Simplify AES-XTS implementation and remove AES-NI specific code from EVP.

Provide aes_xts_encrypt_internal() and call that from aes_xts_cipher(). Have amd64 and i386 provide their own versions that dispatch to aesni_xts_encrypt()/aesni_xts_decrypt() as appropriate. The AESNI_CAPABLE code and methods can then be removed. ok tb@
author: jsing <> 2025-07-13 06:01:33 +0000
committer: jsing <> 2025-07-13 06:01:33 +0000
commit: f0234f5a33ecf3b2784f3e73bdf1e937abe56599 (patch)
tree: a43688f8969e5bd862faf101152f51b1560e7731 /src/lib/libcrypto/evp
parent: 417b1213b262bbe6d34c708537dff4b062920bfa (diff)
download: openbsd-f0234f5a33ecf3b2784f3e73bdf1e937abe56599.tar.gz
openbsd-f0234f5a33ecf3b2784f3e73bdf1e937abe56599.tar.bz2
openbsd-f0234f5a33ecf3b2784f3e73bdf1e937abe56599.zip
1 files changed, 15 insertions, 124 deletions
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index 1779acec66..851da9ded6 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.78 2025/07/06 15:37:33 jsing Exp $ */
+/* $OpenBSD: e_aes.c,v 1.79 2025/07/13 06:01:33 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
 *
@@ -84,10 +84,7 @@ typedef struct {
 typedef struct {
        AES_KEY ks1, ks2;       /* AES key schedules to use */
-        XTS128_CONTEXT xts;
+        XTS128_CONTEXT xts;     /* XXX - replace with flags. */
-        void (*stream)(const unsigned char *in, unsigned char *out,
-            size_t length, const AES_KEY *key1, const AES_KEY *key2,
-            const unsigned char iv[16]);
 } EVP_AES_XTS_CTX;
 typedef struct {
@@ -103,13 +100,6 @@ typedef struct {
 #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
-#ifdef AES_XTS_ASM
-void AES_xts_encrypt(const char *inp, char *out, size_t len,
-    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
-void AES_xts_decrypt(const char *inp, char *out, size_t len,
-    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
-#endif
 #if     defined(AES_ASM) &&                             (  \
        ((defined(__i386)       || defined(__i386__)    || \
          defined(_M_IX86)))|| \
@@ -137,14 +127,6 @@ void aesni_decrypt(const unsigned char *in, unsigned char *out,
 void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
    size_t length, const AES_KEY *key, int enc);
-void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key1, const AES_KEY *key2,
-    const unsigned char iv[16]);
-void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key1, const AES_KEY *key2,
-    const unsigned char iv[16]);
 void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out,
    size_t blocks, const void *key, const unsigned char ivec[16],
    unsigned char cmac[16]);
@@ -166,44 +148,6 @@ aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 }
 static int
-aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
-{
-        EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
-        if (!iv && !key)
-                return 1;
-        if (key) {
-                /* key_len is two AES keys */
-                if (enc) {
-                        aesni_set_encrypt_key(key, ctx->key_len * 4,
-                            &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)aesni_encrypt;
-                        xctx->stream = aesni_xts_encrypt;
-                } else {
-                        aesni_set_decrypt_key(key, ctx->key_len * 4,
-                            &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)aesni_decrypt;
-                        xctx->stream = aesni_xts_decrypt;
-                }
-                aesni_set_encrypt_key(key + ctx->key_len / 2,
-                    ctx->key_len * 4, &xctx->ks2);
-                xctx->xts.block2 = (block128_f)aesni_encrypt;
-                xctx->xts.key1 = &xctx->ks1;
-        }
-        if (iv) {
-                xctx->xts.key2 = &xctx->ks2;
-                memcpy(ctx->iv, iv, 16);
-        }
-        return 1;
-}
-static int
 aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
    const unsigned char *iv, int enc)
 {
@@ -1242,36 +1186,24 @@ aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 static int
 aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
+    const unsigned char *iv, int encrypt)
 {
        EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
-        if (!iv && !key)
