1/* $OpenBSD: e_aes.c,v 1.58 2024/04/09 13:52:41 beck Exp $ */ 2/* ==================================================================== 3 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core@openssl.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 */ 51 52#include <limits.h> 53#include <stdlib.h> 54#include <string.h> 55 56#include <openssl/opensslconf.h> 57 58#ifndef OPENSSL_NO_AES 59#include <openssl/aes.h> 60#include <openssl/err.h> 61#include <openssl/evp.h> 62 63#include "evp_local.h" 64#include "modes_local.h" 65 66typedef struct { 67 AES_KEY ks; 68 block128_f block; 69 union { 70 cbc128_f cbc; 71 ctr128_f ctr; 72 } stream; 73} EVP_AES_KEY; 74 75typedef struct { 76 AES_KEY ks; /* AES key schedule to use */ 77 int key_set; /* Set if key initialised */ 78 int iv_set; /* Set if an iv is set */ 79 GCM128_CONTEXT gcm; 80 unsigned char *iv; /* Temporary IV store */ 81 int ivlen; /* IV length */ 82 int taglen; 83 int iv_gen; /* It is OK to generate IVs */ 84 int tls_aad_len; /* TLS AAD length */ 85 ctr128_f ctr; 86} EVP_AES_GCM_CTX; 87 88typedef struct { 89 AES_KEY ks1, ks2; /* AES key schedules to use */ 90 XTS128_CONTEXT xts; 91 void (*stream)(const unsigned char *in, unsigned char *out, 92 size_t length, const AES_KEY *key1, const AES_KEY *key2, 93 const unsigned char iv[16]); 94} EVP_AES_XTS_CTX; 95 96typedef struct { 97 AES_KEY ks; /* AES key schedule to use */ 98 int key_set; /* Set if key initialised */ 99 int iv_set; /* Set if an iv is set */ 100 int tag_set; /* Set if tag is valid */ 101 int len_set; /* Set if message length set */ 102 int L, M; /* L and M parameters from RFC3610 */ 103 CCM128_CONTEXT ccm; 104 ccm128_f str; 105} EVP_AES_CCM_CTX; 106 107#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) 108 109#ifdef VPAES_ASM 110int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, 111 AES_KEY *key); 112int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, 113 AES_KEY *key); 114 115void vpaes_encrypt(const unsigned char *in, unsigned char *out, 116 const AES_KEY *key); 117void vpaes_decrypt(const unsigned char *in, unsigned char *out, 118 const AES_KEY *key); 119 120void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 121 size_t length, const AES_KEY *key, unsigned char *ivec, int enc); 122#endif 123#ifdef BSAES_ASM 124void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, 125 size_t length, const AES_KEY *key, unsigned char ivec[16], int enc); 126void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 127 size_t len, const AES_KEY *key, const unsigned char ivec[16]); 128void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, 129 size_t len, const AES_KEY *key1, const AES_KEY *key2, 130 const unsigned char iv[16]); 131void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, 132 size_t len, const AES_KEY *key1, const AES_KEY *key2, 133 const unsigned char iv[16]); 134#endif 135#ifdef AES_CTR_ASM 136void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 137 size_t blocks, const AES_KEY *key, 138 const unsigned char ivec[AES_BLOCK_SIZE]); 139#endif 140#ifdef AES_XTS_ASM 141void AES_xts_encrypt(const char *inp, char *out, size_t len, 142 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); 143void AES_xts_decrypt(const char *inp, char *out, size_t len, 144 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); 145#endif 146 147#if defined(AES_ASM) && ( \ 148 ((defined(__i386) || defined(__i386__) || \ 149 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ 150 defined(__x86_64) || defined(__x86_64__) || \ 151 defined(_M_AMD64) || defined(_M_X64) || \ 152 defined(__INTEL__) ) 153 154#include "x86_arch.h" 155 156#ifdef VPAES_ASM 157#define VPAES_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_SSSE3) 158#endif 159#ifdef BSAES_ASM 160#define BSAES_CAPABLE VPAES_CAPABLE 161#endif 162/* 163 * AES-NI section 164 */ 165#define AESNI_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI) 166 167int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 168 AES_KEY *key); 169int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 170 AES_KEY *key); 171 172void aesni_encrypt(const unsigned char *in, unsigned char *out, 173 const AES_KEY *key); 174void aesni_decrypt(const unsigned char *in, unsigned char *out, 175 const AES_KEY *key); 176 177void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out, 178 size_t length, const AES_KEY *key, int enc); 179void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out, 180 size_t length, const AES_KEY *key, unsigned char *ivec, int enc); 181 182void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, 183 size_t blocks, const void *key, const unsigned char *ivec); 184 185void aesni_xts_encrypt(const unsigned char *in, unsigned char *out, 186 size_t length, const AES_KEY *key1, const AES_KEY *key2, 187 const unsigned char iv[16]); 188 189void aesni_xts_decrypt(const unsigned char *in, unsigned char *out, 190 size_t length, const AES_KEY *key1, const AES_KEY *key2, 191 const unsigned char iv[16]); 192 193void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out, 194 size_t blocks, const void *key, const unsigned char ivec[16], 195 unsigned char cmac[16]); 196 197void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out, 198 size_t blocks, const void *key, const unsigned char ivec[16], 199 unsigned char cmac[16]); 200 201static int 202aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 203 const unsigned char *iv, int enc) 204{ 205 int ret, mode; 206 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 207 208 mode = ctx->cipher->flags & EVP_CIPH_MODE; 209 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && 210 !enc) { 211 ret = aesni_set_decrypt_key(key, ctx->key_len * 8, 212 ctx->cipher_data); 213 dat->block = (block128_f)aesni_decrypt; 214 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 215 (cbc128_f)aesni_cbc_encrypt : NULL; 216 } else { 217 ret = aesni_set_encrypt_key(key, ctx->key_len * 8, 218 ctx->cipher_data); 219 dat->block = (block128_f)aesni_encrypt; 220 if (mode == EVP_CIPH_CBC_MODE) 221 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; 222 else if (mode == EVP_CIPH_CTR_MODE) 223 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 224 else 225 dat->stream.cbc = NULL; 226 } 227 228 if (ret < 0) { 229 EVPerror(EVP_R_AES_KEY_SETUP_FAILED); 230 return 0; 231 } 232 233 return 1; 234} 235 236static int 237aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 238 const unsigned char *in, size_t len) 239{ 240 aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, 241 ctx->encrypt); 242 243 return 1; 244} 245 246static int 247aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 248 const unsigned char *in, size_t len) 249{ 250 size_t bl = ctx->cipher->block_size; 251 252 if (len < bl) 253 return 1; 254 255 aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt); 256 257 return 1; 258} 259 260static int 261aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 262 const unsigned char *iv, int enc) 263{ 264 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 265 266 if (!iv && !key) 267 return 1; 268 if (key) { 269 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 270 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, 271 (block128_f)aesni_encrypt); 272 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; 273 /* If we have an iv can set it directly, otherwise use 274 * saved IV. 275 */ 276 if (iv == NULL && gctx->iv_set) 277 iv = gctx->iv; 278 if (iv) { 279 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 280 gctx->iv_set = 1; 281 } 282 gctx->key_set = 1; 283 } else { 284 /* If key set use IV, otherwise copy */ 285 if (gctx->key_set) 286 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 287 else 288 memcpy(gctx->iv, iv, gctx->ivlen); 289 gctx->iv_set = 1; 290 gctx->iv_gen = 0; 291 } 292 return 1; 293} 294 295static int 296aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 297 const unsigned char *iv, int enc) 298{ 299 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 300 301 if (!iv && !key) 302 return 1; 303 304 if (key) { 305 /* key_len is two AES keys */ 306 if (enc) { 307 aesni_set_encrypt_key(key, ctx->key_len * 4, 308 &xctx->ks1); 309 xctx->xts.block1 = (block128_f)aesni_encrypt; 310 xctx->stream = aesni_xts_encrypt; 311 } else { 312 aesni_set_decrypt_key(key, ctx->key_len * 4, 313 &xctx->ks1); 314 xctx->xts.block1 = (block128_f)aesni_decrypt; 315 xctx->stream = aesni_xts_decrypt; 316 } 317 318 aesni_set_encrypt_key(key + ctx->key_len / 2, 319 ctx->key_len * 4, &xctx->ks2); 320 xctx->xts.block2 = (block128_f)aesni_encrypt; 321 322 xctx->xts.key1 = &xctx->ks1; 323 } 324 325 if (iv) { 326 xctx->xts.key2 = &xctx->ks2; 327 memcpy(ctx->iv, iv, 16); 328 } 329 330 return 1; 331} 332 333static int 334aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 335 const unsigned char *iv, int enc) 336{ 337 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 338 339 if (!iv && !key) 340 return 1; 341 if (key) { 342 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 343 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 344 &cctx->ks, (block128_f)aesni_encrypt); 345 cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks : 346 (ccm128_f)aesni_ccm64_decrypt_blocks; 347 cctx->key_set = 1; 348 } 349 if (iv) { 350 memcpy(ctx->iv, iv, 15 - cctx->L); 351 cctx->iv_set = 1; 352 } 353 return 1; 354} 355 356#endif 357 358static int 359aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 360 const unsigned char *iv, int enc) 361{ 362 int ret, mode; 363 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 364 365 mode = ctx->cipher->flags & EVP_CIPH_MODE; 366 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && 367 !enc) 368#ifdef BSAES_CAPABLE 369 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) { 370 ret = AES_set_decrypt_key(key, ctx->key_len * 8, 371 &dat->ks); 372 dat->block = (block128_f)AES_decrypt; 373 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; 374 } else 375#endif 376#ifdef VPAES_CAPABLE 377 if (VPAES_CAPABLE) { 378 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, 379 &dat->ks); 380 dat->block = (block128_f)vpaes_decrypt; 381 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 382 (cbc128_f)vpaes_cbc_encrypt : NULL; 383 } else 384#endif 385 { 386 ret = AES_set_decrypt_key(key, ctx->key_len * 8, 387 &dat->ks); 388 dat->block = (block128_f)AES_decrypt; 389 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 390 (cbc128_f)AES_cbc_encrypt : NULL; 391 } else 392#ifdef BSAES_CAPABLE 393 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) { 394 ret = AES_set_encrypt_key(key, ctx->key_len * 8, 395 &dat->ks); 396 dat->block = (block128_f)AES_encrypt; 397 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; 398 } else 399#endif 400#ifdef VPAES_CAPABLE 401 if (VPAES_CAPABLE) { 402 ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, 403 &dat->ks); 404 dat->block = (block128_f)vpaes_encrypt; 405 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 406 (cbc128_f)vpaes_cbc_encrypt : NULL; 407 } else 408#endif 409 { 410 ret = AES_set_encrypt_key(key, ctx->key_len * 8, 411 &dat->ks); 412 dat->block = (block128_f)AES_encrypt; 413 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? 414 (cbc128_f)AES_cbc_encrypt : NULL; 415#ifdef AES_CTR_ASM 416 if (mode == EVP_CIPH_CTR_MODE) 417 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; 418#endif 419 } 420 421 if (ret < 0) { 422 EVPerror(EVP_R_AES_KEY_SETUP_FAILED); 423 return 0; 424 } 425 426 return 1; 427} 428 429static int 430aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 431 const unsigned char *in, size_t len) 432{ 433 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 434 435 if (dat->stream.cbc) 436 (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv, 437 ctx->encrypt); 438 else if (ctx->encrypt) 439 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, 440 dat->block); 441 else 442 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, 443 dat->block); 444 445 return 1; 446} 447 448static int 449aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 450 const unsigned char *in, size_t len) 451{ 452 size_t bl = ctx->cipher->block_size; 453 size_t i; 454 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 455 456 if (len < bl) 457 return 1; 458 459 for (i = 0, len -= bl; i <= len; i += bl) 460 (*dat->block)(in + i, out + i, &dat->ks); 461 462 return 1; 463} 464 465static int 466aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 467 const unsigned char *in, size_t len) 468{ 469 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 470 471 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 472 dat->block); 473 return 1; 474} 475 476static int 477aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 478 const unsigned char *in, size_t len) 479{ 480 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 481 482 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 483 ctx->encrypt, dat->block); 484 return 1; 485} 486 487static int 488aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 489 const unsigned char *in, size_t len) 490{ 491 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 492 493 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, 494 ctx->encrypt, dat->block); 495 return 1; 496} 497 498static int 499aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 500 const unsigned char *in, size_t len) 501{ 502 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 503 504 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { 505 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv, 506 &ctx->num, ctx->encrypt, dat->block); 507 return 1; 508 } 509 510 while (len >= MAXBITCHUNK) { 511 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks, 512 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 513 len -= MAXBITCHUNK; 514 in += MAXBITCHUNK; 515 out += MAXBITCHUNK; 516 } 517 if (len) 518 CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks, 519 ctx->iv, &ctx->num, ctx->encrypt, dat->block); 520 521 return 1; 522} 523 524static int 525aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 526 const unsigned char *in, size_t len) 527{ 528 unsigned int num = ctx->num; 529 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 530 531 if (dat->stream.ctr) 532 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, 533 ctx->iv, ctx->buf, &num, dat->stream.ctr); 534 else 535 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, 536 ctx->iv, ctx->buf, &num, dat->block); 537 ctx->num = (size_t)num; 538 return 1; 539} 540 541 542#ifdef AESNI_CAPABLE 543static const EVP_CIPHER aesni_128_cbc = { 544 .nid = NID_aes_128_cbc, 545 .block_size = 16, 546 .key_len = 16, 547 .iv_len = 16, 548 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 549 .init = aesni_init_key, 550 .do_cipher = aesni_cbc_cipher, 551 .ctx_size = sizeof(EVP_AES_KEY), 552}; 553#endif 554 555static const EVP_CIPHER aes_128_cbc = { 556 .nid = NID_aes_128_cbc, 557 .block_size = 16, 558 .key_len = 16, 559 .iv_len = 16, 560 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 561 .init = aes_init_key, 562 .do_cipher = aes_cbc_cipher, 563 .ctx_size = sizeof(EVP_AES_KEY), 564}; 565 566const EVP_CIPHER * 567EVP_aes_128_cbc(void) 568{ 569#ifdef AESNI_CAPABLE 570 return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc; 571#else 572 return &aes_128_cbc; 573#endif 574} 575LCRYPTO_ALIAS(EVP_aes_128_cbc); 576 577#ifdef AESNI_CAPABLE 578static const EVP_CIPHER aesni_128_ecb = { 579 .nid = NID_aes_128_ecb, 580 .block_size = 16, 581 .key_len = 16, 582 .iv_len = 0, 583 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 584 .init = aesni_init_key, 585 .do_cipher = aesni_ecb_cipher, 586 .ctx_size = sizeof(EVP_AES_KEY), 587}; 588#endif 589 590static const EVP_CIPHER aes_128_ecb = { 591 .nid = NID_aes_128_ecb, 592 .block_size = 16, 593 .key_len = 16, 594 .iv_len = 0, 595 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 596 .init = aes_init_key, 597 .do_cipher = aes_ecb_cipher, 598 .ctx_size = sizeof(EVP_AES_KEY), 599}; 600 601const EVP_CIPHER * 602EVP_aes_128_ecb(void) 603{ 604#ifdef AESNI_CAPABLE 605 return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb; 606#else 607 return &aes_128_ecb; 608#endif 609} 610LCRYPTO_ALIAS(EVP_aes_128_ecb); 611 612#ifdef AESNI_CAPABLE 613static const EVP_CIPHER aesni_128_ofb = { 614 .nid = NID_aes_128_ofb128, 615 .block_size = 1, 616 .key_len = 16, 617 .iv_len = 16, 618 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 619 .init = aesni_init_key, 620 .do_cipher = aes_ofb_cipher, 621 .ctx_size = sizeof(EVP_AES_KEY), 622}; 623#endif 624 625static const EVP_CIPHER aes_128_ofb = { 626 .nid = NID_aes_128_ofb128, 627 .block_size = 1, 628 .key_len = 16, 629 .iv_len = 16, 630 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 631 .init = aes_init_key, 632 .do_cipher = aes_ofb_cipher, 633 .ctx_size = sizeof(EVP_AES_KEY), 634}; 635 636const EVP_CIPHER * 637EVP_aes_128_ofb(void) 638{ 639#ifdef AESNI_CAPABLE 640 return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb; 641#else 642 return &aes_128_ofb; 643#endif 644} 645LCRYPTO_ALIAS(EVP_aes_128_ofb); 646 647#ifdef AESNI_CAPABLE 648static const EVP_CIPHER aesni_128_cfb = { 649 .nid = NID_aes_128_cfb128, 650 .block_size = 1, 651 .key_len = 16, 652 .iv_len = 16, 653 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 654 .init = aesni_init_key, 655 .do_cipher = aes_cfb_cipher, 656 .ctx_size = sizeof(EVP_AES_KEY), 657}; 658#endif 659 660static const EVP_CIPHER aes_128_cfb = { 661 .nid = NID_aes_128_cfb128, 662 .block_size = 1, 663 .key_len = 16, 664 .iv_len = 16, 665 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 666 .init = aes_init_key, 667 .do_cipher = aes_cfb_cipher, 668 .ctx_size = sizeof(EVP_AES_KEY), 669}; 670 671const EVP_CIPHER * 672EVP_aes_128_cfb128(void) 673{ 674#ifdef AESNI_CAPABLE 675 return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb; 676#else 677 return &aes_128_cfb; 678#endif 679} 680LCRYPTO_ALIAS(EVP_aes_128_cfb128); 681 682#ifdef AESNI_CAPABLE 683static const EVP_CIPHER aesni_128_cfb1 = { 684 .nid = NID_aes_128_cfb1, 685 .block_size = 1, 686 .key_len = 16, 687 .iv_len = 16, 688 .flags = EVP_CIPH_CFB_MODE, 689 .init = aesni_init_key, 690 .do_cipher = aes_cfb1_cipher, 691 .ctx_size = sizeof(EVP_AES_KEY), 692}; 693#endif 694 695static const EVP_CIPHER aes_128_cfb1 = { 696 .nid = NID_aes_128_cfb1, 697 .block_size = 1, 698 .key_len = 16, 699 .iv_len = 16, 700 .flags = EVP_CIPH_CFB_MODE, 701 .init = aes_init_key, 702 .do_cipher = aes_cfb1_cipher, 703 .ctx_size = sizeof(EVP_AES_KEY), 704}; 705 706const EVP_CIPHER * 707EVP_aes_128_cfb1(void) 708{ 709#ifdef AESNI_CAPABLE 710 return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1; 711#else 712 return &aes_128_cfb1; 713#endif 714} 715LCRYPTO_ALIAS(EVP_aes_128_cfb1); 716 717#ifdef AESNI_CAPABLE 718static const EVP_CIPHER aesni_128_cfb8 = { 719 .nid = NID_aes_128_cfb8, 720 .block_size = 1, 721 .key_len = 16, 722 .iv_len = 16, 723 .flags = EVP_CIPH_CFB_MODE, 724 .init = aesni_init_key, 725 .do_cipher = aes_cfb8_cipher, 726 .ctx_size = sizeof(EVP_AES_KEY), 727}; 728#endif 729 730static const EVP_CIPHER aes_128_cfb8 = { 731 .nid = NID_aes_128_cfb8, 732 .block_size = 1, 733 .key_len = 16, 734 .iv_len = 16, 735 .flags = EVP_CIPH_CFB_MODE, 736 .init = aes_init_key, 737 .do_cipher = aes_cfb8_cipher, 738 .ctx_size = sizeof(EVP_AES_KEY), 739}; 740 741const EVP_CIPHER * 742EVP_aes_128_cfb8(void) 743{ 744#ifdef AESNI_CAPABLE 745 return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8; 746#else 747 return &aes_128_cfb8; 748#endif 749} 750LCRYPTO_ALIAS(EVP_aes_128_cfb8); 751 752#ifdef AESNI_CAPABLE 753static const EVP_CIPHER aesni_128_ctr = { 754 .nid = NID_aes_128_ctr, 755 .block_size = 1, 756 .key_len = 16, 757 .iv_len = 16, 758 .flags = EVP_CIPH_CTR_MODE, 759 .init = aesni_init_key, 760 .do_cipher = aes_ctr_cipher, 761 .ctx_size = sizeof(EVP_AES_KEY), 762}; 763#endif 764 765static const EVP_CIPHER aes_128_ctr = { 766 .nid = NID_aes_128_ctr, 767 .block_size = 1, 768 .key_len = 16, 769 .iv_len = 16, 770 .flags = EVP_CIPH_CTR_MODE, 771 .init = aes_init_key, 772 .do_cipher = aes_ctr_cipher, 773 .ctx_size = sizeof(EVP_AES_KEY), 774}; 775 776const EVP_CIPHER * 777EVP_aes_128_ctr(void) 778{ 779#ifdef AESNI_CAPABLE 780 return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr; 781#else 782 return &aes_128_ctr; 783#endif 784} 785LCRYPTO_ALIAS(EVP_aes_128_ctr); 786 787 788#ifdef AESNI_CAPABLE 789static const EVP_CIPHER aesni_192_cbc = { 790 .nid = NID_aes_192_cbc, 791 .block_size = 16, 792 .key_len = 24, 793 .iv_len = 16, 794 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 795 .init = aesni_init_key, 796 .do_cipher = aesni_cbc_cipher, 797 .ctx_size = sizeof(EVP_AES_KEY), 798}; 799#endif 800 801static const EVP_CIPHER aes_192_cbc = { 802 .nid = NID_aes_192_cbc, 803 .block_size = 16, 804 .key_len = 24, 805 .iv_len = 16, 806 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 807 .init = aes_init_key, 808 .do_cipher = aes_cbc_cipher, 809 .ctx_size = sizeof(EVP_AES_KEY), 810}; 811 812const EVP_CIPHER * 813EVP_aes_192_cbc(void) 814{ 815#ifdef AESNI_CAPABLE 816 return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc; 817#else 818 return &aes_192_cbc; 819#endif 820} 821LCRYPTO_ALIAS(EVP_aes_192_cbc); 822 823#ifdef AESNI_CAPABLE 824static const EVP_CIPHER aesni_192_ecb = { 825 .nid = NID_aes_192_ecb, 826 .block_size = 16, 827 .key_len = 24, 828 .iv_len = 0, 829 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 830 .init = aesni_init_key, 831 .do_cipher = aesni_ecb_cipher, 832 .ctx_size = sizeof(EVP_AES_KEY), 833}; 834#endif 835 836static const EVP_CIPHER aes_192_ecb = { 837 .nid = NID_aes_192_ecb, 838 .block_size = 16, 839 .key_len = 24, 840 .iv_len = 0, 841 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 842 .init = aes_init_key, 843 .do_cipher = aes_ecb_cipher, 844 .ctx_size = sizeof(EVP_AES_KEY), 845}; 846 847const EVP_CIPHER * 848EVP_aes_192_ecb(void) 849{ 850#ifdef AESNI_CAPABLE 851 return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb; 852#else 853 return &aes_192_ecb; 854#endif 855} 856LCRYPTO_ALIAS(EVP_aes_192_ecb); 857 858#ifdef AESNI_CAPABLE 859static const EVP_CIPHER aesni_192_ofb = { 860 .nid = NID_aes_192_ofb128, 861 .block_size = 1, 862 .key_len = 24, 863 .iv_len = 16, 864 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 865 .init = aesni_init_key, 866 .do_cipher = aes_ofb_cipher, 867 .ctx_size = sizeof(EVP_AES_KEY), 868}; 869#endif 870 871static const EVP_CIPHER aes_192_ofb = { 872 .nid = NID_aes_192_ofb128, 873 .block_size = 1, 874 .key_len = 24, 875 .iv_len = 16, 876 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 877 .init = aes_init_key, 878 .do_cipher = aes_ofb_cipher, 879 .ctx_size = sizeof(EVP_AES_KEY), 880}; 881 882const EVP_CIPHER * 883EVP_aes_192_ofb(void) 884{ 885#ifdef AESNI_CAPABLE 886 return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb; 887#else 888 return &aes_192_ofb; 889#endif 890} 891LCRYPTO_ALIAS(EVP_aes_192_ofb); 892 893#ifdef AESNI_CAPABLE 894static const EVP_CIPHER aesni_192_cfb = { 895 .nid = NID_aes_192_cfb128, 896 .block_size = 1, 897 .key_len = 24, 898 .iv_len = 16, 899 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 900 .init = aesni_init_key, 901 .do_cipher = aes_cfb_cipher, 902 .ctx_size = sizeof(EVP_AES_KEY), 903}; 904#endif 905 906static const EVP_CIPHER aes_192_cfb = { 907 .nid = NID_aes_192_cfb128, 908 .block_size = 1, 909 .key_len = 24, 910 .iv_len = 16, 911 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 912 .init = aes_init_key, 913 .do_cipher = aes_cfb_cipher, 914 .ctx_size = sizeof(EVP_AES_KEY), 915}; 916 917const EVP_CIPHER * 918EVP_aes_192_cfb128(void) 919{ 920#ifdef AESNI_CAPABLE 921 return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb; 922#else 923 return &aes_192_cfb; 924#endif 925} 926LCRYPTO_ALIAS(EVP_aes_192_cfb128); 927 928#ifdef AESNI_CAPABLE 929static const EVP_CIPHER aesni_192_cfb1 = { 930 .nid = NID_aes_192_cfb1, 931 .block_size = 1, 932 .key_len = 24, 933 .iv_len = 16, 934 .flags = EVP_CIPH_CFB_MODE, 935 .init = aesni_init_key, 936 .do_cipher = aes_cfb1_cipher, 937 .ctx_size = sizeof(EVP_AES_KEY), 938}; 939#endif 940 941static const EVP_CIPHER aes_192_cfb1 = { 942 .nid = NID_aes_192_cfb1, 943 .block_size = 1, 944 .key_len = 24, 945 .iv_len = 16, 946 .flags = EVP_CIPH_CFB_MODE, 947 .init = aes_init_key, 948 .do_cipher = aes_cfb1_cipher, 949 .ctx_size = sizeof(EVP_AES_KEY), 950}; 951 952const EVP_CIPHER * 953EVP_aes_192_cfb1(void) 954{ 955#ifdef AESNI_CAPABLE 956 return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1; 957#else 958 return &aes_192_cfb1; 959#endif 960} 961LCRYPTO_ALIAS(EVP_aes_192_cfb1); 962 963#ifdef AESNI_CAPABLE 964static const EVP_CIPHER aesni_192_cfb8 = { 965 .nid = NID_aes_192_cfb8, 966 .block_size = 1, 967 .key_len = 24, 968 .iv_len = 16, 969 .flags = EVP_CIPH_CFB_MODE, 970 .init = aesni_init_key, 971 .do_cipher = aes_cfb8_cipher, 972 .ctx_size = sizeof(EVP_AES_KEY), 973}; 974#endif 975 976static const EVP_CIPHER aes_192_cfb8 = { 977 .nid = NID_aes_192_cfb8, 978 .block_size = 1, 979 .key_len = 24, 980 .iv_len = 16, 981 .flags = EVP_CIPH_CFB_MODE, 982 .init = aes_init_key, 983 .do_cipher = aes_cfb8_cipher, 984 .ctx_size = sizeof(EVP_AES_KEY), 985}; 986 