OpenSSL  1.0.1c
 All Classes Files Functions Variables Typedefs Enumerations Enumerator Macros
e_aes.c
Go to the documentation of this file.
1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  * notice, this list of conditions and the following disclaimer.
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  * notice, this list of conditions and the following disclaimer in
13  * the documentation and/or other materials provided with the
14  * distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  * software must display the following acknowledgment:
18  * "This product includes software developed by the OpenSSL Project
19  * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  * endorse or promote products derived from this software without
23  * prior written permission. For written permission, please contact
24  * [email protected].
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  * nor may "OpenSSL" appear in their names without prior written
28  * permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  * acknowledgment:
32  * "This product includes software developed by the OpenSSL Project
33  * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50 
51 #include <openssl/opensslconf.h>
52 #ifndef OPENSSL_NO_AES
53 #include <openssl/evp.h>
54 #include <openssl/err.h>
55 #include <string.h>
56 #include <assert.h>
57 #include <openssl/aes.h>
58 #include "evp_locl.h"
59 #ifndef OPENSSL_FIPS
60 #include "modes_lcl.h"
61 #include <openssl/rand.h>
62 
63 typedef struct
64  {
65  AES_KEY ks;
66  block128_f block;
67  union {
68  cbc128_f cbc;
69  ctr128_f ctr;
70  } stream;
71  } EVP_AES_KEY;
72 
73 typedef struct
74  {
75  AES_KEY ks; /* AES key schedule to use */
76  int key_set; /* Set if key initialised */
77  int iv_set; /* Set if an iv is set */
78  GCM128_CONTEXT gcm;
79  unsigned char *iv; /* Temporary IV store */
80  int ivlen; /* IV length */
81  int taglen;
82  int iv_gen; /* It is OK to generate IVs */
83  int tls_aad_len; /* TLS AAD length */
84  ctr128_f ctr;
85  } EVP_AES_GCM_CTX;
86 
87 typedef struct
88  {
89  AES_KEY ks1, ks2; /* AES key schedules to use */
90  XTS128_CONTEXT xts;
91  void (*stream)(const unsigned char *in,
92  unsigned char *out, size_t length,
93  const AES_KEY *key1, const AES_KEY *key2,
94  const unsigned char iv[16]);
95  } EVP_AES_XTS_CTX;
96 
97 typedef struct
98  {
99  AES_KEY ks; /* AES key schedule to use */
100  int key_set; /* Set if key initialised */
101  int iv_set; /* Set if an iv is set */
102  int tag_set; /* Set if tag is valid */
103  int len_set; /* Set if message length set */
104  int L, M; /* L and M parameters from RFC3610 */
105  CCM128_CONTEXT ccm;
106  ccm128_f str;
107  } EVP_AES_CCM_CTX;
108 
109 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
110 
111 #ifdef VPAES_ASM
112 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
113  AES_KEY *key);
114 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
115  AES_KEY *key);
116 
117 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
118  const AES_KEY *key);
119 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
120  const AES_KEY *key);
121 
122 void vpaes_cbc_encrypt(const unsigned char *in,
123  unsigned char *out,
124  size_t length,
125  const AES_KEY *key,
126  unsigned char *ivec, int enc);
127 #endif
128 #ifdef BSAES_ASM
129 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
130  size_t length, const AES_KEY *key,
131  unsigned char ivec[16], int enc);
132 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
133  size_t len, const AES_KEY *key,
134  const unsigned char ivec[16]);
135 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
136  size_t len, const AES_KEY *key1,
137  const AES_KEY *key2, const unsigned char iv[16]);
138 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
139  size_t len, const AES_KEY *key1,
140  const AES_KEY *key2, const unsigned char iv[16]);
141 #endif
142 #ifdef AES_CTR_ASM
143 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
144  size_t blocks, const AES_KEY *key,
145  const unsigned char ivec[AES_BLOCK_SIZE]);
146 #endif
147 #ifdef AES_XTS_ASM
148 void AES_xts_encrypt(const char *inp,char *out,size_t len,
149  const AES_KEY *key1, const AES_KEY *key2,
150  const unsigned char iv[16]);
151 void AES_xts_decrypt(const char *inp,char *out,size_t len,
152  const AES_KEY *key1, const AES_KEY *key2,
153  const unsigned char iv[16]);
154 #endif
155 
156 #if defined(AES_ASM) && !defined(I386_ONLY) && ( \
157  ((defined(__i386) || defined(__i386__) || \
158  defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
159  defined(__x86_64) || defined(__x86_64__) || \
160  defined(_M_AMD64) || defined(_M_X64) || \
