1 /* $OpenBSD: e_aes.c,v 1.51 2023/03/01 11:16:06 tb Exp $ */ 2 /* ==================================================================== 3 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core@openssl.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 */ 51 52 #include <limits.h> 53 #include <stdlib.h> 54 #include <string.h> 55 56 #include <openssl/opensslconf.h> 57 58 #ifndef OPENSSL_NO_AES 59 #include <openssl/aes.h> 60 #include <openssl/err.h> 61 #include <openssl/evp.h> 62 63 #include "evp_local.h" 64 #include "modes_local.h" 65 66 typedef struct { 67 AES_KEY ks; 68 block128_f block; 69 union { 70 cbc128_f cbc; 71 ctr128_f ctr; 72 } stream; 73 } EVP_AES_KEY; 74 75 typedef struct { 76 AES_KEY ks; /* AES key schedule to use */ 77 int key_set; /* Set if key initialised */ 78 int iv_set; /* Set if an iv is set */ 79 GCM128_CONTEXT gcm; 80 unsigned char *iv; /* Temporary IV store */ 81 int ivlen; /* IV length */ 82 int taglen; 83 int iv_gen; /* It is OK to generate IVs */ 84 int tls_aad_len; /* TLS AAD length */ 85 ctr128_f ctr; 86 } EVP_AES_GCM_CTX; 87 88 typedef struct { 89 AES_KEY ks1, ks2; /* AES key schedules to use */ 90 XTS128_CONTEXT xts; 91 void (*stream)(const unsigned char *in, unsigned char *out, 92 size_t length, const AES_KEY *key1, const AES_KEY *key2, 93 const unsigned char iv[16]); 94 } EVP_AES_XTS_CTX; 95 96 typedef struct { 97 AES_KEY ks; /* AES key schedule to use */ 98 int key_set; /* Set if key initialised */ 99 int iv_set; /* Set if an iv is set */ 100 int tag_set; /* Set if tag is valid */ 101 int len_set; /* Set if message length set */ 102 int L, M; /* L and M parameters from RFC3610 */ 103 CCM128_CONTEXT ccm; 104 ccm128_f str; 105 } EVP_AES_CCM_CTX; 106 107 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) 108 109 #ifdef VPAES_ASM 110 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, 111 AES_KEY *key); 112 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, 113 AES_KEY *key); 114 115 void vpaes_encrypt(const unsigned char *in, unsigned char *out, 116 const AES_KEY *key); 117 void vpaes_decrypt(const unsigned char *in, unsigned char *out, 118 const AES_KEY *key); 119 120 void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 121 size_t length, const AES_KEY *key, unsigned char *ivec, int enc); 122 #endif 123 #ifdef BSAES_ASM 124 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 125 size_t length, const AES_KEY *key, unsigned char ivec[16], int enc); 126 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 127 size_t len, const AES_KEY *key, const unsigned char ivec[16]); 128 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, 129 size_t len, const AES_KEY *key1, const AES_KEY *key2, 130 const unsigned char iv[16]); 131 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, 132 size_t len, const AES_KEY *key1, const AES_KEY *key2, 133 const unsigned char iv[16]); 134 #endif 135 #ifdef AES_CTR_ASM 136 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 137 size_t blocks, const AES_KEY *key, 138 const unsigned char ivec[AES_BLOCK_SIZE]); 139 #endif 140 #ifdef AES_XTS_ASM 141 void AES_xts_encrypt(const char *inp, char *out, size_t len, 142 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); 143 void AES_xts_decrypt(const char *inp, char *out, size_t len, 144 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); 145 #endif 146 147 #if defined(AES_ASM) && ( \ 148 ((defined(__i386) || defined(__i386__) || \ 149 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ 150 defined(__x86_64) || defined(__x86_64__) || \ 151 defined(_M_AMD64) || defined(_M_X64) || \ 152 defined(__INTEL__) ) 153 154 #include "x86_arch.h" 155 156 #ifdef VPAES_ASM 157 #define VPAES_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_SSSE3) 158 #endif 159 #ifdef BSAES_ASM 160 #define BSAES_CAPABLE VPAES_CAPABLE 161 #endif 162 /* 163 * AES-NI section 164 */ 165 #define AESNI_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI) 166 167 int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 168 AES_KEY *key); 169 int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 170 AES_KEY *key); 171 172 void aesni_encrypt(const unsigned char *in, unsigned char *out, 173 const AES_KEY *key); 174 void aesni_decrypt(const unsigned char *in, unsigned char *out, 175 const AES_KEY *key); 176 177 void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out, 178 size_t length, const AES_KEY *key, int enc); 179 void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out, 180 size_t length, const AES_KEY *key, unsigned char *ivec, int enc); 181 182 void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 183 size_t blocks, const void *key, const unsigned char *ivec); 184 185 void aesni_xts_encrypt(const unsigned char *in, unsigned char *out, 186 size_t length, const AES_KEY *key1, const AES_KEY *key2, 187 const unsigned char iv[16]); 188 189 void aesni_xts_decrypt(const unsigned char *in, unsigned char *out, 190 size_t length, const AES_KEY *key1, const AES_KEY *key2, 191 const unsigned char iv[16]); 192 193 void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out, 194 size_t blocks, const void *key, const unsigned char ivec[16], 195 unsigned char cmac[16]); 196 197 void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out, 198 size_t blocks, const void *key, const unsigned char ivec[16], 199 unsigned char cmac[16]); 200 201 static int 202 aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 203 const unsigned char *iv, int enc) 204 { 205 int ret, mode; 206 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 207 208 mode = ctx->cipher->flags & EVP_CIPH_MODE; 209 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && 210 !enc) { 211 ret = aesni_set_decrypt_key(key, ctx->key_len * 8, 212 ctx->cipher_data); 213 dat->block = (block128_f)aesni_decrypt; 214 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 215 (cbc128_f)aesni_cbc_encrypt : NULL; 216 } else { 217 ret = aesni_set_encrypt_key(key, ctx->key_len * 8, 218 ctx->cipher_data); 219 dat->block = (block128_f)aesni_encrypt; 220 if (mode == EVP_CIPH_CBC_MODE) 221 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; 222 else if (mode == EVP_CIPH_CTR_MODE) 223 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 224 else 225 dat->stream.cbc = NULL; 226 } 227 228 if (ret < 0) { 229 EVPerror(EVP_R_AES_KEY_SETUP_FAILED); 230 return 0; 231 } 232 233 return 1; 234 } 235 236 static int 237 aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 238 const unsigned char *in, size_t len) 239 { 240 aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, 241 ctx->encrypt); 242 243 return 1; 244 } 245 246 static int 247 aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 248 const unsigned char *in, size_t len) 249 { 250 size_t bl = ctx->cipher->block_size; 251 252 if (len < bl) 253 return 1; 254 255 aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt); 256 257 return 1; 258 } 259 260 static int 261 aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 262 const unsigned char *iv, int enc) 263 { 264 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 265 266 if (!iv && !key) 267 return 1; 268 if (key) { 269 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 270 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 271 (block128_f)aesni_encrypt); 272 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 273 /* If we have an iv can set it directly, otherwise use 274 * saved IV. 275 */ 276 if (iv == NULL && gctx->iv_set) 277 iv = gctx->iv; 278 if (iv) { 279 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 280 gctx->iv_set = 1; 281 } 282 gctx->key_set = 1; 283 } else { 284 /* If key set use IV, otherwise copy */ 285 if (gctx->key_set) 286 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 287 else 288 memcpy(gctx->iv, iv, gctx->ivlen); 289 gctx->iv_set = 1; 290 gctx->iv_gen = 0; 291 } 292 return 1; 293 } 294 295 static int 296 aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 297 const unsigned char *iv, int enc) 298 { 299 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 300 301 if (!iv && !key) 302 return 1; 303 304 if (key) { 305 /* key_len is two AES keys */ 306 if (enc) { 307 aesni_set_encrypt_key(key, ctx->key_len * 4, 308 &xctx->ks1); 309 xctx->xts.block1 = (block128_f)aesni_encrypt; 310 xctx->stream = aesni_xts_encrypt; 311 } else { 312 aesni_set_decrypt_key(key, ctx->key_len * 4, 313 &xctx->ks1); 314 xctx->xts.block1 = (block128_f)aesni_decrypt; 315 xctx->stream = aesni_xts_decrypt; 316 } 317 318 aesni_set_encrypt_key(key + ctx->key_len / 2, 319 ctx->key_len * 4, &xctx->ks2); 320 xctx->xts.block2 = (block128_f)aesni_encrypt; 321 322 xctx->xts.key1 = &xctx->ks1; 323 } 324 325 if (iv) { 326 xctx->xts.key2 = &xctx->ks2; 327 memcpy(ctx->iv, iv, 16); 328 } 329 330 return 1; 331 } 332 333 static int 334 aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 335 const unsigned char *iv, int enc) 336 { 337 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 338 339 if (!iv && !key) 340 return 1; 341 if (key) { 342 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 343 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 344 &cctx->ks, (block128_f)aesni_encrypt); 345 cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks : 346 (ccm128_f)aesni_ccm64_decrypt_blocks; 347 cctx->key_set = 1; 348 } 349 if (iv) { 350 memcpy(ctx->iv, iv, 15 - cctx->L); 351 cctx->iv_set = 1; 352 } 353 return 1; 354 } 355 356 #endif 357 358 static int 359 aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 360 const unsigned char *iv, int enc) 361 { 362 int ret, mode; 363 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 364 365 mode = ctx->cipher->flags & EVP_CIPH_MODE; 366 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && 367 !enc) 368 #ifdef BSAES_CAPABLE 369 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) { 370 ret = AES_set_decrypt_key(key, ctx->key_len * 8, 371 &dat->ks); 372 dat->block = (block128_f)AES_decrypt; 373 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; 374 } else 375 #endif 376 #ifdef VPAES_CAPABLE 377 if (VPAES_CAPABLE) { 378 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, 379 &dat->ks); 380 dat->block = (block128_f)vpaes_decrypt; 381 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 382 (cbc128_f)vpaes_cbc_encrypt : NULL; 383 } else 384 #endif 385 { 386 ret = AES_set_decrypt_key(key, ctx->key_len * 8, 387 &dat->ks); 388 dat->block = (block128_f)AES_decrypt; 389 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 390 (cbc128_f)AES_cbc_encrypt : NULL; 391 } else 392 #ifdef BSAES_CAPABLE 393 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) { 394 ret = AES_set_encrypt_key(key, ctx->key_len * 8, 395 &dat->ks); 396 dat->block = (block128_f)AES_encrypt; 397 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 398 } else 399 #endif 400 #ifdef VPAES_CAPABLE 401 if (VPAES_CAPABLE) { 402 ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, 403 &dat->ks); 404 dat->block = (block128_f)vpaes_encrypt; 405 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 406 (cbc128_f)vpaes_cbc_encrypt : NULL; 407 } else 408 #endif 409 { 410 ret = AES_set_encrypt_key(key, ctx->key_len * 8, 411 &dat->ks); 412 dat->block = (block128_f)AES_encrypt; 413 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 414 (cbc128_f)AES_cbc_encrypt : NULL; 415 #ifdef AES_CTR_ASM 416 if (mode == EVP_CIPH_CTR_MODE) 417 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; 418 #endif 419 } 420 421 if (ret < 0) { 422 EVPerror(EVP_R_AES_KEY_SETUP_FAILED); 423 return 0; 424 } 425 426 return 1; 427 } 428 429 static int 430 aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 431 const unsigned char *in, size_t len) 432 { 433 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 434 435 if (dat->stream.cbc) 436 (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv, 437 ctx->encrypt); 438 else if (ctx->encrypt) 439 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, 440 dat->block); 441 else 442 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, 443 dat->block); 444 445 return 1; 446 } 447 448 static int 449 aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 450 const unsigned char *in, size_t len) 451 { 452 size_t bl = ctx->cipher->block_size; 453 size_t i; 454 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 455 456 if (len < bl) 457 return 1; 458 459 for (i = 0, len -= bl; i <= len; i += bl) 460 (*dat->block)(in + i, out + i, &dat->ks); 461 462 return 1; 463 } 464 465 static int 466 aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 467 const unsigned char *in, size_t len) 468 { 469 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 470 471 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 472 dat->block); 473 return 1; 474 } 475 476 static int 477 aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 478 const unsigned char *in, size_t len) 479 { 480 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 481 482 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 483 ctx->encrypt, dat->block); 484 return 1; 485 } 486 487 static int 488 aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 489 const unsigned char *in, size_t len) 490 { 491 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 492 493 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 494 ctx->encrypt, dat->block); 495 return 1; 496 } 497 498 static int 499 aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 500 const unsigned char *in, size_t len) 501 { 502 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 503 504 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { 505 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv, 506 &ctx->num, ctx->encrypt, dat->block); 507 return 1; 508 } 509 510 while (len >= MAXBITCHUNK) { 511 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks, 512 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 513 len -= MAXBITCHUNK; 514 in += MAXBITCHUNK; 515 out += MAXBITCHUNK; 516 } 517 if (len) 518 CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks, 519 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 520 521 return 1; 522 } 523 524 static int 525 aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 526 const unsigned char *in, size_t len) 527 { 528 unsigned int num = ctx->num; 529 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 530 531 if (dat->stream.ctr) 532 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, 533 ctx->iv, ctx->buf, &num, dat->stream.ctr); 534 else 535 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, 536 ctx->iv, ctx->buf, &num, dat->block); 537 ctx->num = (size_t)num; 538 return 1; 539 } 540 541 542 #ifdef AESNI_CAPABLE 543 static const EVP_CIPHER aesni_128_cbc = { 544 .nid = NID_aes_128_cbc, 545 .block_size = 16, 546 .key_len = 16, 547 .iv_len = 16, 548 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 549 .init = aesni_init_key, 550 .do_cipher = aesni_cbc_cipher, 551 .ctx_size = sizeof(EVP_AES_KEY), 552 }; 553 #endif 554 555 static const EVP_CIPHER aes_128_cbc = { 556 .nid = NID_aes_128_cbc, 557 .block_size = 16, 558 .key_len = 16, 559 .iv_len = 16, 560 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 561 .init = aes_init_key, 562 .do_cipher = aes_cbc_cipher, 563 .ctx_size = sizeof(EVP_AES_KEY), 564 }; 565 566 const EVP_CIPHER * 567 EVP_aes_128_cbc(void) 568 { 569 #ifdef AESNI_CAPABLE 570 return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc; 571 #else 572 return &aes_128_cbc; 573 #endif 574 } 575 576 #ifdef AESNI_CAPABLE 577 static const EVP_CIPHER aesni_128_ecb = { 578 .nid = NID_aes_128_ecb, 579 .block_size = 16, 580 .key_len = 16, 581 .iv_len = 0, 582 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 583 .init = aesni_init_key, 584 .do_cipher = aesni_ecb_cipher, 585 .ctx_size = sizeof(EVP_AES_KEY), 586 }; 587 #endif 588 589 static const EVP_CIPHER aes_128_ecb = { 590 .nid = NID_aes_128_ecb, 591 .block_size = 16, 592 .key_len = 16, 593 .iv_len = 0, 594 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 595 .init = aes_init_key, 596 .do_cipher = aes_ecb_cipher, 597 .ctx_size = sizeof(EVP_AES_KEY), 598 }; 599 600 const EVP_CIPHER * 601 EVP_aes_128_ecb(void) 602 { 603 #ifdef AESNI_CAPABLE 604 return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb; 605 #else 606 return &aes_128_ecb; 607 #endif 608 } 609 610 #ifdef AESNI_CAPABLE 611 static const EVP_CIPHER aesni_128_ofb = { 612 .nid = NID_aes_128_ofb128, 613 .block_size = 1, 614 .key_len = 16, 615 .iv_len = 16, 616 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 617 .init = aesni_init_key, 618 .do_cipher = aes_ofb_cipher, 619 .ctx_size = sizeof(EVP_AES_KEY), 620 }; 621 #endif 622 623 static const EVP_CIPHER aes_128_ofb = { 624 .nid = NID_aes_128_ofb128, 625 .block_size = 1, 626 .key_len = 16, 627 .iv_len = 16, 628 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 629 .init = aes_init_key, 630 .do_cipher = aes_ofb_cipher, 631 .ctx_size = sizeof(EVP_AES_KEY), 632 }; 633 634 const EVP_CIPHER * 635 EVP_aes_128_ofb(void) 636 { 637 #ifdef AESNI_CAPABLE 638 return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb; 639 #else 640 return &aes_128_ofb; 641 #endif 642 } 643 644 #ifdef AESNI_CAPABLE 645 static const EVP_CIPHER aesni_128_cfb = { 646 .nid = NID_aes_128_cfb128, 647 .block_size = 1, 648 .key_len = 16, 649 .iv_len = 16, 650 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 651 .init = aesni_init_key, 652 .do_cipher = aes_cfb_cipher, 653 .ctx_size = sizeof(EVP_AES_KEY), 654 }; 655 #endif 656 657 static const EVP_CIPHER aes_128_cfb = { 658 .nid = NID_aes_128_cfb128, 659 .block_size = 1, 660 .key_len = 16, 661 .iv_len = 16, 662 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 663 .init = aes_init_key, 664 .do_cipher = aes_cfb_cipher, 665 .ctx_size = sizeof(EVP_AES_KEY), 666 }; 667 668 const EVP_CIPHER * 669 EVP_aes_128_cfb(void) 670 { 671 #ifdef AESNI_CAPABLE 672 return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb; 673 #else 674 return &aes_128_cfb; 675 #endif 676 } 677 678 #ifdef AESNI_CAPABLE 679 static const EVP_CIPHER aesni_128_cfb1 = { 680 .nid = NID_aes_128_cfb1, 681 .block_size = 1, 682 .key_len = 16, 683 .iv_len = 16, 684 .flags = EVP_CIPH_CFB_MODE, 685 .init = aesni_init_key, 686 .do_cipher = aes_cfb1_cipher, 687 .ctx_size = sizeof(EVP_AES_KEY), 688 }; 689 #endif 690 691 static const EVP_CIPHER aes_128_cfb1 = { 692 .nid = NID_aes_128_cfb1, 693 .block_size = 1, 694 .key_len = 16, 695 .iv_len = 16, 696 .flags = EVP_CIPH_CFB_MODE, 697 .init = aes_init_key, 698 .do_cipher = aes_cfb1_cipher, 699 .ctx_size = sizeof(EVP_AES_KEY), 700 }; 701 702 const EVP_CIPHER * 703 EVP_aes_128_cfb1(void) 704 { 705 #ifdef AESNI_CAPABLE 706 return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1; 707 #else 708 return &aes_128_cfb1; 709 #endif 710 } 711 712 #ifdef AESNI_CAPABLE 713 static const EVP_CIPHER aesni_128_cfb8 = { 714 .nid = NID_aes_128_cfb8, 715 .block_size = 1, 716 .key_len = 16, 717 .iv_len = 16, 718 .flags = EVP_CIPH_CFB_MODE, 719 .init = aesni_init_key, 720 .do_cipher = aes_cfb8_cipher, 721 .ctx_size = sizeof(EVP_AES_KEY), 722 }; 723 #endif 724 725 static const EVP_CIPHER aes_128_cfb8 = { 726 .nid = NID_aes_128_cfb8, 727 .block_size = 1, 728 .key_len = 16, 729 .iv_len = 16, 730 .flags = EVP_CIPH_CFB_MODE, 731 .init = aes_init_key, 732 .do_cipher = aes_cfb8_cipher, 733 .ctx_size = sizeof(EVP_AES_KEY), 734 }; 735 736 const EVP_CIPHER * 737 EVP_aes_128_cfb8(void) 738 { 739 #ifdef AESNI_CAPABLE 740 return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8; 741 #else 742 return &aes_128_cfb8; 743 #endif 744 } 745 746 #ifdef AESNI_CAPABLE 747 static const EVP_CIPHER aesni_128_ctr = { 748 .nid = NID_aes_128_ctr, 749 .block_size = 1, 750 .key_len = 16, 751 .iv_len = 16, 752 .flags = EVP_CIPH_CTR_MODE, 753 .init = aesni_init_key, 754 .do_cipher = aes_ctr_cipher, 755 .ctx_size = sizeof(EVP_AES_KEY), 756 }; 757 #endif 758 759 static const EVP_CIPHER aes_128_ctr = { 760 .nid = NID_aes_128_ctr, 761 .block_size = 1, 762 .key_len = 16, 763 .iv_len = 16, 764 .flags = EVP_CIPH_CTR_MODE, 765 .init = aes_init_key, 766 .do_cipher = aes_ctr_cipher, 767 .ctx_size = sizeof(EVP_AES_KEY), 768 }; 769 770 const EVP_CIPHER * 771 EVP_aes_128_ctr(void) 772 { 773 #ifdef AESNI_CAPABLE 774 return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr; 775 #else 776 return &aes_128_ctr; 777 #endif 778 } 779 780 781 #ifdef AESNI_CAPABLE 782 static const EVP_CIPHER aesni_192_cbc = { 783 .nid = NID_aes_192_cbc, 784 .block_size = 16, 785 .key_len = 24, 786 .iv_len = 16, 787 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 788 .init = aesni_init_key, 789 .do_cipher = aesni_cbc_cipher, 790 .ctx_size = sizeof(EVP_AES_KEY), 791 }; 792 #endif 793 794 static const EVP_CIPHER aes_192_cbc = { 795 .nid = NID_aes_192_cbc, 796 .block_size = 16, 797 .key_len = 24, 798 .iv_len = 16, 799 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 800 .init = aes_init_key, 801 .do_cipher = aes_cbc_cipher, 802 .ctx_size = sizeof(EVP_AES_KEY), 803 }; 804 805 const EVP_CIPHER * 806 EVP_aes_192_cbc(void) 807 { 808 #ifdef AESNI_CAPABLE 809 return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc; 810 #else 811 return &aes_192_cbc; 812 #endif 813 } 814 815 #ifdef AESNI_CAPABLE 816 static const EVP_CIPHER aesni_192_ecb = { 817 .nid = NID_aes_192_ecb, 818 .block_size = 16, 819 .key_len = 24, 820 .iv_len = 0, 821 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 822 .init = aesni_init_key, 823 .do_cipher = aesni_ecb_cipher, 824 .ctx_size = sizeof(EVP_AES_KEY), 825 }; 826 #endif 827 828 static const EVP_CIPHER aes_192_ecb = { 829 .nid = NID_aes_192_ecb, 830 .block_size = 16, 831 .key_len = 24, 832 .iv_len = 0, 833 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 834 .init = aes_init_key, 835 .do_cipher = aes_ecb_cipher, 836 .ctx_size = sizeof(EVP_AES_KEY), 837 }; 838 839 const EVP_CIPHER * 840 EVP_aes_192_ecb(void) 841 { 842 #ifdef AESNI_CAPABLE 843 return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb; 844 #else 845 return &aes_192_ecb; 846 #endif 847 } 848 849 #ifdef AESNI_CAPABLE 850 static const EVP_CIPHER aesni_192_ofb = { 851 .nid = NID_aes_192_ofb128, 852 .block_size = 1, 853 .key_len = 24, 854 .iv_len = 16, 855 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 856 .init = aesni_init_key, 857 .do_cipher = aes_ofb_cipher, 858 .ctx_size = sizeof(EVP_AES_KEY), 859 }; 860 #endif 861 862 static const EVP_CIPHER aes_192_ofb = { 863 .nid = NID_aes_192_ofb128, 864 .block_size = 1, 865 .key_len = 24, 866 .iv_len = 16, 867 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 868 .init = aes_init_key, 869 .do_cipher = aes_ofb_cipher, 870 .ctx_size = sizeof(EVP_AES_KEY), 871 }; 872 873 const EVP_CIPHER * 874 EVP_aes_192_ofb(void) 875 { 876 #ifdef AESNI_CAPABLE 877 return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb; 878 #else 879 return &aes_192_ofb; 880 #endif 881 } 882 883 #ifdef AESNI_CAPABLE 884 static const EVP_CIPHER aesni_192_cfb = { 885 .nid = NID_aes_192_cfb128, 886 .block_size = 1, 887 .key_len = 24, 888 .iv_len = 16, 889 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 890 .init = aesni_init_key, 891 .do_cipher = aes_cfb_cipher, 892 .ctx_size = sizeof(EVP_AES_KEY), 893 }; 894 #endif 895 896 static const EVP_CIPHER aes_192_cfb = { 897 .nid = NID_aes_192_cfb128, 898 .block_size = 1, 899 .key_len = 24, 900 .iv_len = 16, 901 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 902 .init = aes_init_key, 903 .do_cipher = aes_cfb_cipher, 904 .ctx_size = sizeof(EVP_AES_KEY), 905 }; 906 907 const EVP_CIPHER * 908 EVP_aes_192_cfb(void) 909 { 910 #ifdef AESNI_CAPABLE 911 return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb; 912 #else 913 return &aes_192_cfb; 914 #endif 915 } 916 917 #ifdef AESNI_CAPABLE 918 static const EVP_CIPHER aesni_192_cfb1 = { 919 .nid = NID_aes_192_cfb1, 920 .block_size = 1, 921 .key_len = 24, 922 .iv_len = 16, 923 .flags = EVP_CIPH_CFB_MODE, 924 .init = aesni_init_key, 925 .do_cipher = aes_cfb1_cipher, 926 .ctx_size = sizeof(EVP_AES_KEY), 927 }; 928 #endif 929 930 static const EVP_CIPHER aes_192_cfb1 = { 931 .nid = NID_aes_192_cfb1, 932 .block_size = 1, 933 .key_len = 24, 934 .iv_len = 16, 935 .flags = EVP_CIPH_CFB_MODE, 936 .init = aes_init_key, 937 .do_cipher = aes_cfb1_cipher, 938 .ctx_size = sizeof(EVP_AES_KEY), 939 }; 940 941 const EVP_CIPHER * 942 EVP_aes_192_cfb1(void) 943 { 944 #ifdef AESNI_CAPABLE 945 return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1; 946 #else 947 return &aes_192_cfb1; 948 #endif 949 } 950 951 #ifdef AESNI_CAPABLE 952 static const EVP_CIPHER aesni_192_cfb8 = { 953 .nid = NID_aes_192_cfb8, 954 .block_size = 1, 955 .key_len = 24, 956 .iv_len = 16, 957 .flags = EVP_CIPH_CFB_MODE, 958 .init = aesni_init_key, 959 .do_cipher = aes_cfb8_cipher, 960 .ctx_size = sizeof(EVP_AES_KEY), 961 }; 962 #endif 963 964 static const EVP_CIPHER aes_192_cfb8 = { 965 .nid = NID_aes_192_cfb8, 966 .block_size = 1, 967 .key_len = 24, 968 .iv_len = 16, 969 .flags = EVP_CIPH_CFB_MODE, 970 .init = aes_init_key, 971 .do_cipher = aes_cfb8_cipher, 972 .ctx_size = sizeof(EVP_AES_KEY), 973 }; 974 975 const EVP_CIPHER * 976 EVP_aes_192_cfb8(void) 977 { 978 #ifdef AESNI_CAPABLE 979 return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8; 980 #else 981 return &aes_192_cfb8; 982 #endif 983 } 984 985 #ifdef AESNI_CAPABLE 986 static const EVP_CIPHER aesni_192_ctr = { 987 .nid = NID_aes_192_ctr, 988 .block_size = 1, 989 .key_len = 24, 990 .iv_len = 16, 991 .flags = EVP_CIPH_CTR_MODE, 992 .init = aesni_init_key, 993 .do_cipher = aes_ctr_cipher, 994 .ctx_size = sizeof(EVP_AES_KEY), 995 }; 996 #endif 997 998 static const EVP_CIPHER aes_192_ctr = { 999 .nid = NID_aes_192_ctr, 1000 .block_size = 1, 1001 .key_len = 24, 1002 .iv_len = 16, 1003 .flags = EVP_CIPH_CTR_MODE, 1004 .init = aes_init_key, 1005 .do_cipher = aes_ctr_cipher, 1006 .ctx_size = sizeof(EVP_AES_KEY), 1007 }; 1008 1009 const EVP_CIPHER * 1010 EVP_aes_192_ctr(void) 1011 { 1012 #ifdef AESNI_CAPABLE 1013 return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr; 1014 #else 1015 return &aes_192_ctr; 1016 #endif 1017 } 1018 1019 1020 #ifdef AESNI_CAPABLE 1021 static const EVP_CIPHER aesni_256_cbc = { 1022 .nid = NID_aes_256_cbc, 1023 .block_size = 16, 1024 .key_len = 32, 1025 .iv_len = 16, 1026 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 1027 .init = aesni_init_key, 1028 .do_cipher = aesni_cbc_cipher, 1029 .ctx_size = sizeof(EVP_AES_KEY), 1030 }; 1031 #endif 1032 1033 static const EVP_CIPHER aes_256_cbc = { 1034 .nid = NID_aes_256_cbc, 1035 .block_size = 16, 1036 .key_len = 32, 1037 .iv_len = 16, 1038 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 1039 .init = aes_init_key, 1040 .do_cipher = aes_cbc_cipher, 1041 .ctx_size = sizeof(EVP_AES_KEY), 1042 }; 1043 1044 const EVP_CIPHER * 1045 EVP_aes_256_cbc(void) 1046 { 1047 #ifdef AESNI_CAPABLE 1048 return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc; 1049 #else 1050 return &aes_256_cbc; 1051 #endif 1052 } 1053 1054 #ifdef AESNI_CAPABLE 1055 static const EVP_CIPHER aesni_256_ecb = { 1056 .nid = NID_aes_256_ecb, 1057 .block_size = 16, 1058 .key_len = 32, 1059 .iv_len = 0, 1060 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 1061 .init = aesni_init_key, 1062 .do_cipher = aesni_ecb_cipher, 1063 .ctx_size = sizeof(EVP_AES_KEY), 1064 }; 1065 #endif 1066 1067 static const EVP_CIPHER aes_256_ecb = { 1068 .nid = NID_aes_256_ecb, 1069 .block_size = 16, 1070 .key_len = 32, 1071 .iv_len = 0, 1072 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 1073 .init = aes_init_key, 1074 .do_cipher = aes_ecb_cipher, 1075 .ctx_size = sizeof(EVP_AES_KEY), 1076 }; 1077 1078 const EVP_CIPHER * 1079 EVP_aes_256_ecb(void) 1080 { 1081 #ifdef AESNI_CAPABLE 1082 return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb; 1083 #else 1084 return &aes_256_ecb; 1085 #endif 1086 } 1087 1088 #ifdef AESNI_CAPABLE 1089 static const EVP_CIPHER aesni_256_ofb = { 1090 .nid = NID_aes_256_ofb128, 1091 .block_size = 1, 1092 .key_len = 32, 1093 .iv_len = 16, 1094 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 1095 .init = aesni_init_key, 1096 .do_cipher = aes_ofb_cipher, 1097 .ctx_size = sizeof(EVP_AES_KEY), 1098 }; 1099 #endif 1100 1101 static const EVP_CIPHER aes_256_ofb = { 1102 .nid = NID_aes_256_ofb128, 1103 .block_size = 1, 1104 .key_len = 32, 1105 .iv_len = 16, 1106 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 1107 .init = aes_init_key, 1108 .do_cipher = aes_ofb_cipher, 1109 .ctx_size = sizeof(EVP_AES_KEY), 1110 }; 1111 1112 const EVP_CIPHER * 1113 EVP_aes_256_ofb(void) 1114 { 1115 #ifdef AESNI_CAPABLE 1116 return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb; 1117 #else 1118 return &aes_256_ofb; 1119 #endif 1120 } 1121 1122 #ifdef AESNI_CAPABLE 1123 static const EVP_CIPHER aesni_256_cfb = { 1124 .nid = NID_aes_256_cfb128, 1125 .block_size = 1, 1126 .key_len = 32, 1127 .iv_len = 16, 1128 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 1129 .init = aesni_init_key, 1130 .do_cipher = aes_cfb_cipher, 1131 .ctx_size = sizeof(EVP_AES_KEY), 1132 }; 1133 #endif 1134 1135 static const EVP_CIPHER aes_256_cfb = { 1136 .nid = NID_aes_256_cfb128, 1137 .block_size = 1, 1138 .key_len = 32, 1139 .iv_len = 16, 1140 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 1141 .init = aes_init_key, 1142 .do_cipher = aes_cfb_cipher, 1143 .ctx_size = sizeof(EVP_AES_KEY), 1144 }; 1145 1146 const EVP_CIPHER * 1147 EVP_aes_256_cfb(void) 1148 { 1149 #ifdef AESNI_CAPABLE 1150 return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb; 1151 #else 1152 return &aes_256_cfb; 1153 #endif 1154 } 1155 1156 #ifdef AESNI_CAPABLE 1157 static const EVP_CIPHER aesni_256_cfb1 = { 1158 .nid = NID_aes_256_cfb1, 1159 .block_size = 1, 1160 .key_len = 32, 1161 .iv_len = 16, 1162 .flags = EVP_CIPH_CFB_MODE, 1163 .init = aesni_init_key, 1164 .do_cipher = aes_cfb1_cipher, 1165 .ctx_size = sizeof(EVP_AES_KEY), 1166 }; 1167 #endif 1168 1169 static const EVP_CIPHER aes_256_cfb1 = { 1170 .nid = NID_aes_256_cfb1, 1171 .block_size = 1, 1172 .key_len = 32, 1173 .iv_len = 16, 1174 .flags = EVP_CIPH_CFB_MODE, 1175 .init = aes_init_key, 1176 .do_cipher = aes_cfb1_cipher, 1177 .ctx_size = sizeof(EVP_AES_KEY), 1178 }; 1179 1180 const EVP_CIPHER * 1181 EVP_aes_256_cfb1(void) 1182 { 1183 #ifdef AESNI_CAPABLE 1184 return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1; 1185 #else 1186 return &aes_256_cfb1; 1187 #endif 1188 } 1189 1190 #ifdef AESNI_CAPABLE 1191 static const EVP_CIPHER aesni_256_cfb8 = { 1192 .nid = NID_aes_256_cfb8, 1193 .block_size = 1, 1194 .key_len = 32, 1195 .iv_len = 16, 1196 .flags = EVP_CIPH_CFB_MODE, 1197 .init = aesni_init_key, 1198 .do_cipher = aes_cfb8_cipher, 1199 .ctx_size = sizeof(EVP_AES_KEY), 1200 }; 1201 #endif 1202 1203 static const EVP_CIPHER aes_256_cfb8 = { 1204 .nid = NID_aes_256_cfb8, 1205 .block_size = 1, 1206 .key_len = 32, 1207 .iv_len = 16, 1208 .flags = EVP_CIPH_CFB_MODE, 1209 .init = aes_init_key, 1210 .do_cipher = aes_cfb8_cipher, 1211 .ctx_size = sizeof(EVP_AES_KEY), 1212 }; 1213 1214 const EVP_CIPHER * 1215 EVP_aes_256_cfb8(void) 1216 { 1217 #ifdef AESNI_CAPABLE 1218 return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8; 1219 #else 1220 return &aes_256_cfb8; 1221 #endif 1222 } 1223 1224 #ifdef AESNI_CAPABLE 1225 static const EVP_CIPHER aesni_256_ctr = { 1226 .nid = NID_aes_256_ctr, 1227 .block_size = 1, 1228 .key_len = 32, 1229 .iv_len = 16, 1230 .flags = EVP_CIPH_CTR_MODE, 1231 .init = aesni_init_key, 1232 .do_cipher = aes_ctr_cipher, 1233 .ctx_size = sizeof(EVP_AES_KEY), 1234 }; 1235 #endif 1236 1237 static const EVP_CIPHER aes_256_ctr = { 1238 .nid = NID_aes_256_ctr, 1239 .block_size = 1, 1240 .key_len = 32, 1241 .iv_len = 16, 1242 .flags = EVP_CIPH_CTR_MODE, 1243 .init = aes_init_key, 1244 .do_cipher = aes_ctr_cipher, 1245 .ctx_size = sizeof(EVP_AES_KEY), 1246 }; 1247 1248 const EVP_CIPHER * 1249 EVP_aes_256_ctr(void) 1250 { 1251 #ifdef AESNI_CAPABLE 1252 return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr; 1253 #else 1254 return &aes_256_ctr; 1255 #endif 1256 } 1257 1258 static int 1259 aes_gcm_cleanup(EVP_CIPHER_CTX *c) 1260 { 1261 EVP_AES_GCM_CTX *gctx = c->cipher_data; 1262 1263 if (gctx->iv != c->iv) 1264 free(gctx->iv); 1265 1266 explicit_bzero(gctx, sizeof(*gctx)); 1267 1268 return 1; 1269 } 1270 1271 /* increment counter (64-bit int) by 1 */ 1272 static void 1273 ctr64_inc(unsigned char *counter) 1274 { 1275 int n = 8; 1276 unsigned char c; 1277 1278 do { 1279 --n; 1280 c = counter[n]; 1281 ++c; 1282 counter[n] = c; 1283 if (c) 1284 return; 1285 } while (n); 1286 } 1287 1288 static int 1289 aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1290 { 1291 EVP_AES_GCM_CTX *gctx = c->cipher_data; 1292 1293 switch (type) { 1294 case EVP_CTRL_INIT: 1295 gctx->key_set = 0; 1296 gctx->iv_set = 0; 1297 if (c->cipher->iv_len == 0) { 1298 EVPerror(EVP_R_INVALID_IV_LENGTH); 1299 return 0; 1300 } 1301 gctx->ivlen = c->cipher->iv_len; 1302 gctx->iv = c->iv; 1303 gctx->taglen = -1; 1304 gctx->iv_gen = 0; 1305 gctx->tls_aad_len = -1; 1306 return 1; 1307 1308 case EVP_CTRL_GCM_SET_IVLEN: 1309 if (arg <= 0) 1310 return 0; 1311 /* Allocate memory for IV if needed */ 1312 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { 1313 if (gctx->iv != c->iv) 1314 free(gctx->iv); 1315 gctx->iv = malloc(arg); 1316 if (!gctx->iv) 1317 return 0; 1318 } 1319 gctx->ivlen = arg; 1320 return 1; 1321 1322 case EVP_CTRL_GCM_SET_TAG: 1323 if (arg <= 0 || arg > 16 || c->encrypt) 1324 return 0; 1325 memcpy(c->buf, ptr, arg); 1326 gctx->taglen = arg; 1327 return 1; 1328 1329 case EVP_CTRL_GCM_GET_TAG: 1330 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) 1331 return 0; 1332 memcpy(ptr, c->buf, arg); 1333 return 1; 1334 1335 case EVP_CTRL_GCM_SET_IV_FIXED: 1336 /* Special case: -1 length restores whole IV */ 1337 if (arg == -1) { 1338 memcpy(gctx->iv, ptr, gctx->ivlen); 1339 gctx->iv_gen = 1; 1340 return 1; 1341 } 1342 /* Fixed field must be at least 4 bytes and invocation field 1343 * at least 8. 