1 /* ==================================================================== 2 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in 13 * the documentation and/or other materials provided with the 14 * distribution. 15 * 16 * 3. All advertising materials mentioning features or use of this 17 * software must display the following acknowledgment: 18 * "This product includes software developed by the OpenSSL Project 19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 20 * 21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 22 * endorse or promote products derived from this software without 23 * prior written permission. For written permission, please contact 24 * openssl-core@openssl.org. 25 * 26 * 5. Products derived from this software may not be called "OpenSSL" 27 * nor may "OpenSSL" appear in their names without prior written 28 * permission of the OpenSSL Project. 29 * 30 * 6. Redistributions of any form whatsoever must retain the following 31 * acknowledgment: 32 * "This product includes software developed by the OpenSSL Project 33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 34 * 35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 46 * OF THE POSSIBILITY OF SUCH DAMAGE. 47 * ==================================================================== 48 * 49 */ 50 51 #include <openssl/opensslconf.h> 52 #ifndef OPENSSL_NO_AES 53 #include <openssl/evp.h> 54 #include <openssl/err.h> 55 #include <string.h> 56 #include <assert.h> 57 #include <openssl/aes.h> 58 #include "evp_locl.h" 59 #ifndef OPENSSL_FIPS 60 #include "modes_lcl.h" 61 #include <openssl/rand.h> 62 63 typedef struct 64 { 65 AES_KEY ks; 66 block128_f block; 67 union { 68 cbc128_f cbc; 69 ctr128_f ctr; 70 } stream; 71 } EVP_AES_KEY; 72 73 typedef struct 74 { 75 AES_KEY ks; /* AES key schedule to use */ 76 int key_set; /* Set if key initialised */ 77 int iv_set; /* Set if an iv is set */ 78 GCM128_CONTEXT gcm; 79 unsigned char *iv; /* Temporary IV store */ 80 int ivlen; /* IV length */ 81 int taglen; 82 int iv_gen; /* It is OK to generate IVs */ 83 int tls_aad_len; /* TLS AAD length */ 84 ctr128_f ctr; 85 } EVP_AES_GCM_CTX; 86 87 typedef struct 88 { 89 AES_KEY ks1, ks2; /* AES key schedules to use */ 90 XTS128_CONTEXT xts; 91 void (*stream)(const unsigned char *in, 92 unsigned char *out, size_t length, 93 const AES_KEY *key1, const AES_KEY *key2, 94 const unsigned char iv[16]); 95 } EVP_AES_XTS_CTX; 96 97 typedef struct 98 { 99 AES_KEY ks; /* AES key schedule to use */ 100 int key_set; /* Set if key initialised */ 101 int iv_set; /* Set if an iv is set */ 102 int tag_set; /* Set if tag is valid */ 103 int len_set; /* Set if message length set */ 104 int L, M; /* L and M parameters from RFC3610 */ 105 CCM128_CONTEXT ccm; 106 ccm128_f str; 107 } EVP_AES_CCM_CTX; 108 109 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) 110 111 #ifdef VPAES_ASM 112 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, 113 AES_KEY *key); 114 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, 115 AES_KEY *key); 116 117 void vpaes_encrypt(const unsigned char *in, unsigned char *out, 118 const AES_KEY *key); 119 void vpaes_decrypt(const unsigned char *in, unsigned char *out, 120 const AES_KEY *key); 121 122 void vpaes_cbc_encrypt(const unsigned char *in, 123 unsigned char *out, 124 size_t length, 125 const AES_KEY *key, 126 unsigned char *ivec, int enc); 127 #endif 128 #ifdef BSAES_ASM 129 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 130 size_t length, const AES_KEY *key, 131 unsigned char ivec[16], int enc); 132 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 133 size_t len, const AES_KEY *key, 134 const unsigned char ivec[16]); 135 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, 136 size_t len, const AES_KEY *key1, 137 const AES_KEY *key2, const unsigned char iv[16]); 138 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, 139 size_t len, const AES_KEY *key1, 140 const AES_KEY *key2, const unsigned char iv[16]); 141 #endif 142 #ifdef AES_CTR_ASM 143 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 144 size_t blocks, const AES_KEY *key, 145 const unsigned char ivec[AES_BLOCK_SIZE]); 146 #endif 147 #ifdef AES_XTS_ASM 148 void AES_xts_encrypt(const char *inp,char *out,size_t len, 149 const AES_KEY *key1, const AES_KEY *key2, 150 const unsigned char iv[16]); 151 void AES_xts_decrypt(const char *inp,char *out,size_t len, 152 const AES_KEY *key1, const AES_KEY *key2, 153 const unsigned char iv[16]); 154 #endif 155 156 #if defined(AES_ASM) && !defined(I386_ONLY) && ( \ 157 ((defined(__i386) || defined(__i386__) || \ 158 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ 159 defined(__x86_64) || defined(__x86_64__) || \ 160 defined(_M_AMD64) || defined(_M_X64) || \ 161 defined(__INTEL__) ) 162 163 extern unsigned int OPENSSL_ia32cap_P[2]; 164 165 #ifdef VPAES_ASM 166 #define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) 167 #endif 168 #ifdef BSAES_ASM 169 #define BSAES_CAPABLE VPAES_CAPABLE 170 #endif 171 /* 172 * AES-NI section 173 */ 174 #define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32))) 175 176 int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 177 AES_KEY *key); 178 int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 179 AES_KEY *key); 180 181 void aesni_encrypt(const unsigned char *in, unsigned char *out, 182 const AES_KEY *key); 183 void aesni_decrypt(const unsigned char *in, unsigned char *out, 184 const AES_KEY *key); 185 186 void aesni_ecb_encrypt(const unsigned char *in, 187 unsigned char *out, 188 size_t length, 189 const AES_KEY *key, 190 int enc); 191 void aesni_cbc_encrypt(const unsigned char *in, 192 unsigned char *out, 193 size_t length, 194 const AES_KEY *key, 195 unsigned char *ivec, int enc); 196 197 void aesni_ctr32_encrypt_blocks(const unsigned char *in, 198 unsigned char *out, 199 size_t blocks, 200 const void *key, 201 const unsigned char *ivec); 202 203 void aesni_xts_encrypt(const unsigned char *in, 204 unsigned char *out, 205 size_t length, 206 const AES_KEY *key1, const AES_KEY *key2, 207 const unsigned char iv[16]); 208 209 void aesni_xts_decrypt(const unsigned char *in, 210 unsigned char *out, 211 size_t length, 212 const AES_KEY *key1, const AES_KEY *key2, 213 const unsigned char iv[16]); 214 215 void aesni_ccm64_encrypt_blocks (const unsigned char *in, 216 unsigned char *out, 217 size_t blocks, 218 const void *key, 219 const unsigned char ivec[16], 220 unsigned char cmac[16]); 221 222 void aesni_ccm64_decrypt_blocks (const unsigned char *in, 223 unsigned char *out, 224 size_t blocks, 225 const void *key, 226 const unsigned char ivec[16], 227 unsigned char cmac[16]); 228 229 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 230 const unsigned char *iv, int enc) 231 { 232 int ret, mode; 233 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 234 235 mode = ctx->cipher->flags & EVP_CIPH_MODE; 236 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 237 && !enc) 238 { 239 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data); 240 dat->block = (block128_f)aesni_decrypt; 241 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 242 (cbc128_f)aesni_cbc_encrypt : 243 NULL; 244 } 245 else { 246 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data); 247 dat->block = (block128_f)aesni_encrypt; 248 if (mode==EVP_CIPH_CBC_MODE) 249 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; 250 else if (mode==EVP_CIPH_CTR_MODE) 251 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 252 else 253 dat->stream.cbc = NULL; 254 } 255 256 if(ret < 0) 257 { 258 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); 259 return 0; 260 } 261 262 return 1; 263 } 264 265 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 266 const unsigned char *in, size_t len) 267 { 268 aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt); 269 270 return 1; 271 } 272 273 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 274 const unsigned char *in, size_t len) 275 { 276 size_t bl = ctx->cipher->block_size; 277 278 if (len<bl) return 1; 279 280 aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt); 281 282 return 1; 283 } 284 285 #define aesni_ofb_cipher aes_ofb_cipher 286 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 287 const unsigned char *in,size_t len); 288 289 #define aesni_cfb_cipher aes_cfb_cipher 290 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 291 const unsigned char *in,size_t len); 292 293 #define aesni_cfb8_cipher aes_cfb8_cipher 294 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 295 const unsigned char *in,size_t len); 296 297 #define aesni_cfb1_cipher aes_cfb1_cipher 298 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 299 const unsigned char *in,size_t len); 300 301 #define aesni_ctr_cipher aes_ctr_cipher 302 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 303 const unsigned char *in, size_t len); 304 305 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 306 const unsigned char *iv, int enc) 307 { 308 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 309 if (!iv && !key) 310 return 1; 311 if (key) 312 { 313 