1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ==================================================================== */
48 
49 #include <assert.h>
50 #include <string.h>
51 
52 #include <openssl/aead.h>
53 #include <openssl/aes.h>
54 #include <openssl/cipher.h>
55 #include <openssl/cpu.h>
56 #include <openssl/err.h>
57 #include <openssl/mem.h>
58 #include <openssl/nid.h>
59 #include <openssl/rand.h>
60 
61 #include "internal.h"
62 #include "../../internal.h"
63 #include "../aes/internal.h"
64 #include "../modes/internal.h"
65 #include "../delocate.h"
66 
67 
68 OPENSSL_MSVC_PRAGMA(warning(push))
69 OPENSSL_MSVC_PRAGMA(warning(disable: 4702))  // Unreachable code.
70 
71 typedef struct {
72   union {
73     double align;
74     AES_KEY ks;
75   } ks;
76   block128_f block;
77   union {
78     cbc128_f cbc;
79     ctr128_f ctr;
80   } stream;
81 } EVP_AES_KEY;
82 
83 typedef struct {
84   GCM128_CONTEXT gcm;
85   union {
86     double align;
87     AES_KEY ks;
88   } ks;         // AES key schedule to use
89   int key_set;  // Set if key initialised
90   int iv_set;   // Set if an iv is set
91   uint8_t *iv;  // Temporary IV store
92   int ivlen;         // IV length
93   int taglen;
94   int iv_gen;      // It is OK to generate IVs
95   ctr128_f ctr;
96 } EVP_AES_GCM_CTX;
97 
aes_init_key(EVP_CIPHER_CTX * ctx,const uint8_t * key,const uint8_t * iv,int enc)98 static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
99                         const uint8_t *iv, int enc) {
100   int ret, mode;
101   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
102 
103   mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK;
104   if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) {
105     if (hwaes_capable()) {
106       ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
107       dat->block = aes_hw_decrypt;
108       dat->stream.cbc = NULL;
109       if (mode == EVP_CIPH_CBC_MODE) {
110         dat->stream.cbc = aes_hw_cbc_encrypt;
111       }
112     } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) {
113       ret = aes_nohw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
114       // If |dat->stream.cbc| is provided, |dat->block| is never used.
115       dat->block = NULL;
116       dat->stream.cbc = bsaes_cbc_encrypt;
117     } else if (vpaes_capable()) {
118       ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
119       dat->block = vpaes_decrypt;
120       dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? vpaes_cbc_encrypt : NULL;
121     } else {
122       ret = aes_nohw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
123       dat->block = aes_nohw_decrypt;
124       dat->stream.cbc = NULL;
125 #if defined(AES_NOHW_CBC)
126       if (mode == EVP_CIPH_CBC_MODE) {
127         dat->stream.cbc = aes_nohw_cbc_encrypt;
128       }
129 #endif
130     }
131   } else if (hwaes_capable()) {
132     ret = aes_hw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
133     dat->block = aes_hw_encrypt;
134     dat->stream.cbc = NULL;
135     if (mode == EVP_CIPH_CBC_MODE) {
136       dat->stream.cbc = aes_hw_cbc_encrypt;
137     } else if (mode == EVP_CIPH_CTR_MODE) {
138       dat->stream.ctr = aes_hw_ctr32_encrypt_blocks;
139     }
140   } else if (bsaes_capable() && mode == EVP_CIPH_CTR_MODE) {
141     ret = aes_nohw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
142     // If |dat->stream.ctr| is provided, |dat->block| is never used.
143     dat->block = NULL;
144     dat->stream.ctr = bsaes_ctr32_encrypt_blocks;
145   } else if (vpaes_capable()) {
146     ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
147     dat->block = vpaes_encrypt;
148     dat->stream.cbc = NULL;
149     if (mode == EVP_CIPH_CBC_MODE) {
150       dat->stream.cbc = vpaes_cbc_encrypt;
151     }
152 #if defined(VPAES_CTR32)
153     if (mode == EVP_CIPH_CTR_MODE) {
154       dat->stream.ctr = vpaes_ctr32_encrypt_blocks;
155     }
156 #endif
157   } else {
158     ret = aes_nohw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
159     dat->block = aes_nohw_encrypt;
160     dat->stream.cbc = NULL;
161 #if defined(AES_NOHW_CBC)
162     if (mode == EVP_CIPH_CBC_MODE) {
163       dat->stream.cbc = aes_nohw_cbc_encrypt;
164     }
165 #endif
166   }
167 
168   if (ret < 0) {
169     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
170     return 0;
171   }
172 
173   return 1;
174 }
175 
aes_cbc_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)176 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
177                           size_t len) {
178   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
179 
180   if (dat->stream.cbc) {
181     (*dat->stream.cbc)(in, out, len, &dat->ks.ks, ctx->iv, ctx->encrypt);
182   } else if (ctx->encrypt) {
183     CRYPTO_cbc128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block);
