1 |
|
|
/* $OpenBSD: e_aes.c,v 1.34 2017/05/02 03:59:44 deraadt Exp $ */ |
2 |
|
|
/* ==================================================================== |
3 |
|
|
* Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. |
4 |
|
|
* |
5 |
|
|
* Redistribution and use in source and binary forms, with or without |
6 |
|
|
* modification, are permitted provided that the following conditions |
7 |
|
|
* are met: |
8 |
|
|
* |
9 |
|
|
* 1. Redistributions of source code must retain the above copyright |
10 |
|
|
* notice, this list of conditions and the following disclaimer. |
11 |
|
|
* |
12 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
13 |
|
|
* notice, this list of conditions and the following disclaimer in |
14 |
|
|
* the documentation and/or other materials provided with the |
15 |
|
|
* distribution. |
16 |
|
|
* |
17 |
|
|
* 3. All advertising materials mentioning features or use of this |
18 |
|
|
* software must display the following acknowledgment: |
19 |
|
|
* "This product includes software developed by the OpenSSL Project |
20 |
|
|
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
21 |
|
|
* |
22 |
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
23 |
|
|
* endorse or promote products derived from this software without |
24 |
|
|
* prior written permission. For written permission, please contact |
25 |
|
|
* openssl-core@openssl.org. |
26 |
|
|
* |
27 |
|
|
* 5. Products derived from this software may not be called "OpenSSL" |
28 |
|
|
* nor may "OpenSSL" appear in their names without prior written |
29 |
|
|
* permission of the OpenSSL Project. |
30 |
|
|
* |
31 |
|
|
* 6. Redistributions of any form whatsoever must retain the following |
32 |
|
|
* acknowledgment: |
33 |
|
|
* "This product includes software developed by the OpenSSL Project |
34 |
|
|
* for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
35 |
|
|
* |
36 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
37 |
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
38 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
39 |
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
40 |
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
41 |
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
42 |
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
43 |
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
44 |
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
45 |
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
46 |
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
47 |
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE. |
48 |
|
|
* ==================================================================== |
49 |
|
|
* |
50 |
|
|
*/ |
51 |
|
|
|
52 |
|
|
#include <stdlib.h> |
53 |
|
|
#include <string.h> |
54 |
|
|
|
55 |
|
|
#include <openssl/opensslconf.h> |
56 |
|
|
|
57 |
|
|
#ifndef OPENSSL_NO_AES |
58 |
|
|
#include <openssl/aes.h> |
59 |
|
|
#include <openssl/err.h> |
60 |
|
|
#include <openssl/evp.h> |
61 |
|
|
|
62 |
|
|
#include "evp_locl.h" |
63 |
|
|
#include "modes_lcl.h" |
64 |
|
|
|
65 |
|
|
typedef struct { |
66 |
|
|
AES_KEY ks; |
67 |
|
|
block128_f block; |
68 |
|
|
union { |
69 |
|
|
cbc128_f cbc; |
70 |
|
|
ctr128_f ctr; |
71 |
|
|
} stream; |
72 |
|
|
} EVP_AES_KEY; |
73 |
|
|
|
74 |
|
|
typedef struct { |
75 |
|
|
AES_KEY ks; /* AES key schedule to use */ |
76 |
|
|
int key_set; /* Set if key initialised */ |
77 |
|
|
int iv_set; /* Set if an iv is set */ |
78 |
|
|
GCM128_CONTEXT gcm; |
79 |
|
|
unsigned char *iv; /* Temporary IV store */ |
80 |
|
|
int ivlen; /* IV length */ |
81 |
|
|
int taglen; |
82 |
|
|
int iv_gen; /* It is OK to generate IVs */ |
83 |
|
|
int tls_aad_len; /* TLS AAD length */ |
84 |
|
|
ctr128_f ctr; |
85 |
|
|
} EVP_AES_GCM_CTX; |
86 |
|
|
|
87 |
|
|
typedef struct { |
88 |
|
|
AES_KEY ks1, ks2; /* AES key schedules to use */ |
89 |
|
|
XTS128_CONTEXT xts; |
90 |
|
|
void (*stream)(const unsigned char *in, unsigned char *out, |
91 |
|
|
size_t length, const AES_KEY *key1, const AES_KEY *key2, |
92 |
|
|
const unsigned char iv[16]); |
93 |
|
|
} EVP_AES_XTS_CTX; |
94 |
|
|
|
95 |
|
|
typedef struct { |
96 |
|
|
AES_KEY ks; /* AES key schedule to use */ |
97 |
|
|
int key_set; /* Set if key initialised */ |
98 |
|
|
int iv_set; /* Set if an iv is set */ |
99 |
|
|
int tag_set; /* Set if tag is valid */ |
100 |
|
|
int len_set; /* Set if message length set */ |
101 |
|
|
int L, M; /* L and M parameters from RFC3610 */ |
102 |
|
|
CCM128_CONTEXT ccm; |
103 |
|
|
ccm128_f str; |
104 |
|
|
} EVP_AES_CCM_CTX; |
105 |
|
|
|
106 |
|
|
#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) |
107 |
|
|
|
108 |
|
|
#ifdef VPAES_ASM |
109 |
|
|
int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, |
110 |
|
|
AES_KEY *key); |
111 |
|
|
int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, |
112 |
|
|
AES_KEY *key); |
113 |
|
|
|
114 |
|
|
void vpaes_encrypt(const unsigned char *in, unsigned char *out, |
115 |
|
|
const AES_KEY *key); |
116 |
|
|
void vpaes_decrypt(const unsigned char *in, unsigned char *out, |
117 |
|
|
const AES_KEY *key); |
118 |
|
|
|
119 |
|
|
void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out, |
120 |
|
|
size_t length, const AES_KEY *key, unsigned char *ivec, int enc); |
121 |
|
|
#endif |
122 |
|
|
#ifdef BSAES_ASM |
123 |
|
|
void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out, |
124 |
|
|
size_t length, const AES_KEY *key, unsigned char ivec[16], int enc); |
125 |
|
|
void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, |
126 |
|
|
size_t len, const AES_KEY *key, const unsigned char ivec[16]); |
127 |
|
|
void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out, |
128 |
|
|
size_t len, const AES_KEY *key1, const AES_KEY *key2, |
129 |
|
|
const unsigned char iv[16]); |
130 |
|
|
void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out, |
131 |
|
|
size_t len, const AES_KEY *key1, const AES_KEY *key2, |
132 |
|
|
const unsigned char iv[16]); |
133 |
|
|
#endif |
134 |
|
|
#ifdef AES_CTR_ASM |
135 |
|
|
void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, |
136 |
|
|
size_t blocks, const AES_KEY *key, |
137 |
|
|
const unsigned char ivec[AES_BLOCK_SIZE]); |
138 |
|
|
#endif |
139 |
|
|
#ifdef AES_XTS_ASM |
140 |
|
|
void AES_xts_encrypt(const char *inp, char *out, size_t len, |
141 |
|
|
const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); |
142 |
|
|
void AES_xts_decrypt(const char *inp, char *out, size_t len, |
143 |
|
|
const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); |
144 |
|
|
#endif |
145 |
|
|
|
146 |
|
|
#if defined(AES_ASM) && ( \ |
147 |
|
|
((defined(__i386) || defined(__i386__) || \ |
148 |
|
|
defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ |
149 |
|
|
defined(__x86_64) || defined(__x86_64__) || \ |
150 |
|
|
defined(_M_AMD64) || defined(_M_X64) || \ |
151 |
|
|
defined(__INTEL__) ) |
152 |
|
|
|
153 |
|
|
#include "x86_arch.h" |
154 |
|
|
|
155 |
|
|
#ifdef VPAES_ASM |
156 |
|
|
#define VPAES_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_SSSE3) |
157 |
|
|
#endif |
158 |
|
|
#ifdef BSAES_ASM |
159 |
|
|
#define BSAES_CAPABLE VPAES_CAPABLE |
160 |
|
|
#endif |
161 |
|
|
/* |
162 |
|
|
