openssl/crypto/evp/e_aes.c - Issue 2072073002: Delete bundled copy of OpenSSL and replace with README.

Side by Side Diff: openssl/crypto/evp/e_aes.c

Issue 2072073002: Delete bundled copy of OpenSSL and replace with README. (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/openssl@master

Patch Set: Delete bundled copy of OpenSSL and replace with README. Created 4 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
	(Empty)
1 /* ====================================================================

2 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.

3 *

4 * Redistribution and use in source and binary forms, with or without

5 * modification, are permitted provided that the following conditions

6 * are met:

7 *

8 * 1. Redistributions of source code must retain the above copyright

9 * notice, this list of conditions and the following disclaimer.

10 *

11 * 2. Redistributions in binary form must reproduce the above copyright

12 * notice, this list of conditions and the following disclaimer in

13 * the documentation and/or other materials provided with the

14 * distribution.

15 *

16 * 3. All advertising materials mentioning features or use of this

17 * software must display the following acknowledgment:

18 * "This product includes software developed by the OpenSSL Project

19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

20 *

21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

22 * endorse or promote products derived from this software without

23 * prior written permission. For written permission, please contact

24 * openssl-core@openssl.org.

25 *

26 * 5. Products derived from this software may not be called "OpenSSL"

27 * nor may "OpenSSL" appear in their names without prior written

28 * permission of the OpenSSL Project.

29 *

30 * 6. Redistributions of any form whatsoever must retain the following

31 * acknowledgment:

32 * "This product includes software developed by the OpenSSL Project

33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"

34 *

35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR

39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

46 * OF THE POSSIBILITY OF SUCH DAMAGE.

47 * ====================================================================

48 *

49 */

50

51 #include <openssl/opensslconf.h>

52 #ifndef OPENSSL_NO_AES

53 #include <openssl/evp.h>

54 #include <openssl/err.h>

55 #include <string.h>

56 #include <assert.h>

57 #include <openssl/aes.h>

58 #include "evp_locl.h"

59 #ifndef OPENSSL_FIPS

60 #include "modes_lcl.h"

61 #include <openssl/rand.h>

62

63 typedef struct

64 {

65 AES_KEY ks;

66 block128_f block;

67 union {

68 cbc128_f cbc;

69 ctr128_f ctr;

70 } stream;

71 } EVP_AES_KEY;

72

73 typedef struct

74 {

75 AES_KEY ks; /* AES key schedule to use */

76 int key_set; /* Set if key initialised */

77 int iv_set; /* Set if an iv is set */

78 GCM128_CONTEXT gcm;

79 unsigned char iv; / Temporary IV store */

80 int ivlen; /* IV length */

81 int taglen;

82 int iv_gen; /* It is OK to generate IVs */

83 int tls_aad_len; /* TLS AAD length */

84 ctr128_f ctr;

85 } EVP_AES_GCM_CTX;

86

87 typedef struct

88 {

89 AES_KEY ks1, ks2; /* AES key schedules to use */

90 XTS128_CONTEXT xts;

91 void (stream)(const unsigned char in,

92 unsigned char *out, size_t length,

93 const AES_KEY key1, const AES_KEY key2,

94 const unsigned char iv[16]);

95 } EVP_AES_XTS_CTX;

96

97 typedef struct

98 {

99 AES_KEY ks; /* AES key schedule to use */

100 int key_set; /* Set if key initialised */

101 int iv_set; /* Set if an iv is set */

102 int tag_set; /* Set if tag is valid */

103 int len_set; /* Set if message length set */

104 int L, M; /* L and M parameters from RFC3610 */

105 CCM128_CONTEXT ccm;

106 ccm128_f str;

107 } EVP_AES_CCM_CTX;

108

109 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))

110

111 #ifdef VPAES_ASM

112 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,

113 AES_KEY *key);

114 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,

115 AES_KEY *key);

116

117 void vpaes_encrypt(const unsigned char in, unsigned char out,

118 const AES_KEY *key);

119 void vpaes_decrypt(const unsigned char in, unsigned char out,

120 const AES_KEY *key);

121

122 void vpaes_cbc_encrypt(const unsigned char *in,

123 unsigned char *out,

124 size_t length,

125 const AES_KEY *key,

126 unsigned char *ivec, int enc);

127 #endif

128 #ifdef BSAES_ASM

129 void bsaes_cbc_encrypt(const unsigned char in, unsigned char out,

130 size_t length, const AES_KEY *key,

131 unsigned char ivec[16], int enc);

132 void bsaes_ctr32_encrypt_blocks(const unsigned char in, unsigned char out,

133 size_t len, const AES_KEY *key,

134 const unsigned char ivec[16]);

135 void bsaes_xts_encrypt(const unsigned char inp, unsigned char out,

136 size_t len, const AES_KEY *key1,

137 const AES_KEY *key2, const unsigned char iv[16]);

138 void bsaes_xts_decrypt(const unsigned char inp, unsigned char out,

139 size_t len, const AES_KEY *key1,

140 const AES_KEY *key2, const unsigned char iv[16]);

141 #endif

142 #ifdef AES_CTR_ASM

143 void AES_ctr32_encrypt(const unsigned char in, unsigned char out,

144 size_t blocks, const AES_KEY *key,

145 const unsigned char ivec[AES_BLOCK_SIZE]);

146 #endif

147 #ifdef AES_XTS_ASM

148 void AES_xts_encrypt(const char inp,char out,size_t len,

149 const AES_KEY key1, const AES_KEY key2,

150 const unsigned char iv[16]);

151 void AES_xts_decrypt(const char inp,char out,size_t len,

152 const AES_KEY key1, const AES_KEY key2,

153 const unsigned char iv[16]);

