Simplify EVP AES-GCM implementation and remove AES-NI specific code.

Like CTR, the mode implementation for GCM has two variants - rather than using multiple variants (one for AES-NI, another for non-AES-NI), consistently use CRYPTO_gcm128_{en,de}crypt_ctr32() with the aes_ctr32_encrypt_internal() function added for CTR mode. This lets us remove the AES-NI specific code, AES-NI specific EVP_CIPHER methods and the ctr function pointer from EVP_AES_GCM_CTX. ok tb@
author: jsing <> 2025-06-27 17:26:57 +0000
committer: jsing <> 2025-06-27 17:26:57 +0000
commit: 46423017b02650c68ef2ac67a7c84b1a34ce9679 (patch)
tree: 955af8de7f98e615430e58fe8d5bea70401f7892 /src
parent: 5cdc980054fcaa7078e29884d57b6a7e9e3e6731 (diff)
download: openbsd-46423017b02650c68ef2ac67a7c84b1a34ce9679.tar.gz
openbsd-46423017b02650c68ef2ac67a7c84b1a34ce9679.tar.bz2
openbsd-46423017b02650c68ef2ac67a7c84b1a34ce9679.zip
3 files changed, 31 insertions, 175 deletions
diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index 3ad03831f8..a33a209ef7 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.237 2025/05/25 06:27:02 jsing Exp $
+# $OpenBSD: Makefile,v 1.238 2025/06/27 17:26:57 jsing Exp $
 LIB=    crypto
 LIBREBUILD=y
@@ -25,6 +25,7 @@ CFLAGS+= -DLIBRESSL_NAMESPACE -DLIBRESSL_CRYPTO_NAMESPACE
 CFLAGS+= -DHAVE_FUNOPEN
 CFLAGS+= -I${LCRYPTO_SRC}
+CFLAGS+= -I${LCRYPTO_SRC}/aes
 CFLAGS+= -I${LCRYPTO_SRC}/arch/${MACHINE_CPU}
 CFLAGS+= -I${LCRYPTO_SRC}/asn1
 CFLAGS+= -I${LCRYPTO_SRC}/bio
diff --git a/src/lib/libcrypto/aes/aes_local.h b/src/lib/libcrypto/aes/aes_local.h
index dab12ed3f9..f9bd363802 100644
--- a/src/lib/libcrypto/aes/aes_local.h
+++ b/src/lib/libcrypto/aes/aes_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_local.h,v 1.6 2025/06/27 16:43:54 jsing Exp $ */
+/* $OpenBSD: aes_local.h,v 1.7 2025/06/27 17:26:57 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
@@ -63,6 +63,9 @@ __BEGIN_HIDDEN_DECLS
 /* This controls loop-unrolling in aes_core.c */
 #undef FULL_UNROLL
+void aes_ctr32_encrypt_ctr128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[AES_BLOCK_SIZE]);
 __END_HIDDEN_DECLS
 #endif /* !HEADER_AES_LOCAL_H */
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index b00eb048e8..b9d673c978 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.76 2025/06/27 17:10:45 jsing Exp $ */
+/* $OpenBSD: e_aes.c,v 1.77 2025/06/27 17:26:57 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
 *
@@ -61,6 +61,7 @@
 #include <openssl/aes.h>
 #include <openssl/evp.h>
+#include "aes_local.h"
 #include "err_local.h"
 #include "evp_local.h"
 #include "modes_local.h"
@@ -79,7 +80,6 @@ typedef struct {
        int taglen;
        int iv_gen;             /* It is OK to generate IVs */
        int tls_aad_len;        /* TLS AAD length */
-        ctr128_f ctr;
 } EVP_AES_GCM_CTX;
 typedef struct {
@@ -140,9 +140,6 @@ void aesni_decrypt(const unsigned char *in, unsigned char *out,
 void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
    size_t length, const AES_KEY *key, int enc);
-void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
-    size_t blocks, const void *key, const unsigned char *ivec);
 void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
    size_t length, const AES_KEY *key1, const AES_KEY *key2,
    const unsigned char iv[16]);
@@ -172,41 +169,6 @@ aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 }
 static int
-aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
-{
-        EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
-        if (!iv && !key)
-                return 1;
-        if (key) {
-                aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
-                CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
-                    (block128_f)aesni_encrypt);
-                gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
-                /* If we have an iv can set it directly, otherwise use
-                 * saved IV.
