e_aes.c 134 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154
  1. /*
  2. * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * This file uses the low-level AES functions (which are deprecated for
  11. * non-internal use) in order to implement the EVP AES ciphers.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <string.h>
  15. #include <assert.h>
  16. #include <openssl/opensslconf.h>
  17. #include <openssl/crypto.h>
  18. #include <openssl/evp.h>
  19. #include <openssl/err.h>
  20. #include <openssl/aes.h>
  21. #include <openssl/rand.h>
  22. #include <openssl/cmac.h>
  23. #include "crypto/evp.h"
  24. #include "internal/cryptlib.h"
  25. #include "crypto/modes.h"
  26. #include "crypto/siv.h"
  27. #include "crypto/aes_platform.h"
  28. #include "evp_local.h"
  29. typedef struct {
  30. union {
  31. OSSL_UNION_ALIGN;
  32. AES_KEY ks;
  33. } ks;
  34. block128_f block;
  35. union {
  36. cbc128_f cbc;
  37. ctr128_f ctr;
  38. } stream;
  39. } EVP_AES_KEY;
  40. typedef struct {
  41. union {
  42. OSSL_UNION_ALIGN;
  43. AES_KEY ks;
  44. } ks; /* AES key schedule to use */
  45. int key_set; /* Set if key initialised */
  46. int iv_set; /* Set if an iv is set */
  47. GCM128_CONTEXT gcm;
  48. unsigned char *iv; /* Temporary IV store */
  49. int ivlen; /* IV length */
  50. int taglen;
  51. int iv_gen; /* It is OK to generate IVs */
  52. int iv_gen_rand; /* No IV was specified, so generate a rand IV */
  53. int tls_aad_len; /* TLS AAD length */
  54. uint64_t tls_enc_records; /* Number of TLS records encrypted */
  55. ctr128_f ctr;
  56. } EVP_AES_GCM_CTX;
  57. typedef struct {
  58. union {
  59. OSSL_UNION_ALIGN;
  60. AES_KEY ks;
  61. } ks1, ks2; /* AES key schedules to use */
  62. XTS128_CONTEXT xts;
  63. void (*stream) (const unsigned char *in,
  64. unsigned char *out, size_t length,
  65. const AES_KEY *key1, const AES_KEY *key2,
  66. const unsigned char iv[16]);
  67. } EVP_AES_XTS_CTX;
  68. #ifdef FIPS_MODULE
  69. static const int allow_insecure_decrypt = 0;
  70. #else
  71. static const int allow_insecure_decrypt = 1;
  72. #endif
  73. typedef struct {
  74. union {
  75. OSSL_UNION_ALIGN;
  76. AES_KEY ks;
  77. } ks; /* AES key schedule to use */
  78. int key_set; /* Set if key initialised */
  79. int iv_set; /* Set if an iv is set */
  80. int tag_set; /* Set if tag is valid */
  81. int len_set; /* Set if message length set */
  82. int L, M; /* L and M parameters from RFC3610 */
  83. int tls_aad_len; /* TLS AAD length */
  84. CCM128_CONTEXT ccm;
  85. ccm128_f str;
  86. } EVP_AES_CCM_CTX;
  87. #ifndef OPENSSL_NO_OCB
  88. typedef struct {
  89. union {
  90. OSSL_UNION_ALIGN;
  91. AES_KEY ks;
  92. } ksenc; /* AES key schedule to use for encryption */
  93. union {
  94. OSSL_UNION_ALIGN;
  95. AES_KEY ks;
  96. } ksdec; /* AES key schedule to use for decryption */
  97. int key_set; /* Set if key initialised */
  98. int iv_set; /* Set if an iv is set */
  99. OCB128_CONTEXT ocb;
  100. unsigned char *iv; /* Temporary IV store */
  101. unsigned char tag[16];
  102. unsigned char data_buf[16]; /* Store partial data blocks */
  103. unsigned char aad_buf[16]; /* Store partial AAD blocks */
  104. int data_buf_len;
  105. int aad_buf_len;
  106. int ivlen; /* IV length */
  107. int taglen;
  108. } EVP_AES_OCB_CTX;
  109. #endif
  110. #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
  111. /* increment counter (64-bit int) by 1 */
  112. static void ctr64_inc(unsigned char *counter)
  113. {
  114. int n = 8;
  115. unsigned char c;
  116. do {
  117. --n;
  118. c = counter[n];
  119. ++c;
  120. counter[n] = c;
  121. if (c)
  122. return;
  123. } while (n);
  124. }
  125. #if defined(AESNI_CAPABLE)
  126. # if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
  127. # define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
  128. gctx->gcm.ghash==gcm_ghash_avx)
  129. # undef AES_GCM_ASM2 /* minor size optimization */
  130. # endif
  131. static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  132. const unsigned char *iv, int enc)
  133. {
  134. int ret, mode;
  135. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  136. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  137. if (keylen <= 0) {
  138. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  139. return 0;
  140. }
  141. mode = EVP_CIPHER_CTX_get_mode(ctx);
  142. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  143. && !enc) {
  144. ret = aesni_set_decrypt_key(key, keylen, &dat->ks.ks);
  145. dat->block = (block128_f) aesni_decrypt;
  146. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  147. (cbc128_f) aesni_cbc_encrypt : NULL;
  148. } else {
  149. ret = aesni_set_encrypt_key(key, keylen, &dat->ks.ks);
  150. dat->block = (block128_f) aesni_encrypt;
  151. if (mode == EVP_CIPH_CBC_MODE)
  152. dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
  153. else if (mode == EVP_CIPH_CTR_MODE)
  154. dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
  155. else
  156. dat->stream.cbc = NULL;
  157. }
  158. if (ret < 0) {
  159. ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
  160. return 0;
  161. }
  162. return 1;
  163. }
  164. static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  165. const unsigned char *in, size_t len)
  166. {
  167. aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
  168. ctx->iv, EVP_CIPHER_CTX_is_encrypting(ctx));
  169. return 1;
  170. }
  171. static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  172. const unsigned char *in, size_t len)
  173. {
  174. size_t bl = EVP_CIPHER_CTX_get_block_size(ctx);
  175. if (len < bl)
  176. return 1;
  177. aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
  178. EVP_CIPHER_CTX_is_encrypting(ctx));
  179. return 1;
  180. }
  181. # define aesni_ofb_cipher aes_ofb_cipher
  182. static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  183. const unsigned char *in, size_t len);
  184. # define aesni_cfb_cipher aes_cfb_cipher
  185. static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  186. const unsigned char *in, size_t len);
  187. # define aesni_cfb8_cipher aes_cfb8_cipher
  188. static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  189. const unsigned char *in, size_t len);
  190. # define aesni_cfb1_cipher aes_cfb1_cipher
  191. static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  192. const unsigned char *in, size_t len);
  193. # define aesni_ctr_cipher aes_ctr_cipher
  194. static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  195. const unsigned char *in, size_t len);
  196. static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  197. const unsigned char *iv, int enc)
  198. {
  199. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX, ctx);
  200. if (iv == NULL && key == NULL)
  201. return 1;
  202. if (key) {
  203. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  204. if (keylen <= 0) {
  205. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  206. return 0;
  207. }
  208. aesni_set_encrypt_key(key, keylen, &gctx->ks.ks);
  209. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
  210. gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
  211. /*
  212. * If we have an iv can set it directly, otherwise use saved IV.
  213. */
  214. if (iv == NULL && gctx->iv_set)
  215. iv = gctx->iv;
  216. if (iv) {
  217. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  218. gctx->iv_set = 1;
  219. }
  220. gctx->key_set = 1;
  221. } else {
  222. /* If key set use IV, otherwise copy */
  223. if (gctx->key_set)
  224. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  225. else
  226. memcpy(gctx->iv, iv, gctx->ivlen);
  227. gctx->iv_set = 1;
  228. gctx->iv_gen = 0;
  229. }
  230. return 1;
  231. }
  232. # define aesni_gcm_cipher aes_gcm_cipher
  233. static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  234. const unsigned char *in, size_t len);
  235. static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  236. const unsigned char *iv, int enc)
  237. {
  238. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  239. if (iv == NULL && key == NULL)
  240. return 1;
  241. if (key) {
  242. /* The key is two half length keys in reality */
  243. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  244. const int bytes = keylen / 2;
  245. const int bits = bytes * 8;
  246. if (keylen <= 0) {
  247. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  248. return 0;
  249. }
  250. /*
  251. * Verify that the two keys are different.
  252. *
  253. * This addresses Rogaway's vulnerability.
  254. * See comment in aes_xts_init_key() below.
  255. */
  256. if ((!allow_insecure_decrypt || enc)
  257. && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
  258. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
  259. return 0;
  260. }
  261. /* key_len is two AES keys */
  262. if (enc) {
  263. aesni_set_encrypt_key(key, bits, &xctx->ks1.ks);
  264. xctx->xts.block1 = (block128_f) aesni_encrypt;
  265. xctx->stream = aesni_xts_encrypt;
  266. } else {
  267. aesni_set_decrypt_key(key, bits, &xctx->ks1.ks);
  268. xctx->xts.block1 = (block128_f) aesni_decrypt;
  269. xctx->stream = aesni_xts_decrypt;
  270. }
  271. aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  272. xctx->xts.block2 = (block128_f) aesni_encrypt;
  273. xctx->xts.key1 = &xctx->ks1;
  274. }
  275. if (iv) {
  276. xctx->xts.key2 = &xctx->ks2;
  277. memcpy(ctx->iv, iv, 16);
  278. }
  279. return 1;
  280. }
  281. # define aesni_xts_cipher aes_xts_cipher
  282. static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  283. const unsigned char *in, size_t len);
  284. static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  285. const unsigned char *iv, int enc)
  286. {
  287. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  288. if (iv == NULL && key == NULL)
  289. return 1;
  290. if (key != NULL) {
  291. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  292. if (keylen <= 0) {
  293. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  294. return 0;
  295. }
  296. aesni_set_encrypt_key(key, keylen, &cctx->ks.ks);
  297. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  298. &cctx->ks, (block128_f) aesni_encrypt);
  299. cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
  300. (ccm128_f) aesni_ccm64_decrypt_blocks;
  301. cctx->key_set = 1;
  302. }
  303. if (iv) {
  304. memcpy(ctx->iv, iv, 15 - cctx->L);
  305. cctx->iv_set = 1;
  306. }
  307. return 1;
  308. }
  309. # define aesni_ccm_cipher aes_ccm_cipher
  310. static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  311. const unsigned char *in, size_t len);
  312. # ifndef OPENSSL_NO_OCB
  313. static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  314. const unsigned char *iv, int enc)
  315. {
  316. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  317. if (iv == NULL && key == NULL)
  318. return 1;
  319. if (key != NULL) {
  320. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  321. if (keylen <= 0) {
  322. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  323. return 0;
  324. }
  325. do {
  326. /*
  327. * We set both the encrypt and decrypt key here because decrypt
  328. * needs both. We could possibly optimise to remove setting the
  329. * decrypt for an encryption operation.
  330. */
  331. aesni_set_encrypt_key(key, keylen, &octx->ksenc.ks);
  332. aesni_set_decrypt_key(key, keylen, &octx->ksdec.ks);
  333. if (!CRYPTO_ocb128_init(&octx->ocb,
  334. &octx->ksenc.ks, &octx->ksdec.ks,
  335. (block128_f) aesni_encrypt,
  336. (block128_f) aesni_decrypt,
  337. enc ? aesni_ocb_encrypt
  338. : aesni_ocb_decrypt))
  339. return 0;
  340. }
  341. while (0);
  342. /*
  343. * If we have an iv we can set it directly, otherwise use saved IV.
  344. */
  345. if (iv == NULL && octx->iv_set)
  346. iv = octx->iv;
  347. if (iv) {
  348. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  349. != 1)
  350. return 0;
  351. octx->iv_set = 1;
  352. }
  353. octx->key_set = 1;
  354. } else {
  355. /* If key set use IV, otherwise copy */
  356. if (octx->key_set)
  357. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  358. else
  359. memcpy(octx->iv, iv, octx->ivlen);
  360. octx->iv_set = 1;
  361. }
  362. return 1;
  363. }
  364. # define aesni_ocb_cipher aes_ocb_cipher
  365. static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  366. const unsigned char *in, size_t len);
  367. # endif /* OPENSSL_NO_OCB */
  368. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  369. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  370. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  371. flags|EVP_CIPH_##MODE##_MODE, \
  372. EVP_ORIG_GLOBAL, \
  373. aesni_init_key, \
  374. aesni_##mode##_cipher, \
  375. NULL, \
  376. sizeof(EVP_AES_KEY), \
  377. NULL,NULL,NULL,NULL }; \
  378. static const EVP_CIPHER aes_##keylen##_##mode = { \
  379. nid##_##keylen##_##nmode,blocksize, \
  380. keylen/8,ivlen, \
  381. flags|EVP_CIPH_##MODE##_MODE, \
  382. EVP_ORIG_GLOBAL, \
  383. aes_init_key, \
  384. aes_##mode##_cipher, \
  385. NULL, \
  386. sizeof(EVP_AES_KEY), \
  387. NULL,NULL,NULL,NULL }; \
  388. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  389. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  390. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  391. static const EVP_CIPHER aesni_##keylen##_##mode = { \
  392. nid##_##keylen##_##mode,blocksize, \
  393. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  394. ivlen, \
  395. flags|EVP_CIPH_##MODE##_MODE, \
  396. EVP_ORIG_GLOBAL, \
  397. aesni_##mode##_init_key, \
  398. aesni_##mode##_cipher, \
  399. aes_##mode##_cleanup, \
  400. sizeof(EVP_AES_##MODE##_CTX), \
  401. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  402. static const EVP_CIPHER aes_##keylen##_##mode = { \
  403. nid##_##keylen##_##mode,blocksize, \
  404. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  405. ivlen, \
  406. flags|EVP_CIPH_##MODE##_MODE, \
  407. EVP_ORIG_GLOBAL, \
  408. aes_##mode##_init_key, \
  409. aes_##mode##_cipher, \
  410. aes_##mode##_cleanup, \
  411. sizeof(EVP_AES_##MODE##_CTX), \
  412. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  413. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  414. { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
  415. #elif defined(SPARC_AES_CAPABLE)
  416. static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  417. const unsigned char *iv, int enc)
  418. {
  419. int ret, mode, bits;
  420. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  421. mode = EVP_CIPHER_CTX_get_mode(ctx);
  422. bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  423. if (bits <= 0) {
  424. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  425. return 0;
  426. }
  427. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  428. && !enc) {
  429. ret = 0;
  430. aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
  431. dat->block = (block128_f) aes_t4_decrypt;
  432. switch (bits) {
  433. case 128:
  434. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  435. (cbc128_f) aes128_t4_cbc_decrypt : NULL;
  436. break;
  437. case 192:
  438. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  439. (cbc128_f) aes192_t4_cbc_decrypt : NULL;
  440. break;
  441. case 256:
  442. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  443. (cbc128_f) aes256_t4_cbc_decrypt : NULL;
  444. break;
  445. default:
  446. ret = -1;
  447. }
  448. } else {
  449. ret = 0;
  450. aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
  451. dat->block = (block128_f) aes_t4_encrypt;
  452. switch (bits) {
  453. case 128:
  454. if (mode == EVP_CIPH_CBC_MODE)
  455. dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
  456. else if (mode == EVP_CIPH_CTR_MODE)
  457. dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
  458. else
  459. dat->stream.cbc = NULL;
  460. break;
  461. case 192:
  462. if (mode == EVP_CIPH_CBC_MODE)
  463. dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
  464. else if (mode == EVP_CIPH_CTR_MODE)
  465. dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
  466. else
  467. dat->stream.cbc = NULL;
  468. break;
  469. case 256:
  470. if (mode == EVP_CIPH_CBC_MODE)
  471. dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
  472. else if (mode == EVP_CIPH_CTR_MODE)
  473. dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
  474. else
  475. dat->stream.cbc = NULL;
  476. break;
  477. default:
  478. ret = -1;
  479. }
  480. }
  481. if (ret < 0) {
  482. ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
  483. return 0;
  484. }
  485. return 1;
  486. }
  487. # define aes_t4_cbc_cipher aes_cbc_cipher
  488. static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  489. const unsigned char *in, size_t len);
  490. # define aes_t4_ecb_cipher aes_ecb_cipher
  491. static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  492. const unsigned char *in, size_t len);
  493. # define aes_t4_ofb_cipher aes_ofb_cipher
  494. static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  495. const unsigned char *in, size_t len);
  496. # define aes_t4_cfb_cipher aes_cfb_cipher
  497. static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  498. const unsigned char *in, size_t len);
  499. # define aes_t4_cfb8_cipher aes_cfb8_cipher
  500. static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  501. const unsigned char *in, size_t len);
  502. # define aes_t4_cfb1_cipher aes_cfb1_cipher
  503. static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  504. const unsigned char *in, size_t len);
  505. # define aes_t4_ctr_cipher aes_ctr_cipher
  506. static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  507. const unsigned char *in, size_t len);
  508. static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  509. const unsigned char *iv, int enc)
  510. {
  511. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  512. if (iv == NULL && key == NULL)
  513. return 1;
  514. if (key) {
  515. const int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  516. if (bits <= 0) {
  517. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  518. return 0;
  519. }
  520. aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
  521. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  522. (block128_f) aes_t4_encrypt);
  523. switch (bits) {
  524. case 128:
  525. gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
  526. break;
  527. case 192:
  528. gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
  529. break;
  530. case 256:
  531. gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
  532. break;
  533. default:
  534. return 0;
  535. }
  536. /*
  537. * If we have an iv can set it directly, otherwise use saved IV.
