1 files changed, 285 insertions, 11 deletions
diff --git a/src/lib/libcrypto/aes/aes.c b/src/lib/libcrypto/aes/aes.c
index d36a006360..693badcd66 100644
--- a/src/lib/libcrypto/aes/aes.c
+++ b/src/lib/libcrypto/aes/aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes.c,v 1.4 2024/08/11 13:02:39 jsing Exp $ */
+/* $OpenBSD: aes.c,v 1.14 2025/07/22 09:13:49 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
 *
@@ -46,21 +46,72 @@
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
- *
 */
 #include <string.h>
 #include <openssl/aes.h>
 #include <openssl/bio.h>
+#include <openssl/crypto.h>
 #include <openssl/modes.h>
 #include "crypto_arch.h"
+#include "crypto_internal.h"
+#include "modes_local.h"
 static const unsigned char aes_wrap_default_iv[] = {
        0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
 };
+int aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+int aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+void aes_encrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aes_decrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+int
+AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
+{
+        return aes_set_encrypt_key_internal(userKey, bits, key);
+}
+LCRYPTO_ALIAS(AES_set_encrypt_key);
+int
+AES_set_decrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
+{
+        return aes_set_decrypt_key_internal(userKey, bits, key);
+}
+LCRYPTO_ALIAS(AES_set_decrypt_key);
+void
+AES_encrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
+{
+        aes_encrypt_internal(in, out, key);
+}
+LCRYPTO_ALIAS(AES_encrypt);
+void
+AES_decrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
+{
+        aes_decrypt_internal(in, out, key);
+}
+LCRYPTO_ALIAS(AES_decrypt);
+void
+aes_encrypt_block128(const unsigned char *in, unsigned char *out, const void *key)
+{
+        aes_encrypt_internal(in, out, key);
+}
+void
+aes_decrypt_block128(const unsigned char *in, unsigned char *out, const void *key)
+{
+        aes_decrypt_internal(in, out, key);
+}
 #ifdef HAVE_AES_CBC_ENCRYPT_INTERNAL
 void aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
@@ -72,10 +123,10 @@ aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
 {
        if (enc)
                CRYPTO_cbc128_encrypt(in, out, len, key, ivec,
-                    (block128_f)AES_encrypt);
+                    aes_encrypt_block128);
        else
                CRYPTO_cbc128_decrypt(in, out, len, key, ivec,
-                    (block128_f)AES_decrypt);
+                    aes_decrypt_block128);
 }
 #endif
@@ -98,7 +149,7 @@ AES_cfb128_encrypt(const unsigned char *in, unsigned char *out, size_t length,
    const AES_KEY *key, unsigned char *ivec, int *num, const int enc)
 {
        CRYPTO_cfb128_encrypt(in, out, length, key, ivec, num, enc,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_cfb128_encrypt);
@@ -108,7 +159,7 @@ AES_cfb1_encrypt(const unsigned char *in, unsigned char *out, size_t length,
    const AES_KEY *key, unsigned char *ivec, int *num, const int enc)
 {
        CRYPTO_cfb128_1_encrypt(in, out, length, key, ivec, num, enc,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_cfb1_encrypt);
@@ -117,17 +168,134 @@ AES_cfb8_encrypt(const unsigned char *in, unsigned char *out, size_t length,
    const AES_KEY *key, unsigned char *ivec, int *num, const int enc)
 {
        CRYPTO_cfb128_8_encrypt(in, out, length, key, ivec, num, enc,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_cfb8_encrypt);
 void
+aes_ccm64_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt)
+{
+        uint8_t iv[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+        uint8_t in_mask;
+        uint64_t ctr;
+        int i;
+        in_mask = 0 - (encrypt != 0);
+        memcpy(iv, ivec, sizeof(iv));
+        ctr = crypto_load_be64toh(&iv[8]);
+        while (blocks > 0) {
+                crypto_store_htobe64(&iv[8], ctr);
