summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/evp/e_aes.c
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2025-04-14 17:32:06 +0000
committercvs2svn <admin@example.com>2025-04-14 17:32:06 +0000
commiteb8dd9dca1228af0cd132f515509051ecfabf6f6 (patch)
treeedb6da6af7e865d488dc1a29309f1e1ec226e603 /src/lib/libcrypto/evp/e_aes.c
parent247f0352e0ed72a4f476db9dc91f4d982bc83eb2 (diff)
downloadopenbsd-tb_20250414.tar.gz
openbsd-tb_20250414.tar.bz2
openbsd-tb_20250414.zip
This commit was manufactured by cvs2git to create tag 'tb_20250414'.tb_20250414
Diffstat (limited to 'src/lib/libcrypto/evp/e_aes.c')
-rw-r--r--src/lib/libcrypto/evp/e_aes.c2639
1 files changed, 0 insertions, 2639 deletions
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
deleted file mode 100644
index 7753c18c15..0000000000
--- a/src/lib/libcrypto/evp/e_aes.c
+++ /dev/null
@@ -1,2639 +0,0 @@
1/* $OpenBSD: e_aes.c,v 1.59 2024/09/06 09:57:32 tb Exp $ */
2/* ====================================================================
3 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#include <limits.h>
53#include <stdlib.h>
54#include <string.h>
55
56#include <openssl/opensslconf.h>
57
58#include "crypto_internal.h"
59
60#ifndef OPENSSL_NO_AES
61#include <openssl/aes.h>
62#include <openssl/err.h>
63#include <openssl/evp.h>
64
65#include "evp_local.h"
66#include "modes_local.h"
67
68typedef struct {
69 AES_KEY ks;
70 block128_f block;
71 union {
72 cbc128_f cbc;
73 ctr128_f ctr;
74 } stream;
75} EVP_AES_KEY;
76
77typedef struct {
78 AES_KEY ks; /* AES key schedule to use */
79 int key_set; /* Set if key initialised */
80 int iv_set; /* Set if an iv is set */
81 GCM128_CONTEXT gcm;
82 unsigned char *iv; /* Temporary IV store */
83 int ivlen; /* IV length */
84 int taglen;
85 int iv_gen; /* It is OK to generate IVs */
86 int tls_aad_len; /* TLS AAD length */
87 ctr128_f ctr;
88} EVP_AES_GCM_CTX;
89
90typedef struct {
91 AES_KEY ks1, ks2; /* AES key schedules to use */
92 XTS128_CONTEXT xts;
93 void (*stream)(const unsigned char *in, unsigned char *out,
94 size_t length, const AES_KEY *key1, const AES_KEY *key2,
95 const unsigned char iv[16]);
96} EVP_AES_XTS_CTX;
97
98typedef struct {
99 AES_KEY ks; /* AES key schedule to use */
100 int key_set; /* Set if key initialised */
101 int iv_set; /* Set if an iv is set */
102 int tag_set; /* Set if tag is valid */
103 int len_set; /* Set if message length set */
104 int L, M; /* L and M parameters from RFC3610 */
105 CCM128_CONTEXT ccm;
106 ccm128_f str;
107} EVP_AES_CCM_CTX;
108
109#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
110
111#ifdef VPAES_ASM
112int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
113 AES_KEY *key);
114int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
115 AES_KEY *key);
116
117void vpaes_encrypt(const unsigned char *in, unsigned char *out,
118 const AES_KEY *key);
119void vpaes_decrypt(const unsigned char *in, unsigned char *out,
120 const AES_KEY *key);
121
122void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
123 size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
124#endif
125#ifdef BSAES_ASM
126void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
127 size_t length, const AES_KEY *key, unsigned char ivec[16], int enc);
128void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
129 size_t len, const AES_KEY *key, const unsigned char ivec[16]);
130void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
131 size_t len, const AES_KEY *key1, const AES_KEY *key2,
132 const unsigned char iv[16]);
133void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
134 size_t len, const AES_KEY *key1, const AES_KEY *key2,
135 const unsigned char iv[16]);
136#endif
137#ifdef AES_CTR_ASM
138void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
139 size_t blocks, const AES_KEY *key,
140 const unsigned char ivec[AES_BLOCK_SIZE]);
141#endif
142#ifdef AES_XTS_ASM
143void AES_xts_encrypt(const char *inp, char *out, size_t len,
144 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
145void AES_xts_decrypt(const char *inp, char *out, size_t len,
146 const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
147#endif
148
149#if defined(AES_ASM) && ( \
150 ((defined(__i386) || defined(__i386__) || \
151 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
152 defined(__x86_64) || defined(__x86_64__) || \
153 defined(_M_AMD64) || defined(_M_X64) || \
154 defined(__INTEL__) )
155
156#include "x86_arch.h"
157
158#ifdef VPAES_ASM
159#define VPAES_CAPABLE (crypto_cpu_caps_ia32() & CPUCAP_MASK_SSSE3)
160#endif
161#ifdef BSAES_ASM
162#define BSAES_CAPABLE VPAES_CAPABLE
163#endif
164/*
165 * AES-NI section
166 */
167#define AESNI_CAPABLE (crypto_cpu_caps_ia32() & CPUCAP_MASK_AESNI)
168
169int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
170 AES_KEY *key);
171int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
172 AES_KEY *key);
173
174void aesni_encrypt(const unsigned char *in, unsigned char *out,
175 const AES_KEY *key);
176void aesni_decrypt(const unsigned char *in, unsigned char *out,
177 const AES_KEY *key);
178
179void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
180 size_t length, const AES_KEY *key, int enc);
181void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
182 size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
183
184void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
185 size_t blocks, const void *key, const unsigned char *ivec);
186
187void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
188 size_t length, const AES_KEY *key1, const AES_KEY *key2,
189 const unsigned char iv[16]);
190
191void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
192 size_t length, const AES_KEY *key1, const AES_KEY *key2,
193 const unsigned char iv[16]);
194
195void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out,
196 size_t blocks, const void *key, const unsigned char ivec[16],
197 unsigned char cmac[16]);
198
199void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out,
200 size_t blocks, const void *key, const unsigned char ivec[16],
201 unsigned char cmac[16]);
202
203static int
204aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
205 const unsigned char *iv, int enc)
206{
207 int ret, mode;
208 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
209
210 mode = ctx->cipher->flags & EVP_CIPH_MODE;
211 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
212 !enc) {
213 ret = aesni_set_decrypt_key(key, ctx->key_len * 8,
214 ctx->cipher_data);
215 dat->block = (block128_f)aesni_decrypt;
216 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
217 (cbc128_f)aesni_cbc_encrypt : NULL;
218 } else {
219 ret = aesni_set_encrypt_key(key, ctx->key_len * 8,
220 ctx->cipher_data);
221 dat->block = (block128_f)aesni_encrypt;
222 if (mode == EVP_CIPH_CBC_MODE)
223 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
224 else if (mode == EVP_CIPH_CTR_MODE)
225 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
226 else
227 dat->stream.cbc = NULL;
228 }
229
230 if (ret < 0) {
231 EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
232 return 0;
233 }
234
235 return 1;
236}
237
238static int
239aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
240 const unsigned char *in, size_t len)
241{
242 aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv,
243 ctx->encrypt);
244
245 return 1;
246}
247
248static int
249aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
250 const unsigned char *in, size_t len)
251{
252 size_t bl = ctx->cipher->block_size;
253
254 if (len < bl)
255 return 1;
256
257 aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
258
259 return 1;
260}
261
262static int
263aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
264 const unsigned char *iv, int enc)
265{
266 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
267
268 if (!iv && !key)
269 return 1;
270 if (key) {
271 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
272 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
273 (block128_f)aesni_encrypt);
274 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
275 /* If we have an iv can set it directly, otherwise use
276 * saved IV.