154 #endif

155

156 #if defined(AES_ASM) && !defined(I386_ONLY) && ( \

157 ((defined(__i386) \|\| defined(__i386__) \|\| \

158 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))\|\| \

159 defined(__x86_64) \|\| defined(__x86_64__) \|\| \

160 defined(_M_AMD64) \|\| defined(_M_X64) \|\| \

161 defined(__INTEL__) )

162

163 extern unsigned int OPENSSL_ia32cap_P[2];

164

165 #ifdef VPAES_ASM

166 #define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))

167 #endif

168 #ifdef BSAES_ASM

169 #define BSAES_CAPABLE VPAES_CAPABLE

170 #endif

171 /*

172 * AES-NI section

173 */

174 #define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))

175

176 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,

177 AES_KEY *key);

178 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,

179 AES_KEY *key);

180

181 void aesni_encrypt(const unsigned char in, unsigned char out,

182 const AES_KEY *key);

183 void aesni_decrypt(const unsigned char in, unsigned char out,

184 const AES_KEY *key);

185

186 void aesni_ecb_encrypt(const unsigned char *in,

187 unsigned char *out,

188 size_t length,

189 const AES_KEY *key,

190 int enc);

191 void aesni_cbc_encrypt(const unsigned char *in,

192 unsigned char *out,

193 size_t length,

194 const AES_KEY *key,

195 unsigned char *ivec, int enc);

196

197 void aesni_ctr32_encrypt_blocks(const unsigned char *in,

198 unsigned char *out,

199 size_t blocks,

200 const void *key,

201 const unsigned char *ivec);

202

203 void aesni_xts_encrypt(const unsigned char *in,

204 unsigned char *out,

205 size_t length,

206 const AES_KEY key1, const AES_KEY key2,

207 const unsigned char iv[16]);

208

209 void aesni_xts_decrypt(const unsigned char *in,

210 unsigned char *out,

211 size_t length,

212 const AES_KEY key1, const AES_KEY key2,

213 const unsigned char iv[16]);

214

215 void aesni_ccm64_encrypt_blocks (const unsigned char *in,

216 unsigned char *out,

217 size_t blocks,

218 const void *key,

219 const unsigned char ivec[16],

220 unsigned char cmac[16]);

221

222 void aesni_ccm64_decrypt_blocks (const unsigned char *in,

223 unsigned char *out,

224 size_t blocks,

225 const void *key,

226 const unsigned char ivec[16],

227 unsigned char cmac[16]);

228

229 static int aesni_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,

230 const unsigned char *iv, int enc)

231 {

232 int ret, mode;

233 EVP_AES_KEY dat = (EVP_AES_KEY )ctx->cipher_data;

234

235 mode = ctx->cipher->flags & EVP_CIPH_MODE;

236 if ((mode == EVP_CIPH_ECB_MODE \|\| mode == EVP_CIPH_CBC_MODE)

237 && !enc)

238 {

239 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_dat a);

240 dat->block = (block128_f)aesni_decrypt;

241 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?

242 (cbc128_f)aesni_cbc_encrypt :

243 NULL;

244 }

245 else {

246 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_dat a);

247 dat->block = (block128_f)aesni_encrypt;

248 if (mode==EVP_CIPH_CBC_MODE)

249 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;

250 else if (mode==EVP_CIPH_CTR_MODE)

251 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;

252 else

253 dat->stream.cbc = NULL;

254 }

255

256 if(ret < 0)

257 {

258 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);

259 return 0;

260 }

261

262 return 1;

263 }

264

265 static int aesni_cbc_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

266 const unsigned char *in, size_t len)

267 {

268 aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);

269

270 return 1;

271 }

272

273 static int aesni_ecb_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

274 const unsigned char *in, size_t len)

275 {

276 size_t bl = ctx->cipher->block_size;

277

278 if (len<bl) return 1;

279

280 aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);

281

282 return 1;

283 }

284

285 #define aesni_ofb_cipher aes_ofb_cipher

286 static int aesni_ofb_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

287 const unsigned char *in,size_t len);

288

289 #define aesni_cfb_cipher aes_cfb_cipher

290 static int aesni_cfb_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

291 const unsigned char *in,size_t len);

292

293 #define aesni_cfb8_cipher aes_cfb8_cipher

294 static int aesni_cfb8_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

295 const unsigned char *in,size_t len);

296

297 #define aesni_cfb1_cipher aes_cfb1_cipher

298 static int aesni_cfb1_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

299 const unsigned char *in,size_t len);

300

301 #define aesni_ctr_cipher aes_ctr_cipher

302 static int aesni_ctr_cipher(EVP_CIPHER_CTX ctx, unsigned char out,

303 const unsigned char *in, size_t len);

304

305 static int aesni_gcm_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,

306 const unsigned char *iv, int enc)

307 {

308 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;

309 if (!iv && !key)

310 return 1;

311 if (key)

312 {

313 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);

314 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,

315 (block128_f)aesni_encrypt);

316 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;

317 /* If we have an iv can set it directly, otherwise use

318 * saved IV.

319 */

320 if (iv == NULL && gctx->iv_set)

321 iv = gctx->iv;

322 if (iv)

323 {

324 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);

325 gctx->iv_set = 1;

326 }

327 gctx->key_set = 1;

328 }

329 else

330 {

331 /* If key set use IV, otherwise copy */

332 if (gctx->key_set)

333 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);

334 else

335 memcpy(gctx->iv, iv, gctx->ivlen);

336 gctx->iv_set = 1;

337 gctx->iv_gen = 0;

338 }

339 return 1;

340 }

341

342 #define aesni_gcm_cipher aes_gcm_cipher

343 static int aesni_gcm_cipher(EVP_CIPHER_CTX ctx, unsigned char out,

344 const unsigned char *in, size_t len);

345

346 static int aesni_xts_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,

347 const unsigned char *iv, int enc)

348 {

349 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;

350 if (!iv && !key)

351 return 1;

352

353 if (key)

354 {

355 /* key_len is two AES keys */

356 if (enc)

