OLD | NEW |
| (Empty) |
1 /* ==================================================================== | |
2 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. | |
3 * | |
4 * Redistribution and use in source and binary forms, with or without | |
5 * modification, are permitted provided that the following conditions | |
6 * are met: | |
7 * | |
8 * 1. Redistributions of source code must retain the above copyright | |
9 * notice, this list of conditions and the following disclaimer. | |
10 * | |
11 * 2. Redistributions in binary form must reproduce the above copyright | |
12 * notice, this list of conditions and the following disclaimer in | |
13 * the documentation and/or other materials provided with the | |
14 * distribution. | |
15 * | |
16 * 3. All advertising materials mentioning features or use of this | |
17 * software must display the following acknowledgment: | |
18 * "This product includes software developed by the OpenSSL Project | |
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
20 * | |
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
22 * endorse or promote products derived from this software without | |
23 * prior written permission. For written permission, please contact | |
24 * openssl-core@openssl.org. | |
25 * | |
26 * 5. Products derived from this software may not be called "OpenSSL" | |
27 * nor may "OpenSSL" appear in their names without prior written | |
28 * permission of the OpenSSL Project. | |
29 * | |
30 * 6. Redistributions of any form whatsoever must retain the following | |
31 * acknowledgment: | |
32 * "This product includes software developed by the OpenSSL Project | |
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
34 * | |
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
46 * OF THE POSSIBILITY OF SUCH DAMAGE. | |
47 * ==================================================================== | |
48 * | |
49 */ | |
50 | |
51 #include <openssl/opensslconf.h> | |
52 #ifndef OPENSSL_NO_AES | |
53 #include <openssl/evp.h> | |
54 #include <openssl/err.h> | |
55 #include <string.h> | |
56 #include <assert.h> | |
57 #include <openssl/aes.h> | |
58 #include "evp_locl.h" | |
59 #ifndef OPENSSL_FIPS | |
60 #include "modes_lcl.h" | |
61 #include <openssl/rand.h> | |
62 | |
63 typedef struct | |
64 { | |
65 AES_KEY ks; | |
66 block128_f block; | |
67 union { | |
68 cbc128_f cbc; | |
69 ctr128_f ctr; | |
70 } stream; | |
71 } EVP_AES_KEY; | |
72 | |
73 typedef struct | |
74 { | |
75 AES_KEY ks; /* AES key schedule to use */ | |
76 int key_set; /* Set if key initialised */ | |
77 int iv_set; /* Set if an iv is set */ | |
78 GCM128_CONTEXT gcm; | |
79 unsigned char *iv; /* Temporary IV store */ | |
80 int ivlen; /* IV length */ | |
81 int taglen; | |
82 int iv_gen; /* It is OK to generate IVs */ | |
83 int tls_aad_len; /* TLS AAD length */ | |
84 ctr128_f ctr; | |
85 } EVP_AES_GCM_CTX; | |
86 | |
87 typedef struct | |
88 { | |
89 AES_KEY ks1, ks2; /* AES key schedules to use */ | |
90 XTS128_CONTEXT xts; | |
91 void (*stream)(const unsigned char *in, | |
92 unsigned char *out, size_t length, | |
93 const AES_KEY *key1, const AES_KEY *key2, | |
94 const unsigned char iv[16]); | |
95 } EVP_AES_XTS_CTX; | |
96 | |
97 typedef struct | |
98 { | |
99 AES_KEY ks; /* AES key schedule to use */ | |
100 int key_set; /* Set if key initialised */ | |
101 int iv_set; /* Set if an iv is set */ | |
102 int tag_set; /* Set if tag is valid */ | |
103 int len_set; /* Set if message length set */ | |
104 int L, M; /* L and M parameters from RFC3610 */ | |
105 CCM128_CONTEXT ccm; | |
106 ccm128_f str; | |
107 } EVP_AES_CCM_CTX; | |
108 | |
109 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) | |
110 | |
111 #ifdef VPAES_ASM | |
112 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, | |
113 AES_KEY *key); | |
114 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, | |
115 AES_KEY *key); | |
116 | |
117 void vpaes_encrypt(const unsigned char *in, unsigned char *out, | |
118 const AES_KEY *key); | |
119 void vpaes_decrypt(const unsigned char *in, unsigned char *out, | |
120 const AES_KEY *key); | |
121 | |
122 void vpaes_cbc_encrypt(const unsigned char *in, | |
123 unsigned char *out, | |
124 size_t length, | |
125 const AES_KEY *key, | |
126 unsigned char *ivec, int enc); | |
127 #endif | |
128 #ifdef BSAES_ASM | |
129 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, | |
130 size_t length, const AES_KEY *key, | |
131 unsigned char ivec[16], int enc); | |
132 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, | |
133 size_t len, const AES_KEY *key, | |
134 const unsigned char ivec[16]); | |
135 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, | |
136 size_t len, const AES_KEY *key1, | |
137 const AES_KEY *key2, const unsigned char iv[16]); | |
138 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, | |
139 size_t len, const AES_KEY *key1, | |
140 const AES_KEY *key2, const unsigned char iv[16]); | |
141 #endif | |
142 #ifdef AES_CTR_ASM | |
143 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, | |
144 size_t blocks, const AES_KEY *key, | |
145 const unsigned char ivec[AES_BLOCK_SIZE]); | |
146 #endif | |
147 #ifdef AES_XTS_ASM | |
148 void AES_xts_encrypt(const char *inp,char *out,size_t len, | |
149 const AES_KEY *key1, const AES_KEY *key2, | |
150 const unsigned char iv[16]); | |
151 void AES_xts_decrypt(const char *inp,char *out,size_t len, | |
152 const AES_KEY *key1, const AES_KEY *key2, | |
153 const unsigned char iv[16]); | |
154 #endif | |
155 | |
156 #if defined(AES_ASM) && !defined(I386_ONLY) && ( \ | |
157 ((defined(__i386) || defined(__i386__) || \ | |
158 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ | |
159 defined(__x86_64) || defined(__x86_64__) || \ | |
160 defined(_M_AMD64) || defined(_M_X64) || \ | |
161 defined(__INTEL__) ) | |
162 | |
163 extern unsigned int OPENSSL_ia32cap_P[2]; | |
164 | |
165 #ifdef VPAES_ASM | |