277 */
278 if (iv == NULL && gctx->iv_set)
279 iv = gctx->iv;
280 if (iv) {
281 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
282 gctx->iv_set = 1;
283 }
284 gctx->key_set = 1;
285 } else {
286 /* If key set use IV, otherwise copy */
287 if (gctx->key_set)
288 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
289 else
290 memcpy(gctx->iv, iv, gctx->ivlen);
291 gctx->iv_set = 1;
292 gctx->iv_gen = 0;
293 }
294 return 1;
295}
296
297static int
298aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
299 const unsigned char *iv, int enc)
300{
301 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
302
303 if (!iv && !key)
304 return 1;
305
306 if (key) {
307 /* key_len is two AES keys */
308 if (enc) {
309 aesni_set_encrypt_key(key, ctx->key_len * 4,
310 &xctx->ks1);
311 xctx->xts.block1 = (block128_f)aesni_encrypt;
312 xctx->stream = aesni_xts_encrypt;
313 } else {
314 aesni_set_decrypt_key(key, ctx->key_len * 4,
315 &xctx->ks1);
316 xctx->xts.block1 = (block128_f)aesni_decrypt;
317 xctx->stream = aesni_xts_decrypt;
318 }
319
320 aesni_set_encrypt_key(key + ctx->key_len / 2,
321 ctx->key_len * 4, &xctx->ks2);
322 xctx->xts.block2 = (block128_f)aesni_encrypt;
323
324 xctx->xts.key1 = &xctx->ks1;
325 }
326
327 if (iv) {
328 xctx->xts.key2 = &xctx->ks2;
329 memcpy(ctx->iv, iv, 16);
330 }
331
332 return 1;
333}
334
335static int
336aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
337 const unsigned char *iv, int enc)
338{
339 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
340
341 if (!iv && !key)
342 return 1;
343 if (key) {
344 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
345 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
346 &cctx->ks, (block128_f)aesni_encrypt);
347 cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks :
348 (ccm128_f)aesni_ccm64_decrypt_blocks;
349 cctx->key_set = 1;
350 }
351 if (iv) {
352 memcpy(ctx->iv, iv, 15 - cctx->L);
353 cctx->iv_set = 1;
354 }
355 return 1;
356}
357
358#endif
359
360static int
361aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
362 const unsigned char *iv, int enc)
363{
364 int ret, mode;
365 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
366
367 mode = ctx->cipher->flags & EVP_CIPH_MODE;
368 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
369 !enc)
370#ifdef BSAES_CAPABLE
371 if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
372 ret = AES_set_decrypt_key(key, ctx->key_len * 8,
373 &dat->ks);
374 dat->block = (block128_f)AES_decrypt;
375 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
376 } else
377#endif
378#ifdef VPAES_CAPABLE
379 if (VPAES_CAPABLE) {
380 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8,
381 &dat->ks);
382 dat->block = (block128_f)vpaes_decrypt;
383 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
384 (cbc128_f)vpaes_cbc_encrypt : NULL;
385 } else
386#endif
387 {
388 ret = AES_set_decrypt_key(key, ctx->key_len * 8,
389 &dat->ks);
390 dat->block = (block128_f)AES_decrypt;
391 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
392 (cbc128_f)AES_cbc_encrypt : NULL;
393 } else
394#ifdef BSAES_CAPABLE
395 if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
396 ret = AES_set_encrypt_key(key, ctx->key_len * 8,
397 &dat->ks);
398 dat->block = (block128_f)AES_encrypt;
399 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
400 } else
401#endif
402#ifdef VPAES_CAPABLE
403 if (VPAES_CAPABLE) {
404 ret = vpaes_set_encrypt_key(key, ctx->key_len * 8,
405 &dat->ks);
406 dat->block = (block128_f)vpaes_encrypt;
407 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
408 (cbc128_f)vpaes_cbc_encrypt : NULL;
409 } else
410#endif
411 {
412 ret = AES_set_encrypt_key(key, ctx->key_len * 8,
413 &dat->ks);
414 dat->block = (block128_f)AES_encrypt;
415 dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
416 (cbc128_f)AES_cbc_encrypt : NULL;
417#ifdef AES_CTR_ASM
418 if (mode == EVP_CIPH_CTR_MODE)
419 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
420#endif
421 }
422
423 if (ret < 0) {
424 EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
425 return 0;
426 }
427
428 return 1;
429}
430
431static int
432aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
433 const unsigned char *in, size_t len)
434{
435 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
436
437 if (dat->stream.cbc)
438 (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv,
439 ctx->encrypt);
440 else if (ctx->encrypt)
441 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv,
442 dat->block);
443 else
444 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv,
445 dat->block);
446
447 return 1;
448}
449
450static int
451aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
452 const unsigned char *in, size_t len)
453{
454 size_t bl = ctx->cipher->block_size;
455 size_t i;
456 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
457
458 if (len < bl)
459 return 1;
460
461 for (i = 0, len -= bl; i <= len; i += bl)
462 (*dat->block)(in + i, out + i, &dat->ks);
463
464 return 1;
465}
466
467static int
468aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
469 const unsigned char *in, size_t len)
470{
471 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
472
473 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
474 dat->block);
475 return 1;
476}
477
478static int
479aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
480 const unsigned char *in, size_t len)
481{
482 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
483
484 CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
485 ctx->encrypt, dat->block);
486 return 1;
487}
488
489static int
490aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
491 const unsigned char *in, size_t len)
492{
493 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
494
495 CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
496 ctx->encrypt, dat->block);
497 return 1;
498}
499
500static int
501aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
502 const unsigned char *in, size_t len)
503{
504 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
505
506 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
507 CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv,
508 &ctx->num, ctx->encrypt, dat->block);
509 return 1;
510 }
511
512 while (len >= MAXBITCHUNK) {
513 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks,
514 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
515 len -= MAXBITCHUNK;
516 in += MAXBITCHUNK;
517 out += MAXBITCHUNK;
518 }
519 if (len)
520 CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks,
521 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
522
523 return 1;
524}
525
526static int
527aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
528 const unsigned char *in, size_t len)
529{
530 unsigned int num = ctx->num;
531 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
532
533 if (dat->stream.ctr)
534 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
535 ctx->iv, ctx->buf, &num, dat->stream.ctr);
536 else
537 CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
538 ctx->iv, ctx->buf, &num, dat->block);
539 ctx->num = (size_t)num;
540 return 1;
541}
542
543
544#ifdef AESNI_CAPABLE
545static const EVP_CIPHER aesni_128_cbc = {
546 .nid = NID_aes_128_cbc,
547 .block_size = 16,
548 .key_len = 16,
549 .iv_len = 16,
550 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
551 .init = aesni_init_key,
552 .do_cipher = aesni_cbc_cipher,
553 .ctx_size = sizeof(EVP_AES_KEY),
554};
555#endif
556
557static const EVP_CIPHER aes_128_cbc = {
558 .nid = NID_aes_128_cbc,
559 .block_size = 16,
560 .key_len = 16,
561 .iv_len = 16,
562 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
563 .init = aes_init_key,
564 .do_cipher = aes_cbc_cipher,
565 .ctx_size = sizeof(EVP_AES_KEY),
566};
567
568const EVP_CIPHER *
569EVP_aes_128_cbc(void)
570{
571#ifdef AESNI_CAPABLE
572 return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc;
573#else
574 return &aes_128_cbc;
575#endif
576}
577LCRYPTO_ALIAS(EVP_aes_128_cbc);
578
579#ifdef AESNI_CAPABLE
580static const EVP_CIPHER aesni_128_ecb = {
581 .nid = NID_aes_128_ecb,
582 .block_size = 16,
583 .key_len = 16,
584 .iv_len = 0,
585 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
586 .init = aesni_init_key,
587 .do_cipher = aesni_ecb_cipher,
588 .ctx_size = sizeof(EVP_AES_KEY),
589};
590#endif
591
592static const EVP_CIPHER aes_128_ecb = {
593 .nid = NID_aes_128_ecb,
594 .block_size = 16,
595 .key_len = 16,
596 .iv_len = 0,
597 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
598 .init = aes_init_key,
599 .do_cipher = aes_ecb_cipher,
600 .ctx_size = sizeof(EVP_AES_KEY),
601};
602
603const EVP_CIPHER *
604EVP_aes_128_ecb(void)
605{
606#ifdef AESNI_CAPABLE
607 return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb;
608#else
609 return &aes_128_ecb;
610#endif
611}
612LCRYPTO_ALIAS(EVP_aes_128_ecb);
613
614#ifdef AESNI_CAPABLE
615static const EVP_CIPHER aesni_128_ofb = {
616 .nid = NID_aes_128_ofb128,
617 .block_size = 1,
618 .key_len = 16,
619 .iv_len = 16,
