/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* https://www.openssl.org/source/license.html
*/
+/*
+ * This file uses the low level AES functions (which are deprecated for
+ * non-internal use) in order to implement the EVP AES ciphers.
+ */
+#include "internal/deprecated.h"
+
#include <string.h>
#include <assert.h>
#include <openssl/opensslconf.h>
#include <openssl/aes.h>
#include <openssl/rand.h>
#include <openssl/cmac.h>
-#include "internal/evp_int.h"
+#include "crypto/evp.h"
#include "internal/cryptlib.h"
-#include "internal/modes_int.h"
-#include "internal/siv_int.h"
-#include "internal/aes_platform.h"
-#include "evp_locl.h"
+#include "crypto/modes.h"
+#include "crypto/siv.h"
+#include "crypto/aes_platform.h"
+#include "evp_local.h"
typedef struct {
union {
const unsigned char iv[16]);
} EVP_AES_XTS_CTX;
-#ifdef FIPS_MODE
+#ifdef FIPS_MODULE
static const int allow_insecure_decrypt = 0;
#else
static const int allow_insecure_decrypt = 1;
#if defined(AESNI_CAPABLE)
# if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
-# define AES_gcm_encrypt aesni_gcm_encrypt
-# define AES_gcm_decrypt aesni_gcm_decrypt
# define AES_GCM_ASM2(gctx) (gctx->gcm.block==(block128_f)aesni_encrypt && \
gctx->gcm.ghash==gcm_ghash_avx)
# undef AES_GCM_ASM2 /* minor size optimization */
/*
* Verify that the two keys are different.
- *
+ *
* This addresses Rogaway's vulnerability.
* See comment in aes_xts_init_key() below.
*/
/*
* Verify that the two keys are different.
- *
+ *
* This addresses Rogaway's vulnerability.
* See comment in aes_xts_init_key() below.
*/
} icv;
unsigned char k[32];
} kmac_param;
- /* KMAC-AES paramater block - end */
+ /* KMAC-AES parameter block - end */
union {
unsigned long long g[2];
static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc);
-# define S390X_AES_CBC_CTX EVP_AES_KEY
+# define S390X_AES_CBC_CTX EVP_AES_KEY
# define s390x_aes_cbc_init_key aes_init_key
static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len);
-# define S390X_AES_CTR_CTX EVP_AES_KEY
+# define S390X_AES_CTR_CTX EVP_AES_KEY
# define s390x_aes_ctr_init_key aes_init_key
const unsigned char *in, size_t len);
/* iv + padding length for iv lengths != 12 */
-# define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
+# define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
/*-
* Process additional authenticated data. Returns 0 on success. Code is
switch (type) {
case EVP_CTRL_INIT:
- ivlen = EVP_CIPHER_CTX_iv_length(c);
+ ivlen = EVP_CIPHER_iv_length(c->cipher);
iv = EVP_CIPHER_CTX_iv_noconst(c);
gctx->key_set = 0;
gctx->iv_set = 0;
gctx->tls_aad_len = -1;
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = gctx->ivlen;
+ return 1;
+
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0)
return 0;
return 1;
}
-# define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
+# define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
# define s390x_aes_xts_init_key aes_xts_init_key
static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx,
ctx->aes.ccm.nonce.b[15] = 1;
if (n != len)
- return -1; /* length mismatch */
+ return -1; /* length mismatch */
if (enc) {
/* Two operations per block plus one for tag encryption */
ctx->aes.ccm.blocks += (((len + 15) >> 4) << 1) + 1;
if (ctx->aes.ccm.blocks > (1ULL << 61))
- return -2; /* too much data */
+ return -2; /* too much data */
