1/* ==================================================================== 2 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in 13 * the documentation and/or other materials provided with the 14 * distribution. 15 * 16 * 3. All advertising materials mentioning features or use of this 17 * software must display the following acknowledgment: 18 * "This product includes software developed by the OpenSSL Project 19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 20 * 21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 22 * endorse or promote products derived from this software without 23 * prior written permission. For written permission, please contact 24 * openssl-core@openssl.org. 25 * 26 * 5. Products derived from this software may not be called "OpenSSL" 27 * nor may "OpenSSL" appear in their names without prior written 28 * permission of the OpenSSL Project. 29 * 30 * 6. Redistributions of any form whatsoever must retain the following 31 * acknowledgment: 32 * "This product includes software developed by the OpenSSL Project 33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 34 * 35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 46 * OF THE POSSIBILITY OF SUCH DAMAGE. 47 * ==================================================================== 48 * 49 */ 50 51#include <openssl/opensslconf.h> 52#ifndef OPENSSL_NO_AES 53#include <openssl/evp.h> 54#include <openssl/err.h> 55#include <string.h> 56#include <assert.h> 57#include <openssl/aes.h> 58#include "evp_locl.h" 59#ifndef OPENSSL_FIPS 60#include "modes_lcl.h" 61#include <openssl/rand.h> 62 63typedef struct 64 { 65 AES_KEY ks; 66 block128_f block; 67 union { 68 cbc128_f cbc; 69 ctr128_f ctr; 70 } stream; 71 } EVP_AES_KEY; 72 73typedef struct 74 { 75 AES_KEY ks; /* AES key schedule to use */ 76 int key_set; /* Set if key initialised */ 77 int iv_set; /* Set if an iv is set */ 78 GCM128_CONTEXT gcm; 79 unsigned char *iv; /* Temporary IV store */ 80 int ivlen; /* IV length */ 81 int taglen; 82 int iv_gen; /* It is OK to generate IVs */ 83 int tls_aad_len; /* TLS AAD length */ 84 ctr128_f ctr; 85 } EVP_AES_GCM_CTX; 86 87typedef struct 88 { 89 AES_KEY ks1, ks2; /* AES key schedules to use */ 90 XTS128_CONTEXT xts; 91 void (*stream)(const unsigned char *in, 92 unsigned char *out, size_t length, 93 const AES_KEY *key1, const AES_KEY *key2, 94 const unsigned char iv[16]); 95 } EVP_AES_XTS_CTX; 96 97typedef struct 98 { 99 AES_KEY ks; /* AES key schedule to use */ 100 int key_set; /* Set if key initialised */ 101 int iv_set; /* Set if an iv is set */ 102 int tag_set; /* Set if tag is valid */ 103 int len_set; /* Set if message length set */ 104 int L, M; /* L and M parameters from RFC3610 */ 105 CCM128_CONTEXT ccm; 106 ccm128_f str; 107 } EVP_AES_CCM_CTX; 108 109#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) 110 111#ifdef VPAES_ASM 112int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, 113 AES_KEY *key); 114int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, 115 AES_KEY *key); 116 117void vpaes_encrypt(const unsigned char *in, unsigned char *out, 118 const AES_KEY *key); 119void vpaes_decrypt(const unsigned char *in, unsigned char *out, 120 const AES_KEY *key); 121 122void vpaes_cbc_encrypt(const unsigned char *in, 123 unsigned char *out, 124 size_t length, 125 const AES_KEY *key, 126 unsigned char *ivec, int enc); 127#endif 128#ifdef BSAES_ASM 129void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 130 size_t length, const AES_KEY *key, 131 unsigned char ivec[16], int enc); 132void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 133 size_t len, const AES_KEY *key, 134 const unsigned char ivec[16]); 135void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, 136 size_t len, const AES_KEY *key1, 137 const AES_KEY *key2, const unsigned char iv[16]); 138void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, 139 size_t len, const AES_KEY *key1, 140 const AES_KEY *key2, const unsigned char iv[16]); 141#endif 142#ifdef AES_CTR_ASM 143void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 144 size_t blocks, const AES_KEY *key, 145 const unsigned char ivec[AES_BLOCK_SIZE]); 146#endif 147#ifdef AES_XTS_ASM 148void AES_xts_encrypt(const char *inp,char *out,size_t len, 149 const AES_KEY *key1, const AES_KEY *key2, 150 const unsigned char iv[16]); 151void AES_xts_decrypt(const char *inp,char *out,size_t len, 152 const AES_KEY *key1, const AES_KEY *key2, 153 const unsigned char iv[16]); 154#endif 155 156#if defined(AES_ASM) && !defined(I386_ONLY) && ( \ 157 ((defined(__i386) || defined(__i386__) || \ 158 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ 159 defined(__x86_64) || defined(__x86_64__) || \ 160 defined(_M_AMD64) || defined(_M_X64) || \ 161 defined(__INTEL__) ) 162 163extern unsigned int OPENSSL_ia32cap_P[2]; 164 165#ifdef VPAES_ASM 166#define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) 167#endif 168#ifdef BSAES_ASM 169#define BSAES_CAPABLE VPAES_CAPABLE 170#endif 171/* 172 * AES-NI section 173 */ 174#define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32))) 175 176int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 177 AES_KEY *key); 178int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 179 AES_KEY *key); 180 181void aesni_encrypt(const unsigned char *in, unsigned char *out, 182 const AES_KEY *key); 183void aesni_decrypt(const unsigned char *in, unsigned char *out, 184 const AES_KEY *key); 185 186void aesni_ecb_encrypt(const unsigned char *in, 187 unsigned char *out, 188 size_t length, 189 const AES_KEY *key, 190 int enc); 191void aesni_cbc_encrypt(const unsigned char *in, 192 unsigned char *out, 193 size_t length, 194 const AES_KEY *key, 195 unsigned char *ivec, int enc); 196 197void aesni_ctr32_encrypt_blocks(const unsigned char *in, 198 unsigned char *out, 199 size_t blocks, 200 const void *key, 201 const unsigned char *ivec); 202 203void aesni_xts_encrypt(const unsigned char *in, 204 unsigned char *out, 205 size_t length, 206 const AES_KEY *key1, const AES_KEY *key2, 207 const unsigned char iv[16]); 208 209void aesni_xts_decrypt(const unsigned char *in, 210 unsigned char *out, 211 size_t length, 212 const AES_KEY *key1, const AES_KEY *key2, 213 const unsigned char iv[16]); 214 215void aesni_ccm64_encrypt_blocks (const unsigned char *in, 216 unsigned char *out, 217 size_t blocks, 218 const void *key, 219 const unsigned char ivec[16], 220 unsigned char cmac[16]); 221 222void aesni_ccm64_decrypt_blocks (const unsigned char *in, 223 unsigned char *out, 224 size_t blocks, 225 const void *key, 226 const unsigned char ivec[16], 227 unsigned char cmac[16]); 228 229static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 230 const unsigned char *iv, int enc) 231 { 232 int ret, mode; 233 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 234 235 mode = ctx->cipher->flags & EVP_CIPH_MODE; 236 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 237 && !enc) 238 { 239 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data); 240 dat->block = (block128_f)aesni_decrypt; 241 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 242 (cbc128_f)aesni_cbc_encrypt : 243 NULL; 244 } 245 else { 246 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data); 247 dat->block = (block128_f)aesni_encrypt; 248 if (mode==EVP_CIPH_CBC_MODE) 249 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; 250 else if (mode==EVP_CIPH_CTR_MODE) 251 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 252 else 253 dat->stream.cbc = NULL; 254 } 255 256 if(ret < 0) 257 { 258 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); 259 return 0; 260 } 261 262 return 1; 263 } 264 265static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 266 const unsigned char *in, size_t len) 267{ 268 aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt); 269 270 return 1; 271} 272 273static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 274 const unsigned char *in, size_t len) 275{ 276 size_t bl = ctx->cipher->block_size; 277 278 if (len<bl) return 1; 279 280 aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt); 281 282 return 1; 283} 284 285#define aesni_ofb_cipher aes_ofb_cipher 286static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 287 const unsigned char *in,size_t len); 288 289#define aesni_cfb_cipher aes_cfb_cipher 290static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 291 const unsigned char *in,size_t len); 292 293#define aesni_cfb8_cipher aes_cfb8_cipher 294static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 295 const unsigned char *in,size_t len); 296 297#define aesni_cfb1_cipher aes_cfb1_cipher 298static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 299 const unsigned char *in,size_t len); 300 301#define aesni_ctr_cipher aes_ctr_cipher 302static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 303 const unsigned char *in, size_t len); 304 305static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 306 const unsigned char *iv, int enc) 307 { 308 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 309 if (!iv && !key) 310 return 1; 311 if (key) 312 { 313 