987const EVP_CIPHER * 988EVP_aes_192_cfb8(void) 989{ 990#ifdef AESNI_CAPABLE 991 return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8; 992#else 993 return &aes_192_cfb8; 994#endif 995} 996LCRYPTO_ALIAS(EVP_aes_192_cfb8); 997 998#ifdef AESNI_CAPABLE 999static const EVP_CIPHER aesni_192_ctr = { 1000 .nid = NID_aes_192_ctr, 1001 .block_size = 1, 1002 .key_len = 24, 1003 .iv_len = 16, 1004 .flags = EVP_CIPH_CTR_MODE, 1005 .init = aesni_init_key, 1006 .do_cipher = aes_ctr_cipher, 1007 .ctx_size = sizeof(EVP_AES_KEY), 1008}; 1009#endif 1010 1011static const EVP_CIPHER aes_192_ctr = { 1012 .nid = NID_aes_192_ctr, 1013 .block_size = 1, 1014 .key_len = 24, 1015 .iv_len = 16, 1016 .flags = EVP_CIPH_CTR_MODE, 1017 .init = aes_init_key, 1018 .do_cipher = aes_ctr_cipher, 1019 .ctx_size = sizeof(EVP_AES_KEY), 1020}; 1021 1022const EVP_CIPHER * 1023EVP_aes_192_ctr(void) 1024{ 1025#ifdef AESNI_CAPABLE 1026 return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr; 1027#else 1028 return &aes_192_ctr; 1029#endif 1030} 1031LCRYPTO_ALIAS(EVP_aes_192_ctr); 1032 1033 1034#ifdef AESNI_CAPABLE 1035static const EVP_CIPHER aesni_256_cbc = { 1036 .nid = NID_aes_256_cbc, 1037 .block_size = 16, 1038 .key_len = 32, 1039 .iv_len = 16, 1040 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 1041 .init = aesni_init_key, 1042 .do_cipher = aesni_cbc_cipher, 1043 .ctx_size = sizeof(EVP_AES_KEY), 1044}; 1045#endif 1046 1047static const EVP_CIPHER aes_256_cbc = { 1048 .nid = NID_aes_256_cbc, 1049 .block_size = 16, 1050 .key_len = 32, 1051 .iv_len = 16, 1052 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, 1053 .init = aes_init_key, 1054 .do_cipher = aes_cbc_cipher, 1055 .ctx_size = sizeof(EVP_AES_KEY), 1056}; 1057 1058const EVP_CIPHER * 1059EVP_aes_256_cbc(void) 1060{ 1061#ifdef AESNI_CAPABLE 1062 return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc; 1063#else 1064 return &aes_256_cbc; 1065#endif 1066} 1067LCRYPTO_ALIAS(EVP_aes_256_cbc); 1068 1069#ifdef AESNI_CAPABLE 1070static const EVP_CIPHER aesni_256_ecb = { 1071 .nid = NID_aes_256_ecb, 1072 .block_size = 16, 1073 .key_len = 32, 1074 .iv_len = 0, 1075 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 1076 .init = aesni_init_key, 1077 .do_cipher = aesni_ecb_cipher, 1078 .ctx_size = sizeof(EVP_AES_KEY), 1079}; 1080#endif 1081 1082static const EVP_CIPHER aes_256_ecb = { 1083 .nid = NID_aes_256_ecb, 1084 .block_size = 16, 1085 .key_len = 32, 1086 .iv_len = 0, 1087 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, 1088 .init = aes_init_key, 1089 .do_cipher = aes_ecb_cipher, 1090 .ctx_size = sizeof(EVP_AES_KEY), 1091}; 1092 1093const EVP_CIPHER * 1094EVP_aes_256_ecb(void) 1095{ 1096#ifdef AESNI_CAPABLE 1097 return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb; 1098#else 1099 return &aes_256_ecb; 1100#endif 1101} 1102LCRYPTO_ALIAS(EVP_aes_256_ecb); 1103 1104#ifdef AESNI_CAPABLE 1105static const EVP_CIPHER aesni_256_ofb = { 1106 .nid = NID_aes_256_ofb128, 1107 .block_size = 1, 1108 .key_len = 32, 1109 .iv_len = 16, 1110 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 1111 .init = aesni_init_key, 1112 .do_cipher = aes_ofb_cipher, 1113 .ctx_size = sizeof(EVP_AES_KEY), 1114}; 1115#endif 1116 1117static const EVP_CIPHER aes_256_ofb = { 1118 .nid = NID_aes_256_ofb128, 1119 .block_size = 1, 1120 .key_len = 32, 1121 .iv_len = 16, 1122 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, 1123 .init = aes_init_key, 1124 .do_cipher = aes_ofb_cipher, 1125 .ctx_size = sizeof(EVP_AES_KEY), 1126}; 1127 1128const EVP_CIPHER * 1129EVP_aes_256_ofb(void) 1130{ 1131#ifdef AESNI_CAPABLE 1132 return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb; 1133#else 1134 return &aes_256_ofb; 1135#endif 1136} 1137LCRYPTO_ALIAS(EVP_aes_256_ofb); 1138 1139#ifdef AESNI_CAPABLE 1140static const EVP_CIPHER aesni_256_cfb = { 1141 .nid = NID_aes_256_cfb128, 1142 .block_size = 1, 1143 .key_len = 32, 1144 .iv_len = 16, 1145 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 1146 .init = aesni_init_key, 1147 .do_cipher = aes_cfb_cipher, 1148 .ctx_size = sizeof(EVP_AES_KEY), 1149}; 1150#endif 1151 1152static const EVP_CIPHER aes_256_cfb = { 1153 .nid = NID_aes_256_cfb128, 1154 .block_size = 1, 1155 .key_len = 32, 1156 .iv_len = 16, 1157 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, 1158 .init = aes_init_key, 1159 .do_cipher = aes_cfb_cipher, 1160 .ctx_size = sizeof(EVP_AES_KEY), 1161}; 1162 1163const EVP_CIPHER * 1164EVP_aes_256_cfb128(void) 1165{ 1166#ifdef AESNI_CAPABLE 1167 return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb; 1168#else 1169 return &aes_256_cfb; 1170#endif 1171} 1172LCRYPTO_ALIAS(EVP_aes_256_cfb128); 1173 1174#ifdef AESNI_CAPABLE 1175static const EVP_CIPHER aesni_256_cfb1 = { 1176 .nid = NID_aes_256_cfb1, 1177 .block_size = 1, 1178 .key_len = 32, 1179 .iv_len = 16, 1180 .flags = EVP_CIPH_CFB_MODE, 1181 .init = aesni_init_key, 1182 .do_cipher = aes_cfb1_cipher, 1183 .ctx_size = sizeof(EVP_AES_KEY), 1184}; 1185#endif 1186 1187static const EVP_CIPHER aes_256_cfb1 = { 1188 .nid = NID_aes_256_cfb1, 1189 .block_size = 1, 1190 .key_len = 32, 1191 .iv_len = 16, 1192 .flags = EVP_CIPH_CFB_MODE, 1193 .init = aes_init_key, 1194 .do_cipher = aes_cfb1_cipher, 1195 .ctx_size = sizeof(EVP_AES_KEY), 1196}; 1197 1198const EVP_CIPHER * 1199EVP_aes_256_cfb1(void) 1200{ 1201#ifdef AESNI_CAPABLE 1202 return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1; 1203#else 1204 return &aes_256_cfb1; 1205#endif 1206} 1207LCRYPTO_ALIAS(EVP_aes_256_cfb1); 1208 1209#ifdef AESNI_CAPABLE 1210static const EVP_CIPHER aesni_256_cfb8 = { 1211 .nid = NID_aes_256_cfb8, 1212 .block_size = 1, 1213 .key_len = 32, 1214 .iv_len = 16, 1215 .flags = EVP_CIPH_CFB_MODE, 1216 .init = aesni_init_key, 1217 .do_cipher = aes_cfb8_cipher, 1218 .ctx_size = sizeof(EVP_AES_KEY), 1219}; 1220#endif 1221 1222static const EVP_CIPHER aes_256_cfb8 = { 1223 .nid = NID_aes_256_cfb8, 1224 .block_size = 1, 1225 .key_len = 32, 1226 .iv_len = 16, 1227 .flags = EVP_CIPH_CFB_MODE, 1228 .init = aes_init_key, 1229 .do_cipher = aes_cfb8_cipher, 1230 .ctx_size = sizeof(EVP_AES_KEY), 1231}; 1232 1233const EVP_CIPHER * 1234EVP_aes_256_cfb8(void) 1235{ 1236#ifdef AESNI_CAPABLE 1237 return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8; 1238#else 1239 return &aes_256_cfb8; 1240#endif 1241} 1242LCRYPTO_ALIAS(EVP_aes_256_cfb8); 1243 1244#ifdef AESNI_CAPABLE 1245static const EVP_CIPHER aesni_256_ctr = { 1246 .nid = NID_aes_256_ctr, 1247 .block_size = 1, 1248 .key_len = 32, 1249 .iv_len = 16, 1250 .flags = EVP_CIPH_CTR_MODE, 1251 .init = aesni_init_key, 1252 .do_cipher = aes_ctr_cipher, 1253 .ctx_size = sizeof(EVP_AES_KEY), 1254}; 1255#endif 1256 1257static const EVP_CIPHER aes_256_ctr = { 1258 .nid = NID_aes_256_ctr, 1259 .block_size = 1, 1260 .key_len = 32, 1261 .iv_len = 16, 1262 .flags = EVP_CIPH_CTR_MODE, 1263 .init = aes_init_key, 1264 .do_cipher = aes_ctr_cipher, 1265 .ctx_size = sizeof(EVP_AES_KEY), 1266}; 1267 1268const EVP_CIPHER * 1269EVP_aes_256_ctr(void) 1270{ 1271#ifdef AESNI_CAPABLE 1272 return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr; 1273#else 1274 return &aes_256_ctr; 1275#endif 1276} 1277LCRYPTO_ALIAS(EVP_aes_256_ctr); 1278 1279static int 1280aes_gcm_cleanup(EVP_CIPHER_CTX *c) 1281{ 1282 EVP_AES_GCM_CTX *gctx = c->cipher_data; 1283 1284 if (gctx->iv != c->iv) 1285 free(gctx->iv); 1286 1287 explicit_bzero(gctx, sizeof(*gctx)); 1288 1289 return 1; 1290} 1291 1292/* increment counter (64-bit int) by 1 */ 1293static void 1294ctr64_inc(unsigned char *counter) 1295{ 1296 int n = 8; 1297 unsigned char c; 1298 1299 do { 1300 --n; 1301 c = counter[n]; 1302 ++c; 1303 counter[n] = c; 1304 if (c) 1305 return; 1306 } while (n); 1307} 1308 1309static int 1310aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1311{ 1312 EVP_AES_GCM_CTX *gctx = c->cipher_data; 1313 1314 switch (type) { 1315 case EVP_CTRL_INIT: 1316 gctx->key_set = 0; 1317 gctx->iv_set = 0; 1318 if (c->cipher->iv_len == 0) { 1319 EVPerror(EVP_R_INVALID_IV_LENGTH); 1320 return 0; 1321 } 1322 gctx->ivlen = c->cipher->iv_len; 1323 gctx->iv = c->iv; 1324 gctx->taglen = -1; 1325 gctx->iv_gen = 0; 1326 gctx->tls_aad_len = -1; 1327 return 1; 1328 1329 case EVP_CTRL_AEAD_GET_IVLEN: 1330 *(int *)ptr = gctx->ivlen; 1331 return 1; 1332 1333 case EVP_CTRL_AEAD_SET_IVLEN: 1334 if (arg <= 0) 1335 return 0; 1336 /* Allocate memory for IV if needed */ 1337 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { 1338 if (gctx->iv != c->iv) 1339 free(gctx->iv); 1340 gctx->iv = malloc(arg); 1341 if (!gctx->iv) 1342 return 0; 1343 } 1344 gctx->ivlen = arg; 1345 return 1; 1346 1347 case EVP_CTRL_GCM_SET_TAG: 1348 if (arg <= 0 || arg > 16 || c->encrypt) 1349 return 0; 1350 memcpy(c->buf, ptr, arg); 1351 gctx->taglen = arg; 1352 return 1; 1353 1354 case EVP_CTRL_GCM_GET_TAG: 1355 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) 1356 return 0; 1357 memcpy(ptr, c->buf, arg); 1358 return 1; 1359 1360 case EVP_CTRL_GCM_SET_IV_FIXED: 1361 /* Special case: -1 length restores whole IV */ 1362 if (arg == -1) { 1363 memcpy(gctx->iv, ptr, gctx->ivlen); 1364 gctx->iv_gen = 1; 1365 return 1; 1366 } 1367 /* Fixed field must be at least 4 bytes and invocation field 1368 * at least 8. 