+                aes_encrypt_internal(iv, buf, key);
+                ctr++;
+                for (i = 0; i < 16; i++) {
+                        out[i] = in[i] ^ buf[i];
+                        cmac[i] ^= (in[i] & in_mask) | (out[i] & ~in_mask);
+                }
+                aes_encrypt_internal(cmac, cmac, key);
+                in += 16;
+                out += 16;
+                blocks--;
+        }
+        explicit_bzero(buf, sizeof(buf));
+        explicit_bzero(iv, sizeof(iv));
+}
+#ifdef HAVE_AES_CCM64_ENCRYPT_INTERNAL
+void aes_ccm64_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt);
+#else
+static inline void
+aes_ccm64_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt)
+{
+        aes_ccm64_encrypt_generic(in, out, blocks, key, ivec, cmac, encrypt);
+}
+#endif
+void
+aes_ccm64_encrypt_ccm128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16])
+{
+        aes_ccm64_encrypt_internal(in, out, blocks, key, ivec, cmac, 1);
+}
+void
+aes_ccm64_decrypt_ccm128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16])
+{
+        aes_ccm64_encrypt_internal(in, out, blocks, key, ivec, cmac, 0);
+}
+void
+aes_ctr32_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        uint8_t iv[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+        uint32_t ctr;
+        int i;
+        memcpy(iv, ivec, sizeof(iv));
+        ctr = crypto_load_be32toh(&iv[12]);
+        while (blocks > 0) {
+                crypto_store_htobe32(&iv[12], ctr);
+                aes_encrypt_internal(iv, buf, key);
+                ctr++;
+                for (i = 0; i < AES_BLOCK_SIZE; i++)
+                        out[i] = in[i] ^ buf[i];
+                in += 16;
+                out += 16;
+                blocks--;
+        }
+        explicit_bzero(buf, sizeof(buf));
+        explicit_bzero(iv, sizeof(iv));
+}
+#ifdef HAVE_AES_CTR32_ENCRYPT_INTERNAL
+void aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+#else
+static inline void
+aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        aes_ctr32_encrypt_generic(in, out, blocks, key, ivec);
+}
+#endif
+void
+aes_ctr32_encrypt_ctr128f(const unsigned char *in, unsigned char *out, size_t blocks,
+    const void *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        aes_ctr32_encrypt_internal(in, out, blocks, key, ivec);
+}
+void
 AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
    size_t length, const AES_KEY *key, unsigned char ivec[AES_BLOCK_SIZE],
    unsigned char ecount_buf[AES_BLOCK_SIZE], unsigned int *num)
 {
-        CRYPTO_ctr128_encrypt(in, out, length, key, ivec, ecount_buf, num,
+        CRYPTO_ctr128_encrypt_ctr32(in, out, length, key, ivec, ecount_buf,
-            (block128_f)AES_encrypt);
+            num, aes_ctr32_encrypt_ctr128f);
 }
 LCRYPTO_ALIAS(AES_ctr128_encrypt);
@@ -142,15 +310,121 @@ AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
 }
 LCRYPTO_ALIAS(AES_ecb_encrypt);
+#ifndef HAVE_AES_ECB_ENCRYPT_INTERNAL
+void
+aes_ecb_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, int encrypt)
+{
+        while (len >= AES_BLOCK_SIZE) {
+                AES_ecb_encrypt(in, out, key, encrypt);
+                in += AES_BLOCK_SIZE;
+                out += AES_BLOCK_SIZE;
+                len -= AES_BLOCK_SIZE;
+        }
+}
+#endif
+#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
+typedef struct {
+        unsigned long data[N_WORDS];
+} aes_block_t;
+void
+AES_ige_encrypt(const unsigned char *in, unsigned char *out, size_t length,
+    const AES_KEY *key, unsigned char *ivec, const int enc)
+{
+        aes_block_t tmp, tmp2;
+        aes_block_t iv;
+        aes_block_t iv2;
+        size_t n;
+        size_t len;
+        /* N.B. The IV for this mode is _twice_ the block size */
+        OPENSSL_assert((length % AES_BLOCK_SIZE) == 0);
+        len = length / AES_BLOCK_SIZE;
+        memcpy(iv.data, ivec, AES_BLOCK_SIZE);
