crypto/evp/e_aes.c

   1 /* ====================================================================
   2  * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  *
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  *
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in
  13  *    the documentation and/or other materials provided with the
  14  *    distribution.
  15  *
  16  * 3. All advertising materials mentioning features or use of this
  17  *    software must display the following acknowledgment:
  18  *    "This product includes software developed by the OpenSSL Project
  19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  20  *
  21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22  *    endorse or promote products derived from this software without
  23  *    prior written permission. For written permission, please contact
  24  *    openssl-core@openssl.org.
  25  *
  26  * 5. Products derived from this software may not be called "OpenSSL"
  27  *    nor may "OpenSSL" appear in their names without prior written
  28  *    permission of the OpenSSL Project.
  29  *
  30  * 6. Redistributions of any form whatsoever must retain the following
  31  *    acknowledgment:
  32  *    "This product includes software developed by the OpenSSL Project
  33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  34  *
  35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46  * OF THE POSSIBILITY OF SUCH DAMAGE.
  47  * ====================================================================
  48  *
  49  */
  50
  51 #define OPENSSL_FIPSAPI
  52
  53 #include <openssl/opensslconf.h>
  54 #ifndef OPENSSL_NO_AES
  55 #include <openssl/evp.h>
  56 #include <openssl/err.h>
  57 #include <string.h>
  58 #include <assert.h>
  59 #include <openssl/aes.h>
  60 #include "evp_locl.h"
  61 #include <openssl/modes.h>
  62
  63 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  64                                         const unsigned char *iv, int enc);
  65
  66 typedef struct
  67         {
  68         AES_KEY ks;
  69         } EVP_AES_KEY;
  70
  71 #define data(ctx)       EVP_C_DATA(EVP_AES_KEY,ctx)
  72
  73 IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
  74                        NID_aes_128, 16, 16, 16, 128,
  75                        EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
  76                        aes_init_key, NULL, NULL, NULL, NULL)
  77 IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
  78                        NID_aes_192, 16, 24, 16, 128,
  79                        EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
  80                        aes_init_key, NULL, NULL, NULL, NULL)
  81 IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
  82                        NID_aes_256, 16, 32, 16, 128,
  83                        EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
  84                        aes_init_key, NULL, NULL, NULL, NULL)
  85
  86 #define IMPLEMENT_AES_CFBR(ksize,cbits) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,EVP_CIPH_FLAG_FIPS)
  87
  88 IMPLEMENT_AES_CFBR(128,1)
  89 IMPLEMENT_AES_CFBR(192,1)
  90 IMPLEMENT_AES_CFBR(256,1)
  91
  92 IMPLEMENT_AES_CFBR(128,8)
  93 IMPLEMENT_AES_CFBR(192,8)
  94 IMPLEMENT_AES_CFBR(256,8)
  95
  96 static int aes_counter (EVP_CIPHER_CTX *ctx, unsigned char *out,
  97                 const unsigned char *in, size_t len)
  98 {
  99         unsigned int num;
 100         num = ctx->num;
 101 #ifdef AES_CTR_ASM
 102         void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
 103                         size_t blocks, const AES_KEY *key,
 104                         const unsigned char ivec[AES_BLOCK_SIZE]);
 105
 106         CRYPTO_ctr128_encrypt_ctr32(in,out,len,
 107                 &((EVP_AES_KEY *)ctx->cipher_data)->ks,
 108                 ctx->iv,ctx->buf,&num,(ctr128_f)AES_ctr32_encrypt);
 109 #else
 110         CRYPTO_ctr128_encrypt(in,out,len,
 111                 &((EVP_AES_KEY *)ctx->cipher_data)->ks,
 112                 ctx->iv,ctx->buf,&num,(block128_f)AES_encrypt);
 113 #endif
 114         ctx->num = (size_t)num;
 115         return 1;
 116 }
 117
 118 static const EVP_CIPHER aes_128_ctr_cipher=
 119         {
 120         NID_aes_128_ctr,1,16,16,
 121         EVP_CIPH_CTR_MODE,
 122         aes_init_key,
 123         aes_counter,
 124         NULL,
 125         sizeof(EVP_AES_KEY),
 126         NULL,
 127         NULL,
 128         NULL,
 129         NULL
 130         };
 131
 132 const EVP_CIPHER *EVP_aes_128_ctr (void)
 133 {       return &aes_128_ctr_cipher;     }
 134