620 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
621 .init = aesni_init_key,
622 .do_cipher = aes_ofb_cipher,
623 .ctx_size = sizeof(EVP_AES_KEY),
624};
625#endif
626
627static const EVP_CIPHER aes_128_ofb = {
628 .nid = NID_aes_128_ofb128,
629 .block_size = 1,
630 .key_len = 16,
631 .iv_len = 16,
632 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
633 .init = aes_init_key,
634 .do_cipher = aes_ofb_cipher,
635 .ctx_size = sizeof(EVP_AES_KEY),
636};
637
638const EVP_CIPHER *
639EVP_aes_128_ofb(void)
640{
641#ifdef AESNI_CAPABLE
642 return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb;
643#else
644 return &aes_128_ofb;
645#endif
646}
647LCRYPTO_ALIAS(EVP_aes_128_ofb);
648
649#ifdef AESNI_CAPABLE
650static const EVP_CIPHER aesni_128_cfb = {
651 .nid = NID_aes_128_cfb128,
652 .block_size = 1,
653 .key_len = 16,
654 .iv_len = 16,
655 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
656 .init = aesni_init_key,
657 .do_cipher = aes_cfb_cipher,
658 .ctx_size = sizeof(EVP_AES_KEY),
659};
660#endif
661
662static const EVP_CIPHER aes_128_cfb = {
663 .nid = NID_aes_128_cfb128,
664 .block_size = 1,
665 .key_len = 16,
666 .iv_len = 16,
667 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
668 .init = aes_init_key,
669 .do_cipher = aes_cfb_cipher,
670 .ctx_size = sizeof(EVP_AES_KEY),
671};
672
673const EVP_CIPHER *
674EVP_aes_128_cfb128(void)
675{
676#ifdef AESNI_CAPABLE
677 return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb;
678#else
679 return &aes_128_cfb;
680#endif
681}
682LCRYPTO_ALIAS(EVP_aes_128_cfb128);
683
684#ifdef AESNI_CAPABLE
685static const EVP_CIPHER aesni_128_cfb1 = {
686 .nid = NID_aes_128_cfb1,
687 .block_size = 1,
688 .key_len = 16,
689 .iv_len = 16,
690 .flags = EVP_CIPH_CFB_MODE,
691 .init = aesni_init_key,
692 .do_cipher = aes_cfb1_cipher,
693 .ctx_size = sizeof(EVP_AES_KEY),
694};
695#endif
696
697static const EVP_CIPHER aes_128_cfb1 = {
698 .nid = NID_aes_128_cfb1,
699 .block_size = 1,
700 .key_len = 16,
701 .iv_len = 16,
702 .flags = EVP_CIPH_CFB_MODE,
703 .init = aes_init_key,
704 .do_cipher = aes_cfb1_cipher,
705 .ctx_size = sizeof(EVP_AES_KEY),
706};
707
708const EVP_CIPHER *
709EVP_aes_128_cfb1(void)
710{
711#ifdef AESNI_CAPABLE
712 return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1;
713#else
714 return &aes_128_cfb1;
715#endif
716}
717LCRYPTO_ALIAS(EVP_aes_128_cfb1);
718
719#ifdef AESNI_CAPABLE
720static const EVP_CIPHER aesni_128_cfb8 = {
721 .nid = NID_aes_128_cfb8,
722 .block_size = 1,
723 .key_len = 16,
724 .iv_len = 16,
725 .flags = EVP_CIPH_CFB_MODE,
726 .init = aesni_init_key,
727 .do_cipher = aes_cfb8_cipher,
728 .ctx_size = sizeof(EVP_AES_KEY),
729};
730#endif
731
732static const EVP_CIPHER aes_128_cfb8 = {
733 .nid = NID_aes_128_cfb8,
734 .block_size = 1,
735 .key_len = 16,
736 .iv_len = 16,
737 .flags = EVP_CIPH_CFB_MODE,
738 .init = aes_init_key,
739 .do_cipher = aes_cfb8_cipher,
740 .ctx_size = sizeof(EVP_AES_KEY),
741};
742
743const EVP_CIPHER *
744EVP_aes_128_cfb8(void)
745{
746#ifdef AESNI_CAPABLE
747 return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8;
748#else
749 return &aes_128_cfb8;
750#endif
751}
752LCRYPTO_ALIAS(EVP_aes_128_cfb8);
753
754#ifdef AESNI_CAPABLE
755static const EVP_CIPHER aesni_128_ctr = {
756 .nid = NID_aes_128_ctr,
757 .block_size = 1,
758 .key_len = 16,
759 .iv_len = 16,
760 .flags = EVP_CIPH_CTR_MODE,
761 .init = aesni_init_key,
762 .do_cipher = aes_ctr_cipher,
763 .ctx_size = sizeof(EVP_AES_KEY),
764};
765#endif
766
767static const EVP_CIPHER aes_128_ctr = {
768 .nid = NID_aes_128_ctr,
769 .block_size = 1,
770 .key_len = 16,
771 .iv_len = 16,
772 .flags = EVP_CIPH_CTR_MODE,
773 .init = aes_init_key,
774 .do_cipher = aes_ctr_cipher,
775 .ctx_size = sizeof(EVP_AES_KEY),
776};
777
778const EVP_CIPHER *
779EVP_aes_128_ctr(void)
780{
781#ifdef AESNI_CAPABLE
782 return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr;
783#else
784 return &aes_128_ctr;
785#endif
786}
787LCRYPTO_ALIAS(EVP_aes_128_ctr);
788
789
790#ifdef AESNI_CAPABLE
791static const EVP_CIPHER aesni_192_cbc = {
792 .nid = NID_aes_192_cbc,
793 .block_size = 16,
794 .key_len = 24,
795 .iv_len = 16,
796 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
797 .init = aesni_init_key,
798 .do_cipher = aesni_cbc_cipher,
799 .ctx_size = sizeof(EVP_AES_KEY),
800};
801#endif
802
803static const EVP_CIPHER aes_192_cbc = {
804 .nid = NID_aes_192_cbc,
805 .block_size = 16,
806 .key_len = 24,
807 .iv_len = 16,
808 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
809 .init = aes_init_key,
810 .do_cipher = aes_cbc_cipher,
811 .ctx_size = sizeof(EVP_AES_KEY),
812};
813
814const EVP_CIPHER *
815EVP_aes_192_cbc(void)
816{
817#ifdef AESNI_CAPABLE
818 return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc;
819#else
820 return &aes_192_cbc;
821#endif
822}
823LCRYPTO_ALIAS(EVP_aes_192_cbc);
824
825#ifdef AESNI_CAPABLE
826static const EVP_CIPHER aesni_192_ecb = {
827 .nid = NID_aes_192_ecb,
828 .block_size = 16,
829 .key_len = 24,
830 .iv_len = 0,
831 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
832 .init = aesni_init_key,
833 .do_cipher = aesni_ecb_cipher,
834 .ctx_size = sizeof(EVP_AES_KEY),
835};
836#endif
837
838static const EVP_CIPHER aes_192_ecb = {
839 .nid = NID_aes_192_ecb,
840 .block_size = 16,
841 .key_len = 24,
842 .iv_len = 0,
843 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
844 .init = aes_init_key,
845 .do_cipher = aes_ecb_cipher,
846 .ctx_size = sizeof(EVP_AES_KEY),
847};
848
849const EVP_CIPHER *
850EVP_aes_192_ecb(void)
851{
852#ifdef AESNI_CAPABLE
853 return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb;
854#else
855 return &aes_192_ecb;
856#endif
857}
858LCRYPTO_ALIAS(EVP_aes_192_ecb);
859
860#ifdef AESNI_CAPABLE
861static const EVP_CIPHER aesni_192_ofb = {
862 .nid = NID_aes_192_ofb128,
863 .block_size = 1,
864 .key_len = 24,
865 .iv_len = 16,
866 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
867 .init = aesni_init_key,
868 .do_cipher = aes_ofb_cipher,
869 .ctx_size = sizeof(EVP_AES_KEY),
870};
871#endif
872
873static const EVP_CIPHER aes_192_ofb = {
874 .nid = NID_aes_192_ofb128,
875 .block_size = 1,
876 .key_len = 24,
877 .iv_len = 16,
878 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
879 .init = aes_init_key,
880 .do_cipher = aes_ofb_cipher,
881 .ctx_size = sizeof(EVP_AES_KEY),
882};
883
884const EVP_CIPHER *
885EVP_aes_192_ofb(void)
886{
887#ifdef AESNI_CAPABLE
888 return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb;
889#else
890 return &aes_192_ofb;
891#endif
892}
893LCRYPTO_ALIAS(EVP_aes_192_ofb);
894
895#ifdef AESNI_CAPABLE
896static const EVP_CIPHER aesni_192_cfb = {
897 .nid = NID_aes_192_cfb128,
898 .block_size = 1,
899 .key_len = 24,
900 .iv_len = 16,
901 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
902 .init = aesni_init_key,
903 .do_cipher = aes_cfb_cipher,
904 .ctx_size = sizeof(EVP_AES_KEY),
905};
906#endif
907
908static const EVP_CIPHER aes_192_cfb = {
909 .nid = NID_aes_192_cfb128,
910 .block_size = 1,
911 .key_len = 24,
912 .iv_len = 16,
913 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
914 .init = aes_init_key,
915 .do_cipher = aes_cfb_cipher,
916 .ctx_size = sizeof(EVP_AES_KEY),
917};
918
919const EVP_CIPHER *
920EVP_aes_192_cfb128(void)
921{
922#ifdef AESNI_CAPABLE
923 return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb;
924#else
925 return &aes_192_cfb;
926#endif
927}
928LCRYPTO_ALIAS(EVP_aes_192_cfb128);
929
930#ifdef AESNI_CAPABLE
931static const EVP_CIPHER aesni_192_cfb1 = {
932 .nid = NID_aes_192_cfb1,
933 .block_size = 1,
934 .key_len = 24,
935 .iv_len = 16,
936 .flags = EVP_CIPH_CFB_MODE,
937 .init = aesni_init_key,
938 .do_cipher = aes_cfb1_cipher,
939 .ctx_size = sizeof(EVP_AES_KEY),
940};
941#endif
942
943static const EVP_CIPHER aes_192_cfb1 = {
944 .nid = NID_aes_192_cfb1,
945 .block_size = 1,
946 .key_len = 24,
947 .iv_len = 16,
948 .flags = EVP_CIPH_CFB_MODE,
949 .init = aes_init_key,
950 .do_cipher = aes_cfb1_cipher,
951 .ctx_size = sizeof(EVP_AES_KEY),
952};
953
954const EVP_CIPHER *
955EVP_aes_192_cfb1(void)
956{
957#ifdef AESNI_CAPABLE
958 return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1;
959#else
960 return &aes_192_cfb1;
961#endif
962}
963LCRYPTO_ALIAS(EVP_aes_192_cfb1);
964
965#ifdef AESNI_CAPABLE
966static const EVP_CIPHER aesni_192_cfb8 = {
967 .nid = NID_aes_192_cfb8,
968 .block_size = 1,
969 .key_len = 24,
970 .iv_len = 16,
971 .flags = EVP_CIPH_CFB_MODE,
972 .init = aesni_init_key,
973 .do_cipher = aes_cfb8_cipher,
974 .ctx_size = sizeof(EVP_AES_KEY),
975};
976#endif
977
978static const EVP_CIPHER aes_192_cfb8 = {
979 .nid = NID_aes_192_cfb8,
980 .block_size = 1,
981 .key_len = 24,
982 .iv_len = 16,
983 .flags = EVP_CIPH_CFB_MODE,
984 .init = aes_init_key,
985 .do_cipher = aes_cfb8_cipher,
986 .ctx_size = sizeof(EVP_AES_KEY),
987};
988
989const EVP_CIPHER *
990EVP_aes_192_cfb8(void)
991{
992#ifdef AESNI_CAPABLE
993 return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8;
994#else
995 return &aes_192_cfb8;
996#endif
997}