184   } else {
185     CRYPTO_cbc128_decrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block);
186   }
187 
188   return 1;
189 }
190 
aes_ecb_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)191 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
192                           size_t len) {
193   size_t bl = ctx->cipher->block_size;
194   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
195 
196   if (len < bl) {
197     return 1;
198   }
199 
200   len -= bl;
201   for (size_t i = 0; i <= len; i += bl) {
202     (*dat->block)(in + i, out + i, &dat->ks.ks);
203   }
204 
205   return 1;
206 }
207 
aes_ctr_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)208 static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
209                           size_t len) {
210   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
211 
212   if (dat->stream.ctr) {
213     CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf,
214                                 &ctx->num, dat->stream.ctr);
215   } else {
216     CRYPTO_ctr128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf,
217                           &ctx->num, dat->block);
218   }
219   return 1;
220 }
221 
aes_ofb_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)222 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
223                           size_t len) {
224   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
225 
226   CRYPTO_ofb128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, &ctx->num,
227                         dat->block);
228   return 1;
229 }
230 
aes_ctr_set_key(AES_KEY * aes_key,GCM128_KEY * gcm_key,block128_f * out_block,const uint8_t * key,size_t key_bytes)231 ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_KEY *gcm_key,
232                          block128_f *out_block, const uint8_t *key,
233                          size_t key_bytes) {
234   if (hwaes_capable()) {
235     aes_hw_set_encrypt_key(key, key_bytes * 8, aes_key);
236     if (gcm_key != NULL) {
237       CRYPTO_gcm128_init_key(gcm_key, aes_key, aes_hw_encrypt, 1);
238     }
239     if (out_block) {
240       *out_block = aes_hw_encrypt;
241     }
242     return aes_hw_ctr32_encrypt_blocks;
243   }
244 
245   if (bsaes_capable()) {
246     aes_nohw_set_encrypt_key(key, key_bytes * 8, aes_key);
247     if (gcm_key != NULL) {
248       CRYPTO_gcm128_init_key(gcm_key, aes_key, aes_nohw_encrypt, 0);
249     }
250     if (out_block) {
251       *out_block = aes_nohw_encrypt;
252     }
253     return bsaes_ctr32_encrypt_blocks;
254   }
255 
256   if (vpaes_capable()) {
257     vpaes_set_encrypt_key(key, key_bytes * 8, aes_key);
258     if (out_block) {
259       *out_block = vpaes_encrypt;
260     }
261     if (gcm_key != NULL) {
262       CRYPTO_gcm128_init_key(gcm_key, aes_key, vpaes_encrypt, 0);
263     }
264 #if defined(VPAES_CTR32)
265     return vpaes_ctr32_encrypt_blocks;
266 #else
267     return NULL;
268 #endif
269   }
270 
271   aes_nohw_set_encrypt_key(key, key_bytes * 8, aes_key);
272   if (gcm_key != NULL) {
273     CRYPTO_gcm128_init_key(gcm_key, aes_key, aes_nohw_encrypt, 0);
274   }
275   if (out_block) {
276     *out_block = aes_nohw_encrypt;
277   }
278   return NULL;
279 }
280 
281 #if defined(OPENSSL_32_BIT)
282 #define EVP_AES_GCM_CTX_PADDING (4+8)
283 #else
284 #define EVP_AES_GCM_CTX_PADDING 8
285 #endif
286 
aes_gcm_from_cipher_ctx(EVP_CIPHER_CTX * ctx)287 static EVP_AES_GCM_CTX *aes_gcm_from_cipher_ctx(EVP_CIPHER_CTX *ctx) {
288 #if defined(__GNUC__) || defined(__clang__)
289   OPENSSL_STATIC_ASSERT(
290       alignof(EVP_AES_GCM_CTX) <= 16,
291       "EVP_AES_GCM_CTX needs more alignment than this function provides");
292 #endif
293 
294   // |malloc| guarantees up to 4-byte alignment on 32-bit and 8-byte alignment
295   // on 64-bit systems, so we need to adjust to reach 16-byte alignment.
296   assert(ctx->cipher->ctx_size ==
297          sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING);
298 
299   char *ptr = ctx->cipher_data;
300 #if defined(OPENSSL_32_BIT)
301   assert((uintptr_t)ptr % 4 == 0);
302   ptr += (uintptr_t)ptr & 4;
303 #endif
304   assert((uintptr_t)ptr % 8 == 0);
305   ptr += (uintptr_t)ptr & 8;
306   return (EVP_AES_GCM_CTX *)ptr;
307 }
308 
aes_gcm_init_key(EVP_CIPHER_CTX * ctx,const uint8_t * key,const uint8_t * iv,int enc)309 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
310                             const uint8_t *iv, int enc) {
311   EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(ctx);
312   if (!iv && !key) {
313     return 1;
314   }
315   if (key) {
316     OPENSSL_memset(&gctx->gcm, 0, sizeof(gctx->gcm));
317     gctx->ctr = aes_ctr_set_key(&gctx->ks.ks, &gctx->gcm.gcm_key, NULL, key,
318                                 ctx->key_len);
319     // If we have an iv can set it directly, otherwise use saved IV.