166 #define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32))) | |
167 #endif | |
168 #ifdef BSAES_ASM | |
169 #define BSAES_CAPABLE VPAES_CAPABLE | |
170 #endif | |
171 /* | |
172 * AES-NI section | |
173 */ | |
174 #define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32))) | |
175 | |
176 int aesni_set_encrypt_key(const unsigned char *userKey, int bits, | |
177 AES_KEY *key); | |
178 int aesni_set_decrypt_key(const unsigned char *userKey, int bits, | |
179 AES_KEY *key); | |
180 | |
181 void aesni_encrypt(const unsigned char *in, unsigned char *out, | |
182 const AES_KEY *key); | |
183 void aesni_decrypt(const unsigned char *in, unsigned char *out, | |
184 const AES_KEY *key); | |
185 | |
186 void aesni_ecb_encrypt(const unsigned char *in, | |
187 unsigned char *out, | |
188 size_t length, | |
189 const AES_KEY *key, | |
190 int enc); | |
191 void aesni_cbc_encrypt(const unsigned char *in, | |
192 unsigned char *out, | |
193 size_t length, | |
194 const AES_KEY *key, | |
195 unsigned char *ivec, int enc); | |
196 | |
197 void aesni_ctr32_encrypt_blocks(const unsigned char *in, | |
198 unsigned char *out, | |
199 size_t blocks, | |
200 const void *key, | |
201 const unsigned char *ivec); | |
202 | |
203 void aesni_xts_encrypt(const unsigned char *in, | |
204 unsigned char *out, | |
205 size_t length, | |
206 const AES_KEY *key1, const AES_KEY *key2, | |
207 const unsigned char iv[16]); | |
208 | |
209 void aesni_xts_decrypt(const unsigned char *in, | |
210 unsigned char *out, | |
211 size_t length, | |
212 const AES_KEY *key1, const AES_KEY *key2, | |
213 const unsigned char iv[16]); | |
214 | |
215 void aesni_ccm64_encrypt_blocks (const unsigned char *in, | |
216 unsigned char *out, | |
217 size_t blocks, | |
218 const void *key, | |
219 const unsigned char ivec[16], | |
220 unsigned char cmac[16]); | |
221 | |
222 void aesni_ccm64_decrypt_blocks (const unsigned char *in, | |
223 unsigned char *out, | |
224 size_t blocks, | |
225 const void *key, | |
226 const unsigned char ivec[16], | |
227 unsigned char cmac[16]); | |
228 | |
229 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
230 const unsigned char *iv, int enc) | |
231 { | |
232 int ret, mode; | |
233 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; | |
234 | |
235 mode = ctx->cipher->flags & EVP_CIPH_MODE; | |
236 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) | |
237 && !enc) | |
238 { | |
239 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_dat
a); | |
240 dat->block = (block128_f)aesni_decrypt; | |
241 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? | |
242 (cbc128_f)aesni_cbc_encrypt : | |
243 NULL; | |
244 } | |
245 else { | |
246 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_dat
a); | |
247 dat->block = (block128_f)aesni_encrypt; | |
248 if (mode==EVP_CIPH_CBC_MODE) | |
249 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; | |
250 else if (mode==EVP_CIPH_CTR_MODE) | |
251 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; | |
252 else | |
253 dat->stream.cbc = NULL; | |
254 } | |
255 | |
256 if(ret < 0) | |
257 { | |
258 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); | |
259 return 0; | |
260 } | |
261 | |
262 return 1; | |
263 } | |
264 | |
265 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
266 const unsigned char *in, size_t len) | |
267 { | |
268 aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt); | |
269 | |
270 return 1; | |
271 } | |
272 | |
273 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
274 const unsigned char *in, size_t len) | |
275 { | |
276 size_t bl = ctx->cipher->block_size; | |
277 | |
278 if (len<bl) return 1; | |
279 | |
280 aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt); | |
281 | |
282 return 1; | |
283 } | |
284 | |
285 #define aesni_ofb_cipher aes_ofb_cipher | |
286 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
287 const unsigned char *in,size_t len); | |
288 | |
289 #define aesni_cfb_cipher aes_cfb_cipher | |
290 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
291 const unsigned char *in,size_t len); | |
292 | |
293 #define aesni_cfb8_cipher aes_cfb8_cipher | |
294 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
295 const unsigned char *in,size_t len); | |
296 | |
297 #define aesni_cfb1_cipher aes_cfb1_cipher | |
298 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
299 const unsigned char *in,size_t len); | |
300 | |
301 #define aesni_ctr_cipher aes_ctr_cipher | |
302 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
303 const unsigned char *in, size_t len); | |
304 | |
305 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
306 const unsigned char *iv, int enc) | |
307 { | |
308 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; | |
309 if (!iv && !key) | |
310 return 1; | |
311 if (key) | |
312 { | |
313 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); | |
314 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, | |
315 (block128_f)aesni_encrypt); | |
316 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; | |
317 /* If we have an iv can set it directly, otherwise use | |
318 * saved IV. | |
319 */ | |
320 if (iv == NULL && gctx->iv_set) | |
321 iv = gctx->iv; | |
322 if (iv) | |
323 { | |
324 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); | |
325 gctx->iv_set = 1; | |
326 } | |
327 gctx->key_set = 1; | |
328 } | |
329 else | |
330 { | |
331 /* If key set use IV, otherwise copy */ | |
332 if (gctx->key_set) | |
333 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); | |
334 else | |
335 memcpy(gctx->iv, iv, gctx->ivlen); | |
336 gctx->iv_set = 1; | |
337 gctx->iv_gen = 0; | |
338 } | |
339 return 1; | |
340 } | |
341 | |
342 #define aesni_gcm_cipher aes_gcm_cipher | |
343 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
344 const unsigned char *in, size_t len); | |
345 | |
346 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
347 const unsigned char *iv, int enc) | |
348 { | |