357 {

358 aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1) ;

359 xctx->xts.block1 = (block128_f)aesni_encrypt;

360 xctx->stream = aesni_xts_encrypt;

361 }

362 else

363 {

364 aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1) ;

365 xctx->xts.block1 = (block128_f)aesni_decrypt;

366 xctx->stream = aesni_xts_decrypt;

367 }

368

369 aesni_set_encrypt_key(key + ctx->key_len/2,

370 ctx->key_len * 4, &xctx->ks2);

371 xctx->xts.block2 = (block128_f)aesni_encrypt;

372

373 xctx->xts.key1 = &xctx->ks1;

374 }

375

376 if (iv)

377 {

378 xctx->xts.key2 = &xctx->ks2;

379 memcpy(ctx->iv, iv, 16);

380 }

381

382 return 1;

383 }

384

385 #define aesni_xts_cipher aes_xts_cipher

386 static int aesni_xts_cipher(EVP_CIPHER_CTX ctx, unsigned char out,

387 const unsigned char *in, size_t len);

388

389 static int aesni_ccm_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,

390 const unsigned char *iv, int enc)

391 {

392 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;

393 if (!iv && !key)

394 return 1;

395 if (key)

396 {

397 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);

398 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,

399 &cctx->ks, (block128_f)aesni_encrypt);

400 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks :

401 (ccm128_f)aesni_ccm64_decrypt_blocks;

402 cctx->key_set = 1;

403 }

404 if (iv)

405 {

406 memcpy(ctx->iv, iv, 15 - cctx->L);

407 cctx->iv_set = 1;

408 }

409 return 1;

410 }

411

412 #define aesni_ccm_cipher aes_ccm_cipher

413 static int aesni_ccm_cipher(EVP_CIPHER_CTX ctx, unsigned char out,

414 const unsigned char *in, size_t len);

415

416 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \

417 static const EVP_CIPHER aesni_##keylen##_##mode = { \

418 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \

419 flags\|EVP_CIPH_##MODE##_MODE, \

420 aesni_init_key, \

421 aesni_##mode##_cipher, \

422 NULL, \

423 sizeof(EVP_AES_KEY), \

424 NULL,NULL,NULL,NULL }; \

425 static const EVP_CIPHER aes_##keylen##_##mode = { \

426 nid##_##keylen##_##nmode,blocksize, \

427 keylen/8,ivlen, \

428 flags\|EVP_CIPH_##MODE##_MODE, \

429 aes_init_key, \

430 aes_##mode##_cipher, \

431 NULL, \

432 sizeof(EVP_AES_KEY), \

433 NULL,NULL,NULL,NULL }; \

434 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \

435 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }

436

437 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \

438 static const EVP_CIPHER aesni_##keylen##_##mode = { \

439 nid##_##keylen##_##mode,blocksize, \

440 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \

441 flags\|EVP_CIPH_##MODE##_MODE, \

442 aesni_##mode##_init_key, \

443 aesni_##mode##_cipher, \

444 aes_##mode##_cleanup, \

445 sizeof(EVP_AES_##MODE##_CTX), \

446 NULL,NULL,aes_##mode##_ctrl,NULL }; \

447 static const EVP_CIPHER aes_##keylen##_##mode = { \

448 nid##_##keylen##_##mode,blocksize, \

449 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \

450 flags\|EVP_CIPH_##MODE##_MODE, \

451 aes_##mode##_init_key, \

452 aes_##mode##_cipher, \

453 aes_##mode##_cleanup, \

454 sizeof(EVP_AES_##MODE##_CTX), \

455 NULL,NULL,aes_##mode##_ctrl,NULL }; \

456 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \

457 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }

458

459 #else

460

461 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \

462 static const EVP_CIPHER aes_##keylen##_##mode = { \

463 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \

464 flags\|EVP_CIPH_##MODE##_MODE, \

465 aes_init_key, \

466 aes_##mode##_cipher, \

467 NULL, \

468 sizeof(EVP_AES_KEY), \

469 NULL,NULL,NULL,NULL }; \

470 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \

471 { return &aes_##keylen##_##mode; }

472

473 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \

474 static const EVP_CIPHER aes_##keylen##_##mode = { \

475 nid##_##keylen##_##mode,blocksize, \

476 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \

477 flags\|EVP_CIPH_##MODE##_MODE, \

478 aes_##mode##_init_key, \

479 aes_##mode##_cipher, \

480 aes_##mode##_cleanup, \

481 sizeof(EVP_AES_##MODE##_CTX), \

482 NULL,NULL,aes_##mode##_ctrl,NULL }; \

483 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \

484 { return &aes_##keylen##_##mode; }

485 #endif

486

487 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \

488 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags\|EVP_CIPH_FLAG_DE FAULT_ASN1) \

489 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags\|EVP_CIPH_FLAG_DEF AULT_ASN1) \

490 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags\|EVP_CIPH_FLAG_ DEFAULT_ASN1) \

491 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags\|EVP_CIPH_FLAG_ DEFAULT_ASN1) \

492 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \

493 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \

494 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)

495

496 static int aes_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,

497 const unsigned char *iv, int enc)

498 {

499 int ret, mode;

500 EVP_AES_KEY dat = (EVP_AES_KEY )ctx->cipher_data;

501

502 mode = ctx->cipher->flags & EVP_CIPH_MODE;

503 if ((mode == EVP_CIPH_ECB_MODE \|\| mode == EVP_CIPH_CBC_MODE)

504 && !enc)

505 #ifdef BSAES_CAPABLE

506 if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE)

507 {

508 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);

509 dat->block = (block128_f)AES_decrypt;

510 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;

511 }

512 else

513 #endif

514 #ifdef VPAES_CAPABLE

515 if (VPAES_CAPABLE)

516 {

517 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks);

518 dat->block = (block128_f)vpaes_decrypt;

519 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?