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 314 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 315 (block128_f)aesni_encrypt); 316 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 317 /* If we have an iv can set it directly, otherwise use 318 * saved IV. 319 */ 320 if (iv == NULL && gctx->iv_set) 321 iv = gctx->iv; 322 if (iv) 323 { 324 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 325 gctx->iv_set = 1; 326 } 327 gctx->key_set = 1; 328 } 329 else 330 { 331 /* If key set use IV, otherwise copy */ 332 if (gctx->key_set) 333 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 334 else 335 memcpy(gctx->iv, iv, gctx->ivlen); 336 gctx->iv_set = 1; 337 gctx->iv_gen = 0; 338 } 339 return 1; 340 } 341 342#define aesni_gcm_cipher aes_gcm_cipher 343static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 344 const unsigned char *in, size_t len); 345 346static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 347 const unsigned char *iv, int enc) 348 { 349 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 350 if (!iv && !key) 351 return 1; 352 353 if (key) 354 { 355 /* key_len is two AES keys */ 356 if (enc) 357 { 358 aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 359 xctx->xts.block1 = (block128_f)aesni_encrypt; 360 xctx->stream = aesni_xts_encrypt; 361 } 362 else 363 { 364 aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 365 xctx->xts.block1 = (block128_f)aesni_decrypt; 366 xctx->stream = aesni_xts_decrypt; 367 } 368 369 aesni_set_encrypt_key(key + ctx->key_len/2, 370 ctx->key_len * 4, &xctx->ks2); 371 xctx->xts.block2 = (block128_f)aesni_encrypt; 372 373 xctx->xts.key1 = &xctx->ks1; 374 } 375 376 if (iv) 377 { 378 xctx->xts.key2 = &xctx->ks2; 379 memcpy(ctx->iv, iv, 16); 380 } 381 382 return 1; 383 } 384 385#define aesni_xts_cipher aes_xts_cipher 386static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 387 const unsigned char *in, size_t len); 388 389static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 390 const unsigned char *iv, int enc) 391 { 392 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 393 if (!iv && !key) 394 return 1; 395 if (key) 396 { 397 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 398 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 399 &cctx->ks, (block128_f)aesni_encrypt); 400 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks : 401 (ccm128_f)aesni_ccm64_decrypt_blocks; 402 cctx->key_set = 1; 403 } 404 if (iv) 405 { 406 memcpy(ctx->iv, iv, 15 - cctx->L); 407 cctx->iv_set = 1; 408 } 409 return 1; 410 } 411 412#define aesni_ccm_cipher aes_ccm_cipher 413static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 414 const unsigned char *in, size_t len); 415 416#define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 417static const EVP_CIPHER aesni_##keylen##_##mode = { \ 418 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 419 flags|EVP_CIPH_##MODE##_MODE, \ 420 aesni_init_key, \ 421 aesni_##mode##_cipher, \ 422 NULL, \ 423 sizeof(EVP_AES_KEY), \ 424 NULL,NULL,NULL,NULL }; \ 425static const EVP_CIPHER aes_##keylen##_##mode = { \ 426 nid##_##keylen##_##nmode,blocksize, \ 427 keylen/8,ivlen, \ 428 flags|EVP_CIPH_##MODE##_MODE, \ 429 aes_init_key, \ 430 aes_##mode##_cipher, \ 431 NULL, \ 432 sizeof(EVP_AES_KEY), \ 433 NULL,NULL,NULL,NULL }; \ 434const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 435{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 436 437#define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 438static const EVP_CIPHER aesni_##keylen##_##mode = { \ 439 nid##_##keylen##_##mode,blocksize, \ 440 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 441 flags|EVP_CIPH_##MODE##_MODE, \ 442 aesni_##mode##_init_key, \ 443 aesni_##mode##_cipher, \ 444 aes_##mode##_cleanup, \ 445 sizeof(EVP_AES_##MODE##_CTX), \ 446 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 447static const EVP_CIPHER aes_##keylen##_##mode = { \ 448 nid##_##keylen##_##mode,blocksize, \ 449 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 450 flags|EVP_CIPH_##MODE##_MODE, \ 451 aes_##mode##_init_key, \ 452 aes_##mode##_cipher, \ 453 aes_##mode##_cleanup, \ 454 sizeof(EVP_AES_##MODE##_CTX), \ 455 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 456const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 457{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } 458 459#else 460 461#define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ 462static const EVP_CIPHER aes_##keylen##_##mode = { \ 463 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ 464 flags|EVP_CIPH_##MODE##_MODE, \ 465 aes_init_key, \ 466 aes_##mode##_cipher, \ 467 NULL, \ 468 sizeof(EVP_AES_KEY), \ 469 NULL,NULL,NULL,NULL }; \ 470const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 471{ return &aes_##keylen##_##mode; } 472 473#define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ 474static const EVP_CIPHER aes_##keylen##_##mode = { \ 475 nid##_##keylen##_##mode,blocksize, \ 476 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ 477 flags|EVP_CIPH_##MODE##_MODE, \ 478 aes_##mode##_init_key, \ 479 aes_##mode##_cipher, \ 480 aes_##mode##_cleanup, \ 481 sizeof(EVP_AES_##MODE##_CTX), \ 482 NULL,NULL,aes_##mode##_ctrl,NULL }; \ 483const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ 484{ return &aes_##keylen##_##mode; } 485#endif 486 487#define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \ 488 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 489 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 490 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 491 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ 492 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \ 493 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \ 494 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags) 495 496static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 497 const unsigned char *iv, int enc) 498 { 499 int ret, mode; 500 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 501 502 mode = ctx->cipher->flags & EVP_CIPH_MODE; 503 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) 504 && !enc) 505#ifdef BSAES_CAPABLE 506 if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE) 507 { 508 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 509 dat->block = (block128_f)AES_decrypt; 510 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; 511 } 512 else 513#endif 514#ifdef VPAES_CAPABLE 515 if (VPAES_CAPABLE) 516 { 517 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 518 dat->block = (block128_f)vpaes_decrypt; 519 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 520 (cbc128_f)vpaes_cbc_encrypt : 521 NULL; 522 } 523 else 524#endif 525 { 526 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks); 527 dat->block = (block128_f)AES_decrypt; 528 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 529 (cbc128_f)AES_cbc_encrypt : 530 NULL; 531 } 532 else 533#ifdef BSAES_CAPABLE 534 if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE) 535 { 536 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 537 dat->block = (block128_f)AES_encrypt; 538 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 539 } 540 else 541#endif 542#ifdef VPAES_CAPABLE 543 if (VPAES_CAPABLE) 544 { 545 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 546 dat->block = (block128_f)vpaes_encrypt; 547 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 548 (cbc128_f)vpaes_cbc_encrypt : 549 NULL; 550 } 551 else 552#endif 553 { 554 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks); 555 dat->block = (block128_f)AES_encrypt; 556 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? 557 (cbc128_f)AES_cbc_encrypt : 558 NULL; 559#ifdef AES_CTR_ASM 560 if (mode==EVP_CIPH_CTR_MODE) 561 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; 562#endif 563 } 564 565 if(ret < 0) 566 { 567 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); 568 return 0; 569 } 570 571 return 1; 572 } 573 574static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 575 const unsigned char *in, size_t len) 576{ 577 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 578 579 if (dat->stream.cbc) 580 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt); 581 else if (ctx->encrypt) 582 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); 583 else 584 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); 585 586 return 1; 587} 588 589static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 590 const unsigned char *in, size_t len) 591{ 592 size_t bl = ctx->cipher->block_size; 593 size_t i; 594 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 595 596 if (len<bl) return 1; 597 598 for (i=0,len-=bl;i<=len;i+=bl) 599 (*dat->block)(in+i,out+i,&dat->ks); 600 601 return 1; 602} 603 604static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 605 const unsigned char *in,size_t len) 606{ 607 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 608 609 CRYPTO_ofb128_encrypt(in,out,len,&dat->ks, 610 ctx->iv,&ctx->num,dat->block); 611 return 1; 612} 613 614static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 615 