1 /* ==================================================================== 2 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in 13 * the documentation and/or other materials provided with the 14 * distribution. 15 * 16 * 3. All advertising materials mentioning features or use of this 17 * software must display the following acknowledgment: 18 * "This product includes software developed by the OpenSSL Project 19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 20 * 21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 22 * endorse or promote products derived from this software without 23 * prior written permission. For written permission, please contact 24 * openssl-core@openssl.org. 25 * 26 * 5. Products derived from this software may not be called "OpenSSL" 27 * nor may "OpenSSL" appear in their names without prior written 28 * permission of the OpenSSL Project. 29 * 30 * 6. Redistributions of any form whatsoever must retain the following 31 * acknowledgment: 32 * "This product includes software developed by the OpenSSL Project 33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 34 * 35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 46 * OF THE POSSIBILITY OF SUCH DAMAGE. 47 * ==================================================================== 48 * 49 */ 50 51 #include <openssl/opensslconf.h> 52 #ifndef OPENSSL_NO_AES 53 #include <openssl/evp.h> 54 #include <openssl/err.h> 55 #include <string.h> 56 #include <assert.h> 57 #include <openssl/aes.h> 58 #include "evp_locl.h" 59 #ifndef OPENSSL_FIPS 60 #include "modes_lcl.h" 61 #include <openssl/rand.h> 62 63 typedef struct 64 { 65 AES_KEY ks; 66 block128_f block; 67 union { 68 cbc128_f cbc; 69 ctr128_f ctr; 70 } stream; 71 } EVP_AES_KEY; 72 73 typedef struct 74 { 75 AES_KEY ks; /* AES key schedule to use */ 76 int key_set; /* Set if key initialised */ 77 int iv_set; /* Set if an iv is set */ 78 GCM128_CONTEXT gcm; 79 unsigned char *iv; /* Temporary IV store */ 80 int ivlen; /* IV length */ 81 int taglen; 82 int iv_gen; /* It is OK to generate IVs */ 83 int tls_aad_len; /* TLS AAD length */ 84 ctr128_f ctr; 85 } EVP_AES_GCM_CTX; 86 87 typedef struct 88 { 89 AES_KEY ks1, ks2; /* AES key schedules to use */ 90 XTS128_CONTEXT xts; 91 void (*stream)(const unsigned char *in, 92 unsigned char *out, size_t length, 93 const AES_KEY *key1, const AES_KEY *key2, 94 const unsigned char iv[16]); 95 } EVP_AES_XTS_CTX; 96 97 typedef struct 98 { 99 AES_KEY ks; /* AES key schedule to use */ 100 int key_set; /* Set if key initialised */ 101 int iv_set; /* Set if an iv is set */ 102 int tag_set; /* Set if tag is valid */ 103 int len_set; /* Set if message length set */ 104 int L, M; /* L and M parameters from RFC3610 */ 105 CCM128_CONTEXT ccm; 106 ccm128_f str; 107 } EVP_AES_CCM_CTX; 108 109 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) 110 111 #ifdef VPAES_ASM 112 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, 113 AES_KEY *key); 114 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, 115 AES_KEY *key); 116 117 void vpaes_encrypt(const unsigned char *in, unsigned char *out, 118 const AES_KEY *key); 119 void vpaes_decrypt(const unsigned char *in, unsigned char *out, 120 const AES_KEY *key); 121 122 void vpaes_cbc_encrypt(const unsigned char *in, 123 unsigned char *out, 124 size_t length, 125 const AES_KEY *key, 126 unsigned char *ivec, int enc); 127 #endif 128 #ifdef BSAES_ASM 129 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 130 size_t length, const AES_KEY *key, 131 unsigned char ivec[16], int enc); 132 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 133 size_t len, const AES_KEY *key, 134 const unsigned char ivec[16]); 135 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, 136 size_t len, const AES_KEY *key1, 137 const AES_KEY *key2, const unsigned char iv[16]); 138 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, 139 size_t len, const AES_KEY *key1, 140 const AES_KEY *key2, const unsigned char iv[16]); 141 #endif 142 #ifdef AES_CTR_ASM 143 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 144 size_t blocks, const AES_KEY *key, 145 const unsigned char ivec[AES_BLOCK_SIZE]); 146 #endif 147 #ifdef AES_XTS_ASM 148 void AES_xts_encrypt(const char *inp,char *out,size_t len, 149 const AES_KEY *key1, const AES_KEY *key2, 150 const unsigned char iv[16]); 151 void AES_xts_decrypt(const char *inp,char *out,size_t len, 152 const AES_KEY *key1, const AES_KEY *key2, 153 const unsigned char iv[16]); 154 #endif 155 156 #if defined(AES_ASM) && !defined(I386_ONLY) && ( \ 157 ((defined(__i386) || defined(__i386__) || \ 158 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ 159 defined(__x86_64) || defined(__x86_64__) || \ 160 