  538. */
  539. if (iv == NULL && gctx->iv_set)
  540. iv = gctx->iv;
  541. if (iv) {
  542. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  543. gctx->iv_set = 1;
  544. }
  545. gctx->key_set = 1;
  546. } else {
  547. /* If key set use IV, otherwise copy */
  548. if (gctx->key_set)
  549. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  550. else
  551. memcpy(gctx->iv, iv, gctx->ivlen);
  552. gctx->iv_set = 1;
  553. gctx->iv_gen = 0;
  554. }
  555. return 1;
  556. }
  557. # define aes_t4_gcm_cipher aes_gcm_cipher
  558. static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  559. const unsigned char *in, size_t len);
  560. static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  561. const unsigned char *iv, int enc)
  562. {
  563. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  564. if (!iv && !key)
  565. return 1;
  566. if (key) {
  567. /* The key is two half length keys in reality */
  568. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  569. const int bytes = keylen / 2;
  570. const int bits = bytes * 8;
  571. if (keylen <= 0) {
  572. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  573. return 0;
  574. }
  575. /*
  576. * Verify that the two keys are different.
  577. *
  578. * This addresses Rogaway's vulnerability.
  579. * See comment in aes_xts_init_key() below.
  580. */
  581. if ((!allow_insecure_decrypt || enc)
  582. && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
  583. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
  584. return 0;
  585. }
  586. xctx->stream = NULL;
  587. /* key_len is two AES keys */
  588. if (enc) {
  589. aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
  590. xctx->xts.block1 = (block128_f) aes_t4_encrypt;
  591. switch (bits) {
  592. case 128:
  593. xctx->stream = aes128_t4_xts_encrypt;
  594. break;
  595. case 256:
  596. xctx->stream = aes256_t4_xts_encrypt;
  597. break;
  598. default:
  599. return 0;
  600. }
  601. } else {
  602. aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks);
  603. xctx->xts.block1 = (block128_f) aes_t4_decrypt;
  604. switch (bits) {
  605. case 128:
  606. xctx->stream = aes128_t4_xts_decrypt;
  607. break;
  608. case 256:
  609. xctx->stream = aes256_t4_xts_decrypt;
  610. break;
  611. default:
  612. return 0;
  613. }
  614. }
  615. aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  616. xctx->xts.block2 = (block128_f) aes_t4_encrypt;
  617. xctx->xts.key1 = &xctx->ks1;
  618. }
  619. if (iv) {
  620. xctx->xts.key2 = &xctx->ks2;
  621. memcpy(ctx->iv, iv, 16);
  622. }
  623. return 1;
  624. }
  625. # define aes_t4_xts_cipher aes_xts_cipher
  626. static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  627. const unsigned char *in, size_t len);
  628. static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  629. const unsigned char *iv, int enc)
  630. {
  631. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  632. if (iv == NULL && key == NULL)
  633. return 1;
  634. if (key != NULL) {
  635. const int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  636. if (bits <= 0) {
  637. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  638. return 0;
  639. }
  640. aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
  641. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  642. &cctx->ks, (block128_f) aes_t4_encrypt);
  643. cctx->str = NULL;
  644. cctx->key_set = 1;
  645. }
  646. if (iv) {
  647. memcpy(ctx->iv, iv, 15 - cctx->L);
  648. cctx->iv_set = 1;
  649. }
  650. return 1;
  651. }
  652. # define aes_t4_ccm_cipher aes_ccm_cipher
  653. static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  654. const unsigned char *in, size_t len);
  655. # ifndef OPENSSL_NO_OCB
  656. static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  657. const unsigned char *iv, int enc)
  658. {
  659. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  660. if (iv == NULL && key == NULL)
  661. return 1;
  662. if (key != NULL) {
  663. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  664. if (keylen <= 0) {
  665. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  666. return 0;
  667. }
  668. do {
  669. /*
  670. * We set both the encrypt and decrypt key here because decrypt
  671. * needs both. We could possibly optimise to remove setting the
  672. * decrypt for an encryption operation.
  673. */
  674. aes_t4_set_encrypt_key(key, keylen, &octx->ksenc.ks);
  675. aes_t4_set_decrypt_key(key, keylen, &octx->ksdec.ks);
  676. if (!CRYPTO_ocb128_init(&octx->ocb,
  677. &octx->ksenc.ks, &octx->ksdec.ks,
  678. (block128_f) aes_t4_encrypt,
  679. (block128_f) aes_t4_decrypt,
  680. NULL))
  681. return 0;
  682. }
  683. while (0);
  684. /*
  685. * If we have an iv we can set it directly, otherwise use saved IV.
  686. */
  687. if (iv == NULL && octx->iv_set)
  688. iv = octx->iv;
  689. if (iv) {
  690. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  691. != 1)
  692. return 0;
  693. octx->iv_set = 1;
  694. }
  695. octx->key_set = 1;
  696. } else {
  697. /* If key set use IV, otherwise copy */
  698. if (octx->key_set)
  699. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  700. else
  701. memcpy(octx->iv, iv, octx->ivlen);
  702. octx->iv_set = 1;
  703. }
  704. return 1;
  705. }
  706. # define aes_t4_ocb_cipher aes_ocb_cipher
  707. static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  708. const unsigned char *in, size_t len);
  709. # endif /* OPENSSL_NO_OCB */
  710. # ifndef OPENSSL_NO_SIV
  711. # define aes_t4_siv_init_key aes_siv_init_key
  712. # define aes_t4_siv_cipher aes_siv_cipher
  713. # endif /* OPENSSL_NO_SIV */
  714. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  715. static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
  716. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  717. flags|EVP_CIPH_##MODE##_MODE, \
  718. EVP_ORIG_GLOBAL, \
  719. aes_t4_init_key, \
  720. aes_t4_##mode##_cipher, \
  721. NULL, \
  722. sizeof(EVP_AES_KEY), \
  723. NULL,NULL,NULL,NULL }; \
  724. static const EVP_CIPHER aes_##keylen##_##mode = { \
  725. nid##_##keylen##_##nmode,blocksize, \
  726. keylen/8,ivlen, \
  727. flags|EVP_CIPH_##MODE##_MODE, \
  728. EVP_ORIG_GLOBAL, \
  729. aes_init_key, \
  730. aes_##mode##_cipher, \
  731. NULL, \
  732. sizeof(EVP_AES_KEY), \
  733. NULL,NULL,NULL,NULL }; \
  734. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  735. { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
  736. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  737. static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
  738. nid##_##keylen##_##mode,blocksize, \
  739. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  740. ivlen, \
  741. flags|EVP_CIPH_##MODE##_MODE, \
  742. EVP_ORIG_GLOBAL, \
  743. aes_t4_##mode##_init_key, \
  744. aes_t4_##mode##_cipher, \
  745. aes_##mode##_cleanup, \
  746. sizeof(EVP_AES_##MODE##_CTX), \
  747. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  748. static const EVP_CIPHER aes_##keylen##_##mode = { \
  749. nid##_##keylen##_##mode,blocksize, \
  750. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  751. ivlen, \
  752. flags|EVP_CIPH_##MODE##_MODE, \
  753. EVP_ORIG_GLOBAL, \
  754. aes_##mode##_init_key, \
  755. aes_##mode##_cipher, \
  756. aes_##mode##_cleanup, \
  757. sizeof(EVP_AES_##MODE##_CTX), \
  758. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  759. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  760. { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
  761. #elif defined(S390X_aes_128_CAPABLE)
  762. /* IBM S390X support */
  763. typedef struct {
  764. union {
  765. OSSL_UNION_ALIGN;
  766. /*-
  767. * KM-AES parameter block - begin
  768. * (see z/Architecture Principles of Operation >= SA22-7832-06)
  769. */
  770. struct {
  771. unsigned char k[32];
  772. } param;
  773. /* KM-AES parameter block - end */
  774. } km;
  775. unsigned int fc;
  776. } S390X_AES_ECB_CTX;
  777. typedef struct {
  778. union {
  779. OSSL_UNION_ALIGN;
  780. /*-
  781. * KMO-AES parameter block - begin
  782. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  783. */
  784. struct {
  785. unsigned char cv[16];
  786. unsigned char k[32];
  787. } param;
  788. /* KMO-AES parameter block - end */
  789. } kmo;
  790. unsigned int fc;
  791. } S390X_AES_OFB_CTX;
  792. typedef struct {
  793. union {
  794. OSSL_UNION_ALIGN;
  795. /*-
  796. * KMF-AES parameter block - begin
  797. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  798. */
  799. struct {
  800. unsigned char cv[16];
  801. unsigned char k[32];
  802. } param;
  803. /* KMF-AES parameter block - end */
  804. } kmf;
  805. unsigned int fc;
  806. } S390X_AES_CFB_CTX;
  807. typedef struct {
  808. union {
  809. OSSL_UNION_ALIGN;
  810. /*-
  811. * KMA-GCM-AES parameter block - begin
  812. * (see z/Architecture Principles of Operation >= SA22-7832-11)
  813. */
  814. struct {
  815. unsigned char reserved[12];
  816. union {
  817. unsigned int w;
  818. unsigned char b[4];
  819. } cv;
  820. union {
  821. unsigned long long g[2];
  822. unsigned char b[16];
  823. } t;
  824. unsigned char h[16];
  825. unsigned long long taadl;
  826. unsigned long long tpcl;
  827. union {
  828. unsigned long long g[2];
  829. unsigned int w[4];
  830. } j0;
  831. unsigned char k[32];
  832. } param;
  833. /* KMA-GCM-AES parameter block - end */
  834. } kma;
  835. unsigned int fc;
  836. int key_set;
  837. unsigned char *iv;
  838. int ivlen;
  839. int iv_set;
  840. int iv_gen;
  841. int taglen;
  842. unsigned char ares[16];
  843. unsigned char mres[16];
  844. unsigned char kres[16];
  845. int areslen;
  846. int mreslen;
  847. int kreslen;
  848. int tls_aad_len;
  849. uint64_t tls_enc_records; /* Number of TLS records encrypted */
  850. } S390X_AES_GCM_CTX;
  851. typedef struct {
  852. union {
  853. OSSL_UNION_ALIGN;
  854. /*-
  855. * Padding is chosen so that ccm.kmac_param.k overlaps with key.k and
  856. * ccm.fc with key.k.rounds. Remember that on s390x, an AES_KEY's
  857. * rounds field is used to store the function code and that the key
  858. * schedule is not stored (if aes hardware support is detected).
  859. */
  860. struct {
  861. unsigned char pad[16];
  862. AES_KEY k;
  863. } key;
  864. struct {
  865. /*-
  866. * KMAC-AES parameter block - begin
  867. * (see z/Architecture Principles of Operation >= SA22-7832-08)
  868. */
  869. struct {
  870. union {
  871. unsigned long long g[2];
  872. unsigned char b[16];
  873. } icv;
  874. unsigned char k[32];
  875. } kmac_param;
  876. /* KMAC-AES parameter block - end */
  877. union {
  878. unsigned long long g[2];
  879. unsigned char b[16];
  880. } nonce;
  881. union {
  882. unsigned long long g[2];
  883. unsigned char b[16];
  884. } buf;
  885. unsigned long long blocks;
  886. int l;
  887. int m;
  888. int tls_aad_len;
  889. int iv_set;
  890. int tag_set;
  891. int len_set;
  892. int key_set;
  893. unsigned char pad[140];
  894. unsigned int fc;
  895. } ccm;
  896. } aes;
  897. } S390X_AES_CCM_CTX;
  898. # define s390x_aes_init_key aes_init_key
  899. static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  900. const unsigned char *iv, int enc);
  901. # define S390X_AES_CBC_CTX EVP_AES_KEY
  902. # define s390x_aes_cbc_init_key aes_init_key
  903. # define s390x_aes_cbc_cipher aes_cbc_cipher
  904. static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  905. const unsigned char *in, size_t len);
  906. static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx,
  907. const unsigned char *key,
  908. const unsigned char *iv, int enc)
  909. {
  910. S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
  911. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  912. if (keylen <= 0) {
  913. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  914. return 0;
  915. }
  916. cctx->fc = S390X_AES_FC(keylen);
  917. if (!enc)
  918. cctx->fc |= S390X_DECRYPT;
  919. memcpy(cctx->km.param.k, key, keylen);
  920. return 1;
  921. }
  922. static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  923. const unsigned char *in, size_t len)
  924. {
  925. S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
  926. s390x_km(in, len, out, cctx->fc, &cctx->km.param);
  927. return 1;
  928. }
  929. static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx,
  930. const unsigned char *key,
  931. const unsigned char *ivec, int enc)
  932. {
  933. S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
  934. const unsigned char *iv = ctx->oiv;
  935. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  936. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  937. if (keylen <= 0) {
  938. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  939. return 0;
  940. }
  941. if (ivlen <= 0) {
  942. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
  943. return 0;
  944. }
  945. memcpy(cctx->kmo.param.cv, iv, ivlen);
  946. memcpy(cctx->kmo.param.k, key, keylen);
  947. cctx->fc = S390X_AES_FC(keylen);
  948. return 1;
  949. }
  950. static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  951. const unsigned char *in, size_t len)
  952. {
  953. S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
  954. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  955. unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
  956. int n = ctx->num;
  957. int rem;
  958. memcpy(cctx->kmo.param.cv, iv, ivlen);
  959. while (n && len) {
  960. *out = *in ^ cctx->kmo.param.cv[n];
  961. n = (n + 1) & 0xf;
  962. --len;
  963. ++in;
  964. ++out;
  965. }
  966. rem = len & 0xf;
  967. len &= ~(size_t)0xf;
  968. if (len) {
  969. s390x_kmo(in, len, out, cctx->fc, &cctx->kmo.param);
  970. out += len;
  971. in += len;
  972. }
  973. if (rem) {
  974. s390x_km(cctx->kmo.param.cv, 16, cctx->kmo.param.cv, cctx->fc,
  975. cctx->kmo.param.k);
  976. while (rem--) {
  977. out[n] = in[n] ^ cctx->kmo.param.cv[n];
  978. ++n;
  979. }
  980. }
  981. memcpy(iv, cctx->kmo.param.cv, ivlen);
  982. ctx->num = n;
  983. return 1;
  984. }
  985. static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx,
  986. const unsigned char *key,
  987. const unsigned char *ivec, int enc)
  988. {
  989. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  990. const unsigned char *iv = ctx->oiv;
  991. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  992. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  993. if (keylen <= 0) {
  994. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  995. return 0;
  996. }
  997. if (ivlen <= 0) {
  998. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
  999. return 0;
  1000. }
  1001. cctx->fc = S390X_AES_FC(keylen);
  1002. cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */
  1003. if (!enc)
  1004. cctx->fc |= S390X_DECRYPT;
  1005. memcpy(cctx->kmf.param.cv, iv, ivlen);
  1006. memcpy(cctx->kmf.param.k, key, keylen);
  1007. return 1;
  1008. }
  1009. static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1010. const unsigned char *in, size_t len)
  1011. {
  1012. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  1013. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  1014. const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
  1015. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  1016. unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
  1017. int n = ctx->num;
  1018. int rem;
  1019. unsigned char tmp;
  1020. if (keylen <= 0) {
  1021. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  1022. return 0;
  1023. }
  1024. if (ivlen <= 0) {
  1025. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
  1026. return 0;
  1027. }
  1028. memcpy(cctx->kmf.param.cv, iv, ivlen);
  1029. while (n && len) {
  1030. tmp = *in;
  1031. *out = cctx->kmf.param.cv[n] ^ tmp;
  1032. cctx->kmf.param.cv[n] = enc ? *out : tmp;
  1033. n = (n + 1) & 0xf;
  1034. --len;
  1035. ++in;
  1036. ++out;
  1037. }
  1038. rem = len & 0xf;
  1039. len &= ~(size_t)0xf;
  1040. if (len) {
  1041. s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
  1042. out += len;
  1043. in += len;
  1044. }
  1045. if (rem) {
  1046. s390x_km(cctx->kmf.param.cv, 16, cctx->kmf.param.cv,
  1047. S390X_AES_FC(keylen), cctx->kmf.param.k);
  1048. while (rem--) {
  1049. tmp = in[n];
  1050. out[n] = cctx->kmf.param.cv[n] ^ tmp;
  1051. cctx->kmf.param.cv[n] = enc ? out[n] : tmp;
  1052. ++n;
  1053. }
  1054. }
  1055. memcpy(iv, cctx->kmf.param.cv, ivlen);
  1056. ctx->num = n;
  1057. return 1;
  1058. }
  1059. static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX *ctx,
  1060. const unsigned char *key,
  1061. const unsigned char *ivec, int enc)
  1062. {
  1063. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  1064. const unsigned char *iv = ctx->oiv;
  1065. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  1066. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  1067. if (keylen <= 0) {
  1068. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  1069. return 0;
  1070. }
  1071. if (ivlen <= 0) {
  1072. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
  1073. return 0;
  1074. }
  1075. cctx->fc = S390X_AES_FC(keylen);
  1076. cctx->fc |= 1 << 24; /* 1 byte cipher feedback */
  1077. if (!enc)
  1078. cctx->fc |= S390X_DECRYPT;
  1079. memcpy(cctx->kmf.param.cv, iv, ivlen);
  1080. memcpy(cctx->kmf.param.k, key, keylen);
  1081. return 1;
  1082. }
  1083. static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1084. const unsigned char *in, size_t len)
  1085. {
  1086. S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
  1087. const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
  1088. unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
  1089. memcpy(cctx->kmf.param.cv, iv, ivlen);
  1090. s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
  1091. memcpy(iv, cctx->kmf.param.cv, ivlen);
  1092. return 1;
  1093. }
  1094. # define s390x_aes_cfb1_init_key aes_init_key
  1095. # define s390x_aes_cfb1_cipher aes_cfb1_cipher
  1096. static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1097. const unsigned char *in, size_t len);
  1098. # define S390X_AES_CTR_CTX EVP_AES_KEY
  1099. # define s390x_aes_ctr_init_key aes_init_key
  1100. # define s390x_aes_ctr_cipher aes_ctr_cipher
  1101. static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1102. const unsigned char *in, size_t len);
  1103. /* iv + padding length for iv lengths != 12 */
  1104. # define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
  1105. /*-
  1106. * Process additional authenticated data. Returns 0 on success. Code is
  1107. * big-endian.