+        if (key != NULL) {
-                return 1;
-        if (key) {
-#ifdef AES_XTS_ASM
-                xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
-#else
-                xctx->stream = NULL;
-#endif
                /* key_len is two AES keys */
-                if (enc) {
+                if (encrypt)
                        AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)AES_encrypt;
+                else
-                } else {
                        AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)AES_decrypt;
-                }
-                AES_set_encrypt_key(key + ctx->key_len / 2,
+                AES_set_encrypt_key(key + ctx->key_len / 2, ctx->key_len * 4,
-                    ctx->key_len * 4, &xctx->ks2);
+                    &xctx->ks2);
-                xctx->xts.block2 = (block128_f)AES_encrypt;
                xctx->xts.key1 = &xctx->ks1;
        }
-        if (iv) {
+        if (iv != NULL) {
                xctx->xts.key2 = &xctx->ks2;
                memcpy(ctx->iv, iv, 16);
        }
@@ -1285,17 +1217,15 @@ aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 {
        EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
-        if (!xctx->xts.key1 || !xctx->xts.key2)
+        if (xctx->xts.key1 == NULL || xctx->xts.key2 == NULL)
-                return 0;
-        if (!out || !in || len < AES_BLOCK_SIZE)
                return 0;
-        if (xctx->stream)
+        if (out == NULL || in == NULL || len < AES_BLOCK_SIZE)
-                (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2,
-                    ctx->iv);
-        else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
-            ctx->encrypt))
                return 0;
+        aes_xts_encrypt_internal(in, out, len, xctx->xts.key1, xctx->xts.key2,
+            ctx->iv, ctx->encrypt);
        return 1;
 }
@@ -1303,22 +1233,6 @@ aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
      EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_xts = {
-        .nid = NID_aes_128_xts,
-        .block_size = 1,
-        .key_len = 2 * 16,
-        .iv_len = 16,
-        .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
-        .init = aesni_xts_init_key,
-        .do_cipher = aes_xts_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_XTS_CTX),
-        .ctrl = aes_xts_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_128_xts = {
        .nid = NID_aes_128_xts,
        .block_size = 1,
@@ -1335,29 +1249,10 @@ static const EVP_CIPHER aes_128_xts = {
 const EVP_CIPHER *
 EVP_aes_128_xts(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts;
-#else
        return &aes_128_xts;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_xts);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_xts = {
-        .nid = NID_aes_256_xts,
-        .block_size = 1,
-        .key_len = 2 * 32,
-        .iv_len = 16,
-        .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
-        .init = aesni_xts_init_key,
-        .do_cipher = aes_xts_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_XTS_CTX),
-        .ctrl = aes_xts_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_256_xts = {
        .nid = NID_aes_256_xts,
        .block_size = 1,
@@ -1374,11 +1269,7 @@ static const EVP_CIPHER aes_256_xts = {
 const EVP_CIPHER *
 EVP_aes_256_xts(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts;
-#else
        return &aes_256_xts;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_xts);
author	jsing <>	2025-07-13 06:01:33 +0000
committer	jsing <>	2025-07-13 06:01:33 +0000
commit	f0234f5a33ecf3b2784f3e73bdf1e937abe56599 (patch)
tree	a43688f8969e5bd862faf101152f51b1560e7731 /src/lib/libcrypto/evp
parent	417b1213b262bbe6d34c708537dff4b062920bfa (diff)
download	openbsd-f0234f5a33ecf3b2784f3e73bdf1e937abe56599.tar.gz openbsd-f0234f5a33ecf3b2784f3e73bdf1e937abe56599.tar.bz2 openbsd-f0234f5a33ecf3b2784f3e73bdf1e937abe56599.zip

diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c index 1779acec66..851da9ded6 100644 --- a/src/lib/libcrypto/evp/e_aes.c +++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: e_aes.c,v 1.78 2025/07/06 15:37:33 jsing Exp $ */	1	/* $OpenBSD: e_aes.c,v 1.79 2025/07/13 06:01:33 jsing Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -84,10 +84,7 @@ typedef struct {
