• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ==================================================================== */
48 
49 #include <string.h>
50 
51 #include <openssl/aead.h>
52 #include <openssl/aes.h>
53 #include <openssl/cipher.h>
54 #include <openssl/cpu.h>
55 #include <openssl/err.h>
56 #include <openssl/mem.h>
57 #include <openssl/obj.h>
58 #include <openssl/rand.h>
59 #include <openssl/sha.h>
60 
61 #include "internal.h"
62 #include "../internal.h"
63 #include "../modes/internal.h"
64 
65 #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
66 #include <openssl/arm_arch.h>
67 #endif
68 
69 
70 typedef struct {
71   union {
72     double align;
73     AES_KEY ks;
74   } ks;
75   block128_f block;
76   union {
77     cbc128_f cbc;
78     ctr128_f ctr;
79   } stream;
80 } EVP_AES_KEY;
81 
82 typedef struct {
83   union {
84     double align;
85     AES_KEY ks;
86   } ks;        /* AES key schedule to use */
87   int key_set; /* Set if key initialised */
88   int iv_set;  /* Set if an iv is set */
89   GCM128_CONTEXT gcm;
90   uint8_t *iv; /* Temporary IV store */
91   int ivlen;         /* IV length */
92   int taglen;
93   int iv_gen;      /* It is OK to generate IVs */
94   ctr128_f ctr;
95 } EVP_AES_GCM_CTX;
96 
97 #if !defined(OPENSSL_NO_ASM) && \
98     (defined(OPENSSL_X86_64) || defined(OPENSSL_X86))
99 #define VPAES
vpaes_capable(void)100 static char vpaes_capable(void) {
101   return (OPENSSL_ia32cap_P[1] & (1 << (41 - 32))) != 0;
102 }
103 
104 #if defined(OPENSSL_X86_64)
105 #define BSAES
bsaes_capable(void)106 static char bsaes_capable(void) {
107   return vpaes_capable();
108 }
109 #endif
110 
111 #elif !defined(OPENSSL_NO_ASM) && \
112     (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
113 
114 #if defined(OPENSSL_ARM) && __ARM_MAX_ARCH__ >= 7
115 #define BSAES
bsaes_capable(void)116 static char bsaes_capable(void) {
117   return CRYPTO_is_NEON_capable();
118 }
119 #endif
120 
121 #define HWAES
hwaes_capable(void)122 static int hwaes_capable(void) {
123   return CRYPTO_is_ARMv8_AES_capable();
124 }
125 
126 int aes_v8_set_encrypt_key(const uint8_t *user_key, const int bits,
127                            AES_KEY *key);
128 int aes_v8_set_decrypt_key(const uint8_t *user_key, const int bits,
129                            AES_KEY *key);
130 void aes_v8_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);
131 void aes_v8_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);
132 void aes_v8_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
133                         const AES_KEY *key, uint8_t *ivec, const int enc);
134 void aes_v8_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t len,
135                                  const AES_KEY *key, const uint8_t ivec[16]);
136 
137 #endif  /* OPENSSL_ARM */
138 
139 #if defined(BSAES)
140 /* On platforms where BSAES gets defined (just above), then these functions are
141  * provided by asm. */
142 void bsaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
143                        const AES_KEY *key, uint8_t ivec[16], int enc);
144 void bsaes_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t len,
145                                 const AES_KEY *key, const uint8_t ivec[16]);
146 #else
bsaes_capable(void)147 static char bsaes_capable(void) {
148   return 0;
149 }
150 
151 /* On other platforms, bsaes_capable() will always return false and so the
152  * following will never be called. */
bsaes_cbc_encrypt(const uint8_t * in,uint8_t * out,size_t length,const AES_KEY * key,uint8_t ivec[16],int enc)153 static void bsaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
154                               const AES_KEY *key, uint8_t ivec[16], int enc) {
155   abort();
156 }
157 
bsaes_ctr32_encrypt_blocks(const uint8_t * in,uint8_t * out,size_t len,const AES_KEY * key,const uint8_t ivec[16])158 static void bsaes_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out,
159                                        size_t len, const AES_KEY *key,
160                                        const uint8_t ivec[16]) {
161   abort();
162 }
163 #endif
164 
165 #if defined(VPAES)
166 /* On platforms where VPAES gets defined (just above), then these functions are
167  * provided by asm. */
168 int vpaes_set_encrypt_key(const uint8_t *userKey, int bits, AES_KEY *key);
169 int vpaes_set_decrypt_key(const uint8_t *userKey, int bits, AES_KEY *key);
170 
171 void vpaes_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);
172 void vpaes_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);
173 
174 void vpaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
175                        const AES_KEY *key, uint8_t *ivec, int enc);
176 #else
vpaes_capable(void)177 static char vpaes_capable(void) {
178   return 0;
179 }
180 
181 /* On other platforms, vpaes_capable() will always return false and so the
182  * following will never be called. */
vpaes_set_encrypt_key(const uint8_t * userKey,int bits,AES_KEY * key)183 static int vpaes_set_encrypt_key(const uint8_t *userKey, int bits,
184                                  AES_KEY *key) {
185   abort();
186 }
vpaes_set_decrypt_key(const uint8_t * userKey,int bits,AES_KEY * key)187 static int vpaes_set_decrypt_key(const uint8_t *userKey, int bits,
188                                  AES_KEY *key) {
189   abort();
190 }
vpaes_encrypt(const uint8_t * in,uint8_t * out,const AES_KEY * key)191 static void vpaes_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
192   abort();
193 }
vpaes_decrypt(const uint8_t * in,uint8_t * out,const AES_KEY * key)194 static void vpaes_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
195   abort();
196 }
vpaes_cbc_encrypt(const uint8_t * in,uint8_t * out,size_t length,const AES_KEY * key,uint8_t * ivec,int enc)197 static void vpaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
198                               const AES_KEY *key, uint8_t *ivec, int enc) {
199   abort();
200 }
201 #endif
202 
203 #if !defined(HWAES)
204 /* If HWAES isn't defined then we provide dummy functions for each of the hwaes
205  * functions. */
hwaes_capable(void)206 static int hwaes_capable(void) {
207   return 0;
208 }
209 
aes_v8_set_encrypt_key(const uint8_t * user_key,int bits,AES_KEY * key)210 static int aes_v8_set_encrypt_key(const uint8_t *user_key, int bits,
211                                   AES_KEY *key) {
212   abort();
213 }
214 
aes_v8_set_decrypt_key(const uint8_t * user_key,int bits,AES_KEY * key)215 static int aes_v8_set_decrypt_key(const uint8_t *user_key, int bits,
216                                   AES_KEY *key) {
217   abort();
218 }
219 
aes_v8_encrypt(const uint8_t * in,uint8_t * out,const AES_KEY * key)220 static void aes_v8_encrypt(const uint8_t *in, uint8_t *out,
221                            const AES_KEY *key) {
222   abort();
223 }
224 
aes_v8_decrypt(const uint8_t * in,uint8_t * out,const AES_KEY * key)225 static void aes_v8_decrypt(const uint8_t *in, uint8_t *out,
226                            const AES_KEY *key) {
227   abort();
228 }
229 
aes_v8_cbc_encrypt(const uint8_t * in,uint8_t * out,size_t length,const AES_KEY * key,uint8_t * ivec,int enc)230 static void aes_v8_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
231                                const AES_KEY *key, uint8_t *ivec, int enc) {
232   abort();
233 }
234 
aes_v8_ctr32_encrypt_blocks(const uint8_t * in,uint8_t * out,size_t len,const AES_KEY * key,const uint8_t ivec[16])235 static void aes_v8_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out,
236                                         size_t len, const AES_KEY *key,
237                                         const uint8_t ivec[16]) {
238   abort();
239 }
240 #endif
241 
242 #if !defined(OPENSSL_NO_ASM) && \
243     (defined(OPENSSL_X86_64) || defined(OPENSSL_X86))
244 int aesni_set_encrypt_key(const uint8_t *userKey, int bits, AES_KEY *key);
245 int aesni_set_decrypt_key(const uint8_t *userKey, int bits, AES_KEY *key);
246 
247 void aesni_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);
248 void aesni_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);
249 
250 void aesni_ecb_encrypt(const uint8_t *in, uint8_t *out, size_t length,
251                        const AES_KEY *key, int enc);
252 void aesni_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