349 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; | |
350 if (!iv && !key) | |
351 return 1; | |
352 | |
353 if (key) | |
354 { | |
355 /* key_len is two AES keys */ | |
356 if (enc) | |
357 { | |
358 aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1)
; | |
359 xctx->xts.block1 = (block128_f)aesni_encrypt; | |
360 xctx->stream = aesni_xts_encrypt; | |
361 } | |
362 else | |
363 { | |
364 aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1)
; | |
365 xctx->xts.block1 = (block128_f)aesni_decrypt; | |
366 xctx->stream = aesni_xts_decrypt; | |
367 } | |
368 | |
369 aesni_set_encrypt_key(key + ctx->key_len/2, | |
370 ctx->key_len * 4, &xctx->ks2); | |
371 xctx->xts.block2 = (block128_f)aesni_encrypt; | |
372 | |
373 xctx->xts.key1 = &xctx->ks1; | |
374 } | |
375 | |
376 if (iv) | |
377 { | |
378 xctx->xts.key2 = &xctx->ks2; | |
379 memcpy(ctx->iv, iv, 16); | |
380 } | |
381 | |
382 return 1; | |
383 } | |
384 | |
385 #define aesni_xts_cipher aes_xts_cipher | |
386 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
387 const unsigned char *in, size_t len); | |
388 | |
389 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
390 const unsigned char *iv, int enc) | |
391 { | |
392 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; | |
393 if (!iv && !key) | |
394 return 1; | |
395 if (key) | |
396 { | |
397 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); | |
398 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, | |
399 &cctx->ks, (block128_f)aesni_encrypt); | |
400 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks : | |
401 (ccm128_f)aesni_ccm64_decrypt_blocks; | |
402 cctx->key_set = 1; | |
403 } | |
404 if (iv) | |
405 { | |
406 memcpy(ctx->iv, iv, 15 - cctx->L); | |
407 cctx->iv_set = 1; | |
408 } | |
409 return 1; | |
410 } | |
411 | |
412 #define aesni_ccm_cipher aes_ccm_cipher | |
413 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
414 const unsigned char *in, size_t len); | |
415 | |
416 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ | |
417 static const EVP_CIPHER aesni_##keylen##_##mode = { \ | |
418 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ | |
419 flags|EVP_CIPH_##MODE##_MODE, \ | |
420 aesni_init_key, \ | |
421 aesni_##mode##_cipher, \ | |
422 NULL, \ | |
423 sizeof(EVP_AES_KEY), \ | |
424 NULL,NULL,NULL,NULL }; \ | |
425 static const EVP_CIPHER aes_##keylen##_##mode = { \ | |
426 nid##_##keylen##_##nmode,blocksize, \ | |
427 keylen/8,ivlen, \ | |
428 flags|EVP_CIPH_##MODE##_MODE, \ | |
429 aes_init_key, \ | |
430 aes_##mode##_cipher, \ | |
431 NULL, \ | |
432 sizeof(EVP_AES_KEY), \ | |
433 NULL,NULL,NULL,NULL }; \ | |
434 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ | |
435 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } | |
436 | |
437 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ | |
438 static const EVP_CIPHER aesni_##keylen##_##mode = { \ | |
439 nid##_##keylen##_##mode,blocksize, \ | |
440 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ | |
441 flags|EVP_CIPH_##MODE##_MODE, \ | |
442 aesni_##mode##_init_key, \ | |
443 aesni_##mode##_cipher, \ | |
444 aes_##mode##_cleanup, \ | |
445 sizeof(EVP_AES_##MODE##_CTX), \ | |
446 NULL,NULL,aes_##mode##_ctrl,NULL }; \ | |
447 static const EVP_CIPHER aes_##keylen##_##mode = { \ | |
448 nid##_##keylen##_##mode,blocksize, \ | |
449 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ | |
450 flags|EVP_CIPH_##MODE##_MODE, \ | |
451 aes_##mode##_init_key, \ | |
452 aes_##mode##_cipher, \ | |
453 aes_##mode##_cleanup, \ | |
454 sizeof(EVP_AES_##MODE##_CTX), \ | |
455 NULL,NULL,aes_##mode##_ctrl,NULL }; \ | |
456 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ | |
457 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; } | |
458 | |
459 #else | |
460 | |
461 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ | |
462 static const EVP_CIPHER aes_##keylen##_##mode = { \ | |
463 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ | |
464 flags|EVP_CIPH_##MODE##_MODE, \ | |
465 aes_init_key, \ | |
466 aes_##mode##_cipher, \ | |
467 NULL, \ | |
468 sizeof(EVP_AES_KEY), \ | |
469 NULL,NULL,NULL,NULL }; \ | |
470 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ | |
471 { return &aes_##keylen##_##mode; } | |
472 | |
473 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ | |
474 static const EVP_CIPHER aes_##keylen##_##mode = { \ | |
475 nid##_##keylen##_##mode,blocksize, \ | |
476 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ | |
477 flags|EVP_CIPH_##MODE##_MODE, \ | |
478 aes_##mode##_init_key, \ | |
479 aes_##mode##_cipher, \ | |
480 aes_##mode##_cleanup, \ | |
481 sizeof(EVP_AES_##MODE##_CTX), \ | |
482 NULL,NULL,aes_##mode##_ctrl,NULL }; \ | |
483 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ | |
484 { return &aes_##keylen##_##mode; } | |
485 #endif | |
486 | |
487 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \ | |
488 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DE
FAULT_ASN1) \ | |
489 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEF
AULT_ASN1) \ | |
490 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_
DEFAULT_ASN1) \ | |
491 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_
DEFAULT_ASN1) \ | |
492 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \ | |
493 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \ | |
494 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags) | |
495 | |
496 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
497 const unsigned char *iv, int enc) | |
498 { | |
499 int ret, mode; | |
500 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; | |
501 | |
502 mode = ctx->cipher->flags & EVP_CIPH_MODE; | |
503 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) | |
504 && !enc) | |
505 #ifdef BSAES_CAPABLE | |
506 if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE) | |
507 { | |
508 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks); | |
509 dat->block = (block128_f)AES_decrypt; | |