320     if (iv == NULL && gctx->iv_set) {
321       iv = gctx->iv;
322     }
323     if (iv) {
324       CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
325       gctx->iv_set = 1;
326     }
327     gctx->key_set = 1;
328   } else {
329     // If key set use IV, otherwise copy
330     if (gctx->key_set) {
331       CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
332     } else {
333       OPENSSL_memcpy(gctx->iv, iv, gctx->ivlen);
334     }
335     gctx->iv_set = 1;
336     gctx->iv_gen = 0;
337   }
338   return 1;
339 }
340 
aes_gcm_cleanup(EVP_CIPHER_CTX * c)341 static void aes_gcm_cleanup(EVP_CIPHER_CTX *c) {
342   EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(c);
343   OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
344   if (gctx->iv != c->iv) {
345     OPENSSL_free(gctx->iv);
346   }
347 }
348 
349 // increment counter (64-bit int) by 1
ctr64_inc(uint8_t * counter)350 static void ctr64_inc(uint8_t *counter) {
351   int n = 8;
352   uint8_t c;
353 
354   do {
355     --n;
356     c = counter[n];
357     ++c;
358     counter[n] = c;
359     if (c) {
360       return;
361     }
362   } while (n);
363 }
364 
aes_gcm_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)365 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
366   EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(c);
367   switch (type) {
368     case EVP_CTRL_INIT:
369       gctx->key_set = 0;
370       gctx->iv_set = 0;
371       gctx->ivlen = c->cipher->iv_len;
372       gctx->iv = c->iv;
373       gctx->taglen = -1;
374       gctx->iv_gen = 0;
375       return 1;
376 
377     case EVP_CTRL_AEAD_SET_IVLEN:
378       if (arg <= 0) {
379         return 0;
380       }
381 
382       // Allocate memory for IV if needed
383       if (arg > EVP_MAX_IV_LENGTH && arg > gctx->ivlen) {
384         if (gctx->iv != c->iv) {
385           OPENSSL_free(gctx->iv);
386         }
387         gctx->iv = OPENSSL_malloc(arg);
388         if (!gctx->iv) {
389           return 0;
390         }
391       }
392       gctx->ivlen = arg;
393       return 1;
394 
395     case EVP_CTRL_AEAD_SET_TAG:
396       if (arg <= 0 || arg > 16 || c->encrypt) {
397         return 0;
398       }
399       OPENSSL_memcpy(c->buf, ptr, arg);
400       gctx->taglen = arg;
401       return 1;
402 
403     case EVP_CTRL_AEAD_GET_TAG:
404       if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) {
405         return 0;
406       }
407       OPENSSL_memcpy(ptr, c->buf, arg);
408       return 1;
409 
410     case EVP_CTRL_AEAD_SET_IV_FIXED:
411       // Special case: -1 length restores whole IV
412       if (arg == -1) {
413         OPENSSL_memcpy(gctx->iv, ptr, gctx->ivlen);
414         gctx->iv_gen = 1;
415         return 1;
416       }
417       // Fixed field must be at least 4 bytes and invocation field
418       // at least 8.
419       if (arg < 4 || (gctx->ivlen - arg) < 8) {
420         return 0;
421       }
422       if (arg) {
423         OPENSSL_memcpy(gctx->iv, ptr, arg);
424       }
425       if (c->encrypt && !RAND_bytes(gctx->iv + arg, gctx->ivlen - arg)) {
426         return 0;
427       }
428       gctx->iv_gen = 1;
429       return 1;
430 
431     case EVP_CTRL_GCM_IV_GEN:
432       if (gctx->iv_gen == 0 || gctx->key_set == 0) {
433         return 0;
434       }
435       CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen);
436       if (arg <= 0 || arg > gctx->ivlen) {
437         arg = gctx->ivlen;
438       }
439       OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
440       // Invocation field will be at least 8 bytes in size and
441       // so no need to check wrap around or increment more than
442       // last 8 bytes.
443       ctr64_inc(gctx->iv + gctx->ivlen - 8);
444       gctx->iv_set = 1;
445       return 1;
446 
447     case EVP_CTRL_GCM_SET_IV_INV:
448       if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) {
449         return 0;
450       }
451       OPENSSL_memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
452       CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen);
453       gctx->iv_set = 1;
454       return 1;
455 
456     case EVP_CTRL_COPY: {
457       EVP_CIPHER_CTX *out = ptr;
458       EVP_AES_GCM_CTX *gctx_out = aes_gcm_from_cipher_ctx(out);
459       if (gctx->iv == c->iv) {
460         gctx_out->iv = out->iv;
461       } else {
462         gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
463         if (!gctx_out->iv) {
464           return 0;
465         }
466         OPENSSL_memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
467       }
468       return 1;
469     }
470 
471     default:
472       return -1;
473   }
474 }
475 
aes_gcm_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)476 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
477                           size_t len) {
478   EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(ctx);
479 
480   // If not set up, return error
481   if (!gctx->key_set) {
482     return -1;
483   }
484   if (!gctx->iv_set) {
485     return -1;
486   }
487 
488   if (in) {
489     if (out == NULL) {
490       if (!CRYPTO_gcm128_aad(&gctx->gcm, in, len)) {
491         return -1;
492       }
493     } else if (ctx->encrypt) {
494       if (gctx->ctr) {
495         if (!CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in, out, len,
496                                          gctx->ctr)) {
497           return -1;
498         }
499       } else {
500         if (!CRYPTO_gcm128_encrypt(&gctx->gcm, &gctx->ks.ks, in, out, len)) {
501           return -1;
502         }
503       }
504     } else {
505       if (gctx->ctr) {
506         if (!CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in, out, len,
507                                          gctx->ctr)) {
508           return -1;
509         }
510       } else {
511         if (!CRYPTO_gcm128_decrypt(&gctx->gcm, &gctx->ks.ks, in, out, len)) {
512           return -1;
513         }
514       }
515     }