  1108. */
  1109. static int s390x_aes_gcm_aad(S390X_AES_GCM_CTX *ctx, const unsigned char *aad,
  1110. size_t len)
  1111. {
  1112. unsigned long long alen;
  1113. int n, rem;
  1114. if (ctx->kma.param.tpcl)
  1115. return -2;
  1116. alen = ctx->kma.param.taadl + len;
  1117. if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
  1118. return -1;
  1119. ctx->kma.param.taadl = alen;
  1120. n = ctx->areslen;
  1121. if (n) {
  1122. while (n && len) {
  1123. ctx->ares[n] = *aad;
  1124. n = (n + 1) & 0xf;
  1125. ++aad;
  1126. --len;
  1127. }
  1128. /* ctx->ares contains a complete block if offset has wrapped around */
  1129. if (!n) {
  1130. s390x_kma(ctx->ares, 16, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
  1131. ctx->fc |= S390X_KMA_HS;
  1132. }
  1133. ctx->areslen = n;
  1134. }
  1135. rem = len & 0xf;
  1136. len &= ~(size_t)0xf;
  1137. if (len) {
  1138. s390x_kma(aad, len, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
  1139. aad += len;
  1140. ctx->fc |= S390X_KMA_HS;
  1141. }
  1142. if (rem) {
  1143. ctx->areslen = rem;
  1144. do {
  1145. --rem;
  1146. ctx->ares[rem] = aad[rem];
  1147. } while (rem);
  1148. }
  1149. return 0;
  1150. }
  1151. /*-
  1152. * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 0 for
  1153. * success. Code is big-endian.
  1154. */
  1155. static int s390x_aes_gcm(S390X_AES_GCM_CTX *ctx, const unsigned char *in,
  1156. unsigned char *out, size_t len)
  1157. {
  1158. const unsigned char *inptr;
  1159. unsigned long long mlen;
  1160. union {
  1161. unsigned int w[4];
  1162. unsigned char b[16];
  1163. } buf;
  1164. size_t inlen;
  1165. int n, rem, i;
  1166. mlen = ctx->kma.param.tpcl + len;
  1167. if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
  1168. return -1;
  1169. ctx->kma.param.tpcl = mlen;
  1170. n = ctx->mreslen;
  1171. if (n) {
  1172. inptr = in;
  1173. inlen = len;
  1174. while (n && inlen) {
  1175. ctx->mres[n] = *inptr;
  1176. n = (n + 1) & 0xf;
  1177. ++inptr;
  1178. --inlen;
  1179. }
  1180. /* ctx->mres contains a complete block if offset has wrapped around */
  1181. if (!n) {
  1182. s390x_kma(ctx->ares, ctx->areslen, ctx->mres, 16, buf.b,
  1183. ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
  1184. ctx->fc |= S390X_KMA_HS;
  1185. ctx->areslen = 0;
  1186. /* previous call already encrypted/decrypted its remainder,
  1187. * see comment below */
  1188. n = ctx->mreslen;
  1189. while (n) {
  1190. *out = buf.b[n];
  1191. n = (n + 1) & 0xf;
  1192. ++out;
  1193. ++in;
  1194. --len;
  1195. }
  1196. ctx->mreslen = 0;
  1197. }
  1198. }
  1199. rem = len & 0xf;
  1200. len &= ~(size_t)0xf;
  1201. if (len) {
  1202. s390x_kma(ctx->ares, ctx->areslen, in, len, out,
  1203. ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
  1204. in += len;
  1205. out += len;
  1206. ctx->fc |= S390X_KMA_HS;
  1207. ctx->areslen = 0;
  1208. }
  1209. /*-
  1210. * If there is a remainder, it has to be saved such that it can be
  1211. * processed by kma later. However, we also have to do the for-now
  1212. * unauthenticated encryption/decryption part here and now...
  1213. */
  1214. if (rem) {
  1215. if (!ctx->mreslen) {
  1216. buf.w[0] = ctx->kma.param.j0.w[0];
  1217. buf.w[1] = ctx->kma.param.j0.w[1];
  1218. buf.w[2] = ctx->kma.param.j0.w[2];
  1219. buf.w[3] = ctx->kma.param.cv.w + 1;
  1220. s390x_km(buf.b, 16, ctx->kres, ctx->fc & 0x1f, &ctx->kma.param.k);
  1221. }
  1222. n = ctx->mreslen;
  1223. for (i = 0; i < rem; i++) {
  1224. ctx->mres[n + i] = in[i];
  1225. out[i] = in[i] ^ ctx->kres[n + i];
  1226. }
  1227. ctx->mreslen += rem;
  1228. }
  1229. return 0;
  1230. }
  1231. /*-
  1232. * Initialize context structure. Code is big-endian.
  1233. */
  1234. static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx,
  1235. const unsigned char *iv)
  1236. {
  1237. ctx->kma.param.t.g[0] = 0;
  1238. ctx->kma.param.t.g[1] = 0;
  1239. ctx->kma.param.tpcl = 0;
  1240. ctx->kma.param.taadl = 0;
  1241. ctx->mreslen = 0;
  1242. ctx->areslen = 0;
  1243. ctx->kreslen = 0;
  1244. if (ctx->ivlen == 12) {
  1245. memcpy(&ctx->kma.param.j0, iv, ctx->ivlen);
  1246. ctx->kma.param.j0.w[3] = 1;
  1247. ctx->kma.param.cv.w = 1;
  1248. } else {
  1249. /* ctx->iv has the right size and is already padded. */
  1250. memcpy(ctx->iv, iv, ctx->ivlen);
  1251. s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL,
  1252. ctx->fc, &ctx->kma.param);
  1253. ctx->fc |= S390X_KMA_HS;
  1254. ctx->kma.param.j0.g[0] = ctx->kma.param.t.g[0];
  1255. ctx->kma.param.j0.g[1] = ctx->kma.param.t.g[1];
  1256. ctx->kma.param.cv.w = ctx->kma.param.j0.w[3];
  1257. ctx->kma.param.t.g[0] = 0;
  1258. ctx->kma.param.t.g[1] = 0;
  1259. }
  1260. }
  1261. /*-
  1262. * Performs various operations on the context structure depending on control
  1263. * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
  1264. * Code is big-endian.
  1265. */
  1266. static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1267. {
  1268. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
  1269. S390X_AES_GCM_CTX *gctx_out;
  1270. EVP_CIPHER_CTX *out;
  1271. unsigned char *buf;
  1272. int ivlen, enc, len;
  1273. switch (type) {
  1274. case EVP_CTRL_INIT:
  1275. ivlen = EVP_CIPHER_get_iv_length(c->cipher);
  1276. gctx->key_set = 0;
  1277. gctx->iv_set = 0;
  1278. gctx->ivlen = ivlen;
  1279. gctx->iv = c->iv;
  1280. gctx->taglen = -1;
  1281. gctx->iv_gen = 0;
  1282. gctx->tls_aad_len = -1;
  1283. return 1;
  1284. case EVP_CTRL_GET_IVLEN:
  1285. *(int *)ptr = gctx->ivlen;
  1286. return 1;
  1287. case EVP_CTRL_AEAD_SET_IVLEN:
  1288. if (arg <= 0)
  1289. return 0;
  1290. if (arg != 12) {
  1291. len = S390X_gcm_ivpadlen(arg);
  1292. /* Allocate memory for iv if needed. */
  1293. if (gctx->ivlen == 12 || len > S390X_gcm_ivpadlen(gctx->ivlen)) {
  1294. if (gctx->iv != c->iv)
  1295. OPENSSL_free(gctx->iv);
  1296. if ((gctx->iv = OPENSSL_malloc(len)) == NULL)
  1297. return 0;
  1298. }
  1299. /* Add padding. */
  1300. memset(gctx->iv + arg, 0, len - arg - 8);
  1301. *((unsigned long long *)(gctx->iv + len - 8)) = arg << 3;
  1302. }
  1303. gctx->ivlen = arg;
  1304. return 1;
  1305. case EVP_CTRL_AEAD_SET_TAG:
  1306. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1307. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1308. if (arg <= 0 || arg > 16 || enc)
  1309. return 0;
  1310. memcpy(buf, ptr, arg);
  1311. gctx->taglen = arg;
  1312. return 1;
  1313. case EVP_CTRL_AEAD_GET_TAG:
  1314. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1315. if (arg <= 0 || arg > 16 || !enc || gctx->taglen < 0)
  1316. return 0;
  1317. memcpy(ptr, gctx->kma.param.t.b, arg);
  1318. return 1;
  1319. case EVP_CTRL_GCM_SET_IV_FIXED:
  1320. /* Special case: -1 length restores whole iv */
  1321. if (arg == -1) {
  1322. memcpy(gctx->iv, ptr, gctx->ivlen);
  1323. gctx->iv_gen = 1;
  1324. return 1;
  1325. }
  1326. /*
  1327. * Fixed field must be at least 4 bytes and invocation field at least
  1328. * 8.
  1329. */
  1330. if ((arg < 4) || (gctx->ivlen - arg) < 8)
  1331. return 0;
  1332. if (arg)
  1333. memcpy(gctx->iv, ptr, arg);
  1334. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1335. if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
  1336. return 0;
  1337. gctx->iv_gen = 1;
  1338. return 1;
  1339. case EVP_CTRL_GCM_IV_GEN:
  1340. if (gctx->iv_gen == 0 || gctx->key_set == 0)
  1341. return 0;
  1342. s390x_aes_gcm_setiv(gctx, gctx->iv);
  1343. if (arg <= 0 || arg > gctx->ivlen)
  1344. arg = gctx->ivlen;
  1345. memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
  1346. /*
  1347. * Invocation field will be at least 8 bytes in size and so no need
  1348. * to check wrap around or increment more than last 8 bytes.
  1349. */
  1350. ctr64_inc(gctx->iv + gctx->ivlen - 8);
  1351. gctx->iv_set = 1;
  1352. return 1;
  1353. case EVP_CTRL_GCM_SET_IV_INV:
  1354. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1355. if (gctx->iv_gen == 0 || gctx->key_set == 0 || enc)
  1356. return 0;
  1357. memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
  1358. s390x_aes_gcm_setiv(gctx, gctx->iv);
  1359. gctx->iv_set = 1;
  1360. return 1;
  1361. case EVP_CTRL_AEAD_TLS1_AAD:
  1362. /* Save the aad for later use. */
  1363. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  1364. return 0;
  1365. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1366. memcpy(buf, ptr, arg);
  1367. gctx->tls_aad_len = arg;
  1368. gctx->tls_enc_records = 0;
  1369. len = buf[arg - 2] << 8 | buf[arg - 1];
  1370. /* Correct length for explicit iv. */
  1371. if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
  1372. return 0;
  1373. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1374. /* If decrypting correct for tag too. */
  1375. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1376. if (!enc) {
  1377. if (len < EVP_GCM_TLS_TAG_LEN)
  1378. return 0;
  1379. len -= EVP_GCM_TLS_TAG_LEN;
  1380. }
  1381. buf[arg - 2] = len >> 8;
  1382. buf[arg - 1] = len & 0xff;
  1383. /* Extra padding: tag appended to record. */
  1384. return EVP_GCM_TLS_TAG_LEN;
  1385. case EVP_CTRL_COPY:
  1386. out = ptr;
  1387. gctx_out = EVP_C_DATA(S390X_AES_GCM_CTX, out);
  1388. if (gctx->iv == c->iv) {
  1389. gctx_out->iv = out->iv;
  1390. } else {
  1391. len = S390X_gcm_ivpadlen(gctx->ivlen);
  1392. if ((gctx_out->iv = OPENSSL_malloc(len)) == NULL)
  1393. return 0;
  1394. memcpy(gctx_out->iv, gctx->iv, len);
  1395. }
  1396. return 1;
  1397. default:
  1398. return -1;
  1399. }
  1400. }
  1401. /*-
  1402. * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
  1403. */
  1404. static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx,
  1405. const unsigned char *key,
  1406. const unsigned char *iv, int enc)
  1407. {
  1408. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1409. int keylen;
  1410. if (iv == NULL && key == NULL)
  1411. return 1;
  1412. if (key != NULL) {
  1413. keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  1414. if (keylen <= 0) {
  1415. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  1416. return 0;
  1417. }
  1418. memcpy(&gctx->kma.param.k, key, keylen);
  1419. gctx->fc = S390X_AES_FC(keylen);
  1420. if (!enc)
  1421. gctx->fc |= S390X_DECRYPT;
  1422. if (iv == NULL && gctx->iv_set)
  1423. iv = gctx->iv;
  1424. if (iv != NULL) {
  1425. s390x_aes_gcm_setiv(gctx, iv);
  1426. gctx->iv_set = 1;
  1427. }
  1428. gctx->key_set = 1;
  1429. } else {
  1430. if (gctx->key_set)
  1431. s390x_aes_gcm_setiv(gctx, iv);
  1432. else
  1433. memcpy(gctx->iv, iv, gctx->ivlen);
  1434. gctx->iv_set = 1;
  1435. gctx->iv_gen = 0;
  1436. }
  1437. return 1;
  1438. }
  1439. /*-
  1440. * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
  1441. * if successful. Otherwise -1 is returned. Code is big-endian.
  1442. */
  1443. static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1444. const unsigned char *in, size_t len)
  1445. {
  1446. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1447. const unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1448. const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
  1449. int rv = -1;
  1450. if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
  1451. return -1;
  1452. /*
  1453. * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
  1454. * Requirements from SP 800-38D". The requirements is for one party to the
  1455. * communication to fail after 2^64 - 1 keys. We do this on the encrypting
  1456. * side only.