510 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; | |
511 } | |
512 else | |
513 #endif | |
514 #ifdef VPAES_CAPABLE | |
515 if (VPAES_CAPABLE) | |
516 { | |
517 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks); | |
518 dat->block = (block128_f)vpaes_decrypt; | |
519 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? | |
520 (cbc128_f)vpaes_cbc_encrypt : | |
521 NULL; | |
522 } | |
523 else | |
524 #endif | |
525 { | |
526 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks); | |
527 dat->block = (block128_f)AES_decrypt; | |
528 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? | |
529 (cbc128_f)AES_cbc_encrypt : | |
530 NULL; | |
531 } | |
532 else | |
533 #ifdef BSAES_CAPABLE | |
534 if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE) | |
535 { | |
536 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks); | |
537 dat->block = (block128_f)AES_encrypt; | |
538 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; | |
539 } | |
540 else | |
541 #endif | |
542 #ifdef VPAES_CAPABLE | |
543 if (VPAES_CAPABLE) | |
544 { | |
545 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks); | |
546 dat->block = (block128_f)vpaes_encrypt; | |
547 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? | |
548 (cbc128_f)vpaes_cbc_encrypt : | |
549 NULL; | |
550 } | |
551 else | |
552 #endif | |
553 { | |
554 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks); | |
555 dat->block = (block128_f)AES_encrypt; | |
556 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ? | |
557 (cbc128_f)AES_cbc_encrypt : | |
558 NULL; | |
559 #ifdef AES_CTR_ASM | |
560 if (mode==EVP_CIPH_CTR_MODE) | |
561 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; | |
562 #endif | |
563 } | |
564 | |
565 if(ret < 0) | |
566 { | |
567 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); | |
568 return 0; | |
569 } | |
570 | |
571 return 1; | |
572 } | |
573 | |
574 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
575 const unsigned char *in, size_t len) | |
576 { | |
577 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; | |
578 | |
579 if (dat->stream.cbc) | |
580 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt); | |
581 else if (ctx->encrypt) | |
582 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); | |
583 else | |
584 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block); | |
585 | |
586 return 1; | |
587 } | |
588 | |
589 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
590 const unsigned char *in, size_t len) | |
591 { | |
592 size_t bl = ctx->cipher->block_size; | |
593 size_t i; | |
594 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; | |
595 | |
596 if (len<bl) return 1; | |
597 | |
598 for (i=0,len-=bl;i<=len;i+=bl) | |
599 (*dat->block)(in+i,out+i,&dat->ks); | |
600 | |
601 return 1; | |
602 } | |
603 | |
604 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
605 const unsigned char *in,size_t len) | |
606 { | |
607 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; | |
608 | |
609 CRYPTO_ofb128_encrypt(in,out,len,&dat->ks, | |
610 ctx->iv,&ctx->num,dat->block); | |
611 return 1; | |
612 } | |
613 | |
614 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
615 const unsigned char *in,size_t len) | |
616 { | |
617 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; | |
618 | |
619 CRYPTO_cfb128_encrypt(in,out,len,&dat->ks, | |
620 ctx->iv,&ctx->num,ctx->encrypt,dat->block); | |
621 return 1; | |
622 } | |
623 | |
624 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
625 const unsigned char *in,size_t len) | |
626 { | |
627 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; | |
628 | |
629 CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks, | |
630 ctx->iv,&ctx->num,ctx->encrypt,dat->block); | |
631 return 1; | |
632 } | |
633 | |
634 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, | |
635 const unsigned char *in,size_t len) | |
636 { | |
637 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; | |
638 | |
639 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { | |
640 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks, | |
641 ctx->iv,&ctx->num,ctx->encrypt,dat->block); | |
642 return 1; | |
643 } | |
644 | |
645 while (len>=MAXBITCHUNK) { | |
646 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks, | |
647 ctx->iv,&ctx->num,ctx->encrypt,dat->block); | |
648 len-=MAXBITCHUNK; | |
649 } | |
650 if (len) | |
651 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks, | |
652 ctx->iv,&ctx->num,ctx->encrypt,dat->block); | |
653 | |
654 return 1; | |
655 } | |
656 | |
657 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out, | |
658 const unsigned char *in, size_t len) | |
659 { | |
660 unsigned int num = ctx->num; | |
661 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; | |
662 | |
663 if (dat->stream.ctr) | |
664 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks, | |
665 ctx->iv,ctx->buf,&num,dat->stream.ctr); | |
666 else | |
667 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks, | |
668 ctx->iv,ctx->buf,&num,dat->block); | |
669 ctx->num = (size_t)num; | |
670 return 1; | |
671 } | |
672 | |
673 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS) | |
674 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS) | |
675 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS) | |
676 | |
677 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) | |
678 { | |
679 EVP_AES_GCM_CTX *gctx = c->cipher_data; | |
680 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); | |
681 if (gctx->iv != c->iv) | |
682 OPENSSL_free(gctx->iv); | |
683 return 1; | |
684 } | |
685 | |
686 /* increment counter (64-bit int) by 1 */ | |
687 static void ctr64_inc(unsigned char *counter) { | |
688 int n=8; | |
689 unsigned char c; | |
690 | |
691 do { | |
692 --n; | |
693 c = counter[n]; | |
694 ++c; | |
695 counter[n] = c; | |
696 if (c) return; | |
697 } while (n); | |
698 } | |
699 | |
