1 /* $OpenBSD: e_aes.c,v 1.59 2024/09/06 09:57:32 tb Exp $ */ 2 /* ==================================================================== 3 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core@openssl.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 */ 51 52 #include <limits.h> 53 #include <stdlib.h> 54 #include <string.h> 55 56 #include <openssl/opensslconf.h> 57 58 #include "crypto_internal.h" 59 60 #ifndef OPENSSL_NO_AES 61 #include <openssl/aes.h> 62 #include <openssl/err.h> 63 #include <openssl/evp.h> 64 65 #include "evp_local.h" 66 #include "modes_local.h" 67 68 typedef struct { 69 AES_KEY ks; 70 block128_f block; 71 union { 72 cbc128_f cbc; 73 ctr128_f ctr; 74 } stream; 75 } EVP_AES_KEY; 76 77 typedef struct { 78 AES_KEY ks; /* AES key schedule to use */ 79 int key_set; /* Set if key initialised */ 80 int iv_set; /* Set if an iv is set */ 81 GCM128_CONTEXT gcm; 82 unsigned char *iv; /* Temporary IV store */ 83 int ivlen; /* IV length */ 84 int taglen; 85 int iv_gen; /* It is OK to generate IVs */ 86 int tls_aad_len; /* TLS AAD length */ 87 ctr128_f ctr; 88 } EVP_AES_GCM_CTX; 89 90 typedef struct { 91 AES_KEY ks1, ks2; /* AES key schedules to use */ 92 XTS128_CONTEXT xts; 93 void (*stream)(const unsigned char *in, unsigned char *out, 94 size_t length, const AES_KEY *key1, const AES_KEY *key2, 95 const unsigned char iv[16]); 96 } EVP_AES_XTS_CTX; 97 98 typedef struct { 99 AES_KEY ks; /* AES key schedule to use */ 100 int key_set; /* Set if key initialised */ 101 int iv_set; /* Set if an iv is set */ 102 int tag_set; /* Set if tag is valid */ 103 int len_set; /* Set if message length set */ 104 int L, M; /* L and M parameters from RFC3610 */ 105 CCM128_CONTEXT ccm; 106 ccm128_f str; 107 } EVP_AES_CCM_CTX; 108 109 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) 110 111 #ifdef VPAES_ASM 112 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, 113 AES_KEY *key); 114 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, 115 AES_KEY *key); 116 117 void vpaes_encrypt(const unsigned char *in, unsigned char *out, 118 const AES_KEY *key); 119 void vpaes_decrypt(const unsigned char *in, unsigned char *out, 120 const AES_KEY *key); 121 122 void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 123 size_t length, const AES_KEY *key, unsigned char *ivec, int enc); 124 #endif 125 #ifdef BSAES_ASM 126 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 127 size_t length, const AES_KEY *key, unsigned char ivec[16], int enc); 128 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 129 size_t len, const AES_KEY *key, const unsigned char ivec[16]); 130 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, 131 size_t len, const AES_KEY *key1, const AES_KEY *key2, 132 const unsigned char iv[16]); 133 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, 134 size_t len, const AES_KEY *key1, const AES_KEY *key2, 135 const unsigned char iv[16]); 136 #endif 137 #ifdef AES_CTR_ASM 138 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 139 size_t blocks, const AES_KEY *key, 140 const unsigned char ivec[AES_BLOCK_SIZE]); 141 #endif 142 #ifdef AES_XTS_ASM 143 void AES_xts_encrypt(const char *inp, char *out, size_t len, 144 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); 145 void AES_xts_decrypt(const char *inp, char *out, size_t len, 146 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); 147 #endif 148 149 #if defined(AES_ASM) && ( \ 150 ((defined(__i386) || defined(__i386__) || \ 151 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ 152 defined(__x86_64) || defined(__x86_64__) || \ 153 defined(_M_AMD64) || defined(_M_X64) || \ 154 defined(__INTEL__) ) 155 156 #include "x86_arch.h" 157 158 #ifdef VPAES_ASM 159 #define VPAES_CAPABLE (crypto_cpu_caps_ia32() & CPUCAP_MASK_SSSE3) 160 #endif 161 #ifdef BSAES_ASM 162 #define BSAES_CAPABLE VPAES_CAPABLE 163 #endif 164 /* 165 * AES-NI section 166 */ 167 #define AESNI_CAPABLE (crypto_cpu_caps_ia32() & CPUCAP_MASK_AESNI) 168 169 int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 170 AES_KEY *key); 171 int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 172 AES_KEY *key); 173 174 void aesni_encrypt(const unsigned char *in, unsigned char *out, 175 const AES_KEY *key); 176 void aesni_decrypt(const unsigned char *in, unsigned char *out, 177 const AES_KEY *key); 178 179 void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out, 180 size_t length, const AES_KEY *key, int enc); 181 void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out, 182 size_t length, const AES_KEY *key, unsigned char *ivec, int enc); 183 184 void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 185 size_t blocks, const void *key, const unsigned char *ivec); 186 187 void aesni_xts_encrypt(const unsigned char *in, unsigned char *out, 188 size_t length, const AES_KEY *key1, const AES_KEY *key2, 189 const unsigned char iv[16]); 190 191 void aesni_xts_decrypt(const unsigned char *in, unsigned char *out, 192 size_t length, const AES_KEY *key1, const AES_KEY *key2, 193 const unsigned char iv[16]); 194 195 void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out, 196 size_t blocks, const void *key, const unsigned char ivec[16], 197 unsigned char cmac[16]); 198 199 void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out, 200 size_t blocks, const void *key, const unsigned char ivec[16], 201 unsigned char cmac[16]); 202 203 static int 204 aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 205 const unsigned char *iv, int enc) 206 { 207 int ret, mode; 208 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 209 210 mode = ctx->cipher->flags & EVP_CIPH_MODE; 211 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && 212 !enc) { 213 ret = aesni_set_decrypt_key(key, ctx->key_len * 8, 214 ctx->cipher_data); 215 dat->block = (block128_f)aesni_decrypt; 216 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 217 (cbc128_f)aesni_cbc_encrypt : NULL; 218 } else { 219 ret = aesni_set_encrypt_key(key, ctx->key_len * 8, 220 ctx->cipher_data); 221 dat->block = (block128_f)aesni_encrypt; 222 if (mode == EVP_CIPH_CBC_MODE) 223 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; 224 else if (mode == EVP_CIPH_CTR_MODE) 225 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 226 else 227 dat->stream.cbc = NULL; 228 } 229 230 if (ret < 0) { 231 EVPerror(EVP_R_AES_KEY_SETUP_FAILED); 232 return 0; 233 } 234 235 return 1; 236 } 237 238 static int 239 aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 240 const unsigned char *in, size_t len) 241 { 242 aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, 243 ctx->encrypt); 244 245 return 1; 246 } 247 248 static int 249 aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 250 const unsigned char *in, size_t len) 251 { 252 size_t bl = ctx->cipher->block_size; 253 254 if (len < bl) 255 return 1; 256 257 aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt); 258 259 return 1; 260 } 261 262 static int 263 aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 264 const unsigned char *iv, int enc) 265 { 266 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 267 268 if (!iv && !key) 269 return 1; 270 if (key) { 271 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 272 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 273 (block128_f)aesni_encrypt); 274 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 275 /* If we have an iv can set it directly, otherwise use 276 * saved IV. 277 */ 278 if (iv == NULL && gctx->iv_set) 279 iv = gctx->iv; 280 if (iv) { 281 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 282 gctx->iv_set = 1; 283 } 284 gctx->key_set = 1; 285 } else { 286 /* If key set use IV, otherwise copy */ 287 if (gctx->key_set) 288 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 289 else 290 memcpy(gctx->iv, iv, gctx->ivlen); 291 gctx->iv_set = 1; 292 gctx->iv_gen = 0; 293 } 294 return 1; 295 } 296 297 static int 298 aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 299 const unsigned char *iv, int enc) 300 { 301 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 302 303 if (!iv && !key) 304 return 1; 305 306 if (key) { 307 /* key_len is two AES keys */ 308 if (enc) { 309 aesni_set_encrypt_key(key, ctx->key_len * 4, 310 &xctx->ks1); 311 xctx->xts.block1 = (block128_f)aesni_encrypt; 312 xctx->stream = aesni_xts_encrypt; 313 } else { 314 aesni_set_decrypt_key(key, ctx->key_len * 4, 315 &xctx->ks1); 316 xctx->xts.block1 = (block128_f)aesni_decrypt; 317 xctx->stream = aesni_xts_decrypt; 318 } 319 320 aesni_set_encrypt_key(key + ctx->key_len / 2, 321 ctx->key_len * 4, &xctx->ks2); 322 xctx->xts.block2 = (block128_f)aesni_encrypt; 323 324 xctx->xts.key1 = &xctx->ks1; 325 } 326 327 if (iv) { 328 xctx->xts.key2 = &xctx->ks2; 329 memcpy(ctx->iv, iv, 16); 330 } 331 332 return 1; 333 } 334 335 static int 336 aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 337 const unsigned char *iv, int enc) 338 { 339 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 340 341 if (!iv && !key) 342 return 1; 343 if (key) { 344 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 345 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 346 &cctx->ks, (block128_f)aesni_encrypt); 347 cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks : 348 (ccm128_f)aesni_ccm64_decrypt_blocks; 349 cctx->key_set = 1; 350 } 351 if (iv) { 352 memcpy(ctx->iv, iv, 15 - cctx->L); 353 cctx->iv_set = 1; 354 } 355 return 1; 356 } 357 358 #endif 359 360 static int 361 aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 362 const unsigned char *iv, int enc) 363 { 364 int ret, mode; 365 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 366 367 mode = ctx->cipher->flags & EVP_CIPH_MODE; 368 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && 369 !enc) 370 #ifdef BSAES_CAPABLE 371 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) { 372 ret = AES_set_decrypt_key(key, ctx->key_len * 8, 373 &dat->ks); 374 dat->block = (block128_f)AES_decrypt; 375 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; 376 } else 377 #endif 378 #ifdef VPAES_CAPABLE 379 if (VPAES_CAPABLE) { 380 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, 381 &dat->ks); 382 dat->block = (block128_f)vpaes_decrypt; 383 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 384 (cbc128_f)vpaes_cbc_encrypt : NULL; 385 } else 386 #endif 387 { 388 ret = AES_set_decrypt_key(key, ctx->key_len * 8, 389 &dat->ks); 390 dat->block = (block128_f)AES_decrypt; 391 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 392 (cbc128_f)AES_cbc_encrypt : NULL; 393 } else 394 #ifdef BSAES_CAPABLE 395 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) { 396 ret = AES_set_encrypt_key(key, ctx->key_len * 8, 397 &dat->ks); 398 dat->block = (block128_f)AES_encrypt; 399 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 400 } else 401 #endif 402 #ifdef VPAES_CAPABLE 403 if (VPAES_CAPABLE) { 404 ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, 405 &dat->ks); 406 dat->block = (block128_f)vpaes_encrypt; 407 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 408 (cbc128_f)vpaes_cbc_encrypt : NULL; 409 } else 410 #endif 411 { 412 ret = AES_set_encrypt_key(key, ctx->key_len * 8, 413 &dat->ks); 414 dat->block = (block128_f)AES_encrypt; 415 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 416 (cbc128_f)AES_cbc_encrypt : NULL; 417 #ifdef AES_CTR_ASM 418 if (mode == EVP_CIPH_CTR_MODE) 419 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; 420 #endif 421 } 422 423 if (ret < 0) { 424 EVPerror(EVP_R_AES_KEY_SETUP_FAILED); 425 return 0; 426 } 427 428 return 1; 429 } 430 431 static int 432 aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 433 const unsigned char *in, size_t len) 434 { 435 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 436 437 if (dat->stream.cbc) 438 (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv, 439 ctx->encrypt); 440 else if (ctx->encrypt) 441 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, 442 dat->block); 443 else 444 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, 445 dat->block); 446 447 return 1; 448 } 449 450 static int 451 aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 452 const unsigned char *in, size_t len) 453 { 454 size_t bl = ctx->cipher->block_size; 455 size_t i; 456 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 457 458 if (len < bl) 459 return 1; 460 461 for (i = 0, len -= bl; i <= len; i += bl) 462 (*dat->block)(in + i, out + i, &dat->ks); 463 464 return 1; 465 } 466 467 static int 468 aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 469 const unsigned char *in, size_t len) 470 { 471 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 472 473 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 474 dat->block); 475 return 1; 476 } 477 478 static int 479 aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 480 const unsigned char *in, size_t len) 481 { 482 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 483 484 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 485 ctx->encrypt, dat->block); 486 return 1; 487 } 488 489 static int 490 aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 491 const unsigned char *in, size_t len) 492 { 493 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 494 495 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 496 ctx->encrypt, dat->block); 497 return 1; 498 } 499 500 static int 501 aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 502 const unsigned char *in, size_t len) 503 { 504 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 505 506 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { 507 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv, 508 &ctx->num, ctx->encrypt, dat->block); 509 return 1; 510 } 511 512 while (len >= MAXBITCHUNK) { 513 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks, 514 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 515 len -= MAXBITCHUNK; 516 in += MAXBITCHUNK; 517 out += MAXBITCHUNK; 518 } 519 if (len) 520 CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks, 521 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 522 523 return 1; 524 } 525 526 static int 527 aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 528 const unsigned char *in, size_t len) 529 { 530 unsigned int num = ctx->num; 531 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 532 533 if (dat->stream.ctr) 534 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, 535 ctx->iv, ctx->buf, &num, dat->stream.ctr); 536 else 537 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, 538 ctx->iv, ctx->buf, &num, dat->block); 539 ctx->num = (size_t)num; 540 return 1; 541 } 542 543 544 #ifdef AESNI_CAPABLE 545 static const EVP_CIPHER aesni_128_cbc = { 546 .nid = NID_aes_128_cbc, 547 .block_size = 16, 548 .key_len = 16, 549 .iv_len = 16, 550 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 551 .init = aesni_init_key, 552 .do_cipher = aesni_cbc_cipher, 553 .ctx_size = sizeof(EVP_AES_KEY), 554 }; 555 #endif 556 557 static const EVP_CIPHER aes_128_cbc = { 558 .nid = NID_aes_128_cbc, 559 .block_size = 16, 560 .key_len = 16, 561 .iv_len = 16, 562 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 563 .init = aes_init_key, 564 .do_cipher = aes_cbc_cipher, 565 .ctx_size = sizeof(EVP_AES_KEY), 566 }; 567 568 const EVP_CIPHER * 569 EVP_aes_128_cbc(void) 570 { 571 #ifdef AESNI_CAPABLE 572 return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc; 573 #else 574 return &aes_128_cbc; 575 #endif 576 } 577 LCRYPTO_ALIAS(EVP_aes_128_cbc); 578 579 #ifdef AESNI_CAPABLE 580 static const EVP_CIPHER aesni_128_ecb = { 581 .nid = NID_aes_128_ecb, 582 .block_size = 16, 583 .key_len = 16, 584 .iv_len = 0, 585 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 586 .init = aesni_init_key, 587 .do_cipher = aesni_ecb_cipher, 588 .ctx_size = sizeof(EVP_AES_KEY), 589 }; 590 #endif 591 592 static const EVP_CIPHER aes_128_ecb = { 593 .nid = NID_aes_128_ecb, 594 .block_size = 16, 595 .key_len = 16, 596 .iv_len = 0, 597 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 598 .init = aes_init_key, 599 .do_cipher = aes_ecb_cipher, 600 .ctx_size = sizeof(EVP_AES_KEY), 601 }; 602 603 const EVP_CIPHER * 604 EVP_aes_128_ecb(void) 605 { 606 #ifdef AESNI_CAPABLE 607 return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb; 608 #else 609 return &aes_128_ecb; 610 #endif 611 } 612 LCRYPTO_ALIAS(EVP_aes_128_ecb); 613 614 #ifdef AESNI_CAPABLE 615 static const EVP_CIPHER aesni_128_ofb = { 616 .nid = NID_aes_128_ofb128, 617 .block_size = 1, 618 .key_len = 16, 619 .iv_len = 16, 620 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 621 .init = aesni_init_key, 622 .do_cipher = aes_ofb_cipher, 623 .ctx_size = sizeof(EVP_AES_KEY), 624 }; 625 #endif 626 627 static const EVP_CIPHER aes_128_ofb = { 628 .nid = NID_aes_128_ofb128, 629 .block_size = 1, 630 .key_len = 16, 631 .iv_len = 16, 632 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 633 .init = aes_init_key, 634 .do_cipher = aes_ofb_cipher, 635 .ctx_size = sizeof(EVP_AES_KEY), 