1344 */ 1345 if ((arg < 4) || (gctx->ivlen - arg) < 8) 1346 return 0; 1347 if (arg) 1348 memcpy(gctx->iv, ptr, arg); 1349 if (c->encrypt) 1350 arc4random_buf(gctx->iv + arg, gctx->ivlen - arg); 1351 gctx->iv_gen = 1; 1352 return 1; 1353 1354 case EVP_CTRL_GCM_IV_GEN: 1355 if (gctx->iv_gen == 0 || gctx->key_set == 0) 1356 return 0; 1357 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 1358 if (arg <= 0 || arg > gctx->ivlen) 1359 arg = gctx->ivlen; 1360 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 1361 /* Invocation field will be at least 8 bytes in size and 1362 * so no need to check wrap around or increment more than 1363 * last 8 bytes. 1364 */ 1365 ctr64_inc(gctx->iv + gctx->ivlen - 8); 1366 gctx->iv_set = 1; 1367 return 1; 1368 1369 case EVP_CTRL_GCM_SET_IV_INV: 1370 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) 1371 return 0; 1372 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 1373 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 1374 gctx->iv_set = 1; 1375 return 1; 1376 1377 case EVP_CTRL_AEAD_TLS1_AAD: 1378 /* Save the AAD for later use */ 1379 if (arg != 13) 1380 return 0; 1381 memcpy(c->buf, ptr, arg); 1382 gctx->tls_aad_len = arg; 1383 { 1384 unsigned int len = c->buf[arg - 2] << 8 | 1385 c->buf[arg - 1]; 1386 1387 /* Correct length for explicit IV */ 1388 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) 1389 return 0; 1390 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 1391 1392 /* If decrypting correct for tag too */ 1393 if (!c->encrypt) { 1394 if (len < EVP_GCM_TLS_TAG_LEN) 1395 return 0; 1396 len -= EVP_GCM_TLS_TAG_LEN; 1397 } 1398 c->buf[arg - 2] = len >> 8; 1399 c->buf[arg - 1] = len & 0xff; 1400 } 1401 /* Extra padding: tag appended to record */ 1402 return EVP_GCM_TLS_TAG_LEN; 1403 1404 case EVP_CTRL_COPY: 1405 { 1406 EVP_CIPHER_CTX *out = ptr; 1407 EVP_AES_GCM_CTX *gctx_out = out->cipher_data; 1408 1409 if (gctx->gcm.key) { 1410 if (gctx->gcm.key != &gctx->ks) 1411 return 0; 1412 gctx_out->gcm.key = &gctx_out->ks; 1413 } 1414 1415 if (gctx->iv == c->iv) { 1416 gctx_out->iv = out->iv; 1417 } else { 1418 if ((gctx_out->iv = calloc(1, gctx->ivlen)) == NULL) 1419 return 0; 1420 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); 1421 } 1422 return 1; 1423 } 1424 1425 default: 1426 return -1; 1427 1428 } 1429 } 1430 1431 static ctr128_f 1432 aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx, 1433 const unsigned char *key, size_t key_len) 1434 { 1435 #ifdef BSAES_CAPABLE 1436 if (BSAES_CAPABLE) { 1437 AES_set_encrypt_key(key, key_len * 8, aes_key); 1438 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); 1439 return (ctr128_f)bsaes_ctr32_encrypt_blocks; 1440 } else 1441 #endif 1442 #ifdef VPAES_CAPABLE 1443 if (VPAES_CAPABLE) { 1444 vpaes_set_encrypt_key(key, key_len * 8, aes_key); 1445 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt); 1446 return NULL; 1447 } else 1448 #endif 1449 (void)0; /* terminate potentially open 'else' */ 1450 1451 AES_set_encrypt_key(key, key_len * 8, aes_key); 1452 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); 1453 #ifdef AES_CTR_ASM 1454 return (ctr128_f)AES_ctr32_encrypt; 1455 #else 1456 return NULL; 1457 #endif 1458 } 1459 1460 static int 1461 aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1462 const unsigned char *iv, int enc) 1463 { 1464 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1465 1466 if (!iv && !key) 1467 return 1; 1468 if (key) { 1469 gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, 1470 key, ctx->key_len); 1471 1472 /* If we have an iv can set it directly, otherwise use 1473 * saved IV. 1474 */ 1475 if (iv == NULL && gctx->iv_set) 1476 iv = gctx->iv; 1477 if (iv) { 1478 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 1479 gctx->iv_set = 1; 1480 } 1481 gctx->key_set = 1; 1482 } else { 1483 /* If key set use IV, otherwise copy */ 1484 if (gctx->key_set) 1485 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 1486 else 1487 memcpy(gctx->iv, iv, gctx->ivlen); 1488 gctx->iv_set = 1; 1489 gctx->iv_gen = 0; 1490 } 1491 return 1; 1492 } 1493 1494 /* Handle TLS GCM packet format. This consists of the last portion of the IV 1495 * followed by the payload and finally the tag. On encrypt generate IV, 1496 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload 1497 * and verify tag. 1498 */ 1499 1500 static int 1501 aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1502 const unsigned char *in, size_t len) 1503 { 1504 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1505 int rv = -1; 1506 1507 /* Encrypt/decrypt must be performed in place */ 1508 if (out != in || 1509 len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) 1510 return -1; 1511 1512 /* Set IV from start of buffer or generate IV and write to start 1513 * of buffer. 1514 */ 1515 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? 1516 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, 1517 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) 1518 goto err; 1519 1520 /* Use saved AAD */ 1521 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) 1522 goto err; 1523 1524 /* Fix buffer and length to point to payload */ 1525 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1526 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1527 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1528 if (ctx->encrypt) { 1529 /* Encrypt payload */ 1530 if (gctx->ctr) { 1531 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, 1532 len, gctx->ctr)) 1533 goto err; 1534 } else { 1535 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 1536 goto err; 1537 } 1538 out += len; 1539 1540 /* Finally write tag */ 1541 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); 1542 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1543 } else { 1544 /* Decrypt */ 1545 if (gctx->ctr) { 1546 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, 1547 len, gctx->ctr)) 1548 goto err; 1549 } else { 1550 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 1551 goto err; 1552 } 1553 /* Retrieve tag */ 1554 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN); 1555 1556 /* If tag mismatch wipe buffer */ 1557 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { 1558 explicit_bzero(out, len); 1559 goto err; 1560 } 1561 rv = len; 1562 } 1563 1564 err: 1565 gctx->iv_set = 0; 1566 gctx->tls_aad_len = -1; 1567 return rv; 1568 } 1569 1570 static int 1571 aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1572 const unsigned char *in, size_t len) 1573 { 1574 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1575 1576 /* If not set up, return error */ 1577 if (!gctx->key_set) 1578 return -1; 1579 1580 if (gctx->tls_aad_len >= 0) 1581 return aes_gcm_tls_cipher(ctx, out, in, len); 1582 1583 if (!gctx->iv_set) 1584 return -1; 1585 1586 if (in) { 1587 if (out == NULL) { 1588 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) 1589 return -1; 1590 } else if (ctx->encrypt) { 1591 if (gctx->ctr) { 1592 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 1593 in, out, len, gctx->ctr)) 1594 return -1; 1595 } else { 1596 if (CRYPTO_gcm128_encrypt(&gctx->gcm, 1597 in, out, len)) 1598 return -1; 1599 } 1600 } else { 1601 if (gctx->ctr) { 1602 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 1603 in, out, len, gctx->ctr)) 1604 return -1; 1605 } else { 1606 if (CRYPTO_gcm128_decrypt(&gctx->gcm, 1607 in, out, len)) 1608 return -1; 1609 } 1610 } 1611 return len; 1612 } else { 1613 if (!ctx->encrypt) { 1614 if (gctx->taglen < 0) 1615 return -1; 1616 