520 (cbc128_f)vpaes_cbc_encrypt :

521 NULL;

522 }

523 else

524 #endif

525 {

526 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);

527 dat->block = (block128_f)AES_decrypt;

528 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?

529 (cbc128_f)AES_cbc_encrypt :

530 NULL;

531 }

532 else

533 #ifdef BSAES_CAPABLE

534 if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE)

535 {

536 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);

537 dat->block = (block128_f)AES_encrypt;

538 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;

539 }

540 else

541 #endif

542 #ifdef VPAES_CAPABLE

543 if (VPAES_CAPABLE)

544 {

545 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks);

546 dat->block = (block128_f)vpaes_encrypt;

547 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?

548 (cbc128_f)vpaes_cbc_encrypt :

549 NULL;

550 }

551 else

552 #endif

553 {

554 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);

555 dat->block = (block128_f)AES_encrypt;

556 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?

557 (cbc128_f)AES_cbc_encrypt :

558 NULL;

559 #ifdef AES_CTR_ASM

560 if (mode==EVP_CIPH_CTR_MODE)

561 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;

562 #endif

563 }

564

565 if(ret < 0)

566 {

567 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);

568 return 0;

569 }

570

571 return 1;

572 }

573

574 static int aes_cbc_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

575 const unsigned char *in, size_t len)

576 {

577 EVP_AES_KEY dat = (EVP_AES_KEY )ctx->cipher_data;

578

579 if (dat->stream.cbc)

580 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);

581 else if (ctx->encrypt)

582 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);

583 else

584 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);

585

586 return 1;

587 }

588

589 static int aes_ecb_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

590 const unsigned char *in, size_t len)

591 {

592 size_t bl = ctx->cipher->block_size;

593 size_t i;

594 EVP_AES_KEY dat = (EVP_AES_KEY )ctx->cipher_data;

595

596 if (len<bl) return 1;

597

598 for (i=0,len-=bl;i<=len;i+=bl)

599 (*dat->block)(in+i,out+i,&dat->ks);

600

601 return 1;

602 }

603

604 static int aes_ofb_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

605 const unsigned char *in,size_t len)

606 {

607 EVP_AES_KEY dat = (EVP_AES_KEY )ctx->cipher_data;

608

609 CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,

610 ctx->iv,&ctx->num,dat->block);

611 return 1;

612 }

613

614 static int aes_cfb_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

615 const unsigned char *in,size_t len)

616 {

617 EVP_AES_KEY dat = (EVP_AES_KEY )ctx->cipher_data;

618

619 CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,

620 ctx->iv,&ctx->num,ctx->encrypt,dat->block);

621 return 1;

622 }

623

624 static int aes_cfb8_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

625 const unsigned char *in,size_t len)

626 {

627 EVP_AES_KEY dat = (EVP_AES_KEY )ctx->cipher_data;

628

629 CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,

630 ctx->iv,&ctx->num,ctx->encrypt,dat->block);

631 return 1;

632 }

633

634 static int aes_cfb1_cipher(EVP_CIPHER_CTX ctx,unsigned char out,

635 const unsigned char *in,size_t len)

636 {

637 EVP_AES_KEY dat = (EVP_AES_KEY )ctx->cipher_data;

638

639 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {

640 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,

641 ctx->iv,&ctx->num,ctx->encrypt,dat->block);

642 return 1;

643 }

644

645 while (len>=MAXBITCHUNK) {

646 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,

647 ctx->iv,&ctx->num,ctx->encrypt,dat->block);

648 len-=MAXBITCHUNK;

649 }

650 if (len)

651 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,

652 ctx->iv,&ctx->num,ctx->encrypt,dat->block);

653

654 return 1;

655 }

656

657 static int aes_ctr_cipher (EVP_CIPHER_CTX ctx, unsigned char out,

658 const unsigned char *in, size_t len)

659 {

660 unsigned int num = ctx->num;

661 EVP_AES_KEY dat = (EVP_AES_KEY )ctx->cipher_data;

662

663 if (dat->stream.ctr)

664 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,

665 ctx->iv,ctx->buf,&num,dat->stream.ctr);

666 else

667 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,

668 ctx->iv,ctx->buf,&num,dat->block);

669 ctx->num = (size_t)num;

670 return 1;

671 }

672

673 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)

674 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)

675 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)

676

677 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)

678 {

679 EVP_AES_GCM_CTX *gctx = c->cipher_data;

680 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));

681 if (gctx->iv != c->iv)

682 OPENSSL_free(gctx->iv);

683 return 1;

684 }

685

686 /* increment counter (64-bit int) by 1 */

687 static void ctr64_inc(unsigned char *counter) {

688 int n=8;

689 unsigned char c;

690

691 do {

692 --n;

693 c = counter[n];

694 ++c;

695 counter[n] = c;

696 if (c) return;

697 } while (n);

698 }

699

700 static int aes_gcm_ctrl(EVP_CIPHER_CTX c, int type, int arg, void ptr)

701 {

702 EVP_AES_GCM_CTX *gctx = c->cipher_data;

703 switch (type)

704 {

705 case EVP_CTRL_INIT:

706 gctx->key_set = 0;

707 gctx->iv_set = 0;

708 gctx->ivlen = c->cipher->iv_len;

709 gctx->iv = c->iv;

710 gctx->taglen = -1;

711 gctx->iv_gen = 0;

712 gctx->tls_aad_len = -1;

713 return 1;

714

715 case EVP_CTRL_GCM_SET_IVLEN:

716 if (arg <= 0)

717 return 0;

718 #ifdef OPENSSL_FIPS

719 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_AL LOW)

720 && arg < 12)

721 return 0;

722 #endif

723 /* Allocate memory for IV if needed */

724 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))

725 {

726 if (gctx->iv != c->iv)

727 OPENSSL_free(gctx->iv);

728 gctx->iv = OPENSSL_malloc(arg);