636 }; 637 638 const EVP_CIPHER * 639 EVP_aes_128_ofb(void) 640 { 641 #ifdef AESNI_CAPABLE 642 return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb; 643 #else 644 return &aes_128_ofb; 645 #endif 646 } 647 LCRYPTO_ALIAS(EVP_aes_128_ofb); 648 649 #ifdef AESNI_CAPABLE 650 static const EVP_CIPHER aesni_128_cfb = { 651 .nid = NID_aes_128_cfb128, 652 .block_size = 1, 653 .key_len = 16, 654 .iv_len = 16, 655 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 656 .init = aesni_init_key, 657 .do_cipher = aes_cfb_cipher, 658 .ctx_size = sizeof(EVP_AES_KEY), 659 }; 660 #endif 661 662 static const EVP_CIPHER aes_128_cfb = { 663 .nid = NID_aes_128_cfb128, 664 .block_size = 1, 665 .key_len = 16, 666 .iv_len = 16, 667 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 668 .init = aes_init_key, 669 .do_cipher = aes_cfb_cipher, 670 .ctx_size = sizeof(EVP_AES_KEY), 671 }; 672 673 const EVP_CIPHER * 674 EVP_aes_128_cfb128(void) 675 { 676 #ifdef AESNI_CAPABLE 677 return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb; 678 #else 679 return &aes_128_cfb; 680 #endif 681 } 682 LCRYPTO_ALIAS(EVP_aes_128_cfb128); 683 684 #ifdef AESNI_CAPABLE 685 static const EVP_CIPHER aesni_128_cfb1 = { 686 .nid = NID_aes_128_cfb1, 687 .block_size = 1, 688 .key_len = 16, 689 .iv_len = 16, 690 .flags = EVP_CIPH_CFB_MODE, 691 .init = aesni_init_key, 692 .do_cipher = aes_cfb1_cipher, 693 .ctx_size = sizeof(EVP_AES_KEY), 694 }; 695 #endif 696 697 static const EVP_CIPHER aes_128_cfb1 = { 698 .nid = NID_aes_128_cfb1, 699 .block_size = 1, 700 .key_len = 16, 701 .iv_len = 16, 702 .flags = EVP_CIPH_CFB_MODE, 703 .init = aes_init_key, 704 .do_cipher = aes_cfb1_cipher, 705 .ctx_size = sizeof(EVP_AES_KEY), 706 }; 707 708 const EVP_CIPHER * 709 EVP_aes_128_cfb1(void) 710 { 711 #ifdef AESNI_CAPABLE 712 return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1; 713 #else 714 return &aes_128_cfb1; 715 #endif 716 } 717 LCRYPTO_ALIAS(EVP_aes_128_cfb1); 718 719 #ifdef AESNI_CAPABLE 720 static const EVP_CIPHER aesni_128_cfb8 = { 721 .nid = NID_aes_128_cfb8, 722 .block_size = 1, 723 .key_len = 16, 724 .iv_len = 16, 725 .flags = EVP_CIPH_CFB_MODE, 726 .init = aesni_init_key, 727 .do_cipher = aes_cfb8_cipher, 728 .ctx_size = sizeof(EVP_AES_KEY), 729 }; 730 #endif 731 732 static const EVP_CIPHER aes_128_cfb8 = { 733 .nid = NID_aes_128_cfb8, 734 .block_size = 1, 735 .key_len = 16, 736 .iv_len = 16, 737 .flags = EVP_CIPH_CFB_MODE, 738 .init = aes_init_key, 739 .do_cipher = aes_cfb8_cipher, 740 .ctx_size = sizeof(EVP_AES_KEY), 741 }; 742 743 const EVP_CIPHER * 744 EVP_aes_128_cfb8(void) 745 { 746 #ifdef AESNI_CAPABLE 747 return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8; 748 #else 749 return &aes_128_cfb8; 750 #endif 751 } 752 LCRYPTO_ALIAS(EVP_aes_128_cfb8); 753 754 #ifdef AESNI_CAPABLE 755 static const EVP_CIPHER aesni_128_ctr = { 756 .nid = NID_aes_128_ctr, 757 .block_size = 1, 758 .key_len = 16, 759 .iv_len = 16, 760 .flags = EVP_CIPH_CTR_MODE, 761 .init = aesni_init_key, 762 .do_cipher = aes_ctr_cipher, 763 .ctx_size = sizeof(EVP_AES_KEY), 764 }; 765 #endif 766 767 static const EVP_CIPHER aes_128_ctr = { 768 .nid = NID_aes_128_ctr, 769 .block_size = 1, 770 .key_len = 16, 771 .iv_len = 16, 772 .flags = EVP_CIPH_CTR_MODE, 773 .init = aes_init_key, 774 .do_cipher = aes_ctr_cipher, 775 .ctx_size = sizeof(EVP_AES_KEY), 776 }; 777 778 const EVP_CIPHER * 779 EVP_aes_128_ctr(void) 780 { 781 #ifdef AESNI_CAPABLE 782 return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr; 783 #else 784 return &aes_128_ctr; 785 #endif 786 } 787 LCRYPTO_ALIAS(EVP_aes_128_ctr); 788 789 790 #ifdef AESNI_CAPABLE 791 static const EVP_CIPHER aesni_192_cbc = { 792 .nid = NID_aes_192_cbc, 793 .block_size = 16, 794 .key_len = 24, 795 .iv_len = 16, 796 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 797 .init = aesni_init_key, 798 .do_cipher = aesni_cbc_cipher, 799 .ctx_size = sizeof(EVP_AES_KEY), 800 }; 801 #endif 802 803 static const EVP_CIPHER aes_192_cbc = { 804 .nid = NID_aes_192_cbc, 805 .block_size = 16, 806 .key_len = 24, 807 .iv_len = 16, 808 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 809 .init = aes_init_key, 810 .do_cipher = aes_cbc_cipher, 811 .ctx_size = sizeof(EVP_AES_KEY), 812 }; 813 814 const EVP_CIPHER * 815 EVP_aes_192_cbc(void) 816 { 817 #ifdef AESNI_CAPABLE 818 return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc; 819 #else 820 return &aes_192_cbc; 821 #endif 822 } 823 LCRYPTO_ALIAS(EVP_aes_192_cbc); 824 825 #ifdef AESNI_CAPABLE 826 static const EVP_CIPHER aesni_192_ecb = { 827 .nid = NID_aes_192_ecb, 828 .block_size = 16, 829 .key_len = 24, 830 .iv_len = 0, 831 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 832 .init = aesni_init_key, 833 .do_cipher = aesni_ecb_cipher, 834 .ctx_size = sizeof(EVP_AES_KEY), 835 }; 836 #endif 837 838 static const EVP_CIPHER aes_192_ecb = { 839 .nid = NID_aes_192_ecb, 840 .block_size = 16, 841 .key_len = 24, 842 .iv_len = 0, 843 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 844 .init = aes_init_key, 845 .do_cipher = aes_ecb_cipher, 846 .ctx_size = sizeof(EVP_AES_KEY), 847 }; 848 849 const EVP_CIPHER * 850 EVP_aes_192_ecb(void) 851 { 852 #ifdef AESNI_CAPABLE 853 return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb; 854 #else 855 return &aes_192_ecb; 856 #endif 857 } 858 LCRYPTO_ALIAS(EVP_aes_192_ecb); 859 860 #ifdef AESNI_CAPABLE 861 static const EVP_CIPHER aesni_192_ofb = { 862 .nid = NID_aes_192_ofb128, 863 .block_size = 1, 864 .key_len = 24, 865 .iv_len = 16, 866 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 867 .init = aesni_init_key, 868 .do_cipher = aes_ofb_cipher, 869 .ctx_size = sizeof(EVP_AES_KEY), 870 }; 871 #endif 872 873 static const EVP_CIPHER aes_192_ofb = { 874 .nid = NID_aes_192_ofb128, 875 .block_size = 1, 876 .key_len = 24, 877 .iv_len = 16, 878 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 879 .init = aes_init_key, 880 .do_cipher = aes_ofb_cipher, 881 .ctx_size = sizeof(EVP_AES_KEY), 882 }; 883 884 const EVP_CIPHER * 885 EVP_aes_192_ofb(void) 886 { 887 #ifdef AESNI_CAPABLE 888 return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb; 889 #else 890 return &aes_192_ofb; 891 #endif 892 } 893 LCRYPTO_ALIAS(EVP_aes_192_ofb); 894 895 #ifdef AESNI_CAPABLE 896 static const EVP_CIPHER aesni_192_cfb = { 897 .nid = NID_aes_192_cfb128, 898 .block_size = 1, 899 .key_len = 24, 900 .iv_len = 16, 901 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 902 .init = aesni_init_key, 903 .do_cipher = aes_cfb_cipher, 904 .ctx_size = sizeof(EVP_AES_KEY), 905 }; 906 #endif 907 908 static const EVP_CIPHER aes_192_cfb = { 909 .nid = NID_aes_192_cfb128, 910 .block_size = 1, 911 .key_len = 24, 912 .iv_len = 16, 913 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 914 .init = aes_init_key, 915 .do_cipher = aes_cfb_cipher, 916 .ctx_size = sizeof(EVP_AES_KEY), 917 }; 918 919 const EVP_CIPHER * 920 EVP_aes_192_cfb128(void) 921 { 922 #ifdef AESNI_CAPABLE 923 return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb; 924 #else 925 return &aes_192_cfb; 926 #endif 927 } 928 LCRYPTO_ALIAS(EVP_aes_192_cfb128); 929 930 #ifdef AESNI_CAPABLE 931 static const EVP_CIPHER aesni_192_cfb1 = { 932 .nid = NID_aes_192_cfb1, 933 .block_size = 1, 934 .key_len = 24, 935 .iv_len = 16, 936 .flags = EVP_CIPH_CFB_MODE, 937 .init = aesni_init_key, 938 .do_cipher = aes_cfb1_cipher, 939 .ctx_size = sizeof(EVP_AES_KEY), 940 }; 941 #endif 942 943 static const EVP_CIPHER aes_192_cfb1 = { 944 .nid = NID_aes_192_cfb1, 945 .block_size = 1, 946 .key_len = 24, 947 .iv_len = 16, 948 .flags = EVP_CIPH_CFB_MODE, 949 .init = aes_init_key, 950 .do_cipher = aes_cfb1_cipher, 951 .ctx_size = sizeof(EVP_AES_KEY), 952 }; 953 954 const EVP_CIPHER * 955 EVP_aes_192_cfb1(void) 956 { 957 #ifdef AESNI_CAPABLE 958 return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1; 959 #else 960 return &aes_192_cfb1; 961 #endif 962 } 963 LCRYPTO_ALIAS(EVP_aes_192_cfb1); 964 965 #ifdef AESNI_CAPABLE 966 static const EVP_CIPHER aesni_192_cfb8 = { 967 .nid = NID_aes_192_cfb8, 968 .block_size = 1, 969 .key_len = 24, 970 .iv_len = 16, 971 .flags = EVP_CIPH_CFB_MODE, 972 .init = aesni_init_key, 973 .do_cipher = aes_cfb8_cipher, 974 .ctx_size = sizeof(EVP_AES_KEY), 975 }; 976 #endif 977 978 static const EVP_CIPHER aes_192_cfb8 = { 979 .nid = NID_aes_192_cfb8, 980 .block_size = 1, 981 .key_len = 24, 982 .iv_len = 16, 983 .flags = EVP_CIPH_CFB_MODE, 984 .init = aes_init_key, 985 .do_cipher = aes_cfb8_cipher, 986 .ctx_size = sizeof(EVP_AES_KEY), 987 }; 988 989 const EVP_CIPHER * 990 EVP_aes_192_cfb8(void) 991 { 992 #ifdef AESNI_CAPABLE 993 return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8; 994 #else 995 return &aes_192_cfb8; 996 #endif 997 } 998 LCRYPTO_ALIAS(EVP_aes_192_cfb8); 999 1000 #ifdef AESNI_CAPABLE 1001 static const EVP_CIPHER aesni_192_ctr = { 1002 .nid = NID_aes_192_ctr, 1003 .block_size = 1, 1004 .key_len = 24, 1005 .iv_len = 16, 1006 .flags = EVP_CIPH_CTR_MODE, 1007 .init = aesni_init_key, 1008 .do_cipher = aes_ctr_cipher, 1009 .ctx_size = sizeof(EVP_AES_KEY), 1010 }; 1011 #endif 1012 1013 static const EVP_CIPHER aes_192_ctr = { 1014 .nid = NID_aes_192_ctr, 1015 .block_size = 1, 1016 .key_len = 24, 1017 .iv_len = 16, 1018 .flags = EVP_CIPH_CTR_MODE, 1019 .init = aes_init_key, 1020 .do_cipher = aes_ctr_cipher, 1021 .ctx_size = sizeof(EVP_AES_KEY), 1022 }; 1023 1024 const EVP_CIPHER * 1025 EVP_aes_192_ctr(void) 1026 { 1027 #ifdef AESNI_CAPABLE 1028 return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr; 1029 #else 1030 return &aes_192_ctr; 1031 #endif 1032 } 1033 LCRYPTO_ALIAS(EVP_aes_192_ctr); 1034 1035 1036 #ifdef AESNI_CAPABLE 1037 static const EVP_CIPHER aesni_256_cbc = { 1038 .nid = NID_aes_256_cbc, 1039 .block_size = 16, 1040 .key_len = 32, 1041 .iv_len = 16, 1042 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 1043 .init = aesni_init_key, 1044 .do_cipher = aesni_cbc_cipher, 1045 .ctx_size = sizeof(EVP_AES_KEY), 1046 }; 1047 #endif 1048 1049 static const EVP_CIPHER aes_256_cbc = { 1050 .nid = NID_aes_256_cbc, 1051 .block_size = 16, 1052 .key_len = 32, 1053 .iv_len = 16, 1054 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 1055 .init = aes_init_key, 1056 .do_cipher = aes_cbc_cipher, 1057 .ctx_size = sizeof(EVP_AES_KEY), 1058 }; 1059 1060 const EVP_CIPHER * 1061 EVP_aes_256_cbc(void) 1062 { 1063 #ifdef AESNI_CAPABLE 1064 return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc; 1065 #else 1066 return &aes_256_cbc; 1067 #endif 1068 } 1069 LCRYPTO_ALIAS(EVP_aes_256_cbc); 1070 1071 #ifdef AESNI_CAPABLE 1072 static const EVP_CIPHER aesni_256_ecb = { 1073 .nid = NID_aes_256_ecb, 1074 .block_size = 16, 1075 .key_len = 32, 1076 .iv_len = 0, 1077 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 1078 .init = aesni_init_key, 1079 .do_cipher = aesni_ecb_cipher, 1080 .ctx_size = sizeof(EVP_AES_KEY), 1081 }; 1082 #endif 1083 1084 static const EVP_CIPHER aes_256_ecb = { 1085 .nid = NID_aes_256_ecb, 1086 .block_size = 16, 1087 .key_len = 32, 1088 .iv_len = 0, 1089 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 1090 .init = aes_init_key, 1091 .do_cipher = aes_ecb_cipher, 1092 .ctx_size = sizeof(EVP_AES_KEY), 1093 }; 1094 1095 const EVP_CIPHER * 1096 EVP_aes_256_ecb(void) 1097 { 1098 #ifdef AESNI_CAPABLE 1099 return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb; 1100 #else 1101 return &aes_256_ecb; 1102 #endif 1103 } 1104 LCRYPTO_ALIAS(EVP_aes_256_ecb); 1105 1106 #ifdef AESNI_CAPABLE 1107 static const EVP_CIPHER aesni_256_ofb = { 1108 .nid = NID_aes_256_ofb128, 1109 .block_size = 1, 1110 .key_len = 32, 1111 .iv_len = 16, 1112 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 1113 .init = aesni_init_key, 1114 .do_cipher = aes_ofb_cipher, 1115 .ctx_size = sizeof(EVP_AES_KEY), 1116 }; 1117 #endif 1118 1119 static const EVP_CIPHER aes_256_ofb = { 1120 .nid = NID_aes_256_ofb128, 1121 .block_size = 1, 1122 .key_len = 32, 1123 .iv_len = 16, 1124 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 1125 .init = aes_init_key, 1126 .do_cipher = aes_ofb_cipher, 1127 .ctx_size = sizeof(EVP_AES_KEY), 1128 }; 1129 1130 const EVP_CIPHER * 1131 EVP_aes_256_ofb(void) 1132 { 1133 #ifdef AESNI_CAPABLE 1134 return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb; 1135 #else 1136 return &aes_256_ofb; 1137 #endif 1138 } 1139 LCRYPTO_ALIAS(EVP_aes_256_ofb); 1140 1141 #ifdef AESNI_CAPABLE 1142 static const EVP_CIPHER aesni_256_cfb = { 1143 .nid = NID_aes_256_cfb128, 1144 .block_size = 1, 1145 .key_len = 32, 1146 .iv_len = 16, 1147 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 1148 .init = aesni_init_key, 1149 .do_cipher = aes_cfb_cipher, 1150 .ctx_size = sizeof(EVP_AES_KEY), 1151 }; 1152 #endif 1153 1154 static const EVP_CIPHER aes_256_cfb = { 1155 .nid = NID_aes_256_cfb128, 1156 .block_size = 1, 1157 .key_len = 32, 1158 .iv_len = 16, 1159 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 1160 .init = aes_init_key, 1161 .do_cipher = aes_cfb_cipher, 1162 .ctx_size = sizeof(EVP_AES_KEY), 1163 }; 1164 1165 const EVP_CIPHER * 1166 EVP_aes_256_cfb128(void) 1167 { 1168 #ifdef AESNI_CAPABLE 1169 return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb; 1170 #else 1171 return &aes_256_cfb; 1172 #endif 1173 } 1174 LCRYPTO_ALIAS(EVP_aes_256_cfb128); 1175 1176 #ifdef AESNI_CAPABLE 1177 static const EVP_CIPHER aesni_256_cfb1 = { 1178 .nid = NID_aes_256_cfb1, 1179 .block_size = 1, 1180 .key_len = 32, 1181 .iv_len = 16, 1182 .flags = EVP_CIPH_CFB_MODE, 1183 .init = aesni_init_key, 1184 .do_cipher = aes_cfb1_cipher, 1185 .ctx_size = sizeof(EVP_AES_KEY), 1186 }; 1187 #endif 1188 1189 static const EVP_CIPHER aes_256_cfb1 = { 1190 .nid = NID_aes_256_cfb1, 1191 .block_size = 1, 1192 .key_len = 32, 1193 .iv_len = 16, 1194 .flags = EVP_CIPH_CFB_MODE, 1195 .init = aes_init_key, 1196 .do_cipher = aes_cfb1_cipher, 1197 .ctx_size = sizeof(EVP_AES_KEY), 1198 }; 1199 1200 const EVP_CIPHER * 1201 EVP_aes_256_cfb1(void) 1202 { 1203 #ifdef AESNI_CAPABLE 1204 return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1; 1205 #else 1206 return &aes_256_cfb1; 1207 #endif 1208 } 1209 LCRYPTO_ALIAS(EVP_aes_256_cfb1); 1210 1211 #ifdef AESNI_CAPABLE 1212 static const EVP_CIPHER aesni_256_cfb8 = { 1213 .nid = NID_aes_256_cfb8, 1214 .block_size = 1, 1215 .key_len = 32, 1216 .iv_len = 16, 1217 .flags = EVP_CIPH_CFB_MODE, 1218 .init = aesni_init_key, 1219 .do_cipher = aes_cfb8_cipher, 1220 .ctx_size = sizeof(EVP_AES_KEY), 1221 }; 1222 #endif 1223 1224 static const EVP_CIPHER aes_256_cfb8 = { 1225 .nid = NID_aes_256_cfb8, 1226 .block_size = 1, 1227 .key_len = 32, 1228 .iv_len = 16, 1229 .flags = EVP_CIPH_CFB_MODE, 1230 .init = aes_init_key, 1231 .do_cipher = aes_cfb8_cipher, 1232 .ctx_size = sizeof(EVP_AES_KEY), 1233 }; 1234 1235 const EVP_CIPHER * 1236 EVP_aes_256_cfb8(void) 1237 { 1238 #ifdef AESNI_CAPABLE 1239 return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8; 1240 #else 1241 return &aes_256_cfb8; 1242 #endif 1243 } 1244 LCRYPTO_ALIAS(EVP_aes_256_cfb8); 1245 1246 #ifdef AESNI_CAPABLE 1247 static const EVP_CIPHER aesni_256_ctr = { 1248 .nid = NID_aes_256_ctr, 1249 .block_size = 1, 1250 .key_len = 32, 1251 .iv_len = 16, 1252 .flags = EVP_CIPH_CTR_MODE, 1253 .init = aesni_init_key, 1254 .do_cipher = aes_ctr_cipher, 1255 .ctx_size = sizeof(EVP_AES_KEY), 1256 }; 1257 #endif 1258 1259 static const EVP_CIPHER aes_256_ctr = { 1260 .nid = NID_aes_256_ctr, 1261 .block_size = 1, 1262 .key_len = 32, 1263 .iv_len = 16, 1264 .flags = EVP_CIPH_CTR_MODE, 1265 .init = aes_init_key, 1266 .do_cipher = aes_ctr_cipher, 1267 .ctx_size = sizeof(EVP_AES_KEY), 1268 }; 1269 1270 const EVP_CIPHER * 1271 EVP_aes_256_ctr(void) 1272 { 1273 #ifdef AESNI_CAPABLE 1274 return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr; 1275 #else 1276 return &aes_256_ctr; 1277 #endif 1278 } 1279 LCRYPTO_ALIAS(EVP_aes_256_ctr); 1280 1281 static int 1282 aes_gcm_cleanup(EVP_CIPHER_CTX *c) 1283 { 1284 EVP_AES_GCM_CTX *gctx = c->cipher_data; 1285 1286 if (gctx->iv != c->iv) 1287 free(gctx->iv); 1288 1289 explicit_bzero(gctx, sizeof(*gctx)); 1290 1291 return 1; 1292 } 1293 1294 /* increment counter (64-bit int) by 1 */ 1295 static void 1296 ctr64_inc(unsigned char *counter) 1297 { 1298 int n = 8; 1299 unsigned char c; 1300 1301 do { 1302 --n; 1303 c = counter[n]; 1304 ++c; 1305 counter[n] = c; 1306 if (c) 1307 return; 1308 } while (n); 1309 } 1310 1311 static int 1312 aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1313 { 1314 EVP_AES_GCM_CTX *gctx = c->cipher_data; 1315 1316 switch (type) { 1317 case EVP_CTRL_INIT: 1318 gctx->key_set = 0; 1319 gctx->iv_set = 0; 1320 if (c->cipher->iv_len == 0) { 1321 EVPerror(EVP_R_INVALID_IV_LENGTH); 1322 return 0; 1323 } 1324 gctx->ivlen = c->cipher->iv_len; 1325 gctx->iv = c->iv; 1326 gctx->taglen = -1; 1327 gctx->iv_gen = 0; 1328 gctx->tls_aad_len = -1; 1329 return 1; 1330 1331 case EVP_CTRL_AEAD_GET_IVLEN: 1332 *(int *)ptr = gctx->ivlen; 1333 return 1; 1334 1335 case EVP_CTRL_AEAD_SET_IVLEN: 1336 if (arg <= 0) 1337 return 0; 1338 /* Allocate memory for IV if needed */ 1339 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { 1340 if (gctx->iv != c->iv) 1341 free(gctx->iv); 1342 gctx->iv = malloc(arg); 1343 if (!gctx->iv) 1344 return 0; 1345 } 1346 gctx->ivlen = arg; 1347 return 1; 1348 1349 case EVP_CTRL_GCM_SET_TAG: 1350 if (arg <= 0 || arg > 16 || c->encrypt) 1351 return 0; 1352 memcpy(c->buf, ptr, arg); 1353 gctx->taglen = arg; 1354 return 1; 1355 1356 case EVP_CTRL_GCM_GET_TAG: 1357 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) 1358 return 0; 1359 memcpy(ptr, c->buf, arg); 1360 return 1; 1361 1362 case EVP_CTRL_GCM_SET_IV_FIXED: 1363 /* Special case: -1 length restores whole IV */ 1364 if (arg == -1) { 1365 memcpy(gctx->iv, ptr, gctx->ivlen); 1366 gctx->iv_gen = 1; 1367 return 1; 1368 } 1369 /* Fixed field must be at least 4 bytes and invocation field 1370 * at least 8. 