516     return len;
517   } else {
518     if (!ctx->encrypt) {
519       if (gctx->taglen < 0 ||
520           !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen)) {
521         return -1;
522       }
523       gctx->iv_set = 0;
524       return 0;
525     }
526     CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
527     gctx->taglen = 16;
528     // Don't reuse the IV
529     gctx->iv_set = 0;
530     return 0;
531   }
532 }
533 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_128_cbc_generic)534 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_128_cbc_generic) {
535   memset(out, 0, sizeof(EVP_CIPHER));
536 
537   out->nid = NID_aes_128_cbc;
538   out->block_size = 16;
539   out->key_len = 16;
540   out->iv_len = 16;
541   out->ctx_size = sizeof(EVP_AES_KEY);
542   out->flags = EVP_CIPH_CBC_MODE;
543   out->init = aes_init_key;
544   out->cipher = aes_cbc_cipher;
545 }
546 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_128_ctr_generic)547 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_128_ctr_generic) {
548   memset(out, 0, sizeof(EVP_CIPHER));
549 
550   out->nid = NID_aes_128_ctr;
551   out->block_size = 1;
552   out->key_len = 16;
553   out->iv_len = 16;
554   out->ctx_size = sizeof(EVP_AES_KEY);
555   out->flags = EVP_CIPH_CTR_MODE;
556   out->init = aes_init_key;
557   out->cipher = aes_ctr_cipher;
558 }
559 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_128_ecb_generic)560 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_128_ecb_generic) {
561   memset(out, 0, sizeof(EVP_CIPHER));
562 
563   out->nid = NID_aes_128_ecb;
564   out->block_size = 16;
565   out->key_len = 16;
566   out->ctx_size = sizeof(EVP_AES_KEY);
567   out->flags = EVP_CIPH_ECB_MODE;
568   out->init = aes_init_key;
569   out->cipher = aes_ecb_cipher;
570 }
571 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_128_ofb_generic)572 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_128_ofb_generic) {
573   memset(out, 0, sizeof(EVP_CIPHER));
574 
575   out->nid = NID_aes_128_ofb128;
576   out->block_size = 1;
577   out->key_len = 16;
578   out->iv_len = 16;
579   out->ctx_size = sizeof(EVP_AES_KEY);
580   out->flags = EVP_CIPH_OFB_MODE;
581   out->init = aes_init_key;
582   out->cipher = aes_ofb_cipher;
583 }
584 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_128_gcm_generic)585 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_128_gcm_generic) {
586   memset(out, 0, sizeof(EVP_CIPHER));
587 
588   out->nid = NID_aes_128_gcm;
589   out->block_size = 1;
590   out->key_len = 16;
591   out->iv_len = 12;
592   out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING;
593   out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV |
594                EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |
595                EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER;
596   out->init = aes_gcm_init_key;
597   out->cipher = aes_gcm_cipher;
598   out->cleanup = aes_gcm_cleanup;
599   out->ctrl = aes_gcm_ctrl;
600 }
601 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_192_cbc_generic)602 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_192_cbc_generic) {
603   memset(out, 0, sizeof(EVP_CIPHER));
604 
605   out->nid = NID_aes_192_cbc;
606   out->block_size = 16;
607   out->key_len = 24;
608   out->iv_len = 16;
609   out->ctx_size = sizeof(EVP_AES_KEY);
610   out->flags = EVP_CIPH_CBC_MODE;
611   out->init = aes_init_key;
612   out->cipher = aes_cbc_cipher;
613 }
614 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_192_ctr_generic)615 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_192_ctr_generic) {
616   memset(out, 0, sizeof(EVP_CIPHER));
617 
618   out->nid = NID_aes_192_ctr;
619   out->block_size = 1;
620   out->key_len = 24;
621   out->iv_len = 16;
622   out->ctx_size = sizeof(EVP_AES_KEY);
623   out->flags = EVP_CIPH_CTR_MODE;
624   out->init = aes_init_key;
625   out->cipher = aes_ctr_cipher;
626 }
627 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_192_ecb_generic)628 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_192_ecb_generic) {
629   memset(out, 0, sizeof(EVP_CIPHER));
630 
631   out->nid = NID_aes_192_ecb;
632   out->block_size = 16;
633   out->key_len = 24;
634   out->ctx_size = sizeof(EVP_AES_KEY);
635   out->flags = EVP_CIPH_ECB_MODE;
636   out->init = aes_init_key;
637   out->cipher = aes_ecb_cipher;
638 }
639 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_192_ofb_generic)640 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_192_ofb_generic) {
641   memset(out, 0, sizeof(EVP_CIPHER));
642 
643   out->nid = NID_aes_192_ofb128;
644   out->block_size = 1;
645   out->key_len = 24;
646   out->iv_len = 16;
647   out->ctx_size = sizeof(EVP_AES_KEY);
648   out->flags = EVP_CIPH_OFB_MODE;
649   out->init = aes_init_key;
650   out->cipher = aes_ofb_cipher;
651 }
652 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_192_gcm_generic)653 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_192_gcm_generic) {
654   memset(out, 0, sizeof(EVP_CIPHER));
655 
656   out->nid = NID_aes_192_gcm;
657   out->block_size = 1;
658   out->key_len = 24;
659   out->iv_len = 12;
660   out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING;
661   out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV |
662                EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |
663                EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER;
664   out->init = aes_gcm_init_key;
665   out->cipher = aes_gcm_cipher;
666   out->cleanup = aes_gcm_cleanup;
667   out->ctrl = aes_gcm_ctrl;
668 }
669 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_256_cbc_generic)670 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_256_cbc_generic) {
671   memset(out, 0, sizeof(EVP_CIPHER));
672 
673   out->nid = NID_aes_256_cbc;
674   out->block_size = 16;
675   out->key_len = 32;
676   out->iv_len = 16;
677   out->ctx_size = sizeof(EVP_AES_KEY);
678   out->flags = EVP_CIPH_CBC_MODE;
679   out->init = aes_init_key;