998LCRYPTO_ALIAS(EVP_aes_192_cfb8);
999
1000#ifdef AESNI_CAPABLE
1001static const EVP_CIPHER aesni_192_ctr = {
1002 .nid = NID_aes_192_ctr,
1003 .block_size = 1,
1004 .key_len = 24,
1005 .iv_len = 16,
1006 .flags = EVP_CIPH_CTR_MODE,
1007 .init = aesni_init_key,
1008 .do_cipher = aes_ctr_cipher,
1009 .ctx_size = sizeof(EVP_AES_KEY),
1010};
1011#endif
1012
1013static const EVP_CIPHER aes_192_ctr = {
1014 .nid = NID_aes_192_ctr,
1015 .block_size = 1,
1016 .key_len = 24,
1017 .iv_len = 16,
1018 .flags = EVP_CIPH_CTR_MODE,
1019 .init = aes_init_key,
1020 .do_cipher = aes_ctr_cipher,
1021 .ctx_size = sizeof(EVP_AES_KEY),
1022};
1023
1024const EVP_CIPHER *
1025EVP_aes_192_ctr(void)
1026{
1027#ifdef AESNI_CAPABLE
1028 return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr;
1029#else
1030 return &aes_192_ctr;
1031#endif
1032}
1033LCRYPTO_ALIAS(EVP_aes_192_ctr);
1034
1035
1036#ifdef AESNI_CAPABLE
1037static const EVP_CIPHER aesni_256_cbc = {
1038 .nid = NID_aes_256_cbc,
1039 .block_size = 16,
1040 .key_len = 32,
1041 .iv_len = 16,
1042 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
1043 .init = aesni_init_key,
1044 .do_cipher = aesni_cbc_cipher,
1045 .ctx_size = sizeof(EVP_AES_KEY),
1046};
1047#endif
1048
1049static const EVP_CIPHER aes_256_cbc = {
1050 .nid = NID_aes_256_cbc,
1051 .block_size = 16,
1052 .key_len = 32,
1053 .iv_len = 16,
1054 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
1055 .init = aes_init_key,
1056 .do_cipher = aes_cbc_cipher,
1057 .ctx_size = sizeof(EVP_AES_KEY),
1058};
1059
1060const EVP_CIPHER *
1061EVP_aes_256_cbc(void)
1062{
1063#ifdef AESNI_CAPABLE
1064 return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc;
1065#else
1066 return &aes_256_cbc;
1067#endif
1068}
1069LCRYPTO_ALIAS(EVP_aes_256_cbc);
1070
1071#ifdef AESNI_CAPABLE
1072static const EVP_CIPHER aesni_256_ecb = {
1073 .nid = NID_aes_256_ecb,
1074 .block_size = 16,
1075 .key_len = 32,
1076 .iv_len = 0,
1077 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
1078 .init = aesni_init_key,
1079 .do_cipher = aesni_ecb_cipher,
1080 .ctx_size = sizeof(EVP_AES_KEY),
1081};
1082#endif
1083
1084static const EVP_CIPHER aes_256_ecb = {
1085 .nid = NID_aes_256_ecb,
1086 .block_size = 16,
1087 .key_len = 32,
1088 .iv_len = 0,
1089 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
1090 .init = aes_init_key,
1091 .do_cipher = aes_ecb_cipher,
1092 .ctx_size = sizeof(EVP_AES_KEY),
1093};
1094
1095const EVP_CIPHER *
1096EVP_aes_256_ecb(void)
1097{
1098#ifdef AESNI_CAPABLE
1099 return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb;
1100#else
1101 return &aes_256_ecb;
1102#endif
1103}
1104LCRYPTO_ALIAS(EVP_aes_256_ecb);
1105
1106#ifdef AESNI_CAPABLE
1107static const EVP_CIPHER aesni_256_ofb = {
1108 .nid = NID_aes_256_ofb128,
1109 .block_size = 1,
1110 .key_len = 32,
1111 .iv_len = 16,
1112 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
1113 .init = aesni_init_key,
1114 .do_cipher = aes_ofb_cipher,
1115 .ctx_size = sizeof(EVP_AES_KEY),
1116};
1117#endif
1118
1119static const EVP_CIPHER aes_256_ofb = {
1120 .nid = NID_aes_256_ofb128,
1121 .block_size = 1,
1122 .key_len = 32,
1123 .iv_len = 16,
1124 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
1125 .init = aes_init_key,
1126 .do_cipher = aes_ofb_cipher,
1127 .ctx_size = sizeof(EVP_AES_KEY),
1128};
1129
1130const EVP_CIPHER *
1131EVP_aes_256_ofb(void)
1132{
1133#ifdef AESNI_CAPABLE
1134 return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb;
1135#else
1136 return &aes_256_ofb;
1137#endif
1138}
1139LCRYPTO_ALIAS(EVP_aes_256_ofb);
1140
1141#ifdef AESNI_CAPABLE
1142static const EVP_CIPHER aesni_256_cfb = {
1143 .nid = NID_aes_256_cfb128,
1144 .block_size = 1,
1145 .key_len = 32,
1146 .iv_len = 16,
1147 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
1148 .init = aesni_init_key,
1149 .do_cipher = aes_cfb_cipher,
1150 .ctx_size = sizeof(EVP_AES_KEY),
1151};
1152#endif
1153
1154static const EVP_CIPHER aes_256_cfb = {
1155 .nid = NID_aes_256_cfb128,
1156 .block_size = 1,
1157 .key_len = 32,
1158 .iv_len = 16,
1159 .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
1160 .init = aes_init_key,
1161 .do_cipher = aes_cfb_cipher,
1162 .ctx_size = sizeof(EVP_AES_KEY),
1163};
1164
1165const EVP_CIPHER *
1166EVP_aes_256_cfb128(void)
1167{
1168#ifdef AESNI_CAPABLE
1169 return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb;
1170#else
1171 return &aes_256_cfb;
1172#endif
1173}
1174LCRYPTO_ALIAS(EVP_aes_256_cfb128);
1175
1176#ifdef AESNI_CAPABLE
1177static const EVP_CIPHER aesni_256_cfb1 = {
1178 .nid = NID_aes_256_cfb1,
1179 .block_size = 1,
1180 .key_len = 32,
1181 .iv_len = 16,
1182 .flags = EVP_CIPH_CFB_MODE,
1183 .init = aesni_init_key,
1184 .do_cipher = aes_cfb1_cipher,
1185 .ctx_size = sizeof(EVP_AES_KEY),
1186};
1187#endif
1188
1189static const EVP_CIPHER aes_256_cfb1 = {
1190 .nid = NID_aes_256_cfb1,
1191 .block_size = 1,
1192 .key_len = 32,
1193 .iv_len = 16,
1194 .flags = EVP_CIPH_CFB_MODE,
1195 .init = aes_init_key,
1196 .do_cipher = aes_cfb1_cipher,
1197 .ctx_size = sizeof(EVP_AES_KEY),
1198};
1199
1200const EVP_CIPHER *
1201EVP_aes_256_cfb1(void)
1202{
1203#ifdef AESNI_CAPABLE
1204 return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1;
1205#else
1206 return &aes_256_cfb1;
1207#endif
1208}
1209LCRYPTO_ALIAS(EVP_aes_256_cfb1);
1210
1211#ifdef AESNI_CAPABLE
1212static const EVP_CIPHER aesni_256_cfb8 = {
1213 .nid = NID_aes_256_cfb8,
1214 .block_size = 1,
1215 .key_len = 32,
1216 .iv_len = 16,
1217 .flags = EVP_CIPH_CFB_MODE,
1218 .init = aesni_init_key,
1219 .do_cipher = aes_cfb8_cipher,
1220 .ctx_size = sizeof(EVP_AES_KEY),
1221};
1222#endif
1223
1224static const EVP_CIPHER aes_256_cfb8 = {
1225 .nid = NID_aes_256_cfb8,
1226 .block_size = 1,
1227 .key_len = 32,
1228 .iv_len = 16,
1229 .flags = EVP_CIPH_CFB_MODE,
1230 .init = aes_init_key,
1231 .do_cipher = aes_cfb8_cipher,
1232 .ctx_size = sizeof(EVP_AES_KEY),
1233};
1234
1235const EVP_CIPHER *
1236EVP_aes_256_cfb8(void)
1237{
1238#ifdef AESNI_CAPABLE
1239 return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8;
1240#else
1241 return &aes_256_cfb8;
1242#endif
1243}
1244LCRYPTO_ALIAS(EVP_aes_256_cfb8);
1245
1246#ifdef AESNI_CAPABLE
1247static const EVP_CIPHER aesni_256_ctr = {
1248 .nid = NID_aes_256_ctr,
1249 .block_size = 1,
1250 .key_len = 32,
1251 .iv_len = 16,
1252 .flags = EVP_CIPH_CTR_MODE,
1253 .init = aesni_init_key,
1254 .do_cipher = aes_ctr_cipher,
1255 .ctx_size = sizeof(EVP_AES_KEY),
1256};
1257#endif
1258
1259static const EVP_CIPHER aes_256_ctr = {
1260 .nid = NID_aes_256_ctr,
1261 .block_size = 1,
1262 .key_len = 32,
1263 .iv_len = 16,
1264 .flags = EVP_CIPH_CTR_MODE,
1265 .init = aes_init_key,
1266 .do_cipher = aes_ctr_cipher,
1267 .ctx_size = sizeof(EVP_AES_KEY),
1268};
1269
1270const EVP_CIPHER *
1271EVP_aes_256_ctr(void)
1272{
1273#ifdef AESNI_CAPABLE
1274 return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr;
1275#else
1276 return &aes_256_ctr;
1277#endif
1278}
1279LCRYPTO_ALIAS(EVP_aes_256_ctr);
1280
1281static int
1282aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1283{
1284 EVP_AES_GCM_CTX *gctx = c->cipher_data;
1285
1286 if (gctx->iv != c->iv)
1287 free(gctx->iv);
1288
1289 explicit_bzero(gctx, sizeof(*gctx));
1290
1291 return 1;
1292}
1293
1294/* increment counter (64-bit int) by 1 */
1295static void
1296ctr64_inc(unsigned char *counter)
1297{
1298 int n = 8;
1299 unsigned char c;
1300
1301 do {
1302 --n;
1303 c = counter[n];
1304 ++c;
1305 counter[n] = c;
1306 if (c)
1307 return;
1308 } while (n);
1309}
1310
1311static int
1312aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1313{
1314 EVP_AES_GCM_CTX *gctx = c->cipher_data;
1315
1316 switch (type) {
1317 case EVP_CTRL_INIT:
1318 gctx->key_set = 0;
1319 gctx->iv_set = 0;
1320 if (c->cipher->iv_len == 0) {
1321 EVPerror(EVP_R_INVALID_IV_LENGTH);
1322 return 0;
1323 }
1324 gctx->ivlen = c->cipher->iv_len;
1325 gctx->iv = c->iv;
1326 gctx->taglen = -1;
1327 gctx->iv_gen = 0;
1328 gctx->tls_aad_len = -1;
1329 return 1;
1330
1331 case EVP_CTRL_AEAD_GET_IVLEN:
1332 *(int *)ptr = gctx->ivlen;
1333 return 1;
1334
1335 case EVP_CTRL_AEAD_SET_IVLEN:
1336 if (arg <= 0)
1337 return 0;
1338 /* Allocate memory for IV if needed */
1339 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
1340 if (gctx->iv != c->iv)
1341 free(gctx->iv);
1342 gctx->iv = malloc(arg);
1343 if (!gctx->iv)
1344 return 0;
1345 }
1346 gctx->ivlen = arg;
1347 return 1;
1348
1349 case EVP_CTRL_GCM_SET_TAG:
1350 if (arg <= 0 || arg > 16 || c->encrypt)
1351 return 0;
1352 memcpy(c->buf, ptr, arg);
1353 gctx->taglen = arg;
1354 return 1;
1355
1356 case EVP_CTRL_GCM_GET_TAG:
1357 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1358 return 0;
1359 memcpy(ptr, c->buf, arg);
1360 return 1;
1361
1362 case EVP_CTRL_GCM_SET_IV_FIXED:
1363 /* Special case: -1 length restores whole IV */
1364 if (arg == -1) {
1365 memcpy(gctx->iv, ptr, gctx->ivlen);
1366 gctx->iv_gen = 1;
1367 return 1;
1368 }
1369 /* Fixed field must be at least 4 bytes and invocation field
1370 * at least 8.
