3b21ab9ccf4af8e40428e3e9eeb6b30d470499d8
[openssl.git] / crypto / evp / e_aes.c
1 /* ====================================================================
2  * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer. 
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50
51 #define OPENSSL_FIPSAPI
52
53 #include <openssl/opensslconf.h>
54 #ifndef OPENSSL_NO_AES
55 #include <openssl/evp.h>
56 #include <openssl/err.h>
57 #include <string.h>
58 #include <assert.h>
59 #include <openssl/aes.h>
60 #include "evp_locl.h"
61 #include "modes_lcl.h"
62 #include <openssl/rand.h>
63
64 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
65                                         const unsigned char *iv, int enc);
66
67 typedef struct
68         {
69         AES_KEY ks;
70         } EVP_AES_KEY;
71
72 #define data(ctx)       EVP_C_DATA(EVP_AES_KEY,ctx)
73
74 IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
75                        NID_aes_128, 16, 16, 16, 128,
76                        EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
77                        aes_init_key, NULL, NULL, NULL, NULL)
78 IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
79                        NID_aes_192, 16, 24, 16, 128,
80                        EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
81                        aes_init_key, NULL, NULL, NULL, NULL)
82 IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
83                        NID_aes_256, 16, 32, 16, 128,
84                        EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
85                        aes_init_key, NULL, NULL, NULL, NULL)
86
87 #define IMPLEMENT_AES_CFBR(ksize,cbits) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,EVP_CIPH_FLAG_FIPS)
88
89 IMPLEMENT_AES_CFBR(128,1)
90 IMPLEMENT_AES_CFBR(192,1)
91 IMPLEMENT_AES_CFBR(256,1)
92
93 IMPLEMENT_AES_CFBR(128,8)
94 IMPLEMENT_AES_CFBR(192,8)
95 IMPLEMENT_AES_CFBR(256,8)
96
97 static int aes_counter (EVP_CIPHER_CTX *ctx, unsigned char *out,
98                 const unsigned char *in, size_t len)
99 {
100         unsigned int num;
101         num = ctx->num;
102 #ifdef AES_CTR_ASM
103         void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
104                         size_t blocks, const AES_KEY *key,
105                         const unsigned char ivec[AES_BLOCK_SIZE]);
106
107         CRYPTO_ctr128_encrypt_ctr32(in,out,len,
108                 &((EVP_AES_KEY *)ctx->cipher_data)->ks,
109                 ctx->iv,ctx->buf,&num,(ctr128_f)AES_ctr32_encrypt);
110 #else
111         CRYPTO_ctr128_encrypt(in,out,len,
112                 &((EVP_AES_KEY *)ctx->cipher_data)->ks,
113                 ctx->iv,ctx->buf,&num,(block128_f)AES_encrypt);
114 #endif
115         ctx->num = (size_t)num;
116         return 1;
117 }
118
119 static const EVP_CIPHER aes_128_ctr_cipher=
120         {
121         NID_aes_128_ctr,1,16,16,
122         EVP_CIPH_CTR_MODE|EVP_CIPH_FLAG_FIPS,
123         aes_init_key,
124         aes_counter,
125         NULL,
126         sizeof(EVP_AES_KEY),
127         NULL,
128         NULL,
129         NULL,
130         NULL
131         };
132
133 const EVP_CIPHER *EVP_aes_128_ctr (void)
134 {       return &aes_128_ctr_cipher;     }
135
136 static const EVP_CIPHER aes_192_ctr_cipher=
137         {
138         NID_aes_192_ctr,1,24,16,
139         EVP_CIPH_CTR_MODE|EVP_CIPH_FLAG_FIPS,
140         aes_init_key,
141         aes_counter,
142         NULL,
143         sizeof(EVP_AES_KEY),
144         NULL,
145         NULL,
146         NULL,
147         NULL
148         };
149
150 const EVP_CIPHER *EVP_aes_192_ctr (void)
151 {       return &aes_192_ctr_cipher;     }
152
153 static const EVP_CIPHER aes_256_ctr_cipher=
154         {
155         NID_aes_256_ctr,1,32,16,
156         EVP_CIPH_CTR_MODE|EVP_CIPH_FLAG_FIPS,
157         aes_init_key,
158         aes_counter,
159         NULL,
160         sizeof(EVP_AES_KEY),
161         NULL,
162         NULL,
163         NULL,
164         NULL
165         };
166
167 const EVP_CIPHER *EVP_aes_256_ctr (void)
168 {       return &aes_256_ctr_cipher;     }
169
170 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