-                 */
-                if (iv == NULL && gctx->iv_set)
-                        iv = gctx->iv;
-                if (iv) {
-                        CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
-                        gctx->iv_set = 1;
-                }
-                gctx->key_set = 1;
-        } else {
-                /* If key set use IV, otherwise copy */
-                if (gctx->key_set)
-                        CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
-                else
-                        memcpy(gctx->iv, iv, gctx->ivlen);
-                gctx->iv_set = 1;
-                gctx->iv_gen = 0;
-        }
-        return 1;
-}
-static int
 aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
    const unsigned char *iv, int enc)
 {
@@ -1028,15 +990,6 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
        }
 }
-static ctr128_f
-aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
-    const unsigned char *key, size_t key_len)
-{
-        AES_set_encrypt_key(key, key_len * 8, aes_key);
-        CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
-        return NULL;
-}
 static int
 aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
    const unsigned char *iv, int enc)
@@ -1046,8 +999,8 @@ aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
        if (!iv && !key)
                return 1;
        if (key) {
-                gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm,
+                AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
-                    key, ctx->key_len);
+                CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
                /* If we have an iv can set it directly, otherwise use
                 * saved IV.
@@ -1107,14 +1060,9 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
        if (ctx->encrypt) {
                /* Encrypt payload */
-                if (gctx->ctr) {
+                if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, len,
-                        if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out,
+                    aes_ctr32_encrypt_ctr128f))
-                            len, gctx->ctr))
+                        goto err;
-                                goto err;
-                } else {
-                        if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
-                                goto err;
-                }
                out += len;
                /* Finally write tag */
@@ -1122,14 +1070,10 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
        } else {
                /* Decrypt */
-                if (gctx->ctr) {
+                if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, len,
-                        if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out,
+                    aes_ctr32_encrypt_ctr128f))
-                            len, gctx->ctr))
+                        goto err;
-                                goto err;
-                } else {
-                        if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
-                                goto err;
-                }
                /* Retrieve tag */
                CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
@@ -1168,25 +1112,13 @@ aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
                                return -1;
                } else if (ctx->encrypt) {
-                        if (gctx->ctr) {
+                        if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
-                                if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
+                            in, out, len, aes_ctr32_encrypt_ctr128f))
-                                    in, out, len, gctx->ctr))
+                                return -1;
-                                        return -1;
-                        } else {
-                                if (CRYPTO_gcm128_encrypt(&gctx->gcm,
-                                    in, out, len))
-                                        return -1;
-                        }
                } else {
-                        if (gctx->ctr) {
+                        if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
-                                if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
+                            in, out, len, aes_ctr32_encrypt_ctr128f))
-                                    in, out, len, gctx->ctr))
+                                return -1;
-                                        return -1;
-                        } else {
-                                if (CRYPTO_gcm128_decrypt(&gctx->gcm,
-                                    in, out, len))
-                                        return -1;
-                        }