1371 */ 1372 if ((arg < 4) || (gctx->ivlen - arg) < 8) 1373 return 0; 1374 if (arg) 1375 memcpy(gctx->iv, ptr, arg); 1376 if (c->encrypt) 1377 arc4random_buf(gctx->iv + arg, gctx->ivlen - arg); 1378 gctx->iv_gen = 1; 1379 return 1; 1380 1381 case EVP_CTRL_GCM_IV_GEN: 1382 if (gctx->iv_gen == 0 || gctx->key_set == 0) 1383 return 0; 1384 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 1385 if (arg <= 0 || arg > gctx->ivlen) 1386 arg = gctx->ivlen; 1387 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 1388 /* Invocation field will be at least 8 bytes in size and 1389 * so no need to check wrap around or increment more than 1390 * last 8 bytes. 1391 */ 1392 ctr64_inc(gctx->iv + gctx->ivlen - 8); 1393 gctx->iv_set = 1; 1394 return 1; 1395 1396 case EVP_CTRL_GCM_SET_IV_INV: 1397 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) 1398 return 0; 1399 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 1400 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 1401 gctx->iv_set = 1; 1402 return 1; 1403 1404 case EVP_CTRL_AEAD_TLS1_AAD: 1405 /* Save the AAD for later use */ 1406 if (arg != 13) 1407 return 0; 1408 memcpy(c->buf, ptr, arg); 1409 gctx->tls_aad_len = arg; 1410 { 1411 unsigned int len = c->buf[arg - 2] << 8 | 1412 c->buf[arg - 1]; 1413 1414 /* Correct length for explicit IV */ 1415 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) 1416 return 0; 1417 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 1418 1419 /* If decrypting correct for tag too */ 1420 if (!c->encrypt) { 1421 if (len < EVP_GCM_TLS_TAG_LEN) 1422 return 0; 1423 len -= EVP_GCM_TLS_TAG_LEN; 1424 } 1425 c->buf[arg - 2] = len >> 8; 1426 c->buf[arg - 1] = len & 0xff; 1427 } 1428 /* Extra padding: tag appended to record */ 1429 return EVP_GCM_TLS_TAG_LEN; 1430 1431 case EVP_CTRL_COPY: 1432 { 1433 EVP_CIPHER_CTX *out = ptr; 1434 EVP_AES_GCM_CTX *gctx_out = out->cipher_data; 1435 1436 if (gctx->gcm.key) { 1437 if (gctx->gcm.key != &gctx->ks) 1438 return 0; 1439 gctx_out->gcm.key = &gctx_out->ks; 1440 } 1441 1442 if (gctx->iv == c->iv) { 1443 gctx_out->iv = out->iv; 1444 } else { 1445 if ((gctx_out->iv = calloc(1, gctx->ivlen)) == NULL) 1446 return 0; 1447 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); 1448 } 1449 return 1; 1450 } 1451 1452 default: 1453 return -1; 1454 1455 } 1456 } 1457 1458 static ctr128_f 1459 aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx, 1460 const unsigned char *key, size_t key_len) 1461 { 1462 #ifdef BSAES_CAPABLE 1463 if (BSAES_CAPABLE) { 1464 AES_set_encrypt_key(key, key_len * 8, aes_key); 1465 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); 1466 return (ctr128_f)bsaes_ctr32_encrypt_blocks; 1467 } else 1468 #endif 1469 #ifdef VPAES_CAPABLE 1470 if (VPAES_CAPABLE) { 1471 vpaes_set_encrypt_key(key, key_len * 8, aes_key); 1472 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt); 1473 return NULL; 1474 } else 1475 #endif 1476 (void)0; /* terminate potentially open 'else' */ 1477 1478 AES_set_encrypt_key(key, key_len * 8, aes_key); 1479 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); 1480 #ifdef AES_CTR_ASM 1481 return (ctr128_f)AES_ctr32_encrypt; 1482 #else 1483 return NULL; 1484 #endif 1485 } 1486 1487 static int 1488 aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1489 const unsigned char *iv, int enc) 1490 { 1491 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1492 1493 if (!iv && !key) 1494 return 1; 1495 if (key) { 1496 gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, 1497 key, ctx->key_len); 1498 1499 /* If we have an iv can set it directly, otherwise use 1500 * saved IV. 1501 */ 1502 if (iv == NULL && gctx->iv_set) 1503 iv = gctx->iv; 1504 if (iv) { 1505 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 1506 gctx->iv_set = 1; 1507 } 1508 gctx->key_set = 1; 1509 } else { 1510 /* If key set use IV, otherwise copy */ 1511 if (gctx->key_set) 1512 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 1513 else 1514 memcpy(gctx->iv, iv, gctx->ivlen); 1515 gctx->iv_set = 1; 1516 gctx->iv_gen = 0; 1517 } 1518 return 1; 1519 } 1520 1521 /* Handle TLS GCM packet format. This consists of the last portion of the IV 1522 * followed by the payload and finally the tag. On encrypt generate IV, 1523 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload 1524 * and verify tag. 1525 */ 1526 1527 static int 1528 aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1529 const unsigned char *in, size_t len) 1530 { 1531 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1532 int rv = -1; 1533 1534 /* Encrypt/decrypt must be performed in place */ 1535 if (out != in || 1536 len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) 1537 return -1; 1538 1539 /* Set IV from start of buffer or generate IV and write to start 1540 * of buffer. 1541 */ 1542 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? 1543 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, 1544 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) 1545 goto err; 1546 1547 /* Use saved AAD */ 1548 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) 1549 goto err; 1550 1551 /* Fix buffer and length to point to payload */ 1552 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1553 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1554 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1555 if (ctx->encrypt) { 1556 /* Encrypt payload */ 1557 if (gctx->ctr) { 1558 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, 1559 len, gctx->ctr)) 1560 goto err; 1561 } else { 1562 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 1563 goto err; 1564 } 1565 out += len; 1566 1567 /* Finally write tag */ 1568 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); 1569 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1570 } else { 1571 /* Decrypt */ 1572 if (gctx->ctr) { 1573 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, 1574 len, gctx->ctr)) 1575 goto err; 1576 } else { 1577 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 1578 goto err; 1579 } 1580 /* Retrieve tag */ 1581 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN); 1582 1583 /* If tag mismatch wipe buffer */ 1584 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { 1585 explicit_bzero(out, len); 1586 goto err; 1587 } 1588 rv = len; 1589 } 1590 1591 err: 1592 gctx->iv_set = 0; 1593 gctx->tls_aad_len = -1; 1594 return rv; 1595 } 1596 1597 static int 1598 aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1599 const unsigned char *in, size_t len) 1600 { 1601 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1602 1603 /* If not set up, return error */ 1604 if (!gctx->key_set) 1605 return -1; 1606 1607 if (gctx->tls_aad_len >= 0) 1608 return aes_gcm_tls_cipher(ctx, out, in, len); 1609 1610 if (!gctx->iv_set) 1611 return -1; 1612 1613 if (in) { 1614 if (out == NULL) { 1615 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) 1616 return -1; 1617 } else if (ctx->encrypt) { 1618 if (gctx->ctr) { 1619 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 1620 in, out, len, gctx->ctr)) 1621 return -1; 1622 } else { 1623 if (CRYPTO_gcm128_encrypt(&gctx->gcm, 1624 in, out, len)) 1625 return -1; 1626 } 1627 } else { 1628 if (gctx->ctr) { 1629 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 1630 in, out, len, gctx->ctr)) 1631 return -1; 1632 } else { 1633 if (CRYPTO_gcm128_decrypt(&gctx->gcm, 1634 in, out, len)) 1635 return -1; 1636 } 1637 } 1638 return len; 1639 } else { 1640 if (!ctx->encrypt) { 1641 if (gctx->taglen < 0) 1642 return -1; 1643 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, 1644 gctx->taglen) != 