700 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) | |
701 { | |
702 EVP_AES_GCM_CTX *gctx = c->cipher_data; | |
703 switch (type) | |
704 { | |
705 case EVP_CTRL_INIT: | |
706 gctx->key_set = 0; | |
707 gctx->iv_set = 0; | |
708 gctx->ivlen = c->cipher->iv_len; | |
709 gctx->iv = c->iv; | |
710 gctx->taglen = -1; | |
711 gctx->iv_gen = 0; | |
712 gctx->tls_aad_len = -1; | |
713 return 1; | |
714 | |
715 case EVP_CTRL_GCM_SET_IVLEN: | |
716 if (arg <= 0) | |
717 return 0; | |
718 #ifdef OPENSSL_FIPS | |
719 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_AL
LOW) | |
720 && arg < 12) | |
721 return 0; | |
722 #endif | |
723 /* Allocate memory for IV if needed */ | |
724 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) | |
725 { | |
726 if (gctx->iv != c->iv) | |
727 OPENSSL_free(gctx->iv); | |
728 gctx->iv = OPENSSL_malloc(arg); | |
729 if (!gctx->iv) | |
730 return 0; | |
731 } | |
732 gctx->ivlen = arg; | |
733 return 1; | |
734 | |
735 case EVP_CTRL_GCM_SET_TAG: | |
736 if (arg <= 0 || arg > 16 || c->encrypt) | |
737 return 0; | |
738 memcpy(c->buf, ptr, arg); | |
739 gctx->taglen = arg; | |
740 return 1; | |
741 | |
742 case EVP_CTRL_GCM_GET_TAG: | |
743 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) | |
744 return 0; | |
745 memcpy(ptr, c->buf, arg); | |
746 return 1; | |
747 | |
748 case EVP_CTRL_GCM_SET_IV_FIXED: | |
749 /* Special case: -1 length restores whole IV */ | |
750 if (arg == -1) | |
751 { | |
752 memcpy(gctx->iv, ptr, gctx->ivlen); | |
753 gctx->iv_gen = 1; | |
754 return 1; | |
755 } | |
756 /* Fixed field must be at least 4 bytes and invocation field | |
757 * at least 8. | |
758 */ | |
759 if ((arg < 4) || (gctx->ivlen - arg) < 8) | |
760 return 0; | |
761 if (arg) | |
762 memcpy(gctx->iv, ptr, arg); | |
763 if (c->encrypt && | |
764 RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) | |
765 return 0; | |
766 gctx->iv_gen = 1; | |
767 return 1; | |
768 | |
769 case EVP_CTRL_GCM_IV_GEN: | |
770 if (gctx->iv_gen == 0 || gctx->key_set == 0) | |
771 return 0; | |
772 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); | |
773 if (arg <= 0 || arg > gctx->ivlen) | |
774 arg = gctx->ivlen; | |
775 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); | |
776 /* Invocation field will be at least 8 bytes in size and | |
777 * so no need to check wrap around or increment more than | |
778 * last 8 bytes. | |
779 */ | |
780 ctr64_inc(gctx->iv + gctx->ivlen - 8); | |
781 gctx->iv_set = 1; | |
782 return 1; | |
783 | |
784 case EVP_CTRL_GCM_SET_IV_INV: | |
785 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) | |
786 return 0; | |
787 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); | |
788 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); | |
789 gctx->iv_set = 1; | |
790 return 1; | |
791 | |
792 case EVP_CTRL_AEAD_TLS1_AAD: | |
793 /* Save the AAD for later use */ | |
794 if (arg != 13) | |
795 return 0; | |
796 memcpy(c->buf, ptr, arg); | |
797 gctx->tls_aad_len = arg; | |
798 { | |
799 unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1]; | |
800 /* Correct length for explicit IV */ | |
801 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
802 /* If decrypting correct for tag too */ | |
803 if (!c->encrypt) | |
804 len -= EVP_GCM_TLS_TAG_LEN; | |
805 c->buf[arg-2] = len>>8; | |
806 c->buf[arg-1] = len & 0xff; | |
807 } | |
808 /* Extra padding: tag appended to record */ | |
809 return EVP_GCM_TLS_TAG_LEN; | |
810 | |
811 default: | |
812 return -1; | |
813 | |
814 } | |
815 } | |
816 | |
817 static ctr128_f aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx, | |
818 const unsigned char *key, size_t key_len) | |
819 { | |
820 #ifdef BSAES_CAPABLE | |
821 if (BSAES_CAPABLE) | |
822 { | |
823 AES_set_encrypt_key(key,key_len*8,aes_key); | |
824 CRYPTO_gcm128_init(gcm_ctx,aes_key, | |
825 (block128_f)AES_encrypt); | |
826 return (ctr128_f)bsaes_ctr32_encrypt_blocks; | |
827 } | |
828 #endif | |
829 #ifdef VPAES_CAPABLE | |
830 if (VPAES_CAPABLE) | |
831 { | |
832 vpaes_set_encrypt_key(key,key_len*8,aes_key); | |
833 CRYPTO_gcm128_init(gcm_ctx,aes_key, | |
834 (block128_f)vpaes_encrypt); | |
835 return NULL; | |
836 } | |
837 #endif | |
838 AES_set_encrypt_key(key, key_len*8, aes_key); | |
839 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); | |
840 #ifdef AES_CTR_ASM | |
841 return (ctr128_f)AES_ctr32_encrypt; | |
842 #else | |
843 return NULL; | |
844 #endif | |
845 } | |
846 | |
847 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
848 const unsigned char *iv, int enc) | |
849 { | |
850 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; | |
851 if (!iv && !key) | |
852 return 1; | |
853 if (key) | |
854 { | |
855 gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, key, ctx->key
_len); | |
856 /* If we have an iv can set it directly, otherwise use | |
857 * saved IV. | |
858 */ | |
859 if (iv == NULL && gctx->iv_set) | |
860 iv = gctx->iv; | |
861 if (iv) | |
862 { | |
863 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); | |
864 gctx->iv_set = 1; | |
865 } | |
866 gctx->key_set = 1; | |
867 } | |
868 else | |
869 { | |
870 /* If key set use IV, otherwise copy */ | |
871 if (gctx->key_set) | |
872 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); | |
873 else | |
874 memcpy(gctx->iv, iv, gctx->ivlen); | |
875 gctx->iv_set = 1; | |
876 gctx->iv_gen = 0; | |
877 } | |
878 return 1; | |
879 } | |
880 | |
881 /* Handle TLS GCM packet format. This consists of the last portion of the IV | |
882 * followed by the payload and finally the tag. On encrypt generate IV, | |
883 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload | |
884 * and verify tag. | |
885 */ | |
886 | |
887 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
888 const unsigned char *in, size_t len) | |
889 { | |
890 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; | |
891 int rv = -1; | |
892 /* Encrypt/decrypt must be performed in place */ | |