                }
                return len;
        } else {
@@ -1215,22 +1147,6 @@ aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
      EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \
      EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_gcm = {
-        .nid = NID_aes_128_gcm,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 12,
-        .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
-        .init = aesni_gcm_init_key,
-        .do_cipher = aes_gcm_cipher,
-        .cleanup = aes_gcm_cleanup,
-        .ctx_size = sizeof(EVP_AES_GCM_CTX),
-        .ctrl = aes_gcm_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_128_gcm = {
        .nid = NID_aes_128_gcm,
        .block_size = 1,
@@ -1247,29 +1163,10 @@ static const EVP_CIPHER aes_128_gcm = {
 const EVP_CIPHER *
 EVP_aes_128_gcm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm;
-#else
        return &aes_128_gcm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_gcm);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_gcm = {
-        .nid = NID_aes_192_gcm,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 12,
-        .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
-        .init = aesni_gcm_init_key,
-        .do_cipher = aes_gcm_cipher,
-        .cleanup = aes_gcm_cleanup,
-        .ctx_size = sizeof(EVP_AES_GCM_CTX),
-        .ctrl = aes_gcm_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_192_gcm = {
        .nid = NID_aes_192_gcm,
        .block_size = 1,
@@ -1286,29 +1183,10 @@ static const EVP_CIPHER aes_192_gcm = {
 const EVP_CIPHER *
 EVP_aes_192_gcm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm;
-#else
        return &aes_192_gcm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_gcm);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_gcm = {
-        .nid = NID_aes_256_gcm,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 12,
-        .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
-        .init = aesni_gcm_init_key,
-        .do_cipher = aes_gcm_cipher,
-        .cleanup = aes_gcm_cleanup,
-        .ctx_size = sizeof(EVP_AES_GCM_CTX),
-        .ctrl = aes_gcm_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_256_gcm = {
        .nid = NID_aes_256_gcm,
        .block_size = 1,
@@ -1325,11 +1203,7 @@ static const EVP_CIPHER aes_256_gcm = {
 const EVP_CIPHER *
 EVP_aes_256_gcm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm;
-#else
        return &aes_256_gcm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_gcm);
@@ -1821,18 +1695,8 @@ aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len,
        if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL)
                return 0;
-#ifdef AESNI_CAPABLE
+        AES_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
-        if (AESNI_CAPABLE) {
+        CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, (block128_f)AES_encrypt);
-                aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
-                CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
-                    (block128_f)aesni_encrypt);
-                gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
-        } else
-#endif
-        {
-                gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
-                    key, key_len);
-        }
        gcm_ctx->tag_len = tag_len;
        ctx->aead_state = gcm_ctx;
@@ -1873,15 +1737,9 @@ aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
        if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
                return 0;
-        if (gcm_ctx->ctr) {
+        if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
-                if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
+            in_len - bulk, aes_ctr32_encrypt_ctr128f))
-                    in_len - bulk, gcm_ctx->ctr))
+                return 0;
-                        return 0;
-        } else {
-                if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
-                    in_len - bulk))
-                        return 0;
-        }
        CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
        *out_len = in_len + gcm_ctx->tag_len;
@@ -1924,15 +1782,9 @@ aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
        if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
                return 0;
-        if (gcm_ctx->ctr) {
+        if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
-                if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
+            in_len - bulk - gcm_ctx->tag_len, aes_ctr32_encrypt_ctr128f))
-                    in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
+                return 0;
-                        return 0;
-        } else {
-                if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