1369 */ 1370 if ((arg < 4) || (gctx->ivlen - arg) < 8) 1371 return 0; 1372 if (arg) 1373 memcpy(gctx->iv, ptr, arg); 1374 if (c->encrypt) 1375 arc4random_buf(gctx->iv + arg, gctx->ivlen - arg); 1376 gctx->iv_gen = 1; 1377 return 1; 1378 1379 case EVP_CTRL_GCM_IV_GEN: 1380 if (gctx->iv_gen == 0 || gctx->key_set == 0) 1381 return 0; 1382 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 1383 if (arg <= 0 || arg > gctx->ivlen) 1384 arg = gctx->ivlen; 1385 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 1386 /* Invocation field will be at least 8 bytes in size and 1387 * so no need to check wrap around or increment more than 1388 * last 8 bytes. 1389 */ 1390 ctr64_inc(gctx->iv + gctx->ivlen - 8); 1391 gctx->iv_set = 1; 1392 return 1; 1393 1394 case EVP_CTRL_GCM_SET_IV_INV: 1395 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) 1396 return 0; 1397 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 1398 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); 1399 gctx->iv_set = 1; 1400 return 1; 1401 1402 case EVP_CTRL_AEAD_TLS1_AAD: 1403 /* Save the AAD for later use */ 1404 if (arg != 13) 1405 return 0; 1406 memcpy(c->buf, ptr, arg); 1407 gctx->tls_aad_len = arg; 1408 { 1409 unsigned int len = c->buf[arg - 2] << 8 | 1410 c->buf[arg - 1]; 1411 1412 /* Correct length for explicit IV */ 1413 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) 1414 return 0; 1415 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 1416 1417 /* If decrypting correct for tag too */ 1418 if (!c->encrypt) { 1419 if (len < EVP_GCM_TLS_TAG_LEN) 1420 return 0; 1421 len -= EVP_GCM_TLS_TAG_LEN; 1422 } 1423 c->buf[arg - 2] = len >> 8; 1424 c->buf[arg - 1] = len & 0xff; 1425 } 1426 /* Extra padding: tag appended to record */ 1427 return EVP_GCM_TLS_TAG_LEN; 1428 1429 case EVP_CTRL_COPY: 1430 { 1431 EVP_CIPHER_CTX *out = ptr; 1432 EVP_AES_GCM_CTX *gctx_out = out->cipher_data; 1433 1434 if (gctx->gcm.key) { 1435 if (gctx->gcm.key != &gctx->ks) 1436 return 0; 1437 gctx_out->gcm.key = &gctx_out->ks; 1438 } 1439 1440 if (gctx->iv == c->iv) { 1441 gctx_out->iv = out->iv; 1442 } else { 1443 if ((gctx_out->iv = calloc(1, gctx->ivlen)) == NULL) 1444 return 0; 1445 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); 1446 } 1447 return 1; 1448 } 1449 1450 default: 1451 return -1; 1452 1453 } 1454} 1455 1456static ctr128_f 1457aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx, 1458 const unsigned char *key, size_t key_len) 1459{ 1460#ifdef BSAES_CAPABLE 1461 if (BSAES_CAPABLE) { 1462 AES_set_encrypt_key(key, key_len * 8, aes_key); 1463 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); 1464 return (ctr128_f)bsaes_ctr32_encrypt_blocks; 1465 } else 1466#endif 1467#ifdef VPAES_CAPABLE 1468 if (VPAES_CAPABLE) { 1469 vpaes_set_encrypt_key(key, key_len * 8, aes_key); 1470 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt); 1471 return NULL; 1472 } else 1473#endif 1474 (void)0; /* terminate potentially open 'else' */ 1475 1476 AES_set_encrypt_key(key, key_len * 8, aes_key); 1477 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); 1478#ifdef AES_CTR_ASM 1479 return (ctr128_f)AES_ctr32_encrypt; 1480#else 1481 return NULL; 1482#endif 1483} 1484 1485static int 1486aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1487 const unsigned char *iv, int enc) 1488{ 1489 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1490 1491 if (!iv && !key) 1492 return 1; 1493 if (key) { 1494 gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, 1495 key, ctx->key_len); 1496 1497 /* If we have an iv can set it directly, otherwise use 1498 * saved IV. 1499 */ 1500 if (iv == NULL && gctx->iv_set) 1501 iv = gctx->iv; 1502 if (iv) { 1503 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 1504 gctx->iv_set = 1; 1505 } 1506 gctx->key_set = 1; 1507 } else { 1508 /* If key set use IV, otherwise copy */ 1509 if (gctx->key_set) 1510 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); 1511 else 1512 memcpy(gctx->iv, iv, gctx->ivlen); 1513 gctx->iv_set = 1; 1514 gctx->iv_gen = 0; 1515 } 1516 return 1; 1517} 1518 1519/* Handle TLS GCM packet format. This consists of the last portion of the IV 1520 * followed by the payload and finally the tag. On encrypt generate IV, 1521 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload 1522 * and verify tag. 1523 */ 1524 1525static int 1526aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1527 const unsigned char *in, size_t len) 1528{ 1529 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1530 int rv = -1; 1531 1532 /* Encrypt/decrypt must be performed in place */ 1533 if (out != in || 1534 len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) 1535 return -1; 1536 1537 /* Set IV from start of buffer or generate IV and write to start 1538 * of buffer. 1539 */ 1540 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? 1541 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, 1542 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) 1543 goto err; 1544 1545 /* Use saved AAD */ 1546 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) 1547 goto err; 1548 1549 /* Fix buffer and length to point to payload */ 1550 in += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1551 out += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1552 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1553 if (ctx->encrypt) { 1554 /* Encrypt payload */ 1555 if (gctx->ctr) { 1556 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, 1557 len, gctx->ctr)) 1558 goto err; 1559 } else { 1560 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) 1561 goto err; 1562 } 1563 out += len; 1564 1565 /* Finally write tag */ 1566 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); 1567 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 1568 } else { 1569 /* Decrypt */ 1570 if (gctx->ctr) { 1571 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, 1572 len, gctx->ctr)) 1573 goto err; 1574 } else { 1575 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) 1576 goto err; 1577 } 1578 /* Retrieve tag */ 1579 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN); 1580 1581 /* If tag mismatch wipe buffer */ 1582 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { 1583 explicit_bzero(out, len); 1584 goto err; 1585 } 1586 rv = len; 1587 } 1588 1589err: 1590 gctx->iv_set = 0; 1591 gctx->tls_aad_len = -1; 1592 return rv; 1593} 1594 1595static int 1596aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1597 const unsigned char *in, size_t len) 1598{ 1599 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; 1600 1601 /* If not set up, return error */ 1602 if (!gctx->key_set) 1603 return -1; 1604 1605 if (gctx->tls_aad_len >= 0) 1606 return aes_gcm_tls_cipher(ctx, out, in, len); 1607 1608 if (!gctx->iv_set) 1609 return -1; 1610 1611 if (in) { 1612 if (out == NULL) { 1613 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) 1614 return -1; 1615 } else if (ctx->encrypt) { 1616 if (gctx->ctr) { 1617 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, 1618 in, out, len, gctx->ctr)) 1619 return -1; 1620 } else { 1621 if (CRYPTO_gcm128_encrypt(&gctx->gcm, 1622 in, out, len)) 1623 return -1; 1624 } 1625 } else { 1626 if (gctx->ctr) { 1627 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, 1628 in, out, len, gctx->ctr)) 1629 return -1; 1630 } else { 1631 if (CRYPTO_gcm128_decrypt(&gctx->gcm, 1632 in, out, len)) 1633 return -1; 1634 } 1635 } 1636 return len; 1637 } else { 1638 if (!ctx->encrypt) { 1639 if (gctx->taglen < 0) 1640 return -1; 1641 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, 1642 