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 314 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 315 (block128_f)aesni_encrypt); 316 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 317 /* If we have an iv can set it directly, otherwise use 318 * saved IV. 319 */ 320 if (iv == NULL && gctx->iv_set) 321 iv = gctx->iv; 322 if (iv) 323 { 324 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 325 gctx->iv_set = 1; 326 } 327 gctx->key_set = 1; 328 } 329 else 330 { 331 /* If key set use IV, otherwise copy */ 332 if (gctx->key_set) 333 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 334 else 335 memcpy(gctx->iv, iv, gctx->ivlen); 336 gctx->iv_set = 1; 337 gctx->iv_gen = 0; 338 } 339 return 1; 340 } 341 342 #define aesni_gcm_cipher aes_gcm_cipher 343 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 344 const unsigned char *in, size_t len); 345 346 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 347 const unsigned char *iv, int enc) 348 { 349 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 350 if (!iv && !key) 351 return 1; 352 353 if (key) 354 { 355 /* key_len is two AES keys */ 356 if (enc) 357 { 358 aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 359 xctx->xts.block1 = (block128_f)aesni_encrypt; 360 xctx->stream = aesni_xts_encrypt; 361 } 362 else 363 { 364 aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 365 xctx->xts.block1 = (block128_f)aesni_decrypt; 366 xctx->stream = aesni_xts_decrypt; 367 } 368 369 aesni_set_encrypt_key(key + ctx->key_len/2, 370 ctx->key_len * 4, &xctx->ks2); 371 xctx->xts.block2 = (block128_f)aesni_encrypt; 372 373 xctx->xts.key1 = &xctx->ks1; 374 } 375 376 if (iv) 377 { 378 xctx->xts.key2 = &xctx->ks2; 379 memcpy(ctx->iv, iv, 16); 380 } 381 382 return 1; 383 } 384 385 #define aesni_xts_cipher aes_xts_cipher 386 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 387 const unsigned char *in, size_t len); 388 389 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 390 const unsigned char *iv, int enc) 391 { 392 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 393 if (!iv && !key) 394 return 1; 395 if (key) 396 { 397 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 398 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 399 &cctx->ks, (block128_f)aesni_encrypt); 400 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks : 401 (ccm128_f)aesni_ccm64_decrypt_blocks; 402 cctx->key_set = 1; 403 } 404 if (iv) 405 { 406 memcpy(ctx->iv, iv, 15 - cctx->L); 407 cctx->iv_set = 1; 408 } 409 return 1; 410 } 411 412 #define aesni_ccm_cipher aes_ccm_cipher 413 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 414 const unsigned char *in, size_t len); 415 416 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 417 static const EVP_CIPHER aesni_##keylen##_##mode = { \ 418 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 419 flags|EVP_CIPH_##MODE##_MODE, \ 420 aesni_init_key, \ 421 aesni_##mode##_cipher, \ 422 NULL, \ 423 sizeof(EVP_AES_KEY), \ 424 NULL,NULL,NULL,NULL }; \ 425 static const EVP_CIPHER aes_##keylen##_##mode = { \ 426 nid##_##keylen##_##nmode,blocksize, \ 427 keylen/8,ivlen, \ 428 flags|EVP_CIPH_##MODE##_MODE, \ 429 aes_init_key, \ 430 aes_##mode##_cipher, \ 431 NULL, \ 432 sizeof(EVP_AES_KEY), \ 433 NULL,NULL,NULL,NULL }; \ 434 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 435 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 436 437 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 438 static const EVP_CIPHER aesni_##keylen##_##mode = { \ 439 nid##_##keylen##_##mode,blocksize, \ 440 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 441 flags|EVP_CIPH_##MODE##_MODE, \ 442 aesni_##mode##_init_key, \ 443 aesni_##mode##_cipher, \ 444 aes_##mode##_cleanup, \ 445 sizeof(EVP_AES_##MODE##_CTX), \ 446 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 447 static const EVP_CIPHER aes_##keylen##_##mode = { \ 448 nid##_##keylen##_##mode,blocksize, \ 449 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 450 flags|EVP_CIPH_##MODE##_MODE, \ 451 aes_##mode##_init_key, \ 452 aes_##mode##_cipher, \ 453 aes_##mode##_cleanup, \ 454 sizeof(EVP_AES_##MODE##_CTX), \ 455 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 456 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 457 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 458 459 #else 460 461 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 462 static const EVP_CIPHER aes_##keylen##_##mode = { \ 463 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 464 flags|EVP_CIPH_##MODE##_MODE, \ 465 aes_init_key, \ 