161  defined(__INTEL__) )
162 
163 extern unsigned int OPENSSL_ia32cap_P[2];
164 
165 #ifdef VPAES_ASM
166 #define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
167 #endif
168 #ifdef BSAES_ASM
169 #define BSAES_CAPABLE VPAES_CAPABLE
170 #endif
171 /*
172  * AES-NI section
173  */
174 #define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
175 
176 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
177  AES_KEY *key);
178 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
179  AES_KEY *key);
180 
181 void aesni_encrypt(const unsigned char *in, unsigned char *out,
182  const AES_KEY *key);
183 void aesni_decrypt(const unsigned char *in, unsigned char *out,
184  const AES_KEY *key);
185 
186 void aesni_ecb_encrypt(const unsigned char *in,
187  unsigned char *out,
188  size_t length,
189  const AES_KEY *key,
190  int enc);
191 void aesni_cbc_encrypt(const unsigned char *in,
192  unsigned char *out,
193  size_t length,
194  const AES_KEY *key,
195  unsigned char *ivec, int enc);
196 
197 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
198  unsigned char *out,
199  size_t blocks,
200  const void *key,
201  const unsigned char *ivec);
202 
203 void aesni_xts_encrypt(const unsigned char *in,
204  unsigned char *out,
205  size_t length,
206  const AES_KEY *key1, const AES_KEY *key2,
207  const unsigned char iv[16]);
208 
209 void aesni_xts_decrypt(const unsigned char *in,
210  unsigned char *out,
211  size_t length,
212  const AES_KEY *key1, const AES_KEY *key2,
213  const unsigned char iv[16]);
214 
215 void aesni_ccm64_encrypt_blocks (const unsigned char *in,
216  unsigned char *out,
217  size_t blocks,
218  const void *key,
219  const unsigned char ivec[16],
220  unsigned char cmac[16]);
221 
222 void aesni_ccm64_decrypt_blocks (const unsigned char *in,
223  unsigned char *out,
224  size_t blocks,
225  const void *key,
226  const unsigned char ivec[16],
227  unsigned char cmac[16]);
228 
229 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
230  const unsigned char *iv, int enc)
231  {
232  int ret, mode;
233  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
234 
235  mode = ctx->cipher->flags & EVP_CIPH_MODE;
236  if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
237  && !enc)
238  {
239  ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
240  dat->block = (block128_f)aesni_decrypt;
241  dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
242  (cbc128_f)aesni_cbc_encrypt :
243  NULL;
244  }
245  else {
246  ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
247  dat->block = (block128_f)aesni_encrypt;
248  if (mode==EVP_CIPH_CBC_MODE)
249  dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
250  else if (mode==EVP_CIPH_CTR_MODE)
251  dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
252  else
253  dat->stream.cbc = NULL;
254  }
255 
256  if(ret < 0)
257  {
258  EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
259  return 0;
260  }
261 
262  return 1;
263  }
264 
265 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
266  const unsigned char *in, size_t len)
267 {
268  aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
269 
270  return 1;
271 }
272 
273 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
274  const unsigned char *in, size_t len)
275 {
276  size_t bl = ctx->cipher->block_size;
277 
278  if (len<bl) return 1;
279 
280  aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
281 
282  return 1;
283 }
284 
285 #define aesni_ofb_cipher aes_ofb_cipher
286 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
287  const unsigned char *in,size_t len);
288 
289 #define aesni_cfb_cipher aes_cfb_cipher
290 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
291  const unsigned char *in,size_t len);
292 
293 #define aesni_cfb8_cipher aes_cfb8_cipher
294 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
295  const unsigned char *in,size_t len);
296 
297 #define aesni_cfb1_cipher aes_cfb1_cipher
298 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
299  const unsigned char *in,size_t len);
300 
301 #define aesni_ctr_cipher aes_ctr_cipher
302 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
303  const unsigned char *in, size_t len);
304 
305 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
306  const unsigned char *iv, int enc)
307  {
308  EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
309  if (!iv && !key)
310  return 1;
311  if (key)
312  {
313  aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
314  CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
315  (block128_f)aesni_encrypt);
316  gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
317  /* If we have an iv can set it directly, otherwise use
318  * saved IV.