  1457. */
  1458. if (enc && ++gctx->tls_enc_records == 0) {
  1459. ERR_raise(ERR_LIB_EVP, EVP_R_TOO_MANY_RECORDS);
  1460. goto err;
  1461. }
  1462. if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN
  1463. : EVP_CTRL_GCM_SET_IV_INV,
  1464. EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
  1465. goto err;
  1466. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1467. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  1468. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  1469. gctx->kma.param.taadl = gctx->tls_aad_len << 3;
  1470. gctx->kma.param.tpcl = len << 3;
  1471. s390x_kma(buf, gctx->tls_aad_len, in, len, out,
  1472. gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
  1473. if (enc) {
  1474. memcpy(out + len, gctx->kma.param.t.b, EVP_GCM_TLS_TAG_LEN);
  1475. rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  1476. } else {
  1477. if (CRYPTO_memcmp(gctx->kma.param.t.b, in + len,
  1478. EVP_GCM_TLS_TAG_LEN)) {
  1479. OPENSSL_cleanse(out, len);
  1480. goto err;
  1481. }
  1482. rv = len;
  1483. }
  1484. err:
  1485. gctx->iv_set = 0;
  1486. gctx->tls_aad_len = -1;
  1487. return rv;
  1488. }
  1489. /*-
  1490. * Called from EVP layer to initialize context, process additional
  1491. * authenticated data, en/de-crypt plain/cipher-text and authenticate
  1492. * ciphertext or process a TLS packet, depending on context. Returns bytes
  1493. * written on success. Otherwise -1 is returned. Code is big-endian.
  1494. */
  1495. static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1496. const unsigned char *in, size_t len)
  1497. {
  1498. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
  1499. unsigned char *buf, tmp[16];
  1500. int enc;
  1501. if (!gctx->key_set)
  1502. return -1;
  1503. if (gctx->tls_aad_len >= 0)
  1504. return s390x_aes_gcm_tls_cipher(ctx, out, in, len);
  1505. if (!gctx->iv_set)
  1506. return -1;
  1507. if (in != NULL) {
  1508. if (out == NULL) {
  1509. if (s390x_aes_gcm_aad(gctx, in, len))
  1510. return -1;
  1511. } else {
  1512. if (s390x_aes_gcm(gctx, in, out, len))
  1513. return -1;
  1514. }
  1515. return len;
  1516. } else {
  1517. gctx->kma.param.taadl <<= 3;
  1518. gctx->kma.param.tpcl <<= 3;
  1519. s390x_kma(gctx->ares, gctx->areslen, gctx->mres, gctx->mreslen, tmp,
  1520. gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
  1521. /* recall that we already did en-/decrypt gctx->mres
  1522. * and returned it to caller... */
  1523. OPENSSL_cleanse(tmp, gctx->mreslen);
  1524. gctx->iv_set = 0;
  1525. enc = EVP_CIPHER_CTX_is_encrypting(ctx);
  1526. if (enc) {
  1527. gctx->taglen = 16;
  1528. } else {
  1529. if (gctx->taglen < 0)
  1530. return -1;
  1531. buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1532. if (CRYPTO_memcmp(buf, gctx->kma.param.t.b, gctx->taglen))
  1533. return -1;
  1534. }
  1535. return 0;
  1536. }
  1537. }
  1538. static int s390x_aes_gcm_cleanup(EVP_CIPHER_CTX *c)
  1539. {
  1540. S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
  1541. if (gctx == NULL)
  1542. return 0;
  1543. if (gctx->iv != c->iv)
  1544. OPENSSL_free(gctx->iv);
  1545. OPENSSL_cleanse(gctx, sizeof(*gctx));
  1546. return 1;
  1547. }
  1548. # define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
  1549. # define s390x_aes_xts_init_key aes_xts_init_key
  1550. static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx,
  1551. const unsigned char *key,
  1552. const unsigned char *iv, int enc);
  1553. # define s390x_aes_xts_cipher aes_xts_cipher
  1554. static int s390x_aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1555. const unsigned char *in, size_t len);
  1556. # define s390x_aes_xts_ctrl aes_xts_ctrl
  1557. static int s390x_aes_xts_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
  1558. # define s390x_aes_xts_cleanup aes_xts_cleanup
  1559. /*-
  1560. * Set nonce and length fields. Code is big-endian.
  1561. */
  1562. static inline void s390x_aes_ccm_setiv(S390X_AES_CCM_CTX *ctx,
  1563. const unsigned char *nonce,
  1564. size_t mlen)
  1565. {
  1566. ctx->aes.ccm.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
  1567. ctx->aes.ccm.nonce.g[1] = mlen;
  1568. memcpy(ctx->aes.ccm.nonce.b + 1, nonce, 15 - ctx->aes.ccm.l);
  1569. }
  1570. /*-
  1571. * Process additional authenticated data. Code is big-endian.
  1572. */
  1573. static void s390x_aes_ccm_aad(S390X_AES_CCM_CTX *ctx, const unsigned char *aad,
  1574. size_t alen)
  1575. {
  1576. unsigned char *ptr;
  1577. int i, rem;
  1578. if (!alen)
  1579. return;
  1580. ctx->aes.ccm.nonce.b[0] |= S390X_CCM_AAD_FLAG;
  1581. /* Suppress 'type-punned pointer dereference' warning. */
  1582. ptr = ctx->aes.ccm.buf.b;
  1583. if (alen < ((1 << 16) - (1 << 8))) {
  1584. *(uint16_t *)ptr = alen;
  1585. i = 2;
  1586. } else if (sizeof(alen) == 8
  1587. && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
  1588. *(uint16_t *)ptr = 0xffff;
  1589. *(uint64_t *)(ptr + 2) = alen;
  1590. i = 10;
  1591. } else {
  1592. *(uint16_t *)ptr = 0xfffe;
  1593. *(uint32_t *)(ptr + 2) = alen;
  1594. i = 6;
  1595. }
  1596. while (i < 16 && alen) {
  1597. ctx->aes.ccm.buf.b[i] = *aad;
  1598. ++aad;
  1599. --alen;
  1600. ++i;
  1601. }
  1602. while (i < 16) {
  1603. ctx->aes.ccm.buf.b[i] = 0;
  1604. ++i;
  1605. }
  1606. ctx->aes.ccm.kmac_param.icv.g[0] = 0;
  1607. ctx->aes.ccm.kmac_param.icv.g[1] = 0;
  1608. s390x_kmac(ctx->aes.ccm.nonce.b, 32, ctx->aes.ccm.fc,
  1609. &ctx->aes.ccm.kmac_param);
  1610. ctx->aes.ccm.blocks += 2;
  1611. rem = alen & 0xf;
  1612. alen &= ~(size_t)0xf;
  1613. if (alen) {
  1614. s390x_kmac(aad, alen, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1615. ctx->aes.ccm.blocks += alen >> 4;
  1616. aad += alen;
  1617. }
  1618. if (rem) {
  1619. for (i = 0; i < rem; i++)
  1620. ctx->aes.ccm.kmac_param.icv.b[i] ^= aad[i];
  1621. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1622. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1623. ctx->aes.ccm.kmac_param.k);
  1624. ctx->aes.ccm.blocks++;
  1625. }
  1626. }
  1627. /*-
  1628. * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 0 for
  1629. * success.
  1630. */
  1631. static int s390x_aes_ccm(S390X_AES_CCM_CTX *ctx, const unsigned char *in,
  1632. unsigned char *out, size_t len, int enc)
  1633. {
  1634. size_t n, rem;
  1635. unsigned int i, l, num;
  1636. unsigned char flags;
  1637. flags = ctx->aes.ccm.nonce.b[0];
  1638. if (!(flags & S390X_CCM_AAD_FLAG)) {
  1639. s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.kmac_param.icv.b,
  1640. ctx->aes.ccm.fc, ctx->aes.ccm.kmac_param.k);
  1641. ctx->aes.ccm.blocks++;
  1642. }
  1643. l = flags & 0x7;
  1644. ctx->aes.ccm.nonce.b[0] = l;
  1645. /*-
  1646. * Reconstruct length from encoded length field
  1647. * and initialize it with counter value.
  1648. */
  1649. n = 0;
  1650. for (i = 15 - l; i < 15; i++) {
  1651. n |= ctx->aes.ccm.nonce.b[i];
  1652. ctx->aes.ccm.nonce.b[i] = 0;
  1653. n <<= 8;
  1654. }
  1655. n |= ctx->aes.ccm.nonce.b[15];
  1656. ctx->aes.ccm.nonce.b[15] = 1;
  1657. if (n != len)
  1658. return -1; /* length mismatch */
  1659. if (enc) {
  1660. /* Two operations per block plus one for tag encryption */
  1661. ctx->aes.ccm.blocks += (((len + 15) >> 4) << 1) + 1;
  1662. if (ctx->aes.ccm.blocks > (1ULL << 61))
  1663. return -2; /* too much data */
  1664. }
  1665. num = 0;
  1666. rem = len & 0xf;
  1667. len &= ~(size_t)0xf;
  1668. if (enc) {
  1669. /* mac-then-encrypt */
  1670. if (len)
  1671. s390x_kmac(in, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1672. if (rem) {
  1673. for (i = 0; i < rem; i++)
  1674. ctx->aes.ccm.kmac_param.icv.b[i] ^= in[len + i];
  1675. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1676. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1677. ctx->aes.ccm.kmac_param.k);
  1678. }
  1679. CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
  1680. ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
  1681. &num, (ctr128_f)AES_ctr32_encrypt);
  1682. } else {
  1683. /* decrypt-then-mac */
  1684. CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
  1685. ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
  1686. &num, (ctr128_f)AES_ctr32_encrypt);
  1687. if (len)
  1688. s390x_kmac(out, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
  1689. if (rem) {
  1690. for (i = 0; i < rem; i++)
  1691. ctx->aes.ccm.kmac_param.icv.b[i] ^= out[len + i];
  1692. s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
  1693. ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
  1694. ctx->aes.ccm.kmac_param.k);
  1695. }
  1696. }
  1697. /* encrypt tag */
  1698. for (i = 15 - l; i < 16; i++)
  1699. ctx->aes.ccm.nonce.b[i] = 0;
  1700. s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.buf.b, ctx->aes.ccm.fc,
  1701. ctx->aes.ccm.kmac_param.k);
  1702. ctx->aes.ccm.kmac_param.icv.g[0] ^= ctx->aes.ccm.buf.g[0];
  1703. ctx->aes.ccm.kmac_param.icv.g[1] ^= ctx->aes.ccm.buf.g[1];
  1704. ctx->aes.ccm.nonce.b[0] = flags; /* restore flags field */
  1705. return 0;
  1706. }
  1707. /*-
  1708. * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
  1709. * if successful. Otherwise -1 is returned.
  1710. */
  1711. static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1712. const unsigned char *in, size_t len)
  1713. {
  1714. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1715. unsigned char *ivec = ctx->iv;
  1716. unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1717. const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
  1718. if (out != in
  1719. || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m))
  1720. return -1;
  1721. if (enc) {
  1722. /* Set explicit iv (sequence number). */
  1723. memcpy(out, buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
  1724. }
  1725. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
  1726. /*-
  1727. * Get explicit iv (sequence number). We already have fixed iv
  1728. * (server/client_write_iv) here.
  1729. */
  1730. memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
  1731. s390x_aes_ccm_setiv(cctx, ivec, len);
  1732. /* Process aad (sequence number|type|version|length) */
  1733. s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len);
  1734. in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1735. out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1736. if (enc) {
  1737. if (s390x_aes_ccm(cctx, in, out, len, enc))
  1738. return -1;
  1739. memcpy(out + len, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
  1740. return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
  1741. } else {
  1742. if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
  1743. if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, in + len,
  1744. cctx->aes.ccm.m))
  1745. return len;
  1746. }
  1747. OPENSSL_cleanse(out, len);
  1748. return -1;
  1749. }
  1750. }
  1751. /*-
  1752. * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
  1753. * returned.
  1754. */
  1755. static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx,
  1756. const unsigned char *key,
  1757. const unsigned char *iv, int enc)
  1758. {
  1759. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1760. int keylen;
  1761. if (iv == NULL && key == NULL)
  1762. return 1;
  1763. if (key != NULL) {
  1764. keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  1765. if (keylen <= 0) {
  1766. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  1767. return 0;
  1768. }
  1769. cctx->aes.ccm.fc = S390X_AES_FC(keylen);
  1770. memcpy(cctx->aes.ccm.kmac_param.k, key, keylen);
  1771. /* Store encoded m and l. */
  1772. cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
  1773. | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
  1774. memset(cctx->aes.ccm.nonce.b + 1, 0,
  1775. sizeof(cctx->aes.ccm.nonce.b));
  1776. cctx->aes.ccm.blocks = 0;
  1777. cctx->aes.ccm.key_set = 1;
  1778. }
  1779. if (iv != NULL) {
  1780. memcpy(ctx->iv, iv, 15 - cctx->aes.ccm.l);
  1781. cctx->aes.ccm.iv_set = 1;
  1782. }
  1783. return 1;
  1784. }
  1785. /*-
  1786. * Called from EVP layer to initialize context, process additional
  1787. * authenticated data, en/de-crypt plain/cipher-text and authenticate
  1788. * plaintext or process a TLS packet, depending on context. Returns bytes
  1789. * written on success. Otherwise -1 is returned.
  1790. */
  1791. static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1792. const unsigned char *in, size_t len)
  1793. {
  1794. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
  1795. const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
  1796. int rv;
  1797. unsigned char *buf;
  1798. if (!cctx->aes.ccm.key_set)
  1799. return -1;
  1800. if (cctx->aes.ccm.tls_aad_len >= 0)
  1801. return s390x_aes_ccm_tls_cipher(ctx, out, in, len);
  1802. /*-
  1803. * Final(): Does not return any data. Recall that ccm is mac-then-encrypt
  1804. * so integrity must be checked already at Update() i.e., before
  1805. * potentially corrupted data is output.
  1806. */
  1807. if (in == NULL && out != NULL)
  1808. return 0;
  1809. if (!cctx->aes.ccm.iv_set)
  1810. return -1;
  1811. if (out == NULL) {
  1812. /* Update(): Pass message length. */
  1813. if (in == NULL) {
  1814. s390x_aes_ccm_setiv(cctx, ctx->iv, len);
  1815. cctx->aes.ccm.len_set = 1;
  1816. return len;
  1817. }
  1818. /* Update(): Process aad. */
  1819. if (!cctx->aes.ccm.len_set && len)
  1820. return -1;
  1821. s390x_aes_ccm_aad(cctx, in, len);
  1822. return len;
  1823. }
  1824. /* The tag must be set before actually decrypting data */
  1825. if (!enc && !cctx->aes.ccm.tag_set)
  1826. return -1;
  1827. /* Update(): Process message. */
  1828. if (!cctx->aes.ccm.len_set) {
  1829. /*-
  1830. * In case message length was not previously set explicitly via
  1831. * Update(), set it now.
  1832. */
  1833. s390x_aes_ccm_setiv(cctx, ctx->iv, len);
  1834. cctx->aes.ccm.len_set = 1;
  1835. }
  1836. if (enc) {
  1837. if (s390x_aes_ccm(cctx, in, out, len, enc))
  1838. return -1;
  1839. cctx->aes.ccm.tag_set = 1;
  1840. return len;
  1841. } else {
  1842. rv = -1;
  1843. if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
  1844. buf = EVP_CIPHER_CTX_buf_noconst(ctx);
  1845. if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, buf,
  1846. cctx->aes.ccm.m))
  1847. rv = len;
  1848. }
  1849. if (rv == -1)
  1850. OPENSSL_cleanse(out, len);
  1851. cctx->aes.ccm.iv_set = 0;
  1852. cctx->aes.ccm.tag_set = 0;
  1853. cctx->aes.ccm.len_set = 0;
  1854. return rv;
  1855. }
  1856. }
  1857. /*-
  1858. * Performs various operations on the context structure depending on control
  1859. * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
  1860. * Code is big-endian.