466 aes_##mode##_cipher, \ 467 NULL, \ 468 sizeof(EVP_AES_KEY), \ 469 NULL,NULL,NULL,NULL }; \ 470 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 471 { return &aes_##keylen##_##mode; } 472 473 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 474 static const EVP_CIPHER aes_##keylen##_##mode = { \ 475 nid##_##keylen##_##mode,blocksize, \ 476 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 477 flags|EVP_CIPH_##MODE##_MODE, \ 478 aes_##mode##_init_key, \ 479 aes_##mode##_cipher, \ 480 aes_##mode##_cleanup, \ 481 sizeof(EVP_AES_##MODE##_CTX), \ 482 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 483 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 484 { return &aes_##keylen##_##mode; } 485 #endif 486 487 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \ 488 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 489 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 490 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 491 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 492 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \ 493 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \ 494 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags) 495 496 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 497 const unsigned char *iv, int enc) 498 { 499 int ret, mode; 500 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 501 502 mode = ctx->cipher->flags & EVP_CIPH_MODE; 503 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 504 && !enc) 505 #ifdef BSAES_CAPABLE 506 if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE) 507 { 508 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 509 dat->block = (block128_f)AES_decrypt; 510 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; 511 } 512 else 513 #endif 514 #ifdef VPAES_CAPABLE 515 if (VPAES_CAPABLE) 516 { 517 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 518 dat->block = (block128_f)vpaes_decrypt; 519 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 520 (cbc128_f)vpaes_cbc_encrypt : 521 NULL; 522 } 523 else 524 #endif 525 { 526 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 527 dat->block = (block128_f)AES_decrypt; 528 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 529 (cbc128_f)AES_cbc_encrypt : 530 NULL; 531 } 532 else 533 #ifdef BSAES_CAPABLE 534 if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE) 535 { 536 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 537 dat->block = (block128_f)AES_encrypt; 538 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 539 } 540 else 541 #endif 542 #ifdef VPAES_CAPABLE 543 if (VPAES_CAPABLE) 544 { 545 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 546 dat->block = (block128_f)vpaes_encrypt; 547 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 548 (cbc128_f)vpaes_cbc_encrypt : 549 NULL; 550 } 551 else 552 #endif 553 { 554 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 555 dat->block = (block128_f)AES_encrypt; 556 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 557 (cbc128_f)AES_cbc_encrypt : 558 NULL; 559 #ifdef AES_CTR_ASM 560 if (mode==EVP_CIPH_CTR_MODE) 561 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; 562 #endif 563 } 564 565 if(ret < 0) 566 { 567 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); 568 return 0; 569 } 570 571 return 1; 572 } 573 574 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 575 const unsigned char *in, size_t len) 576 { 577 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 578 579 if (dat->stream.cbc) 580 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt); 581 else if (ctx->encrypt) 582 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); 583 else 584 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); 585 586 return 1; 587 } 588 589 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 590 const unsigned char *in, size_t len) 591 { 592 size_t bl = ctx->cipher->block_size; 593 size_t i; 594 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 595 596 if (len<bl) return 1; 597 598 for (i=0,len-=bl;i<=len;i+=bl) 599 (*dat->block)(in+i,out+i,&dat->ks); 600 601 return 1; 602 } 603 604 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 605 const unsigned char *in,size_t len) 606 { 607 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 608 609 CRYPTO_ofb128_encrypt(in,out,len,&dat->ks, 610 ctx->iv,&ctx->num,dat->block); 611 return 1; 612 } 613 614 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 615 const unsigned char *in,size_t len) 616 { 617 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 