+        memcpy(iv2.data, ivec + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+        if (AES_ENCRYPT == enc) {
+                while (len) {
+                        memcpy(tmp.data, in, AES_BLOCK_SIZE);
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp2.data[n] = tmp.data[n] ^ iv.data[n];
+                        AES_encrypt((unsigned char *)tmp2.data,
+                            (unsigned char *)tmp2.data, key);
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp2.data[n] ^= iv2.data[n];
+                        memcpy(out, tmp2.data, AES_BLOCK_SIZE);
+                        iv = tmp2;
+                        iv2 = tmp;
+                        --len;
+                        in += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
+                }
+        } else {
+                while (len) {
+                        memcpy(tmp.data, in, AES_BLOCK_SIZE);
+                        tmp2 = tmp;
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp.data[n] ^= iv2.data[n];
+                        AES_decrypt((unsigned char *)tmp.data,
+                            (unsigned char *)tmp.data, key);
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp.data[n] ^= iv.data[n];
+                        memcpy(out, tmp.data, AES_BLOCK_SIZE);
+                        iv = tmp2;
+                        iv2 = tmp;
+                        --len;
+                        in += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
+                }
+        }
+        memcpy(ivec, iv.data, AES_BLOCK_SIZE);
+        memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
+}
+LCRYPTO_ALIAS(AES_ige_encrypt);
 void
 AES_ofb128_encrypt(const unsigned char *in, unsigned char *out, size_t length,
    const AES_KEY *key, unsigned char *ivec, int *num)
 {
        CRYPTO_ofb128_encrypt(in, out, length, key, ivec, num,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_ofb128_encrypt);
+void
+aes_xts_encrypt_generic(const unsigned char *in, unsigned char *out, size_t len,
+    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16],
+    int encrypt)
+{
+        XTS128_CONTEXT xctx;
+        if (encrypt)
+                xctx.block1 = aes_encrypt_block128;
+        else 
+                xctx.block1 = aes_decrypt_block128;
+        xctx.block2 = aes_encrypt_block128;
+        xctx.key1 = key1;
+        xctx.key2 = key2;
+        CRYPTO_xts128_encrypt(&xctx, iv, in, out, len, encrypt);
+}
+#ifndef HAVE_AES_XTS_ENCRYPT_INTERNAL
+void
+aes_xts_encrypt_internal(const unsigned char *in, unsigned char *out, size_t len,
+    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16],
+    int encrypt)
+{
+        aes_xts_encrypt_generic(in, out, len, key1, key2, iv, encrypt);
+}
+#endif
 int
 AES_wrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
    const unsigned char *in, unsigned int inlen)
@@ -217,7 +491,7 @@ AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
        }
        if (!iv)
                iv = aes_wrap_default_iv;
-        if (memcmp(A, iv, 8)) {
+        if (timingsafe_memcmp(A, iv, 8) != 0) {
                explicit_bzero(out, inlen);
                return 0;
        }

diff --git a/src/lib/libcrypto/aes/aes.c b/src/lib/libcrypto/aes/aes.c index d36a006360..693badcd66 100644 --- a/src/lib/libcrypto/aes/aes.c +++ b/src/lib/libcrypto/aes/aes.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: aes.c,v 1.4 2024/08/11 13:02:39 jsing Exp $ */	1	/* $OpenBSD: aes.c,v 1.14 2025/07/22 09:13:49 jsing Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 2002-2006 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 2002-2006 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -46,21 +46,72 @@
46	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	46	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47	* OF THE POSSIBILITY OF SUCH DAMAGE.	47	* OF THE POSSIBILITY OF SUCH DAMAGE.