253                        const AES_KEY *key, uint8_t *ivec, int enc);
254 
255 void aesni_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t blocks,
256                                 const void *key, const uint8_t *ivec);
257 
258 #if defined(OPENSSL_X86_64)
259 size_t aesni_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,
260                          const void *key, uint8_t ivec[16], uint64_t *Xi);
261 #define AES_gcm_encrypt aesni_gcm_encrypt
262 size_t aesni_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,
263                          const void *key, uint8_t ivec[16], uint64_t *Xi);
264 #define AES_gcm_decrypt aesni_gcm_decrypt
265 void gcm_ghash_avx(uint64_t Xi[2], const u128 Htable[16], const uint8_t *in,
266                    size_t len);
267 #define AES_GCM_ASM(gctx) \
268   (gctx->ctr == aesni_ctr32_encrypt_blocks && gctx->gcm.ghash == gcm_ghash_avx)
269 #endif  /* OPENSSL_X86_64 */
270 
271 #else
272 
273 /* On other platforms, aesni_capable() will always return false and so the
274  * following will never be called. */
aesni_encrypt(const uint8_t * in,uint8_t * out,const AES_KEY * key)275 static void aesni_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
276   abort();
277 }
aesni_set_encrypt_key(const uint8_t * userKey,int bits,AES_KEY * key)278 static int aesni_set_encrypt_key(const uint8_t *userKey, int bits,
279                                  AES_KEY *key) {
280   abort();
281 }
aesni_ctr32_encrypt_blocks(const uint8_t * in,uint8_t * out,size_t blocks,const void * key,const uint8_t * ivec)282 static void aesni_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out,
283                                        size_t blocks, const void *key,
284                                        const uint8_t *ivec) {
285   abort();
286 }
287 
288 #endif
289 
aes_init_key(EVP_CIPHER_CTX * ctx,const uint8_t * key,const uint8_t * iv,int enc)290 static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
291                         const uint8_t *iv, int enc)
292                         OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS {
293   int ret, mode;
294   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
295 
296   mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK;
297   if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) {
298     if (hwaes_capable()) {
299       ret = aes_v8_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
300       dat->block = (block128_f)aes_v8_decrypt;
301       dat->stream.cbc = NULL;
302       if (mode == EVP_CIPH_CBC_MODE) {
303         dat->stream.cbc = (cbc128_f)aes_v8_cbc_encrypt;
304       }
305     } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) {
306       ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
307       dat->block = (block128_f)AES_decrypt;
308       dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
309     } else if (vpaes_capable()) {
310       ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
311       dat->block = (block128_f)vpaes_decrypt;
312       dat->stream.cbc =
313           mode == EVP_CIPH_CBC_MODE ? (cbc128_f)vpaes_cbc_encrypt : NULL;
314     } else {
315       ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
316       dat->block = (block128_f)AES_decrypt;
317       dat->stream.cbc =
318           mode == EVP_CIPH_CBC_MODE ? (cbc128_f)AES_cbc_encrypt : NULL;
319     }
320   } else if (hwaes_capable()) {
321     ret = aes_v8_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
322     dat->block = (block128_f)aes_v8_encrypt;
323     dat->stream.cbc = NULL;
324     if (mode == EVP_CIPH_CBC_MODE) {
325       dat->stream.cbc = (cbc128_f)aes_v8_cbc_encrypt;
326     } else if (mode == EVP_CIPH_CTR_MODE) {
327       dat->stream.ctr = (ctr128_f)aes_v8_ctr32_encrypt_blocks;
328     }
329   } else if (bsaes_capable() && mode == EVP_CIPH_CTR_MODE) {
330     ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
331     dat->block = (block128_f)AES_encrypt;
332     dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
333   } else if (vpaes_capable()) {
334     ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
335     dat->block = (block128_f)vpaes_encrypt;
336     dat->stream.cbc =
337         mode == EVP_CIPH_CBC_MODE ? (cbc128_f)vpaes_cbc_encrypt : NULL;
338   } else {
339     ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
340     dat->block = (block128_f)AES_encrypt;
341     dat->stream.cbc =
342         mode == EVP_CIPH_CBC_MODE ? (cbc128_f)AES_cbc_encrypt : NULL;
343   }
344 
345   if (ret < 0) {
346     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
347     return 0;
348   }
349 
350   return 1;
351 }
352 
aes_cbc_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)353 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
354                           size_t len) {
355   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
356 
357   if (dat->stream.cbc) {
358     (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv, ctx->encrypt);
359   } else if (ctx->encrypt) {
360     CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
361   } else {
362     CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
363   }
364 
365   return 1;
366 }
367 
aes_ecb_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)368 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
369                           size_t len) {
370   size_t bl = ctx->cipher->block_size;
371   size_t i;
372   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
373 
374   if (len < bl) {
375     return 1;
376   }
377 
378   for (i = 0, len -= bl; i <= len; i += bl) {
379     (*dat->block)(in + i, out + i, &dat->ks);
380   }
381 
382   return 1;
383 }
384 
aes_ctr_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)385 static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
386                           size_t len) {
387   unsigned int num = ctx->num;
388   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
389 
390   if (dat->stream.ctr) {
391     CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, ctx->iv, ctx->buf, &num,
392                                 dat->stream.ctr);
393   } else {
394     CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, ctx->iv, ctx->buf, &num,
395                           dat->block);
396   }
397   ctx->num = (size_t)num;
398   return 1;
399 }
400 
aes_ofb_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)401 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
402                           size_t len) {
403   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
404 
405   CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, dat->block);
406   return 1;
407 }
408 
409 static char aesni_capable(void);
410 
aes_ctr_set_key(AES_KEY * aes_key,GCM128_CONTEXT * gcm_ctx,block128_f * out_block,const uint8_t * key,size_t key_len)411 static ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
412                                 block128_f *out_block, const uint8_t *key,
413                                 size_t key_len)
414                                 OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS {
415   if (aesni_capable()) {
416     aesni_set_encrypt_key(key, key_len * 8, aes_key);
417     if (gcm_ctx != NULL) {
418       CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aesni_encrypt);
419     }
420     if (out_block) {
421       *out_block = (block128_f) aesni_encrypt;
422     }
423     return (ctr128_f)aesni_ctr32_encrypt_blocks;
424   }
425 
426   if (hwaes_capable()) {
427     aes_v8_set_encrypt_key(key, key_len * 8, aes_key);
428     if (gcm_ctx != NULL) {
429       CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aes_v8_encrypt);
430     }
431     if (out_block) {
432       *out_block = (block128_f) aes_v8_encrypt;
433     }
434     return (ctr128_f)aes_v8_ctr32_encrypt_blocks;
435   }
436 
437   if (bsaes_capable()) {
438     AES_set_encrypt_key(key, key_len * 8, aes_key);
439     if (gcm_ctx != NULL) {
440       CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
441     }
442     if (out_block) {
443       *out_block = (block128_f) AES_encrypt;
444     }
445     return (ctr128_f)bsaes_ctr32_encrypt_blocks;
446   }
447 
448   if (vpaes_capable()) {
449     vpaes_set_encrypt_key(key, key_len * 8, aes_key);
450     if (out_block) {