319  */
320  if (iv == NULL && gctx->iv_set)
321  iv = gctx->iv;
322  if (iv)
323  {
324  CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
325  gctx->iv_set = 1;
326  }
327  gctx->key_set = 1;
328  }
329  else
330  {
331  /* If key set use IV, otherwise copy */
332  if (gctx->key_set)
333  CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
334  else
335  memcpy(gctx->iv, iv, gctx->ivlen);
336  gctx->iv_set = 1;
337  gctx->iv_gen = 0;
338  }
339  return 1;
340  }
341 
342 #define aesni_gcm_cipher aes_gcm_cipher
343 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
344  const unsigned char *in, size_t len);
345 
346 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
347  const unsigned char *iv, int enc)
348  {
349  EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
350  if (!iv && !key)
351  return 1;
352 
353  if (key)
354  {
355  /* key_len is two AES keys */
356  if (enc)
357  {
358  aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
359  xctx->xts.block1 = (block128_f)aesni_encrypt;
360  xctx->stream = aesni_xts_encrypt;
361  }
362  else
363  {
364  aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
365  xctx->xts.block1 = (block128_f)aesni_decrypt;
366  xctx->stream = aesni_xts_decrypt;
367  }
368 
369  aesni_set_encrypt_key(key + ctx->key_len/2,
370  ctx->key_len * 4, &xctx->ks2);
371  xctx->xts.block2 = (block128_f)aesni_encrypt;
372 
373  xctx->xts.key1 = &xctx->ks1;
374  }
375 
376  if (iv)
377  {
378  xctx->xts.key2 = &xctx->ks2;
379  memcpy(ctx->iv, iv, 16);
380  }
381 
382  return 1;
383  }
384 
385 #define aesni_xts_cipher aes_xts_cipher
386 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
387  const unsigned char *in, size_t len);
388 
389 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
390  const unsigned char *iv, int enc)
391  {
392  EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
393  if (!iv && !key)
394  return 1;
395  if (key)
396  {
397  aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
398  CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
399  &cctx->ks, (block128_f)aesni_encrypt);
400  cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks :
401  (ccm128_f)aesni_ccm64_decrypt_blocks;
402  cctx->key_set = 1;
403  }
404  if (iv)
405  {
406  memcpy(ctx->iv, iv, 15 - cctx->L);
407  cctx->iv_set = 1;
408  }
409  return 1;
410  }
411 
412 #define aesni_ccm_cipher aes_ccm_cipher
413 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
414  const unsigned char *in, size_t len);
415 
416 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
417 static const EVP_CIPHER aesni_##keylen##_##mode = { \
418  nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
419  flags|EVP_CIPH_##MODE##_MODE, \
420  aesni_init_key, \
421  aesni_##mode##_cipher, \
422  NULL, \
423  sizeof(EVP_AES_KEY), \
424  NULL,NULL,NULL,NULL }; \
425 static const EVP_CIPHER aes_##keylen##_##mode = { \
426  nid##_##keylen##_##nmode,blocksize, \
427  keylen/8,ivlen, \
428  flags|EVP_CIPH_##MODE##_MODE, \
429  aes_init_key, \
430  aes_##mode##_cipher, \
431  NULL, \
432  sizeof(EVP_AES_KEY), \
433  NULL,NULL,NULL,NULL }; \
434 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
435 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
436 
437 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
438 static const EVP_CIPHER aesni_##keylen##_##mode = { \
439  nid##_##keylen##_##mode,blocksize, \
440  (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
441  flags|EVP_CIPH_##MODE##_MODE, \
442  aesni_##mode##_init_key, \
443  aesni_##mode##_cipher, \
444  aes_##mode##_cleanup, \
445  sizeof(EVP_AES_##MODE##_CTX), \
446  NULL,NULL,aes_##mode##_ctrl,NULL }; \
447 static const EVP_CIPHER aes_##keylen##_##mode = { \
448  nid##_##keylen##_##mode,blocksize, \
449  (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
450  flags|EVP_CIPH_##MODE##_MODE, \
451  aes_##mode##_init_key, \
452  aes_##mode##_cipher, \
453  aes_##mode##_cleanup, \
454  sizeof(EVP_AES_##MODE##_CTX), \
455  NULL,NULL,aes_##mode##_ctrl,NULL }; \
456 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
457 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
458 
459 #else
460 
461 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
462 static const EVP_CIPHER aes_##keylen##_##mode = { \
463  nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
464  flags|EVP_CIPH_##MODE##_MODE, \
465  aes_init_key, \
466  aes_##mode##_cipher, \
467  NULL, \
468  sizeof(EVP_AES_KEY), \
469  NULL,NULL,NULL,NULL }; \
