3077. if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
  3078. if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx),
  3079. cctx->M))
  3080. rv = len;
  3081. }
  3082. }
  3083. if (rv == -1)
  3084. OPENSSL_cleanse(out, len);
  3085. cctx->iv_set = 0;
  3086. cctx->tag_set = 0;
  3087. cctx->len_set = 0;
  3088. return rv;
  3089. }
  3090. }
  3091. #define aes_ccm_cleanup NULL
  3092. BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
  3093. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3094. BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
  3095. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3096. BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
  3097. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3098. typedef struct {
  3099. union {
  3100. OSSL_UNION_ALIGN;
  3101. AES_KEY ks;
  3102. } ks;
  3103. /* Indicates if IV has been set */
  3104. unsigned char *iv;
  3105. } EVP_AES_WRAP_CTX;
  3106. static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3107. const unsigned char *iv, int enc)
  3108. {
  3109. EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
  3110. if (!iv && !key)
  3111. return 1;
  3112. if (key) {
  3113. if (EVP_CIPHER_CTX_encrypting(ctx))
  3114. AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3115. &wctx->ks.ks);
  3116. else
  3117. AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3118. &wctx->ks.ks);
  3119. if (!iv)
  3120. wctx->iv = NULL;
  3121. }
  3122. if (iv) {
  3123. memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
  3124. wctx->iv = ctx->iv;
  3125. }
  3126. return 1;
  3127. }
  3128. static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3129. const unsigned char *in, size_t inlen)
  3130. {
  3131. EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
  3132. size_t rv;
  3133. /* AES wrap with padding has IV length of 4, without padding 8 */
  3134. int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
  3135. /* No final operation so always return zero length */
  3136. if (!in)
  3137. return 0;
  3138. /* Input length must always be non-zero */
  3139. if (!inlen)
  3140. return -1;
  3141. /* If decrypting need at least 16 bytes and multiple of 8 */
  3142. if (!EVP_CIPHER_CTX_encrypting(ctx) && (inlen < 16 || inlen & 0x7))
  3143. return -1;
  3144. /* If not padding input must be multiple of 8 */
  3145. if (!pad && inlen & 0x7)
  3146. return -1;
  3147. if (ossl_is_partially_overlapping(out, in, inlen)) {
  3148. ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
  3149. return 0;
  3150. }
  3151. if (!out) {
  3152. if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3153. /* If padding round up to multiple of 8 */
  3154. if (pad)
  3155. inlen = (inlen + 7) / 8 * 8;
  3156. /* 8 byte prefix */
  3157. return inlen + 8;
  3158. } else {
  3159. /*
  3160. * If not padding output will be exactly 8 bytes smaller than
  3161. * input. If padding it will be at least 8 bytes smaller but we
  3162. * don't know how much.
  3163. */
  3164. return inlen - 8;
  3165. }
  3166. }
  3167. if (pad) {
  3168. if (EVP_CIPHER_CTX_encrypting(ctx))
  3169. rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
  3170. out, in, inlen,
  3171. (block128_f) AES_encrypt);
  3172. else
  3173. rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
  3174. out, in, inlen,
  3175. (block128_f) AES_decrypt);
  3176. } else {
  3177. if (EVP_CIPHER_CTX_encrypting(ctx))
  3178. rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
  3179. out, in, inlen, (block128_f) AES_encrypt);
  3180. else
  3181. rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
  3182. out, in, inlen, (block128_f) AES_decrypt);
  3183. }
  3184. return rv ? (int)rv : -1;
  3185. }
  3186. #define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
  3187. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  3188. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
  3189. static const EVP_CIPHER aes_128_wrap = {
  3190. NID_id_aes128_wrap,
  3191. 8, 16, 8, WRAP_FLAGS,
  3192. aes_wrap_init_key, aes_wrap_cipher,