618 619 CRYPTO_cfb128_encrypt(in,out,len,&dat->ks, 620 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 621 return 1; 622 } 623 624 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 625 const unsigned char *in,size_t len) 626 { 627 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 628 629 CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks, 630 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 631 return 1; 632 } 633 634 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 635 const unsigned char *in,size_t len) 636 { 637 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 638 639 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { 640 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks, 641 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 642 return 1; 643 } 644 645 while (len>=MAXBITCHUNK) { 646 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks, 647 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 648 len-=MAXBITCHUNK; 649 } 650 if (len) 651 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks, 652 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 653 654 return 1; 655 } 656 657 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out, 658 const unsigned char *in, size_t len) 659 { 660 unsigned int num = ctx->num; 661 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 662 663 if (dat->stream.ctr) 664 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks, 665 ctx->iv,ctx->buf,&num,dat->stream.ctr); 666 else 667 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks, 668 ctx->iv,ctx->buf,&num,dat->block); 669 ctx->num = (size_t)num; 670 return 1; 671 } 672 673 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS) 674 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS) 675 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS) 676 677 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) 678 { 679 EVP_AES_GCM_CTX *gctx = c->cipher_data; 680 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); 681 if (gctx->iv != c->iv) 682 OPENSSL_free(gctx->iv); 683 return 1; 684 } 685 686 /* increment counter (64-bit int) by 1 */ 687 static void ctr64_inc(unsigned char *counter) { 688 int n=8; 689 unsigned char c; 690 691 do { 692 --n; 693 c = counter[n]; 694 ++c; 695 counter[n] = c; 696 if (c) return; 697 } while (n); 698 } 699 700 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 701 { 702 EVP_AES_GCM_CTX *gctx = c->cipher_data; 703 switch (type) 704 { 705 case EVP_CTRL_INIT: 706 gctx->key_set = 0; 707 gctx->iv_set = 0; 708 gctx->ivlen = c->cipher->iv_len; 709 gctx->iv = c->iv; 710 gctx->taglen = -1; 711 gctx->iv_gen = 0; 712 gctx->tls_aad_len = -1; 713 return 1; 714 715 case EVP_CTRL_GCM_SET_IVLEN: 716 if (arg <= 0) 717 return 0; 718 #ifdef OPENSSL_FIPS 719 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) 720 && arg < 12) 721 return 0; 722 #endif 723 /* Allocate memory for IV if needed */ 724 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) 725 { 726 if (gctx->iv != c->iv) 727 OPENSSL_free(gctx->iv); 728 gctx->iv = OPENSSL_malloc(arg); 729 if (!gctx->iv) 730 return 0; 731 } 732 gctx->ivlen = arg; 733 return 1; 734 735 case EVP_CTRL_GCM_SET_TAG: 736 if (arg <= 0 || arg > 16 || c->encrypt) 737 return 0; 738 memcpy(c->buf, ptr, arg); 739 gctx->taglen = arg; 740 return 1; 741 742 case EVP_CTRL_GCM_GET_TAG: 743 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) 744 return 0; 745 memcpy(ptr, c->buf, arg); 746 return 1; 747 748 case EVP_CTRL_GCM_SET_IV_FIXED: 749 /* Special case: -1 length restores whole IV */ 750 if (arg == -1) 751 { 752 memcpy(gctx->iv, ptr, gctx->ivlen); 753 gctx->iv_gen = 1; 754 return 1; 755 } 756 /* Fixed field must be at least 4 bytes and invocation field 757 * at least 8. 758 */ 759 if ((arg < 4) || (gctx->ivlen - arg) < 8) 760 return 0; 761 if (arg) 762 memcpy(gctx->iv, ptr, arg); 763 if (c->encrypt && 764 RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) 765 return 0; 766 gctx->iv_gen = 1; 767 return 1; 768 769 case EVP_CTRL_GCM_IV_GEN: 770 if (gctx->iv_gen == 0 || gctx->key_set == 0) 771 return 0; 772 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 773 if (arg <= 0 || arg > gctx->ivlen) 774 arg = gctx->ivlen; 775 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 776 /* Invocation field will be at least 8 bytes in size and 777 * so no need to check wrap around or increment more than 778 * last 8 bytes. 