 135 static const EVP_CIPHER aes_192_ctr_cipher=
 136         {
 137         NID_aes_192_ctr,1,24,16,
 138         EVP_CIPH_CTR_MODE,
 139         aes_init_key,
 140         aes_counter,
 141         NULL,
 142         sizeof(EVP_AES_KEY),
 143         NULL,
 144         NULL,
 145         NULL,
 146         NULL
 147         };
 148
 149 const EVP_CIPHER *EVP_aes_192_ctr (void)
 150 {       return &aes_192_ctr_cipher;     }
 151
 152 static const EVP_CIPHER aes_256_ctr_cipher=
 153         {
 154         NID_aes_256_ctr,1,32,16,
 155         EVP_CIPH_CTR_MODE,
 156         aes_init_key,
 157         aes_counter,
 158         NULL,
 159         sizeof(EVP_AES_KEY),
 160         NULL,
 161         NULL,
 162         NULL,
 163         NULL
 164         };
 165
 166 const EVP_CIPHER *EVP_aes_256_ctr (void)
 167 {       return &aes_256_ctr_cipher;     }
 168
 169 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 170                    const unsigned char *iv, int enc)
 171         {
 172         int ret;
 173
 174         if (((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_ECB_MODE
 175             || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CBC_MODE)
 176             && !enc)
 177                 ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
 178         else
 179                 ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
 180
 181         if(ret < 0)
 182                 {
 183                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
 184                 return 0;
 185                 }
 186
 187         return 1;
 188         }
 189
 190 typedef struct
 191         {
 192         /* AES key schedule to use */
 193         AES_KEY ks;
 194         /* Set if key initialised */
 195         int key_set;
 196         /* Set if an iv is set */
 197         int iv_set;
 198         /* Pointer to GCM128_CTX: FIXME actual structure later */
 199         GCM128_CONTEXT *gcm;
 200         /* IV length */
 201         int ivlen;
 202         /* Tag to verify */
 203         unsigned char tag[16];
 204         int taglen;
 205         } EVP_AES_GCM_CTX;
 206
 207 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
 208         {
 209         EVP_AES_GCM_CTX *gctx = c->cipher_data;
 210         if (gctx->gcm)
 211                 CRYPTO_gcm128_release(gctx->gcm);
 212         return 1;
 213         }
 214
 215 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 216         {
 217         EVP_AES_GCM_CTX *gctx = c->cipher_data;
 218         switch (type)
 219                 {
 220         case EVP_CTRL_INIT:
 221                 gctx->gcm = NULL;
 222                 gctx->key_set = 0;
 223                 gctx->iv_set = 0;
 224                 gctx->ivlen = c->cipher->iv_len;
 225                 gctx->taglen = -1;
 226                 return 1;
 227
 228         case EVP_CTRL_GCM_SET_IVLEN:
 229                 if (arg <= 0)
 230                         return 0;
 231                 gctx->ivlen = arg;
 232                 return 1;
 233
 234         case EVP_CTRL_GCM_SET_TAG:
 235                 if (arg <= 0 || arg > 16 || c->encrypt)
 236                         return 0;
 237                 memcpy(gctx->tag, ptr, arg);
 238                 gctx->taglen = arg;
 239                 return 1;
 240
 241         case EVP_CTRL_GCM_GET_TAG:
 242                 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
 243                         return 0;
 244                 memcpy(ptr, gctx->tag, arg);
 245                 return 1;
 246
 247         default:
 248                 return -1;
 249
 250                 }
 251         }
 252
 253 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 254                         const unsigned char *iv, int enc)
 255         {
 256         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
 257         if (!iv && !key)
 258                 return 1;
 259         if (key)
 260                 {
 261                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
 262                 if (!gctx->gcm)
 263                         {
 264                         gctx->gcm =
 265                                 CRYPTO_gcm128_new(&gctx->ks, (block128_f)AES_encrypt);
 266                         if (!gctx->gcm)
 267                                 return 0;
 268                         }
 269                 else
 270                         CRYPTO_gcm128_init(gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
 271                 /* If we have an iv can set it directly, otherwise use
 272                  * saved IV.