1371 */
1372 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1373 return 0;
1374 if (arg)
1375 memcpy(gctx->iv, ptr, arg);
1376 if (c->encrypt)
1377 arc4random_buf(gctx->iv + arg, gctx->ivlen - arg);
1378 gctx->iv_gen = 1;
1379 return 1;
1380
1381 case EVP_CTRL_GCM_IV_GEN:
1382 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1383 return 0;
1384 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1385 if (arg <= 0 || arg > gctx->ivlen)
1386 arg = gctx->ivlen;
1387 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1388 /* Invocation field will be at least 8 bytes in size and
1389 * so no need to check wrap around or increment more than
1390 * last 8 bytes.
1391 */
1392 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1393 gctx->iv_set = 1;
1394 return 1;
1395
1396 case EVP_CTRL_GCM_SET_IV_INV:
1397 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1398 return 0;
1399 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1400 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1401 gctx->iv_set = 1;
1402 return 1;
1403
1404 case EVP_CTRL_AEAD_TLS1_AAD:
1405 /* Save the AAD for later use */
1406 if (arg != 13)
1407 return 0;
1408 memcpy(c->buf, ptr, arg);
1409 gctx->tls_aad_len = arg;
1410 {
1411 unsigned int len = c->buf[arg - 2] << 8 |
1412 c->buf[arg - 1];
1413
1414 /* Correct length for explicit IV */
1415 if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
1416 return 0;
1417 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1418
1419 /* If decrypting correct for tag too */
1420 if (!c->encrypt) {
1421 if (len < EVP_GCM_TLS_TAG_LEN)
1422 return 0;
1423 len -= EVP_GCM_TLS_TAG_LEN;
1424 }
1425 c->buf[arg - 2] = len >> 8;
1426 c->buf[arg - 1] = len & 0xff;
1427 }
1428 /* Extra padding: tag appended to record */
1429 return EVP_GCM_TLS_TAG_LEN;
1430
1431 case EVP_CTRL_COPY:
1432 {
1433 EVP_CIPHER_CTX *out = ptr;
1434 EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
1435
1436 if (gctx->gcm.key) {
1437 if (gctx->gcm.key != &gctx->ks)
1438 return 0;
1439 gctx_out->gcm.key = &gctx_out->ks;
1440 }
1441
1442 if (gctx->iv == c->iv) {
1443 gctx_out->iv = out->iv;
1444 } else {
1445 if ((gctx_out->iv = calloc(1, gctx->ivlen)) == NULL)
1446 return 0;
1447 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
1448 }
1449 return 1;
1450 }
1451
1452 default:
1453 return -1;
1454
1455 }
1456}
1457
1458static ctr128_f
1459aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
1460 const unsigned char *key, size_t key_len)
1461{
1462#ifdef BSAES_CAPABLE
1463 if (BSAES_CAPABLE) {
1464 AES_set_encrypt_key(key, key_len * 8, aes_key);
1465 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
1466 return (ctr128_f)bsaes_ctr32_encrypt_blocks;
1467 } else
1468#endif
1469#ifdef VPAES_CAPABLE
1470 if (VPAES_CAPABLE) {
1471 vpaes_set_encrypt_key(key, key_len * 8, aes_key);
1472 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
1473 return NULL;
1474 } else
1475#endif
1476 (void)0; /* terminate potentially open 'else' */
1477
1478 AES_set_encrypt_key(key, key_len * 8, aes_key);
1479 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
1480#ifdef AES_CTR_ASM
1481 return (ctr128_f)AES_ctr32_encrypt;
1482#else
1483 return NULL;
1484#endif
1485}
1486
1487static int
1488aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1489 const unsigned char *iv, int enc)
1490{
1491 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1492
1493 if (!iv && !key)
1494 return 1;
1495 if (key) {
1496 gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm,
1497 key, ctx->key_len);
1498
1499 /* If we have an iv can set it directly, otherwise use
1500 * saved IV.
1501 */
1502 if (iv == NULL && gctx->iv_set)
1503 iv = gctx->iv;
1504 if (iv) {
1505 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1506 gctx->iv_set = 1;
1507 }
1508 gctx->key_set = 1;
1509 } else {
1510 /* If key set use IV, otherwise copy */
1511 if (gctx->key_set)
1512 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1513 else
1514 memcpy(gctx->iv, iv, gctx->ivlen);
1515 gctx->iv_set = 1;
1516 gctx->iv_gen = 0;
1517 }
1518 return 1;
1519}
1520
1521/* Handle TLS GCM packet format. This consists of the last portion of the IV
1522 * followed by the payload and finally the tag. On encrypt generate IV,
1523 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1524 * and verify tag.
1525 */
1526
1527static int
1528aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1529 const unsigned char *in, size_t len)
1530{
1531 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1532 int rv = -1;
1533
1534 /* Encrypt/decrypt must be performed in place */
1535 if (out != in ||
1536 len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1537 return -1;
1538
1539 /* Set IV from start of buffer or generate IV and write to start
1540 * of buffer.