defined(_M_AMD64) || defined(_M_X64) || \ 161 defined(__INTEL__) ) 162 163 extern unsigned int OPENSSL_ia32cap_P[2]; 164 165 #ifdef VPAES_ASM 166 #define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) 167 #endif 168 #ifdef BSAES_ASM 169 #define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) 170 #endif 171 /* 172 * AES-NI section 173 */ 174 #define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32))) 175 176 int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 177 AES_KEY *key); 178 int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 179 AES_KEY *key); 180 181 void aesni_encrypt(const unsigned char *in, unsigned char *out, 182 const AES_KEY *key); 183 void aesni_decrypt(const unsigned char *in, unsigned char *out, 184 const AES_KEY *key); 185 186 void aesni_ecb_encrypt(const unsigned char *in, 187 unsigned char *out, 188 size_t length, 189 const AES_KEY *key, 190 int enc); 191 void aesni_cbc_encrypt(const unsigned char *in, 192 unsigned char *out, 193 size_t length, 194 const AES_KEY *key, 195 unsigned char *ivec, int enc); 196 197 void aesni_ctr32_encrypt_blocks(const unsigned char *in, 198 unsigned char *out, 199 size_t blocks, 200 const void *key, 201 const unsigned char *ivec); 202 203 void aesni_xts_encrypt(const unsigned char *in, 204 unsigned char *out, 205 size_t length, 206 const AES_KEY *key1, const AES_KEY *key2, 207 const unsigned char iv[16]); 208 209 void aesni_xts_decrypt(const unsigned char *in, 210 unsigned char *out, 211 size_t length, 212 const AES_KEY *key1, const AES_KEY *key2, 213 const unsigned char iv[16]); 214 215 void aesni_ccm64_encrypt_blocks (const unsigned char *in, 216 unsigned char *out, 217 size_t blocks, 218 const void *key, 219 const unsigned char ivec[16], 220 unsigned char cmac[16]); 221 222 void aesni_ccm64_decrypt_blocks (const unsigned char *in, 223 unsigned char *out, 224 size_t blocks, 225 const void *key, 226 const unsigned char ivec[16], 227 unsigned char cmac[16]); 228 229 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 230 const unsigned char *iv, int enc) 231 { 232 int ret, mode; 233 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 234 235 mode = ctx->cipher->flags & EVP_CIPH_MODE; 236 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 237 && !enc) 238 { 239 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data); 240 dat->block = (block128_f)aesni_decrypt; 241 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 242 (cbc128_f)aesni_cbc_encrypt : 243 NULL; 244 } 245 else { 246 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data); 247 dat->block = (block128_f)aesni_encrypt; 248 if (mode==EVP_CIPH_CBC_MODE) 249 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; 250 else if (mode==EVP_CIPH_CTR_MODE) 251 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 252 else 253 dat->stream.cbc = NULL; 254 } 255 256 if(ret < 0) 257 { 258 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); 259 return 0; 260 } 261 262 return 1; 263 } 264 265 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 266 const unsigned char *in, size_t len) 267 { 268 aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt); 269 270 return 1; 271 } 272 273 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 274 const unsigned char *in, size_t len) 275 { 276 size_t bl = ctx->cipher->block_size; 277 278 if (len<bl) return 1; 279 280 aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt); 281 282 return 1; 283 } 284 285 #define aesni_ofb_cipher aes_ofb_cipher 286 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 287 const unsigned char *in,size_t len); 288 289 #define aesni_cfb_cipher aes_cfb_cipher 290 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 291 const unsigned char *in,size_t len); 292 293 #define aesni_cfb8_cipher aes_cfb8_cipher 294 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 295 const unsigned char *in,size_t len); 296 297 #define aesni_cfb1_cipher aes_cfb1_cipher 298 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 299 const unsigned char *in,size_t len); 300 301 #define aesni_ctr_cipher aes_ctr_cipher 302 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 303 const unsigned char *in, size_t len); 304 305 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 306 const unsigned char *iv, int enc) 307 { 308 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 309 if (!iv && !key) 310 return 1; 311 if (key) 312 { 313 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 314 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 315 (block128_f)aesni_encrypt); 316 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 317 /* If we have an iv can set it directly, otherwise use 318 * saved IV. 319 */ 320 if (iv == NULL && gctx->iv_set) 