0) 1645 return -1; 1646 gctx->iv_set = 0; 1647 return 0; 1648 } 1649 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); 1650 gctx->taglen = 16; 1651 1652 /* Don't reuse the IV */ 1653 gctx->iv_set = 0; 1654 return 0; 1655 } 1656 1657 } 1658 1659 #define CUSTOM_FLAGS \ 1660 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ 1661 EVP_CIPH_FLAG_CUSTOM_IV_LENGTH | \ 1662 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \ 1663 EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) 1664 1665 1666 #ifdef AESNI_CAPABLE 1667 static const EVP_CIPHER aesni_128_gcm = { 1668 .nid = NID_aes_128_gcm, 1669 .block_size = 1, 1670 .key_len = 16, 1671 .iv_len = 12, 1672 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1673 .init = aesni_gcm_init_key, 1674 .do_cipher = aes_gcm_cipher, 1675 .cleanup = aes_gcm_cleanup, 1676 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1677 .ctrl = aes_gcm_ctrl, 1678 }; 1679 #endif 1680 1681 static const EVP_CIPHER aes_128_gcm = { 1682 .nid = NID_aes_128_gcm, 1683 .block_size = 1, 1684 .key_len = 16, 1685 .iv_len = 12, 1686 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1687 .init = aes_gcm_init_key, 1688 .do_cipher = aes_gcm_cipher, 1689 .cleanup = aes_gcm_cleanup, 1690 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1691 .ctrl = aes_gcm_ctrl, 1692 }; 1693 1694 const EVP_CIPHER * 1695 EVP_aes_128_gcm(void) 1696 { 1697 #ifdef AESNI_CAPABLE 1698 return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm; 1699 #else 1700 return &aes_128_gcm; 1701 #endif 1702 } 1703 LCRYPTO_ALIAS(EVP_aes_128_gcm); 1704 1705 #ifdef AESNI_CAPABLE 1706 static const EVP_CIPHER aesni_192_gcm = { 1707 .nid = NID_aes_192_gcm, 1708 .block_size = 1, 1709 .key_len = 24, 1710 .iv_len = 12, 1711 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1712 .init = aesni_gcm_init_key, 1713 .do_cipher = aes_gcm_cipher, 1714 .cleanup = aes_gcm_cleanup, 1715 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1716 .ctrl = aes_gcm_ctrl, 1717 }; 1718 #endif 1719 1720 static const EVP_CIPHER aes_192_gcm = { 1721 .nid = NID_aes_192_gcm, 1722 .block_size = 1, 1723 .key_len = 24, 1724 .iv_len = 12, 1725 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1726 .init = aes_gcm_init_key, 1727 .do_cipher = aes_gcm_cipher, 1728 .cleanup = aes_gcm_cleanup, 1729 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1730 .ctrl = aes_gcm_ctrl, 1731 }; 1732 1733 const EVP_CIPHER * 1734 EVP_aes_192_gcm(void) 1735 { 1736 #ifdef AESNI_CAPABLE 1737 return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm; 1738 #else 1739 return &aes_192_gcm; 1740 #endif 1741 } 1742 LCRYPTO_ALIAS(EVP_aes_192_gcm); 1743 1744 #ifdef AESNI_CAPABLE 1745 static const EVP_CIPHER aesni_256_gcm = { 1746 .nid = NID_aes_256_gcm, 1747 .block_size = 1, 1748 .key_len = 32, 1749 .iv_len = 12, 1750 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1751 .init = aesni_gcm_init_key, 1752 .do_cipher = aes_gcm_cipher, 1753 .cleanup = aes_gcm_cleanup, 1754 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1755 .ctrl = aes_gcm_ctrl, 1756 }; 1757 #endif 1758 1759 static const EVP_CIPHER aes_256_gcm = { 1760 .nid = NID_aes_256_gcm, 1761 .block_size = 1, 1762 .key_len = 32, 1763 .iv_len = 12, 1764 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1765 .init = aes_gcm_init_key, 1766 .do_cipher = aes_gcm_cipher, 1767 .cleanup = aes_gcm_cleanup, 1768 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1769 .ctrl = aes_gcm_ctrl, 1770 }; 1771 1772 const EVP_CIPHER * 1773 EVP_aes_256_gcm(void) 1774 { 1775 #ifdef AESNI_CAPABLE 1776 return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm; 1777 #else 1778 return &aes_256_gcm; 1779 #endif 1780 } 1781 LCRYPTO_ALIAS(EVP_aes_256_gcm); 1782 1783 static int 1784 aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1785 { 1786 EVP_AES_XTS_CTX *xctx = c->cipher_data; 1787 1788 switch (type) { 1789 case EVP_CTRL_INIT: 1790 /* 1791 * key1 and key2 are used as an indicator both key and IV 1792 * are set 1793 */ 1794 xctx->xts.key1 = NULL; 1795 xctx->xts.key2 = NULL; 1796 return 1; 1797 1798 case EVP_CTRL_COPY: 1799 { 1800 EVP_CIPHER_CTX *out = ptr; 1801 EVP_AES_XTS_CTX *xctx_out = out->cipher_data; 1802 1803 if (xctx->xts.key1) { 1804 if (xctx->xts.key1 != &xctx->ks1) 1805 return 0; 1806 xctx_out->xts.key1 = &xctx_out->ks1; 1807 } 1808 if (xctx->xts.key2) { 1809 if (xctx->xts.key2 != &xctx->ks2) 1810 return 0; 1811 xctx_out->xts.key2 = &xctx_out->ks2; 1812 } 1813 return 1; 1814 } 1815 } 1816 return -1; 1817 } 1818 1819 static int 1820 aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1821 const unsigned char *iv, int enc) 1822 { 1823 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1824 1825 if (!iv && !key) 1826 return 1; 1827 1828 if (key) do { 1829 #ifdef AES_XTS_ASM 1830 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; 1831 #else 1832 xctx->stream = NULL; 1833 #endif 1834 /* key_len is two AES keys */ 1835 #ifdef BSAES_CAPABLE 1836 if (BSAES_CAPABLE) 1837 xctx->stream = enc ? bsaes_xts_encrypt : 1838 bsaes_xts_decrypt; 1839 else 1840 #endif 1841 #ifdef VPAES_CAPABLE 1842 if (VPAES_CAPABLE) { 1843 if (enc) { 1844 vpaes_set_encrypt_key(key, ctx->key_len * 4, 1845 &xctx->ks1); 1846 xctx->xts.block1 = (block128_f)vpaes_encrypt; 1847 } else { 1848 vpaes_set_decrypt_key(key, ctx->key_len * 4, 1849 &xctx->ks1); 1850 xctx->xts.block1 = (block128_f)vpaes_decrypt; 1851 } 1852 1853 vpaes_set_encrypt_key(key + ctx->key_len / 2, 1854 ctx->key_len * 4, &xctx->ks2); 1855 xctx->xts.block2 = (block128_f)vpaes_encrypt; 1856 1857 xctx->xts.key1 = &xctx->ks1; 1858 break; 1859 } else 1860 #endif 1861 (void)0; /* terminate potentially open 'else' */ 1862 1863 if (enc) { 1864 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1865 xctx->xts.block1 = (block128_f)AES_encrypt; 1866 } else { 1867 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1868 xctx->xts.block1 = (block128_f)AES_decrypt; 1869 } 1870 1871 AES_set_encrypt_key(key + ctx->key_len / 2, 1872 ctx->key_len * 4, &xctx->ks2); 1873 xctx->xts.block2 = (block128_f)AES_encrypt; 1874 1875 xctx->xts.key1 = &xctx->ks1; 1876 } while (0); 1877 1878 if (iv) { 1879 xctx->xts.key2 = &xctx->ks2; 1880 memcpy(ctx->iv, iv, 16); 1881 } 1882 1883 return 1; 1884 } 1885 1886 static int 1887 aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1888 const unsigned char *in, size_t len) 1889 { 1890 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1891 1892 if (!xctx->xts.key1 || !xctx->xts.key2) 1893 return 0; 1894 if (!out || !in || len < AES_BLOCK_SIZE) 1895 return 0; 1896 1897 if (xctx->stream) 1898 (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2, 1899 ctx->iv); 1900 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, 1901 ctx->encrypt)) 1902 return 0; 1903 return 1; 1904 } 1905 1906 #define XTS_FLAGS \ 1907 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ 1908 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) 1909 1910 1911 #ifdef AESNI_CAPABLE 1912 static const EVP_CIPHER aesni_128_xts = { 1913 .nid = NID_aes_128_xts, 1914 .block_size = 1, 1915 .key_len = 2 * 16, 1916 .iv_len = 16, 1917 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1918 .init = aesni_xts_init_key, 1919 .do_cipher = aes_xts_cipher, 1920 .cleanup = NULL, 1921 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1922 .ctrl = aes_xts_ctrl, 1923 }; 1924 #endif 1925 1926 static const EVP_CIPHER aes_128_xts = { 1927 .nid = NID_aes_128_xts, 1928 .block_size = 1, 1929 .key_len = 2 * 16, 1930 .iv_len = 16, 1931 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1932 .init = aes_xts_init_key, 1933 .do_cipher = aes_xts_cipher, 1934 .cleanup = NULL, 1935 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1936 .ctrl = aes_xts_ctrl, 1937 }; 1938 1939 const EVP_CIPHER * 1940 EVP_aes_128_xts(void) 1941 { 1942 #ifdef AESNI_CAPABLE 1943 return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts; 1944 #else 1945 return &aes_128_xts; 1946 #endif 1947 } 1948 LCRYPTO_ALIAS(EVP_aes_128_xts); 1949 1950 #ifdef AESNI_CAPABLE 1951 static const EVP_CIPHER aesni_256_xts = { 1952 .nid = NID_aes_256_xts, 1953 .block_size = 1, 1954 .key_len = 2 * 32, 1955 .iv_len = 16, 1956 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1957 .init = aesni_xts_init_key, 1958 .do_cipher = aes_xts_cipher, 1959 .cleanup = NULL, 1960 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1961 .ctrl = aes_xts_ctrl, 1962 }; 1963 #endif 1964 1965 static const EVP_CIPHER aes_256_xts = { 1966 .nid = NID_aes_256_xts, 1967 .block_size = 1, 1968 .key_len = 2 * 32, 1969 .iv_len = 16, 1970 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1971 .init = aes_xts_init_key, 1972 .do_cipher = aes_xts_cipher, 1973 .cleanup = NULL, 1974 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1975 .ctrl = aes_xts_ctrl, 1976 }; 1977 1978 const EVP_CIPHER * 1979 EVP_aes_256_xts(void) 1980 { 1981 #ifdef AESNI_CAPABLE 1982 return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts; 1983 #else 1984 return &aes_256_xts; 1985 #endif 1986 } 1987 LCRYPTO_ALIAS(EVP_aes_256_xts); 1988 1989 static int 1990 aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1991 { 1992 EVP_AES_CCM_CTX *cctx = c->cipher_data; 1993 1994 switch (type) { 1995 case EVP_CTRL_INIT: 1996 cctx->key_set = 0; 1997 cctx->iv_set = 0; 1998 cctx->L = 8; 1999 cctx->M = 12; 2000 cctx->tag_set = 0; 2001 cctx->len_set = 0; 2002 return 1; 2003 2004 case EVP_CTRL_AEAD_GET_IVLEN: 2005 *(int *)ptr = 15 - cctx->L; 2006 return 1; 2007 2008 case EVP_CTRL_AEAD_SET_IVLEN: 2009 arg = 15 - arg; 2010 2011 case EVP_CTRL_CCM_SET_L: 2012 if (arg < 2 || arg > 8) 2013 return 0; 2014 cctx->L = arg; 2015 return 1; 2016 2017 case EVP_CTRL_CCM_SET_TAG: 2018 if ((arg & 1) || arg < 4 || arg > 16) 2019 return 0; 2020 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) 2021 return 0; 2022 if (ptr) { 2023 cctx->tag_set = 1; 2024 memcpy(c->buf, ptr, arg); 2025 } 2026 cctx->M = arg; 2027 return 1; 2028 2029 case EVP_CTRL_CCM_GET_TAG: 2030 if (!c->encrypt || !cctx->tag_set) 2031 return 0; 2032 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) 2033 return 0; 2034 cctx->tag_set = 0; 2035 cctx->iv_set = 0; 2036 cctx->len_set = 0; 2037 return 1; 2038 2039 case EVP_CTRL_COPY: 2040 { 2041 EVP_CIPHER_CTX *out = ptr; 2042 EVP_AES_CCM_CTX *cctx_out = out->cipher_data; 2043 2044 if (cctx->ccm.key) { 2045 if (cctx->ccm.key != &cctx->ks) 2046 return 0; 2047 cctx_out->ccm.key = &cctx_out->ks; 2048 } 2049 return 1; 2050 } 2051 2052 default: 2053 return -1; 2054 } 2055 } 2056 2057 static int 2058 aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 2059 const unsigned char *iv, int enc) 2060 { 2061 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 2062 2063 if (!iv && !key) 2064 return 1; 2065 if (key) do { 2066 #ifdef VPAES_CAPABLE 2067 if (VPAES_CAPABLE) { 2068 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); 2069 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 2070 &cctx->ks, (block128_f)vpaes_encrypt); 2071 cctx->str = NULL; 2072 cctx->key_set = 1; 2073 break; 2074 } 2075 #endif 2076 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 2077 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 2078 &cctx->ks, (block128_f)AES_encrypt); 2079 cctx->str = NULL; 2080 cctx->key_set = 1; 2081 } while (0); 2082 if (iv) { 2083 memcpy(ctx->iv, iv, 15 - cctx->L); 2084 cctx->iv_set = 1; 2085 } 2086 return 1; 2087 } 2088 2089 static int 2090 aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 2091 const unsigned char *in, size_t len) 2092 { 2093 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 2094 CCM128_CONTEXT *ccm = &cctx->ccm; 2095 2096 /* If not set up, return error */ 2097 if (!cctx->iv_set && !cctx->key_set) 2098 return -1; 2099 if (!ctx->encrypt && !cctx->tag_set) 2100 return -1; 2101 2102 if (!out) { 2103 if (!in) { 2104 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, 2105 len)) 2106 return -1; 2107 cctx->len_set = 1; 2108 return len; 2109 } 2110 /* If have AAD need message length */ 2111 if (!cctx->len_set && len) 2112 return -1; 2113 CRYPTO_ccm128_aad(ccm, in, len); 2114 return len; 2115 } 2116 /* EVP_*Final() doesn't return any data */ 2117 if (!in) 2118 return 0; 2119 /* If not set length yet do it */ 2120 if (!cctx->len_set) { 2121 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 2122 return -1; 2123 cctx->len_set = 1; 2124 } 2125 if (ctx->encrypt) { 2126 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, 2127 cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len)) 2128 return -1; 2129 cctx->tag_set = 1; 2130 return len; 2131 } else { 2132 int rv = -1; 2133 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, 2134 cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { 2135 unsigned char tag[16]; 2136 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { 2137 if (!memcmp(tag, ctx->buf, cctx->M)) 2138 rv = len; 2139 } 2140 } 2141 if (rv == -1) 2142 explicit_bzero(out, len); 2143 cctx->iv_set = 0; 2144 cctx->tag_set = 0; 2145 cctx->len_set = 0; 2146 return rv; 2147 } 2148 2149 } 2150 2151 #ifdef AESNI_CAPABLE 2152 static const EVP_CIPHER aesni_128_ccm = { 2153 .nid = NID_aes_128_ccm, 2154 .block_size = 1, 2155 .key_len = 16, 2156 .iv_len = 12, 2157 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2158 .init = aesni_ccm_init_key, 2159 .do_cipher = aes_ccm_cipher, 2160 .cleanup = NULL, 2161 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2162 .ctrl = aes_ccm_ctrl, 2163 }; 2164 #endif 2165 2166 static const EVP_CIPHER aes_128_ccm = { 2167 .nid = NID_aes_128_ccm, 2168 .block_size = 1, 2169 .key_len = 16, 2170 .iv_len = 12, 2171 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2172 .init = aes_ccm_init_key, 2173 .do_cipher = aes_ccm_cipher, 2174 .cleanup = NULL, 2175 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2176 .ctrl = aes_ccm_ctrl, 2177 }; 2178 2179 const EVP_CIPHER * 2180 EVP_aes_128_ccm(void) 2181 { 2182 #ifdef AESNI_CAPABLE 2183 return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm; 2184 #else 2185 return &aes_128_ccm; 2186 #endif 2187 } 2188 LCRYPTO_ALIAS(EVP_aes_128_ccm); 2189 2190 #ifdef AESNI_CAPABLE 2191 static const EVP_CIPHER aesni_192_ccm = { 2192 .nid = NID_aes_192_ccm, 2193 .block_size = 1, 2194 .key_len = 24, 2195 .iv_len = 12, 2196 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2197 .init = aesni_ccm_init_key, 2198 .do_cipher = aes_ccm_cipher, 2199 .cleanup = NULL, 2200 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2201 .ctrl = aes_ccm_ctrl, 2202 }; 2203 #endif 2204 2205 static const EVP_CIPHER aes_192_ccm = { 2206 .nid = NID_aes_192_ccm, 2207 .block_size = 1, 2208 .key_len = 24, 2209 .iv_len = 12, 2210 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2211 .init = aes_ccm_init_key, 2212 .do_cipher = aes_ccm_cipher, 2213 .cleanup = NULL, 2214 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2215 .ctrl = aes_ccm_ctrl, 2216 }; 2217 2218 const EVP_CIPHER * 2219 EVP_aes_192_ccm(void) 2220 { 2221 #ifdef AESNI_CAPABLE 2222 return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm; 2223 #else 2224 return &aes_192_ccm; 2225 #endif 2226 } 2227 LCRYPTO_ALIAS(EVP_aes_192_ccm); 2228 2229 #ifdef AESNI_CAPABLE 2230 static const EVP_CIPHER aesni_256_ccm = { 2231 .nid = NID_aes_256_ccm, 2232 .block_size = 1, 2233 .key_len = 32, 2234 .iv_len = 12, 2235 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2236 .init = aesni_ccm_init_key, 2237 .do_cipher = aes_ccm_cipher, 2238 .cleanup = NULL, 2239 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2240 .ctrl = aes_ccm_ctrl, 2241 }; 2242 #endif 2243 2244 static const EVP_CIPHER aes_256_ccm = { 2245 .nid = NID_aes_256_ccm, 2246 .block_size = 1, 2247 .key_len = 32, 2248 .iv_len = 12, 2249 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2250 .init = aes_ccm_init_key, 2251 .do_cipher = aes_ccm_cipher, 2252 .cleanup = NULL, 2253 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2254 .ctrl = aes_ccm_ctrl, 2255 }; 2256 2257 const EVP_CIPHER * 2258 EVP_aes_256_ccm(void) 2259 { 2260 #ifdef AESNI_CAPABLE 2261 return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm; 2262 #else 2263 return &aes_256_ccm; 2264 #endif 2265 } 2266 LCRYPTO_ALIAS(EVP_aes_256_ccm); 2267 2268 #define EVP_AEAD_AES_GCM_TAG_LEN 16 2269 2270 struct aead_aes_gcm_ctx { 2271 union { 2272 double align; 2273 AES_KEY ks; 2274 } ks; 2275 GCM128_CONTEXT gcm; 2276 ctr128_f ctr; 2277 unsigned char tag_len; 2278 }; 2279 2280 static int 2281 aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len, 2282 size_t tag_len) 2283 { 2284 struct aead_aes_gcm_ctx *gcm_ctx; 2285 const size_t key_bits = key_len * 8; 2286 2287 /* EVP_AEAD_CTX_init should catch this. */ 2288 if (key_bits != 128 && key_bits != 256) { 2289 EVPerror(EVP_R_BAD_KEY_LENGTH); 2290 return 0; 2291 } 2292 2293 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) 2294 tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 2295 2296 if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { 2297 EVPerror(EVP_R_TAG_TOO_LARGE); 2298 return 0; 2299 } 2300 2301 if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL) 2302 return 0; 2303 2304 #ifdef AESNI_CAPABLE 2305 if (AESNI_CAPABLE) { 2306 aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks); 2307 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, 2308 (block128_f)aesni_encrypt); 2309 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; 2310 } else 2311 #endif 2312 { 2313 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, 2314 key, key_len); 2315 } 2316 gcm_ctx->tag_len = tag_len; 2317 ctx->aead_state = gcm_ctx; 2318 2319 return 1; 2320 } 2321 2322 static void 2323 aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) 2324 { 2325 struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2326 2327 freezero(gcm_ctx, sizeof(*gcm_ctx)); 2328 } 2329 2330 static int 2331 aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, 2332 size_t max_out_len, const unsigned char *nonce, size_t nonce_len, 2333 const unsigned char *in, size_t in_len, const unsigned char *ad, 2334 size_t ad_len) 2335 { 2336 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2337 GCM128_CONTEXT gcm; 2338 size_t bulk = 0; 2339 2340 if (max_out_len < in_len + gcm_ctx->tag_len) { 2341 EVPerror(EVP_R_BUFFER_TOO_SMALL); 2342 return 0; 2343 } 2344 2345 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); 2346 2347 if (nonce_len == 0) { 2348 EVPerror(EVP_R_INVALID_IV_LENGTH); 2349 return 0; 2350 } 2351 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); 2352 2353 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) 2354 return 0; 2355 2356 if (gcm_ctx->ctr) { 2357 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk, 2358 in_len - bulk, gcm_ctx->ctr)) 2359 return 0; 2360 } else { 2361 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk, 2362 in_len - bulk)) 2363 return 0; 2364 } 2365 2366 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len); 2367 *out_len = in_len + gcm_ctx->tag_len; 2368 2369 return 1; 2370 } 2371 2372 static int 2373 aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, 2374 size_t max_out_len, const unsigned char *nonce, size_t nonce_len, 2375 const unsigned char *in, size_t in_len, const unsigned char *ad, 2376 size_t ad_len) 2377 { 2378 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2379 unsigned char tag[EVP_AEAD_AES_GCM_TAG_LEN]; 2380 GCM128_CONTEXT gcm; 2381 size_t plaintext_len; 2382 size_t bulk = 0; 2383 2384 if (in_len < gcm_ctx->tag_len) { 2385 EVPerror(EVP_R_BAD_DECRYPT); 2386 return 0; 2387 } 2388 2389 plaintext_len = in_len - gcm_ctx->tag_len; 2390 2391 if (max_out_len < plaintext_len) { 2392 EVPerror(EVP_R_BUFFER_TOO_SMALL); 2393 return 0; 2394 } 2395 2396 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); 2397 2398 if (nonce_len == 0) { 2399 EVPerror(EVP_R_INVALID_IV_LENGTH); 2400 return 0; 2401 } 2402 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); 2403 2404 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) 2405 return 0; 2406 2407 if (gcm_ctx->ctr) { 2408 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk, 2409 in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr)) 2410 return 0; 2411 } else { 2412 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk, 2413 in_len - bulk - gcm_ctx->tag_len)) 2414 return 0; 2415 } 2416 2417 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); 2418 if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) { 2419 EVPerror(EVP_R_BAD_DECRYPT); 2420 return 0; 2421 } 2422 2423 *out_len = plaintext_len; 2424 2425 return 1; 2426 } 2427 2428 static const EVP_AEAD aead_aes_128_gcm = { 2429 .key_len = 16, 2430 .nonce_len = 12, 2431 .overhead = EVP_AEAD_AES_GCM_TAG_LEN, 2432 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, 2433 2434 .init = aead_aes_gcm_init, 2435 .cleanup = aead_aes_gcm_cleanup, 2436 .seal = aead_aes_gcm_seal, 2437 .open = aead_aes_gcm_open, 2438 }; 2439 2440 static const EVP_AEAD aead_aes_256_gcm = { 2441 .key_len = 32, 2442 .nonce_len = 12, 2443 .overhead = EVP_AEAD_AES_GCM_TAG_LEN, 2444 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, 2445 2446 .init = aead_aes_gcm_init, 2447 .cleanup = aead_aes_gcm_cleanup, 2448 .seal = aead_aes_gcm_seal, 2449 .open = aead_aes_gcm_open, 2450 }; 2451 2452 const EVP_AEAD * 2453 EVP_aead_aes_128_gcm(void) 2454 { 2455 return &aead_aes_128_gcm; 2456 } 2457 LCRYPTO_ALIAS(EVP_aead_aes_128_gcm); 2458 2459 const EVP_AEAD * 2460 EVP_aead_aes_256_gcm(void) 2461 { 2462 return &aead_aes_256_gcm; 2463 } 2464 LCRYPTO_ALIAS(EVP_aead_aes_256_gcm); 2465 2466 typedef struct { 2467 union { 2468 double align; 2469 AES_KEY ks; 2470 } ks; 2471 unsigned char *iv; 2472 } EVP_AES_WRAP_CTX; 2473 2474 static int 2475 aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 2476 const unsigned char *iv, int enc) 2477 { 2478 EVP_AES_WRAP_CTX *wctx = (EVP_AES_WRAP_CTX *)ctx->cipher_data; 2479 2480 if (iv == NULL && key == NULL) 2481 return 1; 2482 2483 if (key != NULL) { 2484 if (ctx->encrypt) 2485 AES_set_encrypt_key(key, 8 * ctx->key_len, 2486 &wctx->ks.ks); 2487 else 2488 AES_set_decrypt_key(key, 8 * ctx->key_len, 2489 &wctx->ks.ks); 2490 2491 if (iv == NULL) 2492 wctx->iv = NULL; 2493 } 2494 2495 if (iv != NULL) { 2496 int iv_len = EVP_CIPHER_CTX_iv_length(ctx); 2497 2498 if (iv_len < 0 || iv_len > sizeof(ctx->iv)) 2499 return 0; 2500 memcpy(ctx->iv, iv, iv_len); 2501 wctx->iv = ctx->iv; 2502 } 2503 2504 return 1; 2505 } 2506 2507 static int 2508 aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 2509 const unsigned char *in, size_t inlen) 2510 { 2511 EVP_AES_WRAP_CTX *wctx = ctx->cipher_data; 2512 int ret; 2513 2514 if (in == NULL) 2515 return 0; 2516 2517 if (inlen % 8 != 0) 2518 return -1; 2519 if (ctx->encrypt && inlen < 8) 2520 return -1; 2521 if (!ctx->encrypt && inlen < 16) 2522 return -1; 2523 if (inlen > INT_MAX) 2524 return -1; 2525 2526 if (out == NULL) { 2527 if (ctx->encrypt) 2528 return inlen + 8; 2529 else 2530 return inlen - 8; 2531 } 2532 2533 if (ctx->encrypt) 2534 ret = AES_wrap_key(&wctx->ks.ks, wctx->iv, out, in, 2535 (unsigned int)inlen); 2536 else 2537 ret = AES_unwrap_key(&wctx->ks.ks, wctx->iv, out, in, 2538 (unsigned int)inlen); 2539 2540 return ret != 0 ? ret : -1; 2541 } 2542 2543 static int 2544 aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 2545 { 2546 EVP_AES_WRAP_CTX *wctx = c->cipher_data; 2547 2548 switch (type) { 2549 case EVP_CTRL_COPY: 2550 { 2551 EVP_CIPHER_CTX *out = ptr; 2552 EVP_AES_WRAP_CTX *wctx_out = out->cipher_data; 2553 2554 if (wctx->iv != NULL) { 2555 if (c->iv != wctx->iv) 2556 return 0; 2557 2558 wctx_out->iv = out->iv; 2559 } 2560 2561 return 1; 2562 } 2563 } 2564 2565 return -1; 2566 } 2567 2568 #define WRAP_FLAGS \ 2569 ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \ 2570 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \ 2571 EVP_CIPH_CUSTOM_COPY ) 2572 2573 static const EVP_CIPHER aes_128_wrap = { 2574 .nid = NID_id_aes128_wrap, 2575 .block_size = 8, 2576 .key_len = 16, 2577 .iv_len = 8, 2578 .flags = WRAP_FLAGS, 2579 .init = aes_wrap_init_key, 2580 .do_cipher = aes_wrap_cipher, 2581 .cleanup = NULL, 2582 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2583 .set_asn1_parameters = NULL, 2584 .get_asn1_parameters = NULL, 2585 .ctrl = aes_wrap_ctrl, 2586 }; 2587 2588 const EVP_CIPHER * 2589 EVP_aes_128_wrap(void) 2590 { 2591 return &aes_128_wrap; 2592 } 2593 LCRYPTO_ALIAS(EVP_aes_128_wrap); 2594 2595 static const EVP_CIPHER aes_192_wrap = { 2596 .nid = NID_id_aes192_wrap, 2597 .block_size = 8, 2598 .key_len = 24, 2599 .iv_len = 8, 2600 .flags = WRAP_FLAGS, 2601 .init = aes_wrap_init_key, 2602 .do_cipher = aes_wrap_cipher, 2603 .cleanup = NULL, 2604 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2605 .set_asn1_parameters = NULL, 2606 .get_asn1_parameters = NULL, 2607 .ctrl = aes_wrap_ctrl, 2608 }; 2609 2610 const EVP_CIPHER * 2611 EVP_aes_192_wrap(void) 2612 { 2613 return &aes_192_wrap; 2614 } 2615 LCRYPTO_ALIAS(EVP_aes_192_wrap); 2616 2617 static const EVP_CIPHER aes_256_wrap = { 2618 .nid = NID_id_aes256_wrap, 2619 .block_size = 8, 2620 .key_len = 32, 2621 .iv_len = 8, 2622 .flags = WRAP_FLAGS, 2623 .init = aes_wrap_init_key, 2624 .do_cipher = aes_wrap_cipher, 2625 .cleanup = NULL, 2626 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2627 .set_asn1_parameters = NULL, 2628 .get_asn1_parameters = NULL, 2629 .ctrl = aes_wrap_ctrl, 2630 }; 2631 2632 const EVP_CIPHER * 2633 EVP_aes_256_wrap(void) 2634 { 2635 return &aes_256_wrap; 2636 } 2637 LCRYPTO_ALIAS(EVP_aes_256_wrap); 2638 2639 #endif 2640