779 */ 780 ctr64_inc(gctx->iv + gctx->ivlen - 8); 781 gctx->iv_set = 1; 782 return 1; 783 784 case EVP_CTRL_GCM_SET_IV_INV: 785 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) 786 return 0; 787 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 788 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 789 gctx->iv_set = 1; 790 return 1; 791 792 case EVP_CTRL_AEAD_TLS1_AAD: 793 /* Save the AAD for later use */ 794 if (arg != 13) 795 return 0; 796 memcpy(c->buf, ptr, arg); 797 gctx->tls_aad_len = arg; 798 { 799 unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1]; 800 /* Correct length for explicit IV */ 801 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 802 /* If decrypting correct for tag too */ 803 if (!c->encrypt) 804 len -= EVP_GCM_TLS_TAG_LEN; 805 c->buf[arg-2] = len>>8; 806 c->buf[arg-1] = len & 0xff; 807 } 808 /* Extra padding: tag appended to record */ 809 return EVP_GCM_TLS_TAG_LEN; 810 811 default: 812 return -1; 813 814 } 815 } 816 817 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 818 const unsigned char *iv, int enc) 819 { 820 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 821 if (!iv && !key) 822 return 1; 823 if (key) 824 { do { 825 #ifdef BSAES_CAPABLE 826 if (BSAES_CAPABLE) 827 { 828 AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); 829 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, 830 (block128_f)AES_encrypt); 831 gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 832 break; 833 } 834 else 835 #endif 836 #ifdef VPAES_CAPABLE 837 if (VPAES_CAPABLE) 838 { 839 vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); 840 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, 841 (block128_f)vpaes_encrypt); 842 gctx->ctr = NULL; 843 break; 844 } 845 else 846 #endif 847 (void)0; /* terminate potentially open 'else' */ 848 849 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 850 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt); 851 #ifdef AES_CTR_ASM 852 gctx->ctr = (ctr128_f)AES_ctr32_encrypt; 853 #else 854 gctx->ctr = NULL; 855 #endif 856 } while (0); 857 858 /* If we have an iv can set it directly, otherwise use 859 * saved IV. 860 */ 861 if (iv == NULL && gctx->iv_set) 862 iv = gctx->iv; 863 if (iv) 864 { 865 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 866 gctx->iv_set = 1; 867 } 868 gctx->key_set = 1; 869 } 870 else 871 { 872 /* If key set use IV, otherwise copy */ 873 if (gctx->key_set) 874 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 875 else 876 memcpy(gctx->iv, iv, gctx->ivlen); 877 gctx->iv_set = 1; 878 gctx->iv_gen = 0; 879 } 880 return 1; 881 } 882 883 /* Handle TLS GCM packet format. This consists of the last portion of the IV 884 * followed by the payload and finally the tag. On encrypt generate IV, 885 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload 886 * and verify tag. 887 */ 888 889 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 890 const unsigned char *in, size_t len) 891 { 892 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 893 int rv = -1; 894 /* Encrypt/decrypt must be performed in place */ 895 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN)) 896 return -1; 897 /* Set IV from start of buffer or generate IV and write to start 898 * of buffer. 899 */ 900 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? 901 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, 902 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) 903 goto err; 904 /* Use saved AAD */ 905 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) 906 goto err; 907 /* Fix buffer and length to point to payload */ 908 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; 909 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; 910 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 911 if (ctx->encrypt) 912 { 913 /* Encrypt payload */ 914 if (gctx->ctr) 915 { 916 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 917 in, out, len, 918 gctx->ctr)) 919 goto err; 920 } 921 else { 922 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 923 goto err; 924 } 925 out += len; 926 /* Finally write tag */ 927 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); 928 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 929 } 930 else 931 { 932 /* Decrypt */ 933 if (gctx->ctr) 934 { 935 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 936 in, out, len, 937 gctx->ctr)) 938 goto err; 939 } 940 else { 941 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 942 goto err; 943 } 944 /* Retrieve tag */ 945 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 946 EVP_GCM_TLS_TAG_LEN); 947 /* If tag mismatch wipe buffer */ 948 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) 949 { 950 