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, 1617 gctx->taglen) != 0) 1618 return -1; 1619 gctx->iv_set = 0; 1620 return 0; 1621 } 1622 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); 1623 gctx->taglen = 16; 1624 1625 /* Don't reuse the IV */ 1626 gctx->iv_set = 0; 1627 return 0; 1628 } 1629 1630 } 1631 1632 #define CUSTOM_FLAGS \ 1633 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ 1634 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \ 1635 EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) 1636 1637 1638 #ifdef AESNI_CAPABLE 1639 static const EVP_CIPHER aesni_128_gcm = { 1640 .nid = NID_aes_128_gcm, 1641 .block_size = 1, 1642 .key_len = 16, 1643 .iv_len = 12, 1644 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1645 .init = aesni_gcm_init_key, 1646 .do_cipher = aes_gcm_cipher, 1647 .cleanup = aes_gcm_cleanup, 1648 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1649 .ctrl = aes_gcm_ctrl, 1650 }; 1651 #endif 1652 1653 static const EVP_CIPHER aes_128_gcm = { 1654 .nid = NID_aes_128_gcm, 1655 .block_size = 1, 1656 .key_len = 16, 1657 .iv_len = 12, 1658 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1659 .init = aes_gcm_init_key, 1660 .do_cipher = aes_gcm_cipher, 1661 .cleanup = aes_gcm_cleanup, 1662 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1663 .ctrl = aes_gcm_ctrl, 1664 }; 1665 1666 const EVP_CIPHER * 1667 EVP_aes_128_gcm(void) 1668 { 1669 #ifdef AESNI_CAPABLE 1670 return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm; 1671 #else 1672 return &aes_128_gcm; 1673 #endif 1674 } 1675 1676 #ifdef AESNI_CAPABLE 1677 static const EVP_CIPHER aesni_192_gcm = { 1678 .nid = NID_aes_192_gcm, 1679 .block_size = 1, 1680 .key_len = 24, 1681 .iv_len = 12, 1682 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1683 .init = aesni_gcm_init_key, 1684 .do_cipher = aes_gcm_cipher, 1685 .cleanup = aes_gcm_cleanup, 1686 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1687 .ctrl = aes_gcm_ctrl, 1688 }; 1689 #endif 1690 1691 static const EVP_CIPHER aes_192_gcm = { 1692 .nid = NID_aes_192_gcm, 1693 .block_size = 1, 1694 .key_len = 24, 1695 .iv_len = 12, 1696 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1697 .init = aes_gcm_init_key, 1698 .do_cipher = aes_gcm_cipher, 1699 .cleanup = aes_gcm_cleanup, 1700 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1701 .ctrl = aes_gcm_ctrl, 1702 }; 1703 1704 const EVP_CIPHER * 1705 EVP_aes_192_gcm(void) 1706 { 1707 #ifdef AESNI_CAPABLE 1708 return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm; 1709 #else 1710 return &aes_192_gcm; 1711 #endif 1712 } 1713 1714 #ifdef AESNI_CAPABLE 1715 static const EVP_CIPHER aesni_256_gcm = { 1716 .nid = NID_aes_256_gcm, 1717 .block_size = 1, 1718 .key_len = 32, 1719 .iv_len = 12, 1720 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1721 .init = aesni_gcm_init_key, 1722 .do_cipher = aes_gcm_cipher, 1723 .cleanup = aes_gcm_cleanup, 1724 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1725 .ctrl = aes_gcm_ctrl, 1726 }; 1727 #endif 1728 1729 static const EVP_CIPHER aes_256_gcm = { 1730 .nid = NID_aes_256_gcm, 1731 .block_size = 1, 1732 .key_len = 32, 1733 .iv_len = 12, 1734 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1735 .init = aes_gcm_init_key, 1736 .do_cipher = aes_gcm_cipher, 1737 .cleanup = aes_gcm_cleanup, 1738 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1739 .ctrl = aes_gcm_ctrl, 1740 }; 1741 1742 const EVP_CIPHER * 1743 EVP_aes_256_gcm(void) 1744 { 1745 #ifdef AESNI_CAPABLE 1746 return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm; 1747 #else 1748 return &aes_256_gcm; 1749 #endif 1750 } 1751 1752 static int 1753 aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1754 { 1755 EVP_AES_XTS_CTX *xctx = c->cipher_data; 1756 1757 switch (type) { 1758 case EVP_CTRL_INIT: 1759 /* 1760 * key1 and key2 are used as an indicator both key and IV 1761 * are set 1762 */ 1763 xctx->xts.key1 = NULL; 1764 xctx->xts.key2 = NULL; 1765 return 1; 1766 1767 case EVP_CTRL_COPY: 1768 { 1769 EVP_CIPHER_CTX *out = ptr; 1770 EVP_AES_XTS_CTX *xctx_out = out->cipher_data; 1771 1772 if (xctx->xts.key1) { 1773 if (xctx->xts.key1 != &xctx->ks1) 1774 return 0; 1775 xctx_out->xts.key1 = &xctx_out->ks1; 1776 } 1777 if (xctx->xts.key2) { 1778 if (xctx->xts.key2 != &xctx->ks2) 1779 return 0; 1780 xctx_out->xts.key2 = &xctx_out->ks2; 1781 } 1782 return 1; 1783 } 1784 } 1785 return -1; 1786 } 1787 1788 static int 1789 aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1790 const unsigned char *iv, int enc) 1791 { 1792 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1793 1794 if (!iv && !key) 1795 return 1; 1796 1797 if (key) do { 1798 #ifdef AES_XTS_ASM 1799 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; 1800 #else 1801 xctx->stream = NULL; 1802 #endif 1803 /* key_len is two AES keys */ 1804 #ifdef BSAES_CAPABLE 1805 if (BSAES_CAPABLE) 1806 xctx->stream = enc ? bsaes_xts_encrypt : 1807 bsaes_xts_decrypt; 1808 else 1809 #endif 1810 #ifdef VPAES_CAPABLE 1811 if (VPAES_CAPABLE) { 1812 if (enc) { 1813 vpaes_set_encrypt_key(key, ctx->key_len * 4, 1814 &xctx->ks1); 1815 xctx->xts.block1 = (block128_f)vpaes_encrypt; 1816 } else { 1817 vpaes_set_decrypt_key(key, ctx->key_len * 4, 1818 &xctx->ks1); 1819 xctx->xts.block1 = (block128_f)vpaes_decrypt; 1820 } 1821 1822 vpaes_set_encrypt_key(key + ctx->key_len / 2, 1823 ctx->key_len * 4, &xctx->ks2); 1824 xctx->xts.block2 = (block128_f)vpaes_encrypt; 1825 1826 xctx->xts.key1 = &xctx->ks1; 1827 break; 1828 } else 1829 #endif 1830 (void)0; /* terminate potentially open 'else' */ 1831 1832 if (enc) { 1833 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1834 xctx->xts.block1 = (block128_f)AES_encrypt; 1835 } else { 1836 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1837 xctx->xts.block1 = (block128_f)AES_decrypt; 1838 } 1839 1840 AES_set_encrypt_key(key + ctx->key_len / 2, 1841 ctx->key_len * 4, &xctx->ks2); 1842 xctx->xts.block2 = (block128_f)AES_encrypt; 1843 1844 xctx->xts.key1 = &xctx->ks1; 1845 } while (0); 1846 1847 if (iv) { 1848 xctx->xts.key2 = &xctx->ks2; 1849 memcpy(ctx->iv, iv, 16); 1850 } 1851 1852 return 1; 1853 } 1854 1855 static int 1856 aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1857 const unsigned char *in, size_t len) 1858 { 1859 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1860 1861 if (!xctx->xts.key1 || !xctx->xts.key2) 1862 return 0; 1863 if (!out || !in || len < AES_BLOCK_SIZE) 1864 return 0; 1865 1866 if (xctx->stream) 1867 (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2, 1868 ctx->iv); 1869 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, 1870 ctx->encrypt)) 1871 return 0; 1872 return 1; 1873 } 1874 1875 #define XTS_FLAGS \ 1876 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ 1877 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) 1878 1879 1880 #ifdef AESNI_CAPABLE 1881 static const EVP_CIPHER aesni_128_xts = { 1882 .nid = NID_aes_128_xts, 1883 .block_size = 1, 1884 .key_len = 2 * 16, 1885 .iv_len = 16, 1886 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1887 .init = aesni_xts_init_key, 1888 .do_cipher = aes_xts_cipher, 1889 .cleanup = NULL, 1890 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1891 .ctrl = aes_xts_ctrl, 1892 }; 1893 #endif 1894 1895 static const EVP_CIPHER aes_128_xts = { 1896 .nid = NID_aes_128_xts, 1897 .block_size = 1, 1898 .key_len = 2 * 16, 1899 .iv_len = 16, 1900 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1901 .init = aes_xts_init_key, 1902 .do_cipher = aes_xts_cipher, 1903 .cleanup = NULL, 1904 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1905 .ctrl = aes_xts_ctrl, 1906 }; 1907 1908 const EVP_CIPHER * 1909 EVP_aes_128_xts(void) 1910 { 1911 #ifdef AESNI_CAPABLE 1912 return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts; 1913 #else 1914 return &aes_128_xts; 1915 #endif 1916 } 1917 1918 #ifdef AESNI_CAPABLE 1919 static const EVP_CIPHER aesni_256_xts = { 1920 .nid = NID_aes_256_xts, 1921 .block_size = 1, 1922 .key_len = 2 * 32, 1923 .iv_len = 16, 1924 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1925 .init = aesni_xts_init_key, 1926 .do_cipher = aes_xts_cipher, 1927 .cleanup = NULL, 1928 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1929 .ctrl = aes_xts_ctrl, 1930 }; 1931 #endif 1932 1933 static const