#include "internal/cryptlib.h"
#include "internal/modes_int.h"
#include "internal/siv_int.h"
-#include "internal/aes_platform.h"
+#include "internal/ciphermode_platform.h"
#include "evp_locl.h"
typedef struct {
# include <openssl/camellia.h>
# include "internal/evp_int.h"
# include "internal/modes_int.h"
+# include "internal/ciphermode_platform.h"
static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc);
* assembler support was in general requested... */
# include "sparc_arch.h"
-extern unsigned int OPENSSL_sparcv9cap_P[];
-
-# define SPARC_CMLL_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_CAMELLIA)
-
-void cmll_t4_set_key(const unsigned char *key, int bits, CAMELLIA_KEY *ks);
-void cmll_t4_encrypt(const unsigned char *in, unsigned char *out,
- const CAMELLIA_KEY *key);
-void cmll_t4_decrypt(const unsigned char *in, unsigned char *out,
- const CAMELLIA_KEY *key);
-
-void cmll128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const CAMELLIA_KEY *key,
- unsigned char *ivec);
-void cmll128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
- size_t len, const CAMELLIA_KEY *key,
- unsigned char *ivec);
-void cmll256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const CAMELLIA_KEY *key,
- unsigned char *ivec);
-void cmll256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
- size_t len, const CAMELLIA_KEY *key,
- unsigned char *ivec);
-void cmll128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const CAMELLIA_KEY *key,
- unsigned char *ivec);
-void cmll256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const CAMELLIA_KEY *key,
- unsigned char *ivec);
static int cmll_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
case NID_aria_256_ccm:
case NID_aria_192_ccm:
case NID_aria_128_ccm:
+ case NID_aria_256_ecb:
+ case NID_aria_192_ecb:
+ case NID_aria_128_ecb:
+ case NID_aria_256_cbc:
+ case NID_aria_192_cbc:
+ case NID_aria_128_cbc:
+ case NID_aria_256_ofb128:
+ case NID_aria_192_ofb128:
+ case NID_aria_128_ofb128:
+ case NID_aria_256_cfb128:
+ case NID_aria_192_cfb128:
+ case NID_aria_128_cfb128:
+ case NID_aria_256_cfb1:
+ case NID_aria_192_cfb1:
+ case NID_aria_128_cfb1:
+ case NID_aria_256_cfb8:
+ case NID_aria_192_cfb8:
+ case NID_aria_128_cfb8:
+ case NID_aria_256_ctr:
+ case NID_aria_192_ctr:
+ case NID_aria_128_ctr:
+ case NID_camellia_256_ecb:
+ case NID_camellia_192_ecb:
+ case NID_camellia_128_ecb:
+ case NID_camellia_256_cbc:
+ case NID_camellia_192_cbc:
+ case NID_camellia_128_cbc:
+ case NID_camellia_256_ofb128:
+ case NID_camellia_192_ofb128:
+ case NID_camellia_128_ofb128:
+ case NID_camellia_256_cfb128:
+ case NID_camellia_192_cfb128:
+ case NID_camellia_128_cfb128:
+ case NID_camellia_256_cfb1:
+ case NID_camellia_192_cfb1:
+ case NID_camellia_128_cfb1:
+ case NID_camellia_256_cfb8:
+ case NID_camellia_192_cfb8:
+ case NID_camellia_128_cfb8:
+ case NID_camellia_256_ctr:
+ case NID_camellia_192_ctr:
+ case NID_camellia_128_ctr:
break;
default:
goto legacy;
+++ /dev/null
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef HEADER_INTERNAL_AES_PLATFORM_H
-# define HEADER_INTERNAL_AES_PLATFORM_H
-
-# ifdef VPAES_ASM
-int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
- AES_KEY *key);
-int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
- AES_KEY *key);
-void vpaes_encrypt(const unsigned char *in, unsigned char *out,
- const AES_KEY *key);
-void vpaes_decrypt(const unsigned char *in, unsigned char *out,
- const AES_KEY *key);
-void vpaes_cbc_encrypt(const unsigned char *in,
- unsigned char *out,
- size_t length,
- const AES_KEY *key, unsigned char *ivec, int enc);
-# endif /* VPAES_ASM */
-
-# ifdef BSAES_ASM
-void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
- size_t length, const AES_KEY *key,
- unsigned char ivec[16], int enc);
-void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
- size_t len, const AES_KEY *key,
- const unsigned char ivec[16]);
-void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
- size_t len, const AES_KEY *key1,
- const AES_KEY *key2, const unsigned char iv[16]);
-void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
- size_t len, const AES_KEY *key1,
- const AES_KEY *key2, const unsigned char iv[16]);
-# endif /* BSAES_ASM */
-
-# ifdef AES_CTR_ASM
-void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const AES_KEY *key,
- const unsigned char ivec[AES_BLOCK_SIZE]);
-# endif /* AES_CTR_ASM */
-
-# ifdef AES_XTS_ASM
-void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
- const AES_KEY *key1, const AES_KEY *key2,
- const unsigned char iv[16]);
-void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
- const AES_KEY *key1, const AES_KEY *key2,
- const unsigned char iv[16]);
-# endif /* AES_XTS_ASM */
-
-# if defined(OPENSSL_CPUID_OBJ)
-# if (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
-# include "ppc_arch.h"
-# ifdef VPAES_ASM
-# define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
-# endif
-# define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
-# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
-# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
-# define HWAES_encrypt aes_p8_encrypt
-# define HWAES_decrypt aes_p8_decrypt
-# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
-# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
-# define HWAES_xts_encrypt aes_p8_xts_encrypt
-# define HWAES_xts_decrypt aes_p8_xts_decrypt
-# endif /* PPC */
-
-# if (defined(__arm__) || defined(__arm) || defined(__aarch64__))
-# include "arm_arch.h"
-# if __ARM_MAX_ARCH__>=7
-# if defined(BSAES_ASM)
-# define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
-# endif
-# if defined(VPAES_ASM)
-# define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
-# endif
-# define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
-# define HWAES_set_encrypt_key aes_v8_set_encrypt_key
-# define HWAES_set_decrypt_key aes_v8_set_decrypt_key
-# define HWAES_encrypt aes_v8_encrypt
-# define HWAES_decrypt aes_v8_decrypt
-# define HWAES_cbc_encrypt aes_v8_cbc_encrypt
-# define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
-# endif
-# endif
-# endif /* OPENSSL_CPUID_OBJ */
-
-# if defined(AES_ASM) && !defined(I386_ONLY) && ( \
- ((defined(__i386) || defined(__i386__) || \
- defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
- defined(__x86_64) || defined(__x86_64__) || \
- defined(_M_AMD64) || defined(_M_X64) )
-
-/* AES-NI section */
-extern unsigned int OPENSSL_ia32cap_P[];
-
-# define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
-# ifdef VPAES_ASM
-# define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
-# endif
-# ifdef BSAES_ASM
-# define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
-# endif
-
-int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
- AES_KEY *key);
-int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
- AES_KEY *key);
-
-void aesni_encrypt(const unsigned char *in, unsigned char *out,
- const AES_KEY *key);
-void aesni_decrypt(const unsigned char *in, unsigned char *out,
- const AES_KEY *key);
-
-void aesni_ecb_encrypt(const unsigned char *in,
- unsigned char *out,
- size_t length, const AES_KEY *key, int enc);
-void aesni_cbc_encrypt(const unsigned char *in,
- unsigned char *out,
- size_t length,
- const AES_KEY *key, unsigned char *ivec, int enc);
-# ifndef OPENSSL_NO_OCB
-void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const void *key,
- size_t start_block_num,
- unsigned char offset_i[16],
- const unsigned char L_[][16],
- unsigned char checksum[16]);
-void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const void *key,
- size_t start_block_num,
- unsigned char offset_i[16],
- const unsigned char L_[][16],
- unsigned char checksum[16]);
-# endif /* OPENSSL_NO_OCB */
-
-void aesni_ctr32_encrypt_blocks(const unsigned char *in,
- unsigned char *out,
- size_t blocks,
- const void *key, const unsigned char *ivec);
-
-void aesni_xts_encrypt(const unsigned char *in,
- unsigned char *out,
- size_t length,
- const AES_KEY *key1, const AES_KEY *key2,
- const unsigned char iv[16]);
-
-void aesni_xts_decrypt(const unsigned char *in,
- unsigned char *out,
- size_t length,
- const AES_KEY *key1, const AES_KEY *key2,
- const unsigned char iv[16]);
-
-void aesni_ccm64_encrypt_blocks(const unsigned char *in,
- unsigned char *out,
- size_t blocks,
- const void *key,
- const unsigned char ivec[16],
- unsigned char cmac[16]);
-
-void aesni_ccm64_decrypt_blocks(const unsigned char *in,
- unsigned char *out,
- size_t blocks,
- const void *key,
- const unsigned char ivec[16],
- unsigned char cmac[16]);
-
-# if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
-size_t aesni_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len,
- const void *key, unsigned char ivec[16], u64 *Xi);
-size_t aesni_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len,
- const void *key, unsigned char ivec[16], u64 *Xi);
-void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in, size_t len);
-
-# define AES_GCM_ASM(ctx) (ctx->ctr == aesni_ctr32_encrypt_blocks && \
- ctx->gcm.ghash == gcm_ghash_avx)
-# endif
-
-
-# elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
-
-/* Fujitsu SPARC64 X support */
-extern unsigned int OPENSSL_sparcv9cap_P[];
-# include "sparc_arch.h"
-# define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES)
-# define HWAES_CAPABLE (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
-# define HWAES_set_encrypt_key aes_fx_set_encrypt_key
-# define HWAES_set_decrypt_key aes_fx_set_decrypt_key
-# define HWAES_encrypt aes_fx_encrypt
-# define HWAES_decrypt aes_fx_decrypt
-# define HWAES_cbc_encrypt aes_fx_cbc_encrypt
-# define HWAES_ctr32_encrypt_blocks aes_fx_ctr32_encrypt_blocks
-
-void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
-void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
-void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
- const AES_KEY *key);
-void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
- const AES_KEY *key);
-/*
- * Key-length specific subroutines were chosen for following reason.