171                    const unsigned char *iv, int enc)
172         {
173         int ret;
174
175         if (((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_ECB_MODE
176             || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CBC_MODE)
177             && !enc) 
178                 ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
179         else
180                 ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
181
182         if(ret < 0)
183                 {
184                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
185                 return 0;
186                 }
187
188         return 1;
189         }
190
191 typedef struct
192         {
193         /* AES key schedule to use */
194         AES_KEY ks;
195         /* Set if key initialised */
196         int key_set;
197         /* Set if an iv is set */
198         int iv_set;
199         GCM128_CONTEXT gcm;
200         /* Temporary IV store */
201         unsigned char *iv;
202         /* IV length */
203         int ivlen;
204         /* Tag to verify */
205         unsigned char tag[16];
206         int taglen;
207         /* It is OK to generate IVs */
208         int iv_gen;
209         } EVP_AES_GCM_CTX;
210
211 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
212         {
213         EVP_AES_GCM_CTX *gctx = c->cipher_data;
214         OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
215         if (gctx->iv != c->iv)
216                 OPENSSL_free(gctx->iv);
217         return 1;
218         }
219
220 /* increment counter (64-bit int) by 1 */
221 static void ctr64_inc(unsigned char *counter) {
222         int n=8;
223         unsigned char  c;
224
225         do {
226                 --n;
227                 c = counter[n];
228                 ++c;
229                 counter[n] = c;
230                 if (c) return;
231         } while (n);
232 }
233
234 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
235         {
236         EVP_AES_GCM_CTX *gctx = c->cipher_data;
237         switch (type)
238                 {
239         case EVP_CTRL_INIT:
240                 gctx->key_set = 0;
241                 gctx->iv_set = 0;
242                 gctx->ivlen = c->cipher->iv_len;
243                 gctx->iv = c->iv;
244                 gctx->taglen = -1;
245                 gctx->iv_gen = 0;
246                 return 1;
247
248         case EVP_CTRL_GCM_SET_IVLEN:
249                 if (arg <= 0)
250                         return 0;
251 #ifdef OPENSSL_FIPS
252                 if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
253                                                  && arg < 12)
254                         return 0;
255 #endif
256                 /* Allocate memory for IV if needed */
257                 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
258                         {
259                         if (gctx->iv != c->iv)
260                                 OPENSSL_free(gctx->iv);
261                         gctx->iv = OPENSSL_malloc(arg);
262                         if (!gctx->iv)
263                                 return 0;
264                         }
265                 gctx->ivlen = arg;
266                 return 1;
267
268         case EVP_CTRL_GCM_SET_TAG:
269                 if (arg <= 0 || arg > 16 || c->encrypt)
270                         return 0;
271                 memcpy(gctx->tag, ptr, arg);
272                 gctx->taglen = arg;
273                 return 1;
274
275         case EVP_CTRL_GCM_GET_TAG:
276                 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
277                         return 0;
278                 memcpy(ptr, gctx->tag, arg);
279                 return 1;
280
281         case EVP_CTRL_GCM_SET_IV_FIXED:
282                 /* Special case: -1 length restores whole IV */
283                 if (arg == -1)
284                         {
285                         memcpy(gctx->iv, ptr, gctx->ivlen);
286                         gctx->iv_gen = 1;
287                         return 1;
288                         }
289                 /* Fixed field must be at least 4 bytes and invocation field
290                  * at least 8.
