2 * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * This file uses the low level AES functions (which are deprecated for
12 * non-internal use) in order to implement the EVP AES ciphers.
14 #include "internal/deprecated.h"
18 #include <openssl/opensslconf.h>
19 #include <openssl/crypto.h>
20 #include <openssl/evp.h>
21 #include <openssl/err.h>
22 #include <openssl/aes.h>
23 #include <openssl/rand.h>
24 #include <openssl/cmac.h>
25 #include "crypto/evp.h"
26 #include "internal/cryptlib.h"
27 #include "crypto/modes.h"
28 #include "crypto/siv.h"
29 #include "crypto/aes_platform.h"
30 #include "evp_local.h"
48 } ks; /* AES key schedule to use */
49 int key_set; /* Set if key initialised */
50 int iv_set; /* Set if an iv is set */
52 unsigned char *iv; /* Temporary IV store */
53 int ivlen; /* IV length */
55 int iv_gen; /* It is OK to generate IVs */
56 int iv_gen_rand; /* No IV was specified, so generate a rand IV */
57 int tls_aad_len; /* TLS AAD length */
58 uint64_t tls_enc_records; /* Number of TLS records encrypted */
66 } ks1, ks2; /* AES key schedules to use */
68 void (*stream) (const unsigned char *in,
69 unsigned char *out, size_t length,
70 const AES_KEY *key1, const AES_KEY *key2,
71 const unsigned char iv[16]);
75 static const int allow_insecure_decrypt = 0;
77 static const int allow_insecure_decrypt = 1;
84 } ks; /* AES key schedule to use */
85 int key_set; /* Set if key initialised */
86 int iv_set; /* Set if an iv is set */
87 int tag_set; /* Set if tag is valid */
88 int len_set; /* Set if message length set */
89 int L, M; /* L and M parameters from RFC3610 */
90 int tls_aad_len; /* TLS AAD length */
95 #ifndef OPENSSL_NO_OCB
100 } ksenc; /* AES key schedule to use for encryption */
104 } ksdec; /* AES key schedule to use for decryption */
105 int key_set; /* Set if key initialised */
106 int iv_set; /* Set if an iv is set */
108 unsigned char *iv; /* Temporary IV store */
109 unsigned char tag[16];
110 unsigned char data_buf[16]; /* Store partial data blocks */
111 unsigned char aad_buf[16]; /* Store partial AAD blocks */
114 int ivlen; /* IV length */
119 #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
121 /* increment counter (64-bit int) by 1 */
122 static void ctr64_inc(unsigned char *counter)
137 #if defined(AESNI_CAPABLE)
138 # if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
139 # define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
140 gctx->gcm.ghash==gcm_ghash_avx)
141 # undef AES_GCM_ASM2 /* minor size optimization */
144 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
145 const unsigned char *iv, int enc)
148 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
149 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
152 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
155 mode = EVP_CIPHER_CTX_get_mode(ctx);
156 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
158 ret = aesni_set_decrypt_key(key, keylen, &dat->ks.ks);
159 dat->block = (block128_f) aesni_decrypt;
160 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
161 (cbc128_f) aesni_cbc_encrypt : NULL;
163 ret = aesni_set_encrypt_key(key, keylen, &dat->ks.ks);
164 dat->block = (block128_f) aesni_encrypt;
165 if (mode == EVP_CIPH_CBC_MODE)
166 dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
167 else if (mode == EVP_CIPH_CTR_MODE)
168 dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
170 dat->stream.cbc = NULL;
174 ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
181 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
182 const unsigned char *in, size_t len)
184 aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
185 ctx->iv, EVP_CIPHER_CTX_is_encrypting(ctx));
190 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
191 const unsigned char *in, size_t len)
193 size_t bl = EVP_CIPHER_CTX_get_block_size(ctx);
198 aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
199 EVP_CIPHER_CTX_is_encrypting(ctx));
204 # define aesni_ofb_cipher aes_ofb_cipher
205 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
206 const unsigned char *in, size_t len);
208 # define aesni_cfb_cipher aes_cfb_cipher
209 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
210 const unsigned char *in, size_t len);
212 # define aesni_cfb8_cipher aes_cfb8_cipher
213 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
214 const unsigned char *in, size_t len);
216 # define aesni_cfb1_cipher aes_cfb1_cipher
217 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
218 const unsigned char *in, size_t len);
220 # define aesni_ctr_cipher aes_ctr_cipher
221 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
222 const unsigned char *in, size_t len);
224 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
225 const unsigned char *iv, int enc)
227 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX, ctx);
229 if (iv == NULL && key == NULL)
233 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
236 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
239 aesni_set_encrypt_key(key, keylen, &gctx->ks.ks);
240 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
241 gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
243 * If we have an iv can set it directly, otherwise use saved IV.
245 if (iv == NULL && gctx->iv_set)
248 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
253 /* If key set use IV, otherwise copy */
255 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
257 memcpy(gctx->iv, iv, gctx->ivlen);
264 # define aesni_gcm_cipher aes_gcm_cipher
265 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
266 const unsigned char *in, size_t len);
268 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
269 const unsigned char *iv, int enc)
271 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
273 if (iv == NULL && key == NULL)
277 /* The key is two half length keys in reality */
278 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
279 const int bytes = keylen / 2;
280 const int bits = bytes * 8;
283 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
287 * Verify that the two keys are different.
289 * This addresses Rogaway's vulnerability.
290 * See comment in aes_xts_init_key() below.
292 if ((!allow_insecure_decrypt || enc)
293 && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
294 ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
298 /* key_len is two AES keys */
300 aesni_set_encrypt_key(key, bits, &xctx->ks1.ks);
301 xctx->xts.block1 = (block128_f) aesni_encrypt;
302 xctx->stream = aesni_xts_encrypt;
304 aesni_set_decrypt_key(key, bits, &xctx->ks1.ks);
305 xctx->xts.block1 = (block128_f) aesni_decrypt;
306 xctx->stream = aesni_xts_decrypt;
309 aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
310 xctx->xts.block2 = (block128_f) aesni_encrypt;
312 xctx->xts.key1 = &xctx->ks1;
316 xctx->xts.key2 = &xctx->ks2;
317 memcpy(ctx->iv, iv, 16);
323 # define aesni_xts_cipher aes_xts_cipher
324 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
325 const unsigned char *in, size_t len);
327 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
328 const unsigned char *iv, int enc)
330 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
332 if (iv == NULL && key == NULL)
336 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
339 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
342 aesni_set_encrypt_key(key, keylen, &cctx->ks.ks);
343 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
344 &cctx->ks, (block128_f) aesni_encrypt);
345 cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
346 (ccm128_f) aesni_ccm64_decrypt_blocks;
350 memcpy(ctx->iv, iv, 15 - cctx->L);
356 # define aesni_ccm_cipher aes_ccm_cipher
357 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
358 const unsigned char *in, size_t len);
360 # ifndef OPENSSL_NO_OCB
361 static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
362 const unsigned char *iv, int enc)
364 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
366 if (iv == NULL && key == NULL)
370 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
373 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
378 * We set both the encrypt and decrypt key here because decrypt
379 * needs both. We could possibly optimise to remove setting the
380 * decrypt for an encryption operation.
382 aesni_set_encrypt_key(key, keylen, &octx->ksenc.ks);
383 aesni_set_decrypt_key(key, keylen, &octx->ksdec.ks);
384 if (!CRYPTO_ocb128_init(&octx->ocb,
385 &octx->ksenc.ks, &octx->ksdec.ks,
386 (block128_f) aesni_encrypt,
387 (block128_f) aesni_decrypt,
388 enc ? aesni_ocb_encrypt
389 : aesni_ocb_decrypt))
395 * If we have an iv we can set it directly, otherwise use saved IV.
397 if (iv == NULL && octx->iv_set)
400 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
407 /* If key set use IV, otherwise copy */
409 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
411 memcpy(octx->iv, iv, octx->ivlen);
417 # define aesni_ocb_cipher aes_ocb_cipher
418 static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
419 const unsigned char *in, size_t len);
420 # endif /* OPENSSL_NO_OCB */
422 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
423 static const EVP_CIPHER aesni_##keylen##_##mode = { \
424 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
425 flags|EVP_CIPH_##MODE##_MODE, \
428 aesni_##mode##_cipher, \
430 sizeof(EVP_AES_KEY), \
431 NULL,NULL,NULL,NULL }; \
432 static const EVP_CIPHER aes_##keylen##_##mode = { \
433 nid##_##keylen##_##nmode,blocksize, \
435 flags|EVP_CIPH_##MODE##_MODE, \
438 aes_##mode##_cipher, \
440 sizeof(EVP_AES_KEY), \
441 NULL,NULL,NULL,NULL }; \
442 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
443 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
445 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
446 static const EVP_CIPHER aesni_##keylen##_##mode = { \
447 nid##_##keylen##_##mode,blocksize, \
448 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
450 flags|EVP_CIPH_##MODE##_MODE, \
452 aesni_##mode##_init_key, \
453 aesni_##mode##_cipher, \
454 aes_##mode##_cleanup, \
455 sizeof(EVP_AES_##MODE##_CTX), \
456 NULL,NULL,aes_##mode##_ctrl,NULL }; \
457 static const EVP_CIPHER aes_##keylen##_##mode = { \
458 nid##_##keylen##_##mode,blocksize, \
459 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
461 flags|EVP_CIPH_##MODE##_MODE, \
463 aes_##mode##_init_key, \
464 aes_##mode##_cipher, \
465 aes_##mode##_cleanup, \
466 sizeof(EVP_AES_##MODE##_CTX), \
467 NULL,NULL,aes_##mode##_ctrl,NULL }; \
468 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
469 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
471 #elif defined(SPARC_AES_CAPABLE)
473 static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
474 const unsigned char *iv, int enc)
477 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
479 mode = EVP_CIPHER_CTX_get_mode(ctx);
480 bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
482 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
485 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
488 aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
489 dat->block = (block128_f) aes_t4_decrypt;
492 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
493 (cbc128_f) aes128_t4_cbc_decrypt : NULL;
496 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
497 (cbc128_f) aes192_t4_cbc_decrypt : NULL;
500 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
501 (cbc128_f) aes256_t4_cbc_decrypt : NULL;
508 aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
509 dat->block = (block128_f) aes_t4_encrypt;
512 if (mode == EVP_CIPH_CBC_MODE)
513 dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
514 else if (mode == EVP_CIPH_CTR_MODE)
515 dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
517 dat->stream.cbc = NULL;
520 if (mode == EVP_CIPH_CBC_MODE)
521 dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
522 else if (mode == EVP_CIPH_CTR_MODE)
523 dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
525 dat->stream.cbc = NULL;
528 if (mode == EVP_CIPH_CBC_MODE)
529 dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
530 else if (mode == EVP_CIPH_CTR_MODE)
531 dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
533 dat->stream.cbc = NULL;
541 ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
548 # define aes_t4_cbc_cipher aes_cbc_cipher
549 static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
550 const unsigned char *in, size_t len);
552 # define aes_t4_ecb_cipher aes_ecb_cipher
553 static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
554 const unsigned char *in, size_t len);
556 # define aes_t4_ofb_cipher aes_ofb_cipher
557 static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
558 const unsigned char *in, size_t len);
560 # define aes_t4_cfb_cipher aes_cfb_cipher
561 static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
562 const unsigned char *in, size_t len);
564 # define aes_t4_cfb8_cipher aes_cfb8_cipher
565 static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
566 const unsigned char *in, size_t len);
568 # define aes_t4_cfb1_cipher aes_cfb1_cipher
569 static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
570 const unsigned char *in, size_t len);
572 # define aes_t4_ctr_cipher aes_ctr_cipher
573 static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
574 const unsigned char *in, size_t len);
576 static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
577 const unsigned char *iv, int enc)
579 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
581 if (iv == NULL && key == NULL)
584 const int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
587 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
590 aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
591 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
592 (block128_f) aes_t4_encrypt);
595 gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
598 gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
601 gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
607 * If we have an iv can set it directly, otherwise use saved IV.