729 if (!gctx->iv)

730 return 0;

731 }

732 gctx->ivlen = arg;

733 return 1;

734

735 case EVP_CTRL_GCM_SET_TAG:

736 if (arg <= 0 \|\| arg > 16 \|\| c->encrypt)

737 return 0;

738 memcpy(c->buf, ptr, arg);

739 gctx->taglen = arg;

740 return 1;

741

742 case EVP_CTRL_GCM_GET_TAG:

743 if (arg <= 0 \|\| arg > 16 \|\| !c->encrypt \|\| gctx->taglen < 0)

744 return 0;

745 memcpy(ptr, c->buf, arg);

746 return 1;

747

748 case EVP_CTRL_GCM_SET_IV_FIXED:

749 /* Special case: -1 length restores whole IV */

750 if (arg == -1)

751 {

752 memcpy(gctx->iv, ptr, gctx->ivlen);

753 gctx->iv_gen = 1;

754 return 1;

755 }

756 /* Fixed field must be at least 4 bytes and invocation field

757 * at least 8.

758 */

759 if ((arg < 4) \|\| (gctx->ivlen - arg) < 8)

760 return 0;

761 if (arg)

762 memcpy(gctx->iv, ptr, arg);

763 if (c->encrypt &&

764 RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)

765 return 0;

766 gctx->iv_gen = 1;

767 return 1;

768

769 case EVP_CTRL_GCM_IV_GEN:

770 if (gctx->iv_gen == 0 \|\| gctx->key_set == 0)

771 return 0;

772 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);

773 if (arg <= 0 \|\| arg > gctx->ivlen)

774 arg = gctx->ivlen;

775 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);

776 /* Invocation field will be at least 8 bytes in size and

777 * so no need to check wrap around or increment more than

778 * last 8 bytes.

779 */

780 ctr64_inc(gctx->iv + gctx->ivlen - 8);

781 gctx->iv_set = 1;

782 return 1;

783

784 case EVP_CTRL_GCM_SET_IV_INV:

785 if (gctx->iv_gen == 0 \|\| gctx->key_set == 0 \|\| c->encrypt)

786 return 0;

787 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);

788 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);

789 gctx->iv_set = 1;

790 return 1;

791

792 case EVP_CTRL_AEAD_TLS1_AAD:

793 /* Save the AAD for later use */

794 if (arg != 13)

795 return 0;

796 memcpy(c->buf, ptr, arg);

797 gctx->tls_aad_len = arg;

798 {

799 unsigned int len=c->buf[arg-2]<<8\|c->buf[arg-1];

800 /* Correct length for explicit IV */

801 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;

802 /* If decrypting correct for tag too */

803 if (!c->encrypt)

804 len -= EVP_GCM_TLS_TAG_LEN;

805 c->buf[arg-2] = len>>8;

806 c->buf[arg-1] = len & 0xff;

807 }

808 /* Extra padding: tag appended to record */

809 return EVP_GCM_TLS_TAG_LEN;

810

811 default:

812 return -1;

813

814 }

815 }

816

817 static ctr128_f aes_gcm_set_key(AES_KEY aes_key, GCM128_CONTEXT gcm_ctx,

818 const unsigned char *key, size_t key_len)

819 {

820 #ifdef BSAES_CAPABLE

821 if (BSAES_CAPABLE)

822 {

823 AES_set_encrypt_key(key,key_len*8,aes_key);

824 CRYPTO_gcm128_init(gcm_ctx,aes_key,

825 (block128_f)AES_encrypt);

826 return (ctr128_f)bsaes_ctr32_encrypt_blocks;

827 }

828 #endif

829 #ifdef VPAES_CAPABLE

830 if (VPAES_CAPABLE)

831 {

832 vpaes_set_encrypt_key(key,key_len*8,aes_key);

833 CRYPTO_gcm128_init(gcm_ctx,aes_key,

834 (block128_f)vpaes_encrypt);

835 return NULL;

836 }

837 #endif

838 AES_set_encrypt_key(key, key_len*8, aes_key);

839 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);

840 #ifdef AES_CTR_ASM

841 return (ctr128_f)AES_ctr32_encrypt;

842 #else

843 return NULL;

844 #endif

845 }

846

847 static int aes_gcm_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,

848 const unsigned char *iv, int enc)

849 {

850 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;

851 if (!iv && !key)

852 return 1;

853 if (key)

854 {

855 gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, key, ctx->key _len);

856 /* If we have an iv can set it directly, otherwise use

857 * saved IV.

858 */

859 if (iv == NULL && gctx->iv_set)

860 iv = gctx->iv;

861 if (iv)

862 {

863 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);

864 gctx->iv_set = 1;

865 }

866 gctx->key_set = 1;

867 }

868 else

869 {

870 /* If key set use IV, otherwise copy */

871 if (gctx->key_set)

872 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);

873 else

874 memcpy(gctx->iv, iv, gctx->ivlen);

875 gctx->iv_set = 1;

876 gctx->iv_gen = 0;

877 }

878 return 1;

879 }

880

881 /* Handle TLS GCM packet format. This consists of the last portion of the IV

882 * followed by the payload and finally the tag. On encrypt generate IV,

883 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload

884 * and verify tag.

885 */

886

887 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX ctx, unsigned char out,

888 const unsigned char *in, size_t len)

889 {

890 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;

891 int rv = -1;

892 /* Encrypt/decrypt must be performed in place */

893 if (out != in \|\| len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN) )

894 return -1;

895 /* Set IV from start of buffer or generate IV and write to start

896 * of buffer.

897 */

898 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?

