34a350a8804873998b74b1bfeb745ee742cf528d
[openssl.git] / crypto / evp / e_aes.c
1 /* ====================================================================
2  * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer. 
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50
51 #define OPENSSL_FIPSAPI
52
53 #include <openssl/opensslconf.h>
54 #ifndef OPENSSL_NO_AES
55 #include <openssl/evp.h>
56 #include <openssl/err.h>
57 #include <string.h>
58 #include <assert.h>
59 #include <openssl/aes.h>
60 #include "evp_locl.h"
61 #include <openssl/modes.h>
62
63 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
64                                         const unsigned char *iv, int enc);
65
66 typedef struct
67         {
68         AES_KEY ks;
69         } EVP_AES_KEY;
70
71 #define data(ctx)       EVP_C_DATA(EVP_AES_KEY,ctx)
72
73 IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
74                        NID_aes_128, 16, 16, 16, 128,
75                        EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
76                        aes_init_key, NULL, NULL, NULL, NULL)
77 IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
78                        NID_aes_192, 16, 24, 16, 128,
79                        EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
80                        aes_init_key, NULL, NULL, NULL, NULL)
81 IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
82                        NID_aes_256, 16, 32, 16, 128,
83                        EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
84                        aes_init_key, NULL, NULL, NULL, NULL)
85
86 #define IMPLEMENT_AES_CFBR(ksize,cbits) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,EVP_CIPH_FLAG_FIPS)
87
88 IMPLEMENT_AES_CFBR(128,1)
89 IMPLEMENT_AES_CFBR(192,1)
90 IMPLEMENT_AES_CFBR(256,1)
91
92 IMPLEMENT_AES_CFBR(128,8)
93 IMPLEMENT_AES_CFBR(192,8)
94 IMPLEMENT_AES_CFBR(256,8)
95
96 static int aes_counter (EVP_CIPHER_CTX *ctx, unsigned char *out,
97                 const unsigned char *in, size_t len)
98 {
99         unsigned int num;
100         num = ctx->num;
101 #ifdef AES_CTR_ASM
102         void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
103                         size_t blocks, const AES_KEY *key,
104                         const unsigned char ivec[AES_BLOCK_SIZE]);
105
106         CRYPTO_ctr128_encrypt_ctr32(in,out,len,
107                 &((EVP_AES_KEY *)ctx->cipher_data)->ks,
108                 ctx->iv,ctx->buf,&num,(ctr128_f)AES_ctr32_encrypt);
109 #else
110         CRYPTO_ctr128_encrypt(in,out,len,
111                 &((EVP_AES_KEY *)ctx->cipher_data)->ks,
112                 ctx->iv,ctx->buf,&num,(block128_f)AES_encrypt);
113 #endif
114         ctx->num = (size_t)num;
115         return 1;
116 }
117
118 static const EVP_CIPHER aes_128_ctr_cipher=
119         {
120         NID_aes_128_ctr,1,16,16,
121         EVP_CIPH_CTR_MODE,
122         aes_init_key,
123         aes_counter,
124         NULL,
125         sizeof(EVP_AES_KEY),
126         NULL,
127         NULL,
128         NULL,
129         NULL
130         };
131
132 const EVP_CIPHER *EVP_aes_128_ctr (void)
133 {       return &aes_128_ctr_cipher;     }
134
135 static const EVP_CIPHER aes_192_ctr_cipher=
136         {
137         NID_aes_192_ctr,1,24,16,
138         EVP_CIPH_CTR_MODE,
139         aes_init_key,
140         aes_counter,
141         NULL,
142         sizeof(EVP_AES_KEY),
143         NULL,
144         NULL,
145         NULL,
146         NULL
147         };
148
149 const EVP_CIPHER *EVP_aes_192_ctr (void)
150 {       return &aes_192_ctr_cipher;     }
151
152 static const EVP_CIPHER aes_256_ctr_cipher=
153         {
154         NID_aes_256_ctr,1,32,16,
155         EVP_CIPH_CTR_MODE,
156         aes_init_key,
157         aes_counter,
158         NULL,
159         sizeof(EVP_AES_KEY),
160         NULL,
161         NULL,
162         NULL,
163         NULL
164         };
165
166 const EVP_CIPHER *EVP_aes_256_ctr (void)
167 {       return &aes_256_ctr_cipher;     }
168
169 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
170                    const unsigned char *iv, int enc)
171         {
172         int ret;
173
174         if (((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_ECB_MODE
175             || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CBC_MODE)
176             && !enc) 
177                 ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
178         else
179                 ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
180
181         if(ret < 0)
182                 {
183                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
184                 return 0;
185                 }
186
187         return 1;
188         }
189
190 typedef struct
191         {
192         /* AES key schedule to use */
193         AES_KEY ks;
194         /* Set if key initialised */
195         int key_set;
196         /* Set if an iv is set */
197         int iv_set;
198         /* Pointer to GCM128_CTX: FIXME actual structure later */
199         GCM128_CONTEXT *gcm;
200         /* IV length */
201         int ivlen;
202         /* Tag to verify */
203         unsigned char tag[16];
204         int taglen;
205         } EVP_AES_GCM_CTX;
206
207 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
208         {
209         EVP_AES_GCM_CTX *gctx = c->cipher_data;
210         if (gctx->gcm)
211                 CRYPTO_gcm128_release(gctx->gcm);
212         return 1;
213         }
214
215 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
216         {
217         EVP_AES_GCM_CTX *gctx = c->cipher_data;
218         switch (type)
219                 {
220         case EVP_CTRL_INIT:
221                 gctx->gcm = NULL;
222                 gctx->key_set = 0;
223                 gctx->iv_set = 0;
224                 gctx->ivlen = c->cipher->iv_len;
225                 gctx->taglen = -1;
226                 return 1;
227
228         case EVP_CTRL_GCM_SET_IVLEN:
229                 if (arg <= 0)
230                         return 0;
231                 gctx->ivlen = arg;
232                 return 1;
233
234         case EVP_CTRL_GCM_SET_TAG:
235                 if (arg <= 0 || arg > 16 || c->encrypt)
236                         return 0;
237                 memcpy(gctx->tag, ptr, arg);
238                 gctx->taglen = arg;
239                 return 1;
240
241         case EVP_CTRL_GCM_GET_TAG:
242                 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
243                         return 0;
244                 memcpy(ptr, gctx->tag, arg);
245                 return 1;
246
247         default:
248                 return -1;
249
250                 }
251         }
252
253 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
254                         const unsigned char *iv, int enc)
255         {
256         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
257         if (!iv && !key)
258                 return 1;
259         if (key)
260                 {
261                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
262                 if (!gctx->gcm)
263                         {
264                         gctx->gcm =
265                                 CRYPTO_gcm128_new(&gctx->ks, (block128_f)AES_encrypt);
266                         if (!gctx->gcm)
267                                 return 0;
268                         }
269                 else
270                         CRYPTO_gcm128_init(gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
271                 /* If we have an iv can set it directly, otherwise use
272                  * saved IV.