1541 */
1542 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1543 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1544 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1545 goto err;
1546
1547 /* Use saved AAD */
1548 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1549 goto err;
1550
1551 /* Fix buffer and length to point to payload */
1552 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1553 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1554 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1555 if (ctx->encrypt) {
1556 /* Encrypt payload */
1557 if (gctx->ctr) {
1558 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out,
1559 len, gctx->ctr))
1560 goto err;
1561 } else {
1562 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1563 goto err;
1564 }
1565 out += len;
1566
1567 /* Finally write tag */
1568 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1569 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1570 } else {
1571 /* Decrypt */
1572 if (gctx->ctr) {
1573 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out,
1574 len, gctx->ctr))
1575 goto err;
1576 } else {
1577 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1578 goto err;
1579 }
1580 /* Retrieve tag */
1581 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
1582
1583 /* If tag mismatch wipe buffer */
1584 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
1585 explicit_bzero(out, len);
1586 goto err;
1587 }
1588 rv = len;
1589 }
1590
1591err:
1592 gctx->iv_set = 0;
1593 gctx->tls_aad_len = -1;
1594 return rv;
1595}
1596
1597static int
1598aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1599 const unsigned char *in, size_t len)
1600{
1601 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1602
1603 /* If not set up, return error */
1604 if (!gctx->key_set)
1605 return -1;
1606
1607 if (gctx->tls_aad_len >= 0)
1608 return aes_gcm_tls_cipher(ctx, out, in, len);
1609
1610 if (!gctx->iv_set)
1611 return -1;
1612
1613 if (in) {
1614 if (out == NULL) {
1615 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1616 return -1;
1617 } else if (ctx->encrypt) {
1618 if (gctx->ctr) {
1619 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1620 in, out, len, gctx->ctr))
1621 return -1;
1622 } else {
1623 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1624 in, out, len))
1625 return -1;
1626 }
1627 } else {
1628 if (gctx->ctr) {
1629 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1630 in, out, len, gctx->ctr))
1631 return -1;
1632 } else {
1633 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1634 in, out, len))
1635 return -1;
1636 }
1637 }
1638 return len;
1639 } else {
1640 if (!ctx->encrypt) {
1641 if (gctx->taglen < 0)
1642 return -1;
1643 if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf,
1644 gctx->taglen) != 0)
1645 return -1;
1646 gctx->iv_set = 0;
1647 return 0;
1648 }
1649 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1650 gctx->taglen = 16;
1651
1652 /* Don't reuse the IV */
1653 gctx->iv_set = 0;
1654 return 0;
1655 }
1656
1657}
1658
1659#define CUSTOM_FLAGS \
1660 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
1661 EVP_CIPH_FLAG_CUSTOM_IV_LENGTH | \
1662 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \
1663 EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
1664
1665
1666#ifdef AESNI_CAPABLE
1667static const EVP_CIPHER aesni_128_gcm = {
1668 .nid = NID_aes_128_gcm,
1669 .block_size = 1,
1670 .key_len = 16,
1671 .iv_len = 12,
1672 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1673 .init = aesni_gcm_init_key,
1674 .do_cipher = aes_gcm_cipher,
1675 .cleanup = aes_gcm_cleanup,
1676 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1677 .ctrl = aes_gcm_ctrl,
1678};
1679#endif
1680
1681static const EVP_CIPHER aes_128_gcm = {
1682 .nid = NID_aes_128_gcm,
1683 .block_size = 1,
1684 .key_len = 16,
1685 .iv_len = 12,
1686 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1687 .init = aes_gcm_init_key,
1688 .do_cipher = aes_gcm_cipher,
1689 .cleanup = aes_gcm_cleanup,
1690 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1691 .ctrl = aes_gcm_ctrl,
1692};
1693
1694const EVP_CIPHER *
1695EVP_aes_128_gcm(void)
1696{
1697#ifdef AESNI_CAPABLE
1698 return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm;
1699#else
1700 return &aes_128_gcm;
1701#endif
1702}
1703LCRYPTO_ALIAS(EVP_aes_128_gcm);
1704
1705#ifdef AESNI_CAPABLE
1706static const EVP_CIPHER aesni_192_gcm = {
1707 .nid = NID_aes_192_gcm,
1708 .block_size = 1,
1709 .key_len = 24,
1710 .iv_len = 12,
1711 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1712 .init = aesni_gcm_init_key,
1713 .do_cipher = aes_gcm_cipher,
1714 .cleanup = aes_gcm_cleanup,
1715 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1716 .ctrl = aes_gcm_ctrl,
1717};
1718#endif
1719
1720static const EVP_CIPHER aes_192_gcm = {
1721 .nid = NID_aes_192_gcm,
1722 .block_size = 1,
1723 .key_len = 24,
1724 .iv_len = 12,
1725 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1726 .init = aes_gcm_init_key,
1727 .do_cipher = aes_gcm_cipher,
1728 .cleanup = aes_gcm_cleanup,
1729 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1730 .ctrl = aes_gcm_ctrl,
1731};
1732
1733const EVP_CIPHER *
1734EVP_aes_192_gcm(void)
1735{
1736#ifdef AESNI_CAPABLE
1737 return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm;
1738#else
1739 return &aes_192_gcm;
1740#endif
1741}
1742LCRYPTO_ALIAS(EVP_aes_192_gcm);
1743
1744#ifdef AESNI_CAPABLE
1745static const EVP_CIPHER aesni_256_gcm = {
1746 .nid = NID_aes_256_gcm,
1747 .block_size = 1,
1748 .key_len = 32,
1749 .iv_len = 12,
1750 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1751 .init = aesni_gcm_init_key,
1752 .do_cipher = aes_gcm_cipher,
1753 .cleanup = aes_gcm_cleanup,
1754 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1755 .ctrl = aes_gcm_ctrl,
1756};
1757#endif
1758
1759static const EVP_CIPHER aes_256_gcm = {
1760 .nid = NID_aes_256_gcm,
1761 .block_size = 1,
1762 .key_len = 32,
1763 .iv_len = 12,
1764 .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
1765 .init = aes_gcm_init_key,
1766 .do_cipher = aes_gcm_cipher,
1767 .cleanup = aes_gcm_cleanup,
1768 .ctx_size = sizeof(EVP_AES_GCM_CTX),
1769 .ctrl = aes_gcm_ctrl,
1770};
1771
1772const EVP_CIPHER *
1773EVP_aes_256_gcm(void)
1774{
1775#ifdef AESNI_CAPABLE
1776 return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm;
1777#else
1778 return &aes_256_gcm;
1779#endif
1780}
1781LCRYPTO_ALIAS(EVP_aes_256_gcm);
1782
1783static int
1784aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1785{
1786 EVP_AES_XTS_CTX *xctx = c->cipher_data;
1787
1788 switch (type) {
1789 case EVP_CTRL_INIT:
1790 /*
1791 * key1 and key2 are used as an indicator both key and IV
1792 * are set
1793 */
1794 xctx->xts.key1 = NULL;
1795 xctx->xts.key2 = NULL;
1796 return 1;
1797
1798 case EVP_CTRL_COPY:
1799 {
1800 EVP_CIPHER_CTX *out = ptr;
1801 EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
1802
1803 if (xctx->xts.key1) {
1804 if (xctx->xts.key1 != &xctx->ks1)
1805 return 0;
1806 xctx_out->xts.key1 = &xctx_out->ks1;
1807 }
1808 if (xctx->xts.key2) {
1809 if (xctx->xts.key2 != &xctx->ks2)
1810 return 0;
1811 xctx_out->xts.key2 = &xctx_out->ks2;
1812 }
1813 return 1;
1814 }
1815 }
1816 return -1;
1817}
1818
1819static int
1820aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1821 const unsigned char *iv, int enc)
1822{
1823 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1824
1825 if (!iv && !key)
1826 return 1;
1827
1828 if (key) do {
1829#ifdef AES_XTS_ASM
1830 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1831#else
1832 xctx->stream = NULL;
1833#endif
1834 /* key_len is two AES keys */
1835#ifdef BSAES_CAPABLE
1836 if (BSAES_CAPABLE)
1837 xctx->stream = enc ? bsaes_xts_encrypt :
1838 bsaes_xts_decrypt;
1839 else
1840#endif
1841#ifdef VPAES_CAPABLE
1842 if (VPAES_CAPABLE) {
1843 if (enc) {
1844 vpaes_set_encrypt_key(key, ctx->key_len * 4,
1845 &xctx->ks1);
1846 xctx->xts.block1 = (block128_f)vpaes_encrypt;
1847 } else {
1848 vpaes_set_decrypt_key(key, ctx->key_len * 4,
1849 &xctx->ks1);
1850 xctx->xts.block1 = (block128_f)vpaes_decrypt;
1851 }
1852
1853 vpaes_set_encrypt_key(key + ctx->key_len / 2,
1854 ctx->key_len * 4, &xctx->ks2);
1855 xctx->xts.block2 = (block128_f)vpaes_encrypt;
1856
1857 xctx->xts.key1 = &xctx->ks1;
1858 break;
1859 } else
1860#endif
1861 (void)0; /* terminate potentially open 'else' */
1862
1863 if (enc) {
1864 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1865 xctx->xts.block1 = (block128_f)AES_encrypt;
1866 } else {
1867 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1868 xctx->xts.block1 = (block128_f)AES_decrypt;
1869 }
1870
1871 AES_set_encrypt_key(key + ctx->key_len / 2,
1872 ctx->key_len * 4, &xctx->ks2);
1873 xctx->xts.block2 = (block128_f)AES_encrypt;
1874
1875 xctx->xts.key1 = &xctx->ks1;
1876 } while (0);
1877
1878 if (iv) {
1879 xctx->xts.key2 = &xctx->ks2;
1880 memcpy(ctx->iv, iv, 16);
1881 }
1882
1883 return 1;
1884}
1885
1886static int
1887aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1888 const unsigned char *in, size_t len)
1889{
1890 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1891
1892 if (!xctx->xts.key1 || !xctx->xts.key2)
1893 return 0;
1894 if (!out || !in || len < AES_BLOCK_SIZE)
1895 return 0;
1896
1897 if (xctx->stream)