const unsigned char *in,size_t len) 616{ 617 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 618 619 CRYPTO_cfb128_encrypt(in,out,len,&dat->ks, 620 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 621 return 1; 622} 623 624static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 625 const unsigned char *in,size_t len) 626{ 627 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 628 629 CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks, 630 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 631 return 1; 632} 633 634static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, 635 const unsigned char *in,size_t len) 636{ 637 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 638 639 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { 640 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks, 641 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 642 return 1; 643 } 644 645 while (len>=MAXBITCHUNK) { 646 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks, 647 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 648 len-=MAXBITCHUNK; 649 } 650 if (len) 651 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks, 652 ctx->iv,&ctx->num,ctx->encrypt,dat->block); 653 654 return 1; 655} 656 657static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out, 658 const unsigned char *in, size_t len) 659{ 660 unsigned int num = ctx->num; 661 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 662 663 if (dat->stream.ctr) 664 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks, 665 ctx->iv,ctx->buf,&num,dat->stream.ctr); 666 else 667 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks, 668 ctx->iv,ctx->buf,&num,dat->block); 669 ctx->num = (size_t)num; 670 return 1; 671} 672 673BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS) 674BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS) 675BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS) 676 677static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) 678 { 679 EVP_AES_GCM_CTX *gctx = c->cipher_data; 680 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); 681 if (gctx->iv != c->iv) 682 OPENSSL_free(gctx->iv); 683 return 1; 684 } 685 686/* increment counter (64-bit int) by 1 */ 687static void ctr64_inc(unsigned char *counter) { 688 int n=8; 689 unsigned char c; 690 691 do { 692 --n; 693 c = counter[n]; 694 ++c; 695 counter[n] = c; 696 if (c) return; 697 } while (n); 698} 699 700static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 701 { 702 EVP_AES_GCM_CTX *gctx = c->cipher_data; 703 switch (type) 704 { 705 case EVP_CTRL_INIT: 706 gctx->key_set = 0; 707 gctx->iv_set = 0; 708 gctx->ivlen = c->cipher->iv_len; 709 gctx->iv = c->iv; 710 gctx->taglen = -1; 711 gctx->iv_gen = 0; 712 gctx->tls_aad_len = -1; 713 return 1; 714 715 case EVP_CTRL_GCM_SET_IVLEN: 716 if (arg <= 0) 717 return 0; 718#ifdef OPENSSL_FIPS 719 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) 720 && arg < 12) 721 return 0; 722#endif 723 /* Allocate memory for IV if needed */ 724 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) 725 { 726 if (gctx->iv != c->iv) 727 OPENSSL_free(gctx->iv); 728 gctx->iv = OPENSSL_malloc(arg); 729 if (!gctx->iv) 730 return 0; 731 } 732 gctx->ivlen = arg; 733 return 1; 734 735 case EVP_CTRL_GCM_SET_TAG: 736 if (arg <= 0 || arg > 16 || c->encrypt) 737 return 0; 738 memcpy(c->buf, ptr, arg); 739 gctx->taglen = arg; 740 return 1; 741 742 case EVP_CTRL_GCM_GET_TAG: 743 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) 744 return 0; 745 memcpy(ptr, c->buf, arg); 746 return 1; 747 748 case EVP_CTRL_GCM_SET_IV_FIXED: 749 /* Special case: -1 length restores whole IV */ 750 if (arg == -1) 751 { 752 memcpy(gctx->iv, ptr, gctx->ivlen); 753 gctx->iv_gen = 1; 754 return 1; 755 } 756 /* Fixed field must be at least 4 bytes and invocation field 757 * at least 8. 758 */ 759 if ((arg < 4) || (gctx->ivlen - arg) < 8) 760 return 0; 761 if (arg) 762 memcpy(gctx->iv, ptr, arg); 763 if (c->encrypt && 764 RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) 765 return 0; 766 gctx->iv_gen = 1; 767 return 1; 768 769 case EVP_CTRL_GCM_IV_GEN: 770 if (gctx->iv_gen == 0 || gctx->key_set == 0) 771 return 0; 772 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 773 if (arg <= 0 || arg > gctx->ivlen) 774 arg = gctx->ivlen; 775 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 776 /* Invocation field will be at least 8 bytes in size and 777 * so no need to check wrap around or increment more than 778 * last 8 bytes. 