609 if (iv == NULL && gctx->iv_set)
612 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
617 /* If key set use IV, otherwise copy */
619 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
621 memcpy(gctx->iv, iv, gctx->ivlen);
628 # define aes_t4_gcm_cipher aes_gcm_cipher
629 static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
630 const unsigned char *in, size_t len);
632 static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
633 const unsigned char *iv, int enc)
635 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
641 /* The key is two half length keys in reality */
642 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
643 const int bytes = keylen / 2;
644 const int bits = bytes * 8;
647 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
651 * Verify that the two keys are different.
653 * This addresses Rogaway's vulnerability.
654 * See comment in aes_xts_init_key() below.
656 if ((!allow_insecure_decrypt || enc)
657 && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
658 ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
663 /* key_len is two AES keys */
665 aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
666 xctx->xts.block1 = (block128_f) aes_t4_encrypt;
669 xctx->stream = aes128_t4_xts_encrypt;
672 xctx->stream = aes256_t4_xts_encrypt;
678 aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks);
679 xctx->xts.block1 = (block128_f) aes_t4_decrypt;
682 xctx->stream = aes128_t4_xts_decrypt;
685 xctx->stream = aes256_t4_xts_decrypt;
692 aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
693 xctx->xts.block2 = (block128_f) aes_t4_encrypt;
695 xctx->xts.key1 = &xctx->ks1;
699 xctx->xts.key2 = &xctx->ks2;
700 memcpy(ctx->iv, iv, 16);
706 # define aes_t4_xts_cipher aes_xts_cipher
707 static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
708 const unsigned char *in, size_t len);
710 static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
711 const unsigned char *iv, int enc)
713 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
715 if (iv == NULL && key == NULL)
719 const int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
722 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
725 aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
726 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
727 &cctx->ks, (block128_f) aes_t4_encrypt);
732 memcpy(ctx->iv, iv, 15 - cctx->L);
738 # define aes_t4_ccm_cipher aes_ccm_cipher
739 static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
740 const unsigned char *in, size_t len);
742 # ifndef OPENSSL_NO_OCB
743 static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
744 const unsigned char *iv, int enc)
746 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
748 if (iv == NULL && key == NULL)
752 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
755 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
760 * We set both the encrypt and decrypt key here because decrypt
761 * needs both. We could possibly optimise to remove setting the
762 * decrypt for an encryption operation.
764 aes_t4_set_encrypt_key(key, keylen, &octx->ksenc.ks);
765 aes_t4_set_decrypt_key(key, keylen, &octx->ksdec.ks);
766 if (!CRYPTO_ocb128_init(&octx->ocb,
767 &octx->ksenc.ks, &octx->ksdec.ks,
768 (block128_f) aes_t4_encrypt,
769 (block128_f) aes_t4_decrypt,
776 * If we have an iv we can set it directly, otherwise use saved IV.
778 if (iv == NULL && octx->iv_set)
781 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
788 /* If key set use IV, otherwise copy */
790 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
792 memcpy(octx->iv, iv, octx->ivlen);
798 # define aes_t4_ocb_cipher aes_ocb_cipher
799 static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
800 const unsigned char *in, size_t len);
801 # endif /* OPENSSL_NO_OCB */
803 # ifndef OPENSSL_NO_SIV
804 # define aes_t4_siv_init_key aes_siv_init_key
805 # define aes_t4_siv_cipher aes_siv_cipher
806 # endif /* OPENSSL_NO_SIV */
808 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
809 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
810 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
811 flags|EVP_CIPH_##MODE##_MODE, \
814 aes_t4_##mode##_cipher, \
816 sizeof(EVP_AES_KEY), \
817 NULL,NULL,NULL,NULL }; \
818 static const EVP_CIPHER aes_##keylen##_##mode = { \
819 nid##_##keylen##_##nmode,blocksize, \
821 flags|EVP_CIPH_##MODE##_MODE, \
824 aes_##mode##_cipher, \
826 sizeof(EVP_AES_KEY), \
827 NULL,NULL,NULL,NULL }; \
828 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
829 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
831 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
832 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
833 nid##_##keylen##_##mode,blocksize, \
834 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
836 flags|EVP_CIPH_##MODE##_MODE, \
838 aes_t4_##mode##_init_key, \
839 aes_t4_##mode##_cipher, \
840 aes_##mode##_cleanup, \
841 sizeof(EVP_AES_##MODE##_CTX), \
842 NULL,NULL,aes_##mode##_ctrl,NULL }; \
843 static const EVP_CIPHER aes_##keylen##_##mode = { \
844 nid##_##keylen##_##mode,blocksize, \
845 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
847 flags|EVP_CIPH_##MODE##_MODE, \
849 aes_##mode##_init_key, \
850 aes_##mode##_cipher, \
851 aes_##mode##_cleanup, \
852 sizeof(EVP_AES_##MODE##_CTX), \
853 NULL,NULL,aes_##mode##_ctrl,NULL }; \
854 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
855 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
857 #elif defined(S390X_aes_128_CAPABLE)
858 /* IBM S390X support */
863 * KM-AES parameter block - begin
864 * (see z/Architecture Principles of Operation >= SA22-7832-06)
869 /* KM-AES parameter block - end */
878 * KMO-AES parameter block - begin
879 * (see z/Architecture Principles of Operation >= SA22-7832-08)
882 unsigned char cv[16];
885 /* KMO-AES parameter block - end */
896 * KMF-AES parameter block - begin
897 * (see z/Architecture Principles of Operation >= SA22-7832-08)
900 unsigned char cv[16];
903 /* KMF-AES parameter block - end */
914 * KMA-GCM-AES parameter block - begin
915 * (see z/Architecture Principles of Operation >= SA22-7832-11)
918 unsigned char reserved[12];
924 unsigned long long g[2];
928 unsigned long long taadl;
929 unsigned long long tpcl;
931 unsigned long long g[2];
936 /* KMA-GCM-AES parameter block - end */
948 unsigned char ares[16];
949 unsigned char mres[16];
950 unsigned char kres[16];
956 uint64_t tls_enc_records; /* Number of TLS records encrypted */
963 * Padding is chosen so that ccm.kmac_param.k overlaps with key.k and
964 * ccm.fc with key.k.rounds. Remember that on s390x, an AES_KEY's
965 * rounds field is used to store the function code and that the key
966 * schedule is not stored (if aes hardware support is detected).
969 unsigned char pad[16];
975 * KMAC-AES parameter block - begin
976 * (see z/Architecture Principles of Operation >= SA22-7832-08)
980 unsigned long long g[2];
985 /* KMAC-AES parameter block - end */
988 unsigned long long g[2];
992 unsigned long long g[2];
996 unsigned long long blocks;
1005 unsigned char pad[140];
1009 } S390X_AES_CCM_CTX;
1011 # define s390x_aes_init_key aes_init_key
1012 static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1013 const unsigned char *iv, int enc);
1015 # define S390X_AES_CBC_CTX EVP_AES_KEY
1017 # define s390x_aes_cbc_init_key aes_init_key
1019 # define s390x_aes_cbc_cipher aes_cbc_cipher
1020 static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1021 const unsigned char *in, size_t len);
1023 static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx,
1024 const unsigned char *key,
1025 const unsigned char *iv, int enc)
1027 S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
1028 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
1031 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1034 cctx->fc = S390X_AES_FC(keylen);
1036 cctx->fc |= S390X_DECRYPT;
1038 memcpy(cctx->km.param.k, key, keylen);
1042 static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1043 const unsigned char *in, size_t len)
1045 S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
1047 s390x_km(in, len, out, cctx->fc, &cctx->km.param);
1051 static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx,
1052 const unsigned char *key,
1053 const unsigned char *ivec, int enc)
1055 S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
1056 const unsigned char *iv = ctx->oiv;
1057 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
1058 const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
1061 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1065 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
1068 memcpy(cctx->kmo.param.cv, iv, ivlen);
1069 memcpy(cctx->kmo.param.k, key, keylen);
1070 cctx->fc = S390X_AES_FC(keylen);
1075 static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1076 const unsigned char *in, size_t len)
1078 S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
1079 const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
1080 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
1084 memcpy(cctx->kmo.param.cv, iv, ivlen);
1086 *out = *in ^ cctx->kmo.param.cv[n];
1095 len &= ~(size_t)0xf;
1097 s390x_kmo(in, len, out, cctx->fc, &cctx->kmo.param);
1104 s390x_km(cctx->kmo.param.cv, 16, cctx->kmo.param.cv, cctx->fc,
1108 out[n] = in[n] ^ cctx->kmo.param.cv[n];
1113 memcpy(iv, cctx->kmo.param.cv, ivlen);
1118 static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx,
1119 const unsigned char *key,
1120 const unsigned char *ivec, int enc)
1122 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1123 const unsigned char *iv = ctx->oiv;
1124 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
1125 const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
1128 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1132 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
1135 cctx->fc = S390X_AES_FC(keylen);
1136 cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */
1138 cctx->fc |= S390X_DECRYPT;
1141 memcpy(cctx->kmf.param.cv, iv, ivlen);
1142 memcpy(cctx->kmf.param.k, key, keylen);
1146 static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1147 const unsigned char *in, size_t len)
1149 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1150 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
1151 const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
1152 const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
1153 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
1159 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1163 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
1166 memcpy(cctx->kmf.param.cv, iv, ivlen);
1169 *out = cctx->kmf.param.cv[n] ^ tmp;
1170 cctx->kmf.param.cv[n] = enc ? *out : tmp;
1179 len &= ~(size_t)0xf;
1181 s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
1188 s390x_km(cctx->kmf.param.cv, 16, cctx->kmf.param.cv,
1189 S390X_AES_FC(keylen), cctx->kmf.param.k);
1193 out[n] = cctx->kmf.param.cv[n] ^ tmp;
1194 cctx->kmf.param.cv[n] = enc ? out[n] : tmp;
1199 memcpy(iv, cctx->kmf.param.cv, ivlen);
1204 static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX *ctx,
1205 const unsigned char *key,
1206 const unsigned char *ivec, int enc)
1208 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1209 const unsigned char *iv = ctx->oiv;
1210 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
1211 const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
1214 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1218 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
1221 cctx->fc = S390X_AES_FC(keylen);
1222 cctx->fc |= 1 << 24; /* 1 byte cipher feedback */
1224 cctx->fc |= S390X_DECRYPT;
1226 memcpy(cctx->kmf.param.cv, iv, ivlen);
1227 memcpy(cctx->kmf.param.k, key, keylen);
1231 static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1232 const unsigned char *in, size_t len)
1234 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
1235 const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
1236 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
1238 memcpy(cctx->kmf.param.cv, iv, ivlen);
1239 s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
1240 memcpy(iv, cctx->kmf.param.cv, ivlen);
1244 # define s390x_aes_cfb1_init_key aes_init_key
1246 # define s390x_aes_cfb1_cipher aes_cfb1_cipher
1247 static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1248 const unsigned char *in, size_t len);
1250 # define S390X_AES_CTR_CTX EVP_AES_KEY
1252 # define s390x_aes_ctr_init_key aes_init_key
1254 # define s390x_aes_ctr_cipher aes_ctr_cipher
1255 static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1256 const unsigned char *in, size_t len);
1258 /* iv + padding length for iv lengths != 12 */
1259 # define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
1262 * Process additional authenticated data. Returns 0 on success. Code is
1265 static int s390x_aes_gcm_aad(S390X_AES_GCM_CTX *ctx, const unsigned char *aad,
1268 unsigned long long alen;
1271 if (ctx->kma.param.tpcl)
1274 alen = ctx->kma.param.taadl + len;
1275 if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
1277 ctx->kma.param.taadl = alen;
1282 ctx->ares[n] = *aad;
1287 /* ctx->ares contains a complete block if offset has wrapped around */
1289 s390x_kma(ctx->ares, 16, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
1290 ctx->fc |= S390X_KMA_HS;
1297 len &= ~(size_t)0xf;
1299 s390x_kma(aad, len, NULL, 0, NULL, ctx->fc, &ctx->kma.param);
1301 ctx->fc |= S390X_KMA_HS;
1309 ctx->ares[rem] = aad[rem];
1316 * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 0 for
1317 * success. Code is big-endian.