  1861. */
  1862. static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  1863. {
  1864. S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, c);
  1865. unsigned char *buf;
  1866. int enc, len;
  1867. switch (type) {
  1868. case EVP_CTRL_INIT:
  1869. cctx->aes.ccm.key_set = 0;
  1870. cctx->aes.ccm.iv_set = 0;
  1871. cctx->aes.ccm.l = 8;
  1872. cctx->aes.ccm.m = 12;
  1873. cctx->aes.ccm.tag_set = 0;
  1874. cctx->aes.ccm.len_set = 0;
  1875. cctx->aes.ccm.tls_aad_len = -1;
  1876. return 1;
  1877. case EVP_CTRL_GET_IVLEN:
  1878. *(int *)ptr = 15 - cctx->aes.ccm.l;
  1879. return 1;
  1880. case EVP_CTRL_AEAD_TLS1_AAD:
  1881. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  1882. return 0;
  1883. /* Save the aad for later use. */
  1884. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1885. memcpy(buf, ptr, arg);
  1886. cctx->aes.ccm.tls_aad_len = arg;
  1887. len = buf[arg - 2] << 8 | buf[arg - 1];
  1888. if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
  1889. return 0;
  1890. /* Correct length for explicit iv. */
  1891. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
  1892. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1893. if (!enc) {
  1894. if (len < cctx->aes.ccm.m)
  1895. return 0;
  1896. /* Correct length for tag. */
  1897. len -= cctx->aes.ccm.m;
  1898. }
  1899. buf[arg - 2] = len >> 8;
  1900. buf[arg - 1] = len & 0xff;
  1901. /* Extra padding: tag appended to record. */
  1902. return cctx->aes.ccm.m;
  1903. case EVP_CTRL_CCM_SET_IV_FIXED:
  1904. if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
  1905. return 0;
  1906. /* Copy to first part of the iv. */
  1907. memcpy(c->iv, ptr, arg);
  1908. return 1;
  1909. case EVP_CTRL_AEAD_SET_IVLEN:
  1910. arg = 15 - arg;
  1911. /* fall-through */
  1912. case EVP_CTRL_CCM_SET_L:
  1913. if (arg < 2 || arg > 8)
  1914. return 0;
  1915. cctx->aes.ccm.l = arg;
  1916. return 1;
  1917. case EVP_CTRL_AEAD_SET_TAG:
  1918. if ((arg & 1) || arg < 4 || arg > 16)
  1919. return 0;
  1920. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1921. if (enc && ptr)
  1922. return 0;
  1923. if (ptr) {
  1924. cctx->aes.ccm.tag_set = 1;
  1925. buf = EVP_CIPHER_CTX_buf_noconst(c);
  1926. memcpy(buf, ptr, arg);
  1927. }
  1928. cctx->aes.ccm.m = arg;
  1929. return 1;
  1930. case EVP_CTRL_AEAD_GET_TAG:
  1931. enc = EVP_CIPHER_CTX_is_encrypting(c);
  1932. if (!enc || !cctx->aes.ccm.tag_set)
  1933. return 0;
  1934. if (arg < cctx->aes.ccm.m)
  1935. return 0;
  1936. memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
  1937. cctx->aes.ccm.tag_set = 0;
  1938. cctx->aes.ccm.iv_set = 0;
  1939. cctx->aes.ccm.len_set = 0;
  1940. return 1;
  1941. case EVP_CTRL_COPY:
  1942. return 1;
  1943. default:
  1944. return -1;
  1945. }
  1946. }
  1947. # define s390x_aes_ccm_cleanup aes_ccm_cleanup
  1948. # ifndef OPENSSL_NO_OCB
  1949. # define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
  1950. # define s390x_aes_ocb_init_key aes_ocb_init_key
  1951. static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  1952. const unsigned char *iv, int enc);
  1953. # define s390x_aes_ocb_cipher aes_ocb_cipher
  1954. static int s390x_aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  1955. const unsigned char *in, size_t len);
  1956. # define s390x_aes_ocb_cleanup aes_ocb_cleanup
  1957. static int s390x_aes_ocb_cleanup(EVP_CIPHER_CTX *);
  1958. # define s390x_aes_ocb_ctrl aes_ocb_ctrl
  1959. static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
  1960. # endif
  1961. # ifndef OPENSSL_NO_SIV
  1962. # define S390X_AES_SIV_CTX EVP_AES_SIV_CTX
  1963. # define s390x_aes_siv_init_key aes_siv_init_key
  1964. # define s390x_aes_siv_cipher aes_siv_cipher
  1965. # define s390x_aes_siv_cleanup aes_siv_cleanup
  1966. # define s390x_aes_siv_ctrl aes_siv_ctrl
  1967. # endif
  1968. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
  1969. MODE,flags) \
  1970. static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
  1971. nid##_##keylen##_##nmode,blocksize, \
  1972. keylen / 8, \
  1973. ivlen, \
  1974. flags | EVP_CIPH_##MODE##_MODE, \
  1975. EVP_ORIG_GLOBAL, \
  1976. s390x_aes_##mode##_init_key, \
  1977. s390x_aes_##mode##_cipher, \
  1978. NULL, \
  1979. sizeof(S390X_AES_##MODE##_CTX), \
  1980. NULL, \
  1981. NULL, \
  1982. NULL, \
  1983. NULL \
  1984. }; \
  1985. static const EVP_CIPHER aes_##keylen##_##mode = { \
  1986. nid##_##keylen##_##nmode, \
  1987. blocksize, \
  1988. keylen / 8, \
  1989. ivlen, \
  1990. flags | EVP_CIPH_##MODE##_MODE, \
  1991. EVP_ORIG_GLOBAL, \
  1992. aes_init_key, \
  1993. aes_##mode##_cipher, \
  1994. NULL, \
  1995. sizeof(EVP_AES_KEY), \
  1996. NULL, \
  1997. NULL, \
  1998. NULL, \
  1999. NULL \
  2000. }; \
  2001. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2002. { \
  2003. return S390X_aes_##keylen##_##mode##_CAPABLE ? \
  2004. &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
  2005. }
  2006. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
  2007. static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
  2008. nid##_##keylen##_##mode, \
  2009. blocksize, \
  2010. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
  2011. ivlen, \
  2012. flags | EVP_CIPH_##MODE##_MODE, \
  2013. EVP_ORIG_GLOBAL, \
  2014. s390x_aes_##mode##_init_key, \
  2015. s390x_aes_##mode##_cipher, \
  2016. s390x_aes_##mode##_cleanup, \
  2017. sizeof(S390X_AES_##MODE##_CTX), \
  2018. NULL, \
  2019. NULL, \
  2020. s390x_aes_##mode##_ctrl, \
  2021. NULL \
  2022. }; \
  2023. static const EVP_CIPHER aes_##keylen##_##mode = { \
  2024. nid##_##keylen##_##mode,blocksize, \
  2025. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
  2026. ivlen, \
  2027. flags | EVP_CIPH_##MODE##_MODE, \
  2028. EVP_ORIG_GLOBAL, \
  2029. aes_##mode##_init_key, \
  2030. aes_##mode##_cipher, \
  2031. aes_##mode##_cleanup, \
  2032. sizeof(EVP_AES_##MODE##_CTX), \
  2033. NULL, \
  2034. NULL, \
  2035. aes_##mode##_ctrl, \
  2036. NULL \
  2037. }; \
  2038. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2039. { \
  2040. return S390X_aes_##keylen##_##mode##_CAPABLE ? \
  2041. &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
  2042. }
  2043. #else
  2044. # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
  2045. static const EVP_CIPHER aes_##keylen##_##mode = { \
  2046. nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
  2047. flags|EVP_CIPH_##MODE##_MODE, \
  2048. EVP_ORIG_GLOBAL, \
  2049. aes_init_key, \
  2050. aes_##mode##_cipher, \
  2051. NULL, \
  2052. sizeof(EVP_AES_KEY), \
  2053. NULL,NULL,NULL,NULL }; \
  2054. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2055. { return &aes_##keylen##_##mode; }
  2056. # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
  2057. static const EVP_CIPHER aes_##keylen##_##mode = { \
  2058. nid##_##keylen##_##mode,blocksize, \
  2059. (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
  2060. ivlen, \
  2061. flags|EVP_CIPH_##MODE##_MODE, \
  2062. EVP_ORIG_GLOBAL, \
  2063. aes_##mode##_init_key, \
  2064. aes_##mode##_cipher, \
  2065. aes_##mode##_cleanup, \
  2066. sizeof(EVP_AES_##MODE##_CTX), \
  2067. NULL,NULL,aes_##mode##_ctrl,NULL }; \
  2068. const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
  2069. { return &aes_##keylen##_##mode; }
  2070. #endif
  2071. #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
  2072. BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2073. BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2074. BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2075. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
  2076. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
  2077. BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
  2078. BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
  2079. static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2080. const unsigned char *iv, int enc)
  2081. {
  2082. int ret, mode;
  2083. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2084. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  2085. if (keylen <= 0) {
  2086. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  2087. return 0;
  2088. }
  2089. mode = EVP_CIPHER_CTX_get_mode(ctx);
  2090. if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
  2091. && !enc) {
  2092. #ifdef HWAES_CAPABLE
  2093. if (HWAES_CAPABLE) {
  2094. ret = HWAES_set_decrypt_key(key, keylen, &dat->ks.ks);
  2095. dat->block = (block128_f) HWAES_decrypt;
  2096. dat->stream.cbc = NULL;
  2097. # ifdef HWAES_cbc_encrypt
  2098. if (mode == EVP_CIPH_CBC_MODE)
  2099. dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
  2100. # endif
  2101. } else
  2102. #endif
  2103. #ifdef BSAES_CAPABLE
  2104. if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
  2105. ret = AES_set_decrypt_key(key, keylen, &dat->ks.ks);
  2106. dat->block = (block128_f) AES_decrypt;
  2107. dat->stream.cbc = (cbc128_f) ossl_bsaes_cbc_encrypt;
  2108. } else
  2109. #endif
  2110. #ifdef VPAES_CAPABLE
  2111. if (VPAES_CAPABLE) {
  2112. ret = vpaes_set_decrypt_key(key, keylen, &dat->ks.ks);
  2113. dat->block = (block128_f) vpaes_decrypt;
  2114. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2115. (cbc128_f) vpaes_cbc_encrypt : NULL;
  2116. } else
  2117. #endif
  2118. {
  2119. ret = AES_set_decrypt_key(key, keylen, &dat->ks.ks);
  2120. dat->block = (block128_f) AES_decrypt;
  2121. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2122. (cbc128_f) AES_cbc_encrypt : NULL;
  2123. }
  2124. } else
  2125. #ifdef HWAES_CAPABLE
  2126. if (HWAES_CAPABLE) {
  2127. ret = HWAES_set_encrypt_key(key, keylen, &dat->ks.ks);
  2128. dat->block = (block128_f) HWAES_encrypt;
  2129. dat->stream.cbc = NULL;
  2130. # ifdef HWAES_cbc_encrypt
  2131. if (mode == EVP_CIPH_CBC_MODE)
  2132. dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
  2133. else
  2134. # endif
  2135. # ifdef HWAES_ctr32_encrypt_blocks
  2136. if (mode == EVP_CIPH_CTR_MODE)
  2137. dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
  2138. else
  2139. # endif
  2140. (void)0; /* terminate potentially open 'else' */
  2141. } else
  2142. #endif
  2143. #ifdef BSAES_CAPABLE
  2144. if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
  2145. ret = AES_set_encrypt_key(key, keylen, &dat->ks.ks);
  2146. dat->block = (block128_f) AES_encrypt;
  2147. dat->stream.ctr = (ctr128_f) ossl_bsaes_ctr32_encrypt_blocks;
  2148. } else
  2149. #endif
  2150. #ifdef VPAES_CAPABLE
  2151. if (VPAES_CAPABLE) {
  2152. ret = vpaes_set_encrypt_key(key, keylen, &dat->ks.ks);
  2153. dat->block = (block128_f) vpaes_encrypt;
  2154. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2155. (cbc128_f) vpaes_cbc_encrypt : NULL;
  2156. } else
  2157. #endif
  2158. {
  2159. ret = AES_set_encrypt_key(key, keylen, &dat->ks.ks);
  2160. dat->block = (block128_f) AES_encrypt;
  2161. dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
  2162. (cbc128_f) AES_cbc_encrypt : NULL;
  2163. #ifdef AES_CTR_ASM
  2164. if (mode == EVP_CIPH_CTR_MODE)
  2165. dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
  2166. #endif
  2167. }
  2168. if (ret < 0) {
  2169. ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
  2170. return 0;
  2171. }
  2172. return 1;
  2173. }
  2174. static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2175. const unsigned char *in, size_t len)
  2176. {
  2177. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2178. if (dat->stream.cbc)
  2179. (*dat->stream.cbc) (in, out, len, &dat->ks, ctx->iv,
  2180. EVP_CIPHER_CTX_is_encrypting(ctx));
  2181. else if (EVP_CIPHER_CTX_is_encrypting(ctx))
  2182. CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv,
  2183. dat->block);
  2184. else
  2185. CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
  2186. ctx->iv, dat->block);
  2187. return 1;
  2188. }
  2189. static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2190. const unsigned char *in, size_t len)
  2191. {
  2192. size_t bl = EVP_CIPHER_CTX_get_block_size(ctx);
  2193. size_t i;
  2194. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2195. if (len < bl)
  2196. return 1;
  2197. for (i = 0, len -= bl; i <= len; i += bl)
  2198. (*dat->block) (in + i, out + i, &dat->ks);
  2199. return 1;
  2200. }
  2201. static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2202. const unsigned char *in, size_t len)
  2203. {
  2204. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2205. int num = EVP_CIPHER_CTX_get_num(ctx);
  2206. CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
  2207. ctx->iv, &num, dat->block);
  2208. EVP_CIPHER_CTX_set_num(ctx, num);
  2209. return 1;
  2210. }
  2211. static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2212. const unsigned char *in, size_t len)
  2213. {
  2214. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2215. int num = EVP_CIPHER_CTX_get_num(ctx);
  2216. CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
  2217. ctx->iv, &num,
  2218. EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
  2219. EVP_CIPHER_CTX_set_num(ctx, num);
  2220. return 1;
  2221. }
  2222. static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2223. const unsigned char *in, size_t len)
  2224. {
  2225. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2226. int num = EVP_CIPHER_CTX_get_num(ctx);
  2227. CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
  2228. ctx->iv, &num,
  2229. EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
  2230. EVP_CIPHER_CTX_set_num(ctx, num);
  2231. return 1;
  2232. }
  2233. static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2234. const unsigned char *in, size_t len)
  2235. {
  2236. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2237. if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
  2238. int num = EVP_CIPHER_CTX_get_num(ctx);
  2239. CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
  2240. ctx->iv, &num,
  2241. EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
  2242. EVP_CIPHER_CTX_set_num(ctx, num);
  2243. return 1;
  2244. }
  2245. while (len >= MAXBITCHUNK) {
  2246. int num = EVP_CIPHER_CTX_get_num(ctx);
  2247. CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
  2248. ctx->iv, &num,
  2249. EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
  2250. EVP_CIPHER_CTX_set_num(ctx, num);
  2251. len -= MAXBITCHUNK;
  2252. out += MAXBITCHUNK;
  2253. in += MAXBITCHUNK;
  2254. }
  2255. if (len) {
  2256. int num = EVP_CIPHER_CTX_get_num(ctx);
  2257. CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
  2258. ctx->iv, &num,
  2259. EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
  2260. EVP_CIPHER_CTX_set_num(ctx, num);
  2261. }
  2262. return 1;
  2263. }
  2264. static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2265. const unsigned char *in, size_t len)
  2266. {
  2267. int n = EVP_CIPHER_CTX_get_num(ctx);
  2268. unsigned int num;
  2269. EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
  2270. if (n < 0)
  2271. return 0;
  2272. num = (unsigned int)n;
  2273. if (dat->stream.ctr)
  2274. CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
  2275. ctx->iv,
  2276. EVP_CIPHER_CTX_buf_noconst(ctx),
  2277. &num, dat->stream.ctr);
  2278. else
  2279. CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
  2280. ctx->iv,
  2281. EVP_CIPHER_CTX_buf_noconst(ctx), &num,
  2282. dat->block);
  2283. EVP_CIPHER_CTX_set_num(ctx, num);
  2284. return 1;
  2285. }
  2286. BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
  2287. BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
  2288. BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
  2289. static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
  2290. {
  2291. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
  2292. if (gctx == NULL)
  2293. return 0;
  2294. OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
  2295. if (gctx->iv != c->iv)
  2296. OPENSSL_free(gctx->iv);
  2297. return 1;
  2298. }
  2299. static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2300. {
  2301. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
  2302. switch (type) {
  2303. case EVP_CTRL_INIT:
  2304. gctx->key_set = 0;
  2305. gctx->iv_set = 0;
  2306. gctx->ivlen = EVP_CIPHER_get_iv_length(c->cipher);
  2307. gctx->iv = c->iv;
  2308. gctx->taglen = -1;
  2309. gctx->iv_gen = 0;
  2310. gctx->tls_aad_len = -1;
  2311. return 1;
  2312. case EVP_CTRL_GET_IVLEN:
  2313. *(int *)ptr = gctx->ivlen;
  2314. return 1;
  2315. case EVP_CTRL_AEAD_SET_IVLEN:
  2316. if (arg <= 0)
  2317. return 0;
  2318. /* Allocate memory for IV if needed */
  2319. if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
  2320. if (gctx->iv != c->iv)
  2321. OPENSSL_free(gctx->iv);
  2322. if ((gctx->iv = OPENSSL_malloc(arg)) == NULL)
  2323. return 0;
  2324. }
  2325. gctx->ivlen = arg;
  2326. return 1;
  2327. case EVP_CTRL_AEAD_SET_TAG:
  2328. if (arg <= 0 || arg > 16 || c->encrypt)
  2329. return 0;
  2330. memcpy(c->buf, ptr, arg);
  2331. gctx->taglen = arg;
  2332. return 1;
  2333. case EVP_CTRL_AEAD_GET_TAG:
  2334. if (arg <= 0 || arg > 16 || !c->encrypt
  2335. || gctx->taglen < 0)
  2336. return 0;
  2337. memcpy(ptr, c->buf, arg);
  2338. return 1;
  2339. case EVP_CTRL_GCM_SET_IV_FIXED:
  2340. /* Special case: -1 length restores whole IV */
  2341. if (arg == -1) {
  2342. memcpy(gctx->iv, ptr, gctx->ivlen);
  2343. gctx->iv_gen = 1;
  2344. return 1;
  2345. }
  2346. /*
  2347. * Fixed field must be at least 4 bytes and invocation field at least
  2348. * 8.