gctx->taglen) != 0) 1643 return -1; 1644 gctx->iv_set = 0; 1645 return 0; 1646 } 1647 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); 1648 gctx->taglen = 16; 1649 1650 /* Don't reuse the IV */ 1651 gctx->iv_set = 0; 1652 return 0; 1653 } 1654 1655} 1656 1657#define CUSTOM_FLAGS \ 1658 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ 1659 EVP_CIPH_FLAG_CUSTOM_IV_LENGTH | \ 1660 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \ 1661 EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) 1662 1663 1664#ifdef AESNI_CAPABLE 1665static const EVP_CIPHER aesni_128_gcm = { 1666 .nid = NID_aes_128_gcm, 1667 .block_size = 1, 1668 .key_len = 16, 1669 .iv_len = 12, 1670 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1671 .init = aesni_gcm_init_key, 1672 .do_cipher = aes_gcm_cipher, 1673 .cleanup = aes_gcm_cleanup, 1674 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1675 .ctrl = aes_gcm_ctrl, 1676}; 1677#endif 1678 1679static const EVP_CIPHER aes_128_gcm = { 1680 .nid = NID_aes_128_gcm, 1681 .block_size = 1, 1682 .key_len = 16, 1683 .iv_len = 12, 1684 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1685 .init = aes_gcm_init_key, 1686 .do_cipher = aes_gcm_cipher, 1687 .cleanup = aes_gcm_cleanup, 1688 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1689 .ctrl = aes_gcm_ctrl, 1690}; 1691 1692const EVP_CIPHER * 1693EVP_aes_128_gcm(void) 1694{ 1695#ifdef AESNI_CAPABLE 1696 return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm; 1697#else 1698 return &aes_128_gcm; 1699#endif 1700} 1701LCRYPTO_ALIAS(EVP_aes_128_gcm); 1702 1703#ifdef AESNI_CAPABLE 1704static const EVP_CIPHER aesni_192_gcm = { 1705 .nid = NID_aes_192_gcm, 1706 .block_size = 1, 1707 .key_len = 24, 1708 .iv_len = 12, 1709 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1710 .init = aesni_gcm_init_key, 1711 .do_cipher = aes_gcm_cipher, 1712 .cleanup = aes_gcm_cleanup, 1713 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1714 .ctrl = aes_gcm_ctrl, 1715}; 1716#endif 1717 1718static const EVP_CIPHER aes_192_gcm = { 1719 .nid = NID_aes_192_gcm, 1720 .block_size = 1, 1721 .key_len = 24, 1722 .iv_len = 12, 1723 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1724 .init = aes_gcm_init_key, 1725 .do_cipher = aes_gcm_cipher, 1726 .cleanup = aes_gcm_cleanup, 1727 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1728 .ctrl = aes_gcm_ctrl, 1729}; 1730 1731const EVP_CIPHER * 1732EVP_aes_192_gcm(void) 1733{ 1734#ifdef AESNI_CAPABLE 1735 return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm; 1736#else 1737 return &aes_192_gcm; 1738#endif 1739} 1740LCRYPTO_ALIAS(EVP_aes_192_gcm); 1741 1742#ifdef AESNI_CAPABLE 1743static const EVP_CIPHER aesni_256_gcm = { 1744 .nid = NID_aes_256_gcm, 1745 .block_size = 1, 1746 .key_len = 32, 1747 .iv_len = 12, 1748 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1749 .init = aesni_gcm_init_key, 1750 .do_cipher = aes_gcm_cipher, 1751 .cleanup = aes_gcm_cleanup, 1752 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1753 .ctrl = aes_gcm_ctrl, 1754}; 1755#endif 1756 1757static const EVP_CIPHER aes_256_gcm = { 1758 .nid = NID_aes_256_gcm, 1759 .block_size = 1, 1760 .key_len = 32, 1761 .iv_len = 12, 1762 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, 1763 .init = aes_gcm_init_key, 1764 .do_cipher = aes_gcm_cipher, 1765 .cleanup = aes_gcm_cleanup, 1766 .ctx_size = sizeof(EVP_AES_GCM_CTX), 1767 .ctrl = aes_gcm_ctrl, 1768}; 1769 1770const EVP_CIPHER * 1771EVP_aes_256_gcm(void) 1772{ 1773#ifdef AESNI_CAPABLE 1774 return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm; 1775#else 1776 return &aes_256_gcm; 1777#endif 1778} 1779LCRYPTO_ALIAS(EVP_aes_256_gcm); 1780 1781static int 1782aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1783{ 1784 EVP_AES_XTS_CTX *xctx = c->cipher_data; 1785 1786 switch (type) { 1787 case EVP_CTRL_INIT: 1788 /* 1789 * key1 and key2 are used as an indicator both key and IV 1790 * are set 1791 */ 1792 xctx->xts.key1 = NULL; 1793 xctx->xts.key2 = NULL; 1794 return 1; 1795 1796 case EVP_CTRL_COPY: 1797 { 1798 EVP_CIPHER_CTX *out = ptr; 1799 EVP_AES_XTS_CTX *xctx_out = out->cipher_data; 1800 1801 if (xctx->xts.key1) { 1802 if (xctx->xts.key1 != &xctx->ks1) 1803 return 0; 1804 xctx_out->xts.key1 = &xctx_out->ks1; 1805 } 1806 if (xctx->xts.key2) { 1807 if (xctx->xts.key2 != &xctx->ks2) 1808 return 0; 1809 xctx_out->xts.key2 = &xctx_out->ks2; 1810 } 1811 return 1; 1812 } 1813 } 1814 return -1; 1815} 1816 1817static int 1818aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1819 const unsigned char *iv, int enc) 1820{ 1821 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1822 1823 if (!iv && !key) 1824 return 1; 1825 1826 if (key) do { 1827#ifdef AES_XTS_ASM 1828 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; 1829#else 1830 xctx->stream = NULL; 1831#endif 1832 /* key_len is two AES keys */ 1833#ifdef BSAES_CAPABLE 1834 if (BSAES_CAPABLE) 1835 xctx->stream = enc ? bsaes_xts_encrypt : 1836 bsaes_xts_decrypt; 1837 else 1838#endif 1839#ifdef VPAES_CAPABLE 1840 if (VPAES_CAPABLE) { 1841 if (enc) { 1842 vpaes_set_encrypt_key(key, ctx->key_len * 4, 1843 &xctx->ks1); 1844 xctx->xts.block1 = (block128_f)vpaes_encrypt; 1845 } else { 1846 vpaes_set_decrypt_key(key, ctx->key_len * 4, 1847 &xctx->ks1); 1848 xctx->xts.block1 = (block128_f)vpaes_decrypt; 1849 } 1850 1851 vpaes_set_encrypt_key(key + ctx->key_len / 2, 1852 ctx->key_len * 4, &xctx->ks2); 1853 xctx->xts.block2 = (block128_f)vpaes_encrypt; 1854 1855 xctx->xts.key1 = &xctx->ks1; 1856 break; 1857 } else 1858#endif 1859 (void)0; /* terminate potentially open 'else' */ 1860 1861 if (enc) { 1862 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1863 xctx->xts.block1 = (block128_f)AES_encrypt; 1864 } else { 1865 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1866 xctx->xts.block1 = (block128_f)AES_decrypt; 1867 } 1868 1869 AES_set_encrypt_key(key + ctx->key_len / 2, 1870 ctx->key_len * 4, &xctx->ks2); 1871 xctx->xts.block2 = (block128_f)AES_encrypt; 1872 1873 xctx->xts.key1 = &xctx->ks1; 1874 } while (0); 1875 1876 if (iv) { 1877 xctx->xts.key2 = &xctx->ks2; 1878 memcpy(ctx->iv, iv, 16); 1879 } 1880 1881 return 1; 1882} 1883 1884static int 1885aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 1886 const unsigned char *in, size_t len) 1887{ 1888 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 1889 1890 if (!xctx->xts.key1 || !xctx->xts.key2) 1891 return 0; 1892 if (!out || !in || len < AES_BLOCK_SIZE) 1893 return 0; 1894 1895 if (xctx->stream) 1896 (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2, 1897 ctx->iv); 1898 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, 1899 ctx->encrypt)) 1900 return 0; 1901 return 1; 1902} 1903 1904#define XTS_FLAGS \ 1905 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ 1906 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) 1907 1908 1909#ifdef AESNI_CAPABLE 1910static const EVP_CIPHER aesni_128_xts = { 1911 .nid = NID_aes_128_xts, 1912 .block_size = 1, 1913 .key_len = 2 * 16, 1914 .iv_len = 16, 1915 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1916 .init = aesni_xts_init_key, 1917 .do_cipher = aes_xts_cipher, 1918 .cleanup = NULL, 1919 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1920 .ctrl = aes_xts_ctrl, 1921}; 1922#endif 1923 1924static const EVP_CIPHER aes_128_xts = { 1925 .nid = NID_aes_128_xts, 1926 .block_size = 1, 1927 .key_len = 2 * 16, 1928 .iv_len = 16, 1929 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1930 .init = aes_xts_init_key, 1931 .do_cipher = aes_xts_cipher, 1932 .cleanup = NULL, 1933 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1934 .ctrl = aes_xts_ctrl, 1935}; 1936 1937const EVP_CIPHER * 1938EVP_aes_128_xts(void) 1939{ 1940#ifdef AESNI_CAPABLE 1941 return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts; 1942#else 1943 return &aes_128_xts; 1944#endif 1945} 1946LCRYPTO_ALIAS(EVP_aes_128_xts); 1947 1948#ifdef AESNI_CAPABLE 1949static const EVP_CIPHER aesni_256_xts = { 1950 .nid = NID_aes_256_xts, 1951 .block_size = 1, 1952 .key_len = 2 * 32, 1953 .iv_len = 16, 1954 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1955 .init = aesni_xts_init_key, 1956 .do_cipher = aes_xts_cipher, 1957 .cleanup = NULL, 1958 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1959 .ctrl = aes_xts_ctrl, 1960}; 1961#endif 1962 1963static const EVP_CIPHER aes_256_xts = { 1964 .nid = NID_aes_256_xts, 