291                  */
292                 if ((arg < 4) || (gctx->ivlen - arg) < 8)
293                         return 0;
294                 if (arg)
295                         memcpy(gctx->iv, ptr, arg);
296                 if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
297                         return 0;
298                 gctx->iv_gen = 1;
299                 return 1;
300
301         case EVP_CTRL_GCM_IV_GEN:
302                 if (gctx->iv_gen == 0 || gctx->key_set == 0)
303                         return 0;
304                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
305                 memcpy(ptr, gctx->iv, gctx->ivlen);
306                 /* Invocation field will be at least 8 bytes in size and
307                  * so no need to check wrap around or increment more than
308                  * last 8 bytes.
309                  */
310                 ctr64_inc(gctx->iv + gctx->ivlen - 8);
311                 gctx->iv_set = 1;
312                 return 1;
313
314         default:
315                 return -1;
316
317                 }
318         }
319
320 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
321                         const unsigned char *iv, int enc)
322         {
323         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
324         if (!iv && !key)
325                 return 1;
326         if (key)
327                 {
328                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
329                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
330                 /* If we have an iv can set it directly, otherwise use
331                  * saved IV.
332                  */
333                 if (iv == NULL && gctx->iv_set)
334                         iv = gctx->iv;
335                 if (iv)
336                         {
337                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
338                         gctx->iv_set = 1;
339                         }
340                 gctx->key_set = 1;
341                 }
342         else
343                 {
344                 /* If key set use IV, otherwise copy */
345                 if (gctx->key_set)
346                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
347                 else
348                         memcpy(gctx->iv, iv, gctx->ivlen);
349                 gctx->iv_set = 1;
350                 gctx->iv_gen = 0;
351                 }
352         return 1;
353         }
354
355 static int aes_gcm(EVP_CIPHER_CTX *ctx, unsigned char *out,
356                 const unsigned char *in, size_t len)
357         {
358         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
359         /* If not set up, return error */
360         if (!gctx->iv_set && !gctx->key_set)
361                 return -1;
362         if (!ctx->encrypt && gctx->taglen < 0)
363                 return -1;
364         if (in)
365                 {
366                 if (out == NULL)
367                         {
368                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
369                                 return -1;
370                         }
371                 else if (ctx->encrypt)
372                         {
373                         if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
374                                 return -1;
375                         }
376                 else
377                         {
378                         if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
379                                 return -1;
380                         }
381                 return len;
382                 }
383         else
384                 {
385                 if (!ctx->encrypt)
386                         {
387                         if (CRYPTO_gcm128_finish(&gctx->gcm,
388                                         gctx->tag, gctx->taglen) != 0)
389                                 return -1;
390                         gctx->iv_set = 0;
391                         return 0;
392                         }
393                 CRYPTO_gcm128_tag(&gctx->gcm, gctx->tag, 16);
394                 gctx->taglen = 16;
395                 /* Don't reuse the IV */
396                 gctx->iv_set = 0;
397                 return 0;
398                 }
399
400         }
401
402 static const EVP_CIPHER aes_128_gcm_cipher=
403         {
404         NID_aes_128_gcm,1,16,12,
405         EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
406                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
407                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
408         aes_gcm_init_key,
409         aes_gcm,
410         aes_gcm_cleanup,
411         sizeof(EVP_AES_GCM_CTX),
412         NULL,
413         NULL,
414         aes_gcm_ctrl,
415         NULL
416         };
417
418 const EVP_CIPHER *EVP_aes_128_gcm (void)
419 {       return &aes_128_gcm_cipher;     }
420
421 static const EVP_CIPHER aes_192_gcm_cipher=
422         {
423         NID_aes_128_gcm,1,24,12,
424         EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