321 iv = gctx->iv; 322 if (iv) 323 { 324 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 325 gctx->iv_set = 1; 326 } 327 gctx->key_set = 1; 328 } 329 else 330 { 331 /* If key set use IV, otherwise copy */ 332 if (gctx->key_set) 333 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 334 else 335 memcpy(gctx->iv, iv, gctx->ivlen); 336 gctx->iv_set = 1; 337 gctx->iv_gen = 0; 338 } 339 return 1; 340 } 341 342 #define aesni_gcm_cipher aes_gcm_cipher 343 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 344 const unsigned char *in, size_t len); 345 346 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 347 const unsigned char *iv, int enc) 348 { 349 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 350 if (!iv && !key) 351 return 1; 352 353 if (key) 354 { 355 /* key_len is two AES keys */ 356 if (enc) 357 { 358 aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 359 xctx->xts.block1 = (block128_f)aesni_encrypt; 360 xctx->stream = aesni_xts_encrypt; 361 } 362 else 363 { 364 aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 365 xctx->xts.block1 = (block128_f)aesni_decrypt; 366 xctx->stream = aesni_xts_decrypt; 367 } 368 369 aesni_set_encrypt_key(key + ctx->key_len/2, 370 ctx->key_len * 4, &xctx->ks2); 371 xctx->xts.block2 = (block128_f)aesni_encrypt; 372 373 xctx->xts.key1 = &xctx->ks1; 374 } 375 376 if (iv) 377 { 378 xctx->xts.key2 = &xctx->ks2; 379 memcpy(ctx->iv, iv, 16); 380 } 381 382 return 1; 383 } 384 385 #define aesni_xts_cipher aes_xts_cipher 386 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 387 const unsigned char *in, size_t len); 388 389 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 390 const unsigned char *iv, int enc) 391 { 392 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 393 if (!iv && !key) 394 return 1; 395 if (key) 396 { 397 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 398 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 399 &cctx->ks, (block128_f)aesni_encrypt); 400 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks : 401 (ccm128_f)aesni_ccm64_decrypt_blocks; 402 cctx->key_set = 1; 403 } 404 if (iv) 405 { 406 memcpy(ctx->iv, iv, 15 - cctx->L); 407 cctx->iv_set = 1; 408 } 409 return 1; 410 } 411 412 #define aesni_ccm_cipher aes_ccm_cipher 413 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 414 const unsigned char *in, size_t len); 415 416 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 417 static const EVP_CIPHER aesni_##keylen##_##mode = { \ 418 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 419 flags|EVP_CIPH_##MODE##_MODE, \ 420 aesni_init_key, \ 421 aesni_##mode##_cipher, \ 422 NULL, \ 423 sizeof(EVP_AES_KEY), \ 424 NULL,NULL,NULL,NULL }; \ 425 static const EVP_CIPHER aes_##keylen##_##mode = { \ 426 nid##_##keylen##_##nmode,blocksize, \ 427 keylen/8,ivlen, \ 428 flags|EVP_CIPH_##MODE##_MODE, \ 429 aes_init_key, \ 430 aes_##mode##_cipher, \ 431 NULL, \ 432 sizeof(EVP_AES_KEY), \ 433 NULL,NULL,NULL,NULL }; \ 434 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 435 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 436 437 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 438 static const EVP_CIPHER aesni_##keylen##_##mode = { \ 439 nid##_##keylen##_##mode,blocksize, \ 440 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 441 flags|EVP_CIPH_##MODE##_MODE, \ 442 aesni_##mode##_init_key, \ 443 aesni_##mode##_cipher, \ 444 aes_##mode##_cleanup, \ 445 sizeof(EVP_AES_##MODE##_CTX), \ 446 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 447 static const EVP_CIPHER aes_##keylen##_##mode = { \ 448 nid##_##keylen##_##mode,blocksize, \ 449 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 450 flags|EVP_CIPH_##MODE##_MODE, \ 451 aes_##mode##_init_key, \ 452 aes_##mode##_cipher, \ 453 aes_##mode##_cleanup, \ 454 sizeof(EVP_AES_##MODE##_CTX), \ 455 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 456 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 457 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 458 459 #else 460 461 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 462 static const EVP_CIPHER aes_##keylen##_##mode = { \ 463 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 464 flags|EVP_CIPH_##MODE##_MODE, \ 465 aes_init_key, \ 466 aes_##mode##_cipher, \ 467 NULL, \ 468 sizeof(EVP_AES_KEY), \ 469 NULL,NULL,NULL,NULL }; \ 470 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 471 { return &aes_##keylen##_##mode; } 472 473 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 474 static const EVP_CIPHER aes_##keylen##_##mode = { \ 475 nid##_##keylen##_##mode,blocksize, \ 476 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 477 flags|EVP_CIPH_##MODE##_MODE, \ 478 