84		84
85	typedef struct {	85	typedef struct {
86	AES_KEY ks1, ks2; /* AES key schedules to use */	86	AES_KEY ks1, ks2; /* AES key schedules to use */
87	XTS128_CONTEXT xts;	87	XTS128_CONTEXT xts; /* XXX - replace with flags. */
88	void (stream)(const unsigned char in, unsigned char *out,
89	size_t length, const AES_KEY key1, const AES_KEY key2,
90	const unsigned char iv[16]);
91	} EVP_AES_XTS_CTX;	88	} EVP_AES_XTS_CTX;
92		89
93	typedef struct {	90	typedef struct {
@@ -103,13 +100,6 @@ typedef struct {
103		100
104	#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))	101	#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
105		102
106	#ifdef AES_XTS_ASM
107	void AES_xts_encrypt(const char inp, char out, size_t len,
108	const AES_KEY key1, const AES_KEY key2, const unsigned char iv[16]);
109	void AES_xts_decrypt(const char inp, char out, size_t len,
110	const AES_KEY key1, const AES_KEY key2, const unsigned char iv[16]);
111	#endif
112
113	#if defined(AES_ASM) && ( \	103	#if defined(AES_ASM) && ( \
114	((defined(__i386) \|\| defined(__i386__) \|\| \	104	((defined(__i386) \|\| defined(__i386__) \|\| \
115	defined(_M_IX86)))\|\| \	105	defined(_M_IX86)))\|\| \
@@ -137,14 +127,6 @@ void aesni_decrypt(const unsigned char in, unsigned char out,
137	void aesni_ecb_encrypt(const unsigned char in, unsigned char out,	127	void aesni_ecb_encrypt(const unsigned char in, unsigned char out,
138	size_t length, const AES_KEY *key, int enc);	128	size_t length, const AES_KEY *key, int enc);
139		129
140	void aesni_xts_encrypt(const unsigned char in, unsigned char out,
141	size_t length, const AES_KEY key1, const AES_KEY key2,
142	const unsigned char iv[16]);
143
144	void aesni_xts_decrypt(const unsigned char in, unsigned char out,
145	size_t length, const AES_KEY key1, const AES_KEY key2,
146	const unsigned char iv[16]);
147
148	void aesni_ccm64_encrypt_blocks (const unsigned char in, unsigned char out,	130	void aesni_ccm64_encrypt_blocks (const unsigned char in, unsigned char out,
149	size_t blocks, const void *key, const unsigned char ivec[16],	131	size_t blocks, const void *key, const unsigned char ivec[16],
150	unsigned char cmac[16]);	132	unsigned char cmac[16]);
@@ -166,44 +148,6 @@ aesni_ecb_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
166	}	148	}
167		149
168	static int	150	static int
169	aesni_xts_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,
170	const unsigned char *iv, int enc)
171	{
172	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
173
174	if (!iv && !key)
175	return 1;
176
177	if (key) {
178	/* key_len is two AES keys */
179	if (enc) {
180	aesni_set_encrypt_key(key, ctx->key_len * 4,
181	&xctx->ks1);
182	xctx->xts.block1 = (block128_f)aesni_encrypt;
183	xctx->stream = aesni_xts_encrypt;
184	} else {
185	aesni_set_decrypt_key(key, ctx->key_len * 4,
186	&xctx->ks1);
187	xctx->xts.block1 = (block128_f)aesni_decrypt;
188	xctx->stream = aesni_xts_decrypt;
189	}
190
191	aesni_set_encrypt_key(key + ctx->key_len / 2,
192	ctx->key_len * 4, &xctx->ks2);
193	xctx->xts.block2 = (block128_f)aesni_encrypt;
194
195	xctx->xts.key1 = &xctx->ks1;
196	}
197
198	if (iv) {
199	xctx->xts.key2 = &xctx->ks2;
200	memcpy(ctx->iv, iv, 16);
201	}
202
203	return 1;
204	}
205
206	static int
207	aesni_ccm_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,	151	aesni_ccm_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,
208	const unsigned char *iv, int enc)	152	const unsigned char *iv, int enc)
209	{	153	{
@@ -1242,36 +1186,24 @@ aes_xts_ctrl(EVP_CIPHER_CTX c, int type, int arg, void ptr)
1242		1186
1243	static int	1187	static int
1244	aes_xts_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,	1188	aes_xts_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,
1245	const unsigned char *iv, int enc)	1189	const unsigned char *iv, int encrypt)
1246	{	1190	{
1247	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;	1191	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1248		1192
1249	if (!iv && !key)	1193	if (key != NULL) {
1250	return 1;
1251
1252	if (key) {
1253	#ifdef AES_XTS_ASM
1254	xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1255	#else
1256	xctx->stream = NULL;
1257	#endif
1258	/* key_len is two AES keys */	1194	/* key_len is two AES keys */