  2349. */
  2350. if ((arg < 4) || (gctx->ivlen - arg) < 8)
  2351. return 0;
  2352. if (arg)
  2353. memcpy(gctx->iv, ptr, arg);
  2354. if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
  2355. return 0;
  2356. gctx->iv_gen = 1;
  2357. return 1;
  2358. case EVP_CTRL_GCM_IV_GEN:
  2359. if (gctx->iv_gen == 0 || gctx->key_set == 0)
  2360. return 0;
  2361. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  2362. if (arg <= 0 || arg > gctx->ivlen)
  2363. arg = gctx->ivlen;
  2364. memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
  2365. /*
  2366. * Invocation field will be at least 8 bytes in size and so no need
  2367. * to check wrap around or increment more than last 8 bytes.
  2368. */
  2369. ctr64_inc(gctx->iv + gctx->ivlen - 8);
  2370. gctx->iv_set = 1;
  2371. return 1;
  2372. case EVP_CTRL_GCM_SET_IV_INV:
  2373. if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
  2374. return 0;
  2375. memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
  2376. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  2377. gctx->iv_set = 1;
  2378. return 1;
  2379. case EVP_CTRL_AEAD_TLS1_AAD:
  2380. /* Save the AAD for later use */
  2381. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  2382. return 0;
  2383. memcpy(c->buf, ptr, arg);
  2384. gctx->tls_aad_len = arg;
  2385. gctx->tls_enc_records = 0;
  2386. {
  2387. unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
  2388. /* Correct length for explicit IV */
  2389. if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
  2390. return 0;
  2391. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2392. /* If decrypting correct for tag too */
  2393. if (!c->encrypt) {
  2394. if (len < EVP_GCM_TLS_TAG_LEN)
  2395. return 0;
  2396. len -= EVP_GCM_TLS_TAG_LEN;
  2397. }
  2398. c->buf[arg - 2] = len >> 8;
  2399. c->buf[arg - 1] = len & 0xff;
  2400. }
  2401. /* Extra padding: tag appended to record */
  2402. return EVP_GCM_TLS_TAG_LEN;
  2403. case EVP_CTRL_COPY:
  2404. {
  2405. EVP_CIPHER_CTX *out = ptr;
  2406. EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out);
  2407. if (gctx->gcm.key) {
  2408. if (gctx->gcm.key != &gctx->ks)
  2409. return 0;
  2410. gctx_out->gcm.key = &gctx_out->ks;
  2411. }
  2412. if (gctx->iv == c->iv)
  2413. gctx_out->iv = out->iv;
  2414. else {
  2415. if ((gctx_out->iv = OPENSSL_malloc(gctx->ivlen)) == NULL)
  2416. return 0;
  2417. memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
  2418. }
  2419. return 1;
  2420. }
  2421. default:
  2422. return -1;
  2423. }
  2424. }
  2425. static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2426. const unsigned char *iv, int enc)
  2427. {
  2428. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2429. if (iv == NULL && key == NULL)
  2430. return 1;
  2431. if (key != NULL) {
  2432. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  2433. if (keylen <= 0) {
  2434. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  2435. return 0;
  2436. }
  2437. do {
  2438. #ifdef HWAES_CAPABLE
  2439. if (HWAES_CAPABLE) {
  2440. HWAES_set_encrypt_key(key, keylen, &gctx->ks.ks);
  2441. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2442. (block128_f) HWAES_encrypt);
  2443. # ifdef HWAES_ctr32_encrypt_blocks
  2444. gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
  2445. # else
  2446. gctx->ctr = NULL;
  2447. # endif
  2448. break;
  2449. } else
  2450. #endif
  2451. #ifdef BSAES_CAPABLE
  2452. if (BSAES_CAPABLE) {
  2453. AES_set_encrypt_key(key, keylen, &gctx->ks.ks);
  2454. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2455. (block128_f) AES_encrypt);
  2456. gctx->ctr = (ctr128_f) ossl_bsaes_ctr32_encrypt_blocks;
  2457. break;
  2458. } else
  2459. #endif
  2460. #ifdef VPAES_CAPABLE
  2461. if (VPAES_CAPABLE) {
  2462. vpaes_set_encrypt_key(key, keylen, &gctx->ks.ks);
  2463. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2464. (block128_f) vpaes_encrypt);
  2465. gctx->ctr = NULL;
  2466. break;
  2467. } else
  2468. #endif
  2469. (void)0; /* terminate potentially open 'else' */
  2470. AES_set_encrypt_key(key, keylen, &gctx->ks.ks);
  2471. CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
  2472. (block128_f) AES_encrypt);
  2473. #ifdef AES_CTR_ASM
  2474. gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
  2475. #else
  2476. gctx->ctr = NULL;
  2477. #endif
  2478. } while (0);
  2479. /*
  2480. * If we have an iv can set it directly, otherwise use saved IV.
  2481. */
  2482. if (iv == NULL && gctx->iv_set)
  2483. iv = gctx->iv;
  2484. if (iv) {
  2485. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  2486. gctx->iv_set = 1;
  2487. }
  2488. gctx->key_set = 1;
  2489. } else {
  2490. /* If key set use IV, otherwise copy */
  2491. if (gctx->key_set)
  2492. CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
  2493. else
  2494. memcpy(gctx->iv, iv, gctx->ivlen);
  2495. gctx->iv_set = 1;
  2496. gctx->iv_gen = 0;
  2497. }
  2498. return 1;
  2499. }
  2500. /*
  2501. * Handle TLS GCM packet format. This consists of the last portion of the IV
  2502. * followed by the payload and finally the tag. On encrypt generate IV,
  2503. * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
  2504. * and verify tag.
  2505. */
  2506. static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2507. const unsigned char *in, size_t len)
  2508. {
  2509. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2510. int rv = -1;
  2511. /* Encrypt/decrypt must be performed in place */
  2512. if (out != in
  2513. || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
  2514. return -1;
  2515. /*
  2516. * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
  2517. * Requirements from SP 800-38D". The requirements is for one party to the
  2518. * communication to fail after 2^64 - 1 keys. We do this on the encrypting
  2519. * side only.
  2520. */
  2521. if (EVP_CIPHER_CTX_is_encrypting(ctx) && ++gctx->tls_enc_records == 0) {
  2522. ERR_raise(ERR_LIB_EVP, EVP_R_TOO_MANY_RECORDS);
  2523. goto err;
  2524. }
  2525. /*
  2526. * Set IV from start of buffer or generate IV and write to start of
  2527. * buffer.
  2528. */
  2529. if (EVP_CIPHER_CTX_ctrl(ctx,
  2530. EVP_CIPHER_CTX_is_encrypting(ctx) ?
  2531. EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
  2532. EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
  2533. goto err;
  2534. /* Use saved AAD */
  2535. if (CRYPTO_gcm128_aad(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
  2536. gctx->tls_aad_len))
  2537. goto err;
  2538. /* Fix buffer and length to point to payload */
  2539. in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2540. out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  2541. len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  2542. if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  2543. /* Encrypt payload */
  2544. if (gctx->ctr) {
  2545. size_t bulk = 0;
  2546. #if defined(AES_GCM_ASM)
  2547. if (len >= 32 && AES_GCM_ASM(gctx)) {
  2548. if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
  2549. return -1;
  2550. bulk = AES_gcm_encrypt(in, out, len,
  2551. gctx->gcm.key,
  2552. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2553. gctx->gcm.len.u[1] += bulk;
  2554. }
  2555. #endif
  2556. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
  2557. in + bulk,
  2558. out + bulk,
  2559. len - bulk, gctx->ctr))
  2560. goto err;
  2561. } else {
  2562. size_t bulk = 0;
  2563. #if defined(AES_GCM_ASM2)
  2564. if (len >= 32 && AES_GCM_ASM2(gctx)) {
  2565. if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
  2566. return -1;
  2567. bulk = AES_gcm_encrypt(in, out, len,
  2568. gctx->gcm.key,
  2569. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2570. gctx->gcm.len.u[1] += bulk;
  2571. }
  2572. #endif
  2573. if (CRYPTO_gcm128_encrypt(&gctx->gcm,
  2574. in + bulk, out + bulk, len - bulk))
  2575. goto err;
  2576. }
  2577. out += len;
  2578. /* Finally write tag */
  2579. CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
  2580. rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
  2581. } else {
  2582. /* Decrypt */
  2583. if (gctx->ctr) {
  2584. size_t bulk = 0;
  2585. #if defined(AES_GCM_ASM)
  2586. if (len >= 16 && AES_GCM_ASM(gctx)) {
  2587. if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
  2588. return -1;
  2589. bulk = AES_gcm_decrypt(in, out, len,
  2590. gctx->gcm.key,
  2591. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2592. gctx->gcm.len.u[1] += bulk;
  2593. }
  2594. #endif
  2595. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
  2596. in + bulk,
  2597. out + bulk,
  2598. len - bulk, gctx->ctr))
  2599. goto err;
  2600. } else {
  2601. size_t bulk = 0;
  2602. #if defined(AES_GCM_ASM2)
  2603. if (len >= 16 && AES_GCM_ASM2(gctx)) {
  2604. if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
  2605. return -1;
  2606. bulk = AES_gcm_decrypt(in, out, len,
  2607. gctx->gcm.key,
  2608. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2609. gctx->gcm.len.u[1] += bulk;
  2610. }
  2611. #endif
  2612. if (CRYPTO_gcm128_decrypt(&gctx->gcm,
  2613. in + bulk, out + bulk, len - bulk))
  2614. goto err;
  2615. }
  2616. /* Retrieve tag */
  2617. CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
  2618. EVP_GCM_TLS_TAG_LEN);
  2619. /* If tag mismatch wipe buffer */
  2620. if (CRYPTO_memcmp(EVP_CIPHER_CTX_buf_noconst(ctx), in + len,
  2621. EVP_GCM_TLS_TAG_LEN)) {
  2622. OPENSSL_cleanse(out, len);
  2623. goto err;
  2624. }
  2625. rv = len;
  2626. }
  2627. err:
  2628. gctx->iv_set = 0;
  2629. gctx->tls_aad_len = -1;
  2630. return rv;
  2631. }
  2632. #ifdef FIPS_MODULE
  2633. /*
  2634. * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
  2635. *
  2636. * See also 8.2.2 RBG-based construction.
  2637. * Random construction consists of a free field (which can be NULL) and a
  2638. * random field which will use a DRBG that can return at least 96 bits of
  2639. * entropy strength. (The DRBG must be seeded by the FIPS module).
  2640. */
  2641. static int aes_gcm_iv_generate(EVP_AES_GCM_CTX *gctx, int offset)
  2642. {
  2643. int sz = gctx->ivlen - offset;
  2644. /* Must be at least 96 bits */
  2645. if (sz <= 0 || gctx->ivlen < 12)
  2646. return 0;
  2647. /* Use DRBG to generate random iv */
  2648. if (RAND_bytes(gctx->iv + offset, sz) <= 0)
  2649. return 0;
  2650. return 1;
  2651. }
  2652. #endif /* FIPS_MODULE */
  2653. static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2654. const unsigned char *in, size_t len)
  2655. {
  2656. EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
  2657. /* If not set up, return error */
  2658. if (!gctx->key_set)
  2659. return -1;
  2660. if (gctx->tls_aad_len >= 0)
  2661. return aes_gcm_tls_cipher(ctx, out, in, len);
  2662. #ifdef FIPS_MODULE
  2663. /*
  2664. * FIPS requires generation of AES-GCM IV's inside the FIPS module.
  2665. * The IV can still be set externally (the security policy will state that
  2666. * this is not FIPS compliant). There are some applications
  2667. * where setting the IV externally is the only option available.