* AES-NI section |
163 |
|
|
*/ |
164 |
|
|
#define AESNI_CAPABLE (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI) |
165 |
|
|
|
166 |
|
|
int aesni_set_encrypt_key(const unsigned char *userKey, int bits, |
167 |
|
|
AES_KEY *key); |
168 |
|
|
int aesni_set_decrypt_key(const unsigned char *userKey, int bits, |
169 |
|
|
AES_KEY *key); |
170 |
|
|
|
171 |
|
|
void aesni_encrypt(const unsigned char *in, unsigned char *out, |
172 |
|
|
const AES_KEY *key); |
173 |
|
|
void aesni_decrypt(const unsigned char *in, unsigned char *out, |
174 |
|
|
const AES_KEY *key); |
175 |
|
|
|
176 |
|
|
void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out, |
177 |
|
|
size_t length, const AES_KEY *key, int enc); |
178 |
|
|
void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out, |
179 |
|
|
size_t length, const AES_KEY *key, unsigned char *ivec, int enc); |
180 |
|
|
|
181 |
|
|
void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, |
182 |
|
|
size_t blocks, const void *key, const unsigned char *ivec); |
183 |
|
|
|
184 |
|
|
void aesni_xts_encrypt(const unsigned char *in, unsigned char *out, |
185 |
|
|
size_t length, const AES_KEY *key1, const AES_KEY *key2, |
186 |
|
|
const unsigned char iv[16]); |
187 |
|
|
|
188 |
|
|
void aesni_xts_decrypt(const unsigned char *in, unsigned char *out, |
189 |
|
|
size_t length, const AES_KEY *key1, const AES_KEY *key2, |
190 |
|
|
const unsigned char iv[16]); |
191 |
|
|
|
192 |
|
|
void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out, |
193 |
|
|
size_t blocks, const void *key, const unsigned char ivec[16], |
194 |
|
|
unsigned char cmac[16]); |
195 |
|
|
|
196 |
|
|
void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out, |
197 |
|
|
size_t blocks, const void *key, const unsigned char ivec[16], |
198 |
|
|
unsigned char cmac[16]); |
199 |
|
|
|
200 |
|
|
static int |
201 |
|
|
aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
202 |
|
|
const unsigned char *iv, int enc) |
203 |
|
|
{ |
204 |
|
|
int ret, mode; |
205 |
|
1800 |
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
206 |
|
|
|
207 |
|
900 |
mode = ctx->cipher->flags & EVP_CIPH_MODE; |
208 |
✓✓ |
1800 |
if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && |
209 |
|
900 |
!enc) { |
210 |
|
219 |
ret = aesni_set_decrypt_key(key, ctx->key_len * 8, |
211 |
|
|
ctx->cipher_data); |
212 |
|
219 |
dat->block = (block128_f)aesni_decrypt; |
213 |
|
219 |
dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? |
214 |
|
|
(cbc128_f)aesni_cbc_encrypt : NULL; |
215 |
|
219 |
} else { |
216 |
|
681 |
ret = aesni_set_encrypt_key(key, ctx->key_len * 8, |
217 |
|
|
ctx->cipher_data); |
218 |
|
681 |
dat->block = (block128_f)aesni_encrypt; |
219 |
✓✓ |
681 |
if (mode == EVP_CIPH_CBC_MODE) |
220 |
|
351 |
dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt; |
221 |
✓✓ |
330 |
else if (mode == EVP_CIPH_CTR_MODE) |
222 |
|
27 |
dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; |
223 |
|
|
else |
224 |
|
303 |
dat->stream.cbc = NULL; |
225 |
|
|
} |
226 |
|
|
|
227 |
✗✓ |
900 |
if (ret < 0) { |
228 |
|
|
EVPerror(EVP_R_AES_KEY_SETUP_FAILED); |
229 |
|
|
return 0; |
230 |
|
|
} |
231 |
|
|
|
232 |
|
900 |
return 1; |
233 |
|
900 |
} |
234 |
|
|
|
235 |
|
|
static int |
236 |
|
|
aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
237 |
|
|
const unsigned char *in, size_t len) |
238 |
|
|
{ |
239 |
|
3945 |
aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, |
240 |
|
1315 |
ctx->encrypt); |
241 |
|
|
|
242 |
|
1315 |
return 1; |
243 |
|
|
} |
244 |
|
|
|
245 |
|
|
static int |
246 |
|
|
aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
247 |
|
|
const unsigned char *in, size_t len) |
248 |
|
|
{ |
249 |
|
846 |
size_t bl = ctx->cipher->block_size; |
250 |
|
|
|
251 |
✗✓ |
423 |
if (len < bl) |
252 |
|
|
return 1; |
253 |
|
|
|
254 |
|
423 |
aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt); |
255 |
|
|
|
256 |
|
423 |
return 1; |
257 |
|
423 |
} |
258 |
|
|
|
259 |
|
|
#define aesni_ofb_cipher aes_ofb_cipher |
260 |
|
|
static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
261 |
|
|
const unsigned char *in, size_t len); |
262 |
|
|
|
263 |
|
|
#define aesni_cfb_cipher aes_cfb_cipher |
264 |
|
|
static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
265 |
|
|
const unsigned char *in, size_t len); |
266 |
|
|
|
267 |
|
|
#define aesni_cfb8_cipher aes_cfb8_cipher |
268 |
|
|
static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
269 |
|
|
const unsigned char *in, size_t len); |
270 |
|
|
|
271 |
|
|
#define aesni_cfb1_cipher aes_cfb1_cipher |
272 |
|
|
static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
273 |
|
|
const unsigned char *in, size_t len); |
274 |
|
|
|
275 |
|
|
#define aesni_ctr_cipher aes_ctr_cipher |
276 |
|
|
static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
277 |
|
|
const unsigned char *in, size_t len); |
278 |
|
|
|
279 |
|
|
static int |
280 |
|
|
aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
281 |
|
|
const unsigned char *iv, int enc) |
282 |
|
|
{ |
283 |
|
|
EVP_AES_GCM_CTX *gctx = ctx->cipher_data; |
284 |
|
|
|
285 |
|
|
if (!iv && !key) |
286 |
|
|
return 1; |
287 |
|
|
if (key) { |
288 |
|
|
aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); |
289 |
|
|
CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, |
290 |
|
|
(block128_f)aesni_encrypt); |
291 |
|
|
gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks; |
292 |
|
|
/* If we have an iv can set it directly, otherwise use |
293 |
|
|
* saved IV. |
294 |
|
|
*/ |
295 |
|
|
if (iv == NULL && gctx->iv_set) |
296 |
|
|
iv = gctx->iv; |
297 |
|
|
if (iv) { |
298 |
|
|
CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); |
299 |
|
|
gctx->iv_set = 1; |
300 |
|
|
} |
301 |
|
|
gctx->key_set = 1; |
302 |
|
|
} else { |
303 |
|
|
/* If key set use IV, otherwise copy */ |
304 |
|
|
if (gctx->key_set) |
305 |
|
|
CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); |
306 |
|
|
else |
307 |
|
|
memcpy(gctx->iv, iv, gctx->ivlen); |
308 |
|
|
gctx->iv_set = 1; |
309 |
|
|
gctx->iv_gen = 0; |
310 |
|
|
} |
311 |
|
|
return 1; |
312 |
|
|
} |
313 |
|
|
|
314 |
|
|
#define aesni_gcm_cipher aes_gcm_cipher |
315 |
|
|
static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
316 |
|
|
const unsigned char *in, size_t len); |
317 |
|
|
|
318 |
|
|
static int |
319 |
|
|
aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
320 |
|
|
const unsigned char *iv, int enc) |
321 |
|
|
{ |
322 |
|
|
EVP_AES_XTS_CTX *xctx = ctx->cipher_data; |
323 |
|
|
|
324 |
|
|
if (!iv && !key) |
325 |
|
|
return 1; |
326 |
|
|
|
327 |
|
|
if (key) { |
328 |
|
|
/* key_len is two AES keys */ |
329 |
|
|
if (enc) { |
330 |
|
|
aesni_set_encrypt_key(key, ctx->key_len * 4, |
331 |
|
|
&xctx->ks1); |
332 |
|
|
xctx->xts.block1 = (block128_f)aesni_encrypt; |
333 |
|
|
xctx->stream = aesni_xts_encrypt; |
334 |
|
|
} else { |
335 |
|
|
aesni_set_decrypt_key(key, ctx->key_len * 4, |
336 |
|
|
&xctx->ks1); |
337 |
|
|
xctx->xts.block1 = (block128_f)aesni_decrypt; |
338 |
|
|
xctx->stream = aesni_xts_decrypt; |
339 |
|
|
} |
340 |
|
|
|
341 |
|
|
aesni_set_encrypt_key(key + ctx->key_len / 2, |
342 |
|
|
ctx->key_len * 4, &xctx->ks2); |
343 |
|
|
xctx->xts.block2 = (block128_f)aesni_encrypt; |
344 |
|
|
|
345 |
|
|
xctx->xts.key1 = &xctx->ks1; |
346 |
|
|
} |
347 |
|
|
|
348 |
|
|
if (iv) { |
349 |
|
|
xctx->xts.key2 = &xctx->ks2; |
350 |
|
|
memcpy(ctx->iv, iv, 16); |
351 |
|
|
} |
352 |
|
|
|
353 |
|
|
return 1; |
354 |
|
|
} |
355 |
|
|
|
356 |
|
|
#define aesni_xts_cipher aes_xts_cipher |
357 |
|
|
static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
358 |
|
|
const unsigned char *in, size_t len); |
359 |
|
|
|
360 |
|
|
static int |
361 |
|
|
aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
362 |
|
|
const unsigned char *iv, int enc) |
363 |
|
|
{ |
364 |
|
|
EVP_AES_CCM_CTX *cctx = ctx->cipher_data; |
365 |
|
|
|
366 |
|
|
if (!iv && !key) |
367 |
|
|
return 1; |
368 |
|
|
if (key) { |
369 |
|
|
aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); |
370 |
|
|
CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, |
371 |
|
|
&cctx->ks, (block128_f)aesni_encrypt); |
372 |
|
|
cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks : |
373 |
|
|
(ccm128_f)aesni_ccm64_decrypt_blocks; |
374 |
|
|
cctx->key_set = 1; |
375 |
|
|
} |
376 |
|
|
if (iv) { |
377 |
|
|
memcpy(ctx->iv, iv, 15 - cctx->L); |
378 |
|
|
cctx->iv_set = 1; |
379 |
|
|
} |
380 |
|
|
return 1; |
381 |
|
|
} |
382 |
|
|
|
383 |
|
|
#define aesni_ccm_cipher aes_ccm_cipher |
384 |
|
|
static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
385 |
|
|
const unsigned char *in, size_t len); |
386 |
|
|
|
387 |
|
|
#define BLOCK_CIPHER_generic(n,keylen,blocksize,ivlen,nmode,mode,MODE,fl) \ |
388 |
|
|
static const EVP_CIPHER aesni_##keylen##_##mode = { \ |
389 |
|
|
.nid = n##_##keylen##_##nmode, \ |
390 |
|
|
.block_size = blocksize, \ |
391 |
|
|
.key_len = keylen / 8, \ |
392 |
|
|
.iv_len = ivlen, \ |
393 |
|
|
.flags = fl | EVP_CIPH_##MODE##_MODE, \ |
394 |
|
|
.init = aesni_init_key, \ |
395 |
|
|
.do_cipher = aesni_##mode##_cipher, \ |
396 |
|
|
.ctx_size = sizeof(EVP_AES_KEY) \ |
397 |
|
|
}; \ |
398 |
|
|
static const EVP_CIPHER aes_##keylen##_##mode = { \ |
399 |
|
|
.nid = n##_##keylen##_##nmode, \ |
400 |
|
|
.block_size = blocksize, \ |
401 |
|
|
.key_len = keylen / 8, \ |
402 |
|
|
.iv_len = ivlen, \ |
403 |
|
|
.flags = fl | EVP_CIPH_##MODE##_MODE, \ |
404 |
|
|
.init = aes_init_key, \ |
405 |
|
|
.do_cipher = aes_##mode##_cipher, \ |
406 |
|
|
.ctx_size = sizeof(EVP_AES_KEY) \ |
407 |
|
|
}; \ |
408 |
|
|
const EVP_CIPHER * \ |
409 |
|
|
EVP_aes_##keylen##_##mode(void) \ |
410 |
|
|
{ \ |
411 |
|
|
return AESNI_CAPABLE ? \ |
412 |
|
|
&aesni_##keylen##_##mode : &aes_##keylen##_##mode; \ |
413 |
|
|
} |
414 |
|
|
|
415 |
|
|
#define BLOCK_CIPHER_custom(n,keylen,blocksize,ivlen,mode,MODE,fl) \ |
416 |
|
|
static const EVP_CIPHER aesni_##keylen##_##mode = { \ |
417 |
|
|
.nid = n##_##keylen##_##mode, \ |
418 |
|
|
.block_size = blocksize, \ |
419 |
|
|
.key_len = \ |
420 |
|
|
(EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * \ |
421 |
|
|
keylen / 8, \ |
422 |
|
|
.iv_len = ivlen, \ |
423 |
|
|
.flags = fl | EVP_CIPH_##MODE##_MODE, \ |
424 |
|
|
.init = aesni_##mode##_init_key, \ |
425 |
|
|
.do_cipher = aesni_##mode##_cipher, \ |
426 |
|
|
.cleanup = aes_##mode##_cleanup, \ |
427 |
|
|
.ctx_size = sizeof(EVP_AES_##MODE##_CTX), \ |
428 |
|
|
.ctrl = aes_##mode##_ctrl \ |
429 |
|
|
}; \ |
430 |
|
|
static const EVP_CIPHER aes_##keylen##_##mode = { \ |
431 |
|
|
.nid = n##_##keylen##_##mode, \ |
432 |
|
|
.block_size = blocksize, \ |
433 |
|
|
.key_len = \ |
434 |
|
|
(EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * \ |
435 |
|
|
keylen / 8, \ |
436 |
|
|
.iv_len = ivlen, \ |
437 |
|
|
.flags = fl | EVP_CIPH_##MODE##_MODE, \ |
438 |
|
|
.init = aes_##mode##_init_key, \ |
439 |
|
|
.do_cipher = aes_##mode##_cipher, \ |
440 |
|
|
.cleanup = aes_##mode##_cleanup, \ |
441 |
|
|
.ctx_size = sizeof(EVP_AES_##MODE##_CTX), \ |
442 |
|
|
.ctrl = aes_##mode##_ctrl \ |
443 |
|
|
}; \ |
444 |
|
|
const EVP_CIPHER * \ |
445 |
|
|
EVP_aes_##keylen##_##mode(void) \ |
446 |
|
|
{ \ |
447 |
|
|
return AESNI_CAPABLE ? \ |
448 |
|
|
&aesni_##keylen##_##mode : &aes_##keylen##_##mode; \ |
449 |
|
|
} |
450 |
|
|
|
451 |
|
|
#else |
452 |
|
|
|
453 |
|
|
#define BLOCK_CIPHER_generic(n,keylen,blocksize,ivlen,nmode,mode,MODE,fl) \ |
454 |
|
|
static const EVP_CIPHER aes_##keylen##_##mode = { \ |
455 |
|
|
.nid = n##_##keylen##_##nmode, \ |
456 |
|
|
.block_size = blocksize, \ |
457 |
|
|
.key_len = keylen / 8, \ |
458 |
|
|
.iv_len = ivlen, \ |
459 |
|
|
.flags = fl | EVP_CIPH_##MODE##_MODE, \ |
460 |
|
|
.init = aes_init_key, \ |
461 |
|
|
.do_cipher = aes_##mode##_cipher, \ |
462 |
|
|
.ctx_size = sizeof(EVP_AES_KEY) \ |
463 |
|
|
}; \ |
464 |
|
|
const EVP_CIPHER * \ |
465 |
|
|
EVP_aes_##keylen##_##mode(void) \ |
466 |
|
|
{ \ |
467 |
|
|
return &aes_##keylen##_##mode; \ |
468 |
|
|
} |
469 |
|
|
|
470 |
|
|
#define BLOCK_CIPHER_custom(n,keylen,blocksize,ivlen,mode,MODE,fl) \ |
471 |
|
|
static const EVP_CIPHER aes_##keylen##_##mode = { \ |
472 |
|
|
.nid = n##_##keylen##_##mode, \ |
473 |
|
|
.block_size = blocksize, \ |
474 |
|
|
.key_len = \ |
475 |
|
|
(EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * \ |
476 |
|
|
keylen / 8, \ |
477 |
|
|
.iv_len = ivlen, \ |
478 |
|
|
.flags = fl | EVP_CIPH_##MODE##_MODE, \ |
479 |
|
|
.init = aes_##mode##_init_key, \ |
480 |
|
|
.do_cipher = aes_##mode##_cipher, \ |
481 |
|
|
.cleanup = aes_##mode##_cleanup, \ |
482 |
|
|
.ctx_size = sizeof(EVP_AES_##MODE##_CTX), \ |
483 |
|
|
.ctrl = aes_##mode##_ctrl \ |
484 |
|
|
}; \ |
485 |
|
|
const EVP_CIPHER * \ |
486 |
|
|
EVP_aes_##keylen##_##mode(void) \ |
487 |
|
|
{ \ |
488 |
|
|
return &aes_##keylen##_##mode; \ |
489 |
|
|
} |
490 |
|
|
|
491 |
|
|
#endif |
492 |
|
|
|
493 |
|
|
#define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \ |
494 |
|
|
BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ |
495 |
|
|
BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ |
496 |
|
|
BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ |
497 |
|
|
BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ |
498 |
|
|
BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \ |
499 |
|
|
BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \ |
500 |
|
|
BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags) |
501 |
|
|
|
502 |
|
|
static int |
503 |
|
|
aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
504 |
|
|
const unsigned char *iv, int enc) |
505 |
|
|
{ |
506 |
|
|
int ret, mode; |
507 |
|
|
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
508 |
|
|
|
509 |
|
|
mode = ctx->cipher->flags & EVP_CIPH_MODE; |
510 |
|
|
if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && |
511 |
|
|
!enc) |
512 |
|
|
#ifdef BSAES_CAPABLE |
513 |
|
|
if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) { |
514 |
|
|
ret = AES_set_decrypt_key(key, ctx->key_len * 8, |
515 |
|
|
&dat->ks); |
516 |
|
|
dat->block = (block128_f)AES_decrypt; |
517 |
|
|
dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; |
518 |
|
|
} else |
519 |
|
|
#endif |
520 |
|
|
#ifdef VPAES_CAPABLE |
521 |
|
|
if (VPAES_CAPABLE) { |
522 |
|
|
ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, |
523 |
|
|
&dat->ks); |
524 |
|
|
dat->block = (block128_f)vpaes_decrypt; |
525 |
|
|
dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? |
526 |
|
|
(cbc128_f)vpaes_cbc_encrypt : NULL; |
527 |
|
|
} else |
528 |
|
|
#endif |
529 |
|
|
{ |
530 |
|
|
ret = AES_set_decrypt_key(key, ctx->key_len * 8, |
531 |
|
|
&dat->ks); |
532 |
|
|
dat->block = (block128_f)AES_decrypt; |
533 |
|
|
dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? |
534 |
|
|
(cbc128_f)AES_cbc_encrypt : NULL; |
535 |
|
|
} else |
536 |
|
|
#ifdef BSAES_CAPABLE |
537 |
|
|
if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) { |
538 |
|
|
ret = AES_set_encrypt_key(key, ctx->key_len * 8, |
539 |
|
|
&dat->ks); |
540 |
|
|
dat->block = (block128_f)AES_encrypt; |
541 |
|
|
dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; |
542 |
|
|
} else |
543 |
|
|
#endif |
544 |
|
|
#ifdef VPAES_CAPABLE |
545 |
|
|
if (VPAES_CAPABLE) { |
546 |
|
|
ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, |
547 |
|
|
&dat->ks); |
548 |
|
|
dat->block = (block128_f)vpaes_encrypt; |
549 |
|
|
dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? |
550 |
|
|
(cbc128_f)vpaes_cbc_encrypt : NULL; |
551 |
|
|
} else |
552 |
|
|
#endif |
553 |
|
|
{ |
554 |
|
|
ret = AES_set_encrypt_key(key, ctx->key_len * 8, |
555 |
|
|
&dat->ks); |
556 |
|
|
dat->block = (block128_f)AES_encrypt; |
557 |
|
|
dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? |
558 |
|
|
(cbc128_f)AES_cbc_encrypt : NULL; |
559 |
|
|
#ifdef AES_CTR_ASM |
560 |
|
|
if (mode == EVP_CIPH_CTR_MODE) |
561 |
|
|
dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt; |
562 |
|
|
#endif |
563 |
|
|
} |
564 |
|
|
|
565 |
|
|
if (ret < 0) { |
566 |
|
|
EVPerror(EVP_R_AES_KEY_SETUP_FAILED); |
567 |
|
|
return 0; |
568 |
|
|
} |
569 |
|
|
|
570 |
|
|
return 1; |
571 |
|
|
} |
572 |
|
|
|
573 |
|
|
static int |
574 |
|
|
aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
575 |
|
|
const unsigned char *in, size_t len) |
576 |
|
|
{ |
577 |
|
|
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
578 |
|
|
|
579 |
|
|
if (dat->stream.cbc) |
580 |
|
|
(*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv, |
581 |
|
|
ctx->encrypt); |
582 |
|
|
else if (ctx->encrypt) |
583 |
|
|
CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, |
584 |
|
|
dat->block); |
585 |
|
|
else |
586 |
|
|
CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, |
587 |
|
|
dat->block); |
588 |
|
|
|
589 |
|
|
return 1; |
590 |
|
|
} |
591 |
|
|
|
592 |
|
|
static int |
593 |
|
|
aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
594 |
|
|
const unsigned char *in, size_t len) |
595 |
|
|
{ |
596 |
|
|
size_t bl = ctx->cipher->block_size; |
597 |
|
|
size_t i; |
598 |
|
|
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
599 |
|
|
|
600 |
|
|
if (len < bl) |
601 |
|
|
return 1; |
602 |
|
|
|
603 |
|
|
for (i = 0, len -= bl; i <= len; i += bl) |
604 |
|
|
(*dat->block)(in + i, out + i, &dat->ks); |
605 |
|
|
|
606 |
|
|
return 1; |
607 |
|
|
} |
608 |
|
|
|
609 |
|
|
static int |
610 |
|
|
aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
611 |
|
|
const unsigned char *in, size_t len) |
612 |
|
|
{ |
613 |
|
480 |
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
614 |
|
|
|
615 |
|
480 |
CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, |
616 |
|
240 |
dat->block); |
617 |
|
240 |
return 1; |
618 |
|
|
} |
619 |
|
|
|
620 |
|
|
static int |
621 |
|
|
aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
622 |
|
|
const unsigned char *in, size_t len) |
623 |
|
|
{ |
624 |
|
480 |
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
625 |
|
|
|
626 |
|
480 |
CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, |
627 |
|
240 |
ctx->encrypt, dat->block); |
628 |
|
240 |
return 1; |
629 |
|
|
} |
630 |
|
|
|
631 |
|
|
static int |
632 |
|
|
aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
633 |
|
|
const unsigned char *in, size_t len) |
634 |
|
|
{ |
635 |
|
336 |
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
636 |
|
|
|
637 |
|
336 |
CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, |
638 |
|
168 |
ctx->encrypt, dat->block); |
639 |
|
168 |
return 1; |
640 |
|
|
} |
641 |
|
|
|
642 |
|
|
static int |
643 |
|
|
aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
644 |
|
|
const unsigned char *in, size_t len) |
645 |
|
|
{ |
646 |
|
336 |
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
647 |
|
|
|
648 |
✗✓ |
168 |
if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) { |
649 |
|
|
CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv, |
650 |
|
|
&ctx->num, ctx->encrypt, dat->block); |
651 |
|
|
return 1; |
652 |
|
|
} |
653 |
|
|
|
654 |
✗✓ |
336 |
while (len >= MAXBITCHUNK) { |
655 |
|
|
CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks, |
656 |
|
|
ctx->iv, &ctx->num, ctx->encrypt, dat->block); |
657 |
|
|
len -= MAXBITCHUNK; |
658 |
|
|
} |
659 |
✓✗ |
168 |
if (len) |
660 |
|
336 |
CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks, |
661 |
|
168 |
ctx->iv, &ctx->num, ctx->encrypt, dat->block); |
662 |
|
|
|
663 |
|
168 |
return 1; |
664 |
|
168 |
} |
665 |
|
|
|
666 |
|
|
static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out, |
667 |
|
|
const unsigned char *in, size_t len) |
668 |
|
|
{ |
669 |
|
54 |
unsigned int num = ctx->num; |
670 |
|
27 |
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
671 |
|
|
|
672 |
✓✗ |
27 |
if (dat->stream.ctr) |
673 |
|
27 |
CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, |
674 |
|
|
ctx->iv, ctx->buf, &num, dat->stream.ctr); |
675 |
|
|
else |
676 |
|
|
CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, |
677 |
|
|
ctx->iv, ctx->buf, &num, dat->block); |
678 |
|
27 |
ctx->num = (size_t)num; |
679 |
|
27 |
return 1; |
680 |
|
27 |
} |
681 |
|
|
|
682 |
|
26106 |
BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS) |
683 |
|
25746 |
BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS) |
684 |
|
25792 |
BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS) |
685 |
|
|
|
686 |
|
|
static int |
687 |
|
|
aes_gcm_cleanup(EVP_CIPHER_CTX *c) |
688 |
|
|
{ |
689 |
|
|
EVP_AES_GCM_CTX *gctx = c->cipher_data; |
690 |
|
|
|
691 |
|
|
if (gctx->iv != c->iv) |
692 |
|
|
free(gctx->iv); |
693 |
|
|
explicit_bzero(gctx, sizeof(*gctx)); |
694 |
|
|
return 1; |
695 |
|
|
} |
696 |
|
|
|
697 |
|
|
/* increment counter (64-bit int) by 1 */ |
698 |
|
|
static void |
699 |
|
|
ctr64_inc(unsigned char *counter) |
700 |
|
|
{ |
701 |
|
|
int n = 8; |
702 |
|
|
unsigned char c; |
703 |
|
|
|
704 |
|
|
do { |
705 |
|
|
--n; |
706 |
|
|
c = counter[n]; |
707 |
|
|
++c; |
708 |
|
|
counter[n] = c; |
709 |
|
|
if (c) |
710 |
|
|
return; |
711 |
|
|
} while (n); |
712 |
|
|
} |
713 |
|
|
|
714 |
|
|
static int |
715 |
|
|
aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) |
716 |
|
|
{ |
717 |
|
|
EVP_AES_GCM_CTX *gctx = c->cipher_data; |
718 |
|
|
|
719 |
|
|
switch (type) { |
720 |
|
|
case EVP_CTRL_INIT: |
721 |
|
|
gctx->key_set = 0; |
722 |
|
|
gctx->iv_set = 0; |
723 |
|
|
gctx->ivlen = c->cipher->iv_len; |
724 |
|
|
gctx->iv = c->iv; |
725 |
|
|
gctx->taglen = -1; |
726 |
|
|
gctx->iv_gen = 0; |
727 |
|
|
gctx->tls_aad_len = -1; |
728 |
|
|
return 1; |
729 |
|
|
|
730 |
|
|
case EVP_CTRL_GCM_SET_IVLEN: |
731 |
|
|
if (arg <= 0) |
732 |
|
|
return 0; |
733 |
|
|
/* Allocate memory for IV if needed */ |
734 |
|
|
if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { |
735 |
|
|
if (gctx->iv != c->iv) |
736 |
|
|
free(gctx->iv); |
737 |
|
|
gctx->iv = malloc(arg); |
738 |
|
|
if (!gctx->iv) |
739 |
|
|
return 0; |
740 |
|
|
} |
741 |
|
|
gctx->ivlen = arg; |
742 |
|
|
return 1; |
743 |
|
|
|
744 |
|
|
case EVP_CTRL_GCM_SET_TAG: |
745 |
|
|
if (arg <= 0 || arg > 16 || c->encrypt) |
746 |
|
|
return 0; |
747 |
|
|
memcpy(c->buf, ptr, arg); |
748 |
|
|
gctx->taglen = arg; |
749 |
|
|
return 1; |
750 |
|
|
|
751 |
|
|
case EVP_CTRL_GCM_GET_TAG: |
752 |
|
|
if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) |
753 |
|
|
return 0; |
754 |
|
|
memcpy(ptr, c->buf, arg); |
755 |
|
|
return 1; |
756 |
|
|
|
757 |
|
|
case EVP_CTRL_GCM_SET_IV_FIXED: |
758 |
|
|
/* Special case: -1 length restores whole IV */ |
759 |
|
|
if (arg == -1) { |
760 |
|
|
memcpy(gctx->iv, ptr, gctx->ivlen); |
761 |
|
|
gctx->iv_gen = 1; |
762 |
|
|
return 1; |
763 |
|
|
} |
764 |
|
|
/* Fixed field must be at least 4 bytes and invocation field |
765 |
|
|
* at least 8. |
766 |
|
|
*/ |
767 |
|
|
if ((arg < 4) || (gctx->ivlen - arg) < 8) |
768 |
|
|
return 0; |
769 |
|
|
if (arg) |
770 |
|
|
memcpy(gctx->iv, ptr, arg); |
771 |
|
|
if (c->encrypt) |
772 |
|
|
arc4random_buf(gctx->iv + arg, gctx->ivlen - arg); |
773 |
|
|
gctx->iv_gen = 1; |
774 |
|
|
return 1; |
775 |
|
|
|
776 |
|
|
case EVP_CTRL_GCM_IV_GEN: |
777 |
|
|
if (gctx->iv_gen == 0 || gctx->key_set == 0) |
778 |
|
|
return 0; |
779 |
|
|
CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); |
780 |
|
|
if (arg <= 0 || arg > gctx->ivlen) |
781 |
|
|
arg = gctx->ivlen; |
782 |
|
|
memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); |
783 |
|
|
/* Invocation field will be at least 8 bytes in size and |
784 |
|
|
* so no need to check wrap around or increment more than |
785 |
|
|
* last 8 bytes. |
786 |
|
|
*/ |
787 |
|
|
ctr64_inc(gctx->iv + gctx->ivlen - 8); |
788 |
|
|
gctx->iv_set = 1; |
789 |
|
|
return 1; |
790 |
|
|
|
791 |
|
|
case EVP_CTRL_GCM_SET_IV_INV: |
792 |
|
|
if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) |
793 |
|
|
return 0; |
794 |
|
|
memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); |
795 |
|
|
CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); |
796 |
|
|
gctx->iv_set = 1; |
797 |
|
|
return 1; |
798 |
|
|
|
799 |
|
|
case EVP_CTRL_AEAD_TLS1_AAD: |
800 |
|
|
/* Save the AAD for later use */ |
801 |
|
|
if (arg != 13) |
802 |
|
|
return 0; |
803 |
|
|
memcpy(c->buf, ptr, arg); |
804 |
|
|
gctx->tls_aad_len = arg; |
805 |
|
|
{ |
806 |
|
|
unsigned int len = c->buf[arg - 2] << 8 | |
807 |
|
|
c->buf[arg - 1]; |
808 |
|
|
|
809 |
|
|
/* Correct length for explicit IV */ |
810 |
|
|
if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) |
811 |
|
|
return 0; |
812 |
|
|
len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; |
813 |
|
|
|
814 |
|
|
/* If decrypting correct for tag too */ |
815 |
|
|
if (!c->encrypt) { |
816 |
|
|
if (len < EVP_GCM_TLS_TAG_LEN) |
817 |
|
|
return 0; |
818 |
|
|
len -= EVP_GCM_TLS_TAG_LEN; |
819 |
|
|
} |
820 |
|
|
c->buf[arg - 2] = len >> 8; |
821 |
|
|
c->buf[arg - 1] = len & 0xff; |
822 |
|
|
} |
823 |
|
|
/* Extra padding: tag appended to record */ |
824 |
|
|
return EVP_GCM_TLS_TAG_LEN; |
825 |
|
|
|
826 |
|
|
case EVP_CTRL_COPY: |
827 |
|
|
{ |
828 |
|
|
EVP_CIPHER_CTX *out = ptr; |
829 |
|
|
EVP_AES_GCM_CTX *gctx_out = out->cipher_data; |
830 |
|
|
|
831 |
|
|
if (gctx->gcm.key) { |
832 |
|
|
if (gctx->gcm.key != &gctx->ks) |
833 |
|
|
return 0; |
834 |
|
|
gctx_out->gcm.key = &gctx_out->ks; |
835 |
|
|
} |
836 |
|
|
if (gctx->iv == c->iv) |
837 |
|
|
gctx_out->iv = out->iv; |
838 |
|
|
else { |
839 |
|
|
gctx_out->iv = malloc(gctx->ivlen); |
840 |
|
|
if (!gctx_out->iv) |
841 |
|
|
return 0; |
842 |
|
|
memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); |
843 |
|
|
} |
844 |
|
|
return 1; |
845 |
|
|
} |
846 |
|
|
|
847 |
|
|
default: |
848 |
|
|
return -1; |
849 |
|
|
|
850 |
|
|
} |
851 |
|
|
} |
852 |
|
|
|
853 |
|
|
static ctr128_f |
854 |
|
|
aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx, |
855 |
|
|
const unsigned char *key, size_t key_len) |
856 |
|
|
{ |
857 |
|
|
#ifdef BSAES_CAPABLE |
858 |
|
|
if (BSAES_CAPABLE) { |
859 |
|
|
AES_set_encrypt_key(key, key_len * 8, aes_key); |
860 |
|
|
CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); |
861 |
|
|
return (ctr128_f)bsaes_ctr32_encrypt_blocks; |
862 |
|
|
} else |
863 |
|
|
#endif |
864 |
|
|
#ifdef VPAES_CAPABLE |
865 |
|
|
if (VPAES_CAPABLE) { |
866 |
|
|
vpaes_set_encrypt_key(key, key_len * 8, aes_key); |
867 |
|
|
CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt); |
868 |
|
|
return NULL; |
869 |
|
|
} else |
870 |
|
|
#endif |
871 |
|
|
(void)0; /* terminate potentially open 'else' */ |
872 |
|
|
|
873 |
|
|
AES_set_encrypt_key(key, key_len * 8, aes_key); |
874 |
|
|
CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); |
875 |
|
|
#ifdef AES_CTR_ASM |
876 |
|
|
return (ctr128_f)AES_ctr32_encrypt; |
877 |
|
|
#else |
878 |
|
|
return NULL; |
879 |
|
|
#endif |
880 |
|
|
} |
881 |
|
|
|
882 |
|
|
static int |
883 |
|
|
aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
884 |
|
|
const unsigned char *iv, int enc) |
885 |
|
|
{ |
886 |
|
|
EVP_AES_GCM_CTX *gctx = ctx->cipher_data; |
887 |
|
|
|
888 |
|
|
if (!iv && !key) |
889 |
|
|
return 1; |
890 |
|
|
if (key) { |
891 |
|
|
gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, |
892 |
|
|
key, ctx->key_len); |
893 |
|
|
|
894 |
|
|
/* If we have an iv can set it directly, otherwise use |
895 |
|
|
* saved IV. |
896 |
|
|
*/ |
897 |
|
|
if (iv == NULL && gctx->iv_set) |
898 |
|
|
iv = gctx->iv; |
899 |
|
|
if (iv) { |
900 |
|
|
CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); |
901 |
|
|
gctx->iv_set = 1; |
902 |
|
|
} |
903 |
|
|
gctx->key_set = 1; |
904 |
|
|
} else { |
905 |
|
|
/* If key set use IV, otherwise copy */ |
906 |
|
|
if (gctx->key_set) |
907 |
|
|
CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); |
908 |
|
|
else |
909 |
|
|
memcpy(gctx->iv, iv, gctx->ivlen); |
910 |
|
|
gctx->iv_set = 1; |
911 |
|
|
gctx->iv_gen = 0; |
912 |
|
|
} |
913 |
|
|
return 1; |
914 |
|
|
} |
915 |
|
|
|
916 |
|
|
/* Handle TLS GCM packet format. This consists of the last portion of the IV |
917 |
|
|
* followed by the payload and finally the tag. On encrypt generate IV, |
918 |
|
|
* encrypt payload and write the tag. On verify retrieve IV, decrypt payload |
919 |
|
|
* and verify tag. |
920 |
|
|
*/ |
921 |
|
|
|
922 |
|
|
static int |
923 |
|
|
aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
924 |
|
|
const unsigned char *in, size_t len) |
925 |
|
|
{ |
926 |
|
|
EVP_AES_GCM_CTX *gctx = ctx->cipher_data; |
927 |
|
|
int rv = -1; |
928 |
|
|
|
929 |
|
|
/* Encrypt/decrypt must be performed in place */ |
930 |
|
|
if (out != in || |
931 |
|
|
len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) |
932 |
|
|
return -1; |
933 |
|
|
|
934 |
|
|
/* Set IV from start of buffer or generate IV and write to start |
935 |
|
|
* of buffer. |
936 |
|
|
*/ |
937 |
|
|
if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? |
938 |
|
|
EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, |
939 |
|
|
EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) |
940 |
|
|
goto err; |
941 |
|
|
|
942 |
|
|
/* Use saved AAD */ |
943 |
|
|
if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len)) |
944 |
|
|
goto err; |
945 |
|
|
|
946 |
|
|
/* Fix buffer and length to point to payload */ |
947 |
|
|
in += EVP_GCM_TLS_EXPLICIT_IV_LEN; |
948 |
|
|
out += EVP_GCM_TLS_EXPLICIT_IV_LEN; |
949 |
|
|
len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; |
950 |
|
|
if (ctx->encrypt) { |
951 |
|
|
/* Encrypt payload */ |
952 |
|
|
if (gctx->ctr) { |
953 |
|
|
if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, |
954 |
|
|
len, gctx->ctr)) |
955 |
|
|
goto err; |
956 |
|
|
} else { |
957 |
|
|
if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) |
958 |
|
|
goto err; |
959 |
|
|
} |
960 |
|
|
out += len; |
961 |
|
|
|
962 |
|
|
/* Finally write tag */ |
963 |
|
|
CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); |
964 |
|
|
rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; |
965 |
|
|
} else { |
966 |
|
|
/* Decrypt */ |
967 |
|
|
if (gctx->ctr) { |
968 |
|
|
if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, |
969 |
|
|
len, gctx->ctr)) |
970 |
|
|
goto err; |
971 |
|
|
} else { |
972 |
|
|
if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) |
973 |
|
|
goto err; |
974 |
|
|
} |
975 |
|
|
/* Retrieve tag */ |
976 |
|
|
CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN); |
977 |
|
|
|
978 |
|
|
/* If tag mismatch wipe buffer */ |
979 |
|
|
if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { |
980 |
|
|
explicit_bzero(out, len); |
981 |
|
|
goto err; |
982 |
|
|
} |
983 |
|
|
rv = len; |
984 |
|
|
} |
985 |
|
|
|
986 |
|
|
err: |
987 |
|
|
gctx->iv_set = 0; |
988 |
|
|
gctx->tls_aad_len = -1; |
989 |
|
|
return rv; |
990 |
|
|
} |
991 |
|
|
|
992 |
|
|
static int |
993 |
|
|
aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
994 |
|
|
const unsigned char *in, size_t len) |
995 |
|
|
{ |
996 |
|
|
EVP_AES_GCM_CTX *gctx = ctx->cipher_data; |
997 |
|
|
|
998 |
|
|
/* If not set up, return error */ |
999 |
|
|
if (!gctx->key_set) |
1000 |
|
|
return -1; |
1001 |
|
|
|
1002 |
|
|
if (gctx->tls_aad_len >= 0) |
1003 |
|
|
return aes_gcm_tls_cipher(ctx, out, in, len); |
1004 |
|
|
|
1005 |
|
|
if (!gctx->iv_set) |
1006 |
|
|
return -1; |
1007 |
|
|
|
1008 |
|
|
if (in) { |
1009 |
|
|
if (out == NULL) { |
1010 |
|
|
if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) |
1011 |
|
|
return -1; |
1012 |
|
|
} else if (ctx->encrypt) { |
1013 |
|
|
if (gctx->ctr) { |
1014 |
|
|
if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, |
1015 |
|
|
in, out, len, gctx->ctr)) |
1016 |
|
|
return -1; |
1017 |
|
|
} else { |
1018 |
|
|
if (CRYPTO_gcm128_encrypt(&gctx->gcm, |
1019 |
|
|
in, out, len)) |
1020 |
|
|
return -1; |
1021 |
|
|
} |
1022 |
|
|
} else { |
1023 |
|
|
if (gctx->ctr) { |
1024 |
|
|
if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, |
1025 |
|
|
in, out, len, gctx->ctr)) |
1026 |
|
|
return -1; |
1027 |
|
|
} else { |
1028 |
|
|
if (CRYPTO_gcm128_decrypt(&gctx->gcm, |
1029 |
|
|
in, out, len)) |
1030 |
|
|
return -1; |
1031 |
|
|
} |
1032 |
|
|
} |
1033 |
|
|
return len; |
1034 |
|
|
} else { |
1035 |
|
|
if (!ctx->encrypt) { |
1036 |
|
|
if (gctx->taglen < 0) |
1037 |
|
|
return -1; |
1038 |
|
|
if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, |
1039 |
|
|
gctx->taglen) != 0) |
1040 |
|
|
return -1; |
1041 |
|
|
gctx->iv_set = 0; |
1042 |
|
|
return 0; |
1043 |
|
|
} |
1044 |
|
|
CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); |
1045 |
|
|
gctx->taglen = 16; |
1046 |
|
|
|
1047 |
|
|
/* Don't reuse the IV */ |
1048 |
|
|
gctx->iv_set = 0; |
1049 |
|
|
return 0; |
1050 |
|
|
} |
1051 |
|
|
|
1052 |
|
|
} |
1053 |
|
|
|
1054 |
|
|
#define CUSTOM_FLAGS \ |
1055 |
|
|
( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ |
1056 |
|
|
EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \ |
1057 |
|
|
EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) |
1058 |
|
|
|
1059 |
|
8610 |
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, |
1060 |
|
|
EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) |
1061 |
|
2856 |
BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, |
1062 |
|
|
EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) |
1063 |
|
8610 |
BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, |
1064 |
|
|
EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) |
1065 |
|
|
|
1066 |
|
|
static int |
1067 |
|
|
aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) |
1068 |
|
|
{ |
1069 |
|
|
EVP_AES_XTS_CTX *xctx = c->cipher_data; |
1070 |
|
|
|
1071 |
|
|
switch (type) { |
1072 |
|
|
case EVP_CTRL_INIT: |
1073 |
|
|
/* |
1074 |
|
|
* key1 and key2 are used as an indicator both key and IV |
1075 |
|
|
* are set |
1076 |
|
|
*/ |
1077 |
|
|
xctx->xts.key1 = NULL; |
1078 |
|
|
xctx->xts.key2 = NULL; |
1079 |
|
|
return 1; |
1080 |
|
|
|
1081 |
|
|
case EVP_CTRL_COPY: |
1082 |
|
|
{ |
1083 |
|
|
EVP_CIPHER_CTX *out = ptr; |
1084 |
|
|
EVP_AES_XTS_CTX *xctx_out = out->cipher_data; |
1085 |
|
|
|
1086 |
|
|
if (xctx->xts.key1) { |
1087 |
|
|
if (xctx->xts.key1 != &xctx->ks1) |
1088 |
|
|
return 0; |
1089 |
|
|
xctx_out->xts.key1 = &xctx_out->ks1; |
1090 |
|
|
} |
1091 |
|
|
if (xctx->xts.key2) { |
1092 |
|
|
if (xctx->xts.key2 != &xctx->ks2) |
1093 |
|
|
return 0; |
1094 |
|
|
xctx_out->xts.key2 = &xctx_out->ks2; |
1095 |
|
|
} |
1096 |
|
|
return 1; |
1097 |
|
|
} |
1098 |
|
|
} |
1099 |
|
|
return -1; |
1100 |
|
|
} |
1101 |
|
|
|
1102 |
|
|
static int |
1103 |
|
|
aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
1104 |
|
|
const unsigned char *iv, int enc) |
1105 |
|
|
{ |
1106 |
|
|
EVP_AES_XTS_CTX *xctx = ctx->cipher_data; |
1107 |
|
|
|
1108 |
|
|
if (!iv && !key) |
1109 |
|
|
return 1; |
1110 |
|
|
|
1111 |
|
|
if (key) do { |
1112 |
|
|
#ifdef AES_XTS_ASM |
1113 |
|
|
xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; |
1114 |
|
|
#else |
1115 |
|
|
xctx->stream = NULL; |
1116 |
|
|
#endif |
1117 |
|
|
/* key_len is two AES keys */ |
1118 |
|
|
#ifdef BSAES_CAPABLE |
1119 |
|
|
if (BSAES_CAPABLE) |
1120 |
|
|
xctx->stream = enc ? bsaes_xts_encrypt : |
1121 |
|
|
bsaes_xts_decrypt; |
1122 |
|
|
else |
1123 |
|
|
#endif |
1124 |
|
|
#ifdef VPAES_CAPABLE |
1125 |
|
|
if (VPAES_CAPABLE) { |
1126 |
|
|
if (enc) { |
1127 |
|
|
vpaes_set_encrypt_key(key, ctx->key_len * 4, |
1128 |
|
|
&xctx->ks1); |
1129 |
|
|
xctx->xts.block1 = (block128_f)vpaes_encrypt; |
1130 |
|
|
} else { |
1131 |
|
|
vpaes_set_decrypt_key(key, ctx->key_len * 4, |
1132 |
|
|
&xctx->ks1); |
1133 |
|
|
xctx->xts.block1 = (block128_f)vpaes_decrypt; |
1134 |
|
|
} |
1135 |
|
|
|
1136 |
|
|
vpaes_set_encrypt_key(key + ctx->key_len / 2, |
1137 |
|
|
ctx->key_len * 4, &xctx->ks2); |
1138 |
|
|
xctx->xts.block2 = (block128_f)vpaes_encrypt; |
1139 |
|
|
|
1140 |
|
|
xctx->xts.key1 = &xctx->ks1; |
1141 |
|
|
break; |
1142 |
|
|
} else |
1143 |
|
|
#endif |
1144 |
|
|
(void)0; /* terminate potentially open 'else' */ |
1145 |
|
|
|
1146 |
|
|
if (enc) { |
1147 |
|
|
AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); |
1148 |
|
|
xctx->xts.block1 = (block128_f)AES_encrypt; |
1149 |
|
|
} else { |
1150 |
|
|
AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1); |
1151 |
|
|
xctx->xts.block1 = (block128_f)AES_decrypt; |
1152 |
|
|
} |
1153 |
|
|
|
1154 |
|
|
AES_set_encrypt_key(key + ctx->key_len / 2, |
1155 |
|
|
ctx->key_len * 4, &xctx->ks2); |
1156 |
|
|
xctx->xts.block2 = (block128_f)AES_encrypt; |
1157 |
|
|
|
1158 |
|
|
xctx->xts.key1 = &xctx->ks1; |
1159 |
|
|
} while (0); |
1160 |
|
|
|
1161 |
|
|
if (iv) { |
1162 |
|
|
xctx->xts.key2 = &xctx->ks2; |
1163 |
|
|
memcpy(ctx->iv, iv, 16); |
1164 |
|
|
} |
1165 |
|
|
|
1166 |
|
|
return 1; |
1167 |
|
|
} |
1168 |
|
|
|
1169 |
|
|
static int |
1170 |
|
|
aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
1171 |
|
|
const unsigned char *in, size_t len) |
1172 |
|
|
{ |
1173 |
|
|
EVP_AES_XTS_CTX *xctx = ctx->cipher_data; |
1174 |
|
|
|
1175 |
|
|
if (!xctx->xts.key1 || !xctx->xts.key2) |
1176 |
|
|
return 0; |
1177 |
|
|
if (!out || !in || len < AES_BLOCK_SIZE) |
1178 |
|
|
return 0; |
1179 |
|
|
|
1180 |
|
|
if (xctx->stream) |
1181 |
|
|
(*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2, |
1182 |
|
|
ctx->iv); |
1183 |
|
|
else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, |
1184 |
|
|
ctx->encrypt)) |
1185 |
|
|
return 0; |
1186 |
|
|
return 1; |
1187 |
|
|
} |
1188 |
|
|
|
1189 |
|
|
#define aes_xts_cleanup NULL |
1190 |
|
|
|
1191 |
|
|
#define XTS_FLAGS \ |
1192 |
|
|
( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ |
1193 |
|
|
EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) |
1194 |
|
|
|
1195 |
|
2856 |
BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS) |
1196 |
|
2856 |
BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS) |
1197 |
|
|
|
1198 |
|
|
static int |
1199 |
|
|
aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) |
1200 |
|
|
{ |
1201 |
|
|
EVP_AES_CCM_CTX *cctx = c->cipher_data; |
1202 |
|
|
|
1203 |
|
|
switch (type) { |
1204 |
|
|
case EVP_CTRL_INIT: |
1205 |
|
|
cctx->key_set = 0; |
1206 |
|
|
cctx->iv_set = 0; |
1207 |
|
|
cctx->L = 8; |
1208 |
|
|
cctx->M = 12; |
1209 |
|
|
cctx->tag_set = 0; |
1210 |
|
|
cctx->len_set = 0; |
1211 |
|
|
return 1; |
1212 |
|
|
|
1213 |
|
|
case EVP_CTRL_CCM_SET_IVLEN: |
1214 |
|
|
arg = 15 - arg; |
1215 |
|
|
|
1216 |
|
|
case EVP_CTRL_CCM_SET_L: |
1217 |
|
|
if (arg < 2 || arg > 8) |
1218 |
|
|
return 0; |
1219 |
|
|
cctx->L = arg; |
1220 |
|
|
return 1; |
1221 |
|
|
|
1222 |
|
|
case EVP_CTRL_CCM_SET_TAG: |
1223 |
|
|
if ((arg & 1) || arg < 4 || arg > 16) |
1224 |
|
|
return 0; |
1225 |
|
|
if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) |
1226 |
|
|
return 0; |
1227 |
|
|
if (ptr) { |
1228 |
|
|
cctx->tag_set = 1; |
1229 |
|
|
memcpy(c->buf, ptr, arg); |
1230 |
|
|
} |
1231 |
|
|
cctx->M = arg; |
1232 |
|
|
return 1; |
1233 |
|
|
|
1234 |
|
|
case EVP_CTRL_CCM_GET_TAG: |
1235 |
|
|
if (!c->encrypt || !cctx->tag_set) |
1236 |
|
|
return 0; |
1237 |
|
|
if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) |
1238 |
|
|
return 0; |
1239 |
|
|
cctx->tag_set = 0; |
1240 |
|
|
cctx->iv_set = 0; |
1241 |
|
|
cctx->len_set = 0; |
1242 |
|
|
return 1; |
1243 |
|
|
|
1244 |
|
|
case EVP_CTRL_COPY: |
1245 |
|
|
{ |
1246 |
|
|
EVP_CIPHER_CTX *out = ptr; |
1247 |
|
|
EVP_AES_CCM_CTX *cctx_out = out->cipher_data; |
1248 |
|
|
|
1249 |
|
|
if (cctx->ccm.key) { |
1250 |
|
|
if (cctx->ccm.key != &cctx->ks) |
1251 |
|
|
return 0; |
1252 |
|
|
cctx_out->ccm.key = &cctx_out->ks; |
1253 |
|
|
} |
1254 |
|
|
return 1; |
1255 |
|
|
} |
1256 |
|
|
|
1257 |
|
|
default: |
1258 |
|
|
return -1; |
1259 |
|
|
} |
1260 |
|
|
} |
1261 |
|
|
|
1262 |
|
|
static int |
1263 |
|
|
aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
1264 |
|
|
const unsigned char *iv, int enc) |
1265 |
|
|
{ |
1266 |
|
|
EVP_AES_CCM_CTX *cctx = ctx->cipher_data; |
1267 |
|
|
|
1268 |
|
|
if (!iv && !key) |
1269 |
|
|
return 1; |
1270 |
|
|
if (key) do { |
1271 |
|
|
#ifdef VPAES_CAPABLE |
1272 |
|
|
if (VPAES_CAPABLE) { |
1273 |
|
|
vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); |
1274 |
|
|
CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, |
1275 |
|
|
&cctx->ks, (block128_f)vpaes_encrypt); |
1276 |
|
|
cctx->str = NULL; |
1277 |
|
|
cctx->key_set = 1; |
1278 |
|
|
break; |
1279 |
|
|
} |
1280 |
|
|
#endif |
1281 |
|
|
AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks); |
1282 |
|
|
CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, |
1283 |
|
|
&cctx->ks, (block128_f)AES_encrypt); |
1284 |
|
|
cctx->str = NULL; |
1285 |
|
|
cctx->key_set = 1; |
1286 |
|
|
} while (0); |
1287 |
|
|
if (iv) { |
1288 |
|
|
memcpy(ctx->iv, iv, 15 - cctx->L); |
1289 |
|
|
cctx->iv_set = 1; |
1290 |
|
|
} |
1291 |
|
|
return 1; |
1292 |
|
|
} |
1293 |
|
|
|
1294 |
|
|
static int |
1295 |
|
|
aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
1296 |
|
|
const unsigned char *in, size_t len) |
1297 |
|
|
{ |
1298 |
|
|
EVP_AES_CCM_CTX *cctx = ctx->cipher_data; |
1299 |
|
|
CCM128_CONTEXT *ccm = &cctx->ccm; |
1300 |
|
|
|
1301 |
|
|
/* If not set up, return error */ |
1302 |
|
|
if (!cctx->iv_set && !cctx->key_set) |
1303 |
|
|
return -1; |
1304 |
|
|
if (!ctx->encrypt && !cctx->tag_set) |
1305 |
|
|
return -1; |
1306 |
|
|
|
1307 |
|
|
if (!out) { |
1308 |
|
|
if (!in) { |
1309 |
|
|
if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, |
1310 |
|
|
len)) |
1311 |
|
|
return -1; |
1312 |
|
|
cctx->len_set = 1; |
1313 |
|
|
return len; |
1314 |
|
|
} |
1315 |
|
|
/* If have AAD need message length */ |
1316 |
|
|
if (!cctx->len_set && len) |
1317 |
|
|
return -1; |
1318 |
|
|
CRYPTO_ccm128_aad(ccm, in, len); |
1319 |
|
|
return len; |
1320 |
|
|
} |
1321 |
|
|
/* EVP_*Final() doesn't return any data */ |
1322 |
|
|
if (!in) |
1323 |
|
|
return 0; |
1324 |
|
|
/* If not set length yet do it */ |
1325 |
|
|
if (!cctx->len_set) { |
1326 |
|
|
if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) |
1327 |
|
|
return -1; |
1328 |
|
|
cctx->len_set = 1; |
1329 |
|
|
} |
1330 |
|
|
if (ctx->encrypt) { |
1331 |
|
|
if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, |
1332 |
|
|
cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len)) |
1333 |
|
|
return -1; |
1334 |
|
|
cctx->tag_set = 1; |
1335 |
|
|
return len; |
1336 |
|
|
} else { |
1337 |
|
|
int rv = -1; |
1338 |
|
|
if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, |
1339 |
|
|
cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { |
1340 |
|
|
unsigned char tag[16]; |
1341 |
|
|
if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { |
1342 |
|
|
if (!memcmp(tag, ctx->buf, cctx->M)) |
1343 |
|
|
rv = len; |
1344 |
|
|
} |
1345 |
|
|
} |
1346 |
|
|
if (rv == -1) |
1347 |
|
|
explicit_bzero(out, len); |
1348 |
|
|
cctx->iv_set = 0; |
1349 |
|
|
cctx->tag_set = 0; |
1350 |
|
|
cctx->len_set = 0; |
1351 |
|
|
return rv; |
1352 |
|
|
} |
1353 |
|
|
|
1354 |
|
|
} |
1355 |
|
|
|
1356 |
|
|
#define aes_ccm_cleanup NULL |
1357 |
|
|
|
1358 |
|
|
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, |
1359 |
|
|
EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) |
1360 |
|
|
BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, |