899 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,

900 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)

901 goto err;

902 /* Use saved AAD */

903 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))

904 goto err;

905 /* Fix buffer and length to point to payload */

906 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;

907 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;

908 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;

909 if (ctx->encrypt)

910 {

911 /* Encrypt payload */

912 if (gctx->ctr)

913 {

914 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,

915 in, out, len,

916 gctx->ctr))

917 goto err;

918 }

919 else {

920 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))

921 goto err;

922 }

923 out += len;

924 /* Finally write tag */

925 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);

926 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;

927 }

928 else

929 {

930 /* Decrypt */

931 if (gctx->ctr)

932 {

933 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,

934 in, out, len,

935 gctx->ctr))

936 goto err;

937 }

938 else {

939 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))

940 goto err;

941 }

942 /* Retrieve tag */

943 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,

944 EVP_GCM_TLS_TAG_LEN);

945 /* If tag mismatch wipe buffer */

946 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))

947 {

948 OPENSSL_cleanse(out, len);

949 goto err;

950 }

951 rv = len;

952 }

953

954 err:

955 gctx->iv_set = 0;

956 gctx->tls_aad_len = -1;

957 return rv;

958 }

959

960 static int aes_gcm_cipher(EVP_CIPHER_CTX ctx, unsigned char out,

961 const unsigned char *in, size_t len)

962 {

963 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;

964 /* If not set up, return error */

965 if (!gctx->key_set)

966 return -1;

967

968 if (gctx->tls_aad_len >= 0)

969 return aes_gcm_tls_cipher(ctx, out, in, len);

970

971 if (!gctx->iv_set)

972 return -1;

973 if (in)

974 {

975 if (out == NULL)

976 {

977 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))

978 return -1;

979 }

980 else if (ctx->encrypt)

981 {

982 if (gctx->ctr)

983 {

984 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,

985 in, out, len,

986 gctx->ctr))

987 return -1;

988 }

989 else {

990 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, l en))

991 return -1;

992 }

993 }

994 else

995 {

996 if (gctx->ctr)

997 {

998 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,

999 in, out, len,

1000 gctx->ctr))

1001 return -1;

1002 }

1003 else {

1004 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, l en))

1005 return -1;

1006 }

1007 }

1008 return len;

1009 }

1010 else

1011 {

1012 if (!ctx->encrypt)

1013 {

1014 if (gctx->taglen < 0)

1015 return -1;

1016 if (CRYPTO_gcm128_finish(&gctx->gcm,

1017 ctx->buf, gctx->taglen) != 0)

1018 return -1;

1019 gctx->iv_set = 0;

1020 return 0;

1021 }

1022 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);

1023 gctx->taglen = 16;

1024 /* Don't reuse the IV */

1025 gctx->iv_set = 0;

1026 return 0;

1027 }

1028

1029 }

1030

1031 #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \

1032 \| EVP_CIPH_CUSTOM_IV \| EVP_CIPH_FLAG_CUSTOM_CIPHER \

1033 \| EVP_CIPH_ALWAYS_CALL_INIT \| EVP_CIPH_CTRL_INIT)

1034

1035 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,

1036 EVP_CIPH_FLAG_FIPS\|EVP_CIPH_FLAG_AEAD_CIPHER\|CUSTOM_FLAGS)

1037 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,

1038 EVP_CIPH_FLAG_FIPS\|EVP_CIPH_FLAG_AEAD_CIPHER\|CUSTOM_FLAGS)

1039 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,

1040 EVP_CIPH_FLAG_FIPS\|EVP_CIPH_FLAG_AEAD_CIPHER\|CUSTOM_FLAGS)

1041

1042 static int aes_xts_ctrl(EVP_CIPHER_CTX c, int type, int arg, void ptr)

1043 {

1044 EVP_AES_XTS_CTX *xctx = c->cipher_data;

1045 if (type != EVP_CTRL_INIT)

1046 return -1;

1047 /* key1 and key2 are used as an indicator both key and IV are set */

1048 xctx->xts.key1 = NULL;

1049 xctx->xts.key2 = NULL;

1050 return 1;

1051 }

1052

1053 static int aes_xts_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,

1054 const unsigned char *iv, int enc)

1055 {

1056 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;

1057 if (!iv && !key)

1058 return 1;

1059

1060 if (key) do

1061 {

1062 #ifdef AES_XTS_ASM

1063 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;

1064 #else

1065 xctx->stream = NULL;

1066 #endif

1067 /* key_len is two AES keys */

1068 #ifdef BSAES_CAPABLE

1069 if (BSAES_CAPABLE)

1070 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decry pt;

1071 else

1072 #endif

1073 #ifdef VPAES_CAPABLE

1074 if (VPAES_CAPABLE)

1075 {

1076 if (enc)

1077 {

1078 vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1) ;

1079 xctx->xts.block1 = (block128_f)vpaes_encrypt;

1080 }

1081 else

1082 {

1083 vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1) ;

1084 xctx->xts.block1 = (block128_f)vpaes_decrypt;

1085 }

1086

1087 vpaes_set_encrypt_key(key + ctx->key_len/2,

1088 ctx->key_len * 4, &xctx->ks2);

1089 xctx->xts.block2 = (block128_f)vpaes_encrypt;

1090

1091 xctx->xts.key1 = &xctx->ks1;

1092 break;

1093 }

1094 #endif

1095 if (enc)

1096 {

1097 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);

1098 xctx->xts.block1 = (block128_f)AES_encrypt;

1099 }

1100 else

1101 {

1102 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);

1103 xctx->xts.block1 = (block128_f)AES_decrypt;

1104 }

1105

1106 AES_set_encrypt_key(key + ctx->key_len/2,

1107 ctx->key_len * 4, &xctx->ks2);

1108 xctx->xts.block2 = (block128_f)AES_encrypt;

1109

1110 xctx->xts.key1 = &xctx->ks1;

1111 } while (0);

1112

1113 if (iv)

1114 {

1115 xctx->xts.key2 = &xctx->ks2;

1116 memcpy(ctx->iv, iv, 16);

1117 }

1118

1119 return 1;