273                  */
274                 if (iv == NULL && gctx->iv_set)
275                         iv = ctx->iv;
276                 if (iv)
277                         {
278                         CRYPTO_gcm128_setiv(gctx->gcm, iv, gctx->ivlen);
279                         gctx->iv_set = 1;
280                         }
281                 gctx->key_set = 1;
282                 }
283         else
284                 {
285                 /* If key set use IV, otherwise copy */
286                 if (gctx->key_set)
287                         CRYPTO_gcm128_setiv(gctx->gcm, iv, gctx->ivlen);
288                 else
289                         {
290                         /* If IV is too large for EVP_CIPHER_CTX buffer
291                          * return an error. This can be avoided by either
292                          * setting the key first or key and iv simultaneously.
293                          */
294                         if (gctx->ivlen > EVP_MAX_IV_LENGTH)
295                                 return 0;
296                         memcpy(ctx->iv, iv, gctx->ivlen);
297                         }
298                 gctx->iv_set = 1;
299                 }
300         return 1;
301         }
302
303 static int aes_gcm(EVP_CIPHER_CTX *ctx, unsigned char *out,
304                 const unsigned char *in, size_t len)
305         {
306         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
307         /* If not set up, return error */
308         if (!gctx->iv_set && !gctx->key_set)
309                 return -1;
310         if (!ctx->encrypt && gctx->taglen < 0)
311                 return -1;
312         if (in)
313                 {
314                 if (out == NULL)
315                         CRYPTO_gcm128_aad(gctx->gcm, in, len);
316                 else if (ctx->encrypt)
317                         CRYPTO_gcm128_encrypt(gctx->gcm, in, out, len);
318                 else
319                         CRYPTO_gcm128_decrypt(gctx->gcm, in, out, len);
320                 return len;
321                 }
322         else
323                 {
324                 if (!ctx->encrypt)
325                         {
326                         if (CRYPTO_gcm128_finish(gctx->gcm,
327                                         gctx->tag, gctx->taglen) != 0)
328                                 return -1;
329                         gctx->iv_set = 0;
330                         return 0;
331                         }
332                 CRYPTO_gcm128_tag(gctx->gcm, gctx->tag, 16);
333                 gctx->taglen = 16;
334                 /* Don't reuse the IV */
335                 gctx->iv_set = 0;
336                 return 0;
337                 }
338
339         }
340
341 static const EVP_CIPHER aes_128_gcm_cipher=
342         {
343         NID_aes_128_gcm,1,16,12,
344         EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
345                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
346                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
347         aes_gcm_init_key,
348         aes_gcm,
349         aes_gcm_cleanup,
350         sizeof(EVP_AES_GCM_CTX),
351         NULL,
352         NULL,
353         aes_gcm_ctrl,
354         NULL
355         };
356
357 const EVP_CIPHER *EVP_aes_128_gcm (void)
358 {       return &aes_128_gcm_cipher;     }
359
360 static const EVP_CIPHER aes_192_gcm_cipher=
361         {
362         NID_aes_128_gcm,1,24,12,
363         EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
364                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
365                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
366         aes_gcm_init_key,
367         aes_gcm,
368         aes_gcm_cleanup,
369         sizeof(EVP_AES_GCM_CTX),
370         NULL,
371         NULL,
372         aes_gcm_ctrl,
373         NULL
374         };
375
376 const EVP_CIPHER *EVP_aes_192_gcm (void)
377 {       return &aes_192_gcm_cipher;     }
378
379 static const EVP_CIPHER aes_256_gcm_cipher=
380         {
381         NID_aes_128_gcm,1,32,12,
382         EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
383                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
384                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
385         aes_gcm_init_key,
386         aes_gcm,
387         aes_gcm_cleanup,
388         sizeof(EVP_AES_GCM_CTX),
389         NULL,
390         NULL,
391         aes_gcm_ctrl,
392         NULL
393         };
394
395 const EVP_CIPHER *EVP_aes_256_gcm (void)
396 {       return &aes_256_gcm_cipher;     }
397                 
398 #endif