-                    in_len - bulk - gcm_ctx->tag_len))
-                        return 0;
-        }
        CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
        if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {
author	jsing <>	2025-06-27 17:26:57 +0000
committer	jsing <>	2025-06-27 17:26:57 +0000
commit	46423017b02650c68ef2ac67a7c84b1a34ce9679 (patch)
tree	955af8de7f98e615430e58fe8d5bea70401f7892 /src
parent	5cdc980054fcaa7078e29884d57b6a7e9e3e6731 (diff)
download	openbsd-46423017b02650c68ef2ac67a7c84b1a34ce9679.tar.gz openbsd-46423017b02650c68ef2ac67a7c84b1a34ce9679.tar.bz2 openbsd-46423017b02650c68ef2ac67a7c84b1a34ce9679.zip

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile index 3ad03831f8..a33a209ef7 100644 --- a/src/lib/libcrypto/Makefile +++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.237 2025/05/25 06:27:02 jsing Exp $	1	# $OpenBSD: Makefile,v 1.238 2025/06/27 17:26:57 jsing Exp $
2		2
3	LIB= crypto	3	LIB= crypto
4	LIBREBUILD=y	4	LIBREBUILD=y
@@ -25,6 +25,7 @@ CFLAGS+= -DLIBRESSL_NAMESPACE -DLIBRESSL_CRYPTO_NAMESPACE
25	CFLAGS+= -DHAVE_FUNOPEN	25	CFLAGS+= -DHAVE_FUNOPEN
26		26
27	CFLAGS+= -I${LCRYPTO_SRC}	27	CFLAGS+= -I${LCRYPTO_SRC}
		28	CFLAGS+= -I${LCRYPTO_SRC}/aes
28	CFLAGS+= -I${LCRYPTO_SRC}/arch/${MACHINE_CPU}	29	CFLAGS+= -I${LCRYPTO_SRC}/arch/${MACHINE_CPU}
29	CFLAGS+= -I${LCRYPTO_SRC}/asn1	30	CFLAGS+= -I${LCRYPTO_SRC}/asn1
30	CFLAGS+= -I${LCRYPTO_SRC}/bio	31	CFLAGS+= -I${LCRYPTO_SRC}/bio


diff --git a/src/lib/libcrypto/aes/aes_local.h b/src/lib/libcrypto/aes/aes_local.h index dab12ed3f9..f9bd363802 100644 --- a/src/lib/libcrypto/aes/aes_local.h +++ b/src/lib/libcrypto/aes/aes_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: aes_local.h,v 1.6 2025/06/27 16:43:54 jsing Exp $ */	1	/* $OpenBSD: aes_local.h,v 1.7 2025/06/27 17:26:57 jsing Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -63,6 +63,9 @@ __BEGIN_HIDDEN_DECLS
63	/* This controls loop-unrolling in aes_core.c */	63	/* This controls loop-unrolling in aes_core.c */
64	#undef FULL_UNROLL	64	#undef FULL_UNROLL
65		65
		66	void aes_ctr32_encrypt_ctr128f(const unsigned char in, unsigned char out,
		67	size_t blocks, const void *key, const unsigned char ivec[AES_BLOCK_SIZE]);
		68
66	__END_HIDDEN_DECLS	69	__END_HIDDEN_DECLS
67		70
68	#endif /* !HEADER_AES_LOCAL_H */	71	#endif /* !HEADER_AES_LOCAL_H */


diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c index b00eb048e8..b9d673c978 100644 --- a/src/lib/libcrypto/evp/e_aes.c +++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: e_aes.c,v 1.76 2025/06/27 17:10:45 jsing Exp $ */	1	/* $OpenBSD: e_aes.c,v 1.77 2025/06/27 17:26:57 jsing Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -61,6 +61,7 @@
61	#include <openssl/aes.h>	61	#include <openssl/aes.h>
62	#include <openssl/evp.h>	62	#include <openssl/evp.h>
63		63
		64	#include "aes_local.h"
64	#include "err_local.h"	65	#include "err_local.h"
65	#include "evp_local.h"	66	#include "evp_local.h"
66	#include "modes_local.h"	67	#include "modes_local.h"
@@ -79,7 +80,6 @@ typedef struct {
79	int taglen;	80	int taglen;
80	int iv_gen; /* It is OK to generate IVs */	81	int iv_gen; /* It is OK to generate IVs */
81	int tls_aad_len; /* TLS AAD length */	82	int tls_aad_len; /* TLS AAD length */
82	ctr128_f ctr;
83	} EVP_AES_GCM_CTX;	83	} EVP_AES_GCM_CTX;
84		84
85	typedef struct {	85	typedef struct {
@@ -140,9 +140,6 @@ void aesni_decrypt(const unsigned char in, unsigned char out,
140	void aesni_ecb_encrypt(const unsigned char in, unsigned char out,	140	void aesni_ecb_encrypt(const unsigned char in, unsigned char out,
141	size_t length, const AES_KEY *key, int enc);	141	size_t length, const AES_KEY *key, int enc);
142		142
143	void aesni_ctr32_encrypt_blocks(const unsigned char in, unsigned char out,
144	size_t blocks, const void key, const unsigned char ivec);
145
146	void aesni_xts_encrypt(const unsigned char in, unsigned char out,	143	void aesni_xts_encrypt(const unsigned char in, unsigned char out,
147	size_t length, const AES_KEY key1, const AES_KEY key2,	144	size_t length, const AES_KEY key1, const AES_KEY key2,
148	const unsigned char iv[16]);	145	const unsigned char iv[16]);
@@ -172,41 +169,6 @@ aesni_ecb_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
172	}	169	}
173		170
174	static int	171	static int
175	aesni_gcm_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,
176	const unsigned char *iv, int enc)
177	{
178	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
179
180	if (!iv && !key)
181	return 1;
182	if (key) {
183	aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
184	CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
185	(block128_f)aesni_encrypt);
186	gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
187	/* If we have an iv can set it directly, otherwise use
188	* saved IV.