OPENSSL_cleanse(out, len); 951 goto err; 952 } 953 rv = len; 954 } 955 956 err: 957 gctx->iv_set = 0; 958 gctx->tls_aad_len = -1; 959 return rv; 960 } 961 962 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 963 const unsigned char *in, size_t len) 964 { 965 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 966 /* If not set up, return error */ 967 if (!gctx->key_set) 968 return -1; 969 970 if (gctx->tls_aad_len >= 0) 971 return aes_gcm_tls_cipher(ctx, out, in, len); 972 973 if (!gctx->iv_set) 974 return -1; 975 if (in) 976 { 977 if (out == NULL) 978 { 979 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) 980 return -1; 981 } 982 else if (ctx->encrypt) 983 { 984 if (gctx->ctr) 985 { 986 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 987 in, out, len, 988 gctx->ctr)) 989 return -1; 990 } 991 else { 992 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 993 return -1; 994 } 995 } 996 else 997 { 998 if (gctx->ctr) 999 { 1000 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 1001 in, out, len, 1002 gctx->ctr)) 1003 return -1; 1004 } 1005 else { 1006 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 1007 return -1; 1008 } 1009 } 1010 return len; 1011 } 1012 else 1013 { 1014 if (!ctx->encrypt) 1015 { 1016 if (gctx->taglen < 0) 1017 return -1; 1018 if (CRYPTO_gcm128_finish(&gctx->gcm, 1019 ctx->buf, gctx->taglen) != 0) 1020 return -1; 1021 gctx->iv_set = 0; 1022 return 0; 1023 } 1024 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); 1025 gctx->taglen = 16; 1026 /* Don't reuse the IV */ 1027 gctx->iv_set = 0; 1028 return 0; 1029 } 1030 1031 } 1032 1033 #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ 1034 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ 1035 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT) 1036 1037 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM, 1038 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1039 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM, 1040 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1041 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM, 1042 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1043 1044 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1045 { 1046 EVP_AES_XTS_CTX *xctx = c->cipher_data; 1047 if (type != EVP_CTRL_INIT) 1048 return -1; 1049 /* key1 and key2 are used as an indicator both key and IV are set */ 1050 xctx->xts.key1 = NULL; 1051 xctx->xts.key2 = NULL; 1052 return 1; 1053 } 1054 1055 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1056 const unsigned char *iv, int enc) 1057 { 1058 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1059 if (!iv && !key) 1060 return 1; 1061 1062 if (key) do 1063 { 1064 #ifdef AES_XTS_ASM 1065 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; 1066 #else 1067 xctx->stream = NULL; 1068 #endif 1069 /* key_len is two AES keys */ 1070 #ifdef BSAES_CAPABLE 1071 if (BSAES_CAPABLE) 1072 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt; 1073 else 1074 #endif 1075 #ifdef VPAES_CAPABLE 1076 if (VPAES_CAPABLE) 1077 { 1078 if (enc) 1079 { 1080 vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1081 xctx->xts.block1 = (block128_f)vpaes_encrypt; 1082 } 1083 else 1084 { 1085 vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1086 xctx->xts.block1 = (block128_f)vpaes_decrypt; 1087 } 1088 1089 vpaes_set_encrypt_key(key + ctx->key_len/2, 1090 ctx->key_len * 4, &xctx->ks2); 1091 xctx->xts.block2 = (block128_f)vpaes_encrypt; 1092 1093 xctx->xts.key1 = &xctx->ks1; 1094 break; 1095 } 1096 else 1097 #endif 1098 (void)0; /* terminate potentially open 'else' */ 1099 1100 if (enc) 1101 { 1102 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1103 xctx->xts.block1 = (block128_f)AES_encrypt; 1104 } 1105 else 1106 { 1107 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1108 xctx->xts.block1 = (block128_f)AES_decrypt; 1109 } 1110 1111 AES_set_encrypt_key(key + ctx->key_len/2, 1112 ctx->key_len * 4, &xctx->ks2); 1113 xctx->xts.block2 = (block128_f)AES_encrypt; 1114 1115 xctx->xts.key1 = &xctx->ks1; 1116 } while (0); 1117 1118 if (iv) 1119 { 1120 xctx->xts.key2 = &xctx->ks2; 1121 memcpy(ctx->iv, iv, 16); 1122 } 1123 1124 return 1; 1125 } 1126 1127 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1128 const unsigned char *in, size_t len) 1129 { 1130 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1131 if (!xctx->xts.key1 || !xctx->xts.key2) 1132 return 0; 1133 if (!out || !in || len<AES_BLOCK_SIZE) 1134 return 0; 1135 #ifdef OPENSSL_FIPS 1136 /* Requirement of SP800-38E */ 1137 