48	* ====================================================================	48	* ====================================================================
49	*
50	*/	49	*/
51		50
52	#include <string.h>	51	#include <string.h>
53		52
54	#include <openssl/aes.h>	53	#include <openssl/aes.h>
55	#include <openssl/bio.h>	54	#include <openssl/bio.h>
		55	#include <openssl/crypto.h>
56	#include <openssl/modes.h>	56	#include <openssl/modes.h>
57		57
58	#include "crypto_arch.h"	58	#include "crypto_arch.h"
		59	#include "crypto_internal.h"
		60	#include "modes_local.h"
59		61
60	static const unsigned char aes_wrap_default_iv[] = {	62	static const unsigned char aes_wrap_default_iv[] = {
61	0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,	63	0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
62	};	64	};
63		65
		66	int aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
		67	AES_KEY *key);
		68	int aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
		69	AES_KEY *key);
		70	void aes_encrypt_internal(const unsigned char in, unsigned char out,
		71	const AES_KEY *key);
		72	void aes_decrypt_internal(const unsigned char in, unsigned char out,
		73	const AES_KEY *key);
		74
		75	int
		76	AES_set_encrypt_key(const unsigned char userKey, const int bits, AES_KEY key)
		77	{
		78	return aes_set_encrypt_key_internal(userKey, bits, key);
		79	}
		80	LCRYPTO_ALIAS(AES_set_encrypt_key);
		81
		82	int
		83	AES_set_decrypt_key(const unsigned char userKey, const int bits, AES_KEY key)
		84	{
		85	return aes_set_decrypt_key_internal(userKey, bits, key);
		86	}
		87	LCRYPTO_ALIAS(AES_set_decrypt_key);
		88
		89	void
		90	AES_encrypt(const unsigned char in, unsigned char out, const AES_KEY *key)
		91	{
		92	aes_encrypt_internal(in, out, key);
		93	}
		94	LCRYPTO_ALIAS(AES_encrypt);
		95
		96	void
		97	AES_decrypt(const unsigned char in, unsigned char out, const AES_KEY *key)
		98	{
		99	aes_decrypt_internal(in, out, key);
		100	}
		101	LCRYPTO_ALIAS(AES_decrypt);
		102
		103	void
		104	aes_encrypt_block128(const unsigned char in, unsigned char out, const void *key)
		105	{
		106	aes_encrypt_internal(in, out, key);
		107	}
		108
		109	void
		110	aes_decrypt_block128(const unsigned char in, unsigned char out, const void *key)
		111	{
		112	aes_decrypt_internal(in, out, key);
		113	}
		114
64	#ifdef HAVE_AES_CBC_ENCRYPT_INTERNAL	115	#ifdef HAVE_AES_CBC_ENCRYPT_INTERNAL
65	void aes_cbc_encrypt_internal(const unsigned char in, unsigned char out,	116	void aes_cbc_encrypt_internal(const unsigned char in, unsigned char out,
66	size_t len, const AES_KEY key, unsigned char ivec, const int enc);	117	size_t len, const AES_KEY key, unsigned char ivec, const int enc);
@@ -72,10 +123,10 @@ aes_cbc_encrypt_internal(const unsigned char in, unsigned char out,
72	{	123	{
73	if (enc)	124	if (enc)
74	CRYPTO_cbc128_encrypt(in, out, len, key, ivec,	125	CRYPTO_cbc128_encrypt(in, out, len, key, ivec,
75	(block128_f)AES_encrypt);	126	aes_encrypt_block128);
76	else	127	else
77	CRYPTO_cbc128_decrypt(in, out, len, key, ivec,	128	CRYPTO_cbc128_decrypt(in, out, len, key, ivec,
78	(block128_f)AES_decrypt);	129	aes_decrypt_block128);
79	}	130	}
80	#endif	131	#endif
81		132
@@ -98,7 +149,7 @@ AES_cfb128_encrypt(const unsigned char in, unsigned char out, size_t length,
98	const AES_KEY key, unsigned char ivec, int *num, const int enc)	149	const AES_KEY key, unsigned char ivec, int *num, const int enc)