470 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
471 { return &aes_##keylen##_##mode; }
472 
473 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
474 static const EVP_CIPHER aes_##keylen##_##mode = { \
475  nid##_##keylen##_##mode,blocksize, \
476  (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
477  flags|EVP_CIPH_##MODE##_MODE, \
478  aes_##mode##_init_key, \
479  aes_##mode##_cipher, \
480  aes_##mode##_cleanup, \
481  sizeof(EVP_AES_##MODE##_CTX), \
482  NULL,NULL,aes_##mode##_ctrl,NULL }; \
483 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
484 { return &aes_##keylen##_##mode; }
485 #endif
486 
487 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
488  BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
489  BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
490  BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
491  BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
492  BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
493  BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
494  BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
495 
496 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
497  const unsigned char *iv, int enc)
498  {
499  int ret, mode;
500  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
501 
502  mode = ctx->cipher->flags & EVP_CIPH_MODE;
503  if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
504  && !enc)
505 #ifdef BSAES_CAPABLE
506  if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE)
507  {
508  ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
509  dat->block = (block128_f)AES_decrypt;
510  dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
511  }
512  else
513 #endif
514 #ifdef VPAES_CAPABLE
515  if (VPAES_CAPABLE)
516  {
517  ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
518  dat->block = (block128_f)vpaes_decrypt;
519  dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
520  (cbc128_f)vpaes_cbc_encrypt :
521  NULL;
522  }
523  else
524 #endif
525  {
526  ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
527  dat->block = (block128_f)AES_decrypt;
528  dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
529  (cbc128_f)AES_cbc_encrypt :
530  NULL;
531  }
532  else
533 #ifdef BSAES_CAPABLE
534  if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE)
535  {
536  ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
537  dat->block = (block128_f)AES_encrypt;
538  dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
539  }
540  else
541 #endif
542 #ifdef VPAES_CAPABLE
543  if (VPAES_CAPABLE)
544  {
545  ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
546  dat->block = (block128_f)vpaes_encrypt;
547  dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
548  (cbc128_f)vpaes_cbc_encrypt :
549  NULL;
550  }
551  else
552 #endif
553  {
554  ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
555  dat->block = (block128_f)AES_encrypt;
556  dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
557  (cbc128_f)AES_cbc_encrypt :
558  NULL;
559 #ifdef AES_CTR_ASM
560  if (mode==EVP_CIPH_CTR_MODE)
561  dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
562 #endif
563  }
564 
565  if(ret < 0)
566  {
567  EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
568  return 0;
569  }
570 
571  return 1;
572  }
573 
574 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
575  const unsigned char *in, size_t len)
576 {
577  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
578 
579  if (dat->stream.cbc)
580  (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
581  else if (ctx->encrypt)
582  CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
583  else
584  CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
585 
586  return 1;
587 }
588 
589 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
590  const unsigned char *in, size_t len)
591 {
592  size_t bl = ctx->cipher->block_size;
593  size_t i;
594  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
595 
596  if (len<bl) return 1;
597 
598  for (i=0,len-=bl;i<=len;i+=bl)
599  (*dat->block)(in+i,out+i,&dat->ks);
600 
601  return 1;
602 }
603 
604 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
605  const unsigned char *in,size_t len)
606 {
607  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
608 
609  CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
610  ctx->iv,&ctx->num,dat->block);
611  return 1;
612 }
613 
614 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
615  const unsigned char *in,size_t len)
616 {