}
num = 0;
ctx->aes.ccm.kmac_param.icv.g[0] ^= ctx->aes.ccm.buf.g[0];
ctx->aes.ccm.kmac_param.icv.g[1] ^= ctx->aes.ccm.buf.g[1];
- ctx->aes.ccm.nonce.b[0] = flags; /* restore flags field */
+ ctx->aes.ccm.nonce.b[0] = flags; /* restore flags field */
return 0;
}
cctx->aes.ccm.tls_aad_len = -1;
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = 15 - cctx->aes.ccm.l;
+ return 1;
+
case EVP_CTRL_AEAD_TLS1_AAD:
if (arg != EVP_AEAD_TLS1_AAD_LEN)
return 0;
# define s390x_aes_ccm_cleanup aes_ccm_cleanup
# ifndef OPENSSL_NO_OCB
-# define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
+# define S390X_AES_OCB_CTX EVP_AES_OCB_CTX
# define s390x_aes_ocb_init_key aes_ocb_init_key
static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
# define s390x_aes_siv_ctrl aes_siv_ctrl
# endif
-# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
- MODE,flags) \
-static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
- nid##_##keylen##_##nmode,blocksize, \
- keylen / 8, \
- ivlen, \
- flags | EVP_CIPH_##MODE##_MODE, \
- s390x_aes_##mode##_init_key, \
- s390x_aes_##mode##_cipher, \
- NULL, \
- sizeof(S390X_AES_##MODE##_CTX), \
- NULL, \
- NULL, \
- NULL, \
- NULL \
-}; \
-static const EVP_CIPHER aes_##keylen##_##mode = { \
- nid##_##keylen##_##nmode, \
- blocksize, \
- keylen / 8, \
- ivlen, \
- flags | EVP_CIPH_##MODE##_MODE, \
- aes_init_key, \
- aes_##mode##_cipher, \
- NULL, \
- sizeof(EVP_AES_KEY), \
- NULL, \
- NULL, \
- NULL, \
- NULL \
-}; \
-const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
-{ \
- return S390X_aes_##keylen##_##mode##_CAPABLE ? \
- &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
+# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \
+ MODE,flags) \
+static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
+ nid##_##keylen##_##nmode,blocksize, \
+ keylen / 8, \
+ ivlen, \
+ flags | EVP_CIPH_##MODE##_MODE, \
+ s390x_aes_##mode##_init_key, \
+ s390x_aes_##mode##_cipher, \
+ NULL, \
+ sizeof(S390X_AES_##MODE##_CTX), \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL \
+}; \
+static const EVP_CIPHER aes_##keylen##_##mode = { \
+ nid##_##keylen##_##nmode, \
+ blocksize, \
+ keylen / 8, \
+ ivlen, \
+ flags | EVP_CIPH_##MODE##_MODE, \
+ aes_init_key, \
+ aes_##mode##_cipher, \
+ NULL, \
+ sizeof(EVP_AES_KEY), \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL \
+}; \
+const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
+{ \
+ return S390X_aes_##keylen##_##mode##_CAPABLE ? \
+ &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
}
# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
-static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
- nid##_##keylen##_##mode, \
- blocksize, \
- (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
- ivlen, \
- flags | EVP_CIPH_##MODE##_MODE, \
- s390x_aes_##mode##_init_key, \
- s390x_aes_##mode##_cipher, \
- s390x_aes_##mode##_cleanup, \
- sizeof(S390X_AES_##MODE##_CTX), \
- NULL, \
- NULL, \
- s390x_aes_##mode##_ctrl, \
- NULL \
-}; \
-static const EVP_CIPHER aes_##keylen##_##mode = { \
- nid##_##keylen##_##mode,blocksize, \
- (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
- ivlen, \
- flags | EVP_CIPH_##MODE##_MODE, \
- aes_##mode##_init_key, \
- aes_##mode##_cipher, \
- aes_##mode##_cleanup, \
- sizeof(EVP_AES_##MODE##_CTX), \
- NULL, \
- NULL, \
- aes_##mode##_ctrl, \