aes_##mode##_init_key, \ 479 aes_##mode##_cipher, \ 480 aes_##mode##_cleanup, \ 481 sizeof(EVP_AES_##MODE##_CTX), \ 482 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 483 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 484 { return &aes_##keylen##_##mode; } 485 #endif 486 487 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \ 488 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 489 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 490 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 491 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 492 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \ 493 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \ 494 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags) 495 496 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 497 const unsigned char *iv, int enc) 498 { 499 int ret, mode; 500 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 501 502 mode = ctx->cipher->flags & EVP_CIPH_MODE; 503 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 504 && !enc) 505 #ifdef BSAES_CAPABLE 506 if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE) 507 { 508 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 509 dat->block = (block128_f)AES_decrypt; 510 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; 511 } 512 else 513 #endif 514 #ifdef VPAES_CAPABLE 515 if (VPAES_CAPABLE) 516 { 517 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 518 dat->block = (block128_f)vpaes_decrypt; 519 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 520 (cbc128_f)vpaes_cbc_encrypt : 521 NULL; 522 } 523 else 524 #endif 525 { 526 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 527 dat->block = (block128_f)AES_decrypt; 528 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 529 (cbc128_f)AES_cbc_encrypt : 530 NULL; 531 } 532 else 533 #ifdef BSAES_CAPABLE 534 if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE) 535 { 536 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 537 dat->block = (block128_f)AES_encrypt; 538 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 539 } 540 else 541 #endif 542 #ifdef VPAES_CAPABLE 543 if (VPAES_CAPABLE) 544 { 545 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 546 dat->block = (block128_f)vpaes_encrypt; 547 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 548 (cbc128_f)vpaes_cbc_encrypt : 549 NULL; 550 } 551 else 552 #endif 553 { 554 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 555 dat->block = (block128_f)AES_encrypt; 556 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 557 (cbc128_f)AES_cbc_encrypt : 558 NULL; 559 #ifdef AES_CTR_ASM 560 if (mode==EVP_CIPH_CTR_MODE) 561 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; 562 #endif 563 } 564 565 if(ret < 0) 566 { 567 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); 568 return 0; 569 } 570 571 return 1; 572 } 573 574 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 575 const unsigned char *in, size_t len) 576 { 577 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 578 579 if (dat->stream.cbc) 580 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt); 581 else if (ctx->encrypt) 582 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); 583 else 584 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); 585 586 return 1; 587 } 588 589 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 590 const unsigned char *in, size_t len) 591 { 592 size_t bl = ctx->cipher->block_size; 593 size_t i; 594 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 595 596 if (len<bl) return 1; 597 598 for (i=0,len-=bl;i<=len;i+=bl) 599 (*dat->block)(in+i,out+i,&dat->ks); 600 601 return 1; 602 } 603 604 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 605 const unsigned char *in,size_t len) 606 { 607 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 608 609 CRYPTO_ofb128_encrypt(in,out,len,&dat->ks, 610 ctx->iv,&ctx->num,dat->block); 611 return 1; 612 } 613 614 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 615 const unsigned char *in,size_t len) 616 { 617 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 618 619 CRYPTO_cfb128_encrypt(in,out,len,&dat->ks, 620 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 621 return 1; 622 } 623 624 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 625 const unsigned char *in,size_t len) 626 { 627 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 628 629 CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks, 630 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 631 return 1; 632 } 633 634 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 635 const unsigned char *in,size_t len) 636 { 637 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 638 639 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { 640 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks, 641 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 642 return 1; 643 } 644 645 while (len>=MAXBITCHUNK) { 646 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks, 647 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 648 len-=MAXBITCHUNK; 649 } 650 if (len) 651 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks, 652 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 653 654 return 1; 655 } 656 657 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out, 658 const unsigned char *in, size_t len) 659 { 660 unsigned int num = ctx->num; 661 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 662 663 if (dat->stream.ctr) 664 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks, 665 ctx->iv,ctx->buf,&num,dat->stream.ctr); 666 else 667 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks, 668 ctx->iv,ctx->buf,&num,dat->block); 669 ctx->num = (size_t)num; 670 return 1; 671 } 672 673 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS) 674 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS) 675 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS) 676 677 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) 678 { 679 EVP_AES_GCM_CTX *gctx = c->cipher_data; 680 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); 681 if (gctx->iv != c->iv) 682 OPENSSL_free(gctx->iv); 683 return 1; 684 } 685 686 /* increment counter (64-bit int) by 1 */ 687 static void ctr64_inc(unsigned char *counter) { 688 int n=8; 689 unsigned char c; 690 691 do { 692 --n; 693 c = counter[n]; 694 ++c; 695 counter[n] = c; 696 if (c) return; 697 } while (n); 698 } 699 700 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 701 { 702 EVP_AES_GCM_CTX *gctx = c->cipher_data; 703 switch (type) 704 { 705 case EVP_CTRL_INIT: 706 gctx->key_set = 0; 707 gctx->iv_set = 0; 708 gctx->ivlen = c->cipher->iv_len; 709 gctx->iv = c->iv; 710 gctx->taglen = -1; 711 gctx->iv_gen = 0; 712 gctx->tls_aad_len = -1; 713 return 1; 714 715 case EVP_CTRL_GCM_SET_IVLEN: 716 if (arg <= 0) 717 return 0; 718 #ifdef OPENSSL_FIPS 719 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) 720 && arg < 12) 721 return 0; 722 #endif 723 /* Allocate memory for IV if needed */ 724 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) 725 { 726 if (gctx->iv != c->iv) 727 OPENSSL_free(gctx->iv); 728 gctx->iv = OPENSSL_malloc(arg); 729 if (!gctx->iv) 730 return 0; 731 } 732 gctx->ivlen = arg; 733 return 1; 734 735 case EVP_CTRL_GCM_SET_TAG: 736 if (arg <= 0 || arg > 16 || c->encrypt) 737 return 0; 738 memcpy(c->buf, ptr, arg); 739 gctx->taglen = arg; 740 return 1; 741 742 case EVP_CTRL_GCM_GET_TAG: 743 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) 744 return 0; 745 memcpy(ptr, c->buf, arg); 746 return 1; 747 748 case EVP_CTRL_GCM_SET_IV_FIXED: 749 /* Special case: -1 length restores whole IV */ 750 if (arg == -1) 751 { 752 memcpy(gctx->iv, ptr, gctx->ivlen); 753 gctx->iv_gen = 1; 754 return 1; 755 } 756 /* Fixed field must be at least 4 bytes and invocation field 757 * at least 8. 758 */ 759 if ((arg < 4) || (gctx->ivlen - arg) < 8) 760 return 0; 761 if (arg) 762 memcpy(gctx->iv, ptr, arg); 763 if (c->encrypt && 764 RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) 765 return 0; 766 gctx->iv_gen = 1; 767 return 1; 768 769 case EVP_CTRL_GCM_IV_GEN: 770 if (gctx->iv_gen == 0 || gctx->key_set == 0) 771 return 0; 772 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 773 if (arg <= 0 || arg > gctx->ivlen) 774 arg = gctx->ivlen; 775 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 776 /* Invocation field will be at least 8 bytes in size and 777 * so no need to check wrap around or increment more than 778 * last 8 bytes. 779 */ 780 ctr64_inc(gctx->iv + gctx->ivlen - 8); 781 gctx->iv_set = 1; 782 return 1; 783 784 case EVP_CTRL_GCM_SET_IV_INV: 785 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) 786 return 0; 787 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 788 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 789 gctx->iv_set = 1; 790 return 1; 791 792 case EVP_CTRL_AEAD_TLS1_AAD: 793 /* Save the AAD for later use */ 794 if (arg != 13) 795 return 0; 796 memcpy(c->buf, ptr, arg); 797 gctx->tls_aad_len = arg; 798 { 799 unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1]; 800 /* Correct length for explicit IV */ 801 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 802 /* If decrypting correct for tag too */ 803 if (!c->encrypt) 804 len -= EVP_GCM_TLS_TAG_LEN; 805 c->buf[arg-2] = len>>8; 806 c->buf[arg-1] = len & 0xff; 807 } 808 /* Extra padding: tag appended to record */ 809 return