1120 }

1121

1122 static int aes_xts_cipher(EVP_CIPHER_CTX ctx, unsigned char out,

1123 const unsigned char *in, size_t len)

1124 {

1125 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;

1126 if (!xctx->xts.key1 \|\| !xctx->xts.key2)

1127 return 0;

1128 if (!out \|\| !in \|\| len<AES_BLOCK_SIZE)

1129 return 0;

1130 #ifdef OPENSSL_FIPS

1131 /* Requirement of SP800-38E */

1132 if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) & &

1133 (len > (1UL<<20)*16))

1134 {

1135 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);

1136 return 0;

1137 }

1138 #endif

1139 if (xctx->stream)

1140 (*xctx->stream)(in, out, len,

1141 xctx->xts.key1, xctx->xts.key2, ctx->iv);

1142 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,

1143 ctx->encrypt))

1144 return 0;

1145 return 1;

1146 }

1147

1148 #define aes_xts_cleanup NULL

1149

1150 #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \| EVP_CIPH_CUSTOM_IV \

1151 \| EVP_CIPH_ALWAYS_CALL_INIT \| EVP_CIPH_CTRL_INIT)

1152

1153 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS\|XTS_FLAGS)

1154 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS\|XTS_FLAGS)

1155

1156 static int aes_ccm_ctrl(EVP_CIPHER_CTX c, int type, int arg, void ptr)

1157 {

1158 EVP_AES_CCM_CTX *cctx = c->cipher_data;

1159 switch (type)

1160 {

1161 case EVP_CTRL_INIT:

1162 cctx->key_set = 0;

1163 cctx->iv_set = 0;

1164 cctx->L = 8;

1165 cctx->M = 12;

1166 cctx->tag_set = 0;

1167 cctx->len_set = 0;

1168 return 1;

1169

1170 case EVP_CTRL_CCM_SET_IVLEN:

1171 arg = 15 - arg;

1172 case EVP_CTRL_CCM_SET_L:

1173 if (arg < 2 \|\| arg > 8)

1174 return 0;

1175 cctx->L = arg;

1176 return 1;

1177

1178 case EVP_CTRL_CCM_SET_TAG:

1179 if ((arg & 1) \|\| arg < 4 \|\| arg > 16)

1180 return 0;

1181 if ((c->encrypt && ptr) \|\| (!c->encrypt && !ptr))

1182 return 0;

1183 if (ptr)

1184 {

1185 cctx->tag_set = 1;

1186 memcpy(c->buf, ptr, arg);

1187 }

1188 cctx->M = arg;

1189 return 1;

1190

1191 case EVP_CTRL_CCM_GET_TAG:

1192 if (!c->encrypt \|\| !cctx->tag_set)

1193 return 0;

1194 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))

1195 return 0;

1196 cctx->tag_set = 0;

1197 cctx->iv_set = 0;

1198 cctx->len_set = 0;

1199 return 1;

1200

1201 default:

1202 return -1;

1203

1204 }

1205 }

1206

1207 static int aes_ccm_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,

1208 const unsigned char *iv, int enc)

1209 {

1210 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;

1211 if (!iv && !key)

1212 return 1;

1213 if (key) do

1214 {

1215 #ifdef VPAES_CAPABLE

1216 if (VPAES_CAPABLE)

1217 {

1218 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);

1219 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,

1220 &cctx->ks, (block128_f)vpaes_encrypt);

1221 cctx->str = NULL;

1222 cctx->key_set = 1;

1223 break;

1224 }

1225 #endif

1226 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);

1227 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,

1228 &cctx->ks, (block128_f)AES_encrypt);

1229 cctx->str = NULL;

1230 cctx->key_set = 1;

1231 } while (0);

1232 if (iv)

1233 {

1234 memcpy(ctx->iv, iv, 15 - cctx->L);

1235 cctx->iv_set = 1;

1236 }

1237 return 1;

1238 }

1239

1240 static int aes_ccm_cipher(EVP_CIPHER_CTX ctx, unsigned char out,

1241 const unsigned char *in, size_t len)

1242 {

1243 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;

1244 CCM128_CONTEXT *ccm = &cctx->ccm;

1245 /* If not set up, return error */

1246 if (!cctx->iv_set && !cctx->key_set)

1247 return -1;

1248 if (!ctx->encrypt && !cctx->tag_set)

1249 return -1;

1250 if (!out)

1251 {

1252 if (!in)

1253 {

1254 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))

1255 return -1;

1256 cctx->len_set = 1;

1257 return len;

1258 }

1259 /* If have AAD need message length */

1260 if (!cctx->len_set && len)

1261 return -1;

1262 CRYPTO_ccm128_aad(ccm, in, len);

1263 return len;

1264 }

1265 /* EVP_Final() doesn't return any data /

1266 if (!in)

1267 return 0;

1268 /* If not set length yet do it */

1269 if (!cctx->len_set)

1270 {

1271 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))

1272 return -1;

1273 cctx->len_set = 1;

1274 }

1275 if (ctx->encrypt)

1276 {

1277 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,

1278 cctx->str) :

1279 CRYPTO_ccm128_encrypt(ccm, in, out, len))

1280 return -1;

1281 cctx->tag_set = 1;

1282 return len;

1283 }

1284 else

1285 {

1286 int rv = -1;

1287 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,

1288 cctx->str) :

1289 !CRYPTO_ccm128_decrypt(ccm, in, out, len))

1290 {

1291 unsigned char tag[16];

1292 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))

1293 {

1294 if (!memcmp(tag, ctx->buf, cctx->M))

1295 rv = len;

1296 }

1297 }

1298 if (rv == -1)

1299 OPENSSL_cleanse(out, len);

1300 cctx->iv_set = 0;

1301 cctx->tag_set = 0;

1302 cctx->len_set = 0;

1303 return rv;