EVP_CIPHER aes_256_xts = { 1934 .nid = NID_aes_256_xts, 1935 .block_size = 1, 1936 .key_len = 2 * 32, 1937 .iv_len = 16, 1938 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1939 .init = aes_xts_init_key, 1940 .do_cipher = aes_xts_cipher, 1941 .cleanup = NULL, 1942 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1943 .ctrl = aes_xts_ctrl, 1944 }; 1945 1946 const EVP_CIPHER * 1947 EVP_aes_256_xts(void) 1948 { 1949 #ifdef AESNI_CAPABLE 1950 return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts; 1951 #else 1952 return &aes_256_xts; 1953 #endif 1954 } 1955 1956 static int 1957 aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1958 { 1959 EVP_AES_CCM_CTX *cctx = c->cipher_data; 1960 1961 switch (type) { 1962 case EVP_CTRL_INIT: 1963 cctx->key_set = 0; 1964 cctx->iv_set = 0; 1965 cctx->L = 8; 1966 cctx->M = 12; 1967 cctx->tag_set = 0; 1968 cctx->len_set = 0; 1969 return 1; 1970 1971 case EVP_CTRL_CCM_SET_IVLEN: 1972 arg = 15 - arg; 1973 1974 case EVP_CTRL_CCM_SET_L: 1975 if (arg < 2 || arg > 8) 1976 return 0; 1977 cctx->L = arg; 1978 return 1; 1979 1980 case EVP_CTRL_CCM_SET_TAG: 1981 if ((arg & 1) || arg < 4 || arg > 16) 1982 return 0; 1983 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) 1984 return 0; 1985 if (ptr) { 1986 cctx->tag_set = 1; 1987 memcpy(c->buf, ptr, arg); 1988 } 1989 cctx->M = arg; 1990 return 1; 1991 1992 case EVP_CTRL_CCM_GET_TAG: 1993 if (!c->encrypt || !cctx->tag_set) 1994 return 0; 1995 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) 1996 return 0; 1997 cctx->tag_set = 0; 1998 cctx->iv_set = 0; 1999 cctx->len_set = 0; 2000 return 1; 2001 2002 case EVP_CTRL_COPY: 2003 { 2004 EVP_CIPHER_CTX *out = ptr; 2005 EVP_AES_CCM_CTX *cctx_out = out->cipher_data; 2006 2007 if (cctx->ccm.key) { 2008 if (cctx->ccm.key != &cctx->ks) 2009 return 0; 2010 cctx_out->ccm.key = &cctx_out->ks; 2011 } 2012 return 1; 2013 } 2014 2015 default: 2016 return -1; 2017 } 2018 } 2019 2020 static int 2021 aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 2022 const unsigned char *iv, int enc) 2023 { 2024 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 2025 2026 if (!iv && !key) 2027 return 1; 2028 if (key) do { 2029 #ifdef VPAES_CAPABLE 2030 if (VPAES_CAPABLE) { 2031 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); 2032 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 2033 &cctx->ks, (block128_f)vpaes_encrypt); 2034 cctx->str = NULL; 2035 cctx->key_set = 1; 2036 break; 2037 } 2038 #endif 2039 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 2040 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 2041 &cctx->ks, (block128_f)AES_encrypt); 2042 cctx->str = NULL; 2043 cctx->key_set = 1; 2044 } while (0); 2045 if (iv) { 2046 memcpy(ctx->iv, iv, 15 - cctx->L); 2047 cctx->iv_set = 1; 2048 } 2049 return 1; 2050 } 2051 2052 static int 2053 aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 2054 const unsigned char *in, size_t len) 2055 { 2056 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 2057 CCM128_CONTEXT *ccm = &cctx->ccm; 2058 2059 /* If not set up, return error */ 2060 if (!cctx->iv_set && !cctx->key_set) 2061 return -1; 2062 if (!ctx->encrypt && !cctx->tag_set) 2063 return -1; 2064 2065 if (!out) { 2066 if (!in) { 2067 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, 2068 len)) 2069 return -1; 2070 cctx->len_set = 1; 2071 return len; 2072 } 2073 /* If have AAD need message length */ 2074 if (!cctx->len_set && len) 2075 return -1; 2076 CRYPTO_ccm128_aad(ccm, in, len); 2077 return len; 2078 } 2079 /* EVP_*Final() doesn't return any data */ 2080 if (!in) 2081 return 0; 2082 /* If not set length yet do it */ 2083 if (!cctx->len_set) { 2084 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 2085 return -1; 2086 cctx->len_set = 1; 2087 } 2088 if (ctx->encrypt) { 2089 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, 2090 cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len)) 2091 return -1; 2092 cctx->tag_set = 1; 2093 return len; 2094 } else { 2095 int rv = -1; 2096 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, 2097 cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { 2098 unsigned char tag[16]; 2099 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { 2100 if (!memcmp(tag, ctx->buf, cctx->M)) 2101 rv = len; 2102 } 2103 } 2104 if (rv == -1) 2105 explicit_bzero(out, len); 2106 cctx->iv_set = 0; 2107 cctx->tag_set = 0; 2108 cctx->len_set = 0; 2109 return rv; 2110 } 2111 2112 } 2113 2114 #ifdef AESNI_CAPABLE 2115 static const EVP_CIPHER aesni_128_ccm = { 2116 .nid = NID_aes_128_ccm, 2117 .block_size = 1, 2118 .key_len = 16, 2119 .iv_len = 12, 2120 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2121 .init = aesni_ccm_init_key, 2122 .do_cipher = aes_ccm_cipher, 2123 .cleanup = NULL, 2124 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2125 .ctrl = aes_ccm_ctrl, 2126 }; 2127 #endif 2128 2129 static const EVP_CIPHER aes_128_ccm = { 2130 .nid = NID_aes_128_ccm, 2131 .block_size = 1, 2132 .key_len = 16, 2133 .iv_len = 12, 2134 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2135 .init = aes_ccm_init_key, 2136 .do_cipher = aes_ccm_cipher, 2137 .cleanup = NULL, 2138 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2139 .ctrl = aes_ccm_ctrl, 2140 }; 2141 2142 const EVP_CIPHER * 2143 EVP_aes_128_ccm(void) 2144 { 2145 #ifdef AESNI_CAPABLE 2146 return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm; 2147 #else 2148 return &aes_128_ccm; 2149 #endif 2150 } 2151 2152 #ifdef AESNI_CAPABLE 2153 static const EVP_CIPHER aesni_192_ccm = { 2154 .nid = NID_aes_192_ccm, 2155 .block_size = 1, 2156 .key_len = 24, 2157 .iv_len = 12, 2158 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2159 .init = aesni_ccm_init_key, 2160 .do_cipher = aes_ccm_cipher, 2161 .cleanup = NULL, 2162 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2163 .ctrl = aes_ccm_ctrl, 2164 }; 2165 #endif 2166 2167 static const EVP_CIPHER aes_192_ccm = { 2168 .nid = NID_aes_192_ccm, 2169 .block_size = 1, 2170 .key_len = 24, 2171 .iv_len = 12, 2172 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2173 .init = aes_ccm_init_key, 2174 .do_cipher = aes_ccm_cipher, 2175 .cleanup = NULL, 2176 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2177 .ctrl = aes_ccm_ctrl, 2178 }; 2179 2180 const EVP_CIPHER * 2181 EVP_aes_192_ccm(void) 2182 { 2183 #ifdef AESNI_CAPABLE 2184 return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm; 2185 #else 2186 return &aes_192_ccm; 2187 #endif 2188 } 2189 2190 #ifdef AESNI_CAPABLE 2191 static const EVP_CIPHER aesni_256_ccm = { 2192 .nid = NID_aes_256_ccm, 2193 .block_size = 1, 2194 .key_len = 32, 2195 .iv_len = 12, 2196 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2197 .init = aesni_ccm_init_key, 2198 .do_cipher = aes_ccm_cipher, 2199 .cleanup = NULL, 2200 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2201 .ctrl = aes_ccm_ctrl, 2202 }; 2203 #endif 2204 2205 static const EVP_CIPHER aes_256_ccm = { 2206 .nid = NID_aes_256_ccm, 2207 .block_size = 1, 2208 .key_len = 32, 2209 .iv_len = 12, 2210 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2211 .init = aes_ccm_init_key, 2212 .do_cipher = aes_ccm_cipher, 2213 .cleanup = NULL, 2214 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2215 .ctrl = aes_ccm_ctrl, 2216 }; 2217 2218 const EVP_CIPHER * 2219 EVP_aes_256_ccm(void) 2220 { 2221 #ifdef AESNI_CAPABLE 2222 return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm; 2223 #else 2224 return &aes_256_ccm; 2225 #endif 2226 } 2227 2228 #define EVP_AEAD_AES_GCM_TAG_LEN 16 2229 2230 struct aead_aes_gcm_ctx { 2231 union { 2232 double align; 2233 AES_KEY ks; 2234 } ks; 2235 GCM128_CONTEXT gcm; 2236 ctr128_f ctr; 2237 unsigned char tag_len; 2238 }; 2239 2240 static int 2241 aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len, 2242 size_t tag_len) 2243 { 2244 struct aead_aes_gcm_ctx *gcm_ctx; 2245 const size_t key_bits = key_len * 8; 2246 2247 /* EVP_AEAD_CTX_init should catch this. */ 2248 if (key_bits != 128 && key_bits != 256) { 2249 EVPerror(EVP_R_BAD_KEY_LENGTH); 2250 return 0; 2251 } 2252 2253 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) 2254 tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 2255 2256 if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { 2257 EVPerror(EVP_R_TAG_TOO_LARGE); 