451       *out_block = (block128_f) vpaes_encrypt;
452     }
453     if (gcm_ctx != NULL) {
454       CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
455     }
456     return NULL;
457   }
458 
459   AES_set_encrypt_key(key, key_len * 8, aes_key);
460   if (gcm_ctx != NULL) {
461     CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
462   }
463   if (out_block) {
464     *out_block = (block128_f) AES_encrypt;
465   }
466   return NULL;
467 }
468 
aes_gcm_init_key(EVP_CIPHER_CTX * ctx,const uint8_t * key,const uint8_t * iv,int enc)469 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
470                             const uint8_t *iv, int enc) {
471   EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
472   if (!iv && !key) {
473     return 1;
474   }
475   if (key) {
476     gctx->ctr =
477         aes_ctr_set_key(&gctx->ks.ks, &gctx->gcm, NULL, key, ctx->key_len);
478     /* If we have an iv can set it directly, otherwise use saved IV. */
479     if (iv == NULL && gctx->iv_set) {
480       iv = gctx->iv;
481     }
482     if (iv) {
483       CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
484       gctx->iv_set = 1;
485     }
486     gctx->key_set = 1;
487   } else {
488     /* If key set use IV, otherwise copy */
489     if (gctx->key_set) {
490       CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
491     } else {
492       memcpy(gctx->iv, iv, gctx->ivlen);
493     }
494     gctx->iv_set = 1;
495     gctx->iv_gen = 0;
496   }
497   return 1;
498 }
499 
aes_gcm_cleanup(EVP_CIPHER_CTX * c)500 static void aes_gcm_cleanup(EVP_CIPHER_CTX *c) {
501   EVP_AES_GCM_CTX *gctx = c->cipher_data;
502   OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
503   if (gctx->iv != c->iv) {
504     OPENSSL_free(gctx->iv);
505   }
506 }
507 
508 /* increment counter (64-bit int) by 1 */
ctr64_inc(uint8_t * counter)509 static void ctr64_inc(uint8_t *counter) {
510   int n = 8;
511   uint8_t c;
512 
513   do {
514     --n;
515     c = counter[n];
516     ++c;
517     counter[n] = c;
518     if (c) {
519       return;
520     }
521   } while (n);
522 }
523 
aes_gcm_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)524 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
525   EVP_AES_GCM_CTX *gctx = c->cipher_data;
526   switch (type) {
527     case EVP_CTRL_INIT:
528       gctx->key_set = 0;
529       gctx->iv_set = 0;
530       gctx->ivlen = c->cipher->iv_len;
531       gctx->iv = c->iv;
532       gctx->taglen = -1;
533       gctx->iv_gen = 0;
534       return 1;
535 
536     case EVP_CTRL_GCM_SET_IVLEN:
537       if (arg <= 0) {
538         return 0;
539       }
540 
541       /* Allocate memory for IV if needed */
542       if (arg > EVP_MAX_IV_LENGTH && arg > gctx->ivlen) {
543         if (gctx->iv != c->iv) {
544           OPENSSL_free(gctx->iv);
545         }
546         gctx->iv = OPENSSL_malloc(arg);
547         if (!gctx->iv) {
548           return 0;
549         }
550       }
551       gctx->ivlen = arg;
552       return 1;
553 
554     case EVP_CTRL_GCM_SET_TAG:
555       if (arg <= 0 || arg > 16 || c->encrypt) {
556         return 0;
557       }
558       memcpy(c->buf, ptr, arg);
559       gctx->taglen = arg;
560       return 1;
561 
562     case EVP_CTRL_GCM_GET_TAG:
563       if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) {
564         return 0;
565       }
566       memcpy(ptr, c->buf, arg);
567       return 1;
568 
569     case EVP_CTRL_GCM_SET_IV_FIXED:
570       /* Special case: -1 length restores whole IV */
571       if (arg == -1) {
572         memcpy(gctx->iv, ptr, gctx->ivlen);
573         gctx->iv_gen = 1;
574         return 1;
575       }
576       /* Fixed field must be at least 4 bytes and invocation field
577        * at least 8. */
578       if (arg < 4 || (gctx->ivlen - arg) < 8) {
579         return 0;
580       }
581       if (arg) {
582         memcpy(gctx->iv, ptr, arg);
583       }
584       if (c->encrypt && !RAND_bytes(gctx->iv + arg, gctx->ivlen - arg)) {
585         return 0;
586       }
587       gctx->iv_gen = 1;
588       return 1;
589 
590     case EVP_CTRL_GCM_IV_GEN:
591       if (gctx->iv_gen == 0 || gctx->key_set == 0) {
592         return 0;
593       }
594       CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen);
595       if (arg <= 0 || arg > gctx->ivlen) {
596         arg = gctx->ivlen;
597       }
598       memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
599       /* Invocation field will be at least 8 bytes in size and
600        * so no need to check wrap around or increment more than
601        * last 8 bytes. */
602       ctr64_inc(gctx->iv + gctx->ivlen - 8);
603       gctx->iv_set = 1;
604       return 1;
605 
606     case EVP_CTRL_GCM_SET_IV_INV:
607       if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) {
608         return 0;
609       }
610       memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
611       CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen);
612       gctx->iv_set = 1;
613       return 1;
614 
615     case EVP_CTRL_COPY: {
616       EVP_CIPHER_CTX *out = ptr;
617       EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
618       if (gctx->iv == c->iv) {
619         gctx_out->iv = out->iv;
620       } else {
621         gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
622         if (!gctx_out->iv) {
623           return 0;
624         }
625         memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
626       }
627       return 1;
628     }
629 
630     default:
631       return -1;
632   }
633 }
634 
aes_gcm_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)635 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
636                           size_t len) {
637   EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
638 
639   /* If not set up, return error */
640   if (!gctx->key_set) {
641     return -1;
642   }
643   if (!gctx->iv_set) {
644     return -1;
645   }
646 
647   if (in) {
648     if (out == NULL) {
649       if (!CRYPTO_gcm128_aad(&gctx->gcm, in, len)) {
650         return -1;
651       }
652     } else if (ctx->encrypt) {
653       if (gctx->ctr) {
654         size_t bulk = 0;
655 #if defined(AES_GCM_ASM)
656         if (len >= 32 && AES_GCM_ASM(gctx)) {
657           size_t res = (16 - gctx->gcm.mres) % 16;
658 
659           if (!CRYPTO_gcm128_encrypt(&gctx->gcm, &gctx->ks.ks, in, out, res)) {
660             return -1;
661           }
662 
663           bulk = AES_gcm_encrypt(in + res, out + res, len - res, &gctx->ks.ks,
664                                  gctx->gcm.Yi.c, gctx->gcm.Xi.u);
665           gctx->gcm.len.u[1] += bulk;
666           bulk += res;
667         }
668 #endif
669         if (!CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in + bulk,
670                                          out + bulk, len - bulk, gctx->ctr)) {
671           return -1;
672         }
673       } else {
674         size_t bulk = 0;
675         if (!CRYPTO_gcm128_encrypt(&gctx->gcm, &gctx->ks.ks, in + bulk,
676                                    out + bulk, len - bulk)) {
677           return -1;
678         }
679       }
680     } else {
681       if (gctx->ctr) {
682         size_t bulk = 0;
683 #if defined(AES_GCM_ASM)
684         if (len >= 16 && AES_GCM_ASM(gctx)) {
685           size_t res = (16 - gctx->gcm.mres) % 16;
686 
687           if (!CRYPTO_gcm128_decrypt(&gctx->gcm, &gctx->ks.ks, in, out, res)) {
688             return -1;
689           }
690 
691           bulk = AES_gcm_decrypt(in + res, out + res, len - res, &gctx->ks.ks,
692                                  gctx->gcm.Yi.c, gctx->gcm.Xi.u);
693           gctx->gcm.len.u[1] += bulk;
694           bulk += res;
695         }
696 #endif
697         if (!CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in + bulk,
698                                          out + bulk, len - bulk, gctx->ctr)) {
699           return -1;
700         }
701       } else {
702         size_t bulk = 0;
703         if (!CRYPTO_gcm128_decrypt(&gctx->gcm, &gctx->ks.ks, in + bulk,
704                                    out + bulk, len - bulk)) {
705           return -1;
706         }
707       }
708     }
709     return len;
710   } else {
711     if (!ctx->encrypt) {
712       if (gctx->taglen < 0 ||
713           !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen)) {
714         return -1;
715       }
716       gctx->iv_set = 0;
717       return 0;
718     }
719     CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
720     gctx->taglen = 16;
721     /* Don't reuse the IV */
722     gctx->iv_set = 0;
723     return 0;
724   }
725 }
726 
727 static const EVP_CIPHER aes_128_cbc = {
728     NID_aes_128_cbc,     16 /* block_size */, 16 /* key_size */,
729     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
730     NULL /* app_data */, aes_init_key,        aes_cbc_cipher,
731     NULL /* cleanup */,  NULL /* ctrl */};
732 
733 static const EVP_CIPHER aes_128_ctr = {
734     NID_aes_128_ctr,     1 /* block_size */,  16 /* key_size */,
735     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
736     NULL /* app_data */, aes_init_key,        aes_ctr_cipher,
737     NULL /* cleanup */,  NULL /* ctrl */};
738 
739 static const EVP_CIPHER aes_128_ecb = {
740     NID_aes_128_ecb,     16 /* block_size */, 16 /* key_size */,
741     0 /* iv_len */,      sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
742     NULL /* app_data */, aes_init_key,        aes_ecb_cipher,
743     NULL /* cleanup */,  NULL /* ctrl */};
744 
745 static const EVP_CIPHER aes_128_ofb = {
746     NID_aes_128_ofb128,  1 /* block_size */,  16 /* key_size */,
747     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
748     NULL /* app_data */, aes_init_key,        aes_ofb_cipher,
749     NULL /* cleanup */,  NULL /* ctrl */};
750 
751 static const EVP_CIPHER aes_128_gcm = {
752     NID_aes_128_gcm, 1 /* block_size */, 16 /* key_size */, 12 /* iv_len */,
753     sizeof(EVP_AES_GCM_CTX),
754     EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
755         EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
756         EVP_CIPH_FLAG_AEAD_CIPHER,
757     NULL /* app_data */, aes_gcm_init_key, aes_gcm_cipher, aes_gcm_cleanup,
758     aes_gcm_ctrl};
759 
760 
761 static const EVP_CIPHER aes_192_cbc = {
762     NID_aes_192_cbc,     16 /* block_size */, 24 /* key_size */,
763     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
764     NULL /* app_data */, aes_init_key,        aes_cbc_cipher,
765     NULL /* cleanup */,  NULL /* ctrl */};
766 
767 static const EVP_CIPHER aes_192_ctr = {
768     NID_aes_192_ctr,     1 /* block_size */,  24 /* key_size */,
769     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
770     NULL /* app_data */, aes_init_key,        aes_ctr_cipher,
771     NULL /* cleanup */,  NULL /* ctrl */};
772 
773 static const EVP_CIPHER aes_192_ecb = {
774     NID_aes_192_ecb,     16 /* block_size */, 24 /* key_size */,
775     0 /* iv_len */,      sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
776     NULL /* app_data */, aes_init_key,        aes_ecb_cipher,
777     NULL /* cleanup */,  NULL /* ctrl */};
778 
779 static const EVP_CIPHER aes_192_gcm = {
780     NID_aes_192_gcm, 1 /* block_size */, 24 /* key_size */, 12 /* iv_len */,
781     sizeof(EVP_AES_GCM_CTX),
782     EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
783         EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
784         EVP_CIPH_FLAG_AEAD_CIPHER,
785     NULL /* app_data */, aes_gcm_init_key, aes_gcm_cipher, aes_gcm_cleanup,
786     aes_gcm_ctrl};
787 
788 
789 static const EVP_CIPHER aes_256_cbc = {
790     NID_aes_256_cbc,     16 /* block_size */, 32 /* key_size */,
791     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
792     NULL /* app_data */, aes_init_key,        aes_cbc_cipher,
793     NULL /* cleanup */,  NULL /* ctrl */};
794 
795 static const EVP_CIPHER aes_256_ctr = {
796     NID_aes_256_ctr,     1 /* block_size */,  32 /* key_size */,
797     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
798     NULL /* app_data */, aes_init_key,        aes_ctr_cipher,
799     NULL /* cleanup */,  NULL /* ctrl */};
800 
801 static const EVP_CIPHER aes_256_ecb = {
802     NID_aes_256_ecb,     16 /* block_size */, 32 /* key_size */,
803     0 /* iv_len */,      sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
804     NULL /* app_data */, aes_init_key,        aes_ecb_cipher,
805     NULL /* cleanup */,  NULL /* ctrl */};
806 
807 static const EVP_CIPHER aes_256_ofb = {
808     NID_aes_256_ofb128,  1 /* block_size */,  32 /* key_size */,
809     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
810     NULL /* app_data */, aes_init_key,        aes_ofb_cipher,
811     NULL /* cleanup */,  NULL /* ctrl */};
812 
813 static const EVP_CIPHER aes_256_gcm = {
814     NID_aes_256_gcm, 1 /* block_size */, 32 /* key_size */, 12 /* iv_len */,
815     sizeof(EVP_AES_GCM_CTX),
816     EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
817         EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
818         EVP_CIPH_FLAG_AEAD_CIPHER,
819     NULL /* app_data */, aes_gcm_init_key, aes_gcm_cipher, aes_gcm_cleanup,
820     aes_gcm_ctrl};
821 
822 #if !defined(OPENSSL_NO_ASM) && \
823     (defined(OPENSSL_X86_64) || defined(OPENSSL_X86))
824 
825 /* AES-NI section. */
826 
aesni_capable(void)827 static char aesni_capable(void) {
828   return (OPENSSL_ia32cap_P[1] & (1 << (57 - 32))) != 0;
829 }
830 
aesni_init_key(EVP_CIPHER_CTX * ctx,const uint8_t * key,const uint8_t * iv,int enc)831 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
832                           const uint8_t *iv, int enc) {
833   int ret, mode;
834   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
835 
836   mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK;
837   if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) {
838     ret = aesni_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
839     dat->block = (block128_f)aesni_decrypt;
840     dat->stream.cbc =
841         mode == EVP_CIPH_CBC_MODE ? (cbc128_f)aesni_cbc_encrypt : NULL;
842   } else {
843     ret = aesni_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
844     dat->block = (block128_f)aesni_encrypt;
845     if (mode == EVP_CIPH_CBC_MODE) {
846       dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
847     } else if (mode == EVP_CIPH_CTR_MODE) {
848       dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
849     } else {
850       dat->stream.cbc = NULL;
851     }
852   }
853 
854   if (ret < 0) {
855     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
856     return 0;
857   }
858 
859   return 1;
860 }
861 
aesni_cbc_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)862 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
863                             const uint8_t *in, size_t len) {
864   aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, ctx->encrypt);
865 
866   return 1;
867 }
868 
aesni_ecb_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)869 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
870                             const uint8_t *in, size_t len) {
871   size_t bl = ctx->cipher->block_size;
872 
873   if (len < bl) {
874     return 1;
875   }
876 
877   aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
878 
879   return 1;
880 }
881 
aesni_gcm_init_key(EVP_CIPHER_CTX * ctx,const uint8_t * key,const uint8_t * iv,int enc)882 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
883                               const uint8_t *iv, int enc) {
884   EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
885   if (!iv && !key) {
886     return 1;
887   }
888   if (key) {
889     aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
890     CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)aesni_encrypt);
891     gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
892     /* If we have an iv can set it directly, otherwise use
893      * saved IV. */
894     if (iv == NULL && gctx->iv_set) {
895       iv = gctx->iv;
896     }
897     if (iv) {
898       CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
899       gctx->iv_set = 1;
900     }
901     gctx->key_set = 1;
902   } else {
903     /* If key set use IV, otherwise copy */
904     if (gctx->key_set) {
905       CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
906     } else {
907       memcpy(gctx->iv, iv, gctx->ivlen);
908     }
909     gctx->iv_set = 1;
910     gctx->iv_gen = 0;
911   }
912   return 1;
913 }
914 
915 static const EVP_CIPHER aesni_128_cbc = {
916     NID_aes_128_cbc,     16 /* block_size */, 16 /* key_size */,
917     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
918     NULL /* app_data */, aesni_init_key,      aesni_cbc_cipher,
919     NULL /* cleanup */,  NULL /* ctrl */};
920 
921 static const EVP_CIPHER aesni_128_ctr = {
922     NID_aes_128_ctr,     1 /* block_size */,  16 /* key_size */,
923     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
924     NULL /* app_data */, aesni_init_key,      aes_ctr_cipher,
925     NULL /* cleanup */,  NULL /* ctrl */};
926 
927 static const EVP_CIPHER aesni_128_ecb = {
928     NID_aes_128_ecb,     16 /* block_size */, 16 /* key_size */,
929     0 /* iv_len */,      sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
930     NULL /* app_data */, aesni_init_key,      aesni_ecb_cipher,
931     NULL /* cleanup */,  NULL /* ctrl */};
932 
933 static const EVP_CIPHER aesni_128_ofb = {
934     NID_aes_128_ofb128,  1 /* block_size */,  16 /* key_size */,
935     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
936     NULL /* app_data */, aesni_init_key,      aes_ofb_cipher,
937     NULL /* cleanup */,  NULL /* ctrl */};
938 
939 static const EVP_CIPHER aesni_128_gcm = {
940     NID_aes_128_gcm, 1 /* block_size */, 16 /* key_size */, 12 /* iv_len */,
941     sizeof(EVP_AES_GCM_CTX),
942     EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
943         EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
944         EVP_CIPH_FLAG_AEAD_CIPHER,
945     NULL /* app_data */, aesni_gcm_init_key, aes_gcm_cipher, aes_gcm_cleanup,
946     aes_gcm_ctrl};
947 
948 
949 static const EVP_CIPHER aesni_192_cbc = {
950     NID_aes_192_cbc,     16 /* block_size */, 24 /* key_size */,
951     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
952     NULL /* app_data */, aesni_init_key,      aesni_cbc_cipher,
953     NULL /* cleanup */,  NULL /* ctrl */};
954 
955 static const EVP_CIPHER aesni_192_ctr = {
956     NID_aes_192_ctr,     1 /* block_size */,  24 /* key_size */,
957     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
958     NULL /* app_data */, aesni_init_key,      aes_ctr_cipher,
959     NULL /* cleanup */,  NULL /* ctrl */};
960 
961 static const EVP_CIPHER aesni_192_ecb = {
962     NID_aes_192_ecb,     16 /* block_size */, 24 /* key_size */,
963     0 /* iv_len */,      sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
964     NULL /* app_data */, aesni_init_key,      aesni_ecb_cipher,
965     NULL /* cleanup */,  NULL /* ctrl */};
966 
967 static const EVP_CIPHER aesni_192_gcm = {
968     NID_aes_192_gcm, 1 /* block_size */, 24 /* key_size */, 12 /* iv_len */,
969     sizeof(EVP_AES_GCM_CTX),
970     EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
971         EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
972         EVP_CIPH_FLAG_AEAD_CIPHER,
973     NULL /* app_data */, aesni_gcm_init_key, aes_gcm_cipher, aes_gcm_cleanup,
974     aes_gcm_ctrl};
975 
976 
977 static const EVP_CIPHER aesni_256_cbc = {
978     NID_aes_256_cbc,     16 /* block_size */, 32 /* key_size */,
979     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
980     NULL /* app_data */, aesni_init_key,      aesni_cbc_cipher,
981     NULL /* cleanup */,  NULL /* ctrl */};
982 
983 static const EVP_CIPHER aesni_256_ctr = {
984     NID_aes_256_ctr,     1 /* block_size */,  32 /* key_size */,
985     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
986     NULL /* app_data */, aesni_init_key,      aes_ctr_cipher,
987     NULL /* cleanup */,  NULL /* ctrl */};
988 
989 static const EVP_CIPHER aesni_256_ecb = {
990     NID_aes_256_ecb,     16 /* block_size */, 32 /* key_size */,
991     0 /* iv_len */,      sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
992     NULL /* app_data */, aesni_init_key,      aesni_ecb_cipher,
993     NULL /* cleanup */,  NULL /* ctrl */};
994 
995 static const EVP_CIPHER aesni_256_ofb = {
996     NID_aes_256_ofb128,  1 /* block_size */,  32 /* key_size */,
997     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
998     NULL /* app_data */, aesni_init_key,      aes_ofb_cipher,
999     NULL /* cleanup */,  NULL /* ctrl */};
1000 
1001 static const EVP_CIPHER aesni_256_gcm = {
1002     NID_aes_256_gcm, 1 /* block_size */, 32 /* key_size */, 12 /* iv_len */,
1003     sizeof(EVP_AES_GCM_CTX),
1004     EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
1005         EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY |
1006         EVP_CIPH_FLAG_AEAD_CIPHER,
1007     NULL /* app_data */, aesni_gcm_init_key, aes_gcm_cipher, aes_gcm_cleanup,
1008     aes_gcm_ctrl};
1009 
1010 #define EVP_CIPHER_FUNCTION(keybits, mode)             \
1011   const EVP_CIPHER *EVP_aes_##keybits##_##mode(void) { \
1012     if (aesni_capable()) {                             \
1013       return &aesni_##keybits##_##mode;                \
1014     } else {                                           \
1015       return &aes_##keybits##_##mode;                  \
1016     }                                                  \
1017   }
1018 
1019 #else  /* ^^^  OPENSSL_X86_64 || OPENSSL_X86 */
1020 
aesni_capable(void)1021 static char aesni_capable(void) {
1022   return 0;
1023 }
1024 
1025 #define EVP_CIPHER_FUNCTION(keybits, mode)             \
1026   const EVP_CIPHER *EVP_aes_##keybits##_##mode(void) { \
1027     return &aes_##keybits##_##mode;                    \
1028   }
1029 
1030 #endif
1031 
1032 EVP_CIPHER_FUNCTION(128, cbc)
1033 EVP_CIPHER_FUNCTION(128, ctr)
1034 EVP_CIPHER_FUNCTION(128, ecb)
1035 EVP_CIPHER_FUNCTION(128, ofb)
1036 EVP_CIPHER_FUNCTION(128, gcm)
1037 
1038 EVP_CIPHER_FUNCTION(192, cbc)
1039 EVP_CIPHER_FUNCTION(192, ctr)
1040 EVP_CIPHER_FUNCTION(192, ecb)
1041 EVP_CIPHER_FUNCTION(192, gcm)
1042 
1043 EVP_CIPHER_FUNCTION(256, cbc)
1044 EVP_CIPHER_FUNCTION(256, ctr)
1045 EVP_CIPHER_FUNCTION(256, ecb)
1046 EVP_CIPHER_FUNCTION(256, ofb)
1047 EVP_CIPHER_FUNCTION(256, gcm)
1048 
1049 
1050 #define EVP_AEAD_AES_GCM_TAG_LEN 16
1051 
1052 struct aead_aes_gcm_ctx {
1053   union {
1054     double align;
1055     AES_KEY ks;
1056   } ks;
1057   GCM128_CONTEXT gcm;
1058   ctr128_f ctr;
1059   uint8_t tag_len;
1060 };
1061 
aead_aes_gcm_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t tag_len)1062 static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
1063                              size_t key_len, size_t tag_len) {
1064   struct aead_aes_gcm_ctx *gcm_ctx;
1065   const size_t key_bits = key_len * 8;
1066 
1067   if (key_bits != 128 && key_bits != 256) {
1068     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
1069     return 0; /* EVP_AEAD_CTX_init should catch this. */
1070   }
1071 
1072   if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
1073     tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1074   }
1075 
1076   if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) {
1077     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
1078     return 0;
1079   }
1080 
1081   gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_gcm_ctx));
1082   if (gcm_ctx == NULL) {
1083     return 0;
1084   }
1085 
1086   gcm_ctx->ctr =
1087       aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, NULL, key, key_len);
1088   gcm_ctx->tag_len = tag_len;
1089   ctx->aead_state = gcm_ctx;
1090 
1091   return 1;
1092 }
1093 
aead_aes_gcm_cleanup(EVP_AEAD_CTX * ctx)1094 static void aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) {
1095   struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
1096   OPENSSL_cleanse(gcm_ctx, sizeof(struct aead_aes_gcm_ctx));
1097   OPENSSL_free(gcm_ctx);
1098 }
1099 
aead_aes_gcm_seal(const EVP_AEAD_CTX * ctx,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * ad,size_t ad_len)1100 static int aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
1101                              size_t *out_len, size_t max_out_len,
1102                              const uint8_t *nonce, size_t nonce_len,
1103                              const uint8_t *in, size_t in_len,
1104                              const uint8_t *ad, size_t ad_len) {
1105   const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
1106   GCM128_CONTEXT gcm;
1107 
1108   if (in_len + gcm_ctx->tag_len < in_len) {
1109     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
1110     return 0;
1111   }
1112 
1113   if (max_out_len < in_len + gcm_ctx->tag_len) {
1114     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
1115     return 0;
1116   }
1117 
1118   const AES_KEY *key = &gcm_ctx->ks.ks;
1119 
1120   memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
1121   CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
1122 
1123   if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
1124     return 0;
1125   }
1126 
1127   if (gcm_ctx->ctr) {
1128     if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, in, out, in_len,
1129                                      gcm_ctx->ctr)) {
1130       return 0;
1131     }
1132   } else {
1133     if (!CRYPTO_gcm128_encrypt(&gcm, key, in, out, in_len)) {
1134       return 0;
1135     }
1136   }
1137 
1138   CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
1139   *out_len = in_len + gcm_ctx->tag_len;
1140   return 1;
1141 }
1142 
aead_aes_gcm_open(const EVP_AEAD_CTX * ctx,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * ad,size_t ad_len)1143 static int aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
1144                              size_t *out_len, size_t max_out_len,
1145                              const uint8_t *nonce, size_t nonce_len,
1146                              const uint8_t *in, size_t in_len,
1147                              const uint8_t *ad, size_t ad_len) {
1148   const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
1149   uint8_t tag[EVP_AEAD_AES_GCM_TAG_LEN];
1150   size_t plaintext_len;
1151   GCM128_CONTEXT gcm;
1152 
1153   if (in_len < gcm_ctx->tag_len) {
1154     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
1155     return 0;
1156   }
1157 
1158   plaintext_len = in_len - gcm_ctx->tag_len;
1159 
1160   if (max_out_len < plaintext_len) {
1161     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
1162     return 0;
1163   }
1164 
1165   const AES_KEY *key = &gcm_ctx->ks.ks;
1166 
1167   memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
1168   CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
1169 
1170   if (!CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
1171     return 0;
1172   }
1173 
1174   if (gcm_ctx->ctr) {
1175     if (!CRYPTO_gcm128_decrypt_ctr32(&gcm, key, in, out,
1176                                      in_len - gcm_ctx->tag_len, gcm_ctx->ctr)) {
1177       return 0;
1178     }
1179   } else {
1180     if (!CRYPTO_gcm128_decrypt(&gcm, key, in, out, in_len - gcm_ctx->tag_len)) {
1181       return 0;
1182     }
1183   }
1184 
1185   CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
1186   if (CRYPTO_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {
1187     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
1188     return 0;
1189   }
1190 
1191   *out_len = plaintext_len;
1192   return 1;
1193 }
1194 
1195 static const EVP_AEAD aead_aes_128_gcm = {
1196     16,                       /* key len */
1197     12,                       /* nonce len */
1198     EVP_AEAD_AES_GCM_TAG_LEN, /* overhead */
1199     EVP_AEAD_AES_GCM_TAG_LEN, /* max tag length */
1200     aead_aes_gcm_init,
1201     NULL, /* init_with_direction */
1202     aead_aes_gcm_cleanup,
1203     aead_aes_gcm_seal,
1204     aead_aes_gcm_open,
1205     NULL,                     /* get_rc4_state */
1206     NULL,                     /* get_iv */
1207 };
1208 
1209 static const EVP_AEAD aead_aes_256_gcm = {
1210     32,                       /* key len */
1211     12,                       /* nonce len */
1212     EVP_AEAD_AES_GCM_TAG_LEN, /* overhead */
1213     EVP_AEAD_AES_GCM_TAG_LEN, /* max tag length */
1214     aead_aes_gcm_init,
1215     NULL, /* init_with_direction */
1216     aead_aes_gcm_cleanup,
1217     aead_aes_gcm_seal,
1218     aead_aes_gcm_open,
1219     NULL,                     /* get_rc4_state */
1220     NULL,                     /* get_iv */
1221 };
1222 
EVP_aead_aes_128_gcm(void)1223 const EVP_AEAD *EVP_aead_aes_128_gcm(void) { return &aead_aes_128_gcm; }
1224 
EVP_aead_aes_256_gcm(void)1225 const EVP_AEAD *EVP_aead_aes_256_gcm(void) { return &aead_aes_256_gcm; }
1226 
1227 
1228 /* AES Key Wrap is specified in
1229  * http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
1230  * or https://tools.ietf.org/html/rfc3394 */
1231 
1232 struct aead_aes_key_wrap_ctx {
1233   uint8_t key[32];
1234   unsigned key_bits;
1235 };
1236 
aead_aes_key_wrap_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t tag_len)1237 static int aead_aes_key_wrap_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
1238                                   size_t key_len, size_t tag_len) {
1239   struct aead_aes_key_wrap_ctx *kw_ctx;
1240   const size_t key_bits = key_len * 8;
1241 
1242   if (key_bits != 128 && key_bits != 256) {
1243     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
1244     return 0; /* EVP_AEAD_CTX_init should catch this. */
1245   }
1246 
1247   if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
1248     tag_len = 8;
1249   }
1250 
1251   if (tag_len != 8) {
1252     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
1253     return 0;
1254   }
1255 
1256   kw_ctx = OPENSSL_malloc(sizeof(struct aead_aes_key_wrap_ctx));
1257   if (kw_ctx == NULL) {
1258     OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
1259     return 0;
1260   }
1261 
1262   memcpy(kw_ctx->key, key, key_len);
1263   kw_ctx->key_bits = key_bits;
1264 
1265   ctx->aead_state = kw_ctx;
1266   return 1;
1267 }
1268 
aead_aes_key_wrap_cleanup(EVP_AEAD_CTX * ctx)1269 static void aead_aes_key_wrap_cleanup(EVP_AEAD_CTX *ctx) {
1270   struct aead_aes_key_wrap_ctx *kw_ctx = ctx->aead_state;
1271   OPENSSL_cleanse(kw_ctx, sizeof(struct aead_aes_key_wrap_ctx));
1272   OPENSSL_free(kw_ctx);
1273 }
1274 
1275 /* kDefaultAESKeyWrapNonce is the default nonce value given in 2.2.3.1. */
1276 static const uint8_t kDefaultAESKeyWrapNonce[8] = {0xa6, 0xa6, 0xa6, 0xa6,
1277                                                    0xa6, 0xa6, 0xa6, 0xa6};
1278 
1279 
aead_aes_key_wrap_seal(const EVP_AEAD_CTX * ctx,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * ad,size_t ad_len)1280 static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
1281                                   size_t *out_len, size_t max_out_len,
1282                                   const uint8_t *nonce, size_t nonce_len,
1283                                   const uint8_t *in, size_t in_len,
1284                                   const uint8_t *ad, size_t ad_len) {
1285   const struct aead_aes_key_wrap_ctx *kw_ctx = ctx->aead_state;
1286   union {
1287     double align;
1288     AES_KEY ks;
1289   } ks;
1290   /* Variables in this function match up with the variables in the second half
1291    * of section 2.2.1. */
1292   unsigned i, j, n;
1293   uint8_t A[AES_BLOCK_SIZE];
1294 
1295   if (ad_len != 0) {
1296     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE);
1297     return 0;
1298   }
1299 
1300   if (nonce_len == 0) {
1301     nonce = kDefaultAESKeyWrapNonce;
1302     nonce_len = sizeof(kDefaultAESKeyWrapNonce);
1303   }
1304 
1305   if (nonce_len != 8) {
1306     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
1307     return 0;
1308   }
1309 
1310   if (in_len % 8 != 0) {
1311     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE);
1312     return 0;
1313   }
1314 
1315   /* The code below only handles a 32-bit |t| thus 6*|n| must be less than
1316    * 2^32, where |n| is |in_len| / 8. So in_len < 4/3 * 2^32 and we
1317    * conservatively cap it to 2^32-16 to stop 32-bit platforms complaining that
1318    * a comparison is always true. */
1319   if (in_len > 0xfffffff0) {
1320     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
1321     return 0;
1322   }
1323 
1324   n = in_len / 8;
1325 
1326   if (n < 2) {
1327     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE);
1328     return 0;
1329   }
1330 
1331   if (in_len + 8 < in_len) {
1332     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
1333     return 0;
1334   }
1335 
1336   if (max_out_len < in_len + 8) {
1337     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
1338     return 0;
1339   }
1340 
1341   if (AES_set_encrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) {
1342     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
1343     return 0;
1344   }
1345 
1346   memmove(out + 8, in, in_len);
1347   memcpy(A, nonce, 8);
1348 
1349   for (j = 0; j < 6; j++) {
1350     for (i = 1; i <= n; i++) {
1351       uint32_t t;
1352 
1353       memcpy(A + 8, out + 8 * i, 8);
1354       AES_encrypt(A, A, &ks.ks);
1355       t = n * j + i;
1356       A[7] ^= t & 0xff;
1357       A[6] ^= (t >> 8) & 0xff;
1358       A[5] ^= (t >> 16) & 0xff;
1359       A[4] ^= (t >> 24) & 0xff;
1360       memcpy(out + 8 * i, A + 8, 8);
1361     }
1362   }
1363 
1364   memcpy(out, A, 8);
1365   *out_len = in_len + 8;
1366   return 1;
1367 }
1368 
aead_aes_key_wrap_open(const EVP_AEAD_CTX * ctx,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * ad,size_t ad_len)1369 static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
1370                                   size_t *out_len, size_t max_out_len,
1371                                   const uint8_t *nonce, size_t nonce_len,
1372                                   const uint8_t *in, size_t in_len,
1373                                   const uint8_t *ad, size_t ad_len) {
1374   const struct aead_aes_key_wrap_ctx *kw_ctx = ctx->aead_state;
1375   union {
1376     double align;
1377     AES_KEY ks;
1378   } ks;
1379   /* Variables in this function match up with the variables in the second half
1380    * of section 2.2.1. */
1381   unsigned i, j, n;
1382   uint8_t A[AES_BLOCK_SIZE];
1383 
1384   if (ad_len != 0) {
1385     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE);
1386     return 0;
1387   }
1388 
1389   if (nonce_len == 0) {
1390     nonce = kDefaultAESKeyWrapNonce;
1391     nonce_len = sizeof(kDefaultAESKeyWrapNonce);
1392   }
1393 
1394   if (nonce_len != 8) {
1395     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
1396     return 0;
1397   }
1398 
1399   if (in_len % 8 != 0) {
1400     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE);
1401     return 0;
1402   }
1403 
1404   /* The code below only handles a 32-bit |t| thus 6*|n| must be less than
1405    * 2^32, where |n| is |in_len| / 8. So in_len < 4/3 * 2^32 and we
1406    * conservatively cap it to 2^32-8 to stop 32-bit platforms complaining that
1407    * a comparison is always true. */
1408   if (in_len > 0xfffffff8) {
1409     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
1410     return 0;
1411   }
1412 
1413   if (in_len < 24) {
1414     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
1415     return 0;
1416   }
1417 
1418   n = (in_len / 8) - 1;
1419 
1420   if (max_out_len < in_len - 8) {
1421     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
1422     return 0;
1423   }
1424 
1425   if (AES_set_decrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) {
1426     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
1427     return 0;
1428   }
1429 
1430   memcpy(A, in, 8);
1431   memmove(out, in + 8, in_len - 8);
1432 
1433   for (j = 5; j < 6; j--) {
1434     for (i = n; i > 0; i--) {
1435       uint32_t t;
1436 
1437       t = n * j + i;
1438       A[7] ^= t & 0xff;
1439       A[6] ^= (t >> 8) & 0xff;
1440       A[5] ^= (t >> 16) & 0xff;
1441       A[4] ^= (t >> 24) & 0xff;
1442       memcpy(A + 8, out + 8 * (i - 1), 8);
1443       AES_decrypt(A, A, &ks.ks);
1444       memcpy(out + 8 * (i - 1), A + 8, 8);
1445     }
1446   }
1447 
1448   if (CRYPTO_memcmp(A, nonce, 8) != 0) {
1449     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
1450     return 0;
1451   }
1452 
1453   *out_len = in_len - 8;
1454   return 1;
1455 }
1456 
1457 static const EVP_AEAD aead_aes_128_key_wrap = {
1458     16, /* key len */
1459     8,  /* nonce len */
1460     8,  /* overhead */
1461     8,  /* max tag length */
1462     aead_aes_key_wrap_init,
1463     NULL, /* init_with_direction */
1464     aead_aes_key_wrap_cleanup,
1465     aead_aes_key_wrap_seal,
1466     aead_aes_key_wrap_open,
1467     NULL, /* get_rc4_state */
1468     NULL, /* get_iv */
1469 };
1470 
1471 static const EVP_AEAD aead_aes_256_key_wrap = {
1472     32, /* key len */
1473     8,  /* nonce len */
1474     8,  /* overhead */
1475     8,  /* max tag length */
1476     aead_aes_key_wrap_init,
1477     NULL, /* init_with_direction */
1478     aead_aes_key_wrap_cleanup,
1479     aead_aes_key_wrap_seal,
1480     aead_aes_key_wrap_open,
1481     NULL, /* get_rc4_state */
1482     NULL, /* get_iv */
1483 };
1484 
EVP_aead_aes_128_key_wrap(void)1485 const EVP_AEAD *EVP_aead_aes_128_key_wrap(void) { return &aead_aes_128_key_wrap; }
1486 
EVP_aead_aes_256_key_wrap(void)1487 const EVP_AEAD *EVP_aead_aes_256_key_wrap(void) { return &aead_aes_256_key_wrap; }
1488 
1489 
1490 #define EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN SHA256_DIGEST_LENGTH
1491 #define EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN 12
1492 
1493 struct aead_aes_ctr_hmac_sha256_ctx {
1494   union {
1495     double align;
1496     AES_KEY ks;
1497   } ks;
1498   ctr128_f ctr;
1499   block128_f block;
1500   SHA256_CTX inner_init_state;
1501   SHA256_CTX outer_init_state;
1502   uint8_t tag_len;
1503 };
1504 
hmac_init(SHA256_CTX * out_inner,SHA256_CTX * out_outer,const uint8_t hmac_key[32])1505 static void hmac_init(SHA256_CTX *out_inner, SHA256_CTX *out_outer,
1506                       const uint8_t hmac_key[32]) {
1507   static const size_t hmac_key_len = 32;
1508   uint8_t block[SHA256_CBLOCK];
1509   memcpy(block, hmac_key, hmac_key_len);
1510   memset(block + hmac_key_len, 0x36, sizeof(block) - hmac_key_len);
1511 
1512   unsigned i;
1513   for (i = 0; i < hmac_key_len; i++) {
1514     block[i] ^= 0x36;
1515   }
1516 
1517   SHA256_Init(out_inner);
1518   SHA256_Update(out_inner, block, sizeof(block));
1519 
1520   memset(block + hmac_key_len, 0x5c, sizeof(block) - hmac_key_len);
1521   for (i = 0; i < hmac_key_len; i++) {
1522     block[i] ^= (0x36 ^ 0x5c);
1523   }
1524 
1525   SHA256_Init(out_outer);
1526   SHA256_Update(out_outer, block, sizeof(block));
1527 }
1528 
aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t tag_len)1529 static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
1530                                          size_t key_len, size_t tag_len) {
1531   struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx;
1532   static const size_t hmac_key_len = 32;
1533 
1534   if (key_len < hmac_key_len) {
1535     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
1536     return 0; /* EVP_AEAD_CTX_init should catch this. */
1537   }
1538 
1539   const size_t aes_key_len = key_len - hmac_key_len;
1540   if (aes_key_len != 16 && aes_key_len != 32) {
1541     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
1542     return 0; /* EVP_AEAD_CTX_init should catch this. */
1543   }
1544 
1545   if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
1546     tag_len = EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN;
1547   }
1548 
1549   if (tag_len > EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN) {
1550     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
1551     return 0;
1552   }
1553 
1554   aes_ctx = OPENSSL_malloc(sizeof(struct aead_aes_ctr_hmac_sha256_ctx));
1555   if (aes_ctx == NULL) {
1556     OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
1557     return 0;
1558   }
1559 
1560   aes_ctx->ctr =
1561       aes_ctr_set_key(&aes_ctx->ks.ks, NULL, &aes_ctx->block, key, aes_key_len);
1562   aes_ctx->tag_len = tag_len;
1563   hmac_init(&aes_ctx->inner_init_state, &aes_ctx->outer_init_state,
1564             key + aes_key_len);
1565 
1566   ctx->aead_state = aes_ctx;
1567 
1568   return 1;
1569 }
1570 
aead_aes_ctr_hmac_sha256_cleanup(EVP_AEAD_CTX * ctx)1571 static void aead_aes_ctr_hmac_sha256_cleanup(EVP_AEAD_CTX *ctx) {
1572   struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
1573   OPENSSL_cleanse(aes_ctx, sizeof(struct aead_aes_ctr_hmac_sha256_ctx));
1574   OPENSSL_free(aes_ctx);
1575 }
1576 
hmac_update_uint64(SHA256_CTX * sha256,uint64_t value)1577 static void hmac_update_uint64(SHA256_CTX *sha256, uint64_t value) {
1578   unsigned i;
1579   uint8_t bytes[8];
1580 
1581   for (i = 0; i < sizeof(bytes); i++) {
1582     bytes[i] = value & 0xff;
1583     value >>= 8;
1584   }
1585   SHA256_Update(sha256, bytes, sizeof(bytes));
1586 }
1587 
hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH],const SHA256_CTX * inner_init_state,const SHA256_CTX * outer_init_state,const uint8_t * ad,size_t ad_len,const uint8_t * nonce,const uint8_t * ciphertext,size_t ciphertext_len)1588 static void hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH],
1589                            const SHA256_CTX *inner_init_state,
1590                            const SHA256_CTX *outer_init_state,
1591                            const uint8_t *ad, size_t ad_len,
1592                            const uint8_t *nonce, const uint8_t *ciphertext,
1593                            size_t ciphertext_len) {
1594   SHA256_CTX sha256;
1595   memcpy(&sha256, inner_init_state, sizeof(sha256));
1596   hmac_update_uint64(&sha256, ad_len);
1597   hmac_update_uint64(&sha256, ciphertext_len);
1598   SHA256_Update(&sha256, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
1599   SHA256_Update(&sha256, ad, ad_len);
1600 
1601   /* Pad with zeros to the end of the SHA-256 block. */
1602   const unsigned num_padding =
1603       (SHA256_CBLOCK - ((sizeof(uint64_t)*2 +
1604                          EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN + ad_len) %
1605                         SHA256_CBLOCK)) %
1606       SHA256_CBLOCK;
1607   uint8_t padding[SHA256_CBLOCK];
1608   memset(padding, 0, num_padding);
1609   SHA256_Update(&sha256, padding, num_padding);
1610 
1611   SHA256_Update(&sha256, ciphertext, ciphertext_len);
1612 
1613   uint8_t inner_digest[SHA256_DIGEST_LENGTH];
1614   SHA256_Final(inner_digest, &sha256);
1615 
1616   memcpy(&sha256, outer_init_state, sizeof(sha256));
1617   SHA256_Update(&sha256, inner_digest, sizeof(inner_digest));
1618   SHA256_Final(out, &sha256);
1619 }
1620 
aead_aes_ctr_hmac_sha256_crypt(const struct aead_aes_ctr_hmac_sha256_ctx * aes_ctx,uint8_t * out,const uint8_t * in,size_t len,const uint8_t * nonce)1621 static void aead_aes_ctr_hmac_sha256_crypt(
1622     const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx, uint8_t *out,
1623     const uint8_t *in, size_t len, const uint8_t *nonce) {
1624   /* Since the AEAD operation is one-shot, keeping a buffer of unused keystream
1625    * bytes is pointless. However, |CRYPTO_ctr128_encrypt| requires it. */
1626   uint8_t partial_block_buffer[AES_BLOCK_SIZE];
1627   unsigned partial_block_offset = 0;
1628   memset(partial_block_buffer, 0, sizeof(partial_block_buffer));
1629 
1630   uint8_t counter[AES_BLOCK_SIZE];
1631   memcpy(counter, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
1632   memset(counter + EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN, 0, 4);
1633 
1634   if (aes_ctx->ctr) {
1635     CRYPTO_ctr128_encrypt_ctr32(in, out, len, &aes_ctx->ks.ks, counter,
1636                                 partial_block_buffer, &partial_block_offset,
1637                                 aes_ctx->ctr);
1638   } else {
1639     CRYPTO_ctr128_encrypt(in, out, len, &aes_ctx->ks.ks, counter,
1640                           partial_block_buffer, &partial_block_offset,
1641                           aes_ctx->block);
1642   }
1643 }
1644 
aead_aes_ctr_hmac_sha256_seal(const EVP_AEAD_CTX * ctx,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * ad,size_t ad_len)1645 static int aead_aes_ctr_hmac_sha256_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
1646                                          size_t *out_len, size_t max_out_len,
1647                                          const uint8_t *nonce, size_t nonce_len,
1648                                          const uint8_t *in, size_t in_len,
1649                                          const uint8_t *ad, size_t ad_len) {
1650   const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
1651   const uint64_t in_len_64 = in_len;
1652 
1653   if (in_len + aes_ctx->tag_len < in_len ||
1654       /* This input is so large it would overflow the 32-bit block counter. */
1655       in_len_64 >= (UINT64_C(1) << 32) * AES_BLOCK_SIZE) {
1656     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
1657     return 0;
1658   }
1659 
1660   if (max_out_len < in_len + aes_ctx->tag_len) {
1661     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
1662     return 0;
1663   }
1664 
1665   if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {
1666     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
1667     return 0;
1668   }
1669 
1670   aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, in_len, nonce);
1671 
1672   uint8_t hmac_result[SHA256_DIGEST_LENGTH];
1673   hmac_calculate(hmac_result, &aes_ctx->inner_init_state,
1674                  &aes_ctx->outer_init_state, ad, ad_len, nonce, out, in_len);
1675   memcpy(out + in_len, hmac_result, aes_ctx->tag_len);
1676   *out_len = in_len + aes_ctx->tag_len;
1677 
1678   return 1;
1679 }
1680 
aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX * ctx,uint8_t * out,size_t * out_len,size_t max_out_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * ad,size_t ad_len)1681 static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
1682                                          size_t *out_len, size_t max_out_len,
1683                                          const uint8_t *nonce, size_t nonce_len,
1684                                          const uint8_t *in, size_t in_len,
1685                                          const uint8_t *ad, size_t ad_len) {
1686   const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
1687   size_t plaintext_len;
1688 
1689   if (in_len < aes_ctx->tag_len) {
1690     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
1691     return 0;
1692   }
1693 
1694   plaintext_len = in_len - aes_ctx->tag_len;
1695 
1696   if (max_out_len < plaintext_len) {
1697     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
1698     return 0;
1699   }
1700 
1701   if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {
1702     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
1703     return 0;
1704   }
1705 
1706   uint8_t hmac_result[SHA256_DIGEST_LENGTH];
1707   hmac_calculate(hmac_result, &aes_ctx->inner_init_state,
1708                  &aes_ctx->outer_init_state, ad, ad_len, nonce, in,
1709                  plaintext_len);
1710   if (CRYPTO_memcmp(hmac_result, in + plaintext_len, aes_ctx->tag_len) != 0) {
1711     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
1712     return 0;
1713   }
1714 
1715   aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, plaintext_len, nonce);
1716 
1717   *out_len = plaintext_len;
1718   return 1;
1719 }
1720 
1721 static const EVP_AEAD aead_aes_128_ctr_hmac_sha256 = {
1722     16 /* AES key */ + 32 /* HMAC key */,
1723     12,                                       /* nonce length */
1724     EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* overhead */
1725     EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* max tag length */
1726 
1727     aead_aes_ctr_hmac_sha256_init,
1728     NULL /* init_with_direction */,
1729     aead_aes_ctr_hmac_sha256_cleanup,
1730     aead_aes_ctr_hmac_sha256_seal,
1731     aead_aes_ctr_hmac_sha256_open,
1732     NULL /* get_rc4_state */,
1733     NULL /* get_iv */,
1734 };
1735 
1736 static const EVP_AEAD aead_aes_256_ctr_hmac_sha256 = {
1737     32 /* AES key */ + 32 /* HMAC key */,
1738     12,                                       /* nonce length */
1739     EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* overhead */
1740     EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* max tag length */
1741 
1742     aead_aes_ctr_hmac_sha256_init,
1743     NULL /* init_with_direction */,
1744     aead_aes_ctr_hmac_sha256_cleanup,
1745     aead_aes_ctr_hmac_sha256_seal,
1746     aead_aes_ctr_hmac_sha256_open,
1747     NULL /* get_rc4_state */,
1748     NULL /* get_iv */,
1749 };
1750 
EVP_aead_aes_128_ctr_hmac_sha256(void)1751 const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void) {
1752   return &aead_aes_128_ctr_hmac_sha256;
1753 }
1754 
EVP_aead_aes_256_ctr_hmac_sha256(void)1755 const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void) {
1756   return &aead_aes_256_ctr_hmac_sha256;
1757 }
1758 
EVP_has_aes_hardware(void)1759 int EVP_has_aes_hardware(void) {
1760 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
1761   return aesni_capable() && crypto_gcm_clmul_enabled();
1762 #elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
1763   return hwaes_capable() && CRYPTO_is_ARMv8_PMULL_capable();
1764 #else
1765   return 0;
1766 #endif
1767 }
1768