189	*/
190	if (iv == NULL && gctx->iv_set)
191	iv = gctx->iv;
192	if (iv) {
193	CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
194	gctx->iv_set = 1;
195	}
196	gctx->key_set = 1;
197	} else {
198	/* If key set use IV, otherwise copy */
199	if (gctx->key_set)
200	CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
201	else
202	memcpy(gctx->iv, iv, gctx->ivlen);
203	gctx->iv_set = 1;
204	gctx->iv_gen = 0;
205	}
206	return 1;
207	}
208
209	static int
210	aesni_xts_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,	172	aesni_xts_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,
211	const unsigned char *iv, int enc)	173	const unsigned char *iv, int enc)
212	{	174	{
@@ -1028,15 +990,6 @@ aes_gcm_ctrl(EVP_CIPHER_CTX c, int type, int arg, void ptr)
1028	}	990	}
1029	}	991	}
1030		992
1031	static ctr128_f
1032	aes_gcm_set_key(AES_KEY aes_key, GCM128_CONTEXT gcm_ctx,
1033	const unsigned char *key, size_t key_len)
1034	{
1035	AES_set_encrypt_key(key, key_len * 8, aes_key);
1036	CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
1037	return NULL;
1038	}
1039
1040	static int	993	static int
1041	aes_gcm_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,	994	aes_gcm_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,
1042	const unsigned char *iv, int enc)	995	const unsigned char *iv, int enc)
@@ -1046,8 +999,8 @@ aes_gcm_init_key(EVP_CIPHER_CTX ctx, const unsigned char key,
1046	if (!iv && !key)	999	if (!iv && !key)
1047	return 1;	1000	return 1;
1048	if (key) {	1001	if (key) {
1049	gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm,	1002	AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
1050	key, ctx->key_len);	1003	CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
1051		1004
1052	/* If we have an iv can set it directly, otherwise use	1005	/* If we have an iv can set it directly, otherwise use
1053	* saved IV.	1006	* saved IV.
@@ -1107,14 +1060,9 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
1107	len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;	1060	len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1108	if (ctx->encrypt) {	1061	if (ctx->encrypt) {
1109	/* Encrypt payload */	1062	/* Encrypt payload */
1110	if (gctx->ctr) {	1063	if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, len,
1111	if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out,	1064	aes_ctr32_encrypt_ctr128f))
1112	len, gctx->ctr))	1065	goto err;
1113	goto err;
1114	} else {
1115	if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1116	goto err;
1117	}
1118	out += len;	1066	out += len;
1119		1067
1120	/* Finally write tag */	1068	/* Finally write tag */
@@ -1122,14 +1070,10 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
1122	rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;	1070	rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1123	} else {	1071	} else {
1124	/* Decrypt */	1072	/* Decrypt */
1125	if (gctx->ctr) {	1073	if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, len,
1126	if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out,	1074	aes_ctr32_encrypt_ctr128f))
1127	len, gctx->ctr))	1075	goto err;
1128	goto err;	1076
1129	} else {
1130	if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1131	goto err;
1132	}
1133	/* Retrieve tag */	1077	/* Retrieve tag */
1134	CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);	1078	CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
1135		1079
@@ -1168,25 +1112,13 @@ aes_gcm_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
1168	if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))	1112	if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1169	return -1;	1113	return -1;