617  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
618 
619  CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
620  ctx->iv,&ctx->num,ctx->encrypt,dat->block);
621  return 1;
622 }
623 
624 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
625  const unsigned char *in,size_t len)
626 {
627  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
628 
629  CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
630  ctx->iv,&ctx->num,ctx->encrypt,dat->block);
631  return 1;
632 }
633 
634 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
635  const unsigned char *in,size_t len)
636 {
637  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
638 
639  if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
640  CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
641  ctx->iv,&ctx->num,ctx->encrypt,dat->block);
642  return 1;
643  }
644 
645  while (len>=MAXBITCHUNK) {
646  CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
647  ctx->iv,&ctx->num,ctx->encrypt,dat->block);
648  len-=MAXBITCHUNK;
649  }
650  if (len)
651  CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
652  ctx->iv,&ctx->num,ctx->encrypt,dat->block);
653 
654  return 1;
655 }
656 
657 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
658  const unsigned char *in, size_t len)
659 {
660  unsigned int num = ctx->num;
661  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
662 
663  if (dat->stream.ctr)
664  CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
665  ctx->iv,ctx->buf,&num,dat->stream.ctr);
666  else
667  CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
668  ctx->iv,ctx->buf,&num,dat->block);
669  ctx->num = (size_t)num;
670  return 1;
671 }
672 
673 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
674 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
675 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
676 
677 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
678  {
679  EVP_AES_GCM_CTX *gctx = c->cipher_data;
680  OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
681  if (gctx->iv != c->iv)
682  OPENSSL_free(gctx->iv);
683  return 1;
684  }
685 
686 /* increment counter (64-bit int) by 1 */
687 static void ctr64_inc(unsigned char *counter) {
688  int n=8;
689  unsigned char c;
690 
691  do {
692  --n;
693  c = counter[n];
694  ++c;
695  counter[n] = c;
696  if (c) return;
697  } while (n);
698 }
699 
700 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
701  {
702  EVP_AES_GCM_CTX *gctx = c->cipher_data;
703  switch (type)
704  {
705  case EVP_CTRL_INIT:
706  gctx->key_set = 0;
707  gctx->iv_set = 0;
708  gctx->ivlen = c->cipher->iv_len;
709  gctx->iv = c->iv;
710  gctx->taglen = -1;
711  gctx->iv_gen = 0;
712  gctx->tls_aad_len = -1;
713  return 1;
714 
715  case EVP_CTRL_GCM_SET_IVLEN:
716  if (arg <= 0)
717  return 0;
718 #ifdef OPENSSL_FIPS
719  if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
720  && arg < 12)
721  return 0;
722 #endif
723  /* Allocate memory for IV if needed */
724  if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
725  {
726  if (gctx->iv != c->iv)
727  OPENSSL_free(gctx->iv);
728  gctx->iv = OPENSSL_malloc(arg);
729  if (!gctx->iv)
730  return 0;
731  }
732  gctx->ivlen = arg;
733  return 1;
734 
735  case EVP_CTRL_GCM_SET_TAG:
736  if (arg <= 0 || arg > 16 || c->encrypt)
737  return 0;
738  memcpy(c->buf, ptr, arg);
739  gctx->taglen = arg;
740  return 1;
741 
742  case EVP_CTRL_GCM_GET_TAG:
743  if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
744  return 0;
745  memcpy(ptr, c->buf, arg);
746  return 1;
747 
748  case EVP_CTRL_GCM_SET_IV_FIXED:
749  /* Special case: -1 length restores whole IV */
750  if (arg == -1)
751  {
752  memcpy(gctx->iv, ptr, gctx->ivlen);
753  gctx->iv_gen = 1;
754  return 1;
755  }
756  /* Fixed field must be at least 4 bytes and invocation field
757  * at least 8.
758  */
759  if ((arg < 4) || (gctx->ivlen - arg) < 8)
760  return 0;
761  if (arg)
762  memcpy(gctx->iv, ptr, arg);
763  if (c->encrypt &&
764  RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
765  return 0;
766  gctx->iv_gen = 1;
767  return 1;
768 
769  case EVP_CTRL_GCM_IV_GEN:
770  if (gctx->iv_gen == 0 || gctx->key_set == 0)
771  return 0;
772  CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
773  if (arg <= 0 || arg > gctx->ivlen)
774  arg = gctx->ivlen;
775  memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
776  /* Invocation field will be at least 8 bytes in size and
777  * so no need to check wrap around or increment more than
778  * last 8 bytes.