99	{	150	{
100	CRYPTO_cfb128_encrypt(in, out, length, key, ivec, num, enc,	151	CRYPTO_cfb128_encrypt(in, out, length, key, ivec, num, enc,
101	(block128_f)AES_encrypt);	152	aes_encrypt_block128);
102	}	153	}
103	LCRYPTO_ALIAS(AES_cfb128_encrypt);	154	LCRYPTO_ALIAS(AES_cfb128_encrypt);
104		155
@@ -108,7 +159,7 @@ AES_cfb1_encrypt(const unsigned char in, unsigned char out, size_t length,
108	const AES_KEY key, unsigned char ivec, int *num, const int enc)	159	const AES_KEY key, unsigned char ivec, int *num, const int enc)
109	{	160	{
110	CRYPTO_cfb128_1_encrypt(in, out, length, key, ivec, num, enc,	161	CRYPTO_cfb128_1_encrypt(in, out, length, key, ivec, num, enc,
111	(block128_f)AES_encrypt);	162	aes_encrypt_block128);
112	}	163	}
113	LCRYPTO_ALIAS(AES_cfb1_encrypt);	164	LCRYPTO_ALIAS(AES_cfb1_encrypt);
114		165
@@ -117,17 +168,134 @@ AES_cfb8_encrypt(const unsigned char in, unsigned char out, size_t length,
117	const AES_KEY key, unsigned char ivec, int *num, const int enc)	168	const AES_KEY key, unsigned char ivec, int *num, const int enc)
118	{	169	{
119	CRYPTO_cfb128_8_encrypt(in, out, length, key, ivec, num, enc,	170	CRYPTO_cfb128_8_encrypt(in, out, length, key, ivec, num, enc,
120	(block128_f)AES_encrypt);	171	aes_encrypt_block128);
121	}	172	}
122	LCRYPTO_ALIAS(AES_cfb8_encrypt);	173	LCRYPTO_ALIAS(AES_cfb8_encrypt);
123		174
124	void	175	void
		176	aes_ccm64_encrypt_generic(const unsigned char in, unsigned char out,
		177	size_t blocks, const void *key, const unsigned char ivec[16],
		178	unsigned char cmac[16], int encrypt)
		179	{
		180	uint8_t iv[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
		181	uint8_t in_mask;
		182	uint64_t ctr;
		183	int i;
		184
		185	in_mask = 0 - (encrypt != 0);
		186
		187	memcpy(iv, ivec, sizeof(iv));
		188
		189	ctr = crypto_load_be64toh(&iv[8]);
		190
		191	while (blocks > 0) {
		192	crypto_store_htobe64(&iv[8], ctr);
		193	aes_encrypt_internal(iv, buf, key);
		194	ctr++;
		195
		196	for (i = 0; i < 16; i++) {
		197	out[i] = in[i] ^ buf[i];
		198	cmac[i] ^= (in[i] & in_mask) \| (out[i] & ~in_mask);
		199	}
		200
		201	aes_encrypt_internal(cmac, cmac, key);
		202
		203	in += 16;
		204	out += 16;
		205	blocks--;
		206	}
		207
		208	explicit_bzero(buf, sizeof(buf));
		209	explicit_bzero(iv, sizeof(iv));
		210	}
		211
		212	#ifdef HAVE_AES_CCM64_ENCRYPT_INTERNAL
		213	void aes_ccm64_encrypt_internal(const unsigned char in, unsigned char out,
		214	size_t blocks, const void *key, const unsigned char ivec[16],
		215	unsigned char cmac[16], int encrypt);
		216
		217	#else
		218	static inline void
		219	aes_ccm64_encrypt_internal(const unsigned char in, unsigned char out,
		220	size_t blocks, const void *key, const unsigned char ivec[16],
		221	unsigned char cmac[16], int encrypt)
		222	{
		223	aes_ccm64_encrypt_generic(in, out, blocks, key, ivec, cmac, encrypt);
		224	}
		225	#endif
		226
		227	void
		228	aes_ccm64_encrypt_ccm128f(const unsigned char in, unsigned char out,
		229	size_t blocks, const void *key, const unsigned char ivec[16],
		230	unsigned char cmac[16])
		231	{
		232	aes_ccm64_encrypt_internal(in, out, blocks, key, ivec, cmac, 1);
		233	}
		234
		235	void
		236	aes_ccm64_decrypt_ccm128f(const unsigned char in, unsigned char out,
		237	size_t blocks, const void *key, const unsigned char ivec[16],
		238	unsigned char cmac[16])
		239	{