893 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN)
) | |
894 return -1; | |
895 /* Set IV from start of buffer or generate IV and write to start | |
896 * of buffer. | |
897 */ | |
898 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? | |
899 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, | |
900 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) | |
901 goto err; | |
902 /* Use saved AAD */ | |
903 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) | |
904 goto err; | |
905 /* Fix buffer and length to point to payload */ | |
906 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
907 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
908 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; | |
909 if (ctx->encrypt) | |
910 { | |
911 /* Encrypt payload */ | |
912 if (gctx->ctr) | |
913 { | |
914 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, | |
915 in, out, len, | |
916 gctx->ctr)) | |
917 goto err; | |
918 } | |
919 else { | |
920 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) | |
921 goto err; | |
922 } | |
923 out += len; | |
924 /* Finally write tag */ | |
925 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); | |
926 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; | |
927 } | |
928 else | |
929 { | |
930 /* Decrypt */ | |
931 if (gctx->ctr) | |
932 { | |
933 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, | |
934 in, out, len, | |
935 gctx->ctr)) | |
936 goto err; | |
937 } | |
938 else { | |
939 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) | |
940 goto err; | |
941 } | |
942 /* Retrieve tag */ | |
943 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, | |
944 EVP_GCM_TLS_TAG_LEN); | |
945 /* If tag mismatch wipe buffer */ | |
946 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) | |
947 { | |
948 OPENSSL_cleanse(out, len); | |
949 goto err; | |
950 } | |
951 rv = len; | |
952 } | |
953 | |
954 err: | |
955 gctx->iv_set = 0; | |
956 gctx->tls_aad_len = -1; | |
957 return rv; | |
958 } | |
959 | |
960 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
961 const unsigned char *in, size_t len) | |
962 { | |
963 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; | |
964 /* If not set up, return error */ | |
965 if (!gctx->key_set) | |
966 return -1; | |
967 | |
968 if (gctx->tls_aad_len >= 0) | |
969 return aes_gcm_tls_cipher(ctx, out, in, len); | |
970 | |
971 if (!gctx->iv_set) | |
972 return -1; | |
973 if (in) | |
974 { | |
975 if (out == NULL) | |
976 { | |
977 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) | |
978 return -1; | |
979 } | |
980 else if (ctx->encrypt) | |
981 { | |
982 if (gctx->ctr) | |
983 { | |
984 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, | |
985 in, out, len, | |
986 gctx->ctr)) | |
987 return -1; | |
988 } | |
989 else { | |
990 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, l
en)) | |
991 return -1; | |
992 } | |
993 } | |
994 else | |
995 { | |
996 if (gctx->ctr) | |
997 { | |
998 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, | |
999 in, out, len, | |
1000 gctx->ctr)) | |
1001 return -1; | |
1002 } | |
1003 else { | |
1004 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, l
en)) | |
1005 return -1; | |
1006 } | |
1007 } | |
1008 return len; | |
1009 } | |
1010 else | |
1011 { | |
1012 if (!ctx->encrypt) | |
1013 { | |
1014 if (gctx->taglen < 0) | |
1015 return -1; | |
1016 if (CRYPTO_gcm128_finish(&gctx->gcm, | |
1017 ctx->buf, gctx->taglen) != 0) | |
1018 return -1; | |
1019 gctx->iv_set = 0; | |
1020 return 0; | |
1021 } | |
1022 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); | |
1023 gctx->taglen = 16; | |
1024 /* Don't reuse the IV */ | |
1025 gctx->iv_set = 0; | |
1026 return 0; | |
1027 } | |
1028 | |
1029 } | |
1030 | |
1031 #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ | |
1032 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | |
1033 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT) | |
1034 | |
1035 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM, | |
1036 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) | |
1037 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM, | |
1038 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) | |
1039 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM, | |
1040 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) | |
1041 | |
1042 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) | |
1043 { | |
1044 EVP_AES_XTS_CTX *xctx = c->cipher_data; | |
1045 if (type != EVP_CTRL_INIT) | |
1046 return -1; | |
1047 /* key1 and key2 are used as an indicator both key and IV are set */ | |
1048 xctx->xts.key1 = NULL; | |
1049 xctx->xts.key2 = NULL; | |
1050 return 1; | |
1051 } | |
1052 | |
1053 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
1054 const unsigned char *iv, int enc) | |
1055 { | |
1056 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; | |
1057 if (!iv && !key) | |
1058 return 1; | |
1059 | |
1060 if (key) do | |
1061 { | |
1062 #ifdef AES_XTS_ASM | |
1063 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; | |
1064 #else | |
1065 xctx->stream = NULL; | |
1066 #endif | |
1067 /* key_len is two AES keys */ | |
1068 #ifdef BSAES_CAPABLE | |
1069 if (BSAES_CAPABLE) | |
1070 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decry
pt; | |
1071 else | |
1072 #endif | |
1073 #ifdef VPAES_CAPABLE | |
1074 if (VPAES_CAPABLE) | |
1075 { | |
1076 if (enc) | |
1077 { | |
1078 vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1)
; | |
1079 xctx->xts.block1 = (block128_f)vpaes_encrypt; | |
1080 } | |
1081 else | |
1082 { | |
1083 vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1)
; | |
1084 xctx->xts.block1 = (block128_f)vpaes_decrypt; | |
1085 } | |
1086 | |
1087 vpaes_set_encrypt_key(key + ctx->key_len/2, | |
1088 ctx->key_len * 4, &xctx->ks2); | |
1089 xctx->xts.block2 = (block128_f)vpaes_encrypt; | |
1090 | |
1091 xctx->xts.key1 = &xctx->ks1; | |
1092 break; | |
1093 } | |
1094 #endif | |
1095 if (enc) | |
1096 { | |
1097 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); | |
1098 xctx->xts.block1 = (block128_f)AES_encrypt; | |
1099 } | |
1100 else | |
1101 { | |
1102 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); | |
1103 xctx->xts.block1 = (block128_f)AES_decrypt; | |
1104 } | |
1105 | |
1106 AES_set_encrypt_key(key + ctx->key_len/2, | |
1107 ctx->key_len * 4, &xctx->ks2); | |
1108 xctx->xts.block2 = (block128_f)AES_encrypt; | |
1109 | |
1110 xctx->xts.key1 = &xctx->ks1; | |
1111 } while (0); | |
1112 | |
1113 if (iv) | |
1114 { | |
1115 xctx->xts.key2 = &xctx->ks2; | |
1116 memcpy(ctx->iv, iv, 16); | |
1117 } | |
1118 | |
1119 return 1; | |
1120 } | |
1121 | |
1122 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
1123 const unsigned char *in, size_t len) | |
1124 { | |
1125 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; | |
1126 if (!xctx->xts.key1 || !xctx->xts.key2) | |
1127 return 0; | |
1128 if (!out || !in || len<AES_BLOCK_SIZE) | |
1129 return 0; | |
1130 #ifdef OPENSSL_FIPS | |
1131 /* Requirement of SP800-38E */ | |
1132 if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &
& | |
1133 (len > (1UL<<20)*16)) | |
1134 { | |
1135 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); | |
1136 return 0; | |
1137 } | |
1138 #endif | |
1139 if (xctx->stream) | |
1140 (*xctx->stream)(in, out, len, | |
1141 xctx->xts.key1, xctx->xts.key2, ctx->iv); | |
1142 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, | |
1143 ctx->encrypt)) | |
1144 return 0; | |
1145 return 1; | |
1146 } | |
1147 | |
1148 #define aes_xts_cleanup NULL | |
1149 | |
1150 #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \ | |
1151 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT) | |
1152 | |
1153 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) | |
1154 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS) | |
1155 | |
1156 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) | |
1157 { | |
1158 EVP_AES_CCM_CTX *cctx = c->cipher_data; | |
1159 switch (type) | |
1160 { | |
1161 case EVP_CTRL_INIT: | |
1162 cctx->key_set = 0; | |
1163 cctx->iv_set = 0; | |
1164 cctx->L = 8; | |
1165 cctx->M = 12; | |
1166 cctx->tag_set = 0; | |
1167 cctx->len_set = 0; | |
1168 return 1; | |
1169 | |
1170 case EVP_CTRL_CCM_SET_IVLEN: | |
1171 arg = 15 - arg; | |
1172 case EVP_CTRL_CCM_SET_L: | |
1173 if (arg < 2 || arg > 8) | |
1174 return 0; | |
1175 cctx->L = arg; | |
1176 return 1; | |
1177 | |
1178 case EVP_CTRL_CCM_SET_TAG: | |
1179 if ((arg & 1) || arg < 4 || arg > 16) | |
1180 return 0; | |
1181 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) | |
1182 return 0; | |
1183 if (ptr) | |
1184 { | |
1185 cctx->tag_set = 1; | |
1186 memcpy(c->buf, ptr, arg); | |
1187 } | |
1188 cctx->M = arg; | |
1189 return 1; | |
1190 | |
1191 case EVP_CTRL_CCM_GET_TAG: | |
1192 if (!c->encrypt || !cctx->tag_set) | |
1193 return 0; | |
1194 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) | |
1195 return 0; | |
1196 cctx->tag_set = 0; | |
1197 cctx->iv_set = 0; | |
1198 cctx->len_set = 0; | |
1199 return 1; | |
1200 | |
1201 default: | |
1202 return -1; | |
1203 | |
1204 } | |
1205 } | |
1206 | |
1207 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
1208 const unsigned char *iv, int enc) | |
1209 { | |
1210 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; | |
1211 if (!iv && !key) | |
1212 return 1; | |
1213 if (key) do | |
1214 { | |
1215 #ifdef VPAES_CAPABLE | |
1216 if (VPAES_CAPABLE) | |
1217 { | |
1218 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); | |
1219 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, | |
1220 &cctx->ks, (block128_f)vpaes_encrypt); | |
1221 cctx->str = NULL; | |
1222 cctx->key_set = 1; | |
1223 break; | |
1224 } | |
1225 #endif | |
1226 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); | |
1227 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, | |
1228 &cctx->ks, (block128_f)AES_encrypt); | |
1229 cctx->str = NULL; | |
1230 cctx->key_set = 1; | |
1231 } while (0); | |
1232 if (iv) | |
1233 { | |
1234 memcpy(ctx->iv, iv, 15 - cctx->L); | |
1235 cctx->iv_set = 1; | |
1236 } | |
1237 return 1; | |
1238 } | |
1239 | |
1240 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | |
1241 const unsigned char *in, size_t len) | |
1242 { | |
1243 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; | |
1244 CCM128_CONTEXT *ccm = &cctx->ccm; | |
1245 /* If not set up, return error */ | |
1246 if (!cctx->iv_set && !cctx->key_set) | |
1247 return -1; | |
1248 if (!ctx->encrypt && !cctx->tag_set) | |
1249 return -1; | |
1250 if (!out) | |
1251 { | |
1252 if (!in) | |
1253 { | |
1254 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len)) | |
1255 return -1; | |
1256 cctx->len_set = 1; | |
1257 return len; | |
1258 } | |
1259 /* If have AAD need message length */ | |
1260 if (!cctx->len_set && len) | |
1261 return -1; | |
1262 CRYPTO_ccm128_aad(ccm, in, len); | |
1263 return len; | |
1264 } | |
1265 /* EVP_*Final() doesn't return any data */ | |
1266 if (!in) | |
1267 return 0; | |
1268 /* If not set length yet do it */ | |
1269 if (!cctx->len_set) | |
1270 { | |
1271 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) | |
1272 return -1; | |
1273 cctx->len_set = 1; | |
1274 } | |
1275 if (ctx->encrypt) | |
1276 { | |
1277 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, | |
1278 cctx->str) : | |
1279 CRYPTO_ccm128_encrypt(ccm, in, out, len)) | |
1280 return -1; | |
1281 cctx->tag_set = 1; | |
1282 return len; | |
1283 } | |
1284 else | |
1285 { | |
1286 int rv = -1; | |
1287 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, | |
1288 cctx->str) : | |
1289 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) | |
1290 { | |
1291 unsigned char tag[16]; | |
1292 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) | |
1293 { | |
1294 if (!memcmp(tag, ctx->buf, cctx->M)) | |
1295 rv = len; | |
1296 } | |
1297 } | |