 273                  */
 274                 if (iv == NULL && gctx->iv_set)
 275                         iv = ctx->iv;
 276                 if (iv)
 277                         {
 278                         CRYPTO_gcm128_setiv(gctx->gcm, iv, gctx->ivlen);
 279                         gctx->iv_set = 1;
 280                         }
 281                 gctx->key_set = 1;
 282                 }
 283         else
 284                 {
 285                 /* If key set use IV, otherwise copy */
 286                 if (gctx->key_set)
 287                         CRYPTO_gcm128_setiv(gctx->gcm, iv, gctx->ivlen);
 288                 else
 289                         {
 290                         /* If IV is too large for EVP_CIPHER_CTX buffer
 291                          * return an error. This can be avoided by either
 292                          * setting the key first or key and iv simultaneously.
 293                          */
 294                         if (gctx->ivlen > EVP_MAX_IV_LENGTH)
 295                                 return 0;
 296                         memcpy(ctx->iv, iv, gctx->ivlen);
 297                         }
 298                 gctx->iv_set = 1;
 299                 }
 300         return 1;
 301         }
 302
 303 static int aes_gcm(EVP_CIPHER_CTX *ctx, unsigned char *out,
 304                 const unsigned char *in, size_t len)
 305         {
 306         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
 307         /* If not set up, return error */
 308         if (!gctx->iv_set && !gctx->key_set)
 309                 return -1;
 310         if (!ctx->encrypt && gctx->taglen < 0)
 311                 return -1;
 312         if (in)
 313                 {
 314                 if (out == NULL)
 315                         CRYPTO_gcm128_aad(gctx->gcm, in, len);
 316                 else if (ctx->encrypt)
 317                         CRYPTO_gcm128_encrypt(gctx->gcm, in, out, len);
 318                 else
 319                         CRYPTO_gcm128_decrypt(gctx->gcm, in, out, len);
 320                 return len;
 321                 }
 322         else
 323                 {
 324                 if (!ctx->encrypt)
 325                         {
 326                         if (CRYPTO_gcm128_finish(gctx->gcm,
 327                                         gctx->tag, gctx->taglen) != 0)
 328                                 return -1;
 329                         gctx->iv_set = 0;
 330                         return 0;
 331                         }
 332                 CRYPTO_gcm128_tag(gctx->gcm, gctx->tag, 16);
 333                 gctx->taglen = 16;
 334                 /* Don't reuse the IV */
 335                 gctx->iv_set = 0;
 336                 return 0;
 337                 }
 338
 339         }
 340
 341 static const EVP_CIPHER aes_128_gcm_cipher=
 342         {
 343         NID_aes_128_gcm,1,16,12,
 344         EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
 345                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
 346                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
 347         aes_gcm_init_key,
 348         aes_gcm,
 349         aes_gcm_cleanup,
 350         sizeof(EVP_AES_GCM_CTX),
 351         NULL,
 352         NULL,
 353         aes_gcm_ctrl,
 354         NULL
 355         };
 356
 357 const EVP_CIPHER *EVP_aes_128_gcm (void)
 358 {       return &aes_128_gcm_cipher;     }
 359
 360 static const EVP_CIPHER aes_192_gcm_cipher=
 361         {
 362         NID_aes_128_gcm,1,24,12,
 363         EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
 364                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
 365                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
 366         aes_gcm_init_key,
 367         aes_gcm,
 368         aes_gcm_cleanup,
 369         sizeof(EVP_AES_GCM_CTX),
 370         NULL,
 371         NULL,
 372         aes_gcm_ctrl,
 373         NULL
 374         };
 375
 376 const EVP_CIPHER *EVP_aes_192_gcm (void)
 377 {       return &aes_192_gcm_cipher;     }
 378
 379 static const EVP_CIPHER aes_256_gcm_cipher=
 380         {
 381         NID_aes_128_gcm,1,32,12,
 382         EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
 383                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
 384                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
 385         aes_gcm_init_key,
 386         aes_gcm,
 387         aes_gcm_cleanup,
 388         sizeof(EVP_AES_GCM_CTX),
 389         NULL,
 390         NULL,
 391         aes_gcm_ctrl,
 392         NULL
 393         };
 394
 395 const EVP_CIPHER *EVP_aes_256_gcm (void)
 396 {       return &aes_256_gcm_cipher;     }
 397
 398 #endif