680   out->cipher = aes_cbc_cipher;
681 }
682 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_256_ctr_generic)683 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_256_ctr_generic) {
684   memset(out, 0, sizeof(EVP_CIPHER));
685 
686   out->nid = NID_aes_256_ctr;
687   out->block_size = 1;
688   out->key_len = 32;
689   out->iv_len = 16;
690   out->ctx_size = sizeof(EVP_AES_KEY);
691   out->flags = EVP_CIPH_CTR_MODE;
692   out->init = aes_init_key;
693   out->cipher = aes_ctr_cipher;
694 }
695 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_256_ecb_generic)696 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_256_ecb_generic) {
697   memset(out, 0, sizeof(EVP_CIPHER));
698 
699   out->nid = NID_aes_256_ecb;
700   out->block_size = 16;
701   out->key_len = 32;
702   out->ctx_size = sizeof(EVP_AES_KEY);
703   out->flags = EVP_CIPH_ECB_MODE;
704   out->init = aes_init_key;
705   out->cipher = aes_ecb_cipher;
706 }
707 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_256_ofb_generic)708 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_256_ofb_generic) {
709   memset(out, 0, sizeof(EVP_CIPHER));
710 
711   out->nid = NID_aes_256_ofb128;
712   out->block_size = 1;
713   out->key_len = 32;
714   out->iv_len = 16;
715   out->ctx_size = sizeof(EVP_AES_KEY);
716   out->flags = EVP_CIPH_OFB_MODE;
717   out->init = aes_init_key;
718   out->cipher = aes_ofb_cipher;
719 }
720 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_256_gcm_generic)721 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_256_gcm_generic) {
722   memset(out, 0, sizeof(EVP_CIPHER));
723 
724   out->nid = NID_aes_256_gcm;
725   out->block_size = 1;
726   out->key_len = 32;
727   out->iv_len = 12;
728   out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING;
729   out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV |
730                EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |
731                EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER;
732   out->init = aes_gcm_init_key;
733   out->cipher = aes_gcm_cipher;
734   out->cleanup = aes_gcm_cleanup;
735   out->ctrl = aes_gcm_ctrl;
736 }
737 
738 #if defined(HWAES_ECB)
739 
aes_hw_ecb_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)740 static int aes_hw_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
741                              const uint8_t *in, size_t len) {
742   size_t bl = ctx->cipher->block_size;
743 
744   if (len < bl) {
745     return 1;
746   }
747 
748   aes_hw_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
749 
750   return 1;
751 }
752 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_hw_128_ecb)753 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_128_ecb) {
754   memset(out, 0, sizeof(EVP_CIPHER));
755 
756   out->nid = NID_aes_128_ecb;
757   out->block_size = 16;
758   out->key_len = 16;
759   out->ctx_size = sizeof(EVP_AES_KEY);
760   out->flags = EVP_CIPH_ECB_MODE;
761   out->init = aes_init_key;
762   out->cipher = aes_hw_ecb_cipher;
763 }
764 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_hw_192_ecb)765 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_192_ecb) {
766   memset(out, 0, sizeof(EVP_CIPHER));
767 
768   out->nid = NID_aes_192_ecb;
769   out->block_size = 16;
770   out->key_len = 24;
771   out->ctx_size = sizeof(EVP_AES_KEY);
772   out->flags = EVP_CIPH_ECB_MODE;
773   out->init = aes_init_key;
774   out->cipher = aes_hw_ecb_cipher;
775 }
776 
DEFINE_LOCAL_DATA(EVP_CIPHER,aes_hw_256_ecb)777 DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_256_ecb) {
778   memset(out, 0, sizeof(EVP_CIPHER));
779 
780   out->nid = NID_aes_256_ecb;
781   out->block_size = 16;
782   out->key_len = 32;
783   out->ctx_size = sizeof(EVP_AES_KEY);
784   out->flags = EVP_CIPH_ECB_MODE;
785   out->init = aes_init_key;
786   out->cipher = aes_hw_ecb_cipher;
787 }
788 
789 #define EVP_ECB_CIPHER_FUNCTION(keybits)            \
790   const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \
791     if (hwaes_capable()) {                          \
792       return aes_hw_##keybits##_ecb();              \
793     }                                               \
794     return aes_##keybits##_ecb_generic();           \
795   }
796 
797 #else
798 
799 #define EVP_ECB_CIPHER_FUNCTION(keybits)            \
800   const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \
801     return aes_##keybits##_ecb_generic();           \
802   }
803 
804 #endif  // HWAES_ECB
805 
806 #define EVP_CIPHER_FUNCTION(keybits, mode)             \
807   const EVP_CIPHER *EVP_aes_##keybits##_##mode(void) { \
808     return aes_##keybits##_##mode##_generic();         \
809   }
810 
811 EVP_CIPHER_FUNCTION(128, cbc)
812 EVP_CIPHER_FUNCTION(128, ctr)
813 EVP_CIPHER_FUNCTION(128, ofb)
814 EVP_CIPHER_FUNCTION(128, gcm)
815 
816 EVP_CIPHER_FUNCTION(192, cbc)
817 EVP_CIPHER_FUNCTION(192, ctr)
818 EVP_CIPHER_FUNCTION(192, ofb)
819 EVP_CIPHER_FUNCTION(192, gcm)
820 
821 EVP_CIPHER_FUNCTION(256, cbc)
822 EVP_CIPHER_FUNCTION(256, ctr)
823 EVP_CIPHER_FUNCTION(256, ofb)
824 EVP_CIPHER_FUNCTION(256, gcm)
825 
826 EVP_ECB_CIPHER_FUNCTION(128)
827 EVP_ECB_CIPHER_FUNCTION(192)
828 EVP_ECB_CIPHER_FUNCTION(256)
829 
830 
831 #define EVP_AEAD_AES_GCM_TAG_LEN 16
832 
833 struct aead_aes_gcm_ctx {
834   union {
835     double align;
836     AES_KEY ks;
837   } ks;
838   GCM128_KEY gcm_key;
839   ctr128_f ctr;
840 };
841 
aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx * gcm_ctx,size_t * out_tag_len,const uint8_t * key,size_t key_len,size_t tag_len)842 static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx,
843                                   size_t *out_tag_len, const uint8_t *key,
844                                   size_t key_len, size_t tag_len) {
845   const size_t key_bits = key_len * 8;
846 
847   if (key_bits != 128 && key_bits != 256) {
848     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
849     return 0;  // EVP_AEAD_CTX_init should catch this.
850   }
851 
852   if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
853     tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
854   }
855 
856   if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) {
857     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
858     return 0;
859   }
860 
861   gcm_ctx->ctr =
862       aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm_key, NULL, key, key_len);
863   *out_tag_len = tag_len;
864   return 1;
865 }
866 
867 OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
868                           sizeof(struct aead_aes_gcm_ctx),
869                       "AEAD state is too small");
870 #if defined(__GNUC__) || defined(__clang__)
871 OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
872                           alignof(struct aead_aes_gcm_ctx),
873                       "AEAD state has insufficient alignment");
874 #endif
875 
aead_aes_gcm_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t requested_tag_len)876 static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
877                              size_t key_len, size_t requested_tag_len) {
878   struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *) &ctx->state;
879 
880   size_t actual_tag_len;
881   if (!aead_aes_gcm_init_impl(gcm_ctx, &actual_tag_len, key, key_len,
882                               requested_tag_len)) {
883     return 0;
884   }
885 
886   ctx->tag_len = actual_tag_len;
887   return 1;
888 }
889 
aead_aes_gcm_cleanup(EVP_AEAD_CTX * ctx)890 static void aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) {}
891 
aead_aes_gcm_seal_scatter(const EVP_AEAD_CTX * ctx,uint8_t * out,uint8_t * out_tag,size_t * out_tag_len,size_t max_out_tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len,const uint8_t * ad,size_t ad_len)892 static int aead_aes_gcm_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
893                                      uint8_t *out_tag, size_t *out_tag_len,
894                                      size_t max_out_tag_len,
895                                      const uint8_t *nonce, size_t nonce_len,
896                                      const uint8_t *in, size_t in_len,
897                                      const uint8_t *extra_in,
898                                      size_t extra_in_len,
899                                      const uint8_t *ad, size_t ad_len) {
900   struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *) &ctx->state;
901 
902   if (extra_in_len + ctx->tag_len < ctx->tag_len) {
903     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
904     return 0;
905   }
906   if (max_out_tag_len < extra_in_len + ctx->tag_len) {
907     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
908     return 0;
909   }
910   if (nonce_len == 0) {
911     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
912     return 0;
913   }
914 
915   const AES_KEY *key = &gcm_ctx->ks.ks;
916 
917   GCM128_CONTEXT gcm;
918   OPENSSL_memset(&gcm, 0, sizeof(gcm));
919   OPENSSL_memcpy(&gcm.gcm_key, &gcm_ctx->gcm_key, sizeof(gcm.gcm_key));
920   CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
921 
922   if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
923     return 0;
924   }
925 
926   if (gcm_ctx->ctr) {
927     if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, in, out, in_len,
928                                      gcm_ctx->ctr)) {
929       return 0;
930     }
931   } else {
932     if (!CRYPTO_gcm128_encrypt(&gcm, key, in, out, in_len)) {
933       return 0;
934     }
935   }
936 
937   if (extra_in_len) {
938     if (gcm_ctx->ctr) {
939       if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, extra_in, out_tag,
940                                        extra_in_len, gcm_ctx->ctr)) {
941         return 0;
942       }
943     } else {
944       if (!CRYPTO_gcm128_encrypt(&gcm, key, extra_in, out_tag, extra_in_len)) {
945         return 0;
946       }
947     }
948   }
949 
950   CRYPTO_gcm128_tag(&gcm, out_tag + extra_in_len, ctx->tag_len);
951   *out_tag_len = ctx->tag_len + extra_in_len;
952 
953   return 1;
954 }
955 
aead_aes_gcm_open_gather(const EVP_AEAD_CTX * ctx,uint8_t * out,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * in_tag,size_t in_tag_len,const uint8_t * ad,size_t ad_len)956 static int aead_aes_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
957                                     const uint8_t *nonce, size_t nonce_len,
958                                     const uint8_t *in, size_t in_len,
959                                     const uint8_t *in_tag, size_t in_tag_len,