1319 static int s390x_aes_gcm(S390X_AES_GCM_CTX *ctx, const unsigned char *in,
1320 unsigned char *out, size_t len)
1322 const unsigned char *inptr;
1323 unsigned long long mlen;
1326 unsigned char b[16];
1331 mlen = ctx->kma.param.tpcl + len;
1332 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
1334 ctx->kma.param.tpcl = mlen;
1340 while (n && inlen) {
1341 ctx->mres[n] = *inptr;
1346 /* ctx->mres contains a complete block if offset has wrapped around */
1348 s390x_kma(ctx->ares, ctx->areslen, ctx->mres, 16, buf.b,
1349 ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
1350 ctx->fc |= S390X_KMA_HS;
1353 /* previous call already encrypted/decrypted its remainder,
1354 * see comment below */
1369 len &= ~(size_t)0xf;
1371 s390x_kma(ctx->ares, ctx->areslen, in, len, out,
1372 ctx->fc | S390X_KMA_LAAD, &ctx->kma.param);
1375 ctx->fc |= S390X_KMA_HS;
1380 * If there is a remainder, it has to be saved such that it can be
1381 * processed by kma later. However, we also have to do the for-now
1382 * unauthenticated encryption/decryption part here and now...
1385 if (!ctx->mreslen) {
1386 buf.w[0] = ctx->kma.param.j0.w[0];
1387 buf.w[1] = ctx->kma.param.j0.w[1];
1388 buf.w[2] = ctx->kma.param.j0.w[2];
1389 buf.w[3] = ctx->kma.param.cv.w + 1;
1390 s390x_km(buf.b, 16, ctx->kres, ctx->fc & 0x1f, &ctx->kma.param.k);
1394 for (i = 0; i < rem; i++) {
1395 ctx->mres[n + i] = in[i];
1396 out[i] = in[i] ^ ctx->kres[n + i];
1399 ctx->mreslen += rem;
1405 * Initialize context structure. Code is big-endian.
1407 static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx,
1408 const unsigned char *iv)
1410 ctx->kma.param.t.g[0] = 0;
1411 ctx->kma.param.t.g[1] = 0;
1412 ctx->kma.param.tpcl = 0;
1413 ctx->kma.param.taadl = 0;
1418 if (ctx->ivlen == 12) {
1419 memcpy(&ctx->kma.param.j0, iv, ctx->ivlen);
1420 ctx->kma.param.j0.w[3] = 1;
1421 ctx->kma.param.cv.w = 1;
1423 /* ctx->iv has the right size and is already padded. */
1424 memcpy(ctx->iv, iv, ctx->ivlen);
1425 s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL,
1426 ctx->fc, &ctx->kma.param);
1427 ctx->fc |= S390X_KMA_HS;
1429 ctx->kma.param.j0.g[0] = ctx->kma.param.t.g[0];
1430 ctx->kma.param.j0.g[1] = ctx->kma.param.t.g[1];
1431 ctx->kma.param.cv.w = ctx->kma.param.j0.w[3];
1432 ctx->kma.param.t.g[0] = 0;
1433 ctx->kma.param.t.g[1] = 0;
1438 * Performs various operations on the context structure depending on control
1439 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
1440 * Code is big-endian.
1442 static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1444 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
1445 S390X_AES_GCM_CTX *gctx_out;
1446 EVP_CIPHER_CTX *out;
1448 int ivlen, enc, len;
1452 ivlen = EVP_CIPHER_get_iv_length(c->cipher);
1455 gctx->ivlen = ivlen;
1459 gctx->tls_aad_len = -1;
1462 case EVP_CTRL_GET_IVLEN:
1463 *(int *)ptr = gctx->ivlen;
1466 case EVP_CTRL_AEAD_SET_IVLEN:
1471 len = S390X_gcm_ivpadlen(arg);
1473 /* Allocate memory for iv if needed. */
1474 if (gctx->ivlen == 12 || len > S390X_gcm_ivpadlen(gctx->ivlen)) {
1475 if (gctx->iv != c->iv)
1476 OPENSSL_free(gctx->iv);
1478 if ((gctx->iv = OPENSSL_malloc(len)) == NULL) {
1479 ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
1484 memset(gctx->iv + arg, 0, len - arg - 8);
1485 *((unsigned long long *)(gctx->iv + len - 8)) = arg << 3;
1490 case EVP_CTRL_AEAD_SET_TAG:
1491 buf = EVP_CIPHER_CTX_buf_noconst(c);
1492 enc = EVP_CIPHER_CTX_is_encrypting(c);
1493 if (arg <= 0 || arg > 16 || enc)
1496 memcpy(buf, ptr, arg);
1500 case EVP_CTRL_AEAD_GET_TAG:
1501 enc = EVP_CIPHER_CTX_is_encrypting(c);
1502 if (arg <= 0 || arg > 16 || !enc || gctx->taglen < 0)
1505 memcpy(ptr, gctx->kma.param.t.b, arg);
1508 case EVP_CTRL_GCM_SET_IV_FIXED:
1509 /* Special case: -1 length restores whole iv */
1511 memcpy(gctx->iv, ptr, gctx->ivlen);
1516 * Fixed field must be at least 4 bytes and invocation field at least
1519 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1523 memcpy(gctx->iv, ptr, arg);
1525 enc = EVP_CIPHER_CTX_is_encrypting(c);
1526 if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
1532 case EVP_CTRL_GCM_IV_GEN:
1533 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1536 s390x_aes_gcm_setiv(gctx, gctx->iv);
1538 if (arg <= 0 || arg > gctx->ivlen)
1541 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1543 * Invocation field will be at least 8 bytes in size and so no need
1544 * to check wrap around or increment more than last 8 bytes.
1546 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1550 case EVP_CTRL_GCM_SET_IV_INV:
1551 enc = EVP_CIPHER_CTX_is_encrypting(c);
1552 if (gctx->iv_gen == 0 || gctx->key_set == 0 || enc)
1555 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1556 s390x_aes_gcm_setiv(gctx, gctx->iv);
1560 case EVP_CTRL_AEAD_TLS1_AAD:
1561 /* Save the aad for later use. */
1562 if (arg != EVP_AEAD_TLS1_AAD_LEN)
1565 buf = EVP_CIPHER_CTX_buf_noconst(c);
1566 memcpy(buf, ptr, arg);
1567 gctx->tls_aad_len = arg;
1568 gctx->tls_enc_records = 0;
1570 len = buf[arg - 2] << 8 | buf[arg - 1];
1571 /* Correct length for explicit iv. */
1572 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
1574 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1576 /* If decrypting correct for tag too. */
1577 enc = EVP_CIPHER_CTX_is_encrypting(c);
1579 if (len < EVP_GCM_TLS_TAG_LEN)
1581 len -= EVP_GCM_TLS_TAG_LEN;
1583 buf[arg - 2] = len >> 8;
1584 buf[arg - 1] = len & 0xff;
1585 /* Extra padding: tag appended to record. */
1586 return EVP_GCM_TLS_TAG_LEN;
1590 gctx_out = EVP_C_DATA(S390X_AES_GCM_CTX, out);
1592 if (gctx->iv == c->iv) {
1593 gctx_out->iv = out->iv;
1595 len = S390X_gcm_ivpadlen(gctx->ivlen);
1597 if ((gctx_out->iv = OPENSSL_malloc(len)) == NULL) {
1598 ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
1602 memcpy(gctx_out->iv, gctx->iv, len);
1612 * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
1614 static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx,
1615 const unsigned char *key,
1616 const unsigned char *iv, int enc)
1618 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1621 if (iv == NULL && key == NULL)
1625 keylen = EVP_CIPHER_CTX_get_key_length(ctx);
1627 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1631 memcpy(&gctx->kma.param.k, key, keylen);
1633 gctx->fc = S390X_AES_FC(keylen);
1635 gctx->fc |= S390X_DECRYPT;
1637 if (iv == NULL && gctx->iv_set)
1641 s390x_aes_gcm_setiv(gctx, iv);
1647 s390x_aes_gcm_setiv(gctx, iv);
1649 memcpy(gctx->iv, iv, gctx->ivlen);
1658 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
1659 * if successful. Otherwise -1 is returned. Code is big-endian.
1661 static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1662 const unsigned char *in, size_t len)
1664 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1665 const unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
1666 const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
1669 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1673 * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
1674 * Requirements from SP 800-38D". The requirements is for one party to the
1675 * communication to fail after 2^64 - 1 keys. We do this on the encrypting
1678 if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
1679 ERR_raise(ERR_LIB_EVP, EVP_R_TOO_MANY_RECORDS);
1683 if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN
1684 : EVP_CTRL_GCM_SET_IV_INV,
1685 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1688 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1689 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1690 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1692 gctx->kma.param.taadl = gctx->tls_aad_len << 3;
1693 gctx->kma.param.tpcl = len << 3;
1694 s390x_kma(buf, gctx->tls_aad_len, in, len, out,
1695 gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
1698 memcpy(out + len, gctx->kma.param.t.b, EVP_GCM_TLS_TAG_LEN);
1699 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1701 if (CRYPTO_memcmp(gctx->kma.param.t.b, in + len,
1702 EVP_GCM_TLS_TAG_LEN)) {
1703 OPENSSL_cleanse(out, len);
1710 gctx->tls_aad_len = -1;
1715 * Called from EVP layer to initialize context, process additional
1716 * authenticated data, en/de-crypt plain/cipher-text and authenticate
1717 * ciphertext or process a TLS packet, depending on context. Returns bytes
1718 * written on success. Otherwise -1 is returned. Code is big-endian.