EVP_GCM_TLS_TAG_LEN; 810 811 case EVP_CTRL_COPY: 812 { 813 EVP_CIPHER_CTX *out = ptr; 814 EVP_AES_GCM_CTX *gctx_out = out->cipher_data; 815 if (gctx->gcm.key) 816 { 817 if (gctx->gcm.key != &gctx->ks) 818 return 0; 819 gctx_out->gcm.key = &gctx_out->ks; 820 } 821 if (gctx->iv == c->iv) 822 gctx_out->iv = out->iv; 823 else 824 { 825 gctx_out->iv = OPENSSL_malloc(gctx->ivlen); 826 if (!gctx_out->iv) 827 return 0; 828 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); 829 } 830 return 1; 831 } 832 833 default: 834 return -1; 835 836 } 837 } 838 839 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 840 const unsigned char *iv, int enc) 841 { 842 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 843 if (!iv && !key) 844 return 1; 845 if (key) 846 { do { 847 #ifdef BSAES_CAPABLE 848 if (BSAES_CAPABLE) 849 { 850 AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); 851 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, 852 (block128_f)AES_encrypt); 853 gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 854 break; 855 } 856 else 857 #endif 858 #ifdef VPAES_CAPABLE 859 if (VPAES_CAPABLE) 860 { 861 vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); 862 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, 863 (block128_f)vpaes_encrypt); 864 gctx->ctr = NULL; 865 break; 866 } 867 else 868 #endif 869 (void)0; /* terminate potentially open 'else' */ 870 871 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 872 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt); 873 #ifdef AES_CTR_ASM 874 gctx->ctr = (ctr128_f)AES_ctr32_encrypt; 875 #else 876 gctx->ctr = NULL; 877 #endif 878 } while (0); 879 880 /* If we have an iv can set it directly, otherwise use 881 * saved IV. 882 */ 883 if (iv == NULL && gctx->iv_set) 884 iv = gctx->iv; 885 if (iv) 886 { 887 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 888 gctx->iv_set = 1; 889 } 890 gctx->key_set = 1; 891 } 892 else 893 { 894 /* If key set use IV, otherwise copy */ 895 if (gctx->key_set) 896 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 897 else 898 memcpy(gctx->iv, iv, gctx->ivlen); 899 gctx->iv_set = 1; 900 gctx->iv_gen = 0; 901 } 902 return 1; 903 } 904 905 /* Handle TLS GCM packet format. This consists of the last portion of the IV 906 * followed by the payload and finally the tag. On encrypt generate IV, 907 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload 908 * and verify tag. 909 */ 910 911 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 912 const unsigned char *in, size_t len) 913 { 914 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 915 int rv = -1; 916 /* Encrypt/decrypt must be performed in place */ 917 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN)) 918 return -1; 919 /* Set IV from start of buffer or generate IV and write to start 920 * of buffer. 921 */ 922 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? 923 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, 924 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) 925 goto err; 926 /* Use saved AAD */ 927 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) 928 goto err; 929 /* Fix buffer and length to point to payload */ 930 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; 931 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; 932 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 933 if (ctx->encrypt) 934 { 935 /* Encrypt payload */ 936 if (gctx->ctr) 937 { 938 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 939 in, out, len, 940 gctx->ctr)) 941 goto err; 942 } 943 else { 944 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 945 goto err; 946 } 947 out += len; 948 /* Finally write tag */ 949 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); 950 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 951 } 952 else 953 { 954 /* Decrypt */ 955 if (gctx->ctr) 956 { 957 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 958 in, out, len, 959 gctx->ctr)) 960 goto err; 961 } 962 else { 963 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 964 goto err; 965 } 966 /* Retrieve tag */ 967 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 968 EVP_GCM_TLS_TAG_LEN); 969 /* If tag mismatch wipe buffer */ 970 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) 971 { 972 OPENSSL_cleanse(out, len); 973 goto err; 974 } 975 rv = len; 976 } 977 978 err: 979 gctx->iv_set = 0; 980 gctx->tls_aad_len = -1; 981 return rv; 982 } 983 984 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 985 const unsigned char *in, size_t len) 986 { 987 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 988 /* If not set up, return error */ 989 if (!gctx->key_set) 990 return -1; 991 992 if (gctx->tls_aad_len >= 0) 993 return aes_gcm_tls_cipher(ctx, out, in, len); 994 995 if (!gctx->iv_set) 996 return -1; 997 if (in) 998 { 999 if (out == NULL) 1000 { 1001 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) 1002 return -1; 1003 } 1004 else if (ctx->encrypt) 1005 { 1006 if (gctx->ctr) 1007 { 1008 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 1009 in, out, len, 1010 gctx->ctr)) 1011 return -1; 1012 } 1013 else { 1014 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 1015 return -1; 1016 } 1017 } 1018 else 1019 { 1020 if (gctx->ctr) 1021 { 1022 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 1023 in, out, len, 1024 gctx->ctr)) 1025 return -1; 1026 } 1027 else { 1028 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 1029 return -1; 1030 } 1031 } 1032 return len; 1033 } 1034 else 1035 { 1036 if (!ctx->encrypt) 1037 { 1038 if (gctx->taglen < 0) 1039 return -1; 1040 if (CRYPTO_gcm128_finish(&gctx->gcm, 1041 ctx->buf, gctx->taglen) != 0) 1042 return -1; 1043 gctx->iv_set = 0; 1044 return 0; 1045 } 1046 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); 1047 gctx->taglen = 16; 1048 /* Don't reuse the IV */ 1049 gctx->iv_set = 0; 1050 return 0; 1051 } 1052 1053 } 1054 1055 #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ 1056 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ 1057 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ 1058 | EVP_CIPH_CUSTOM_COPY) 1059 1060 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM, 1061 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1062 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM, 1063 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1064 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM, 1065 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1066 1067 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1068 { 1069 EVP_AES_XTS_CTX *xctx = c->cipher_data; 1070 if (type == EVP_CTRL_COPY) 1071 { 1072 EVP_CIPHER_CTX *out = ptr; 1073 EVP_AES_XTS_CTX *xctx_out = out->cipher_data; 1074 if (xctx->xts.key1) 1075 { 1076 if (xctx->xts.key1 != &xctx->ks1) 1077 return 0; 1078 xctx_out->xts.key1 = &xctx_out->ks1; 1079 } 1080 if (xctx->xts.key2) 1081 { 1082 if (xctx->xts.key2 != &xctx->ks2) 1083 return 0; 1084 xctx_out->xts.key2 = &xctx_out->ks2; 1085 } 1086 return 1; 1087 } 1088 else if (type != EVP_CTRL_INIT) 1089 return -1; 1090 /* key1 and key2 are used as an indicator both key and IV are set */ 1091 xctx->xts.key1 = NULL; 1092 xctx->xts.key2 = NULL; 1093 return 1; 1094 } 1095 1096 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1097 const unsigned char *iv, int enc) 1098 { 1099 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1100 if (!iv && !key) 1101 return 1; 1102 1103 if (key) do 1104 { 1105 #ifdef AES_XTS_ASM 1106 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; 1107 #else 1108 xctx->stream = NULL; 1109 #endif 1110 /* key_len is two AES keys */ 1111 #ifdef BSAES_CAPABLE 1112 if (BSAES_CAPABLE) 1113 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt; 1114 else 1115 #endif 1116 #ifdef VPAES_CAPABLE 1117 if (VPAES_CAPABLE) 1118 { 1119 if (enc) 1120 { 1121 vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1122 xctx->xts.block1 = (block128_f)vpaes_encrypt; 1123 } 1124 else 1125 { 1126 vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1127 xctx->xts.block1 = (block128_f)vpaes_decrypt; 1128 } 1129 1130 vpaes_set_encrypt_key(key + ctx->key_len/2, 1131 ctx->key_len * 4, &xctx->ks2); 1132 xctx->xts.block2 = (block128_f)vpaes_encrypt; 1133 1134 xctx->xts.key1 = &xctx->ks1; 1135 break; 1136 } 1137 else 1138 #endif 1139 (void)0; /* terminate potentially open 'else' */ 1140 1141 if (enc) 1142 { 1143 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1144 xctx->xts.block1 = (block128_f)AES_encrypt; 1145 } 1146 else 1147 { 1148 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1149 xctx->xts.block1 = (block128_f)AES_decrypt; 1150 } 1151 1152 AES_set_encrypt_key(key + ctx->key_len/2, 1153 ctx->key_len * 4, &xctx->ks2); 1154 xctx->xts.block2 = (block128_f)AES_encrypt; 1155 1156 xctx->xts.key1 = &xctx->ks1; 1157 } while (0); 1158 1159 if (iv) 1160 { 1161 xctx->xts.key2 = &xctx->ks2; 1162 memcpy(ctx->iv, iv, 16); 1163 } 1164 1165 return 1; 1166 } 1167 1168 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1169 const unsigned char *in, size_t len) 1170 { 1171 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1172 if (!xctx->xts.key1 || !xctx->xts.key2) 1173 return 0; 1174 if (!out || !in || len<AES_BLOCK_SIZE) 1175 return 0; 1176 #ifdef OPENSSL_FIPS 1177 /* Requirement of SP800-38E */ 1178 if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && 1179 (len > (1UL<<20)*16)) 1180 { 1181 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); 1182 return 0; 1183 } 1184 #endif 1185 if (xctx->stream) 1186 (*xctx->stream)(in, out, len, 1187 xctx->xts.key1, xctx->xts.key2, ctx->iv); 1188 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, 1189 ctx->encrypt)) 1190 return 0; 1191 return 1; 1192 } 1193 1194 #define aes_xts_cleanup NULL 1195 1196 #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \ 1197 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ 1198 | EVP_CIPH_CUSTOM_COPY) 1199 1200 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1201 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1202 1203 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1204 { 1205 EVP_AES_CCM_CTX *cctx = c->cipher_data; 1206 switch (type) 1207 { 1208 case EVP_CTRL_INIT: 1209 cctx->key_set = 0; 1210 cctx->iv_set = 0; 1211 cctx->L = 8; 1212 cctx->M = 12; 1213 cctx->tag_set = 0; 1214 cctx->len_set = 0; 1215 return 1; 1216 1217 case EVP_CTRL_CCM_SET_IVLEN: 1218 arg = 15 - arg; 1219 case EVP_CTRL_CCM_SET_L: 1220 if (arg < 2 || arg > 8) 1221 return 0; 1222 cctx->L = arg; 1223 return 1; 1224 1225 case EVP_CTRL_CCM_SET_TAG: 1226 if ((arg & 1) || arg < 4 || arg > 16) 1227 return 0; 1228 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) 1229 return 0; 1230 if (ptr) 1231 { 1232 cctx->tag_set = 1; 1233 memcpy(c->buf, ptr, arg); 1234 } 1235 cctx->M = arg; 1236 return 1; 1237 1238 case EVP_CTRL_CCM_GET_TAG: 1239 if (!c->encrypt || !cctx->tag_set) 1240 return 0; 1241 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) 1242 return 0; 1243 cctx->tag_set = 0; 1244 cctx->iv_set = 0; 1245 cctx->len_set = 0; 1246 return 1; 1247 1248 case EVP_CTRL_COPY: 1249 { 1250 EVP_CIPHER_CTX *out = ptr; 1251 EVP_AES_CCM_CTX *cctx_out = out->cipher_data; 1252 if (cctx->ccm.key) 1253 { 1254 if (cctx->ccm.key != &cctx->ks) 1255 return 0; 1256 cctx_out->ccm.key = &cctx_out->ks; 1257 } 1258 return 1; 1259 } 1260 1261 default: 1262 return -1; 1263 1264 } 1265 } 1266 1267 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1268 const unsigned char *iv, int enc) 1269 { 1270 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1271 if (!iv && !key) 1272 return 1; 1273 if (key) do 1274 { 1275 #ifdef VPAES_CAPABLE 1276 if (VPAES_CAPABLE) 1277 { 1278 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); 1279 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1280 &cctx->ks, (block128_f)vpaes_encrypt); 1281 cctx->str = NULL; 1282 cctx->key_set = 1; 1283 break; 1284 } 1285 #endif 1286 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 1287 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1288 &cctx->ks, (block128_f)AES_encrypt); 1289 cctx->str = NULL; 1290 cctx->key_set = 1; 1291 } while (0); 1292 if (iv) 1293 { 1294 memcpy(ctx->iv, iv, 15 - cctx->L); 1295 cctx->iv_set = 1; 1296 } 1297 return 1; 1298 } 1299 1300 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1301 const unsigned char *in, size_t len) 1302 { 1303 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1304 CCM128_CONTEXT *ccm = &cctx->ccm; 1305 /* If not set up, return error */ 1306 if (!cctx->iv_set && !cctx->key_set) 1307 return -1; 1308 if (!ctx->encrypt && !cctx->tag_set) 1309 return -1; 1310 if (!out) 1311 { 1312 if (!in) 1313 { 1314 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len)) 1315 return -1; 1316 cctx->len_set = 1; 1317 return len; 1318 } 1319 /* If have AAD need message length */ 1320 if (!cctx->len_set && len) 1321 return -1; 1322 CRYPTO_ccm128_aad(ccm, in, len); 1323 return len; 1324 } 1325 /* EVP_*Final() doesn't return any data */ 1326 if (!in) 1327 return 0; 1328 /* If not set length yet do it */ 1329 if (!cctx->len_set) 1330 { 1331 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 1332 return -1; 1333 cctx->len_set = 1; 1334 } 1335 if (ctx->encrypt) 1336 { 1337 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, 1338 cctx->str) : 1339 CRYPTO_ccm128_encrypt(ccm, in, out, len)) 1340 return -1; 1341 cctx->tag_set = 1; 1342 return len; 1343 } 1344 else 1345 { 1346 int rv = -1; 1347 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, 1348 cctx->str) : 1349 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) 1350 { 1351 unsigned char tag[16]; 1352 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) 1353 { 1354 if (!memcmp(tag, ctx->buf, cctx->M)) 1355 rv = len; 1356 } 1357 } 1358 if (rv == -1) 1359 OPENSSL_cleanse(out, len); 1360 cctx->iv_set = 0; 1361 cctx->tag_set = 0; 1362 cctx->len_set = 0; 1363 return rv; 1364 } 1365 1366 } 1367 1368 #define aes_ccm_cleanup NULL 1369 1370 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1371 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1372 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1373 1374 #endif 1375 #endif 1376