1898 (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2,
1899 ctx->iv);
1900 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1901 ctx->encrypt))
1902 return 0;
1903 return 1;
1904}
1905
1906#define XTS_FLAGS \
1907 ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
1908 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
1909
1910
1911#ifdef AESNI_CAPABLE
1912static const EVP_CIPHER aesni_128_xts = {
1913 .nid = NID_aes_128_xts,
1914 .block_size = 1,
1915 .key_len = 2 * 16,
1916 .iv_len = 16,
1917 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1918 .init = aesni_xts_init_key,
1919 .do_cipher = aes_xts_cipher,
1920 .cleanup = NULL,
1921 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1922 .ctrl = aes_xts_ctrl,
1923};
1924#endif
1925
1926static const EVP_CIPHER aes_128_xts = {
1927 .nid = NID_aes_128_xts,
1928 .block_size = 1,
1929 .key_len = 2 * 16,
1930 .iv_len = 16,
1931 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1932 .init = aes_xts_init_key,
1933 .do_cipher = aes_xts_cipher,
1934 .cleanup = NULL,
1935 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1936 .ctrl = aes_xts_ctrl,
1937};
1938
1939const EVP_CIPHER *
1940EVP_aes_128_xts(void)
1941{
1942#ifdef AESNI_CAPABLE
1943 return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts;
1944#else
1945 return &aes_128_xts;
1946#endif
1947}
1948LCRYPTO_ALIAS(EVP_aes_128_xts);
1949
1950#ifdef AESNI_CAPABLE
1951static const EVP_CIPHER aesni_256_xts = {
1952 .nid = NID_aes_256_xts,
1953 .block_size = 1,
1954 .key_len = 2 * 32,
1955 .iv_len = 16,
1956 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1957 .init = aesni_xts_init_key,
1958 .do_cipher = aes_xts_cipher,
1959 .cleanup = NULL,
1960 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1961 .ctrl = aes_xts_ctrl,
1962};
1963#endif
1964
1965static const EVP_CIPHER aes_256_xts = {
1966 .nid = NID_aes_256_xts,
1967 .block_size = 1,
1968 .key_len = 2 * 32,
1969 .iv_len = 16,
1970 .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
1971 .init = aes_xts_init_key,
1972 .do_cipher = aes_xts_cipher,
1973 .cleanup = NULL,
1974 .ctx_size = sizeof(EVP_AES_XTS_CTX),
1975 .ctrl = aes_xts_ctrl,
1976};
1977
1978const EVP_CIPHER *
1979EVP_aes_256_xts(void)
1980{
1981#ifdef AESNI_CAPABLE
1982 return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts;
1983#else
1984 return &aes_256_xts;
1985#endif
1986}
1987LCRYPTO_ALIAS(EVP_aes_256_xts);
1988
1989static int
1990aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1991{
1992 EVP_AES_CCM_CTX *cctx = c->cipher_data;
1993
1994 switch (type) {
1995 case EVP_CTRL_INIT:
1996 cctx->key_set = 0;
1997 cctx->iv_set = 0;
1998 cctx->L = 8;
1999 cctx->M = 12;
2000 cctx->tag_set = 0;
2001 cctx->len_set = 0;
2002 return 1;
2003
2004 case EVP_CTRL_AEAD_GET_IVLEN:
2005 *(int *)ptr = 15 - cctx->L;
2006 return 1;
2007
2008 case EVP_CTRL_AEAD_SET_IVLEN:
2009 arg = 15 - arg;
2010
2011 case EVP_CTRL_CCM_SET_L:
2012 if (arg < 2 || arg > 8)
2013 return 0;
2014 cctx->L = arg;
2015 return 1;
2016
2017 case EVP_CTRL_CCM_SET_TAG:
2018 if ((arg & 1) || arg < 4 || arg > 16)
2019 return 0;
2020 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
2021 return 0;
2022 if (ptr) {
2023 cctx->tag_set = 1;
2024 memcpy(c->buf, ptr, arg);
2025 }
2026 cctx->M = arg;
2027 return 1;
2028
2029 case EVP_CTRL_CCM_GET_TAG:
2030 if (!c->encrypt || !cctx->tag_set)
2031 return 0;
2032 if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
2033 return 0;
2034 cctx->tag_set = 0;
2035 cctx->iv_set = 0;
2036 cctx->len_set = 0;
2037 return 1;
2038
2039 case EVP_CTRL_COPY:
2040 {
2041 EVP_CIPHER_CTX *out = ptr;
2042 EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
2043
2044 if (cctx->ccm.key) {
2045 if (cctx->ccm.key != &cctx->ks)
2046 return 0;
2047 cctx_out->ccm.key = &cctx_out->ks;
2048 }
2049 return 1;
2050 }
2051
2052 default:
2053 return -1;
2054 }
2055}
2056
2057static int
2058aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2059 const unsigned char *iv, int enc)
2060{
2061 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
2062
2063 if (!iv && !key)
2064 return 1;
2065 if (key) do {
2066#ifdef VPAES_CAPABLE
2067 if (VPAES_CAPABLE) {
2068 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
2069 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2070 &cctx->ks, (block128_f)vpaes_encrypt);
2071 cctx->str = NULL;
2072 cctx->key_set = 1;
2073 break;
2074 }
2075#endif
2076 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
2077 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
2078 &cctx->ks, (block128_f)AES_encrypt);
2079 cctx->str = NULL;
2080 cctx->key_set = 1;
2081 } while (0);
2082 if (iv) {
2083 memcpy(ctx->iv, iv, 15 - cctx->L);
2084 cctx->iv_set = 1;
2085 }
2086 return 1;
2087}
2088
2089static int
2090aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2091 const unsigned char *in, size_t len)
2092{
2093 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
2094 CCM128_CONTEXT *ccm = &cctx->ccm;
2095
2096 /* If not set up, return error */
2097 if (!cctx->iv_set && !cctx->key_set)
2098 return -1;
2099 if (!ctx->encrypt && !cctx->tag_set)
2100 return -1;
2101
2102 if (!out) {
2103 if (!in) {
2104 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,
2105 len))
2106 return -1;
2107 cctx->len_set = 1;
2108 return len;
2109 }
2110 /* If have AAD need message length */
2111 if (!cctx->len_set && len)
2112 return -1;
2113 CRYPTO_ccm128_aad(ccm, in, len);
2114 return len;
2115 }
2116 /* EVP_*Final() doesn't return any data */
2117 if (!in)
2118 return 0;
2119 /* If not set length yet do it */
2120 if (!cctx->len_set) {
2121 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
2122 return -1;
2123 cctx->len_set = 1;
2124 }
2125 if (ctx->encrypt) {
2126 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
2127 cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len))
2128 return -1;
2129 cctx->tag_set = 1;
2130 return len;
2131 } else {
2132 int rv = -1;
2133 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
2134 cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
2135 unsigned char tag[16];
2136 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
2137 if (!memcmp(tag, ctx->buf, cctx->M))
2138 rv = len;
2139 }
2140 }
2141 if (rv == -1)
2142 explicit_bzero(out, len);
2143 cctx->iv_set = 0;
2144 cctx->tag_set = 0;
2145 cctx->len_set = 0;
2146 return rv;
2147 }
2148
2149}
2150
2151#ifdef AESNI_CAPABLE
2152static const EVP_CIPHER aesni_128_ccm = {
2153 .nid = NID_aes_128_ccm,
2154 .block_size = 1,
2155 .key_len = 16,
2156 .iv_len = 12,
2157 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2158 .init = aesni_ccm_init_key,
2159 .do_cipher = aes_ccm_cipher,
2160 .cleanup = NULL,
2161 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2162 .ctrl = aes_ccm_ctrl,
2163};
2164#endif
2165
2166static const EVP_CIPHER aes_128_ccm = {
2167 .nid = NID_aes_128_ccm,
2168 .block_size = 1,
2169 .key_len = 16,
2170 .iv_len = 12,
2171 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2172 .init = aes_ccm_init_key,
2173 .do_cipher = aes_ccm_cipher,
2174 .cleanup = NULL,
2175 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2176 .ctrl = aes_ccm_ctrl,
2177};
2178
2179const EVP_CIPHER *
2180EVP_aes_128_ccm(void)
2181{
2182#ifdef AESNI_CAPABLE
2183 return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm;
2184#else
2185 return &aes_128_ccm;
2186#endif
2187}
2188LCRYPTO_ALIAS(EVP_aes_128_ccm);
2189
2190#ifdef AESNI_CAPABLE
2191static const EVP_CIPHER aesni_192_ccm = {
2192 .nid = NID_aes_192_ccm,
2193 .block_size = 1,
2194 .key_len = 24,
2195 .iv_len = 12,
2196 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2197 .init = aesni_ccm_init_key,
2198 .do_cipher = aes_ccm_cipher,
2199 .cleanup = NULL,
2200 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2201 .ctrl = aes_ccm_ctrl,
2202};
2203#endif
2204
2205static const EVP_CIPHER aes_192_ccm = {
2206 .nid = NID_aes_192_ccm,
2207 .block_size = 1,
2208 .key_len = 24,
2209 .iv_len = 12,
2210 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2211 .init = aes_ccm_init_key,
2212 .do_cipher = aes_ccm_cipher,
2213 .cleanup = NULL,
2214 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2215 .ctrl = aes_ccm_ctrl,
2216};
2217
2218const EVP_CIPHER *
2219EVP_aes_192_ccm(void)
2220{
2221#ifdef AESNI_CAPABLE
2222 return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm;
2223#else
2224 return &aes_192_ccm;
2225#endif
2226}
2227LCRYPTO_ALIAS(EVP_aes_192_ccm);
2228
2229#ifdef AESNI_CAPABLE
2230static const EVP_CIPHER aesni_256_ccm = {
2231 .nid = NID_aes_256_ccm,
2232 .block_size = 1,
2233 .key_len = 32,
2234 .iv_len = 12,
2235 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2236 .init = aesni_ccm_init_key,
2237 .do_cipher = aes_ccm_cipher,
2238 .cleanup = NULL,
2239 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2240 .ctrl = aes_ccm_ctrl,
2241};
2242#endif
2243
2244static const EVP_CIPHER aes_256_ccm = {
2245 .nid = NID_aes_256_ccm,
2246 .block_size = 1,
2247 .key_len = 32,
2248 .iv_len = 12,
2249 .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
2250 .init = aes_ccm_init_key,
2251 .do_cipher = aes_ccm_cipher,
2252 .cleanup = NULL,
2253 .ctx_size = sizeof(EVP_AES_CCM_CTX),
2254 .ctrl = aes_ccm_ctrl,
2255};
2256
2257const EVP_CIPHER *
2258EVP_aes_256_ccm(void)
2259{
2260#ifdef AESNI_CAPABLE
2261 return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm;