1720 static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1721 const unsigned char *in, size_t len)
1723 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
1724 unsigned char *buf, tmp[16];
1730 if (gctx->tls_aad_len >= 0)
1731 return s390x_aes_gcm_tls_cipher(ctx, out, in, len);
1738 if (s390x_aes_gcm_aad(gctx, in, len))
1741 if (s390x_aes_gcm(gctx, in, out, len))
1746 gctx->kma.param.taadl <<= 3;
1747 gctx->kma.param.tpcl <<= 3;
1748 s390x_kma(gctx->ares, gctx->areslen, gctx->mres, gctx->mreslen, tmp,
1749 gctx->fc | S390X_KMA_LAAD | S390X_KMA_LPC, &gctx->kma.param);
1750 /* recall that we already did en-/decrypt gctx->mres
1751 * and returned it to caller... */
1752 OPENSSL_cleanse(tmp, gctx->mreslen);
1755 enc = EVP_CIPHER_CTX_is_encrypting(ctx);
1759 if (gctx->taglen < 0)
1762 buf = EVP_CIPHER_CTX_buf_noconst(ctx);
1763 if (CRYPTO_memcmp(buf, gctx->kma.param.t.b, gctx->taglen))
1770 static int s390x_aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1772 S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, c);
1777 if (gctx->iv != c->iv)
1778 OPENSSL_free(gctx->iv);
1780 OPENSSL_cleanse(gctx, sizeof(*gctx));
1784 # define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
1786 # define s390x_aes_xts_init_key aes_xts_init_key
1787 static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx,
1788 const unsigned char *key,
1789 const unsigned char *iv, int enc);
1790 # define s390x_aes_xts_cipher aes_xts_cipher
1791 static int s390x_aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1792 const unsigned char *in, size_t len);
1793 # define s390x_aes_xts_ctrl aes_xts_ctrl
1794 static int s390x_aes_xts_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
1795 # define s390x_aes_xts_cleanup aes_xts_cleanup
1798 * Set nonce and length fields. Code is big-endian.
1800 static inline void s390x_aes_ccm_setiv(S390X_AES_CCM_CTX *ctx,
1801 const unsigned char *nonce,
1804 ctx->aes.ccm.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
1805 ctx->aes.ccm.nonce.g[1] = mlen;
1806 memcpy(ctx->aes.ccm.nonce.b + 1, nonce, 15 - ctx->aes.ccm.l);
1810 * Process additional authenticated data. Code is big-endian.
1812 static void s390x_aes_ccm_aad(S390X_AES_CCM_CTX *ctx, const unsigned char *aad,
1821 ctx->aes.ccm.nonce.b[0] |= S390X_CCM_AAD_FLAG;
1823 /* Suppress 'type-punned pointer dereference' warning. */
1824 ptr = ctx->aes.ccm.buf.b;
1826 if (alen < ((1 << 16) - (1 << 8))) {
1827 *(uint16_t *)ptr = alen;
1829 } else if (sizeof(alen) == 8
1830 && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
1831 *(uint16_t *)ptr = 0xffff;
1832 *(uint64_t *)(ptr + 2) = alen;
1835 *(uint16_t *)ptr = 0xfffe;
1836 *(uint32_t *)(ptr + 2) = alen;
1840 while (i < 16 && alen) {
1841 ctx->aes.ccm.buf.b[i] = *aad;
1847 ctx->aes.ccm.buf.b[i] = 0;
1851 ctx->aes.ccm.kmac_param.icv.g[0] = 0;
1852 ctx->aes.ccm.kmac_param.icv.g[1] = 0;
1853 s390x_kmac(ctx->aes.ccm.nonce.b, 32, ctx->aes.ccm.fc,
1854 &ctx->aes.ccm.kmac_param);
1855 ctx->aes.ccm.blocks += 2;
1858 alen &= ~(size_t)0xf;
1860 s390x_kmac(aad, alen, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
1861 ctx->aes.ccm.blocks += alen >> 4;
1865 for (i = 0; i < rem; i++)
1866 ctx->aes.ccm.kmac_param.icv.b[i] ^= aad[i];
1868 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
1869 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
1870 ctx->aes.ccm.kmac_param.k);
1871 ctx->aes.ccm.blocks++;
1876 * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 0 for
1879 static int s390x_aes_ccm(S390X_AES_CCM_CTX *ctx, const unsigned char *in,
1880 unsigned char *out, size_t len, int enc)
1883 unsigned int i, l, num;
1884 unsigned char flags;
1886 flags = ctx->aes.ccm.nonce.b[0];
1887 if (!(flags & S390X_CCM_AAD_FLAG)) {
1888 s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.kmac_param.icv.b,
1889 ctx->aes.ccm.fc, ctx->aes.ccm.kmac_param.k);
1890 ctx->aes.ccm.blocks++;
1893 ctx->aes.ccm.nonce.b[0] = l;
1896 * Reconstruct length from encoded length field
1897 * and initialize it with counter value.
1900 for (i = 15 - l; i < 15; i++) {
1901 n |= ctx->aes.ccm.nonce.b[i];
1902 ctx->aes.ccm.nonce.b[i] = 0;
1905 n |= ctx->aes.ccm.nonce.b[15];
1906 ctx->aes.ccm.nonce.b[15] = 1;
1909 return -1; /* length mismatch */
1912 /* Two operations per block plus one for tag encryption */
1913 ctx->aes.ccm.blocks += (((len + 15) >> 4) << 1) + 1;
1914 if (ctx->aes.ccm.blocks > (1ULL << 61))
1915 return -2; /* too much data */
1920 len &= ~(size_t)0xf;
1923 /* mac-then-encrypt */
1925 s390x_kmac(in, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
1927 for (i = 0; i < rem; i++)
1928 ctx->aes.ccm.kmac_param.icv.b[i] ^= in[len + i];
1930 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
1931 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
1932 ctx->aes.ccm.kmac_param.k);
1935 CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
1936 ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
1937 &num, (ctr128_f)AES_ctr32_encrypt);
1939 /* decrypt-then-mac */
1940 CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &ctx->aes.key.k,
1941 ctx->aes.ccm.nonce.b, ctx->aes.ccm.buf.b,
1942 &num, (ctr128_f)AES_ctr32_encrypt);
1945 s390x_kmac(out, len, ctx->aes.ccm.fc, &ctx->aes.ccm.kmac_param);
1947 for (i = 0; i < rem; i++)
1948 ctx->aes.ccm.kmac_param.icv.b[i] ^= out[len + i];
1950 s390x_km(ctx->aes.ccm.kmac_param.icv.b, 16,
1951 ctx->aes.ccm.kmac_param.icv.b, ctx->aes.ccm.fc,
1952 ctx->aes.ccm.kmac_param.k);
1956 for (i = 15 - l; i < 16; i++)
1957 ctx->aes.ccm.nonce.b[i] = 0;
1959 s390x_km(ctx->aes.ccm.nonce.b, 16, ctx->aes.ccm.buf.b, ctx->aes.ccm.fc,
1960 ctx->aes.ccm.kmac_param.k);
1961 ctx->aes.ccm.kmac_param.icv.g[0] ^= ctx->aes.ccm.buf.g[0];
1962 ctx->aes.ccm.kmac_param.icv.g[1] ^= ctx->aes.ccm.buf.g[1];
1964 ctx->aes.ccm.nonce.b[0] = flags; /* restore flags field */
1969 * En/de-crypt and authenticate TLS packet. Returns the number of bytes written
1970 * if successful. Otherwise -1 is returned.
1972 static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1973 const unsigned char *in, size_t len)
1975 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
1976 unsigned char *ivec = ctx->iv;
1977 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
1978 const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
1981 || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m))
1985 /* Set explicit iv (sequence number). */
1986 memcpy(out, buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
1989 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
1991 * Get explicit iv (sequence number). We already have fixed iv
1992 * (server/client_write_iv) here.
1994 memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
1995 s390x_aes_ccm_setiv(cctx, ivec, len);
1997 /* Process aad (sequence number|type|version|length) */
1998 s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len);
2000 in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
2001 out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
2004 if (s390x_aes_ccm(cctx, in, out, len, enc))
2007 memcpy(out + len, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
2008 return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->aes.ccm.m;
2010 if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
2011 if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, in + len,
2016 OPENSSL_cleanse(out, len);
2022 * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
2025 static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx,
2026 const unsigned char *key,
2027 const unsigned char *iv, int enc)
2029 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
2032 if (iv == NULL && key == NULL)
2036 keylen = EVP_CIPHER_CTX_get_key_length(ctx);
2038 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
2042 cctx->aes.ccm.fc = S390X_AES_FC(keylen);
2043 memcpy(cctx->aes.ccm.kmac_param.k, key, keylen);
2045 /* Store encoded m and l. */
2046 cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
2047 | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
2048 memset(cctx->aes.ccm.nonce.b + 1, 0,
2049 sizeof(cctx->aes.ccm.nonce.b));
2050 cctx->aes.ccm.blocks = 0;
2052 cctx->aes.ccm.key_set = 1;
2056 memcpy(ctx->iv, iv, 15 - cctx->aes.ccm.l);
2058 cctx->aes.ccm.iv_set = 1;
2065 * Called from EVP layer to initialize context, process additional
2066 * authenticated data, en/de-crypt plain/cipher-text and authenticate
2067 * plaintext or process a TLS packet, depending on context. Returns bytes
2068 * written on success. Otherwise -1 is returned.
2070 static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2071 const unsigned char *in, size_t len)
2073 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
2074 const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
2078 if (!cctx->aes.ccm.key_set)
2081 if (cctx->aes.ccm.tls_aad_len >= 0)
2082 return s390x_aes_ccm_tls_cipher(ctx, out, in, len);
2085 * Final(): Does not return any data. Recall that ccm is mac-then-encrypt
2086 * so integrity must be checked already at Update() i.e., before
2087 * potentially corrupted data is output.
2089 if (in == NULL && out != NULL)
2092 if (!cctx->aes.ccm.iv_set)
2096 /* Update(): Pass message length. */
2098 s390x_aes_ccm_setiv(cctx, ctx->iv, len);
2100 cctx->aes.ccm.len_set = 1;
2104 /* Update(): Process aad. */
2105 if (!cctx->aes.ccm.len_set && len)
2108 s390x_aes_ccm_aad(cctx, in, len);
2112 /* The tag must be set before actually decrypting data */
2113 if (!enc && !cctx->aes.ccm.tag_set)
2116 /* Update(): Process message. */
2118 if (!cctx->aes.ccm.len_set) {
2120 * In case message length was not previously set explicitly via
2121 * Update(), set it now.
2123 s390x_aes_ccm_setiv(cctx, ctx->iv, len);
2125 cctx->aes.ccm.len_set = 1;
2129 if (s390x_aes_ccm(cctx, in, out, len, enc))
2132 cctx->aes.ccm.tag_set = 1;
2137 if (!s390x_aes_ccm(cctx, in, out, len, enc)) {
2138 buf = EVP_CIPHER_CTX_buf_noconst(ctx);
2139 if (!CRYPTO_memcmp(cctx->aes.ccm.kmac_param.icv.b, buf,
2145 OPENSSL_cleanse(out, len);
2147 cctx->aes.ccm.iv_set = 0;
2148 cctx->aes.ccm.tag_set = 0;
2149 cctx->aes.ccm.len_set = 0;
2155 * Performs various operations on the context structure depending on control
2156 * type. Returns 1 for success, 0 for failure and -1 for unknown control type.
2157 * Code is big-endian.
2159 static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
2161 S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, c);
2167 cctx->aes.ccm.key_set = 0;
2168 cctx->aes.ccm.iv_set = 0;
2169 cctx->aes.ccm.l = 8;
2170 cctx->aes.ccm.m = 12;
2171 cctx->aes.ccm.tag_set = 0;
2172 cctx->aes.ccm.len_set = 0;
2173 cctx->aes.ccm.tls_aad_len = -1;
2176 case EVP_CTRL_GET_IVLEN:
2177 *(int *)ptr = 15 - cctx->aes.ccm.l;
2180 case EVP_CTRL_AEAD_TLS1_AAD:
2181 if (arg != EVP_AEAD_TLS1_AAD_LEN)
2184 /* Save the aad for later use. */
2185 buf = EVP_CIPHER_CTX_buf_noconst(c);
2186 memcpy(buf, ptr, arg);
2187 cctx->aes.ccm.tls_aad_len = arg;
2189 len = buf[arg - 2] << 8 | buf[arg - 1];
2190 if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
2193 /* Correct length for explicit iv. */
2194 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
2196 enc = EVP_CIPHER_CTX_is_encrypting(c);
2198 if (len < cctx->aes.ccm.m)
2201 /* Correct length for tag. */
2202 len -= cctx->aes.ccm.m;
2205 buf[arg - 2] = len >> 8;
2206 buf[arg - 1] = len & 0xff;
2208 /* Extra padding: tag appended to record. */
2209 return cctx->aes.ccm.m;
2211 case EVP_CTRL_CCM_SET_IV_FIXED:
2212 if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
2215 /* Copy to first part of the iv. */
2216 memcpy(c->iv, ptr, arg);
2219 case EVP_CTRL_AEAD_SET_IVLEN:
2223 case EVP_CTRL_CCM_SET_L:
2224 if (arg < 2 || arg > 8)
2227 cctx->aes.ccm.l = arg;
2230 case EVP_CTRL_AEAD_SET_TAG:
2231 if ((arg & 1) || arg < 4 || arg > 16)
2234 enc = EVP_CIPHER_CTX_is_encrypting(c);
2239 cctx->aes.ccm.tag_set = 1;
2240 buf = EVP_CIPHER_CTX_buf_noconst(c);
2241 memcpy(buf, ptr, arg);
2244 cctx->aes.ccm.m = arg;
2247 case EVP_CTRL_AEAD_GET_TAG:
2248 enc = EVP_CIPHER_CTX_is_encrypting(c);
2249 if (!enc || !cctx->aes.ccm.tag_set)
2252 if (arg < cctx->aes.ccm.m)
2255 memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
2256 cctx->aes.ccm.tag_set = 0;
2257 cctx->aes.ccm.iv_set = 0;
2258 cctx->aes.ccm.len_set = 0;
2269 # define s390x_aes_ccm_cleanup aes_ccm_cleanup
2271 # ifndef OPENSSL_NO_OCB
2272 # define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
2274 # define s390x_aes_ocb_init_key aes_ocb_init_key
2275 static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2276 const unsigned char *iv, int enc);
2277 # define s390x_aes_ocb_cipher aes_ocb_cipher
2278 static int s390x_aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2279 const unsigned char *in, size_t len);
2280 # define s390x_aes_ocb_cleanup aes_ocb_cleanup
2281 static int s390x_aes_ocb_cleanup(EVP_CIPHER_CTX *);
2282 # define s390x_aes_ocb_ctrl aes_ocb_ctrl
2283 static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
2286 # ifndef OPENSSL_NO_SIV
2287 # define S390X_AES_SIV_CTX EVP_AES_SIV_CTX
2289 # define s390x_aes_siv_init_key aes_siv_init_key
2290 # define s390x_aes_siv_cipher aes_siv_cipher
2291 # define s390x_aes_siv_cleanup aes_siv_cleanup
2292 # define s390x_aes_siv_ctrl aes_siv_ctrl
2295 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
2297 static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2298 nid##_##keylen##_##nmode,blocksize, \
2301 flags | EVP_CIPH_##MODE##_MODE, \
2303 s390x_aes_##mode##_init_key, \
2304 s390x_aes_##mode##_cipher, \
2306 sizeof(S390X_AES_##MODE##_CTX), \
2312 static const EVP_CIPHER aes_##keylen##_##mode = { \
2313 nid##_##keylen##_##nmode, \
2317 flags | EVP_CIPH_##MODE##_MODE, \
2320 aes_##mode##_cipher, \
2322 sizeof(EVP_AES_KEY), \
2328 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2330 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2331 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2334 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
2335 static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
2336 nid##_##keylen##_##mode, \
2338 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
2340 flags | EVP_CIPH_##MODE##_MODE, \
2342 s390x_aes_##mode##_init_key, \
2343 s390x_aes_##mode##_cipher, \
2344 s390x_aes_##mode##_cleanup, \
2345 sizeof(S390X_AES_##MODE##_CTX), \
2348 s390x_aes_##mode##_ctrl, \
2351 static const EVP_CIPHER aes_##keylen##_##mode = { \
2352 nid##_##keylen##_##mode,blocksize, \
2353 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
2355 flags | EVP_CIPH_##MODE##_MODE, \
2357 aes_##mode##_init_key, \
2358 aes_##mode##_cipher, \
2359 aes_##mode##_cleanup, \
2360 sizeof(EVP_AES_##MODE##_CTX), \
2363 aes_##mode##_ctrl, \
2366 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2368 return S390X_aes_##keylen##_##mode##_CAPABLE ? \
2369 &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
2374 # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
2375 static const EVP_CIPHER aes_##keylen##_##mode = { \
2376 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
2377 flags|EVP_CIPH_##MODE##_MODE, \
2380 aes_##mode##_cipher, \
2382 sizeof(EVP_AES_KEY), \
2383 NULL,NULL,NULL,NULL }; \
2384 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2385 { return &aes_##keylen##_##mode; }
2387 # define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
2388 static const EVP_CIPHER aes_##keylen##_##mode = { \
2389 nid##_##keylen##_##mode,blocksize, \
2390 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
2392 flags|EVP_CIPH_##MODE##_MODE, \
2394 aes_##mode##_init_key, \
2395 aes_##mode##_cipher, \
2396 aes_##mode##_cleanup, \
2397 sizeof(EVP_AES_##MODE##_CTX), \
2398 NULL,NULL,aes_##mode##_ctrl,NULL }; \
2399 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
2400 { return &aes_##keylen##_##mode; }
2404 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
2405 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2406 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2407 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2408 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
2409 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
2410 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
2411 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
2413 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2414 const unsigned char *iv, int enc)
2417 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
2418 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
2421 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
2425 mode = EVP_CIPHER_CTX_get_mode(ctx);
2426 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
2428 #ifdef HWAES_CAPABLE
2429 if (HWAES_CAPABLE) {
2430 ret = HWAES_set_decrypt_key(key, keylen, &dat->ks.ks);
2431 dat->block = (block128_f) HWAES_decrypt;
2432 dat->stream.cbc = NULL;
2433 # ifdef HWAES_cbc_encrypt
2434 if (mode == EVP_CIPH_CBC_MODE)
2435 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
2439 #ifdef BSAES_CAPABLE
2440 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
2441 ret = AES_set_decrypt_key(key, keylen, &dat->ks.ks);
2442 dat->block = (block128_f) AES_decrypt;
2443 dat->stream.cbc = (cbc128_f) ossl_bsaes_cbc_encrypt;
2446 #ifdef VPAES_CAPABLE
2447 if (VPAES_CAPABLE) {
2448 ret = vpaes_set_decrypt_key(key, keylen, &dat->ks.ks);
2449 dat->block = (block128_f) vpaes_decrypt;
2450 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2451 (cbc128_f) vpaes_cbc_encrypt : NULL;
2455 ret = AES_set_decrypt_key(key, keylen, &dat->ks.ks);
2456 dat->block = (block128_f) AES_decrypt;
2457 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2458 (cbc128_f) AES_cbc_encrypt : NULL;
2461 #ifdef HWAES_CAPABLE
2462 if (HWAES_CAPABLE) {
2463 ret = HWAES_set_encrypt_key(key, keylen, &dat->ks.ks);
2464 dat->block = (block128_f) HWAES_encrypt;
2465 dat->stream.cbc = NULL;
2466 # ifdef HWAES_cbc_encrypt
2467 if (mode == EVP_CIPH_CBC_MODE)
2468 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
2471 # ifdef HWAES_ctr32_encrypt_blocks
2472 if (mode == EVP_CIPH_CTR_MODE)
2473 dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
2476 (void)0; /* terminate potentially open 'else' */
2479 #ifdef BSAES_CAPABLE
2480 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
2481 ret = AES_set_encrypt_key(key, keylen, &dat->ks.ks);
2482 dat->block = (block128_f) AES_encrypt;
2483 dat->stream.ctr = (ctr128_f) ossl_bsaes_ctr32_encrypt_blocks;
2486 #ifdef VPAES_CAPABLE
2487 if (VPAES_CAPABLE) {
2488 ret = vpaes_set_encrypt_key(key, keylen, &dat->ks.ks);
2489 dat->block = (block128_f) vpaes_encrypt;
2490 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2491 (cbc128_f) vpaes_cbc_encrypt : NULL;
2495 ret = AES_set_encrypt_key(key, keylen, &dat->ks.ks);
2496 dat->block = (block128_f) AES_encrypt;
2497 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
2498 (cbc128_f) AES_cbc_encrypt : NULL;
2500 if (mode == EVP_CIPH_CTR_MODE)
2501 dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
2506 ERR_raise(ERR_LIB_EVP, EVP_R_AES_KEY_SETUP_FAILED);
2513 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2514 const unsigned char *in, size_t len)
2516 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
2518 if (dat->stream.cbc)
2519 (*dat->stream.cbc) (in, out, len, &dat->ks, ctx->iv,
2520 EVP_CIPHER_CTX_is_encrypting(ctx));
2521 else if (EVP_CIPHER_CTX_is_encrypting(ctx))
2522 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv,
2525 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
2526 ctx->iv, dat->block);
2531 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2532 const unsigned char *in, size_t len)
2534 size_t bl = EVP_CIPHER_CTX_get_block_size(ctx);
2536 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
2541 for (i = 0, len -= bl; i <= len; i += bl)
2542 (*dat->block) (in + i, out + i, &dat->ks);
2547 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2548 const unsigned char *in, size_t len)
2550 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
2552 int num = EVP_CIPHER_CTX_get_num(ctx);
2553 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
2554 ctx->iv, &num, dat->block);
2555 EVP_CIPHER_CTX_set_num(ctx, num);
2559 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2560 const unsigned char *in, size_t len)
2562 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
2564 int num = EVP_CIPHER_CTX_get_num(ctx);
2565 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
2567 EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
2568 EVP_CIPHER_CTX_set_num(ctx, num);
2572 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2573 const unsigned char *in, size_t len)
2575 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
2577 int num = EVP_CIPHER_CTX_get_num(ctx);
2578 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
2580 EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
2581 EVP_CIPHER_CTX_set_num(ctx, num);
2585 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2586 const unsigned char *in, size_t len)
2588 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
2590 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
2591 int num = EVP_CIPHER_CTX_get_num(ctx);
2592 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
2594 EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
2595 EVP_CIPHER_CTX_set_num(ctx, num);
2599 while (len >= MAXBITCHUNK) {
2600 int num = EVP_CIPHER_CTX_get_num(ctx);
2601 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
2603 EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
2604 EVP_CIPHER_CTX_set_num(ctx, num);
2610 int num = EVP_CIPHER_CTX_get_num(ctx);
2611 CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
2613 EVP_CIPHER_CTX_is_encrypting(ctx), dat->block);
2614 EVP_CIPHER_CTX_set_num(ctx, num);
2620 static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2621 const unsigned char *in, size_t len)
2623 int n = EVP_CIPHER_CTX_get_num(ctx);
2625 EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
2629 num = (unsigned int)n;
2631 if (dat->stream.ctr)
2632 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
2634 EVP_CIPHER_CTX_buf_noconst(ctx),
2635 &num, dat->stream.ctr);
2637 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
2639 EVP_CIPHER_CTX_buf_noconst(ctx), &num,
2641 EVP_CIPHER_CTX_set_num(ctx, num);
2645 BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
2646 BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
2647 BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
2649 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
2651 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
2654 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
2655 if (gctx->iv != c->iv)
2656 OPENSSL_free(gctx->iv);
2660 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
2662 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
2667 gctx->ivlen = EVP_CIPHER_get_iv_length(c->cipher);
2671 gctx->tls_aad_len = -1;
2674 case EVP_CTRL_GET_IVLEN:
2675 *(int *)ptr = gctx->ivlen;
2678 case EVP_CTRL_AEAD_SET_IVLEN:
2681 /* Allocate memory for IV if needed */
2682 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
2683 if (gctx->iv != c->iv)
2684 OPENSSL_free(gctx->iv);
2685 if ((gctx->iv = OPENSSL_malloc(arg)) == NULL) {
2686 ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
2693 case EVP_CTRL_AEAD_SET_TAG:
2694 if (arg <= 0 || arg > 16 || c->encrypt)
2696 memcpy(c->buf, ptr, arg);
2700 case EVP_CTRL_AEAD_GET_TAG:
2701 if (arg <= 0 || arg > 16 || !c->encrypt
2702 || gctx->taglen < 0)
2704 memcpy(ptr, c->buf, arg);
2707 case EVP_CTRL_GCM_SET_IV_FIXED:
2708 /* Special case: -1 length restores whole IV */
2710 memcpy(gctx->iv, ptr, gctx->ivlen);
2715 * Fixed field must be at least 4 bytes and invocation field at least
2718 if ((arg < 4) || (gctx->ivlen - arg) < 8)
2721 memcpy(gctx->iv, ptr, arg);
2722 if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
2727 case EVP_CTRL_GCM_IV_GEN:
2728 if (gctx->iv_gen == 0 || gctx->key_set == 0)
2730 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
2731 if (arg <= 0 || arg > gctx->ivlen)
2733 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
2735 * Invocation field will be at least 8 bytes in size and so no need
2736 * to check wrap around or increment more than last 8 bytes.
2738 ctr64_inc(gctx->iv + gctx->ivlen - 8);
2742 case EVP_CTRL_GCM_SET_IV_INV:
2743 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
2745 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
2746 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
2750 case EVP_CTRL_AEAD_TLS1_AAD:
2751 /* Save the AAD for later use */
2752 if (arg != EVP_AEAD_TLS1_AAD_LEN)
2754 memcpy(c->buf, ptr, arg);
2755 gctx->tls_aad_len = arg;
2756 gctx->tls_enc_records = 0;
2758 unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
2759 /* Correct length for explicit IV */
2760 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
2762 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
2763 /* If decrypting correct for tag too */
2765 if (len < EVP_GCM_TLS_TAG_LEN)
2767 len -= EVP_GCM_TLS_TAG_LEN;
2769 c->buf[arg - 2] = len >> 8;
2770 c->buf[arg - 1] = len & 0xff;
2772 /* Extra padding: tag appended to record */
2773 return EVP_GCM_TLS_TAG_LEN;
2777 EVP_CIPHER_CTX *out = ptr;
2778 EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out);
2779 if (gctx->gcm.key) {
2780 if (gctx->gcm.key != &gctx->ks)
2782 gctx_out->gcm.key = &gctx_out->ks;
2784 if (gctx->iv == c->iv)
2785 gctx_out->iv = out->iv;
2787 if ((gctx_out->iv = OPENSSL_malloc(gctx->ivlen)) == NULL) {
2788 ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
2791 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
2802 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2803 const unsigned char *iv, int enc)
2805 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
2807 if (iv == NULL && key == NULL)
2811 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
2814 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
2818 #ifdef HWAES_CAPABLE
2819 if (HWAES_CAPABLE) {
2820 HWAES_set_encrypt_key(key, keylen, &gctx->ks.ks);
2821 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
2822 (block128_f) HWAES_encrypt);
2823 # ifdef HWAES_ctr32_encrypt_blocks
2824 gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
2831 #ifdef BSAES_CAPABLE
2832 if (BSAES_CAPABLE) {
2833 AES_set_encrypt_key(key, keylen, &gctx->ks.ks);
2834 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
2835 (block128_f) AES_encrypt);
2836 gctx->ctr = (ctr128_f) ossl_bsaes_ctr32_encrypt_blocks;
2840 #ifdef VPAES_CAPABLE
2841 if (VPAES_CAPABLE) {
2842 vpaes_set_encrypt_key(key, keylen, &gctx->ks.ks);
2843 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
2844 (block128_f) vpaes_encrypt);
2849 (void)0; /* terminate potentially open 'else' */
2851 AES_set_encrypt_key(key, keylen, &gctx->ks.ks);
2852 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
2853 (block128_f) AES_encrypt);
2855 gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
2862 * If we have an iv can set it directly, otherwise use saved IV.
2864 if (iv == NULL && gctx->iv_set)
2867 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
2872 /* If key set use IV, otherwise copy */
2874 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
2876 memcpy(gctx->iv, iv, gctx->ivlen);
2884 * Handle TLS GCM packet format. This consists of the last portion of the IV
2885 * followed by the payload and finally the tag. On encrypt generate IV,
2886 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
2890 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2891 const unsigned char *in, size_t len)
2893 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
2895 /* Encrypt/decrypt must be performed in place */
2897 || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
2901 * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
2902 * Requirements from SP 800-38D". The requirements is for one party to the
2903 * communication to fail after 2^64 - 1 keys. We do this on the encrypting
2906 if (ctx->encrypt && ++gctx->tls_enc_records == 0) {
2907 ERR_raise(ERR_LIB_EVP, EVP_R_TOO_MANY_RECORDS);
2912 * Set IV from start of buffer or generate IV and write to start of
2915 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ? EVP_CTRL_GCM_IV_GEN
2916 : EVP_CTRL_GCM_SET_IV_INV,
2917 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
2920 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
2922 /* Fix buffer and length to point to payload */
2923 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
2924 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
2925 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
2927 /* Encrypt payload */
2930 #if defined(AES_GCM_ASM)
2931 if (len >= 32 && AES_GCM_ASM(gctx)) {
2932 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
2935 bulk = AES_gcm_encrypt(in, out, len,
2937 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
2938 gctx->gcm.len.u[1] += bulk;
2941 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
2944 len - bulk, gctx->ctr))
2948 #if defined(AES_GCM_ASM2)
2949 if (len >= 32 && AES_GCM_ASM2(gctx)) {
2950 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
2953 bulk = AES_gcm_encrypt(in, out, len,
2955 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
2956 gctx->gcm.len.u[1] += bulk;
2959 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
2960 in + bulk, out + bulk, len - bulk))
2964 /* Finally write tag */
2965 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
2966 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
2971 #if defined(AES_GCM_ASM)
2972 if (len >= 16 && AES_GCM_ASM(gctx)) {
2973 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
2976 bulk = AES_gcm_decrypt(in, out, len,
2978 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
2979 gctx->gcm.len.u[1] += bulk;
2982 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
2985 len - bulk, gctx->ctr))
2989 #if defined(AES_GCM_ASM2)
2990 if (len >= 16 && AES_GCM_ASM2(gctx)) {
2991 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
2994 bulk = AES_gcm_decrypt(in, out, len,
2996 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
2997 gctx->gcm.len.u[1] += bulk;
3000 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
3001 in + bulk, out + bulk, len - bulk))
3005 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
3006 /* If tag mismatch wipe buffer */
3007 if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
3008 OPENSSL_cleanse(out, len);
3016 gctx->tls_aad_len = -1;
3022 * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
3024 * See also 8.2.2 RBG-based construction.
3025 * Random construction consists of a free field (which can be NULL) and a
3026 * random field which will use a DRBG that can return at least 96 bits of
3027 * entropy strength. (The DRBG must be seeded by the FIPS module).
3029 static int aes_gcm_iv_generate(EVP_AES_GCM_CTX *gctx, int offset)
3031 int sz = gctx->ivlen - offset;
3033 /* Must be at least 96 bits */
3034 if (sz <= 0 || gctx->ivlen < 12)
3037 /* Use DRBG to generate random iv */
3038 if (RAND_bytes(gctx->iv + offset, sz) <= 0)
3042 #endif /* FIPS_MODULE */
3044 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
3045 const unsigned char *in, size_t len)
3047 EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
3049 /* If not set up, return error */
3053 if (gctx->tls_aad_len >= 0)
3054 return aes_gcm_tls_cipher(ctx, out, in, len);
3058 * FIPS requires generation of AES-GCM IV's inside the FIPS module.
3059 * The IV can still be set externally (the security policy will state that
3060 * this is not FIPS compliant). There are some applications
3061 * where setting the IV externally is the only option available.
3063 if (!gctx->iv_set) {
3064 if (!ctx->encrypt || !aes_gcm_iv_generate(gctx, 0))
3066 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
3068 gctx->iv_gen_rand = 1;
3073 #endif /* FIPS_MODULE */
3077 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
3079 } else if (ctx->encrypt) {
3082 #if defined(AES_GCM_ASM)
3083 if (len >= 32 && AES_GCM_ASM(gctx)) {
3084 size_t res = (16 - gctx->gcm.mres) % 16;
3086 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
3089 bulk = AES_gcm_encrypt(in + res,
3090 out + res, len - res,
3091 gctx->gcm.key, gctx->gcm.Yi.c,
3093 gctx->gcm.len.u[1] += bulk;
3097 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
3100 len - bulk, gctx->ctr))
3104 #if defined(AES_GCM_ASM2)
3105 if (len >= 32 && AES_GCM_ASM2(gctx)) {
3106 size_t res = (16 - gctx->gcm.mres) % 16;
3108 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
3111 bulk = AES_gcm_encrypt(in + res,
3112 out + res, len - res,
3113 gctx->gcm.key, gctx->gcm.Yi.c,
3115 gctx->gcm.len.u[1] += bulk;
3119 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
3120 in + bulk, out + bulk, len - bulk))
3126 #if defined(AES_GCM_ASM)
3127 if (len >= 16 && AES_GCM_ASM(gctx)) {
3128 size_t res = (16 - gctx->gcm.mres) % 16;
3130 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
3133 bulk = AES_gcm_decrypt(in + res,
3134 out + res, len - res,
3136 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3137 gctx->gcm.len.u[1] += bulk;
3141 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
3144 len - bulk, gctx->ctr))
3148 #if defined(AES_GCM_ASM2)
3149 if (len >= 16 && AES_GCM_ASM2(gctx)) {
3150 size_t res = (16 - gctx->gcm.mres) % 16;
3152 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
3155 bulk = AES_gcm_decrypt(in + res,
3156 out + res, len - res,
3158 gctx->gcm.Yi.c, gctx->gcm.Xi.u);
3159 gctx->gcm.len.u[1] += bulk;
3163 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
3164 in + bulk, out + bulk, len - bulk))
3170 if (!ctx->encrypt) {
3171 if (gctx->taglen < 0)
3173 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0)
3178 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
3180 /* Don't reuse the IV */
3187 #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
3188 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3189 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3190 | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
3192 BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
3193 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3194 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
3195 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3196 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
3197 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3199 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
3201 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX, c);
3203 if (type == EVP_CTRL_COPY) {
3204 EVP_CIPHER_CTX *out = ptr;
3205 EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
3207 if (xctx->xts.key1) {
3208 if (xctx->xts.key1 != &xctx->ks1)
3210 xctx_out->xts.key1 = &xctx_out->ks1;
3212 if (xctx->xts.key2) {
3213 if (xctx->xts.key2 != &xctx->ks2)
3215 xctx_out->xts.key2 = &xctx_out->ks2;
3218 } else if (type != EVP_CTRL_INIT)
3220 /* key1 and key2 are used as an indicator both key and IV are set */
3221 xctx->xts.key1 = NULL;
3222 xctx->xts.key2 = NULL;
3226 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
3227 const unsigned char *iv, int enc)
3229 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
3231 if (iv == NULL && key == NULL)
3236 /* The key is two half length keys in reality */
3237 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
3238 const int bytes = keylen / 2;
3239 const int bits = bytes * 8;
3242 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
3246 * Verify that the two keys are different.
3248 * This addresses the vulnerability described in Rogaway's
3249 * September 2004 paper:
3251 * "Efficient Instantiations of Tweakable Blockciphers and
3252 * Refinements to Modes OCB and PMAC".
3253 * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
3255 * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
3257 * "The check for Key_1 != Key_2 shall be done at any place
3258 * BEFORE using the keys in the XTS-AES algorithm to process
3261 if ((!allow_insecure_decrypt || enc)
3262 && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
3263 ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DUPLICATED_KEYS);
3268 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
3270 xctx->stream = NULL;
3272 /* key_len is two AES keys */
3273 #ifdef HWAES_CAPABLE
3274 if (HWAES_CAPABLE) {
3276 HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks);
3277 xctx->xts.block1 = (block128_f) HWAES_encrypt;
3278 # ifdef HWAES_xts_encrypt
3279 xctx->stream = HWAES_xts_encrypt;
3282 HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks);
3283 xctx->xts.block1 = (block128_f) HWAES_decrypt;
3284 # ifdef HWAES_xts_decrypt
3285 xctx->stream = HWAES_xts_decrypt;
3289 HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
3290 xctx->xts.block2 = (block128_f) HWAES_encrypt;
3292 xctx->xts.key1 = &xctx->ks1;
3296 #ifdef BSAES_CAPABLE
3298 xctx->stream = enc ? ossl_bsaes_xts_encrypt : ossl_bsaes_xts_decrypt;
3301 #ifdef VPAES_CAPABLE
3302 if (VPAES_CAPABLE) {
3304 vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks);
3305 xctx->xts.block1 = (block128_f) vpaes_encrypt;
3307 vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks);
3308 xctx->xts.block1 = (block128_f) vpaes_decrypt;
3311 vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
3312 xctx->xts.block2 = (block128_f) vpaes_encrypt;
3314 xctx->xts.key1 = &xctx->ks1;
3318 (void)0; /* terminate potentially open 'else' */
3321 AES_set_encrypt_key(key, bits, &xctx->ks1.ks);
3322 xctx->xts.block1 = (block128_f) AES_encrypt;
3324 AES_set_decrypt_key(key, bits, &xctx->ks1.ks);
3325 xctx->xts.block1 = (block128_f) AES_decrypt;
3328 AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
3329 xctx->xts.block2 = (block128_f) AES_encrypt;
3331 xctx->xts.key1 = &xctx->ks1;
3336 xctx->xts.key2 = &xctx->ks2;
3337 memcpy(ctx->iv, iv, 16);
3343 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
3344 const unsigned char *in, size_t len)
3346 EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
3348 if (xctx->xts.key1 == NULL
3349 || xctx->xts.key2 == NULL
3352 || len < AES_BLOCK_SIZE)
3356 * Impose a limit of 2^20 blocks per data unit as specified by
3357 * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007
3358 * indicated that this was a SHOULD NOT rather than a MUST NOT.
3359 * NIST SP 800-38E mandates the same limit.
3361 if (len > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
3362 ERR_raise(ERR_LIB_EVP, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE);
3367 (*xctx->stream) (in, out, len,
3368 xctx->xts.key1, xctx->xts.key2,
3370 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
3371 EVP_CIPHER_CTX_is_encrypting(ctx)))
3376 #define aes_xts_cleanup NULL
3378 #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
3379 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
3380 | EVP_CIPH_CUSTOM_COPY)
3382 BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
3383 BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
3385 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
3387 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c);
3396 cctx->tls_aad_len = -1;
3399 case EVP_CTRL_GET_IVLEN:
3400 *(int *)ptr = 15 - cctx->L;
3403 case EVP_CTRL_AEAD_TLS1_AAD:
3404 /* Save the AAD for later use */
3405 if (arg != EVP_AEAD_TLS1_AAD_LEN)
3407 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
3408 cctx->tls_aad_len = arg;
3411 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
3412 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
3413 /* Correct length for explicit IV */
3414 if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
3416 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
3417 /* If decrypting correct for tag too */
3418 if (!EVP_CIPHER_CTX_is_encrypting(c)) {
3423 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
3424 EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
3426 /* Extra padding: tag appended to record */
3429 case EVP_CTRL_CCM_SET_IV_FIXED:
3430 /* Sanity check length */
3431 if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
3433 /* Just copy to first part of IV */
3434 memcpy(c->iv, ptr, arg);
3437 case EVP_CTRL_AEAD_SET_IVLEN:
3440 case EVP_CTRL_CCM_SET_L:
3441 if (arg < 2 || arg > 8)
3446 case EVP_CTRL_AEAD_SET_TAG:
3447 if ((arg & 1) || arg < 4 || arg > 16)
3449 if (EVP_CIPHER_CTX_is_encrypting(c) && ptr)
3453 memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
3458 case EVP_CTRL_AEAD_GET_TAG:
3459 if (!EVP_CIPHER_CTX_is_encrypting(c) || !cctx->tag_set)
3461 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
3470 EVP_CIPHER_CTX *out = ptr;
3471 EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out);
3472 if (cctx->ccm.key) {
3473 if (cctx->ccm.key != &cctx->ks)
3475 cctx_out->ccm.key = &cctx_out->ks;
3486 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
3487 const unsigned char *iv, int enc)
3489 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
3491 if (iv == NULL && key == NULL)
3495 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
3498 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
3502 #ifdef HWAES_CAPABLE
3503 if (HWAES_CAPABLE) {
3504 HWAES_set_encrypt_key(key, keylen, &cctx->ks.ks);
3506 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3507 &cctx->ks, (block128_f) HWAES_encrypt);
3513 #ifdef VPAES_CAPABLE
3514 if (VPAES_CAPABLE) {
3515 vpaes_set_encrypt_key(key, keylen, &cctx->ks.ks);
3516 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3517 &cctx->ks, (block128_f) vpaes_encrypt);
3523 AES_set_encrypt_key(key, keylen, &cctx->ks.ks);
3524 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
3525 &cctx->ks, (block128_f) AES_encrypt);
3531 memcpy(ctx->iv, iv, 15 - cctx->L);
3537 static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
3538 const unsigned char *in, size_t len)
3540 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
3541 CCM128_CONTEXT *ccm = &cctx->ccm;
3542 /* Encrypt/decrypt must be performed in place */
3543 if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
3545 /* If encrypting set explicit IV from sequence number (start of AAD) */
3546 if (EVP_CIPHER_CTX_is_encrypting(ctx))
3547 memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx),
3548 EVP_CCM_TLS_EXPLICIT_IV_LEN);
3549 /* Get rest of IV from explicit IV */
3550 memcpy(ctx->iv + EVP_CCM_TLS_FIXED_IV_LEN, in,
3551 EVP_CCM_TLS_EXPLICIT_IV_LEN);
3552 /* Correct length value */
3553 len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
3554 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,
3558 CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx),
3560 /* Fix buffer to point to payload */
3561 in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
3562 out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
3563 if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
3564 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
3566 CRYPTO_ccm128_encrypt(ccm, in, out, len))
3568 if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
3570 return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
3572 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
3574 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
3575 unsigned char tag[16];
3576 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
3577 if (!CRYPTO_memcmp(tag, in + len, cctx->M))
3581 OPENSSL_cleanse(out, len);
3586 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
3587 const unsigned char *in, size_t len)
3589 EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
3590 CCM128_CONTEXT *ccm = &cctx->ccm;
3591 /* If not set up, return error */
3595 if (cctx->tls_aad_len >= 0)
3596 return aes_ccm_tls_cipher(ctx, out, in, len);
3598 /* EVP_*Final() doesn't return any data */
3599 if (in == NULL && out != NULL)
3607 if (CRYPTO_ccm128_setiv(ccm, ctx->iv,
3613 /* If have AAD need message length */
3614 if (!cctx->len_set && len)
3616 CRYPTO_ccm128_aad(ccm, in, len);
3620 /* The tag must be set before actually decrypting data */
3621 if (!EVP_CIPHER_CTX_is_encrypting(ctx) && !cctx->tag_set)
3624 /* If not set length yet do it */
3625 if (!cctx->len_set) {
3626 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
3630 if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
3631 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
3633 CRYPTO_ccm128_encrypt(ccm, in, out, len))
3639 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
3641 !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
3642 unsigned char tag[16];
3643 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
3644 if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx),
3650 OPENSSL_cleanse(out, len);
3658 #define aes_ccm_cleanup NULL
3660 BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
3661 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3662 BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
3663 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3664 BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
3665 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
3672 /* Indicates if IV has been set */
3676 static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
3677 const unsigned char *iv, int enc)
3680 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
3682 if (iv == NULL && key == NULL)
3685 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
3688 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
3691 if (EVP_CIPHER_CTX_is_encrypting(ctx))
3692 AES_set_encrypt_key(key, keylen, &wctx->ks.ks);
3694 AES_set_decrypt_key(key, keylen, &wctx->ks.ks);
3699 if ((len = EVP_CIPHER_CTX_get_iv_length(ctx)) < 0)
3701 memcpy(ctx->iv, iv, len);
3707 static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
3708 const unsigned char *in, size_t inlen)
3710 EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
3712 /* AES wrap with padding has IV length of 4, without padding 8 */
3713 int pad = EVP_CIPHER_CTX_get_iv_length(ctx) == 4;
3714 /* No final operation so always return zero length */
3717 /* Input length must always be non-zero */
3720 /* If decrypting need at least 16 bytes and multiple of 8 */
3721 if (!EVP_CIPHER_CTX_is_encrypting(ctx) && (inlen < 16 || inlen & 0x7))
3723 /* If not padding input must be multiple of 8 */
3724 if (!pad && inlen & 0x7)
3726 if (ossl_is_partially_overlapping(out, in, inlen)) {
3727 ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
3731 if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
3732 /* If padding round up to multiple of 8 */
3734 inlen = (inlen + 7) / 8 * 8;
3739 * If not padding output will be exactly 8 bytes smaller than
3740 * input. If padding it will be at least 8 bytes smaller but we
3741 * don't know how much.