1304 }

1305

1306 }

1307

1308 #define aes_ccm_cleanup NULL

1309

1310 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS\|CUSTOM_FLAGS)

1311 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS\|CUSTOM_FLAGS)

1312 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS\|CUSTOM_FLAGS)

1313

1314 #define EVP_AEAD_AES_128_GCM_TAG_LEN 16

1315

1316 struct aead_aes_128_gcm_ctx {

1317 union { double align; AES_KEY ks; } ks;

1318 GCM128_CONTEXT gcm;

1319 ctr128_f ctr;

1320 unsigned char tag_len;

1321 };

1322

1323 static int aead_aes_128_gcm_init(EVP_AEAD_CTX *ctx,

1324 const unsigned char *key, size_t key_len, size_t tag_len)

1325 {

1326 struct aead_aes_128_gcm_ctx *gcm_ctx;

1327

1328 if (key_len*8 != 128)

1329 {

1330 EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_BAD_KEY_LENGTH);

1331 return 0; /* EVP_AEAD_CTX_init should catch this. */

1332 }

1333

1334 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH)

1335 tag_len = EVP_AEAD_AES_128_GCM_TAG_LEN;

1336

1337 if (tag_len > EVP_AEAD_AES_128_GCM_TAG_LEN)

1338 {

1339 EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_TAG_TOO_LARGE);

1340 return 0;

1341 }

1342

1343 gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_128_gcm_ctx));

1344 if (gcm_ctx == NULL)

1345 return 0;

1346

1347 #ifdef AESNI_CAPABLE

1348 if (AESNI_CAPABLE)

1349 {

1350 aesni_set_encrypt_key(key, key_len * 8, &gcm_ctx->ks.ks);

1351 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,

1352 (block128_f)aesni_encrypt);

1353 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;

1354 }

1355 else

1356 #endif

1357 {

1358 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,

1359 key, key_len);

1360 }

1361 gcm_ctx->tag_len = tag_len;

1362 ctx->aead_state = gcm_ctx;

1363

1364 return 1;

1365 }

1366

1367 static void aead_aes_128_gcm_cleanup(EVP_AEAD_CTX *ctx)

1368 {

1369 struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state;

1370 OPENSSL_free(gcm_ctx);

1371 }

1372

1373 static ssize_t aead_aes_128_gcm_seal(const EVP_AEAD_CTX *ctx,

1374 unsigned char *out, size_t max_out_len,

1375 const unsigned char *nonce, size_t nonce_len,

1376 const unsigned char *in, size_t in_len,

1377 const unsigned char *ad, size_t ad_len)

1378 {

1379 size_t bulk = 0;

1380 const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state;

1381 GCM128_CONTEXT gcm;

1382

1383 if (max_out_len < in_len + gcm_ctx->tag_len)

1384 {

1385 EVPerr(EVP_F_AEAD_AES_128_GCM_SEAL, EVP_R_BUFFER_TOO_SMALL);

1386 return -1;

1387 }

1388

1389 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));

1390 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);

1391

1392 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))

1393 return -1;

1394

1395 if (gcm_ctx->ctr)

1396 {

1397 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,

1398 in_len - bulk, gcm_ctx->ctr))

1399 return -1;

1400 }

1401 else

1402 {

1403 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,

1404 in_len - bulk))

1405 return -1;

1406 }

1407

1408 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);

1409 return in_len + gcm_ctx->tag_len;

1410 }

1411

1412 static ssize_t aead_aes_128_gcm_open(const EVP_AEAD_CTX *ctx,

1413 unsigned char *out, size_t max_out_len,

1414 const unsigned char *nonce, size_t nonce_len,

1415 const unsigned char *in, size_t in_len,

1416 const unsigned char *ad, size_t ad_len)

1417 {

1418 size_t bulk = 0;

1419 const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state;

1420 unsigned char tag[EVP_AEAD_AES_128_GCM_TAG_LEN];

1421 size_t out_len;

1422 GCM128_CONTEXT gcm;

1423

1424 if (in_len < gcm_ctx->tag_len)

1425 {

1426 EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT);

1427 return -1;

1428 }

1429

1430 out_len = in_len - gcm_ctx->tag_len;

1431

1432 if (max_out_len < out_len)

1433 {

1434 EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BUFFER_TOO_SMALL);

1435 return -1;

1436 }

1437

1438 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));

1439 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);

1440

1441 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))

1442 return -1;

1443

1444 if (gcm_ctx->ctr)

1445 {

1446 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,

1447 in_len-bulk-gcm_ctx->tag_len,

1448 gcm_ctx->ctr))

1449 return -1;

1450 }

1451 else

1452 {

1453 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,

1454 in_len - bulk - gcm_ctx->tag_len))

1455 return -1;

1456 }

1457

1458 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);

1459 if (CRYPTO_memcmp(tag, in + out_len, gcm_ctx->tag_len) != 0)

1460 {

1461 EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT);

1462 return -1;

1463 }

1464

1465 return out_len;

1466 }

1467

1468 static const EVP_AEAD aead_aes_128_gcm = {

1469 16, /* key len */

1470 12, /* nonce len */

1471 EVP_AEAD_AES_128_GCM_TAG_LEN, /* overhead */

1472 EVP_AEAD_AES_128_GCM_TAG_LEN, /* max tag length */

1473

1474 aead_aes_128_gcm_init,

1475 aead_aes_128_gcm_cleanup,

1476 aead_aes_128_gcm_seal,

1477 aead_aes_128_gcm_open,

1478 };

1479

1480 const EVP_AEAD *EVP_aead_aes_128_gcm()

1481 {

1482 return &aead_aes_128_gcm;

1483 }

1484

1485 #endif

1486 #endif

OLD	NEW

« no previous file with comments | « openssl/crypto/evp/digest.c ('k') | openssl/crypto/evp/e_aes_cbc_hmac_sha1.c » ('j') | no next file with comments »