1965 .block_size = 1, 1966 .key_len = 2 * 32, 1967 .iv_len = 16, 1968 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, 1969 .init = aes_xts_init_key, 1970 .do_cipher = aes_xts_cipher, 1971 .cleanup = NULL, 1972 .ctx_size = sizeof(EVP_AES_XTS_CTX), 1973 .ctrl = aes_xts_ctrl, 1974}; 1975 1976const EVP_CIPHER * 1977EVP_aes_256_xts(void) 1978{ 1979#ifdef AESNI_CAPABLE 1980 return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts; 1981#else 1982 return &aes_256_xts; 1983#endif 1984} 1985LCRYPTO_ALIAS(EVP_aes_256_xts); 1986 1987static int 1988aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1989{ 1990 EVP_AES_CCM_CTX *cctx = c->cipher_data; 1991 1992 switch (type) { 1993 case EVP_CTRL_INIT: 1994 cctx->key_set = 0; 1995 cctx->iv_set = 0; 1996 cctx->L = 8; 1997 cctx->M = 12; 1998 cctx->tag_set = 0; 1999 cctx->len_set = 0; 2000 return 1; 2001 2002 case EVP_CTRL_AEAD_GET_IVLEN: 2003 *(int *)ptr = 15 - cctx->L; 2004 return 1; 2005 2006 case EVP_CTRL_AEAD_SET_IVLEN: 2007 arg = 15 - arg; 2008 2009 case EVP_CTRL_CCM_SET_L: 2010 if (arg < 2 || arg > 8) 2011 return 0; 2012 cctx->L = arg; 2013 return 1; 2014 2015 case EVP_CTRL_CCM_SET_TAG: 2016 if ((arg & 1) || arg < 4 || arg > 16) 2017 return 0; 2018 if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) 2019 return 0; 2020 if (ptr) { 2021 cctx->tag_set = 1; 2022 memcpy(c->buf, ptr, arg); 2023 } 2024 cctx->M = arg; 2025 return 1; 2026 2027 case EVP_CTRL_CCM_GET_TAG: 2028 if (!c->encrypt || !cctx->tag_set) 2029 return 0; 2030 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) 2031 return 0; 2032 cctx->tag_set = 0; 2033 cctx->iv_set = 0; 2034 cctx->len_set = 0; 2035 return 1; 2036 2037 case EVP_CTRL_COPY: 2038 { 2039 EVP_CIPHER_CTX *out = ptr; 2040 EVP_AES_CCM_CTX *cctx_out = out->cipher_data; 2041 2042 if (cctx->ccm.key) { 2043 if (cctx->ccm.key != &cctx->ks) 2044 return 0; 2045 cctx_out->ccm.key = &cctx_out->ks; 2046 } 2047 return 1; 2048 } 2049 2050 default: 2051 return -1; 2052 } 2053} 2054 2055static int 2056aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 2057 const unsigned char *iv, int enc) 2058{ 2059 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 2060 2061 if (!iv && !key) 2062 return 1; 2063 if (key) do { 2064#ifdef VPAES_CAPABLE 2065 if (VPAES_CAPABLE) { 2066 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); 2067 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 2068 &cctx->ks, (block128_f)vpaes_encrypt); 2069 cctx->str = NULL; 2070 cctx->key_set = 1; 2071 break; 2072 } 2073#endif 2074 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); 2075 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 2076 &cctx->ks, (block128_f)AES_encrypt); 2077 cctx->str = NULL; 2078 cctx->key_set = 1; 2079 } while (0); 2080 if (iv) { 2081 memcpy(ctx->iv, iv, 15 - cctx->L); 2082 cctx->iv_set = 1; 2083 } 2084 return 1; 2085} 2086 2087static int 2088aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 2089 const unsigned char *in, size_t len) 2090{ 2091 EVP_AES_CCM_CTX *cctx = ctx->cipher_data; 2092 CCM128_CONTEXT *ccm = &cctx->ccm; 2093 2094 /* If not set up, return error */ 2095 if (!cctx->iv_set && !cctx->key_set) 2096 return -1; 2097 if (!ctx->encrypt && !cctx->tag_set) 2098 return -1; 2099 2100 if (!out) { 2101 if (!in) { 2102 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, 2103 len)) 2104 return -1; 2105 cctx->len_set = 1; 2106 return len; 2107 } 2108 /* If have AAD need message length */ 2109 if (!cctx->len_set && len) 2110 return -1; 2111 CRYPTO_ccm128_aad(ccm, in, len); 2112 return len; 2113 } 2114 /* EVP_*Final() doesn't return any data */ 2115 if (!in) 2116 return 0; 2117 /* If not set length yet do it */ 2118 if (!cctx->len_set) { 2119 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) 2120 return -1; 2121 cctx->len_set = 1; 2122 } 2123 if (ctx->encrypt) { 2124 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, 2125 cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len)) 2126 return -1; 2127 cctx->tag_set = 1; 2128 return len; 2129 } else { 2130 int rv = -1; 2131 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, 2132 cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { 2133 unsigned char tag[16]; 2134 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { 2135 if (!memcmp(tag, ctx->buf, cctx->M)) 2136 rv = len; 2137 } 2138 } 2139 if (rv == -1) 2140 explicit_bzero(out, len); 2141 cctx->iv_set = 0; 2142 cctx->tag_set = 0; 2143 cctx->len_set = 0; 2144 return rv; 2145 } 2146 2147} 2148 2149#ifdef AESNI_CAPABLE 2150static const EVP_CIPHER aesni_128_ccm = { 2151 .nid = NID_aes_128_ccm, 2152 .block_size = 1, 2153 .key_len = 16, 2154 .iv_len = 12, 2155 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2156 .init = aesni_ccm_init_key, 2157 .do_cipher = aes_ccm_cipher, 2158 .cleanup = NULL, 2159 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2160 .ctrl = aes_ccm_ctrl, 2161}; 2162#endif 2163 2164static const EVP_CIPHER aes_128_ccm = { 2165 .nid = NID_aes_128_ccm, 2166 .block_size = 1, 2167 .key_len = 16, 2168 .iv_len = 12, 2169 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2170 .init = aes_ccm_init_key, 2171 .do_cipher = aes_ccm_cipher, 2172 .cleanup = NULL, 2173 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2174 .ctrl = aes_ccm_ctrl, 2175}; 2176 2177const EVP_CIPHER * 2178EVP_aes_128_ccm(void) 2179{ 2180#ifdef AESNI_CAPABLE 2181 return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm; 2182#else 2183 return &aes_128_ccm; 2184#endif 2185} 2186LCRYPTO_ALIAS(EVP_aes_128_ccm); 2187 2188#ifdef AESNI_CAPABLE 2189static const EVP_CIPHER aesni_192_ccm = { 2190 .nid = NID_aes_192_ccm, 2191 .block_size = 1, 2192 .key_len = 24, 2193 .iv_len = 12, 2194 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2195 .init = aesni_ccm_init_key, 2196 .do_cipher = aes_ccm_cipher, 2197 .cleanup = NULL, 2198 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2199 .ctrl = aes_ccm_ctrl, 2200}; 2201#endif 2202 2203static const EVP_CIPHER aes_192_ccm = { 2204 .nid = NID_aes_192_ccm, 2205 .block_size = 1, 2206 .key_len = 24, 2207 .iv_len = 12, 2208 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2209 .init = aes_ccm_init_key, 2210 .do_cipher = aes_ccm_cipher, 2211 .cleanup = NULL, 2212 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2213 .ctrl = aes_ccm_ctrl, 2214}; 2215 2216const EVP_CIPHER * 2217EVP_aes_192_ccm(void) 2218{ 2219#ifdef AESNI_CAPABLE 2220 return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm; 2221#else 2222 return &aes_192_ccm; 2223#endif 2224} 2225LCRYPTO_ALIAS(EVP_aes_192_ccm); 2226 2227#ifdef AESNI_CAPABLE 2228static const EVP_CIPHER aesni_256_ccm = { 2229 .nid = NID_aes_256_ccm, 2230 .block_size = 1, 2231 .key_len = 32, 2232 .iv_len = 12, 2233 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2234 .init = aesni_ccm_init_key, 2235 .do_cipher = aes_ccm_cipher, 2236 .cleanup = NULL, 2237 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2238 .ctrl = aes_ccm_ctrl, 2239}; 2240#endif 2241 2242static const EVP_CIPHER aes_256_ccm = { 2243 .nid = NID_aes_256_ccm, 2244 .block_size = 1, 2245 .key_len = 32, 2246 .iv_len = 12, 2247 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, 2248 .init = aes_ccm_init_key, 2249 .do_cipher = aes_ccm_cipher, 2250 .cleanup = NULL, 2251 .ctx_size = sizeof(EVP_AES_CCM_CTX), 2252 .ctrl = aes_ccm_ctrl, 2253}; 2254 2255const EVP_CIPHER * 2256EVP_aes_256_ccm(void) 2257{ 2258#ifdef AESNI_CAPABLE 2259 return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm; 2260#else 2261 return &aes_256_ccm; 2262#endif 2263} 2264LCRYPTO_ALIAS(EVP_aes_256_ccm); 2265 2266#define EVP_AEAD_AES_GCM_TAG_LEN 16 2267 2268struct aead_aes_gcm_ctx { 2269 union { 2270 double align; 2271 AES_KEY ks; 2272 } ks; 2273 GCM128_CONTEXT gcm; 2274 ctr128_f ctr; 2275 unsigned char tag_len; 2276}; 2277 2278static int 2279aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len, 2280 size_t tag_len) 2281{ 2282 struct aead_aes_gcm_ctx *gcm_ctx; 2283 const size_t key_bits = key_len * 8; 2284 2285 /* EVP_AEAD_CTX_init should catch this. */ 2286 if (key_bits != 128 && key_bits != 256) { 2287 EVPerror(EVP_R_BAD_KEY_LENGTH); 2288 return 0; 2289 } 2290 2291 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) 2292 tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 2293 2294 if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { 2295 EVPerror(EVP_R_TAG_TOO_LARGE); 2296 return 0; 2297 } 2298 2299 