1170	} else if (ctx->encrypt) {	1114	} else if (ctx->encrypt) {
1171	if (gctx->ctr) {	1115	if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1172	if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,	1116	in, out, len, aes_ctr32_encrypt_ctr128f))
1173	in, out, len, gctx->ctr))	1117	return -1;
1174	return -1;
1175	} else {
1176	if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1177	in, out, len))
1178	return -1;
1179	}
1180	} else {	1118	} else {
1181	if (gctx->ctr) {	1119	if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1182	if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,	1120	in, out, len, aes_ctr32_encrypt_ctr128f))
1183	in, out, len, gctx->ctr))	1121	return -1;
1184	return -1;
1185	} else {
1186	if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1187	in, out, len))
1188	return -1;
1189	}
1190	}	1122	}
1191	return len;	1123	return len;
1192	} else {	1124	} else {
@@ -1215,22 +1147,6 @@ aes_gcm_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
1215	EVP_CIPH_FLAG_CUSTOM_CIPHER \| EVP_CIPH_ALWAYS_CALL_INIT \| \	1147	EVP_CIPH_FLAG_CUSTOM_CIPHER \| EVP_CIPH_ALWAYS_CALL_INIT \| \
1216	EVP_CIPH_CTRL_INIT \| EVP_CIPH_CUSTOM_COPY )	1148	EVP_CIPH_CTRL_INIT \| EVP_CIPH_CUSTOM_COPY )
1217		1149
1218
1219	#ifdef AESNI_CAPABLE
1220	static const EVP_CIPHER aesni_128_gcm = {
1221	.nid = NID_aes_128_gcm,
1222	.block_size = 1,
1223	.key_len = 16,
1224	.iv_len = 12,
1225	.flags = EVP_CIPH_FLAG_AEAD_CIPHER\|CUSTOM_FLAGS \| EVP_CIPH_GCM_MODE,
1226	.init = aesni_gcm_init_key,
1227	.do_cipher = aes_gcm_cipher,
1228	.cleanup = aes_gcm_cleanup,
1229	.ctx_size = sizeof(EVP_AES_GCM_CTX),
1230	.ctrl = aes_gcm_ctrl,
1231	};
1232	#endif
1233
1234	static const EVP_CIPHER aes_128_gcm = {	1150	static const EVP_CIPHER aes_128_gcm = {
1235	.nid = NID_aes_128_gcm,	1151	.nid = NID_aes_128_gcm,
1236	.block_size = 1,	1152	.block_size = 1,
@@ -1247,29 +1163,10 @@ static const EVP_CIPHER aes_128_gcm = {
1247	const EVP_CIPHER *	1163	const EVP_CIPHER *
1248	EVP_aes_128_gcm(void)	1164	EVP_aes_128_gcm(void)
1249	{	1165	{
1250	#ifdef AESNI_CAPABLE
1251	return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm;
1252	#else
1253	return &aes_128_gcm;	1166	return &aes_128_gcm;
1254	#endif
1255	}	1167	}
1256	LCRYPTO_ALIAS(EVP_aes_128_gcm);	1168	LCRYPTO_ALIAS(EVP_aes_128_gcm);
1257		1169
1258	#ifdef AESNI_CAPABLE
1259	static const EVP_CIPHER aesni_192_gcm = {
1260	.nid = NID_aes_192_gcm,
1261	.block_size = 1,
1262	.key_len = 24,
1263	.iv_len = 12,
1264	.flags = EVP_CIPH_FLAG_AEAD_CIPHER\|CUSTOM_FLAGS \| EVP_CIPH_GCM_MODE,
1265	.init = aesni_gcm_init_key,
1266	.do_cipher = aes_gcm_cipher,
1267	.cleanup = aes_gcm_cleanup,
1268	.ctx_size = sizeof(EVP_AES_GCM_CTX),
1269	.ctrl = aes_gcm_ctrl,
1270	};
1271	#endif
1272
1273	static const EVP_CIPHER aes_192_gcm = {	1170	static const EVP_CIPHER aes_192_gcm = {
1274	.nid = NID_aes_192_gcm,	1171	.nid = NID_aes_192_gcm,
1275	.block_size = 1,	1172	.block_size = 1,
@@ -1286,29 +1183,10 @@ static const EVP_CIPHER aes_192_gcm = {
1286	const EVP_CIPHER *	1183	const EVP_CIPHER *
1287	EVP_aes_192_gcm(void)	1184	EVP_aes_192_gcm(void)
1288	{	1185	{
1289	#ifdef AESNI_CAPABLE
1290	return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm;
1291	#else
1292	return &aes_192_gcm;	1186	return &aes_192_gcm;
1293	#endif
1294	}	1187	}
1295	LCRYPTO_ALIAS(EVP_aes_192_gcm);	1188	LCRYPTO_ALIAS(EVP_aes_192_gcm);
1296		1189
1297	#ifdef AESNI_CAPABLE
1298	static const EVP_CIPHER aesni_256_gcm = {
1299	.nid = NID_aes_256_gcm,
1300	.block_size = 1,
1301	.key_len = 32,
1302	.iv_len = 12,
1303	.flags = EVP_CIPH_FLAG_AEAD_CIPHER\|CUSTOM_FLAGS \| EVP_CIPH_GCM_MODE,