2258 return 0; 2259 } 2260 2261 if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL) 2262 return 0; 2263 2264 #ifdef AESNI_CAPABLE 2265 if (AESNI_CAPABLE) { 2266 aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks); 2267 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, 2268 (block128_f)aesni_encrypt); 2269 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; 2270 } else 2271 #endif 2272 { 2273 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, 2274 key, key_len); 2275 } 2276 gcm_ctx->tag_len = tag_len; 2277 ctx->aead_state = gcm_ctx; 2278 2279 return 1; 2280 } 2281 2282 static void 2283 aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) 2284 { 2285 struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2286 2287 freezero(gcm_ctx, sizeof(*gcm_ctx)); 2288 } 2289 2290 static int 2291 aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, 2292 size_t max_out_len, const unsigned char *nonce, size_t nonce_len, 2293 const unsigned char *in, size_t in_len, const unsigned char *ad, 2294 size_t ad_len) 2295 { 2296 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2297 GCM128_CONTEXT gcm; 2298 size_t bulk = 0; 2299 2300 if (max_out_len < in_len + gcm_ctx->tag_len) { 2301 EVPerror(EVP_R_BUFFER_TOO_SMALL); 2302 return 0; 2303 } 2304 2305 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); 2306 2307 if (nonce_len == 0) { 2308 EVPerror(EVP_R_INVALID_IV_LENGTH); 2309 return 0; 2310 } 2311 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); 2312 2313 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) 2314 return 0; 2315 2316 if (gcm_ctx->ctr) { 2317 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk, 2318 in_len - bulk, gcm_ctx->ctr)) 2319 return 0; 2320 } else { 2321 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk, 2322 in_len - bulk)) 2323 return 0; 2324 } 2325 2326 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len); 2327 *out_len = in_len + gcm_ctx->tag_len; 2328 2329 return 1; 2330 } 2331 2332 static int 2333 aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, 2334 size_t max_out_len, const unsigned char *nonce, size_t nonce_len, 2335 const unsigned char *in, size_t in_len, const unsigned char *ad, 2336 size_t ad_len) 2337 { 2338 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2339 unsigned char tag[EVP_AEAD_AES_GCM_TAG_LEN]; 2340 GCM128_CONTEXT gcm; 2341 size_t plaintext_len; 2342 size_t bulk = 0; 2343 2344 if (in_len < gcm_ctx->tag_len) { 2345 EVPerror(EVP_R_BAD_DECRYPT); 2346 return 0; 2347 } 2348 2349 plaintext_len = in_len - gcm_ctx->tag_len; 2350 2351 if (max_out_len < plaintext_len) { 2352 EVPerror(EVP_R_BUFFER_TOO_SMALL); 2353 return 0; 2354 } 2355 2356 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); 2357 2358 if (nonce_len == 0) { 2359 EVPerror(EVP_R_INVALID_IV_LENGTH); 2360 return 0; 2361 } 2362 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); 2363 2364 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) 2365 return 0; 2366 2367 if (gcm_ctx->ctr) { 2368 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk, 2369 in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr)) 2370 return 0; 2371 } else { 2372 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk, 2373 in_len - bulk - gcm_ctx->tag_len)) 2374 return 0; 2375 } 2376 2377 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); 2378 if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) { 2379 EVPerror(EVP_R_BAD_DECRYPT); 2380 return 0; 2381 } 2382 2383 *out_len = plaintext_len; 2384 2385 return 1; 2386 } 2387 2388 static const EVP_AEAD aead_aes_128_gcm = { 2389 .key_len = 16, 2390 .nonce_len = 12, 2391 .overhead = EVP_AEAD_AES_GCM_TAG_LEN, 2392 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, 2393 2394 .init = aead_aes_gcm_init, 2395 .cleanup = aead_aes_gcm_cleanup, 2396 .seal = aead_aes_gcm_seal, 2397 .open = aead_aes_gcm_open, 2398 }; 2399 2400 static const EVP_AEAD aead_aes_256_gcm = { 2401 .key_len = 32, 2402 .nonce_len = 12, 2403 .overhead = EVP_AEAD_AES_GCM_TAG_LEN, 2404 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, 2405 2406 .init = aead_aes_gcm_init, 2407 .cleanup = aead_aes_gcm_cleanup, 2408 .seal = aead_aes_gcm_seal, 2409 .open = aead_aes_gcm_open, 2410 }; 2411 2412 const EVP_AEAD * 2413 EVP_aead_aes_128_gcm(void) 2414 { 2415 return &aead_aes_128_gcm; 2416 } 2417 2418 const EVP_AEAD * 2419 EVP_aead_aes_256_gcm(void) 2420 { 2421 return &aead_aes_256_gcm; 2422 } 2423 2424 typedef struct { 2425 union { 2426 double align; 2427 AES_KEY ks; 2428 } ks; 2429 unsigned char *iv; 2430 } EVP_AES_WRAP_CTX; 2431 2432 static int 2433 aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 2434 const unsigned char *iv, int enc) 2435 { 2436 EVP_AES_WRAP_CTX *wctx = (EVP_AES_WRAP_CTX *)ctx->cipher_data; 2437 2438 if (iv == NULL && key == NULL) 2439 return 1; 2440 2441 if (key != NULL) { 2442 if (ctx->encrypt) 2443 AES_set_encrypt_key(key, 8 * ctx->key_len, 2444 &wctx->ks.ks); 2445 else 2446 AES_set_decrypt_key(key, 8 * ctx->key_len, 2447 &wctx->ks.ks); 2448 2449 if (iv == NULL) 2450 wctx->iv = NULL; 2451 } 2452 2453 if (iv != NULL) { 2454 memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx)); 2455 wctx->iv = ctx->iv; 2456 } 2457 2458 return 1; 2459 } 2460 2461 static int 2462 aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 2463 const unsigned char *in, size_t inlen) 2464 { 2465 EVP_AES_WRAP_CTX *wctx = ctx->cipher_data; 2466 int ret; 2467 2468 if (in == NULL) 2469 return 0; 2470 2471 if (inlen % 8 != 0) 2472 return -1; 2473 if (ctx->encrypt && inlen < 8) 2474 return -1; 2475 if (!ctx->encrypt && inlen < 16) 2476 return -1; 2477 if (inlen > INT_MAX) 2478 return -1; 2479 2480 if (out == NULL) { 2481 if (ctx->encrypt) 2482 return inlen + 8; 2483 else 2484 return inlen - 8; 2485 } 2486 2487 if (ctx->encrypt) 2488 ret = AES_wrap_key(&wctx->ks.ks, wctx->iv, out, in, 2489 (unsigned int)inlen); 2490 else 2491 ret = AES_unwrap_key(&wctx->ks.ks, wctx->iv, out, in, 2492 (unsigned int)inlen); 2493 2494 return ret != 0 ? ret : -1; 2495 } 2496 2497 static int 2498 aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 2499 { 2500 EVP_AES_WRAP_CTX *wctx = c->cipher_data; 2501 2502 switch (type) { 2503 case EVP_CTRL_COPY: 2504 { 2505 EVP_CIPHER_CTX *out = ptr; 2506 EVP_AES_WRAP_CTX *wctx_out = out->cipher_data; 2507 2508 if (wctx->iv != NULL) { 2509 if (c->iv != wctx->iv) 2510 return 0; 2511 2512 wctx_out->iv = out->iv; 2513 } 2514 2515 return 1; 2516 } 2517 } 2518 2519 return -1; 2520 } 2521 2522 #define WRAP_FLAGS \ 2523 ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \ 2524 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \ 2525 EVP_CIPH_CUSTOM_COPY ) 2526 2527 static const EVP_CIPHER aes_128_wrap = { 2528 .nid = NID_id_aes128_wrap, 2529 .block_size = 8, 2530 .key_len = 16, 2531 .iv_len = 8, 2532 .flags = WRAP_FLAGS, 2533 .init = aes_wrap_init_key, 2534 .do_cipher = aes_wrap_cipher, 2535 .cleanup = NULL, 2536 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2537 .set_asn1_parameters = NULL, 2538 .get_asn1_parameters = NULL, 2539 .ctrl = aes_wrap_ctrl, 2540 .app_data = NULL, 2541 }; 2542 2543 const EVP_CIPHER * 2544 EVP_aes_128_wrap(void) 2545 { 2546 return &aes_128_wrap; 2547 } 2548 2549 static const EVP_CIPHER aes_192_wrap = { 2550 .nid = NID_id_aes192_wrap, 2551 .block_size = 8, 2552 .key_len = 24, 2553 .iv_len = 8, 2554 .flags = WRAP_FLAGS, 2555 .init = aes_wrap_init_key, 2556 .do_cipher = aes_wrap_cipher, 2557 .cleanup = NULL, 2558 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2559 .set_asn1_parameters = NULL, 2560 .get_asn1_parameters = NULL, 2561 .ctrl = aes_wrap_ctrl, 2562 .app_data = NULL, 2563 }; 2564 2565 const EVP_CIPHER * 2566 EVP_aes_192_wrap(void) 2567 { 2568 return &aes_192_wrap; 2569 } 2570 2571 static const EVP_CIPHER aes_256_wrap = { 2572 .nid = NID_id_aes256_wrap, 2573 .block_size = 8, 2574 .key_len = 32, 2575 .iv_len = 8, 2576 .flags = WRAP_FLAGS, 2577 .init = aes_wrap_init_key, 2578 .do_cipher = aes_wrap_cipher, 2579 .cleanup = NULL, 2580 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2581 .set_asn1_parameters = NULL, 2582 .get_asn1_parameters = NULL, 2583 .ctrl = aes_wrap_ctrl, 2584 .app_data = NULL, 2585 }; 2586 2587 const EVP_CIPHER * 2588 EVP_aes_256_wrap(void) 2589 { 2590 return &aes_256_wrap; 2591 } 2592 2593 #endif 2594