if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL) 2300 return 0; 2301 2302#ifdef AESNI_CAPABLE 2303 if (AESNI_CAPABLE) { 2304 aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks); 2305 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, 2306 (block128_f)aesni_encrypt); 2307 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; 2308 } else 2309#endif 2310 { 2311 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, 2312 key, key_len); 2313 } 2314 gcm_ctx->tag_len = tag_len; 2315 ctx->aead_state = gcm_ctx; 2316 2317 return 1; 2318} 2319 2320static void 2321aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) 2322{ 2323 struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2324 2325 freezero(gcm_ctx, sizeof(*gcm_ctx)); 2326} 2327 2328static int 2329aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, 2330 size_t max_out_len, const unsigned char *nonce, size_t nonce_len, 2331 const unsigned char *in, size_t in_len, const unsigned char *ad, 2332 size_t ad_len) 2333{ 2334 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2335 GCM128_CONTEXT gcm; 2336 size_t bulk = 0; 2337 2338 if (max_out_len < in_len + gcm_ctx->tag_len) { 2339 EVPerror(EVP_R_BUFFER_TOO_SMALL); 2340 return 0; 2341 } 2342 2343 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); 2344 2345 if (nonce_len == 0) { 2346 EVPerror(EVP_R_INVALID_IV_LENGTH); 2347 return 0; 2348 } 2349 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); 2350 2351 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) 2352 return 0; 2353 2354 if (gcm_ctx->ctr) { 2355 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk, 2356 in_len - bulk, gcm_ctx->ctr)) 2357 return 0; 2358 } else { 2359 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk, 2360 in_len - bulk)) 2361 return 0; 2362 } 2363 2364 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len); 2365 *out_len = in_len + gcm_ctx->tag_len; 2366 2367 return 1; 2368} 2369 2370static int 2371aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, 2372 size_t max_out_len, const unsigned char *nonce, size_t nonce_len, 2373 const unsigned char *in, size_t in_len, const unsigned char *ad, 2374 size_t ad_len) 2375{ 2376 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; 2377 unsigned char tag[EVP_AEAD_AES_GCM_TAG_LEN]; 2378 GCM128_CONTEXT gcm; 2379 size_t plaintext_len; 2380 size_t bulk = 0; 2381 2382 if (in_len < gcm_ctx->tag_len) { 2383 EVPerror(EVP_R_BAD_DECRYPT); 2384 return 0; 2385 } 2386 2387 plaintext_len = in_len - gcm_ctx->tag_len; 2388 2389 if (max_out_len < plaintext_len) { 2390 EVPerror(EVP_R_BUFFER_TOO_SMALL); 2391 return 0; 2392 } 2393 2394 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); 2395 2396 if (nonce_len == 0) { 2397 EVPerror(EVP_R_INVALID_IV_LENGTH); 2398 return 0; 2399 } 2400 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); 2401 2402 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) 2403 return 0; 2404 2405 if (gcm_ctx->ctr) { 2406 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk, 2407 in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr)) 2408 return 0; 2409 } else { 2410 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk, 2411 in_len - bulk - gcm_ctx->tag_len)) 2412 return 0; 2413 } 2414 2415 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); 2416 if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) { 2417 EVPerror(EVP_R_BAD_DECRYPT); 2418 return 0; 2419 } 2420 2421 *out_len = plaintext_len; 2422 2423 return 1; 2424} 2425 2426static const EVP_AEAD aead_aes_128_gcm = { 2427 .key_len = 16, 2428 .nonce_len = 12, 2429 .overhead = EVP_AEAD_AES_GCM_TAG_LEN, 2430 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, 2431 2432 .init = aead_aes_gcm_init, 2433 .cleanup = aead_aes_gcm_cleanup, 2434 .seal = aead_aes_gcm_seal, 2435 .open = aead_aes_gcm_open, 2436}; 2437 2438static const EVP_AEAD aead_aes_256_gcm = { 2439 .key_len = 32, 2440 .nonce_len = 12, 2441 .overhead = EVP_AEAD_AES_GCM_TAG_LEN, 2442 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, 2443 2444 .init = aead_aes_gcm_init, 2445 .cleanup = aead_aes_gcm_cleanup, 2446 .seal = aead_aes_gcm_seal, 2447 .open = aead_aes_gcm_open, 2448}; 2449 2450const EVP_AEAD * 2451EVP_aead_aes_128_gcm(void) 2452{ 2453 return &aead_aes_128_gcm; 2454} 2455LCRYPTO_ALIAS(EVP_aead_aes_128_gcm); 2456 2457const EVP_AEAD * 2458EVP_aead_aes_256_gcm(void) 2459{ 2460 return &aead_aes_256_gcm; 2461} 2462LCRYPTO_ALIAS(EVP_aead_aes_256_gcm); 2463 2464typedef struct { 2465 union { 2466 double align; 2467 AES_KEY ks; 2468 } ks; 2469 unsigned char *iv; 2470} EVP_AES_WRAP_CTX; 2471 2472static int 2473aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 2474 const unsigned char *iv, int enc) 2475{ 2476 EVP_AES_WRAP_CTX *wctx = (EVP_AES_WRAP_CTX *)ctx->cipher_data; 2477 2478 if (iv == NULL && key == NULL) 2479 return 1; 2480 2481 if (key != NULL) { 2482 if (ctx->encrypt) 2483 AES_set_encrypt_key(key, 8 * ctx->key_len, 2484 &wctx->ks.ks); 2485 else 2486 AES_set_decrypt_key(key, 8 * ctx->key_len, 2487 &wctx->ks.ks); 2488 2489 if (iv == NULL) 2490 wctx->iv = NULL; 2491 } 2492 2493 if (iv != NULL) { 2494 int iv_len = EVP_CIPHER_CTX_iv_length(ctx); 2495 2496 if (iv_len < 0 || iv_len > sizeof(ctx->iv)) 2497 return 0; 2498 memcpy(ctx->iv, iv, iv_len); 2499 wctx->iv = ctx->iv; 2500 } 2501 2502 return 1; 2503} 2504 2505static int 2506aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 2507 const unsigned char *in, size_t inlen) 2508{ 2509 EVP_AES_WRAP_CTX *wctx = ctx->cipher_data; 2510 int ret; 2511 2512 if (in == NULL) 2513 return 0; 2514 2515 if (inlen % 8 != 0) 2516 return -1; 2517 if (ctx->encrypt && inlen < 8) 2518 return -1; 2519 if (!ctx->encrypt && inlen < 16) 2520 return -1; 2521 if (inlen > INT_MAX) 2522 return -1; 2523 2524 if (out == NULL) { 2525 if (ctx->encrypt) 2526 return inlen + 8; 2527 else 2528 return inlen - 8; 2529 } 2530 2531 if (ctx->encrypt) 2532 ret = AES_wrap_key(&wctx->ks.ks, wctx->iv, out, in, 2533 (unsigned int)inlen); 2534 else 2535 ret = AES_unwrap_key(&wctx->ks.ks, wctx->iv, out, in, 2536 (unsigned int)inlen); 2537 2538 return ret != 0 ? ret : -1; 2539} 2540 2541static int 2542aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 2543{ 2544 EVP_AES_WRAP_CTX *wctx = c->cipher_data; 2545 2546 switch (type) { 2547 case EVP_CTRL_COPY: 2548 { 2549 EVP_CIPHER_CTX *out = ptr; 2550 EVP_AES_WRAP_CTX *wctx_out = out->cipher_data; 2551 2552 if (wctx->iv != NULL) { 2553 if (c->iv != wctx->iv) 2554 return 0; 2555 2556 wctx_out->iv = out->iv; 2557 } 2558 2559 return 1; 2560 } 2561 } 2562 2563 return -1; 2564} 2565 2566#define WRAP_FLAGS \ 2567 ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \ 2568 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \ 2569 EVP_CIPH_CUSTOM_COPY ) 2570 2571static const EVP_CIPHER aes_128_wrap = { 2572 .nid = NID_id_aes128_wrap, 2573 .block_size = 8, 2574 .key_len = 16, 2575 .iv_len = 8, 2576 .flags = WRAP_FLAGS, 2577 .init = aes_wrap_init_key, 2578 .do_cipher = aes_wrap_cipher, 2579 .cleanup = NULL, 2580 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2581 .set_asn1_parameters = NULL, 2582 .get_asn1_parameters = NULL, 2583 .ctrl = aes_wrap_ctrl, 2584}; 2585 2586const EVP_CIPHER * 2587EVP_aes_128_wrap(void) 2588{ 2589 return &aes_128_wrap; 2590} 2591LCRYPTO_ALIAS(EVP_aes_128_wrap); 2592 2593static const EVP_CIPHER aes_192_wrap = { 2594 .nid = NID_id_aes192_wrap, 2595 .block_size = 8, 2596 .key_len = 24, 2597 .iv_len = 8, 2598 .flags = WRAP_FLAGS, 2599 .init = aes_wrap_init_key, 2600 .do_cipher = aes_wrap_cipher, 2601 .cleanup = NULL, 2602 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2603 .set_asn1_parameters = NULL, 2604 .get_asn1_parameters = NULL, 2605 .ctrl = aes_wrap_ctrl, 2606}; 2607 2608const EVP_CIPHER * 2609EVP_aes_192_wrap(void) 2610{ 2611 return &aes_192_wrap; 2612} 2613LCRYPTO_ALIAS(EVP_aes_192_wrap); 2614 2615static const EVP_CIPHER aes_256_wrap = { 2616 .nid = NID_id_aes256_wrap, 2617 .block_size = 8, 2618 .key_len = 32, 2619 .iv_len = 8, 2620 .flags = WRAP_FLAGS, 2621 .init = aes_wrap_init_key, 2622 .do_cipher = aes_wrap_cipher, 2623 .cleanup = NULL, 2624 .ctx_size = sizeof(EVP_AES_WRAP_CTX), 2625 .set_asn1_parameters = NULL, 2626 .get_asn1_parameters = NULL, 2627 .ctrl = aes_wrap_ctrl, 2628}; 2629 2630const EVP_CIPHER * 2631EVP_aes_256_wrap(void) 2632{ 2633 return &aes_256_wrap; 2634} 2635LCRYPTO_ALIAS(EVP_aes_256_wrap); 2636 2637#endif 2638