1298 if (rv == -1) | |
1299 OPENSSL_cleanse(out, len); | |
1300 cctx->iv_set = 0; | |
1301 cctx->tag_set = 0; | |
1302 cctx->len_set = 0; | |
1303 return rv; | |
1304 } | |
1305 | |
1306 } | |
1307 | |
1308 #define aes_ccm_cleanup NULL | |
1309 | |
1310 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) | |
1311 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) | |
1312 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) | |
1313 | |
1314 #define EVP_AEAD_AES_128_GCM_TAG_LEN 16 | |
1315 | |
1316 struct aead_aes_128_gcm_ctx { | |
1317 union { double align; AES_KEY ks; } ks; | |
1318 GCM128_CONTEXT gcm; | |
1319 ctr128_f ctr; | |
1320 unsigned char tag_len; | |
1321 }; | |
1322 | |
1323 static int aead_aes_128_gcm_init(EVP_AEAD_CTX *ctx, | |
1324 const unsigned char *key, size_t key_len, size_t tag_len) | |
1325 { | |
1326 struct aead_aes_128_gcm_ctx *gcm_ctx; | |
1327 | |
1328 if (key_len*8 != 128) | |
1329 { | |
1330 EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_BAD_KEY_LENGTH); | |
1331 return 0; /* EVP_AEAD_CTX_init should catch this. */ | |
1332 } | |
1333 | |
1334 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) | |
1335 tag_len = EVP_AEAD_AES_128_GCM_TAG_LEN; | |
1336 | |
1337 if (tag_len > EVP_AEAD_AES_128_GCM_TAG_LEN) | |
1338 { | |
1339 EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_TAG_TOO_LARGE); | |
1340 return 0; | |
1341 } | |
1342 | |
1343 gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_128_gcm_ctx)); | |
1344 if (gcm_ctx == NULL) | |
1345 return 0; | |
1346 | |
1347 #ifdef AESNI_CAPABLE | |
1348 if (AESNI_CAPABLE) | |
1349 { | |
1350 aesni_set_encrypt_key(key, key_len * 8, &gcm_ctx->ks.ks); | |
1351 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, | |
1352 (block128_f)aesni_encrypt); | |
1353 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; | |
1354 } | |
1355 else | |
1356 #endif | |
1357 { | |
1358 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, | |
1359 key, key_len); | |
1360 } | |
1361 gcm_ctx->tag_len = tag_len; | |
1362 ctx->aead_state = gcm_ctx; | |
1363 | |
1364 return 1; | |
1365 } | |
1366 | |
1367 static void aead_aes_128_gcm_cleanup(EVP_AEAD_CTX *ctx) | |
1368 { | |
1369 struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state; | |
1370 OPENSSL_free(gcm_ctx); | |
1371 } | |
1372 | |
1373 static ssize_t aead_aes_128_gcm_seal(const EVP_AEAD_CTX *ctx, | |
1374 unsigned char *out, size_t max_out_len, | |
1375 const unsigned char *nonce, size_t nonce_len, | |
1376 const unsigned char *in, size_t in_len, | |
1377 const unsigned char *ad, size_t ad_len) | |
1378 { | |
1379 size_t bulk = 0; | |
1380 const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state; | |
1381 GCM128_CONTEXT gcm; | |
1382 | |
1383 if (max_out_len < in_len + gcm_ctx->tag_len) | |
1384 { | |
1385 EVPerr(EVP_F_AEAD_AES_128_GCM_SEAL, EVP_R_BUFFER_TOO_SMALL); | |
1386 return -1; | |
1387 } | |
1388 | |
1389 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); | |
1390 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); | |
1391 | |
1392 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) | |
1393 return -1; | |
1394 | |
1395 if (gcm_ctx->ctr) | |
1396 { | |
1397 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk, | |
1398 in_len - bulk, gcm_ctx->ctr)) | |
1399 return -1; | |
1400 } | |
1401 else | |
1402 { | |
1403 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk, | |
1404 in_len - bulk)) | |
1405 return -1; | |
1406 } | |
1407 | |
1408 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len); | |
1409 return in_len + gcm_ctx->tag_len; | |
1410 } | |
1411 | |
1412 static ssize_t aead_aes_128_gcm_open(const EVP_AEAD_CTX *ctx, | |
1413 unsigned char *out, size_t max_out_len, | |
1414 const unsigned char *nonce, size_t nonce_len, | |
1415 const unsigned char *in, size_t in_len, | |
1416 const unsigned char *ad, size_t ad_len) | |
1417 { | |
1418 size_t bulk = 0; | |
1419 const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state; | |
1420 unsigned char tag[EVP_AEAD_AES_128_GCM_TAG_LEN]; | |
1421 size_t out_len; | |
1422 GCM128_CONTEXT gcm; | |
1423 | |
1424 if (in_len < gcm_ctx->tag_len) | |
1425 { | |
1426 EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT); | |
1427 return -1; | |
1428 } | |
1429 | |
1430 out_len = in_len - gcm_ctx->tag_len; | |
1431 | |
1432 if (max_out_len < out_len) | |
1433 { | |
1434 EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BUFFER_TOO_SMALL); | |
1435 return -1; | |
1436 } | |
1437 | |
1438 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); | |
1439 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); | |
1440 | |
1441 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) | |
1442 return -1; | |
1443 | |
1444 if (gcm_ctx->ctr) | |
1445 { | |
1446 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk, | |
1447 in_len-bulk-gcm_ctx->tag_len, | |
1448 gcm_ctx->ctr)) | |
1449 return -1; | |
1450 } | |
1451 else | |
1452 { | |
1453 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk, | |
1454 in_len - bulk - gcm_ctx->tag_len)) | |
1455 return -1; | |
1456 } | |
1457 | |
1458 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); | |
1459 if (CRYPTO_memcmp(tag, in + out_len, gcm_ctx->tag_len) != 0) | |
1460 { | |
1461 EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT); | |
1462 return -1; | |
1463 } | |
1464 | |
1465 return out_len; | |
1466 } | |
1467 | |
1468 static const EVP_AEAD aead_aes_128_gcm = { | |
1469 16, /* key len */ | |
1470 12, /* nonce len */ | |
1471 EVP_AEAD_AES_128_GCM_TAG_LEN, /* overhead */ | |
1472 EVP_AEAD_AES_128_GCM_TAG_LEN, /* max tag length */ | |
1473 | |
1474 aead_aes_128_gcm_init, | |
1475 aead_aes_128_gcm_cleanup, | |
1476 aead_aes_128_gcm_seal, | |
1477 aead_aes_128_gcm_open, | |
1478 }; | |
1479 | |
1480 const EVP_AEAD *EVP_aead_aes_128_gcm() | |
1481 { | |
1482 return &aead_aes_128_gcm; | |
1483 } | |
1484 | |
1485 #endif | |
1486 #endif | |
OLD | NEW |