if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && 1138 (len > (1UL<<20)*16)) 1139 { 1140 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); 1141 return 0; 1142 } 1143 #endif 1144 if (xctx->stream) 1145 (*xctx->stream)(in, out, len, 1146 xctx->xts.key1, xctx->xts.key2, ctx->iv); 1147 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, 1148 ctx->encrypt)) 1149 return 0; 1150 return 1; 1151 } 1152 1153 #define aes_xts_cleanup NULL 1154 1155 #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \ 1156 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT) 1157 1158 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1159 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1160 1161 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1162 { 1163 EVP_AES_CCM_CTX *cctx = c->cipher_data; 1164 switch (type) 1165 { 1166 case EVP_CTRL_INIT: 1167 cctx->key_set = 0; 1168 cctx->iv_set = 0; 1169 cctx->L = 8; 1170 cctx->M = 12; 1171 cctx->tag_set = 0; 1172 cctx->len_set = 0; 1173 return 1; 1174 1175 case EVP_CTRL_CCM_SET_IVLEN: 1176 arg = 15 - arg; 1177 case EVP_CTRL_CCM_SET_L: 1178 if (arg < 2 || arg > 8) 1179 return 0; 1180 cctx->L = arg; 1181 return 1; 1182 1183 case EVP_CTRL_CCM_SET_TAG: 1184 if ((arg & 1) || arg < 4 || arg > 16) 1185 return 0; 1186 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) 1187 return 0; 1188 if (ptr) 1189 { 1190 cctx->tag_set = 1; 1191 memcpy(c->buf, ptr, arg); 1192 } 1193 cctx->M = arg; 1194 return 1; 1195 1196 case EVP_CTRL_CCM_GET_TAG: 1197 if (!c->encrypt || !cctx->tag_set) 1198 return 0; 1199 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) 1200 return 0; 1201 cctx->tag_set = 0; 1202 cctx->iv_set = 0; 1203 cctx->len_set = 0; 1204 return 1; 1205 1206 default: 1207 return -1; 1208 1209 } 1210 } 1211 1212 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1213 const unsigned char *iv, int enc) 1214 { 1215 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1216 if (!iv && !key) 1217 return 1; 1218 if (key) do 1219 { 1220 #ifdef VPAES_CAPABLE 1221 if (VPAES_CAPABLE) 1222 { 1223 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); 1224 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1225 &cctx->ks, (block128_f)vpaes_encrypt); 1226 cctx->str = NULL; 1227 cctx->key_set = 1; 1228 break; 1229 } 1230 #endif 1231 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 1232 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1233 &cctx->ks, (block128_f)AES_encrypt); 1234 cctx->str = NULL; 1235 cctx->key_set = 1; 1236 } while (0); 1237 if (iv) 1238 { 1239 memcpy(ctx->iv, iv, 15 - cctx->L); 1240 cctx->iv_set = 1; 1241 } 1242 return 1; 1243 } 1244 1245 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1246 const unsigned char *in, size_t len) 1247 { 1248 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1249 CCM128_CONTEXT *ccm = &cctx->ccm; 1250 /* If not set up, return error */ 1251 if (!cctx->iv_set && !cctx->key_set) 1252 return -1; 1253 if (!ctx->encrypt && !cctx->tag_set) 1254 return -1; 1255 if (!out) 1256 { 1257 if (!in) 1258 { 1259 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len)) 1260 return -1; 1261 cctx->len_set = 1; 1262 return len; 1263 } 1264 /* If have AAD need message length */ 1265 if (!cctx->len_set && len) 1266 return -1; 1267 CRYPTO_ccm128_aad(ccm, in, len); 1268 return len; 1269 } 1270 /* EVP_*Final() doesn't return any data */ 1271 if (!in) 1272 return 0; 1273 /* If not set length yet do it */ 1274 if (!cctx->len_set) 1275 { 1276 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 1277 return -1; 1278 cctx->len_set = 1; 1279 } 1280 if (ctx->encrypt) 1281 { 1282 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, 1283 cctx->str) : 1284 CRYPTO_ccm128_encrypt(ccm, in, out, len)) 1285 return -1; 1286 cctx->tag_set = 1; 1287 return len; 1288 } 1289 else 1290 { 1291 int rv = -1; 1292 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, 1293 cctx->str) : 1294 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) 1295 { 1296 unsigned char tag[16]; 1297 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) 1298 { 1299 if (!memcmp(tag, ctx->buf, cctx->M)) 1300 rv = len; 1301 } 1302 } 1303 if (rv == -1) 1304 OPENSSL_cleanse(out, len); 1305 cctx->iv_set = 0; 1306 cctx->tag_set = 0; 1307 cctx->len_set = 0; 1308 return rv; 1309 } 1310 1311 } 1312 1313 #define aes_ccm_cleanup NULL 1314 1315 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1316 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1317 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1318 1319 #endif 1320 #endif 1321