779  */
780  ctr64_inc(gctx->iv + gctx->ivlen - 8);
781  gctx->iv_set = 1;
782  return 1;
783 
784  case EVP_CTRL_GCM_SET_IV_INV:
785  if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
786  return 0;
787  memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
788  CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
789  gctx->iv_set = 1;
790  return 1;
791 
792  case EVP_CTRL_AEAD_TLS1_AAD:
793  /* Save the AAD for later use */
794  if (arg != 13)
795  return 0;
796  memcpy(c->buf, ptr, arg);
797  gctx->tls_aad_len = arg;
798  {
799  unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
800  /* Correct length for explicit IV */
801  len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
802  /* If decrypting correct for tag too */
803  if (!c->encrypt)
804  len -= EVP_GCM_TLS_TAG_LEN;
805  c->buf[arg-2] = len>>8;
806  c->buf[arg-1] = len & 0xff;
807  }
808  /* Extra padding: tag appended to record */
809  return EVP_GCM_TLS_TAG_LEN;
810 
811  default:
812  return -1;
813 
814  }
815  }
816 
817 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
818  const unsigned char *iv, int enc)
819  {
820  EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
821  if (!iv && !key)
822  return 1;
823  if (key)
824  { do {
825 #ifdef BSAES_CAPABLE
826  if (BSAES_CAPABLE)
827  {
828  AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
829  CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
830  (block128_f)AES_encrypt);
831  gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
832  break;
833  }
834  else
835 #endif
836 #ifdef VPAES_CAPABLE
837  if (VPAES_CAPABLE)
838  {
839  vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
840  CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
841  (block128_f)vpaes_encrypt);
842  gctx->ctr = NULL;
843  break;
844  }
845 #endif
846  AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
847  CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
848 #ifdef AES_CTR_ASM
849  gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
850 #else
851  gctx->ctr = NULL;
852 #endif
853  } while (0);
854 
855  /* If we have an iv can set it directly, otherwise use
856  * saved IV.
857  */
858  if (iv == NULL && gctx->iv_set)
859  iv = gctx->iv;
860  if (iv)
861  {
862  CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
863  gctx->iv_set = 1;
864  }
865  gctx->key_set = 1;
866  }
867  else
868  {
869  /* If key set use IV, otherwise copy */
870  if (gctx->key_set)
871  CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
872  else
873  memcpy(gctx->iv, iv, gctx->ivlen);
874  gctx->iv_set = 1;
875  gctx->iv_gen = 0;
876  }
877  return 1;
878  }
879 
880 /* Handle TLS GCM packet format. This consists of the last portion of the IV
881  * followed by the payload and finally the tag. On encrypt generate IV,
882  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
883  * and verify tag.
884  */
885 
886 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
887  const unsigned char *in, size_t len)
888  {
889  EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
890  int rv = -1;
891  /* Encrypt/decrypt must be performed in place */
892  if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN))
893  return -1;
894  /* Set IV from start of buffer or generate IV and write to start
895  * of buffer.
896  */
897  if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
898  EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
899  EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
900  goto err;
901  /* Use saved AAD */
902  if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
903  goto err;
904  /* Fix buffer and length to point to payload */
905  in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
906  out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
907  len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
908  if (ctx->encrypt)
909  {
910  /* Encrypt payload */
911  if (gctx->ctr)
912  {
913  if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
914  in, out, len,
915  gctx->ctr))
916  goto err;
917  }
918  else {
919  if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
920  goto err;
921  }
922  out += len;
923  /* Finally write tag */
924  CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
925  rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
926  }
927  else
928  {
929  /* Decrypt */
930  if (gctx->ctr)
931  {
932  if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
933  in, out, len,
934  gctx->ctr))
935  goto err;
936  }
937  else {
938  if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
939  goto err;
940  }
941  /* Retrieve tag */
942  CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
943  EVP_GCM_TLS_TAG_LEN);
944  /* If tag mismatch wipe buffer */