1304	.init = aesni_gcm_init_key,
1305	.do_cipher = aes_gcm_cipher,
1306	.cleanup = aes_gcm_cleanup,
1307	.ctx_size = sizeof(EVP_AES_GCM_CTX),
1308	.ctrl = aes_gcm_ctrl,
1309	};
1310	#endif
1311
1312	static const EVP_CIPHER aes_256_gcm = {	1190	static const EVP_CIPHER aes_256_gcm = {
1313	.nid = NID_aes_256_gcm,	1191	.nid = NID_aes_256_gcm,
1314	.block_size = 1,	1192	.block_size = 1,
@@ -1325,11 +1203,7 @@ static const EVP_CIPHER aes_256_gcm = {
1325	const EVP_CIPHER *	1203	const EVP_CIPHER *
1326	EVP_aes_256_gcm(void)	1204	EVP_aes_256_gcm(void)
1327	{	1205	{
1328	#ifdef AESNI_CAPABLE
1329	return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm;
1330	#else
1331	return &aes_256_gcm;	1206	return &aes_256_gcm;
1332	#endif
1333	}	1207	}
1334	LCRYPTO_ALIAS(EVP_aes_256_gcm);	1208	LCRYPTO_ALIAS(EVP_aes_256_gcm);
1335		1209
@@ -1821,18 +1695,8 @@ aead_aes_gcm_init(EVP_AEAD_CTX ctx, const unsigned char key, size_t key_len,
1821	if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL)	1695	if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL)
1822	return 0;	1696	return 0;
1823		1697
1824	#ifdef AESNI_CAPABLE	1698	AES_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
1825	if (AESNI_CAPABLE) {	1699	CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, (block128_f)AES_encrypt);
1826	aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
1827	CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
1828	(block128_f)aesni_encrypt);
1829	gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
1830	} else
1831	#endif
1832	{
1833	gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
1834	key, key_len);
1835	}
1836	gcm_ctx->tag_len = tag_len;	1700	gcm_ctx->tag_len = tag_len;
1837	ctx->aead_state = gcm_ctx;	1701	ctx->aead_state = gcm_ctx;
1838		1702
@@ -1873,15 +1737,9 @@ aead_aes_gcm_seal(const EVP_AEAD_CTX ctx, unsigned char out, size_t *out_len,
1873	if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))	1737	if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
1874	return 0;	1738	return 0;
1875		1739
1876	if (gcm_ctx->ctr) {	1740	if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
1877	if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,	1741	in_len - bulk, aes_ctr32_encrypt_ctr128f))
1878	in_len - bulk, gcm_ctx->ctr))	1742	return 0;
1879	return 0;
1880	} else {
1881	if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
1882	in_len - bulk))
1883	return 0;
1884	}
1885		1743
1886	CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);	1744	CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
1887	*out_len = in_len + gcm_ctx->tag_len;	1745	*out_len = in_len + gcm_ctx->tag_len;
@@ -1924,15 +1782,9 @@ aead_aes_gcm_open(const EVP_AEAD_CTX ctx, unsigned char out, size_t *out_len,
1924	if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))	1782	if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
1925	return 0;	1783	return 0;
1926		1784
1927	if (gcm_ctx->ctr) {	1785	if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
1928	if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,	1786	in_len - bulk - gcm_ctx->tag_len, aes_ctr32_encrypt_ctr128f))
1929	in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))	1787	return 0;
1930	return 0;
1931	} else {
1932	if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
1933	in_len - bulk - gcm_ctx->tag_len))
1934	return 0;
1935	}
1936		1788
1937	CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);	1789	CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
1938	if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {	1790	if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {