2 * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/opensslconf.h>
12 #include <openssl/crypto.h>
13 #include <openssl/err.h>
14 #include <openssl/aes.h>
15 #include <openssl/rand.h>
16 #include <openssl/cmac.h>
17 #include "ciphers_locl.h"
18 #include "internal/evp_int.h"
19 #include "internal/providercommonerr.h"
20 #include "internal/aes_platform.h"
22 #define MAXBITCHUNK ((size_t)1 << (sizeof(size_t) * 8 - 4))
24 #if defined(AESNI_CAPABLE)
28 static int aesni_init_key(PROV_AES_KEY *dat, const unsigned char *key,
33 if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
35 ret = aesni_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
36 dat->block = (block128_f) aesni_decrypt;
37 dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
38 (cbc128_f) aesni_cbc_encrypt : NULL;
40 ret = aesni_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
41 dat->block = (block128_f) aesni_encrypt;
42 if (dat->mode == EVP_CIPH_CBC_MODE)
43 dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
44 else if (dat->mode == EVP_CIPH_CTR_MODE)
45 dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
47 dat->stream.cbc = NULL;
51 ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
58 static int aesni_cbc_cipher(PROV_AES_KEY *ctx, unsigned char *out,
59 const unsigned char *in, size_t len)
61 aesni_cbc_encrypt(in, out, len, &ctx->ks.ks, ctx->iv, ctx->enc);
66 static int aesni_ecb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
67 const unsigned char *in, size_t len)
69 if (len < AES_BLOCK_SIZE)
72 aesni_ecb_encrypt(in, out, len, &ctx->ks.ks, ctx->enc);
77 # define aesni_ofb_cipher aes_ofb_cipher
78 static int aesni_ofb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
79 const unsigned char *in, size_t len);
81 # define aesni_cfb_cipher aes_cfb_cipher
82 static int aesni_cfb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
83 const unsigned char *in, size_t len);
85 # define aesni_cfb8_cipher aes_cfb8_cipher
86 static int aesni_cfb8_cipher(PROV_AES_KEY *ctx, unsigned char *out,
87 const unsigned char *in, size_t len);
89 # define aesni_cfb1_cipher aes_cfb1_cipher
90 static int aesni_cfb1_cipher(PROV_AES_KEY *ctx, unsigned char *out,
91 const unsigned char *in, size_t len);
93 # define aesni_ctr_cipher aes_ctr_cipher
94 static int aesni_ctr_cipher(PROV_AES_KEY *ctx, unsigned char *out,
95 const unsigned char *in, size_t len);
97 # define BLOCK_CIPHER_generic_prov(mode) \
98 static const PROV_AES_CIPHER aesni_##mode = { \
100 aesni_##mode##_cipher}; \
101 static const PROV_AES_CIPHER aes_##mode = { \
103 aes_##mode##_cipher}; \
104 const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
105 { return AESNI_CAPABLE?&aesni_##mode:&aes_##mode; }
108 #elif defined(SPARC_AES_CAPABLE)
110 static int aes_t4_init_key(PROV_AES_KEY *dat, const unsigned char *key,
116 if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
119 aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
120 dat->block = (block128_f) aes_t4_decrypt;
123 dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
124 (cbc128_f) aes128_t4_cbc_decrypt : NULL;
127 dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
128 (cbc128_f) aes192_t4_cbc_decrypt : NULL;
131 dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
132 (cbc128_f) aes256_t4_cbc_decrypt : NULL;
139 aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
140 dat->block = (block128_f)aes_t4_encrypt;
143 if (dat->mode == EVP_CIPH_CBC_MODE)
144 dat->stream.cbc = (cbc128_f)aes128_t4_cbc_encrypt;
145 else if (dat->mode == EVP_CIPH_CTR_MODE)
146 dat->stream.ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
148 dat->stream.cbc = NULL;
151 if (dat->mode == EVP_CIPH_CBC_MODE)
152 dat->stream.cbc = (cbc128_f)aes192_t4_cbc_encrypt;
153 else if (dat->mode == EVP_CIPH_CTR_MODE)
154 dat->stream.ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
156 dat->stream.cbc = NULL;
159 if (dat->mode == EVP_CIPH_CBC_MODE)
160 dat->stream.cbc = (cbc128_f)aes256_t4_cbc_encrypt;
161 else if (dat->mode == EVP_CIPH_CTR_MODE)
162 dat->stream.ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
164 dat->stream.cbc = NULL;
172 ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
179 # define aes_t4_cbc_cipher aes_cbc_cipher
180 static int aes_t4_cbc_cipher(PROV_AES_KEY *ctx, unsigned char *out,
181 const unsigned char *in, size_t len);
183 # define aes_t4_ecb_cipher aes_ecb_cipher
184 static int aes_t4_ecb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
185 const unsigned char *in, size_t len);
187 # define aes_t4_ofb_cipher aes_ofb_cipher
188 static int aes_t4_ofb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
189 const unsigned char *in, size_t len);
191 # define aes_t4_cfb_cipher aes_cfb_cipher
192 static int aes_t4_cfb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
193 const unsigned char *in, size_t len);
195 # define aes_t4_cfb8_cipher aes_cfb8_cipher
196 static int aes_t4_cfb8_cipher(PROV_AES_KEY *ctx, unsigned char *out,
197 const unsigned char *in, size_t len);
199 # define aes_t4_cfb1_cipher aes_cfb1_cipher
200 static int aes_t4_cfb1_cipher(PROV_AES_KEY *ctx, unsigned char *out,
201 const unsigned char *in, size_t len);
203 # define aes_t4_ctr_cipher aes_ctr_cipher
204 static int aes_t4_ctr_cipher(PROV_AES_KEY *ctx, unsigned char *out,
205 const unsigned char *in, size_t len);
207 # define BLOCK_CIPHER_generic_prov(mode) \
208 static const PROV_AES_CIPHER aes_t4_##mode = { \
210 aes_t4_##mode##_cipher}; \
211 static const PROV_AES_CIPHER aes_##mode = { \
213 aes_##mode##_cipher}; \
214 const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
215 { return SPARC_AES_CAPABLE?&aes_t4_##mode:&aes_##mode; }
218 #elif defined(S390X_aes_128_CAPABLE)
222 # include "s390x_arch.h"
224 # define s390x_aes_init_key aes_init_key
225 static int s390x_aes_init_key(PROV_AES_KEY *dat, const unsigned char *key,
227 # define S390X_AES_CBC_CTX PROV_AES_KEY
229 # define s390x_aes_cbc_init_key aes_init_key
231 # define s390x_aes_cbc_cipher aes_cbc_cipher
232 static int s390x_aes_cbc_cipher(PROV_AES_KEY *dat, unsigned char *out,
233 const unsigned char *in, size_t len);
235 static int s390x_aes_ecb_init_key(PROV_AES_KEY *dat, const unsigned char *key,
238 dat->plat.s390x.fc = S390X_AES_FC(keylen);
240 dat->plat.s390x.fc |= S390X_DECRYPT;
242 memcpy(dat->plat.s390x.param.km.k, key, keylen);
246 static int s390x_aes_ecb_cipher(PROV_AES_KEY *dat, unsigned char *out,
247 const unsigned char *in, size_t len)
249 s390x_km(in, len, out, dat->plat.s390x.fc,
250 &dat->plat.s390x.param.km);
254 static int s390x_aes_ofb_init_key(PROV_AES_KEY *dat, const unsigned char *key,
257 memcpy(dat->plat.s390x.param.kmo_kmf.cv, dat->iv, AES_BLOCK_SIZE);
258 memcpy(dat->plat.s390x.param.kmo_kmf.k, key, keylen);
259 dat->plat.s390x.fc = S390X_AES_FC(keylen);
260 dat->plat.s390x.res = 0;
264 static int s390x_aes_ofb_cipher(PROV_AES_KEY *dat, unsigned char *out,
265 const unsigned char *in, size_t len)
267 int n = dat->plat.s390x.res;
271 *out = *in ^ dat->plat.s390x.param.kmo_kmf.cv[n];
282 s390x_kmo(in, len, out, dat->plat.s390x.fc,
283 &dat->plat.s390x.param.kmo_kmf);
290 s390x_km(dat->plat.s390x.param.kmo_kmf.cv, 16,
291 dat->plat.s390x.param.kmo_kmf.cv, dat->plat.s390x.fc,
292 dat->plat.s390x.param.kmo_kmf.k);
295 out[n] = in[n] ^ dat->plat.s390x.param.kmo_kmf.cv[n];
300 dat->plat.s390x.res = n;
304 static int s390x_aes_cfb_init_key(PROV_AES_KEY *dat, const unsigned char *key,
307 dat->plat.s390x.fc = S390X_AES_FC(keylen);
308 dat->plat.s390x.fc |= 16 << 24; /* 16 bytes cipher feedback */
310 dat->plat.s390x.fc |= S390X_DECRYPT;
312 dat->plat.s390x.res = 0;
313 memcpy(dat->plat.s390x.param.kmo_kmf.cv, dat->iv, AES_BLOCK_SIZE);
314 memcpy(dat->plat.s390x.param.kmo_kmf.k, key, keylen);
318 static int s390x_aes_cfb_cipher(PROV_AES_KEY *dat, unsigned char *out,
319 const unsigned char *in, size_t len)
321 int n = dat->plat.s390x.res;
327 *out = dat->plat.s390x.param.kmo_kmf.cv[n] ^ tmp;
328 dat->plat.s390x.param.kmo_kmf.cv[n] = dat->enc ? *out : tmp;
339 s390x_kmf(in, len, out, dat->plat.s390x.fc,
340 &dat->plat.s390x.param.kmo_kmf);
347 s390x_km(dat->plat.s390x.param.kmo_kmf.cv, 16,
348 dat->plat.s390x.param.kmo_kmf.cv,
349 S390X_AES_FC(dat->keylen), dat->plat.s390x.param.kmo_kmf.k);
353 out[n] = dat->plat.s390x.param.kmo_kmf.cv[n] ^ tmp;
354 dat->plat.s390x.param.kmo_kmf.cv[n] = dat->enc ? out[n] : tmp;
359 dat->plat.s390x.res = n;
363 static int s390x_aes_cfb8_init_key(PROV_AES_KEY *dat, const unsigned char *key,
366 dat->plat.s390x.fc = S390X_AES_FC(keylen);
367 dat->plat.s390x.fc |= 1 << 24; /* 1 byte cipher feedback */
369 dat->plat.s390x.fc |= S390X_DECRYPT;
371 memcpy(dat->plat.s390x.param.kmo_kmf.cv, dat->iv, AES_BLOCK_SIZE);
372 memcpy(dat->plat.s390x.param.kmo_kmf.k, key, keylen);
376 static int s390x_aes_cfb8_cipher(PROV_AES_KEY *dat, unsigned char *out,
377 const unsigned char *in, size_t len)
379 s390x_kmf(in, len, out, dat->plat.s390x.fc,
380 &dat->plat.s390x.param.kmo_kmf);
384 # define s390x_aes_cfb1_init_key aes_init_key
386 # define s390x_aes_cfb1_cipher aes_cfb1_cipher
387 static int s390x_aes_cfb1_cipher(PROV_AES_KEY *dat, unsigned char *out,
388 const unsigned char *in, size_t len);
389 # define S390X_AES_CTR_CTX PROV_AES_KEY
391 # define s390x_aes_ctr_init_key aes_init_key
393 # define s390x_aes_ctr_cipher aes_ctr_cipher
394 static int s390x_aes_ctr_cipher(PROV_AES_KEY *dat, unsigned char *out,
395 const unsigned char *in, size_t len);
397 # define BLOCK_CIPHER_generic_prov(mode) \
398 static const PROV_AES_CIPHER s390x_aes_##mode = { \
399 s390x_aes_##mode##_init_key, \
400 s390x_aes_##mode##_cipher \
402 static const PROV_AES_CIPHER aes_##mode = { \
404 aes_##mode##_cipher \
406 const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
408 if ((keylen == 16 && S390X_aes_128_##mode##_CAPABLE) \
409 || (keylen == 24 && S390X_aes_192_##mode##_CAPABLE) \
410 || (keylen == 32 && S390X_aes_256_##mode##_CAPABLE)) \
411 return &s390x_aes_##mode; \
413 return &aes_##mode; \
417 /* The generic case */
418 # define BLOCK_CIPHER_generic_prov(mode) \
419 static const PROV_AES_CIPHER aes_##mode = { \
421 aes_##mode##_cipher}; \
422 const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
423 { return &aes_##mode; }
427 static int aes_init_key(PROV_AES_KEY *dat, const unsigned char *key,
432 if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
436 ret = HWAES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
437 dat->block = (block128_f)HWAES_decrypt;
438 dat->stream.cbc = NULL;
439 # ifdef HWAES_cbc_encrypt
440 if (dat->mode == EVP_CIPH_CBC_MODE)
441 dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
446 if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CBC_MODE) {
447 ret = AES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
448 dat->block = (block128_f)AES_decrypt;
449 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
454 ret = vpaes_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
455 dat->block = (block128_f)vpaes_decrypt;
456 dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
457 ?(cbc128_f)vpaes_cbc_encrypt : NULL;
461 ret = AES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
462 dat->block = (block128_f)AES_decrypt;
463 dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
464 ? (cbc128_f)AES_cbc_encrypt : NULL;
469 ret = HWAES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
470 dat->block = (block128_f)HWAES_encrypt;
471 dat->stream.cbc = NULL;
472 # ifdef HWAES_cbc_encrypt
473 if (dat->mode == EVP_CIPH_CBC_MODE)
474 dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
477 # ifdef HWAES_ctr32_encrypt_blocks
478 if (dat->mode == EVP_CIPH_CTR_MODE)
479 dat->stream.ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks;
482 (void)0; /* terminate potentially open 'else' */
486 if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CTR_MODE) {
487 ret = AES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
488 dat->block = (block128_f)AES_encrypt;
489 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
494 ret = vpaes_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
495 dat->block = (block128_f)vpaes_encrypt;
496 dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
497 ? (cbc128_f)vpaes_cbc_encrypt : NULL;
501 ret = AES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
502 dat->block = (block128_f)AES_encrypt;
503 dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
504 ? (cbc128_f)AES_cbc_encrypt : NULL;
506 if (dat->mode == EVP_CIPH_CTR_MODE)
507 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
512 ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
519 static int aes_cbc_cipher(PROV_AES_KEY *dat, unsigned char *out,
520 const unsigned char *in, size_t len)
523 (*dat->stream.cbc) (in, out, len, &dat->ks, dat->iv, dat->enc);
525 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, dat->iv, dat->block);
527 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, dat->iv, dat->block);
532 static int aes_ecb_cipher(PROV_AES_KEY *dat, unsigned char *out,
533 const unsigned char *in, size_t len)
537 if (len < AES_BLOCK_SIZE)
540 for (i = 0, len -= AES_BLOCK_SIZE; i <= len; i += AES_BLOCK_SIZE)
541 (*dat->block) (in + i, out + i, &dat->ks);
546 static int aes_ofb_cipher(PROV_AES_KEY *dat, unsigned char *out,
547 const unsigned char *in, size_t len)
550 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->block);
556 static int aes_cfb_cipher(PROV_AES_KEY *dat, unsigned char *out,
557 const unsigned char *in, size_t len)
560 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->enc,
567 static int aes_cfb8_cipher(PROV_AES_KEY *dat, unsigned char *out,
568 const unsigned char *in, size_t len)
571 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->enc,
578 static int aes_cfb1_cipher(PROV_AES_KEY *dat, unsigned char *out,
579 const unsigned char *in, size_t len)
583 if ((dat->flags & EVP_CIPH_FLAG_LENGTH_BITS) != 0) {
584 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, dat->iv, &num,
585 dat->enc, dat->block);
590 while (len >= MAXBITCHUNK) {
591 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
592 dat->iv, &num, dat->enc, dat->block);
598 CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks, dat->iv, &num,
599 dat->enc, dat->block);
606 static int aes_ctr_cipher(PROV_AES_KEY *dat, unsigned char *out,
607 const unsigned char *in, size_t len)
609 unsigned int num = dat->num;
612 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, dat->iv, dat->buf,
613 &num, dat->stream.ctr);
615 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, dat->iv, dat->buf,
622 BLOCK_CIPHER_generic_prov(cbc)
623 BLOCK_CIPHER_generic_prov(ecb)
624 BLOCK_CIPHER_generic_prov(ofb)
625 BLOCK_CIPHER_generic_prov(cfb)
626 BLOCK_CIPHER_generic_prov(cfb1)
627 BLOCK_CIPHER_generic_prov(cfb8)
628 BLOCK_CIPHER_generic_prov(ctr)