945  if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
946  {
947  OPENSSL_cleanse(out, len);
948  goto err;
949  }
950  rv = len;
951  }
952 
953  err:
954  gctx->iv_set = 0;
955  gctx->tls_aad_len = -1;
956  return rv;
957  }
958 
959 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
960  const unsigned char *in, size_t len)
961  {
962  EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
963  /* If not set up, return error */
964  if (!gctx->key_set)
965  return -1;
966 
967  if (gctx->tls_aad_len >= 0)
968  return aes_gcm_tls_cipher(ctx, out, in, len);
969 
970  if (!gctx->iv_set)
971  return -1;
972  if (!ctx->encrypt && gctx->taglen < 0)
973  return -1;
974  if (in)
975  {
976  if (out == NULL)
977  {
978  if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
979  return -1;
980  }
981  else if (ctx->encrypt)
982  {
983  if (gctx->ctr)
984  {
985  if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
986  in, out, len,
987  gctx->ctr))
988  return -1;
989  }
990  else {
991  if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
992  return -1;
993  }
994  }
995  else
996  {
997  if (gctx->ctr)
998  {
999  if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1000  in, out, len,
1001  gctx->ctr))
1002  return -1;
1003  }
1004  else {
1005  if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1006  return -1;
1007  }
1008  }
1009  return len;
1010  }
1011  else
1012  {
1013  if (!ctx->encrypt)
1014  {
1015  if (CRYPTO_gcm128_finish(&gctx->gcm,
1016  ctx->buf, gctx->taglen) != 0)
1017  return -1;
1018  gctx->iv_set = 0;
1019  return 0;
1020  }
1021  CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1022  gctx->taglen = 16;
1023  /* Don't reuse the IV */
1024  gctx->iv_set = 0;
1025  return 0;
1026  }
1027 
1028  }
1029 
1030 #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1031  | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1032  | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1033 
1034 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1035  EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1036 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1037  EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1038 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1039  EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1040 
1041 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1042  {
1043  EVP_AES_XTS_CTX *xctx = c->cipher_data;
1044  if (type != EVP_CTRL_INIT)
1045  return -1;
1046  /* key1 and key2 are used as an indicator both key and IV are set */
1047  xctx->xts.key1 = NULL;
1048  xctx->xts.key2 = NULL;
1049  return 1;
1050  }
1051 
1052 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1053  const unsigned char *iv, int enc)
1054  {
1055  EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1056  if (!iv && !key)
1057  return 1;
1058 
1059  if (key) do
1060  {
1061 #ifdef AES_XTS_ASM
1062  xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1063 #else
1064  xctx->stream = NULL;
1065 #endif
1066  /* key_len is two AES keys */
1067 #ifdef BSAES_CAPABLE
1068  if (BSAES_CAPABLE)
1069  xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1070  else
1071 #endif
1072 #ifdef VPAES_CAPABLE
1073  if (VPAES_CAPABLE)
1074  {
1075  if (enc)
1076  {
1077  vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1078  xctx->xts.block1 = (block128_f)vpaes_encrypt;
1079  }
1080  else
1081  {
1082  vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1083  xctx->xts.block1 = (block128_f)vpaes_decrypt;
1084  }
1085 
1086  vpaes_set_encrypt_key(key + ctx->key_len/2,
1087  ctx->key_len * 4, &xctx->ks2);
1088  xctx->xts.block2 = (block128_f)vpaes_encrypt;
1089 
1090  xctx->xts.key1 = &xctx->ks1;
1091  break;
1092  }
1093 #endif
1094  if (enc)
1095  {
1096  AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1097  xctx->xts.block1 = (block128_f)AES_encrypt;
1098  }
1099  else
1100  {
1101  AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1102  xctx->xts.block1 = (block128_f)AES_decrypt;
1103  }
1104 
1105  AES_set_encrypt_key(key + ctx->key_len/2,
1106  ctx->key_len * 4, &xctx->ks2);
1107  xctx->xts.block2 = (block128_f)AES_encrypt;
1108 
1109  xctx->xts.key1 = &xctx->ks1;
1110  } while (0);
1111 
1112  if (iv)
1113  {
1114  xctx->xts.key2 = &xctx->ks2;
1115  memcpy(ctx->iv, iv, 16);
1116  }
1117 
1118  return 1;
1119  }
1120 
1121 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1122  const unsigned char *in, size_t len)
1123  {
1124  EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1125  if (!xctx->xts.key1 || !xctx->xts.key2)
1126  return 0;
1127  if (!out || !in || len<AES_BLOCK_SIZE)
1128  return 0;
1129 #ifdef OPENSSL_FIPS
1130  /* Requirement of SP800-38E */