		240	aes_ccm64_encrypt_internal(in, out, blocks, key, ivec, cmac, 0);
		241	}
		242
		243	void
		244	aes_ctr32_encrypt_generic(const unsigned char in, unsigned char out,
		245	size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
		246	{
		247	uint8_t iv[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
		248	uint32_t ctr;
		249	int i;
		250
		251	memcpy(iv, ivec, sizeof(iv));
		252
		253	ctr = crypto_load_be32toh(&iv[12]);
		254
		255	while (blocks > 0) {
		256	crypto_store_htobe32(&iv[12], ctr);
		257	aes_encrypt_internal(iv, buf, key);
		258	ctr++;
		259
		260	for (i = 0; i < AES_BLOCK_SIZE; i++)
		261	out[i] = in[i] ^ buf[i];
		262
		263	in += 16;
		264	out += 16;
		265	blocks--;
		266	}
		267
		268	explicit_bzero(buf, sizeof(buf));
		269	explicit_bzero(iv, sizeof(iv));
		270	}
		271
		272	#ifdef HAVE_AES_CTR32_ENCRYPT_INTERNAL
		273	void aes_ctr32_encrypt_internal(const unsigned char in, unsigned char out,
		274	size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE]);
		275
		276	#else
		277	static inline void
		278	aes_ctr32_encrypt_internal(const unsigned char in, unsigned char out,
		279	size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
		280	{
		281	aes_ctr32_encrypt_generic(in, out, blocks, key, ivec);
		282	}
		283	#endif
		284
		285	void
		286	aes_ctr32_encrypt_ctr128f(const unsigned char in, unsigned char out, size_t blocks,
		287	const void *key, const unsigned char ivec[AES_BLOCK_SIZE])
		288	{
		289	aes_ctr32_encrypt_internal(in, out, blocks, key, ivec);
		290	}
		291
		292	void
125	AES_ctr128_encrypt(const unsigned char in, unsigned char out,	293	AES_ctr128_encrypt(const unsigned char in, unsigned char out,
126	size_t length, const AES_KEY *key, unsigned char ivec[AES_BLOCK_SIZE],	294	size_t length, const AES_KEY *key, unsigned char ivec[AES_BLOCK_SIZE],
127	unsigned char ecount_buf[AES_BLOCK_SIZE], unsigned int *num)	295	unsigned char ecount_buf[AES_BLOCK_SIZE], unsigned int *num)
128	{	296	{
129	CRYPTO_ctr128_encrypt(in, out, length, key, ivec, ecount_buf, num,	297	CRYPTO_ctr128_encrypt_ctr32(in, out, length, key, ivec, ecount_buf,
130	(block128_f)AES_encrypt);	298	num, aes_ctr32_encrypt_ctr128f);
131	}	299	}
132	LCRYPTO_ALIAS(AES_ctr128_encrypt);	300	LCRYPTO_ALIAS(AES_ctr128_encrypt);
133		301
@@ -142,15 +310,121 @@ AES_ecb_encrypt(const unsigned char in, unsigned char out,
142	}	310	}
143	LCRYPTO_ALIAS(AES_ecb_encrypt);	311	LCRYPTO_ALIAS(AES_ecb_encrypt);
144		312
		313	#ifndef HAVE_AES_ECB_ENCRYPT_INTERNAL
		314	void
		315	aes_ecb_encrypt_internal(const unsigned char in, unsigned char out,
		316	size_t len, const AES_KEY *key, int encrypt)
		317	{
		318	while (len >= AES_BLOCK_SIZE) {
		319	AES_ecb_encrypt(in, out, key, encrypt);
		320	in += AES_BLOCK_SIZE;
		321	out += AES_BLOCK_SIZE;
		322	len -= AES_BLOCK_SIZE;
		323	}
		324	}
		325	#endif
		326
		327	#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
		328	typedef struct {
		329	unsigned long data[N_WORDS];
		330	} aes_block_t;
		331
		332	void
		333	AES_ige_encrypt(const unsigned char in, unsigned char out, size_t length,
		334	const AES_KEY key, unsigned char ivec, const int enc)
		335	{
		336	aes_block_t tmp, tmp2;
		337	aes_block_t iv;
		338	aes_block_t iv2;
		339	size_t n;
		340	size_t len;
		341
		342	/* N.B. The IV for this mode is _twice_ the block size */
		343
		344	OPENSSL_assert((length % AES_BLOCK_SIZE) == 0);