  3193. NULL,
  3194. sizeof(EVP_AES_WRAP_CTX),
  3195. NULL, NULL, NULL, NULL
  3196. };
  3197. const EVP_CIPHER *EVP_aes_128_wrap(void)
  3198. {
  3199. return &aes_128_wrap;
  3200. }
  3201. static const EVP_CIPHER aes_192_wrap = {
  3202. NID_id_aes192_wrap,
  3203. 8, 24, 8, WRAP_FLAGS,
  3204. aes_wrap_init_key, aes_wrap_cipher,
  3205. NULL,
  3206. sizeof(EVP_AES_WRAP_CTX),
  3207. NULL, NULL, NULL, NULL
  3208. };
  3209. const EVP_CIPHER *EVP_aes_192_wrap(void)
  3210. {
  3211. return &aes_192_wrap;
  3212. }
  3213. static const EVP_CIPHER aes_256_wrap = {
  3214. NID_id_aes256_wrap,
  3215. 8, 32, 8, WRAP_FLAGS,
  3216. aes_wrap_init_key, aes_wrap_cipher,
  3217. NULL,
  3218. sizeof(EVP_AES_WRAP_CTX),
  3219. NULL, NULL, NULL, NULL
  3220. };
  3221. const EVP_CIPHER *EVP_aes_256_wrap(void)
  3222. {
  3223. return &aes_256_wrap;
  3224. }
  3225. static const EVP_CIPHER aes_128_wrap_pad = {
  3226. NID_id_aes128_wrap_pad,
  3227. 8, 16, 4, WRAP_FLAGS,
  3228. aes_wrap_init_key, aes_wrap_cipher,
  3229. NULL,
  3230. sizeof(EVP_AES_WRAP_CTX),
  3231. NULL, NULL, NULL, NULL
  3232. };
  3233. const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
  3234. {
  3235. return &aes_128_wrap_pad;
  3236. }
  3237. static const EVP_CIPHER aes_192_wrap_pad = {
  3238. NID_id_aes192_wrap_pad,
  3239. 8, 24, 4, WRAP_FLAGS,
  3240. aes_wrap_init_key, aes_wrap_cipher,
  3241. NULL,
  3242. sizeof(EVP_AES_WRAP_CTX),
  3243. NULL, NULL, NULL, NULL
  3244. };
  3245. const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
  3246. {
  3247. return &aes_192_wrap_pad;
  3248. }
  3249. static const EVP_CIPHER aes_256_wrap_pad = {
  3250. NID_id_aes256_wrap_pad,
  3251. 8, 32, 4, WRAP_FLAGS,
  3252. aes_wrap_init_key, aes_wrap_cipher,
  3253. NULL,
  3254. sizeof(EVP_AES_WRAP_CTX),
  3255. NULL, NULL, NULL, NULL
  3256. };
  3257. const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
  3258. {
  3259. return &aes_256_wrap_pad;
  3260. }
  3261. #ifndef OPENSSL_NO_OCB
  3262. static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  3263. {
  3264. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
  3265. EVP_CIPHER_CTX *newc;
  3266. EVP_AES_OCB_CTX *new_octx;
  3267. switch (type) {
  3268. case EVP_CTRL_INIT:
  3269. octx->key_set = 0;
  3270. octx->iv_set = 0;
  3271. octx->ivlen = EVP_CIPHER_iv_length(c->cipher);
  3272. octx->iv = c->iv;
  3273. octx->taglen = 16;
  3274. octx->data_buf_len = 0;
  3275. octx->aad_buf_len = 0;
  3276. return 1;
  3277. case EVP_CTRL_GET_IVLEN:
  3278. *(int *)ptr = octx->ivlen;
  3279. return 1;
  3280. case EVP_CTRL_AEAD_SET_IVLEN:
  3281. /* IV len must be 1 to 15 */
  3282. if (arg <= 0 || arg > 15)
  3283. return 0;
  3284. octx->ivlen = arg;
  3285. return 1;
  3286. case EVP_CTRL_AEAD_SET_TAG:
  3287. if (ptr == NULL) {
  3288. /* Tag len must be 0 to 16 */
  3289. if (arg < 0 || arg > 16)
  3290. return 0;
  3291. octx->taglen = arg;
  3292. return 1;
  3293. }
  3294. if (arg != octx->taglen || EVP_CIPHER_CTX_encrypting(c))
  3295. return 0;
  3296. memcpy(octx->tag, ptr, arg);
  3297. return 1;
  3298. case EVP_CTRL_AEAD_GET_TAG:
  3299. if (arg != octx->taglen || !EVP_CIPHER_CTX_encrypting(c))
  3300. return 0;
  3301. memcpy(ptr, octx->tag, arg);
  3302. return 1;
  3303. case EVP_CTRL_COPY:
  3304. newc = (EVP_CIPHER_CTX *)ptr;
  3305. new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc);
  3306. return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb,
  3307. &new_octx->ksenc.ks,
  3308. &new_octx->ksdec.ks);
  3309. default:
  3310. return -1;
  3311. }
  3312. }
  3313. static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3314. const unsigned char *iv, int enc)
  3315. {
  3316. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  3317. if (!iv && !key)
  3318. return 1;
  3319. if (key) {
  3320. do {
  3321. /*
  3322. * We set both the encrypt and decrypt key here because decrypt
  3323. * needs both. We could possibly optimise to remove setting the
  3324. * decrypt for an encryption operation.