1131  if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1132  (len > (1UL<<20)*16))
1133  {
1134  EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1135  return 0;
1136  }
1137 #endif
1138  if (xctx->stream)
1139  (*xctx->stream)(in, out, len,
1140  xctx->xts.key1, xctx->xts.key2, ctx->iv);
1141  else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1142  ctx->encrypt))
1143  return 0;
1144  return 1;
1145  }
1146 
1147 #define aes_xts_cleanup NULL
1148 
1149 #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1150  | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1151 
1152 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1153 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1154 
1155 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1156  {
1157  EVP_AES_CCM_CTX *cctx = c->cipher_data;
1158  switch (type)
1159  {
1160  case EVP_CTRL_INIT:
1161  cctx->key_set = 0;
1162  cctx->iv_set = 0;
1163  cctx->L = 8;
1164  cctx->M = 12;
1165  cctx->tag_set = 0;
1166  cctx->len_set = 0;
1167  return 1;
1168 
1169  case EVP_CTRL_CCM_SET_IVLEN:
1170  arg = 15 - arg;
1171  case EVP_CTRL_CCM_SET_L:
1172  if (arg < 2 || arg > 8)
1173  return 0;
1174  cctx->L = arg;
1175  return 1;
1176 
1177  case EVP_CTRL_CCM_SET_TAG:
1178  if ((arg & 1) || arg < 4 || arg > 16)
1179  return 0;
1180  if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1181  return 0;
1182  if (ptr)
1183  {
1184  cctx->tag_set = 1;
1185  memcpy(c->buf, ptr, arg);
1186  }
1187  cctx->M = arg;
1188  return 1;
1189 
1190  case EVP_CTRL_CCM_GET_TAG:
1191  if (!c->encrypt || !cctx->tag_set)
1192  return 0;
1193  if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1194  return 0;
1195  cctx->tag_set = 0;
1196  cctx->iv_set = 0;
1197  cctx->len_set = 0;
1198  return 1;
1199 
1200  default:
1201  return -1;
1202 
1203  }
1204  }
1205 
1206 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1207  const unsigned char *iv, int enc)
1208  {
1209  EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1210  if (!iv && !key)
1211  return 1;
1212  if (key) do
1213  {
1214 #ifdef VPAES_CAPABLE
1215  if (VPAES_CAPABLE)
1216  {
1217  vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
1218  CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1219  &cctx->ks, (block128_f)vpaes_encrypt);
1220  cctx->key_set = 1;
1221  break;
1222  }
1223 #endif
1224  AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
1225  CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1226  &cctx->ks, (block128_f)AES_encrypt);
1227  cctx->str = NULL;
1228  cctx->key_set = 1;
1229  } while (0);
1230  if (iv)
1231  {
1232  memcpy(ctx->iv, iv, 15 - cctx->L);
1233  cctx->iv_set = 1;
1234  }
1235  return 1;
1236  }
1237 
1238 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1239  const unsigned char *in, size_t len)
1240  {
1241  EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1242  CCM128_CONTEXT *ccm = &cctx->ccm;
1243  /* If not set up, return error */
1244  if (!cctx->iv_set && !cctx->key_set)
1245  return -1;
1246  if (!ctx->encrypt && !cctx->tag_set)
1247  return -1;
1248  if (!out)
1249  {
1250  if (!in)
1251  {
1252  if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
1253  return -1;
1254  cctx->len_set = 1;
1255  return len;
1256  }
1257  /* If have AAD need message length */
1258  if (!cctx->len_set && len)
1259  return -1;
1260  CRYPTO_ccm128_aad(ccm, in, len);
1261  return len;
1262  }
1263  /* EVP_*Final() doesn't return any data */
1264  if (!in)
1265  return 0;
1266  /* If not set length yet do it */
1267  if (!cctx->len_set)
1268  {
1269  if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1270  return -1;
1271  cctx->len_set = 1;
1272  }
1273  if (ctx->encrypt)
1274  {
1275  if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
1276  cctx->str) :
1277  CRYPTO_ccm128_encrypt(ccm, in, out, len))
1278  return -1;
1279  cctx->tag_set = 1;
1280  return len;
1281  }
1282  else
1283  {
1284  int rv = -1;
1285  if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
1286  cctx->str) :
1287  !CRYPTO_ccm128_decrypt(ccm, in, out, len))
1288  {
1289  unsigned char tag[16];
1290  if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
1291  {
1292  if (!memcmp(tag, ctx->buf, cctx->M))
1293  rv = len;
1294  }
1295  }
1296  if (rv == -1)
1297  OPENSSL_cleanse(out, len);
1298  cctx->iv_set = 0;
1299  cctx->tag_set = 0;
1300  cctx->len_set = 0;
1301  return rv;
1302  }
1303 
1304  }
1305 
1306 #define aes_ccm_cleanup NULL
1307 
1308 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1309 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1310 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1311 
1312 #endif
1313 #endif
Generated on Thu Jan 10 2013 09:53:36 for OpenSSL by   doxygen 1.8.2