  2668. */
  2669. if (!gctx->iv_set) {
  2670. if (!EVP_CIPHER_CTX_is_encrypting(ctx) || !aes_gcm_iv_generate(gctx, 0))
  2671. return -1;
  2672. CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
  2673. gctx->iv_set = 1;
  2674. gctx->iv_gen_rand = 1;
  2675. }
  2676. #else
  2677. if (!gctx->iv_set)
  2678. return -1;
  2679. #endif /* FIPS_MODULE */
  2680. if (in) {
  2681. if (out == NULL) {
  2682. if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
  2683. return -1;
  2684. } else if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  2685. if (gctx->ctr) {
  2686. size_t bulk = 0;
  2687. #if defined(AES_GCM_ASM)
  2688. if (len >= 32 && AES_GCM_ASM(gctx)) {
  2689. size_t res = (16 - gctx->gcm.mres) % 16;
  2690. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
  2691. return -1;
  2692. bulk = AES_gcm_encrypt(in + res,
  2693. out + res, len - res,
  2694. gctx->gcm.key, gctx->gcm.Yi.c,
  2695. gctx->gcm.Xi.u);
  2696. gctx->gcm.len.u[1] += bulk;
  2697. bulk += res;
  2698. }
  2699. #endif
  2700. if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
  2701. in + bulk,
  2702. out + bulk,
  2703. len - bulk, gctx->ctr))
  2704. return -1;
  2705. } else {
  2706. size_t bulk = 0;
  2707. #if defined(AES_GCM_ASM2)
  2708. if (len >= 32 && AES_GCM_ASM2(gctx)) {
  2709. size_t res = (16 - gctx->gcm.mres) % 16;
  2710. if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
  2711. return -1;
  2712. bulk = AES_gcm_encrypt(in + res,
  2713. out + res, len - res,
  2714. gctx->gcm.key, gctx->gcm.Yi.c,
  2715. gctx->gcm.Xi.u);
  2716. gctx->gcm.len.u[1] += bulk;
  2717. bulk += res;
  2718. }
  2719. #endif
  2720. if (CRYPTO_gcm128_encrypt(&gctx->gcm,
  2721. in + bulk, out + bulk, len - bulk))
  2722. return -1;
  2723. }
  2724. } else {
  2725. if (gctx->ctr) {
  2726. size_t bulk = 0;
  2727. #if defined(AES_GCM_ASM)
  2728. if (len >= 16 && AES_GCM_ASM(gctx)) {
  2729. size_t res = (16 - gctx->gcm.mres) % 16;
  2730. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
  2731. return -1;
  2732. bulk = AES_gcm_decrypt(in + res,
  2733. out + res, len - res,
  2734. gctx->gcm.key,
  2735. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2736. gctx->gcm.len.u[1] += bulk;
  2737. bulk += res;
  2738. }
  2739. #endif
  2740. if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
  2741. in + bulk,
  2742. out + bulk,
  2743. len - bulk, gctx->ctr))
  2744. return -1;
  2745. } else {
  2746. size_t bulk = 0;
  2747. #if defined(AES_GCM_ASM2)
  2748. if (len >= 16 && AES_GCM_ASM2(gctx)) {
  2749. size_t res = (16 - gctx->gcm.mres) % 16;
  2750. if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
  2751. return -1;
  2752. bulk = AES_gcm_decrypt(in + res,
  2753. out + res, len - res,
  2754. gctx->gcm.key,
  2755. gctx->gcm.Yi.c, gctx->gcm.Xi.u);
  2756. gctx->gcm.len.u[1] += bulk;
  2757. bulk += res;
  2758. }
  2759. #endif
  2760. if (CRYPTO_gcm128_decrypt(&gctx->gcm,
  2761. in + bulk, out + bulk, len - bulk))
  2762. return -1;
  2763. }
  2764. }
  2765. return len;
  2766. } else {
  2767. if (!EVP_CIPHER_CTX_is_encrypting(ctx)) {
  2768. if (gctx->taglen < 0)
  2769. return -1;
  2770. if (CRYPTO_gcm128_finish(&gctx->gcm,
  2771. EVP_CIPHER_CTX_buf_noconst(ctx),
  2772. gctx->taglen) != 0)
  2773. return -1;
  2774. gctx->iv_set = 0;
  2775. return 0;
  2776. }
  2777. CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), 16);
  2778. gctx->taglen = 16;
  2779. /* Don't reuse the IV */
  2780. gctx->iv_set = 0;
  2781. return 0;
  2782. }
  2783. }
  2784. #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
  2785. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  2786. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
  2787. | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
  2788. BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
  2789. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2790. BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
  2791. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2792. BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
  2793. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  2794. static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2795. {
  2796. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX, c);
  2797. if (type == EVP_CTRL_COPY) {
  2798. EVP_CIPHER_CTX *out = ptr;
  2799. EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
  2800. if (xctx->xts.key1) {
  2801. if (xctx->xts.key1 != &xctx->ks1)
  2802. return 0;
  2803. xctx_out->xts.key1 = &xctx_out->ks1;
  2804. }
  2805. if (xctx->xts.key2) {
  2806. if (xctx->xts.key2 != &xctx->ks2)
  2807. return 0;
  2808. xctx_out->xts.key2 = &xctx_out->ks2;
  2809. }
  2810. return 1;
  2811. } else if (type != EVP_CTRL_INIT)
  2812. return -1;
  2813. /* key1 and key2 are used as an indicator both key and IV are set */
  2814. xctx->xts.key1 = NULL;
  2815. xctx->xts.key2 = NULL;
  2816. return 1;
  2817. }
  2818. static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  2819. const unsigned char *iv, int enc)
  2820. {
  2821. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  2822. if (iv == NULL && key == NULL)
  2823. return 1;
  2824. if (key != NULL) {
  2825. do {
  2826. /* The key is two half length keys in reality */
  2827. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
  2828. const int bytes = keylen / 2;
  2829. const int bits = bytes * 8;
  2830. if (keylen <= 0) {
  2831. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  2832. return 0;
  2833. }
  2834. /*
  2835. * Verify that the two keys are different.
  2836. *
  2837. * This addresses the vulnerability described in Rogaway's
  2838. * September 2004 paper:
  2839. *
  2840. * "Efficient Instantiations of Tweakable Blockciphers and
  2841. * Refinements to Modes OCB and PMAC".
  2842. * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
  2843. *
  2844. * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
  2845. * that:
  2846. * "The check for Key_1 != Key_2 shall be done at any place
  2847. * BEFORE using the keys in the XTS-AES algorithm to process
  2848. * data with them."
  2849. */
  2850. if ((!allow_insecure_decrypt || enc)
  2851. && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
  2852. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
  2853. return 0;
  2854. }
  2855. #ifdef AES_XTS_ASM
  2856. xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
  2857. #else
  2858. xctx->stream = NULL;
  2859. #endif
  2860. /* key_len is two AES keys */
  2861. #ifdef HWAES_CAPABLE
  2862. if (HWAES_CAPABLE) {
  2863. if (enc) {
  2864. HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks);
  2865. xctx->xts.block1 = (block128_f) HWAES_encrypt;
  2866. # ifdef HWAES_xts_encrypt
  2867. xctx->stream = HWAES_xts_encrypt;
  2868. # endif
  2869. } else {
  2870. HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks);
  2871. xctx->xts.block1 = (block128_f) HWAES_decrypt;
  2872. # ifdef HWAES_xts_decrypt
  2873. xctx->stream = HWAES_xts_decrypt;
  2874. #endif
  2875. }
  2876. HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  2877. xctx->xts.block2 = (block128_f) HWAES_encrypt;
  2878. xctx->xts.key1 = &xctx->ks1;
  2879. break;
  2880. } else
  2881. #endif
  2882. #ifdef BSAES_CAPABLE
  2883. if (BSAES_CAPABLE)
  2884. xctx->stream = enc ? ossl_bsaes_xts_encrypt : ossl_bsaes_xts_decrypt;
  2885. else
  2886. #endif
  2887. #ifdef VPAES_CAPABLE
  2888. if (VPAES_CAPABLE) {
  2889. if (enc) {
  2890. vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks);
  2891. xctx->xts.block1 = (block128_f) vpaes_encrypt;
  2892. } else {
  2893. vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks);
  2894. xctx->xts.block1 = (block128_f) vpaes_decrypt;
  2895. }
  2896. vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  2897. xctx->xts.block2 = (block128_f) vpaes_encrypt;
  2898. xctx->xts.key1 = &xctx->ks1;
  2899. break;
  2900. } else
  2901. #endif
  2902. (void)0; /* terminate potentially open 'else' */
  2903. if (enc) {
  2904. AES_set_encrypt_key(key, bits, &xctx->ks1.ks);
  2905. xctx->xts.block1 = (block128_f) AES_encrypt;
  2906. } else {
  2907. AES_set_decrypt_key(key, bits, &xctx->ks1.ks);
  2908. xctx->xts.block1 = (block128_f) AES_decrypt;
  2909. }
  2910. AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
  2911. xctx->xts.block2 = (block128_f) AES_encrypt;
  2912. xctx->xts.key1 = &xctx->ks1;
  2913. } while (0);
  2914. }
  2915. if (iv) {
  2916. xctx->xts.key2 = &xctx->ks2;
  2917. memcpy(ctx->iv, iv, 16);
  2918. }
  2919. return 1;
  2920. }
  2921. static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  2922. const unsigned char *in, size_t len)
  2923. {
  2924. EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
  2925. if (xctx->xts.key1 == NULL
  2926. || xctx->xts.key2 == NULL
  2927. || out == NULL
  2928. || in == NULL
  2929. || len < AES_BLOCK_SIZE)
  2930. return 0;
  2931. /*
  2932. * Impose a limit of 2^20 blocks per data unit as specified by
  2933. * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007
  2934. * indicated that this was a SHOULD NOT rather than a MUST NOT.
  2935. * NIST SP 800-38E mandates the same limit.
  2936. */
  2937. if (len > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
  2938. ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE);
  2939. return 0;
  2940. }
  2941. if (xctx->stream)
  2942. (*xctx->stream) (in, out, len,
  2943. xctx->xts.key1, xctx->xts.key2,
  2944. ctx->iv);
  2945. else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
  2946. EVP_CIPHER_CTX_is_encrypting(ctx)))
  2947. return 0;
  2948. return 1;
  2949. }
  2950. #define aes_xts_cleanup NULL
  2951. #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
  2952. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
  2953. | EVP_CIPH_CUSTOM_COPY)
  2954. BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
  2955. BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
  2956. static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  2957. {
  2958. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c);
  2959. switch (type) {
  2960. case EVP_CTRL_INIT:
  2961. cctx->key_set = 0;
  2962. cctx->iv_set = 0;
  2963. cctx->L = 8;
  2964. cctx->M = 12;
  2965. cctx->tag_set = 0;
  2966. cctx->len_set = 0;
  2967. cctx->tls_aad_len = -1;
  2968. return 1;
  2969. case EVP_CTRL_GET_IVLEN:
  2970. *(int *)ptr = 15 - cctx->L;
  2971. return 1;
  2972. case EVP_CTRL_AEAD_TLS1_AAD:
  2973. /* Save the AAD for later use */
  2974. if (arg != EVP_AEAD_TLS1_AAD_LEN)
  2975. return 0;
  2976. memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
  2977. cctx->tls_aad_len = arg;
  2978. {
  2979. uint16_t len =
  2980. EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
  2981. | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
  2982. /* Correct length for explicit IV */
  2983. if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
  2984. return 0;
  2985. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
  2986. /* If decrypting correct for tag too */
  2987. if (!EVP_CIPHER_CTX_is_encrypting(c)) {
  2988. if (len < cctx->M)
  2989. return 0;
  2990. len -= cctx->M;
  2991. }
  2992. EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
  2993. EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
  2994. }
  2995. /* Extra padding: tag appended to record */
  2996. return cctx->M;
  2997. case EVP_CTRL_CCM_SET_IV_FIXED:
  2998. /* Sanity check length */
  2999. if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
  3000. return 0;
  3001. /* Just copy to first part of IV */
  3002. memcpy(c->iv, ptr, arg);
  3003. return 1;
  3004. case EVP_CTRL_AEAD_SET_IVLEN:
  3005. arg = 15 - arg;
  3006. /* fall through */
  3007. case EVP_CTRL_CCM_SET_L:
  3008. if (arg < 2 || arg > 8)
  3009. return 0;
  3010. cctx->L = arg;
  3011. return 1;
  3012. case EVP_CTRL_AEAD_SET_TAG:
  3013. if ((arg & 1) || arg < 4 || arg > 16)
  3014. return 0;
  3015. if (EVP_CIPHER_CTX_is_encrypting(c) && ptr)
  3016. return 0;
  3017. if (ptr) {
  3018. cctx->tag_set = 1;
  3019. memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
  3020. }
  3021. cctx->M = arg;
  3022. return 1;
  3023. case EVP_CTRL_AEAD_GET_TAG:
  3024. if (!EVP_CIPHER_CTX_is_encrypting(c) || !cctx->tag_set)
  3025. return 0;
  3026. if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
  3027. return 0;
  3028. cctx->tag_set = 0;
  3029. cctx->iv_set = 0;
  3030. cctx->len_set = 0;
  3031. return 1;
  3032. case EVP_CTRL_COPY:
  3033. {
  3034. EVP_CIPHER_CTX *out = ptr;
  3035. EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out);
  3036. if (cctx->ccm.key) {
  3037. if (cctx->ccm.key != &cctx->ks)
  3038. return 0;
  3039. cctx_out->ccm.key = &cctx_out->ks;
  3040. }
  3041. return 1;
  3042. }
  3043. default:
  3044. return -1;
  3045. }
  3046. }
  3047. static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3048. const unsigned char *iv, int enc)
  3049. {
  3050. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  3051. if (iv == NULL && key == NULL)
  3052. return 1;
  3053. if (key != NULL) {
  3054. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  3055. if (keylen <= 0) {
  3056. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  3057. return 0;
  3058. }
  3059. do {
  3060. #ifdef HWAES_CAPABLE
  3061. if (HWAES_CAPABLE) {
  3062. HWAES_set_encrypt_key(key, keylen, &cctx->ks.ks);
  3063. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  3064. &cctx->ks, (block128_f) HWAES_encrypt);
  3065. cctx->str = NULL;
  3066. cctx->key_set = 1;
  3067. break;
  3068. } else
  3069. #endif
  3070. #ifdef VPAES_CAPABLE
  3071. if (VPAES_CAPABLE) {
  3072. vpaes_set_encrypt_key(key, keylen, &cctx->ks.ks);
  3073. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  3074. &cctx->ks, (block128_f) vpaes_encrypt);
  3075. cctx->str = NULL;
  3076. cctx->key_set = 1;
  3077. break;
  3078. }
  3079. #endif
  3080. AES_set_encrypt_key(key, keylen, &cctx->ks.ks);
  3081. CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  3082. &cctx->ks, (block128_f) AES_encrypt);
  3083. cctx->str = NULL;
  3084. cctx->key_set = 1;
  3085. } while (0);
  3086. }
  3087. if (iv != NULL) {
  3088. memcpy(ctx->iv, iv, 15 - cctx->L);
  3089. cctx->iv_set = 1;
  3090. }
  3091. return 1;
  3092. }
  3093. static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3094. const unsigned char *in, size_t len)
  3095. {
  3096. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  3097. CCM128_CONTEXT *ccm = &cctx->ccm;
  3098. /* Encrypt/decrypt must be performed in place */
  3099. if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
  3100. return -1;
  3101. /* If encrypting set explicit IV from sequence number (start of AAD) */
  3102. if (EVP_CIPHER_CTX_is_encrypting(ctx))
  3103. memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx),
  3104. EVP_CCM_TLS_EXPLICIT_IV_LEN);
  3105. /* Get rest of IV from explicit IV */
  3106. memcpy(ctx->iv + EVP_CCM_TLS_FIXED_IV_LEN, in,
  3107. EVP_CCM_TLS_EXPLICIT_IV_LEN);
  3108. /* Correct length value */
  3109. len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
  3110. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,
  3111. len))
  3112. return -1;
  3113. /* Use saved AAD */
  3114. CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx),
  3115. cctx->tls_aad_len);
  3116. /* Fix buffer to point to payload */
  3117. in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  3118. out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
  3119. if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3120. if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
  3121. cctx->str) :
  3122. CRYPTO_ccm128_encrypt(ccm, in, out, len))
  3123. return -1;
  3124. if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
  3125. return -1;
  3126. return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
  3127. } else {
  3128. if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
  3129. cctx->str) :
  3130. !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
  3131. unsigned char tag[16];
  3132. if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
  3133. if (!CRYPTO_memcmp(tag, in + len, cctx->M))
  3134. return len;
  3135. }
  3136. }
  3137. OPENSSL_cleanse(out, len);
  3138. return -1;
  3139. }
  3140. }
  3141. static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3142. const unsigned char *in, size_t len)
  3143. {
  3144. EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
  3145. CCM128_CONTEXT *ccm = &cctx->ccm;
  3146. /* If not set up, return error */
  3147. if (!cctx->key_set)
  3148. return -1;
  3149. if (cctx->tls_aad_len >= 0)
  3150. return aes_ccm_tls_cipher(ctx, out, in, len);
  3151. /* EVP_*Final() doesn't return any data */
  3152. if (in == NULL && out != NULL)
  3153. return 0;
  3154. if (!cctx->iv_set)
  3155. return -1;
  3156. if (!out) {
  3157. if (!in) {
  3158. if (CRYPTO_ccm128_setiv(ccm, ctx->iv,
  3159. 15 - cctx->L, len))
  3160. return -1;
  3161. cctx->len_set = 1;
  3162. return len;
  3163. }
  3164. /* If have AAD need message length */
  3165. if (!cctx->len_set && len)
  3166. return -1;
  3167. CRYPTO_ccm128_aad(ccm, in, len);
  3168. return len;
  3169. }
  3170. /* The tag must be set before actually decrypting data */
  3171. if (!EVP_CIPHER_CTX_is_encrypting(ctx) && !cctx->tag_set)
  3172. return -1;
  3173. /* If not set length yet do it */
  3174. if (!cctx->len_set) {
  3175. if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
  3176. return -1;
  3177. cctx->len_set = 1;
  3178. }
  3179. if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3180. if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
  3181. cctx->str) :
  3182. CRYPTO_ccm128_encrypt(ccm, in, out, len))
  3183. return -1;
  3184. cctx->tag_set = 1;
  3185. return len;
  3186. } else {
  3187. int rv = -1;
  3188. if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
  3189. cctx->str) :
  3190. !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
  3191. unsigned char tag[16];
  3192. if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
  3193. if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx),
  3194. cctx->M))
  3195. rv = len;
  3196. }
  3197. }
  3198. if (rv == -1)
  3199. OPENSSL_cleanse(out, len);
  3200. cctx->iv_set = 0;
  3201. cctx->tag_set = 0;
  3202. cctx->len_set = 0;
  3203. return rv;
  3204. }
  3205. }
  3206. #define aes_ccm_cleanup NULL
  3207. BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
  3208. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3209. BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
  3210. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3211. BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
  3212. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3213. typedef struct {
  3214. union {
  3215. OSSL_UNION_ALIGN;
  3216. AES_KEY ks;
  3217. } ks;
  3218. /* Indicates if IV has been set */
  3219. unsigned char *iv;
  3220. } EVP_AES_WRAP_CTX;
  3221. static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3222. const unsigned char *iv, int enc)
  3223. {
  3224. int len;
  3225. EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
  3226. if (iv == NULL && key == NULL)
  3227. return 1;
  3228. if (key != NULL) {
  3229. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  3230. if (keylen <= 0) {
  3231. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  3232. return 0;
  3233. }
  3234. if (EVP_CIPHER_CTX_is_encrypting(ctx))
  3235. AES_set_encrypt_key(key, keylen, &wctx->ks.ks);
  3236. else
  3237. AES_set_decrypt_key(key, keylen, &wctx->ks.ks);
  3238. if (iv == NULL)
  3239. wctx->iv = NULL;
  3240. }
  3241. if (iv != NULL) {
  3242. if ((len = EVP_CIPHER_CTX_get_iv_length(ctx)) < 0)
  3243. return 0;
  3244. memcpy(ctx->iv, iv, len);
  3245. wctx->iv = ctx->iv;
  3246. }
  3247. return 1;
  3248. }
  3249. static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3250. const unsigned char *in, size_t inlen)
  3251. {
  3252. EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
  3253. size_t rv;
  3254. /* AES wrap with padding has IV length of 4, without padding 8 */
  3255. int pad = EVP_CIPHER_CTX_get_iv_length(ctx) == 4;
  3256. /* No final operation so always return zero length */
  3257. if (!in)
  3258. return 0;
  3259. /* Input length must always be non-zero */
  3260. if (!inlen)
  3261. return -1;
  3262. /* If decrypting need at least 16 bytes and multiple of 8 */
  3263. if (!EVP_CIPHER_CTX_is_encrypting(ctx) && (inlen < 16 || inlen & 0x7))
  3264. return -1;
  3265. /* If not padding input must be multiple of 8 */
  3266. if (!pad && inlen & 0x7)
  3267. return -1;
  3268. if (ossl_is_partially_overlapping(out, in, inlen)) {
  3269. ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
  3270. return 0;
  3271. }
  3272. if (!out) {
  3273. if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3274. /* If padding round up to multiple of 8 */
  3275. if (pad)
  3276. inlen = (inlen + 7) / 8 * 8;
  3277. /* 8 byte prefix */
  3278. return inlen + 8;
  3279. } else {
  3280. /*
  3281. * If not padding output will be exactly 8 bytes smaller than
  3282. * input. If padding it will be at least 8 bytes smaller but we
  3283. * don't know how much.