  3325. */
  3326. # ifdef HWAES_CAPABLE
  3327. if (HWAES_CAPABLE) {
  3328. HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3329. &octx->ksenc.ks);
  3330. HWAES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3331. &octx->ksdec.ks);
  3332. if (!CRYPTO_ocb128_init(&octx->ocb,
  3333. &octx->ksenc.ks, &octx->ksdec.ks,
  3334. (block128_f) HWAES_encrypt,
  3335. (block128_f) HWAES_decrypt,
  3336. enc ? HWAES_ocb_encrypt
  3337. : HWAES_ocb_decrypt))
  3338. return 0;
  3339. break;
  3340. }
  3341. # endif
  3342. # ifdef VPAES_CAPABLE
  3343. if (VPAES_CAPABLE) {
  3344. vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3345. &octx->ksenc.ks);
  3346. vpaes_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3347. &octx->ksdec.ks);
  3348. if (!CRYPTO_ocb128_init(&octx->ocb,
  3349. &octx->ksenc.ks, &octx->ksdec.ks,
  3350. (block128_f) vpaes_encrypt,
  3351. (block128_f) vpaes_decrypt,
  3352. NULL))
  3353. return 0;
  3354. break;
  3355. }
  3356. # endif
  3357. AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3358. &octx->ksenc.ks);
  3359. AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  3360. &octx->ksdec.ks);
  3361. if (!CRYPTO_ocb128_init(&octx->ocb,
  3362. &octx->ksenc.ks, &octx->ksdec.ks,
  3363. (block128_f) AES_encrypt,
  3364. (block128_f) AES_decrypt,
  3365. NULL))
  3366. return 0;
  3367. }
  3368. while (0);
  3369. /*
  3370. * If we have an iv we can set it directly, otherwise use saved IV.
  3371. */
  3372. if (iv == NULL && octx->iv_set)
  3373. iv = octx->iv;
  3374. if (iv) {
  3375. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  3376. != 1)
  3377. return 0;
  3378. octx->iv_set = 1;
  3379. }
  3380. octx->key_set = 1;
  3381. } else {
  3382. /* If key set use IV, otherwise copy */
  3383. if (octx->key_set)
  3384. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  3385. else
  3386. memcpy(octx->iv, iv, octx->ivlen);
  3387. octx->iv_set = 1;
  3388. }
  3389. return 1;
  3390. }
  3391. static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3392. const unsigned char *in, size_t len)
  3393. {
  3394. unsigned char *buf;
  3395. int *buf_len;
  3396. int written_len = 0;
  3397. size_t trailing_len;
  3398. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  3399. /* If IV or Key not set then return error */
  3400. if (!octx->iv_set)
  3401. return -1;
  3402. if (!octx->key_set)
  3403. return -1;
  3404. if (in != NULL) {
  3405. /*
  3406. * Need to ensure we are only passing full blocks to low level OCB
  3407. * routines. We do it here rather than in EVP_EncryptUpdate/
  3408. * EVP_DecryptUpdate because we need to pass full blocks of AAD too
  3409. * and those routines don't support that
  3410. */
  3411. /* Are we dealing with AAD or normal data here? */
  3412. if (out == NULL) {
  3413. buf = octx->aad_buf;
  3414. buf_len = &(octx->aad_buf_len);
  3415. } else {
  3416. buf = octx->data_buf;
  3417. buf_len = &(octx->data_buf_len);
  3418. if (ossl_is_partially_overlapping(out + *buf_len, in, len)) {
  3419. ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
  3420. return 0;
  3421. }
  3422. }
  3423. /*
  3424. * If we've got a partially filled buffer from a previous call then
  3425. * use that data first
  3426. */
  3427. if (*buf_len > 0) {
  3428. unsigned int remaining;
  3429. remaining = AES_BLOCK_SIZE - (*buf_len);
  3430. if (remaining > len) {
  3431. memcpy(buf + (*buf_len), in, len);
  3432. *(buf_len) += len;
  3433. return 0;
  3434. }
  3435. memcpy(buf + (*buf_len), in, remaining);