425                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
426                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
427         aes_gcm_init_key,
428         aes_gcm,
429         aes_gcm_cleanup,
430         sizeof(EVP_AES_GCM_CTX),
431         NULL,
432         NULL,
433         aes_gcm_ctrl,
434         NULL
435         };
436
437 const EVP_CIPHER *EVP_aes_192_gcm (void)
438 {       return &aes_192_gcm_cipher;     }
439
440 static const EVP_CIPHER aes_256_gcm_cipher=
441         {
442         NID_aes_128_gcm,1,32,12,
443         EVP_CIPH_GCM_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
444                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
445                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
446         aes_gcm_init_key,
447         aes_gcm,
448         aes_gcm_cleanup,
449         sizeof(EVP_AES_GCM_CTX),
450         NULL,
451         NULL,
452         aes_gcm_ctrl,
453         NULL
454         };
455
456 const EVP_CIPHER *EVP_aes_256_gcm (void)
457 {       return &aes_256_gcm_cipher;     }
458
459 typedef struct
460         {
461         /* AES key schedules to use */
462         AES_KEY ks1, ks2;
463         XTS128_CONTEXT xts;
464         } EVP_AES_XTS_CTX;
465
466 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
467         {
468         EVP_AES_XTS_CTX *xctx = c->cipher_data;
469         if (type != EVP_CTRL_INIT)
470                 return -1;
471         /* key1 and key2 are used as an indicator both key and IV are set */
472         xctx->xts.key1 = NULL;
473         xctx->xts.key2 = NULL;
474         return 1;
475         }
476
477 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
478                         const unsigned char *iv, int enc)
479         {
480         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
481         if (!iv && !key)
482                 return 1;
483
484         if (key)
485                 {
486                 /* key_len is two AES keys */
487                 if (ctx->encrypt)
488                         {
489                         AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
490                         xctx->xts.block1 = (block128_f)AES_encrypt;
491                         }
492                 else
493                         {
494                         AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
495                         xctx->xts.block1 = (block128_f)AES_decrypt;
496                         }
497
498                 AES_set_encrypt_key(key + ctx->key_len/2,
499                                                 ctx->key_len * 4, &xctx->ks2);
500                 xctx->xts.block2 = (block128_f)AES_encrypt;
501
502                 xctx->xts.key1 = &xctx->ks1;
503                 }
504
505         if (iv)
506                 {
507                 xctx->xts.key2 = &xctx->ks2;
508                 memcpy(ctx->iv, iv, 16);
509                 }
510
511         return 1;
512         }
513
514 static int aes_xts(EVP_CIPHER_CTX *ctx, unsigned char *out,
515                 const unsigned char *in, size_t len)
516         {
517         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
518         if (!xctx->xts.key1 || !xctx->xts.key2)
519                 return -1;
520         if (!out || !in)
521                 return -1;
522 #ifdef OPENSSL_FIPS
523         /* Requirement of SP800-38E */
524         if (FIPS_mode() && len > (1L<<20)*16)
525                 {
526                 EVPerr(EVP_F_AES_XTS, EVP_R_TOO_LARGE);
527                 return -1;
528                 }
529 #endif
530         if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
531                                                                 ctx->encrypt))
532                 return -1;
533         return len;
534         }
535
536 static const EVP_CIPHER aes_128_xts_cipher=
537         {
538         NID_aes_128_xts,16,32,16,
539         EVP_CIPH_XTS_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
540                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
541                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
542         aes_xts_init_key,
543         aes_xts,
544         0,
545         sizeof(EVP_AES_XTS_CTX),
546         NULL,
547         NULL,
548         aes_xts_ctrl,
549         NULL
550         };
551
552 const EVP_CIPHER *EVP_aes_128_xts (void)
553 {       return &aes_128_xts_cipher;     }
554         
555 static const EVP_CIPHER aes_256_xts_cipher=
556         {
557         NID_aes_256_xts,16,64,16,
558         EVP_CIPH_XTS_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
559                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
560                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
561         aes_xts_init_key,
562         aes_xts,
563         0,
564         sizeof(EVP_AES_XTS_CTX),
565         NULL,
566         NULL,
567         aes_xts_ctrl,
568         NULL
569         };
570
571 const EVP_CIPHER *EVP_aes_256_xts (void)
572 {       return &aes_256_xts_cipher;     }
573                 
574 #endif