779 */ 780 ctr64_inc(gctx->iv + gctx->ivlen - 8); 781 gctx->iv_set = 1; 782 return 1; 783 784 case EVP_CTRL_GCM_SET_IV_INV: 785 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) 786 return 0; 787 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 788 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 789 gctx->iv_set = 1; 790 return 1; 791 792 case EVP_CTRL_AEAD_TLS1_AAD: 793 /* Save the AAD for later use */ 794 if (arg != 13) 795 return 0; 796 memcpy(c->buf, ptr, arg); 797 gctx->tls_aad_len = arg; 798 { 799 unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1]; 800 /* Correct length for explicit IV */ 801 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 802 /* If decrypting correct for tag too */ 803 if (!c->encrypt) 804 len -= EVP_GCM_TLS_TAG_LEN; 805 c->buf[arg-2] = len>>8; 806 c->buf[arg-1] = len & 0xff; 807 } 808 /* Extra padding: tag appended to record */ 809 return EVP_GCM_TLS_TAG_LEN; 810 811 default: 812 return -1; 813 814 } 815 } 816 817static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 818 const unsigned char *iv, int enc) 819 { 820 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 821 if (!iv && !key) 822 return 1; 823 if (key) 824 { do { 825#ifdef BSAES_CAPABLE 826 if (BSAES_CAPABLE) 827 { 828 AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); 829 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, 830 (block128_f)AES_encrypt); 831 gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 832 break; 833 } 834 else 835#endif 836#ifdef VPAES_CAPABLE 837 if (VPAES_CAPABLE) 838 { 839 vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); 840 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, 841 (block128_f)vpaes_encrypt); 842 gctx->ctr = NULL; 843 break; 844 } 845#endif 846 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 847 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt); 848#ifdef AES_CTR_ASM 849 gctx->ctr = (ctr128_f)AES_ctr32_encrypt; 850#else 851 gctx->ctr = NULL; 852#endif 853 } while (0); 854 855 /* If we have an iv can set it directly, otherwise use 856 * saved IV. 857 */ 858 if (iv == NULL && gctx->iv_set) 859 iv = gctx->iv; 860 if (iv) 861 { 862 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 863 gctx->iv_set = 1; 864 } 865 gctx->key_set = 1; 866 } 867 else 868 { 869 /* If key set use IV, otherwise copy */ 870 if (gctx->key_set) 871 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 872 else 873 memcpy(gctx->iv, iv, gctx->ivlen); 874 gctx->iv_set = 1; 875 gctx->iv_gen = 0; 876 } 877 return 1; 878 } 879 880/* Handle TLS GCM packet format. This consists of the last portion of the IV 881 * followed by the payload and finally the tag. On encrypt generate IV, 882 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload 883 * and verify tag. 884 */ 885 886static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 887 const unsigned char *in, size_t len) 888 { 889 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 890 int rv = -1; 891 /* Encrypt/decrypt must be performed in place */ 892 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN)) 893 return -1; 894 /* Set IV from start of buffer or generate IV and write to start 895 * of buffer. 896 */ 897 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? 898 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, 899 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) 900 goto err; 901 /* Use saved AAD */ 902 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) 903 goto err; 904 /* Fix buffer and length to point to payload */ 905 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; 906 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; 907 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 908 if (ctx->encrypt) 909 { 910 /* Encrypt payload */ 911 if (gctx->ctr) 912 { 913 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 914 in, out, len, 915 gctx->ctr)) 916 goto err; 917 } 918 else { 919 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 920 goto err; 921 } 922 out += len; 923 /* Finally write tag */ 924 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); 925 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 926 } 927 else 928 { 929 /* Decrypt */ 930 if (gctx->ctr) 931 { 932 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 933 in, out, len, 934 gctx->ctr)) 935 goto err; 936 } 937 else { 938 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 939 goto err; 940 } 941 /* Retrieve tag */ 942 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 943 EVP_GCM_TLS_TAG_LEN); 944 /* If tag mismatch wipe buffer */ 945 