  3436. /*
  3437. * If we get here we've filled the buffer, so process it
  3438. */
  3439. len -= remaining;
  3440. in += remaining;
  3441. if (out == NULL) {
  3442. if (!CRYPTO_ocb128_aad(&octx->ocb, buf, AES_BLOCK_SIZE))
  3443. return -1;
  3444. } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3445. if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out,
  3446. AES_BLOCK_SIZE))
  3447. return -1;
  3448. } else {
  3449. if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out,
  3450. AES_BLOCK_SIZE))
  3451. return -1;
  3452. }
  3453. written_len = AES_BLOCK_SIZE;
  3454. *buf_len = 0;
  3455. if (out != NULL)
  3456. out += AES_BLOCK_SIZE;
  3457. }
  3458. /* Do we have a partial block to handle at the end? */
  3459. trailing_len = len % AES_BLOCK_SIZE;
  3460. /*
  3461. * If we've got some full blocks to handle, then process these first
  3462. */
  3463. if (len != trailing_len) {
  3464. if (out == NULL) {
  3465. if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len))
  3466. return -1;
  3467. } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3468. if (!CRYPTO_ocb128_encrypt
  3469. (&octx->ocb, in, out, len - trailing_len))
  3470. return -1;
  3471. } else {
  3472. if (!CRYPTO_ocb128_decrypt
  3473. (&octx->ocb, in, out, len - trailing_len))
  3474. return -1;
  3475. }
  3476. written_len += len - trailing_len;
  3477. in += len - trailing_len;
  3478. }
  3479. /* Handle any trailing partial block */
  3480. if (trailing_len > 0) {
  3481. memcpy(buf, in, trailing_len);
  3482. *buf_len = trailing_len;
  3483. }
  3484. return written_len;
  3485. } else {
  3486. /*
  3487. * First of all empty the buffer of any partial block that we might
  3488. * have been provided - both for data and AAD
  3489. */
  3490. if (octx->data_buf_len > 0) {
  3491. if (EVP_CIPHER_CTX_encrypting(ctx)) {
  3492. if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out,
  3493. octx->data_buf_len))
  3494. return -1;
  3495. } else {
  3496. if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out,
  3497. octx->data_buf_len))
  3498. return -1;
  3499. }
  3500. written_len = octx->data_buf_len;
  3501. octx->data_buf_len = 0;
  3502. }
  3503. if (octx->aad_buf_len > 0) {
  3504. if (!CRYPTO_ocb128_aad
  3505. (&octx->ocb, octx->aad_buf, octx->aad_buf_len))
  3506. return -1;
  3507. octx->aad_buf_len = 0;
  3508. }
  3509. /* If decrypting then verify */
  3510. if (!EVP_CIPHER_CTX_encrypting(ctx)) {
  3511. if (octx->taglen < 0)
  3512. return -1;
  3513. if (CRYPTO_ocb128_finish(&octx->ocb,
  3514. octx->tag, octx->taglen) != 0)
  3515. return -1;
  3516. octx->iv_set = 0;
  3517. return written_len;
  3518. }
  3519. /* If encrypting then just get the tag */
  3520. if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1)
  3521. return -1;
  3522. /* Don't reuse the IV */
  3523. octx->iv_set = 0;
  3524. return written_len;
  3525. }
  3526. }
  3527. static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
  3528. {
  3529. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
  3530. CRYPTO_ocb128_cleanup(&octx->ocb);
  3531. return 1;
  3532. }
  3533. BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
  3534. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3535. BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
  3536. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3537. BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
  3538. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3539. #endif /* OPENSSL_NO_OCB */