1259	if (enc) {	1195	if (encrypt)
1260	AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);	1196	AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1261	xctx->xts.block1 = (block128_f)AES_encrypt;	1197	else
1262	} else {
1263	AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);	1198	AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1264	xctx->xts.block1 = (block128_f)AES_decrypt;
1265	}
1266		1199
1267	AES_set_encrypt_key(key + ctx->key_len / 2,	1200	AES_set_encrypt_key(key + ctx->key_len / 2, ctx->key_len * 4,
1268	ctx->key_len * 4, &xctx->ks2);	1201	&xctx->ks2);
1269	xctx->xts.block2 = (block128_f)AES_encrypt;
1270		1202
1271	xctx->xts.key1 = &xctx->ks1;	1203	xctx->xts.key1 = &xctx->ks1;
1272	}	1204	}
1273		1205
1274	if (iv) {	1206	if (iv != NULL) {
1275	xctx->xts.key2 = &xctx->ks2;	1207	xctx->xts.key2 = &xctx->ks2;
1276	memcpy(ctx->iv, iv, 16);	1208	memcpy(ctx->iv, iv, 16);
1277	}	1209	}
@@ -1285,17 +1217,15 @@ aes_xts_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
1285	{	1217	{
1286	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;	1218	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1287		1219
1288	if (!xctx->xts.key1 \|\| !xctx->xts.key2)	1220	if (xctx->xts.key1 == NULL \|\| xctx->xts.key2 == NULL)
1289	return 0;
1290	if (!out \|\| !in \|\| len < AES_BLOCK_SIZE)
1291	return 0;	1221	return 0;
1292		1222
1293	if (xctx->stream)	1223	if (out == NULL \|\| in == NULL \|\| len < AES_BLOCK_SIZE)
1294	(*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2,
1295	ctx->iv);
1296	else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1297	ctx->encrypt))
1298	return 0;	1224	return 0;
		1225
		1226	aes_xts_encrypt_internal(in, out, len, xctx->xts.key1, xctx->xts.key2,
		1227	ctx->iv, ctx->encrypt);
		1228
1299	return 1;	1229	return 1;
1300	}	1230	}
1301		1231
@@ -1303,22 +1233,6 @@ aes_xts_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
1303	( EVP_CIPH_FLAG_DEFAULT_ASN1 \| EVP_CIPH_CUSTOM_IV \| \	1233	( EVP_CIPH_FLAG_DEFAULT_ASN1 \| EVP_CIPH_CUSTOM_IV \| \
1304	EVP_CIPH_ALWAYS_CALL_INIT \| EVP_CIPH_CTRL_INIT \| EVP_CIPH_CUSTOM_COPY )	1234	EVP_CIPH_ALWAYS_CALL_INIT \| EVP_CIPH_CTRL_INIT \| EVP_CIPH_CUSTOM_COPY )
1305		1235
1306
1307	#ifdef AESNI_CAPABLE
1308	static const EVP_CIPHER aesni_128_xts = {
1309	.nid = NID_aes_128_xts,
1310	.block_size = 1,
1311	.key_len = 2 * 16,
1312	.iv_len = 16,
1313	.flags = XTS_FLAGS \| EVP_CIPH_XTS_MODE,
1314	.init = aesni_xts_init_key,
1315	.do_cipher = aes_xts_cipher,
1316	.cleanup = NULL,
1317	.ctx_size = sizeof(EVP_AES_XTS_CTX),
1318	.ctrl = aes_xts_ctrl,
1319	};
1320	#endif
1321
1322	static const EVP_CIPHER aes_128_xts = {	1236	static const EVP_CIPHER aes_128_xts = {
1323	.nid = NID_aes_128_xts,	1237	.nid = NID_aes_128_xts,
1324	.block_size = 1,	1238	.block_size = 1,
@@ -1335,29 +1249,10 @@ static const EVP_CIPHER aes_128_xts = {
1335	const EVP_CIPHER *	1249	const EVP_CIPHER *
1336	EVP_aes_128_xts(void)	1250	EVP_aes_128_xts(void)
1337	{	1251	{
1338	#ifdef AESNI_CAPABLE
1339	return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts;
1340	#else
1341	return &aes_128_xts;	1252	return &aes_128_xts;
1342	#endif
1343	}	1253	}
1344	LCRYPTO_ALIAS(EVP_aes_128_xts);	1254	LCRYPTO_ALIAS(EVP_aes_128_xts);
1345		1255
1346	#ifdef AESNI_CAPABLE
1347	static const EVP_CIPHER aesni_256_xts = {
1348	.nid = NID_aes_256_xts,
1349	.block_size = 1,
1350	.key_len = 2 * 32,
1351	.iv_len = 16,
1352	.flags = XTS_FLAGS \| EVP_CIPH_XTS_MODE,
1353	.init = aesni_xts_init_key,
1354	.do_cipher = aes_xts_cipher,
1355	.cleanup = NULL,
1356	.ctx_size = sizeof(EVP_AES_XTS_CTX),
1357	.ctrl = aes_xts_ctrl,
1358	};
1359	#endif
1360
1361	static const EVP_CIPHER aes_256_xts = {	1256	static const EVP_CIPHER aes_256_xts = {
1362	.nid = NID_aes_256_xts,	1257	.nid = NID_aes_256_xts,
1363	.block_size = 1,	1258	.block_size = 1,
@@ -1374,11 +1269,7 @@ static const EVP_CIPHER aes_256_xts = {
1374	const EVP_CIPHER *	1269	const EVP_CIPHER *
1375	EVP_aes_256_xts(void)	1270	EVP_aes_256_xts(void)
1376	{	1271	{
1377	#ifdef AESNI_CAPABLE
1378	return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts;
1379	#else
1380	return &aes_256_xts;	1272	return &aes_256_xts;
1381	#endif
1382	}	1273	}
1383	LCRYPTO_ALIAS(EVP_aes_256_xts);	1274	LCRYPTO_ALIAS(EVP_aes_256_xts);
1384		1275