960                                     const uint8_t *ad, size_t ad_len) {
961   struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *) &ctx->state;
962   uint8_t tag[EVP_AEAD_AES_GCM_TAG_LEN];
963 
964   if (nonce_len == 0) {
965     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
966     return 0;
967   }
968 
969   if (in_tag_len != ctx->tag_len) {
970     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
971     return 0;
972   }
973 
974   const AES_KEY *key = &gcm_ctx->ks.ks;
975 
976   GCM128_CONTEXT gcm;
977   OPENSSL_memset(&gcm, 0, sizeof(gcm));
978   OPENSSL_memcpy(&gcm.gcm_key, &gcm_ctx->gcm_key, sizeof(gcm.gcm_key));
979   CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
980 
981   if (!CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
982     return 0;
983   }
984 
985   if (gcm_ctx->ctr) {
986     if (!CRYPTO_gcm128_decrypt_ctr32(&gcm, key, in, out, in_len,
987                                      gcm_ctx->ctr)) {
988       return 0;
989     }
990   } else {
991     if (!CRYPTO_gcm128_decrypt(&gcm, key, in, out, in_len)) {
992       return 0;
993     }
994   }
995 
996   CRYPTO_gcm128_tag(&gcm, tag, ctx->tag_len);
997   if (CRYPTO_memcmp(tag, in_tag, ctx->tag_len) != 0) {
998     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
999     return 0;
1000   }
1001 
1002   return 1;
1003 }
1004 
DEFINE_METHOD_FUNCTION(EVP_AEAD,EVP_aead_aes_128_gcm)1005 DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm) {
1006   memset(out, 0, sizeof(EVP_AEAD));
1007 
1008   out->key_len = 16;
1009   out->nonce_len = 12;
1010   out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1011   out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1012   out->seal_scatter_supports_extra_in = 1;
1013 
1014   out->init = aead_aes_gcm_init;
1015   out->cleanup = aead_aes_gcm_cleanup;
1016   out->seal_scatter = aead_aes_gcm_seal_scatter;
1017   out->open_gather = aead_aes_gcm_open_gather;
1018 }
1019 
DEFINE_METHOD_FUNCTION(EVP_AEAD,EVP_aead_aes_256_gcm)1020 DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm) {
1021   memset(out, 0, sizeof(EVP_AEAD));
1022 
1023   out->key_len = 32;
1024   out->nonce_len = 12;
1025   out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1026   out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1027   out->seal_scatter_supports_extra_in = 1;
1028 
1029   out->init = aead_aes_gcm_init;
1030   out->cleanup = aead_aes_gcm_cleanup;
1031   out->seal_scatter = aead_aes_gcm_seal_scatter;
1032   out->open_gather = aead_aes_gcm_open_gather;
1033 }
1034 
1035 struct aead_aes_gcm_tls12_ctx {
1036   struct aead_aes_gcm_ctx gcm_ctx;
1037   uint64_t min_next_nonce;
1038 };
1039 
1040 OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
1041                           sizeof(struct aead_aes_gcm_tls12_ctx),
1042                       "AEAD state is too small");
1043 #if defined(__GNUC__) || defined(__clang__)
1044 OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
1045                           alignof(struct aead_aes_gcm_tls12_ctx),
1046                       "AEAD state has insufficient alignment");
1047 #endif
1048 
aead_aes_gcm_tls12_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t requested_tag_len)1049 static int aead_aes_gcm_tls12_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
1050                                    size_t key_len, size_t requested_tag_len) {
1051   struct aead_aes_gcm_tls12_ctx *gcm_ctx =
1052       (struct aead_aes_gcm_tls12_ctx *) &ctx->state;
1053 
1054   gcm_ctx->min_next_nonce = 0;
1055 
1056   size_t actual_tag_len;
1057   if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len,
1058                               requested_tag_len)) {
1059     return 0;
1060   }
1061 
1062   ctx->tag_len = actual_tag_len;
1063   return 1;
1064 }
1065 
aead_aes_gcm_tls12_seal_scatter(const EVP_AEAD_CTX * ctx,uint8_t * out,uint8_t * out_tag,size_t * out_tag_len,size_t max_out_tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len,const uint8_t * ad,size_t ad_len)1066 static int aead_aes_gcm_tls12_seal_scatter(
1067     const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
1068     size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
1069     size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
1070     size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
1071   struct aead_aes_gcm_tls12_ctx *gcm_ctx =
1072       (struct aead_aes_gcm_tls12_ctx *) &ctx->state;
1073 
1074   if (nonce_len != 12) {
1075     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
1076     return 0;
1077   }
1078 
1079   // The given nonces must be strictly monotonically increasing.
1080   uint64_t given_counter;
1081   OPENSSL_memcpy(&given_counter, nonce + nonce_len - sizeof(given_counter),
1082                  sizeof(given_counter));
1083   given_counter = CRYPTO_bswap8(given_counter);
1084   if (given_counter == UINT64_MAX ||
1085       given_counter < gcm_ctx->min_next_nonce) {
1086     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE);
1087     return 0;
1088   }
1089 
1090   gcm_ctx->min_next_nonce = given_counter + 1;
1091 
1092   return aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len,
1093                                    max_out_tag_len, nonce, nonce_len, in,
1094                                    in_len, extra_in, extra_in_len, ad, ad_len);
1095 }
1096 
DEFINE_METHOD_FUNCTION(EVP_AEAD,EVP_aead_aes_128_gcm_tls12)1097 DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls12) {
1098   memset(out, 0, sizeof(EVP_AEAD));
1099 
1100   out->key_len = 16;
1101   out->nonce_len = 12;
1102   out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1103   out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1104   out->seal_scatter_supports_extra_in = 1;
1105 
1106   out->init = aead_aes_gcm_tls12_init;
1107   out->cleanup = aead_aes_gcm_cleanup;
1108   out->seal_scatter = aead_aes_gcm_tls12_seal_scatter;
1109   out->open_gather = aead_aes_gcm_open_gather;
1110 }
1111 
DEFINE_METHOD_FUNCTION(EVP_AEAD,EVP_aead_aes_256_gcm_tls12)1112 DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls12) {
1113   memset(out, 0, sizeof(EVP_AEAD));
1114 
1115   out->key_len = 32;
1116   out->nonce_len = 12;
1117   out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1118   out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1119   out->seal_scatter_supports_extra_in = 1;
1120 
1121   out->init = aead_aes_gcm_tls12_init;
1122   out->cleanup = aead_aes_gcm_cleanup;
1123   out->seal_scatter = aead_aes_gcm_tls12_seal_scatter;
1124   out->open_gather = aead_aes_gcm_open_gather;
1125 }
1126 
1127 struct aead_aes_gcm_tls13_ctx {
1128   struct aead_aes_gcm_ctx gcm_ctx;
1129   uint64_t min_next_nonce;
1130   uint64_t mask;
1131   uint8_t first;
1132 };
1133 
1134 OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
1135                           sizeof(struct aead_aes_gcm_tls13_ctx),
1136                       "AEAD state is too small");
1137 #if defined(__GNUC__) || defined(__clang__)
1138 OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
1139                           alignof(struct aead_aes_gcm_tls13_ctx),
1140                       "AEAD state has insufficient alignment");
1141 #endif
1142 
aead_aes_gcm_tls13_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t requested_tag_len)1143 static int aead_aes_gcm_tls13_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
1144                                    size_t key_len, size_t requested_tag_len) {
1145   struct aead_aes_gcm_tls13_ctx *gcm_ctx =
1146       (struct aead_aes_gcm_tls13_ctx *) &ctx->state;
1147 
1148   gcm_ctx->min_next_nonce = 0;
1149   gcm_ctx->first = 1;
1150 
1151   size_t actual_tag_len;
1152   if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len,
1153                               requested_tag_len)) {
1154     return 0;
1155   }
1156 
1157   ctx->tag_len = actual_tag_len;
1158   return 1;
1159 }
1160 
aead_aes_gcm_tls13_seal_scatter(const EVP_AEAD_CTX * ctx,uint8_t * out,uint8_t * out_tag,size_t * out_tag_len,size_t max_out_tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len,const uint8_t * ad,size_t ad_len)1161 static int aead_aes_gcm_tls13_seal_scatter(
1162     const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
1163     size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
1164     size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
1165     size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
1166   struct aead_aes_gcm_tls13_ctx *gcm_ctx =
1167       (struct aead_aes_gcm_tls13_ctx *) &ctx->state;
1168 
1169   if (nonce_len != 12) {
1170     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
1171     return 0;
1172   }
1173 
1174   // The given nonces must be strictly monotonically increasing. See
1175   // https://tools.ietf.org/html/rfc8446#section-5.3 for details of the TLS 1.3
1176   // nonce construction.
1177   uint64_t given_counter;
1178   OPENSSL_memcpy(&given_counter, nonce + nonce_len - sizeof(given_counter),
1179                  sizeof(given_counter));
1180   given_counter = CRYPTO_bswap8(given_counter);
1181 
1182   if (gcm_ctx->first) {
1183     // In the first call the sequence number will be zero and therefore the
1184     // given nonce will be 0 ^ mask = mask.
1185     gcm_ctx->mask = given_counter;
1186     gcm_ctx->first = 0;
1187   }
1188   given_counter ^= gcm_ctx->mask;
1189 
1190   if (given_counter == UINT64_MAX ||
1191       given_counter < gcm_ctx->min_next_nonce) {
1192     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE);
1193     return 0;
1194   }
1195 
1196   gcm_ctx->min_next_nonce = given_counter + 1;
1197 
1198   return aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len,
1199                                    max_out_tag_len, nonce, nonce_len, in,
1200                                    in_len, extra_in, extra_in_len, ad, ad_len);
1201 }
1202 
DEFINE_METHOD_FUNCTION(EVP_AEAD,EVP_aead_aes_128_gcm_tls13)1203 DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls13) {
1204   memset(out, 0, sizeof(EVP_AEAD));
1205 
1206   out->key_len = 16;
1207   out->nonce_len = 12;
1208   out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1209   out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1210   out->seal_scatter_supports_extra_in = 1;
1211 
1212   out->init = aead_aes_gcm_tls13_init;
1213   out->cleanup = aead_aes_gcm_cleanup;
1214   out->seal_scatter = aead_aes_gcm_tls13_seal_scatter;
1215   out->open_gather = aead_aes_gcm_open_gather;
1216 }
1217 
DEFINE_METHOD_FUNCTION(EVP_AEAD,EVP_aead_aes_256_gcm_tls13)1218 DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls13) {
1219   memset(out, 0, sizeof(EVP_AEAD));
1220 
1221   out->key_len = 32;
1222   out->nonce_len = 12;
1223   out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1224   out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1225   out->seal_scatter_supports_extra_in = 1;
1226 
1227   out->init = aead_aes_gcm_tls13_init;
1228   out->cleanup = aead_aes_gcm_cleanup;
1229   out->seal_scatter = aead_aes_gcm_tls13_seal_scatter;
1230   out->open_gather = aead_aes_gcm_open_gather;
1231 }
1232 
EVP_has_aes_hardware(void)1233 int EVP_has_aes_hardware(void) {
1234 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
1235   return hwaes_capable() && crypto_gcm_clmul_enabled();
1236 #elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
1237   return hwaes_capable() && CRYPTO_is_ARMv8_PMULL_capable();
1238 #else
1239   return 0;
1240 #endif
1241 }
1242 
1243 OPENSSL_MSVC_PRAGMA(warning(pop))
1244