		345
		346	len = length / AES_BLOCK_SIZE;
		347
		348	memcpy(iv.data, ivec, AES_BLOCK_SIZE);
		349	memcpy(iv2.data, ivec + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
		350
		351	if (AES_ENCRYPT == enc) {
		352	while (len) {
		353	memcpy(tmp.data, in, AES_BLOCK_SIZE);
		354	for (n = 0; n < N_WORDS; ++n)
		355	tmp2.data[n] = tmp.data[n] ^ iv.data[n];
		356	AES_encrypt((unsigned char *)tmp2.data,
		357	(unsigned char *)tmp2.data, key);
		358	for (n = 0; n < N_WORDS; ++n)
		359	tmp2.data[n] ^= iv2.data[n];
		360	memcpy(out, tmp2.data, AES_BLOCK_SIZE);
		361	iv = tmp2;
		362	iv2 = tmp;
		363	--len;
		364	in += AES_BLOCK_SIZE;
		365	out += AES_BLOCK_SIZE;
		366	}
		367	} else {
		368	while (len) {
		369	memcpy(tmp.data, in, AES_BLOCK_SIZE);
		370	tmp2 = tmp;
		371	for (n = 0; n < N_WORDS; ++n)
		372	tmp.data[n] ^= iv2.data[n];
		373	AES_decrypt((unsigned char *)tmp.data,
		374	(unsigned char *)tmp.data, key);
		375	for (n = 0; n < N_WORDS; ++n)
		376	tmp.data[n] ^= iv.data[n];
		377	memcpy(out, tmp.data, AES_BLOCK_SIZE);
		378	iv = tmp2;
		379	iv2 = tmp;
		380	--len;
		381	in += AES_BLOCK_SIZE;
		382	out += AES_BLOCK_SIZE;
		383	}
		384	}
		385	memcpy(ivec, iv.data, AES_BLOCK_SIZE);
		386	memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
		387	}
		388	LCRYPTO_ALIAS(AES_ige_encrypt);
		389
145	void	390	void
146	AES_ofb128_encrypt(const unsigned char in, unsigned char out, size_t length,	391	AES_ofb128_encrypt(const unsigned char in, unsigned char out, size_t length,
147	const AES_KEY key, unsigned char ivec, int *num)	392	const AES_KEY key, unsigned char ivec, int *num)
148	{	393	{
149	CRYPTO_ofb128_encrypt(in, out, length, key, ivec, num,	394	CRYPTO_ofb128_encrypt(in, out, length, key, ivec, num,
150	(block128_f)AES_encrypt);	395	aes_encrypt_block128);
151	}	396	}
152	LCRYPTO_ALIAS(AES_ofb128_encrypt);	397	LCRYPTO_ALIAS(AES_ofb128_encrypt);
153		398
		399	void
		400	aes_xts_encrypt_generic(const unsigned char in, unsigned char out, size_t len,
		401	const AES_KEY key1, const AES_KEY key2, const unsigned char iv[16],
		402	int encrypt)
		403	{
		404	XTS128_CONTEXT xctx;
		405
		406	if (encrypt)
		407	xctx.block1 = aes_encrypt_block128;
		408	else
		409	xctx.block1 = aes_decrypt_block128;
		410
		411	xctx.block2 = aes_encrypt_block128;
		412	xctx.key1 = key1;
		413	xctx.key2 = key2;
		414
		415	CRYPTO_xts128_encrypt(&xctx, iv, in, out, len, encrypt);
		416	}
		417
		418	#ifndef HAVE_AES_XTS_ENCRYPT_INTERNAL
		419	void
		420	aes_xts_encrypt_internal(const unsigned char in, unsigned char out, size_t len,
		421	const AES_KEY key1, const AES_KEY key2, const unsigned char iv[16],
		422	int encrypt)
		423	{
		424	aes_xts_encrypt_generic(in, out, len, key1, key2, iv, encrypt);
		425	}
		426	#endif
		427
154	int	428	int
155	AES_wrap_key(AES_KEY key, const unsigned char iv, unsigned char *out,	429	AES_wrap_key(AES_KEY key, const unsigned char iv, unsigned char *out,
156	const unsigned char *in, unsigned int inlen)	430	const unsigned char *in, unsigned int inlen)
@@ -217,7 +491,7 @@ AES_unwrap_key(AES_KEY key, const unsigned char iv, unsigned char *out,
217	}	491	}
218	if (!iv)	492	if (!iv)
219	iv = aes_wrap_default_iv;	493	iv = aes_wrap_default_iv;
220	if (memcmp(A, iv, 8)) {	494	if (timingsafe_memcmp(A, iv, 8) != 0) {
221	explicit_bzero(out, inlen);	495	explicit_bzero(out, inlen);
222	return 0;	496	return 0;
223	}	497	}