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) 946 { 947 OPENSSL_cleanse(out, len); 948 goto err; 949 } 950 rv = len; 951 } 952 953 err: 954 gctx->iv_set = 0; 955 gctx->tls_aad_len = -1; 956 return rv; 957 } 958 959static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 960 const unsigned char *in, size_t len) 961 { 962 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 963 /* If not set up, return error */ 964 if (!gctx->key_set) 965 return -1; 966 967 if (gctx->tls_aad_len >= 0) 968 return aes_gcm_tls_cipher(ctx, out, in, len); 969 970 if (!gctx->iv_set) 971 return -1; 972 if (!ctx->encrypt && gctx->taglen < 0) 973 return -1; 974 if (in) 975 { 976 if (out == NULL) 977 { 978 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) 979 return -1; 980 } 981 else if (ctx->encrypt) 982 { 983 if (gctx->ctr) 984 { 985 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 986 in, out, len, 987 gctx->ctr)) 988 return -1; 989 } 990 else { 991 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 992 return -1; 993 } 994 } 995 else 996 { 997 if (gctx->ctr) 998 { 999 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 1000 in, out, len, 1001 gctx->ctr)) 1002 return -1; 1003 } 1004 else { 1005 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 1006 return -1; 1007 } 1008 } 1009 return len; 1010 } 1011 else 1012 { 1013 if (!ctx->encrypt) 1014 { 1015 if (CRYPTO_gcm128_finish(&gctx->gcm, 1016 ctx->buf, gctx->taglen) != 0) 1017 return -1; 1018 gctx->iv_set = 0; 1019 return 0; 1020 } 1021 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); 1022 gctx->taglen = 16; 1023 /* Don't reuse the IV */ 1024 gctx->iv_set = 0; 1025 return 0; 1026 } 1027 1028 } 1029 1030#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ 1031 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ 1032 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT) 1033 1034BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM, 1035 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1036BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM, 1037 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1038BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM, 1039 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1040 1041static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1042 { 1043 EVP_AES_XTS_CTX *xctx = c->cipher_data; 1044 if (type != EVP_CTRL_INIT) 1045 return -1; 1046 /* key1 and key2 are used as an indicator both key and IV are set */ 1047 xctx->xts.key1 = NULL; 1048 xctx->xts.key2 = NULL; 1049 return 1; 1050 } 1051 1052static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1053 const unsigned char *iv, int enc) 1054 { 1055 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1056 if (!iv && !key) 1057 return 1; 1058 1059 if (key) do 1060 { 1061#ifdef AES_XTS_ASM 1062 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; 1063#else 1064 xctx->stream = NULL; 1065#endif 1066 /* key_len is two AES keys */ 1067#ifdef BSAES_CAPABLE 1068 if (BSAES_CAPABLE) 1069 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt; 1070 else 1071#endif 1072#ifdef VPAES_CAPABLE 1073 if (VPAES_CAPABLE) 1074 { 1075 if (enc) 1076 { 1077 vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1078 xctx->xts.block1 = (block128_f)vpaes_encrypt; 1079 } 1080 else 1081 { 1082 vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1083 xctx->xts.block1 = (block128_f)vpaes_decrypt; 1084 } 1085 1086 vpaes_set_encrypt_key(key + ctx->key_len/2, 1087 ctx->key_len * 4, &xctx->ks2); 1088 xctx->xts.block2 = (block128_f)vpaes_encrypt; 1089 1090 xctx->xts.key1 = &xctx->ks1; 1091 break; 1092 } 1093#endif 1094 if (enc) 1095 { 1096 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1097 xctx->xts.block1 = (block128_f)AES_encrypt; 1098 } 1099 else 1100 { 1101 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1102 xctx->xts.block1 = (block128_f)AES_decrypt; 1103 } 1104 1105 AES_set_encrypt_key(key + ctx->key_len/2, 1106 ctx->key_len * 4, &xctx->ks2); 1107 xctx->xts.block2 = (block128_f)AES_encrypt; 1108 1109 xctx->xts.key1 = &xctx->ks1; 1110 } while (0); 1111 1112 if (iv) 1113 { 1114 xctx->xts.key2 = &xctx->ks2; 1115 memcpy(ctx->iv, iv, 16); 1116 } 1117 1118 return 1; 1119 } 1120 1121static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1122 const unsigned char *in, size_t len) 1123 { 1124 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1125 if (!xctx->xts.key1 || !xctx->xts.key2) 1126 return 0; 1127 if (!out || !in || len<AES_BLOCK_SIZE) 1128 return 0; 1129#ifdef OPENSSL_FIPS 1130 /* Requirement of SP800-38E */ 