2262#else
2263 return &aes_256_ccm;
2264#endif
2265}
2266LCRYPTO_ALIAS(EVP_aes_256_ccm);
2267
2268#define EVP_AEAD_AES_GCM_TAG_LEN 16
2269
2270struct aead_aes_gcm_ctx {
2271 union {
2272 double align;
2273 AES_KEY ks;
2274 } ks;
2275 GCM128_CONTEXT gcm;
2276 ctr128_f ctr;
2277 unsigned char tag_len;
2278};
2279
2280static int
2281aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len,
2282 size_t tag_len)
2283{
2284 struct aead_aes_gcm_ctx *gcm_ctx;
2285 const size_t key_bits = key_len * 8;
2286
2287 /* EVP_AEAD_CTX_init should catch this. */
2288 if (key_bits != 128 && key_bits != 256) {
2289 EVPerror(EVP_R_BAD_KEY_LENGTH);
2290 return 0;
2291 }
2292
2293 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH)
2294 tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
2295
2296 if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) {
2297 EVPerror(EVP_R_TAG_TOO_LARGE);
2298 return 0;
2299 }
2300
2301 if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL)
2302 return 0;
2303
2304#ifdef AESNI_CAPABLE
2305 if (AESNI_CAPABLE) {
2306 aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
2307 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
2308 (block128_f)aesni_encrypt);
2309 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
2310 } else
2311#endif
2312 {
2313 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
2314 key, key_len);
2315 }
2316 gcm_ctx->tag_len = tag_len;
2317 ctx->aead_state = gcm_ctx;
2318
2319 return 1;
2320}
2321
2322static void
2323aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx)
2324{
2325 struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2326
2327 freezero(gcm_ctx, sizeof(*gcm_ctx));
2328}
2329
2330static int
2331aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
2332 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
2333 const unsigned char *in, size_t in_len, const unsigned char *ad,
2334 size_t ad_len)
2335{
2336 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2337 GCM128_CONTEXT gcm;
2338 size_t bulk = 0;
2339
2340 if (max_out_len < in_len + gcm_ctx->tag_len) {
2341 EVPerror(EVP_R_BUFFER_TOO_SMALL);
2342 return 0;
2343 }
2344
2345 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
2346
2347 if (nonce_len == 0) {
2348 EVPerror(EVP_R_INVALID_IV_LENGTH);
2349 return 0;
2350 }
2351 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
2352
2353 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
2354 return 0;
2355
2356 if (gcm_ctx->ctr) {
2357 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
2358 in_len - bulk, gcm_ctx->ctr))
2359 return 0;
2360 } else {
2361 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
2362 in_len - bulk))
2363 return 0;
2364 }
2365
2366 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
2367 *out_len = in_len + gcm_ctx->tag_len;
2368
2369 return 1;
2370}
2371
2372static int
2373aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
2374 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
2375 const unsigned char *in, size_t in_len, const unsigned char *ad,
2376 size_t ad_len)
2377{
2378 const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
2379 unsigned char tag[EVP_AEAD_AES_GCM_TAG_LEN];
2380 GCM128_CONTEXT gcm;
2381 size_t plaintext_len;
2382 size_t bulk = 0;
2383
2384 if (in_len < gcm_ctx->tag_len) {
2385 EVPerror(EVP_R_BAD_DECRYPT);
2386 return 0;
2387 }
2388
2389 plaintext_len = in_len - gcm_ctx->tag_len;
2390
2391 if (max_out_len < plaintext_len) {
2392 EVPerror(EVP_R_BUFFER_TOO_SMALL);
2393 return 0;
2394 }
2395
2396 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
2397
2398 if (nonce_len == 0) {
2399 EVPerror(EVP_R_INVALID_IV_LENGTH);
2400 return 0;
2401 }
2402 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
2403
2404 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
2405 return 0;
2406
2407 if (gcm_ctx->ctr) {
2408 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
2409 in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
2410 return 0;
2411 } else {
2412 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
2413 in_len - bulk - gcm_ctx->tag_len))
2414 return 0;
2415 }
2416
2417 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
2418 if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {
2419 EVPerror(EVP_R_BAD_DECRYPT);
2420 return 0;
2421 }
2422
2423 *out_len = plaintext_len;
2424
2425 return 1;
2426}
2427
2428static const EVP_AEAD aead_aes_128_gcm = {
2429 .key_len = 16,
2430 .nonce_len = 12,
2431 .overhead = EVP_AEAD_AES_GCM_TAG_LEN,
2432 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN,
2433
2434 .init = aead_aes_gcm_init,
2435 .cleanup = aead_aes_gcm_cleanup,
2436 .seal = aead_aes_gcm_seal,
2437 .open = aead_aes_gcm_open,
2438};
2439
2440static const EVP_AEAD aead_aes_256_gcm = {
2441 .key_len = 32,
2442 .nonce_len = 12,
2443 .overhead = EVP_AEAD_AES_GCM_TAG_LEN,
2444 .max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN,
2445
2446 .init = aead_aes_gcm_init,
2447 .cleanup = aead_aes_gcm_cleanup,
2448 .seal = aead_aes_gcm_seal,
2449 .open = aead_aes_gcm_open,
2450};
2451
2452const EVP_AEAD *
2453EVP_aead_aes_128_gcm(void)
2454{
2455 return &aead_aes_128_gcm;
2456}
2457LCRYPTO_ALIAS(EVP_aead_aes_128_gcm);
2458
2459const EVP_AEAD *
2460EVP_aead_aes_256_gcm(void)
2461{
2462 return &aead_aes_256_gcm;
2463}
2464LCRYPTO_ALIAS(EVP_aead_aes_256_gcm);
2465
2466typedef struct {
2467 union {
2468 double align;
2469 AES_KEY ks;
2470 } ks;
2471 unsigned char *iv;
2472} EVP_AES_WRAP_CTX;
2473
2474static int
2475aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2476 const unsigned char *iv, int enc)
2477{
2478 EVP_AES_WRAP_CTX *wctx = (EVP_AES_WRAP_CTX *)ctx->cipher_data;
2479
2480 if (iv == NULL && key == NULL)
2481 return 1;
2482
2483 if (key != NULL) {
2484 if (ctx->encrypt)
2485 AES_set_encrypt_key(key, 8 * ctx->key_len,
2486 &wctx->ks.ks);
2487 else
2488 AES_set_decrypt_key(key, 8 * ctx->key_len,
2489 &wctx->ks.ks);
2490
2491 if (iv == NULL)
2492 wctx->iv = NULL;
2493 }
2494
2495 if (iv != NULL) {
2496 int iv_len = EVP_CIPHER_CTX_iv_length(ctx);
2497
2498 if (iv_len < 0 || iv_len > sizeof(ctx->iv))
2499 return 0;
2500 memcpy(ctx->iv, iv, iv_len);
2501 wctx->iv = ctx->iv;
2502 }
2503
2504 return 1;
2505}
2506
2507static int
2508aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2509 const unsigned char *in, size_t inlen)
2510{
2511 EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
2512 int ret;
2513
2514 if (in == NULL)
2515 return 0;
2516
2517 if (inlen % 8 != 0)
2518 return -1;
2519 if (ctx->encrypt && inlen < 8)
2520 return -1;
2521 if (!ctx->encrypt && inlen < 16)
2522 return -1;
2523 if (inlen > INT_MAX)
2524 return -1;
2525
2526 if (out == NULL) {
2527 if (ctx->encrypt)
2528 return inlen + 8;
2529 else
2530 return inlen - 8;
2531 }
2532
2533 if (ctx->encrypt)
2534 ret = AES_wrap_key(&wctx->ks.ks, wctx->iv, out, in,
2535 (unsigned int)inlen);
2536 else
2537 ret = AES_unwrap_key(&wctx->ks.ks, wctx->iv, out, in,
2538 (unsigned int)inlen);
2539
2540 return ret != 0 ? ret : -1;
2541}
2542
2543static int
2544aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
2545{
2546 EVP_AES_WRAP_CTX *wctx = c->cipher_data;
2547
2548 switch (type) {
2549 case EVP_CTRL_COPY:
2550 {
2551 EVP_CIPHER_CTX *out = ptr;
2552 EVP_AES_WRAP_CTX *wctx_out = out->cipher_data;
2553
2554 if (wctx->iv != NULL) {
2555 if (c->iv != wctx->iv)
2556 return 0;
2557
2558 wctx_out->iv = out->iv;
2559 }
2560
2561 return 1;
2562 }
2563 }
2564
2565 return -1;
2566}
2567
2568#define WRAP_FLAGS \
2569 ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \
2570 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \
2571 EVP_CIPH_CUSTOM_COPY )
2572
2573static const EVP_CIPHER aes_128_wrap = {
2574 .nid = NID_id_aes128_wrap,
2575 .block_size = 8,
2576 .key_len = 16,
2577 .iv_len = 8,
2578 .flags = WRAP_FLAGS,
2579 .init = aes_wrap_init_key,
2580 .do_cipher = aes_wrap_cipher,
2581 .cleanup = NULL,
2582 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2583 .set_asn1_parameters = NULL,
2584 .get_asn1_parameters = NULL,
2585 .ctrl = aes_wrap_ctrl,
2586};
2587
2588const EVP_CIPHER *
2589EVP_aes_128_wrap(void)
2590{
2591 return &aes_128_wrap;
2592}
2593LCRYPTO_ALIAS(EVP_aes_128_wrap);
2594
2595static const EVP_CIPHER aes_192_wrap = {
2596 .nid = NID_id_aes192_wrap,
2597 .block_size = 8,
2598 .key_len = 24,
2599 .iv_len = 8,
2600 .flags = WRAP_FLAGS,
2601 .init = aes_wrap_init_key,
2602 .do_cipher = aes_wrap_cipher,
2603 .cleanup = NULL,
2604 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2605 .set_asn1_parameters = NULL,
2606 .get_asn1_parameters = NULL,
2607 .ctrl = aes_wrap_ctrl,
2608};
2609
2610const EVP_CIPHER *
2611EVP_aes_192_wrap(void)
2612{
2613 return &aes_192_wrap;
2614}
2615LCRYPTO_ALIAS(EVP_aes_192_wrap);
2616
2617static const EVP_CIPHER aes_256_wrap = {
2618 .nid = NID_id_aes256_wrap,
2619 .block_size = 8,
2620 .key_len = 32,
2621 .iv_len = 8,
2622 .flags = WRAP_FLAGS,
2623 .init = aes_wrap_init_key,
2624 .do_cipher = aes_wrap_cipher,
2625 .cleanup = NULL,
2626 .ctx_size = sizeof(EVP_AES_WRAP_CTX),
2627 .set_asn1_parameters = NULL,
2628 .get_asn1_parameters = NULL,
2629 .ctrl = aes_wrap_ctrl,
2630};
2631
2632const EVP_CIPHER *
2633EVP_aes_256_wrap(void)
2634{
2635 return &aes_256_wrap;
2636}
2637LCRYPTO_ALIAS(EVP_aes_256_wrap);
2638
2639#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-06 20:20:21 +0000