- NULL \
-}; \
-const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
-{ \
- return S390X_aes_##keylen##_##mode##_CAPABLE ? \
- &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
+static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \
+ nid##_##keylen##_##mode, \
+ blocksize, \
+ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
+ ivlen, \
+ flags | EVP_CIPH_##MODE##_MODE, \
+ s390x_aes_##mode##_init_key, \
+ s390x_aes_##mode##_cipher, \
+ s390x_aes_##mode##_cleanup, \
+ sizeof(S390X_AES_##MODE##_CTX), \
+ NULL, \
+ NULL, \
+ s390x_aes_##mode##_ctrl, \
+ NULL \
+}; \
+static const EVP_CIPHER aes_##keylen##_##mode = { \
+ nid##_##keylen##_##mode,blocksize, \
+ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \
+ ivlen, \
+ flags | EVP_CIPH_##MODE##_MODE, \
+ aes_##mode##_init_key, \
+ aes_##mode##_cipher, \
+ aes_##mode##_cleanup, \
+ sizeof(EVP_AES_##MODE##_CTX), \
+ NULL, \
+ NULL, \
+ aes_##mode##_ctrl, \
+ NULL \
+}; \
+const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
+{ \
+ return S390X_aes_##keylen##_##mode##_CAPABLE ? \
+ &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode; \
}
#else
case EVP_CTRL_INIT:
gctx->key_set = 0;
gctx->iv_set = 0;
- gctx->ivlen = c->cipher->iv_len;
+ gctx->ivlen = EVP_CIPHER_iv_length(c->cipher);
gctx->iv = c->iv;
gctx->taglen = -1;
gctx->iv_gen = 0;
gctx->tls_aad_len = -1;
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = gctx->ivlen;
+ return 1;
+
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0)
return 0;
return rv;
}
-#ifdef FIPS_MODE
+#ifdef FIPS_MODULE
/*
* See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
*
return 0;
return 1;
}
-#endif /* FIPS_MODE */
+#endif /* FIPS_MODULE */
static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len)
if (gctx->tls_aad_len >= 0)
return aes_gcm_tls_cipher(ctx, out, in, len);
-#ifdef FIPS_MODE
+#ifdef FIPS_MODULE
/*
* FIPS requires generation of AES-GCM IV's inside the FIPS module.
* The IV can still be set externally (the security policy will state that
#else
if (!gctx->iv_set)
return -1;
-#endif /* FIPS_MODE */
+#endif /* FIPS_MODULE */
if (in) {
if (out == NULL) {
#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
- | EVP_CIPH_CUSTOM_COPY)
+ | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
return 0;
/*
- * Impose a limit of 2^20 blocks per data unit as specifed by
+ * Impose a limit of 2^20 blocks per data unit as specified by
* IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007
* indicated that this was a SHOULD NOT rather than a MUST NOT.
* NIST SP 800-38E mandates the same limit.
cctx->tls_aad_len = -1;
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = 15 - cctx->L;
+ return 1;
+
case EVP_CTRL_AEAD_TLS1_AAD:
/* Save the AAD for later use */
if (arg != EVP_AEAD_TLS1_AAD_LEN)
case EVP_CTRL_INIT:
octx->key_set = 0;
octx->iv_set = 0;
- octx->ivlen = EVP_CIPHER_CTX_iv_length(c);
+ octx->ivlen = EVP_CIPHER_iv_length(c->cipher);
octx->iv = EVP_CIPHER_CTX_iv_noconst(c);
octx->taglen = 16;
octx->data_buf_len = 0;
octx->aad_buf_len = 0;
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = octx->ivlen;
+ return 1;
+
case EVP_CTRL_AEAD_SET_IVLEN:
/* IV len must be 1 to 15 */
if (arg <= 0 || arg > 15)
return 1;
case EVP_CTRL_AEAD_SET_TAG:
- if (!ptr) {
+ if (ptr == NULL) {
/* Tag len must be 0 to 16 */
if (arg < 0 || arg > 16)
return 0;