1131 if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && 1132 (len > (1UL<<20)*16)) 1133 { 1134 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); 1135 return 0; 1136 } 1137#endif 1138 if (xctx->stream) 1139 (*xctx->stream)(in, out, len, 1140 xctx->xts.key1, xctx->xts.key2, ctx->iv); 1141 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, 1142 ctx->encrypt)) 1143 return 0; 1144 return 1; 1145 } 1146 1147#define aes_xts_cleanup NULL 1148 1149#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \ 1150 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT) 1151 1152BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1153BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1154 1155static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1156 { 1157 EVP_AES_CCM_CTX *cctx = c->cipher_data; 1158 switch (type) 1159 { 1160 case EVP_CTRL_INIT: 1161 cctx->key_set = 0; 1162 cctx->iv_set = 0; 1163 cctx->L = 8; 1164 cctx->M = 12; 1165 cctx->tag_set = 0; 1166 cctx->len_set = 0; 1167 return 1; 1168 1169 case EVP_CTRL_CCM_SET_IVLEN: 1170 arg = 15 - arg; 1171 case EVP_CTRL_CCM_SET_L: 1172 if (arg < 2 || arg > 8) 1173 return 0; 1174 cctx->L = arg; 1175 return 1; 1176 1177 case EVP_CTRL_CCM_SET_TAG: 1178 if ((arg & 1) || arg < 4 || arg > 16) 1179 return 0; 1180 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) 1181 return 0; 1182 if (ptr) 1183 { 1184 cctx->tag_set = 1; 1185 memcpy(c->buf, ptr, arg); 1186 } 1187 cctx->M = arg; 1188 return 1; 1189 1190 case EVP_CTRL_CCM_GET_TAG: 1191 if (!c->encrypt || !cctx->tag_set) 1192 return 0; 1193 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) 1194 return 0; 1195 cctx->tag_set = 0; 1196 cctx->iv_set = 0; 1197 cctx->len_set = 0; 1198 return 1; 1199 1200 default: 1201 return -1; 1202 1203 } 1204 } 1205 1206static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1207 const unsigned char *iv, int enc) 1208 { 1209 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1210 if (!iv && !key) 1211 return 1; 1212 if (key) do 1213 { 1214#ifdef VPAES_CAPABLE 1215 if (VPAES_CAPABLE) 1216 { 1217 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); 1218 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1219 &cctx->ks, (block128_f)vpaes_encrypt); 1220 cctx->key_set = 1; 1221 break; 1222 } 1223#endif 1224 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 1225 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1226 &cctx->ks, (block128_f)AES_encrypt); 1227 cctx->str = NULL; 1228 cctx->key_set = 1; 1229 } while (0); 1230 if (iv) 1231 { 1232 memcpy(ctx->iv, iv, 15 - cctx->L); 1233 cctx->iv_set = 1; 1234 } 1235 return 1; 1236 } 1237 1238static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1239 const unsigned char *in, size_t len) 1240 { 1241 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 1242 CCM128_CONTEXT *ccm = &cctx->ccm; 1243 /* If not set up, return error */ 1244 if (!cctx->iv_set && !cctx->key_set) 1245 return -1; 1246 if (!ctx->encrypt && !cctx->tag_set) 1247 return -1; 1248 if (!out) 1249 { 1250 if (!in) 1251 { 1252 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len)) 1253 return -1; 1254 cctx->len_set = 1; 1255 return len; 1256 } 1257 /* If have AAD need message length */ 1258 if (!cctx->len_set && len) 1259 return -1; 1260 CRYPTO_ccm128_aad(ccm, in, len); 1261 return len; 1262 } 1263 /* EVP_*Final() doesn't return any data */ 1264 if (!in) 1265 return 0; 1266 /* If not set length yet do it */ 1267 if (!cctx->len_set) 1268 { 1269 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 1270 return -1; 1271 cctx->len_set = 1; 1272 } 1273 if (ctx->encrypt) 1274 { 1275 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, 1276 cctx->str) : 1277 CRYPTO_ccm128_encrypt(ccm, in, out, len)) 1278 return -1; 1279 cctx->tag_set = 1; 1280 return len; 1281 } 1282 else 1283 { 1284 int rv = -1; 1285 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, 1286 cctx->str) : 1287 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) 1288 { 1289 unsigned char tag[16]; 1290 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) 1291 { 1292 if (!memcmp(tag, ctx->buf, cctx->M)) 1293 rv = len; 1294 } 1295 } 1296 if (rv == -1) 1297 OPENSSL_cleanse(out, len); 1298 cctx->iv_set = 0; 1299 cctx->tag_set = 0; 1300 cctx->len_set = 0; 1301 return rv; 1302 } 1303 1304 } 1305 1306#define aes_ccm_cleanup NULL 1307 1308BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1309BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1310BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1311 1312#endif 1313#endif 1314