  3284. */
  3285. return inlen - 8;
  3286. }
  3287. }
  3288. if (pad) {
  3289. if (EVP_CIPHER_CTX_is_encrypting(ctx))
  3290. rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
  3291. out, in, inlen,
  3292. (block128_f) AES_encrypt);
  3293. else
  3294. rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
  3295. out, in, inlen,
  3296. (block128_f) AES_decrypt);
  3297. } else {
  3298. if (EVP_CIPHER_CTX_is_encrypting(ctx))
  3299. rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
  3300. out, in, inlen, (block128_f) AES_encrypt);
  3301. else
  3302. rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
  3303. out, in, inlen, (block128_f) AES_decrypt);
  3304. }
  3305. return rv ? (int)rv : -1;
  3306. }
  3307. #define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
  3308. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
  3309. | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
  3310. static const EVP_CIPHER aes_128_wrap = {
  3311. NID_id_aes128_wrap,
  3312. 8, 16, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3313. aes_wrap_init_key, aes_wrap_cipher,
  3314. NULL,
  3315. sizeof(EVP_AES_WRAP_CTX),
  3316. NULL, NULL, NULL, NULL
  3317. };
  3318. const EVP_CIPHER *EVP_aes_128_wrap(void)
  3319. {
  3320. return &aes_128_wrap;
  3321. }
  3322. static const EVP_CIPHER aes_192_wrap = {
  3323. NID_id_aes192_wrap,
  3324. 8, 24, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3325. aes_wrap_init_key, aes_wrap_cipher,
  3326. NULL,
  3327. sizeof(EVP_AES_WRAP_CTX),
  3328. NULL, NULL, NULL, NULL
  3329. };
  3330. const EVP_CIPHER *EVP_aes_192_wrap(void)
  3331. {
  3332. return &aes_192_wrap;
  3333. }
  3334. static const EVP_CIPHER aes_256_wrap = {
  3335. NID_id_aes256_wrap,
  3336. 8, 32, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3337. aes_wrap_init_key, aes_wrap_cipher,
  3338. NULL,
  3339. sizeof(EVP_AES_WRAP_CTX),
  3340. NULL, NULL, NULL, NULL
  3341. };
  3342. const EVP_CIPHER *EVP_aes_256_wrap(void)
  3343. {
  3344. return &aes_256_wrap;
  3345. }
  3346. static const EVP_CIPHER aes_128_wrap_pad = {
  3347. NID_id_aes128_wrap_pad,
  3348. 8, 16, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3349. aes_wrap_init_key, aes_wrap_cipher,
  3350. NULL,
  3351. sizeof(EVP_AES_WRAP_CTX),
  3352. NULL, NULL, NULL, NULL
  3353. };
  3354. const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
  3355. {
  3356. return &aes_128_wrap_pad;
  3357. }
  3358. static const EVP_CIPHER aes_192_wrap_pad = {
  3359. NID_id_aes192_wrap_pad,
  3360. 8, 24, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3361. aes_wrap_init_key, aes_wrap_cipher,
  3362. NULL,
  3363. sizeof(EVP_AES_WRAP_CTX),
  3364. NULL, NULL, NULL, NULL
  3365. };
  3366. const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
  3367. {
  3368. return &aes_192_wrap_pad;
  3369. }
  3370. static const EVP_CIPHER aes_256_wrap_pad = {
  3371. NID_id_aes256_wrap_pad,
  3372. 8, 32, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
  3373. aes_wrap_init_key, aes_wrap_cipher,
  3374. NULL,
  3375. sizeof(EVP_AES_WRAP_CTX),
  3376. NULL, NULL, NULL, NULL
  3377. };
  3378. const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
  3379. {
  3380. return &aes_256_wrap_pad;
  3381. }
  3382. #ifndef OPENSSL_NO_OCB
  3383. static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
  3384. {
  3385. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
  3386. EVP_CIPHER_CTX *newc;
  3387. EVP_AES_OCB_CTX *new_octx;
  3388. switch (type) {
  3389. case EVP_CTRL_INIT:
  3390. octx->key_set = 0;
  3391. octx->iv_set = 0;
  3392. octx->ivlen = EVP_CIPHER_get_iv_length(c->cipher);
  3393. octx->iv = c->iv;
  3394. octx->taglen = 16;
  3395. octx->data_buf_len = 0;
  3396. octx->aad_buf_len = 0;
  3397. return 1;
  3398. case EVP_CTRL_GET_IVLEN:
  3399. *(int *)ptr = octx->ivlen;
  3400. return 1;
  3401. case EVP_CTRL_AEAD_SET_IVLEN:
  3402. /* IV len must be 1 to 15 */
  3403. if (arg <= 0 || arg > 15)
  3404. return 0;
  3405. octx->ivlen = arg;
  3406. return 1;
  3407. case EVP_CTRL_AEAD_SET_TAG:
  3408. if (ptr == NULL) {
  3409. /* Tag len must be 0 to 16 */
  3410. if (arg < 0 || arg > 16)
  3411. return 0;
  3412. octx->taglen = arg;
  3413. return 1;
  3414. }
  3415. if (arg != octx->taglen || EVP_CIPHER_CTX_is_encrypting(c))
  3416. return 0;
  3417. memcpy(octx->tag, ptr, arg);
  3418. return 1;
  3419. case EVP_CTRL_AEAD_GET_TAG:
  3420. if (arg != octx->taglen || !EVP_CIPHER_CTX_is_encrypting(c))
  3421. return 0;
  3422. memcpy(ptr, octx->tag, arg);
  3423. return 1;
  3424. case EVP_CTRL_COPY:
  3425. newc = (EVP_CIPHER_CTX *)ptr;
  3426. new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc);
  3427. return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb,
  3428. &new_octx->ksenc.ks,
  3429. &new_octx->ksdec.ks);
  3430. default:
  3431. return -1;
  3432. }
  3433. }
  3434. static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  3435. const unsigned char *iv, int enc)
  3436. {
  3437. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  3438. if (iv == NULL && key == NULL)
  3439. return 1;
  3440. if (key != NULL) {
  3441. const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
  3442. if (keylen <= 0) {
  3443. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  3444. return 0;
  3445. }
  3446. do {
  3447. /*
  3448. * We set both the encrypt and decrypt key here because decrypt
  3449. * needs both. We could possibly optimise to remove setting the
  3450. * decrypt for an encryption operation.
  3451. */
  3452. # ifdef HWAES_CAPABLE
  3453. if (HWAES_CAPABLE) {
  3454. HWAES_set_encrypt_key(key, keylen, &octx->ksenc.ks);
  3455. HWAES_set_decrypt_key(key, keylen, &octx->ksdec.ks);
  3456. if (!CRYPTO_ocb128_init(&octx->ocb,
  3457. &octx->ksenc.ks, &octx->ksdec.ks,
  3458. (block128_f) HWAES_encrypt,
  3459. (block128_f) HWAES_decrypt,
  3460. enc ? HWAES_ocb_encrypt
  3461. : HWAES_ocb_decrypt))
  3462. return 0;
  3463. break;
  3464. }
  3465. # endif
  3466. # ifdef VPAES_CAPABLE
  3467. if (VPAES_CAPABLE) {
  3468. vpaes_set_encrypt_key(key, keylen, &octx->ksenc.ks);
  3469. vpaes_set_decrypt_key(key, keylen, &octx->ksdec.ks);
  3470. if (!CRYPTO_ocb128_init(&octx->ocb,
  3471. &octx->ksenc.ks, &octx->ksdec.ks,
  3472. (block128_f) vpaes_encrypt,
  3473. (block128_f) vpaes_decrypt,
  3474. NULL))
  3475. return 0;
  3476. break;
  3477. }
  3478. # endif
  3479. AES_set_encrypt_key(key, keylen, &octx->ksenc.ks);
  3480. AES_set_decrypt_key(key, keylen, &octx->ksdec.ks);
  3481. if (!CRYPTO_ocb128_init(&octx->ocb,
  3482. &octx->ksenc.ks, &octx->ksdec.ks,
  3483. (block128_f) AES_encrypt,
  3484. (block128_f) AES_decrypt,
  3485. NULL))
  3486. return 0;
  3487. }
  3488. while (0);
  3489. /*
  3490. * If we have an iv we can set it directly, otherwise use saved IV.
  3491. */
  3492. if (iv == NULL && octx->iv_set)
  3493. iv = octx->iv;
  3494. if (iv) {
  3495. if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
  3496. != 1)
  3497. return 0;
  3498. octx->iv_set = 1;
  3499. }
  3500. octx->key_set = 1;
  3501. } else {
  3502. /* If key set use IV, otherwise copy */
  3503. if (octx->key_set)
  3504. CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
  3505. else
  3506. memcpy(octx->iv, iv, octx->ivlen);
  3507. octx->iv_set = 1;
  3508. }
  3509. return 1;
  3510. }
  3511. static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  3512. const unsigned char *in, size_t len)
  3513. {
  3514. unsigned char *buf;
  3515. int *buf_len;
  3516. int written_len = 0;
  3517. size_t trailing_len;
  3518. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
  3519. /* If IV or Key not set then return error */
  3520. if (!octx->iv_set)
  3521. return -1;
  3522. if (!octx->key_set)
  3523. return -1;
  3524. if (in != NULL) {
  3525. /*
  3526. * Need to ensure we are only passing full blocks to low-level OCB
  3527. * routines. We do it here rather than in EVP_EncryptUpdate/
  3528. * EVP_DecryptUpdate because we need to pass full blocks of AAD too
  3529. * and those routines don't support that
  3530. */
  3531. /* Are we dealing with AAD or normal data here? */
  3532. if (out == NULL) {
  3533. buf = octx->aad_buf;
  3534. buf_len = &(octx->aad_buf_len);
  3535. } else {
  3536. buf = octx->data_buf;
  3537. buf_len = &(octx->data_buf_len);
  3538. if (ossl_is_partially_overlapping(out + *buf_len, in, len)) {
  3539. ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
  3540. return 0;
  3541. }
  3542. }
  3543. /*
  3544. * If we've got a partially filled buffer from a previous call then
  3545. * use that data first
  3546. */
  3547. if (*buf_len > 0) {
  3548. unsigned int remaining;
  3549. remaining = AES_BLOCK_SIZE - (*buf_len);
  3550. if (remaining > len) {
  3551. memcpy(buf + (*buf_len), in, len);
  3552. *(buf_len) += len;
  3553. return 0;
  3554. }
  3555. memcpy(buf + (*buf_len), in, remaining);
  3556. /*
  3557. * If we get here we've filled the buffer, so process it
  3558. */
  3559. len -= remaining;
  3560. in += remaining;
  3561. if (out == NULL) {
  3562. if (!CRYPTO_ocb128_aad(&octx->ocb, buf, AES_BLOCK_SIZE))
  3563. return -1;
  3564. } else if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3565. if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out,
  3566. AES_BLOCK_SIZE))
  3567. return -1;
  3568. } else {
  3569. if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out,
  3570. AES_BLOCK_SIZE))
  3571. return -1;
  3572. }
  3573. written_len = AES_BLOCK_SIZE;
  3574. *buf_len = 0;
  3575. if (out != NULL)
  3576. out += AES_BLOCK_SIZE;
  3577. }
  3578. /* Do we have a partial block to handle at the end? */
  3579. trailing_len = len % AES_BLOCK_SIZE;
  3580. /*
  3581. * If we've got some full blocks to handle, then process these first
  3582. */
  3583. if (len != trailing_len) {
  3584. if (out == NULL) {
  3585. if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len))
  3586. return -1;
  3587. } else if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3588. if (!CRYPTO_ocb128_encrypt
  3589. (&octx->ocb, in, out, len - trailing_len))
  3590. return -1;
  3591. } else {
  3592. if (!CRYPTO_ocb128_decrypt
  3593. (&octx->ocb, in, out, len - trailing_len))
  3594. return -1;
  3595. }
  3596. written_len += len - trailing_len;
  3597. in += len - trailing_len;
  3598. }
  3599. /* Handle any trailing partial block */
  3600. if (trailing_len > 0) {
  3601. memcpy(buf, in, trailing_len);
  3602. *buf_len = trailing_len;
  3603. }
  3604. return written_len;
  3605. } else {
  3606. /*
  3607. * First of all empty the buffer of any partial block that we might
  3608. * have been provided - both for data and AAD
  3609. */
  3610. if (octx->data_buf_len > 0) {
  3611. if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3612. if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out,
  3613. octx->data_buf_len))
  3614. return -1;
  3615. } else {
  3616. if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out,
  3617. octx->data_buf_len))
  3618. return -1;
  3619. }
  3620. written_len = octx->data_buf_len;
  3621. octx->data_buf_len = 0;
  3622. }
  3623. if (octx->aad_buf_len > 0) {
  3624. if (!CRYPTO_ocb128_aad
  3625. (&octx->ocb, octx->aad_buf, octx->aad_buf_len))
  3626. return -1;
  3627. octx->aad_buf_len = 0;
  3628. }
  3629. /* If decrypting then verify */
  3630. if (!EVP_CIPHER_CTX_is_encrypting(ctx)) {
  3631. if (octx->taglen < 0)
  3632. return -1;
  3633. if (CRYPTO_ocb128_finish(&octx->ocb,
  3634. octx->tag, octx->taglen) != 0)
  3635. return -1;
  3636. octx->iv_set = 0;
  3637. return written_len;
  3638. }
  3639. /* If encrypting then just get the tag */
  3640. if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1)
  3641. return -1;
  3642. /* Don't reuse the IV */
  3643. octx->iv_set = 0;
  3644. return written_len;
  3645. }
  3646. }
  3647. static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
  3648. {
  3649. EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
  3650. CRYPTO_ocb128_cleanup(&octx->ocb);
  3651. return 1;
  3652. }
  3653. BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
  3654. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3655. BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
  3656. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3657. BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
  3658. EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
  3659. #endif /* OPENSSL_NO_OCB */