1361 |
|
|
EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) |
1362 |
|
|
BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, |
1363 |
|
|
EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) |
1364 |
|
|
|
1365 |
|
|
#define EVP_AEAD_AES_GCM_TAG_LEN 16 |
1366 |
|
|
|
1367 |
|
|
struct aead_aes_gcm_ctx { |
1368 |
|
|
union { |
1369 |
|
|
double align; |
1370 |
|
|
AES_KEY ks; |
1371 |
|
|
} ks; |
1372 |
|
|
GCM128_CONTEXT gcm; |
1373 |
|
|
ctr128_f ctr; |
1374 |
|
|
unsigned char tag_len; |
1375 |
|
|
}; |
1376 |
|
|
|
1377 |
|
|
static int |
1378 |
|
|
aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len, |
1379 |
|
|
size_t tag_len) |
1380 |
|
|
{ |
1381 |
|
|
struct aead_aes_gcm_ctx *gcm_ctx; |
1382 |
|
63244 |
const size_t key_bits = key_len * 8; |
1383 |
|
|
|
1384 |
|
|
/* EVP_AEAD_CTX_init should catch this. */ |
1385 |
✗✓ |
31622 |
if (key_bits != 128 && key_bits != 256) { |
1386 |
|
|
EVPerror(EVP_R_BAD_KEY_LENGTH); |
1387 |
|
|
return 0; |
1388 |
|
|
} |
1389 |
|
|
|
1390 |
✓✓ |
31622 |
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) |
1391 |
|
31610 |
tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1392 |
|
|
|
1393 |
✗✓ |
31622 |
if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { |
1394 |
|
|
EVPerror(EVP_R_TAG_TOO_LARGE); |
1395 |
|
|
return 0; |
1396 |
|
|
} |
1397 |
|
|
|
1398 |
|
31622 |
gcm_ctx = malloc(sizeof(struct aead_aes_gcm_ctx)); |
1399 |
✗✓ |
31622 |
if (gcm_ctx == NULL) |
1400 |
|
|
return 0; |
1401 |
|
|
|
1402 |
|
|
#ifdef AESNI_CAPABLE |
1403 |
✓✗ |
31622 |
if (AESNI_CAPABLE) { |
1404 |
|
31622 |
aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks); |
1405 |
|
31622 |
CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, |
1406 |
|
|
(block128_f)aesni_encrypt); |
1407 |
|
|
gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; |
1408 |
|
31622 |
} else |
1409 |
|
|
#endif |
1410 |
|
|
{ |
1411 |
|
|
gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, |
1412 |
|
|
key, key_len); |
1413 |
|
|
} |
1414 |
|
31622 |
gcm_ctx->tag_len = tag_len; |
1415 |
|
31622 |
ctx->aead_state = gcm_ctx; |
1416 |
|
|
|
1417 |
|
31622 |
return 1; |
1418 |
|
31622 |
} |
1419 |
|
|
|
1420 |
|
|
static void |
1421 |
|
|
aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) |
1422 |
|
|
{ |
1423 |
|
63244 |
struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; |
1424 |
|
|
|
1425 |
|
31622 |
freezero(gcm_ctx, sizeof(*gcm_ctx)); |
1426 |
|
31622 |
} |
1427 |
|
|
|
1428 |
|
|
static int |
1429 |
|
|
aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, |
1430 |
|
|
size_t max_out_len, const unsigned char *nonce, size_t nonce_len, |
1431 |
|
|
const unsigned char *in, size_t in_len, const unsigned char *ad, |
1432 |
|
|
size_t ad_len) |
1433 |
|
|
{ |
1434 |
|
32094 |
const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; |
1435 |
|
16047 |
GCM128_CONTEXT gcm; |
1436 |
|
|
size_t bulk = 0; |
1437 |
|
|
|
1438 |
✗✓ |
16047 |
if (max_out_len < in_len + gcm_ctx->tag_len) { |
1439 |
|
|
EVPerror(EVP_R_BUFFER_TOO_SMALL); |
1440 |
|
|
return 0; |
1441 |
|
|
} |
1442 |
|
|
|
1443 |
|
16047 |
memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); |
1444 |
|
16047 |
CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); |
1445 |
|
|
|
1446 |
✓✗✗✓
|
32094 |
if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) |
1447 |
|
|
return 0; |
1448 |
|
|
|
1449 |
✓✗ |
16047 |
if (gcm_ctx->ctr) { |
1450 |
✗✓ |
16047 |
if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk, |
1451 |
|
|
in_len - bulk, gcm_ctx->ctr)) |
1452 |
|
|
return 0; |
1453 |
|
|
} else { |
1454 |
|
|
if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk, |
1455 |
|
|
in_len - bulk)) |
1456 |
|
|
return 0; |
1457 |
|
|
} |
1458 |
|
|
|
1459 |
|
16047 |
CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len); |
1460 |
|
16047 |
*out_len = in_len + gcm_ctx->tag_len; |
1461 |
|
|
|
1462 |
|
16047 |
return 1; |
1463 |
|
16047 |
} |
1464 |
|
|
|
1465 |
|
|
static int |
1466 |
|
|
aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, |
1467 |
|
|
size_t max_out_len, const unsigned char *nonce, size_t nonce_len, |
1468 |
|
|
const unsigned char *in, size_t in_len, const unsigned char *ad, |
1469 |
|
|
size_t ad_len) |
1470 |
|
|
{ |
1471 |
|
31862 |
const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state; |
1472 |
|
15931 |
unsigned char tag[EVP_AEAD_AES_GCM_TAG_LEN]; |
1473 |
|
15931 |
GCM128_CONTEXT gcm; |
1474 |
|
|
size_t plaintext_len; |
1475 |
|
|
size_t bulk = 0; |
1476 |
|
|
|
1477 |
✗✓ |
15931 |
if (in_len < gcm_ctx->tag_len) { |
1478 |
|
|
EVPerror(EVP_R_BAD_DECRYPT); |
1479 |
|
|
return 0; |
1480 |
|
|
} |
1481 |
|
|
|
1482 |
|
15931 |
plaintext_len = in_len - gcm_ctx->tag_len; |
1483 |
|
|
|
1484 |
✗✓ |
15931 |
if (max_out_len < plaintext_len) { |
1485 |
|
|
EVPerror(EVP_R_BUFFER_TOO_SMALL); |
1486 |
|
|
return 0; |
1487 |
|
|
} |
1488 |
|
|
|
1489 |
|
15931 |
memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); |
1490 |
|
15931 |
CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); |
1491 |
|
|
|
1492 |
✗✓ |
15931 |
if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) |
1493 |
|
|
return 0; |
1494 |
|
|
|
1495 |
✓✗ |
15931 |
if (gcm_ctx->ctr) { |
1496 |
✗✓ |
15931 |
if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk, |
1497 |
|
|
in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr)) |
1498 |
|
|
return 0; |
1499 |
|
|
} else { |
1500 |
|
|
if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk, |
1501 |
|
|
in_len - bulk - gcm_ctx->tag_len)) |
1502 |
|
|
return 0; |
1503 |
|
|
} |
1504 |
|
|
|
1505 |
|
15931 |
CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); |
1506 |
✓✓ |
15931 |
if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) { |
1507 |
|
12 |
EVPerror(EVP_R_BAD_DECRYPT); |
1508 |
|
12 |
return 0; |
1509 |
|
|
} |
1510 |
|
|
|
1511 |
|
15919 |
*out_len = plaintext_len; |
1512 |
|
|
|
1513 |
|
15919 |
return 1; |
1514 |
|
15931 |
} |
1515 |
|
|
|
1516 |
|
|
static const EVP_AEAD aead_aes_128_gcm = { |
1517 |
|
|
.key_len = 16, |
1518 |
|
|
.nonce_len = 12, |
1519 |
|
|
.overhead = EVP_AEAD_AES_GCM_TAG_LEN, |
1520 |
|
|
.max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, |
1521 |
|
|
|
1522 |
|
|
.init = aead_aes_gcm_init, |
1523 |
|
|
.cleanup = aead_aes_gcm_cleanup, |
1524 |
|
|
.seal = aead_aes_gcm_seal, |
1525 |
|
|
.open = aead_aes_gcm_open, |
1526 |
|
|
}; |
1527 |
|
|
|
1528 |
|
|
static const EVP_AEAD aead_aes_256_gcm = { |
1529 |
|
|
.key_len = 32, |
1530 |
|
|
.nonce_len = 12, |
1531 |
|
|
.overhead = EVP_AEAD_AES_GCM_TAG_LEN, |
1532 |
|
|
.max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN, |
1533 |
|
|
|
1534 |
|
|
.init = aead_aes_gcm_init, |
1535 |
|
|
.cleanup = aead_aes_gcm_cleanup, |
1536 |
|
|
.seal = aead_aes_gcm_seal, |
1537 |
|
|
.open = aead_aes_gcm_open, |
1538 |
|
|
}; |
1539 |
|
|
|
1540 |
|
|
const EVP_AEAD * |
1541 |
|
|
EVP_aead_aes_128_gcm(void) |
1542 |
|
|
{ |
1543 |
|
48 |
return &aead_aes_128_gcm; |
1544 |
|
|
} |
1545 |
|
|
|
1546 |
|
|
const EVP_AEAD * |
1547 |
|
|
EVP_aead_aes_256_gcm(void) |
1548 |
|
|
{ |
1549 |
|
31586 |
return &aead_aes_256_gcm; |
1550 |
|
|
} |
1551 |
|
|
|
1552 |
|
|
#endif |