3747 if (EVP_CIPHER_CTX_is_encrypting(ctx))
3748 rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
3750 (block128_f) AES_encrypt);
3752 rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
3754 (block128_f) AES_decrypt);
3756 if (EVP_CIPHER_CTX_is_encrypting(ctx))
3757 rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
3758 out, in, inlen, (block128_f) AES_encrypt);
3760 rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
3761 out, in, inlen, (block128_f) AES_decrypt);
3763 return rv ? (int)rv : -1;
3766 #define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
3767 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
3768 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
3770 static const EVP_CIPHER aes_128_wrap = {
3772 8, 16, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
3773 aes_wrap_init_key, aes_wrap_cipher,
3775 sizeof(EVP_AES_WRAP_CTX),
3776 NULL, NULL, NULL, NULL
3779 const EVP_CIPHER *EVP_aes_128_wrap(void)
3781 return &aes_128_wrap;
3784 static const EVP_CIPHER aes_192_wrap = {
3786 8, 24, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
3787 aes_wrap_init_key, aes_wrap_cipher,
3789 sizeof(EVP_AES_WRAP_CTX),
3790 NULL, NULL, NULL, NULL
3793 const EVP_CIPHER *EVP_aes_192_wrap(void)
3795 return &aes_192_wrap;
3798 static const EVP_CIPHER aes_256_wrap = {
3800 8, 32, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
3801 aes_wrap_init_key, aes_wrap_cipher,
3803 sizeof(EVP_AES_WRAP_CTX),
3804 NULL, NULL, NULL, NULL
3807 const EVP_CIPHER *EVP_aes_256_wrap(void)
3809 return &aes_256_wrap;
3812 static const EVP_CIPHER aes_128_wrap_pad = {
3813 NID_id_aes128_wrap_pad,
3814 8, 16, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
3815 aes_wrap_init_key, aes_wrap_cipher,
3817 sizeof(EVP_AES_WRAP_CTX),
3818 NULL, NULL, NULL, NULL
3821 const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
3823 return &aes_128_wrap_pad;
3826 static const EVP_CIPHER aes_192_wrap_pad = {
3827 NID_id_aes192_wrap_pad,
3828 8, 24, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
3829 aes_wrap_init_key, aes_wrap_cipher,
3831 sizeof(EVP_AES_WRAP_CTX),
3832 NULL, NULL, NULL, NULL
3835 const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
3837 return &aes_192_wrap_pad;
3840 static const EVP_CIPHER aes_256_wrap_pad = {
3841 NID_id_aes256_wrap_pad,
3842 8, 32, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
3843 aes_wrap_init_key, aes_wrap_cipher,
3845 sizeof(EVP_AES_WRAP_CTX),
3846 NULL, NULL, NULL, NULL
3849 const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
3851 return &aes_256_wrap_pad;
3854 #ifndef OPENSSL_NO_OCB
3855 static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
3857 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
3858 EVP_CIPHER_CTX *newc;
3859 EVP_AES_OCB_CTX *new_octx;
3865 octx->ivlen = EVP_CIPHER_get_iv_length(c->cipher);
3868 octx->data_buf_len = 0;
3869 octx->aad_buf_len = 0;
3872 case EVP_CTRL_GET_IVLEN:
3873 *(int *)ptr = octx->ivlen;
3876 case EVP_CTRL_AEAD_SET_IVLEN:
3877 /* IV len must be 1 to 15 */
3878 if (arg <= 0 || arg > 15)
3884 case EVP_CTRL_AEAD_SET_TAG:
3886 /* Tag len must be 0 to 16 */
3887 if (arg < 0 || arg > 16)
3893 if (arg != octx->taglen || EVP_CIPHER_CTX_is_encrypting(c))
3895 memcpy(octx->tag, ptr, arg);
3898 case EVP_CTRL_AEAD_GET_TAG:
3899 if (arg != octx->taglen || !EVP_CIPHER_CTX_is_encrypting(c))
3902 memcpy(ptr, octx->tag, arg);
3906 newc = (EVP_CIPHER_CTX *)ptr;
3907 new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc);
3908 return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb,
3909 &new_octx->ksenc.ks,
3910 &new_octx->ksdec.ks);
3918 static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
3919 const unsigned char *iv, int enc)
3921 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
3923 if (iv == NULL && key == NULL)
3927 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
3930 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
3935 * We set both the encrypt and decrypt key here because decrypt
3936 * needs both. We could possibly optimise to remove setting the
3937 * decrypt for an encryption operation.
3939 # ifdef HWAES_CAPABLE
3940 if (HWAES_CAPABLE) {
3941 HWAES_set_encrypt_key(key, keylen, &octx->ksenc.ks);
3942 HWAES_set_decrypt_key(key, keylen, &octx->ksdec.ks);
3943 if (!CRYPTO_ocb128_init(&octx->ocb,
3944 &octx->ksenc.ks, &octx->ksdec.ks,
3945 (block128_f) HWAES_encrypt,
3946 (block128_f) HWAES_decrypt,
3947 enc ? HWAES_ocb_encrypt
3948 : HWAES_ocb_decrypt))
3953 # ifdef VPAES_CAPABLE
3954 if (VPAES_CAPABLE) {
3955 vpaes_set_encrypt_key(key, keylen, &octx->ksenc.ks);
3956 vpaes_set_decrypt_key(key, keylen, &octx->ksdec.ks);
3957 if (!CRYPTO_ocb128_init(&octx->ocb,
3958 &octx->ksenc.ks, &octx->ksdec.ks,
3959 (block128_f) vpaes_encrypt,
3960 (block128_f) vpaes_decrypt,
3966 AES_set_encrypt_key(key, keylen, &octx->ksenc.ks);
3967 AES_set_decrypt_key(key, keylen, &octx->ksdec.ks);
3968 if (!CRYPTO_ocb128_init(&octx->ocb,
3969 &octx->ksenc.ks, &octx->ksdec.ks,
3970 (block128_f) AES_encrypt,
3971 (block128_f) AES_decrypt,
3978 * If we have an iv we can set it directly, otherwise use saved IV.
3980 if (iv == NULL && octx->iv_set)
3983 if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
3990 /* If key set use IV, otherwise copy */
3992 CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
3994 memcpy(octx->iv, iv, octx->ivlen);
4000 static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
4001 const unsigned char *in, size_t len)
4005 int written_len = 0;
4006 size_t trailing_len;
4007 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
4009 /* If IV or Key not set then return error */
4018 * Need to ensure we are only passing full blocks to low level OCB
4019 * routines. We do it here rather than in EVP_EncryptUpdate/
4020 * EVP_DecryptUpdate because we need to pass full blocks of AAD too
4021 * and those routines don't support that
4024 /* Are we dealing with AAD or normal data here? */
4026 buf = octx->aad_buf;
4027 buf_len = &(octx->aad_buf_len);
4029 buf = octx->data_buf;
4030 buf_len = &(octx->data_buf_len);
4032 if (ossl_is_partially_overlapping(out + *buf_len, in, len)) {
4033 ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
4039 * If we've got a partially filled buffer from a previous call then
4040 * use that data first
4043 unsigned int remaining;
4045 remaining = AES_BLOCK_SIZE - (*buf_len);
4046 if (remaining > len) {
4047 memcpy(buf + (*buf_len), in, len);
4051 memcpy(buf + (*buf_len), in, remaining);
4054 * If we get here we've filled the buffer, so process it
4059 if (!CRYPTO_ocb128_aad(&octx->ocb, buf, AES_BLOCK_SIZE))
4061 } else if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
4062 if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out,
4066 if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out,
4070 written_len = AES_BLOCK_SIZE;
4073 out += AES_BLOCK_SIZE;
4076 /* Do we have a partial block to handle at the end? */
4077 trailing_len = len % AES_BLOCK_SIZE;
4080 * If we've got some full blocks to handle, then process these first
4082 if (len != trailing_len) {
4084 if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len))
4086 } else if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
4087 if (!CRYPTO_ocb128_encrypt
4088 (&octx->ocb, in, out, len - trailing_len))
4091 if (!CRYPTO_ocb128_decrypt
4092 (&octx->ocb, in, out, len - trailing_len))
4095 written_len += len - trailing_len;
4096 in += len - trailing_len;
4099 /* Handle any trailing partial block */
4100 if (trailing_len > 0) {
4101 memcpy(buf, in, trailing_len);
4102 *buf_len = trailing_len;
4108 * First of all empty the buffer of any partial block that we might
4109 * have been provided - both for data and AAD
4111 if (octx->data_buf_len > 0) {
4112 if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
4113 if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out,
4114 octx->data_buf_len))
4117 if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out,
4118 octx->data_buf_len))
4121 written_len = octx->data_buf_len;
4122 octx->data_buf_len = 0;
4124 if (octx->aad_buf_len > 0) {
4125 if (!CRYPTO_ocb128_aad
4126 (&octx->ocb, octx->aad_buf, octx->aad_buf_len))
4128 octx->aad_buf_len = 0;
4130 /* If decrypting then verify */
4131 if (!EVP_CIPHER_CTX_is_encrypting(ctx)) {
4132 if (octx->taglen < 0)
4134 if (CRYPTO_ocb128_finish(&octx->ocb,
4135 octx->tag, octx->taglen) != 0)
4140 /* If encrypting then just get the tag */
4141 if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1)
4143 /* Don't reuse the IV */
4149 static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
4151 EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
4152 CRYPTO_ocb128_cleanup(&octx->ocb);
4156 BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
4157 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
4158 BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
4159 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
4160 BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
4161 EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
4162 #endif /* OPENSSL_NO_OCB */