- * Each SPARC T4 core can execute up to 8 threads which share core's
- * resources. Loading as much key material to registers allows to
- * minimize references to shared memory interface, as well as amount
- * of instructions in inner loops [much needed on T4]. But then having
- * non-key-length specific routines would require conditional branches
- * either in inner loops or on subroutines' entries. Former is hardly
- * acceptable, while latter means code size increase to size occupied
- * by multiple key-length specific subroutines, so why fight?
- */
-void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const AES_KEY *key,
- unsigned char *ivec);
-void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
- size_t len, const AES_KEY *key,
- unsigned char *ivec);
-void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const AES_KEY *key,
- unsigned char *ivec);
-void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
- size_t len, const AES_KEY *key,
- unsigned char *ivec);
-void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const AES_KEY *key,
- unsigned char *ivec);
-void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
- size_t len, const AES_KEY *key,
- unsigned char *ivec);
-void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const AES_KEY *key,
- unsigned char *ivec);
-void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const AES_KEY *key,
- unsigned char *ivec);
-void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const AES_KEY *key,
- unsigned char *ivec);
-void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const AES_KEY *key1,
- const AES_KEY *key2, const unsigned char *ivec);
-void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const AES_KEY *key1,
- const AES_KEY *key2, const unsigned char *ivec);
-void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const AES_KEY *key1,
- const AES_KEY *key2, const unsigned char *ivec);
-void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const AES_KEY *key1,
- const AES_KEY *key2, const unsigned char *ivec);
-
-# elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-/* IBM S390X support */
-# include "s390x_arch.h"
-
-
-/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
-# define S390X_AES_FC(keylen) (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
-
-/* Most modes of operation need km for partial block processing. */
-# define S390X_aes_128_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
- S390X_CAPBIT(S390X_AES_128))
-# define S390X_aes_192_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
- S390X_CAPBIT(S390X_AES_192))
-# define S390X_aes_256_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
- S390X_CAPBIT(S390X_AES_256))
-
-# define S390X_aes_128_cbc_CAPABLE 1 /* checked by callee */
-# define S390X_aes_192_cbc_CAPABLE 1
-# define S390X_aes_256_cbc_CAPABLE 1
-
-# define S390X_aes_128_ecb_CAPABLE S390X_aes_128_CAPABLE
-# define S390X_aes_192_ecb_CAPABLE S390X_aes_192_CAPABLE
-# define S390X_aes_256_ecb_CAPABLE S390X_aes_256_CAPABLE
-
-# define S390X_aes_128_ofb_CAPABLE (S390X_aes_128_CAPABLE && \
- (OPENSSL_s390xcap_P.kmo[0] & \
- S390X_CAPBIT(S390X_AES_128)))
-# define S390X_aes_192_ofb_CAPABLE (S390X_aes_192_CAPABLE && \
- (OPENSSL_s390xcap_P.kmo[0] & \
- S390X_CAPBIT(S390X_AES_192)))
-# define S390X_aes_256_ofb_CAPABLE (S390X_aes_256_CAPABLE && \
- (OPENSSL_s390xcap_P.kmo[0] & \
- S390X_CAPBIT(S390X_AES_256)))
-
-# define S390X_aes_128_cfb_CAPABLE (S390X_aes_128_CAPABLE && \
- (OPENSSL_s390xcap_P.kmf[0] & \
- S390X_CAPBIT(S390X_AES_128)))
-# define S390X_aes_192_cfb_CAPABLE (S390X_aes_192_CAPABLE && \
- (OPENSSL_s390xcap_P.kmf[0] & \
- S390X_CAPBIT(S390X_AES_192)))
-# define S390X_aes_256_cfb_CAPABLE (S390X_aes_256_CAPABLE && \
- (OPENSSL_s390xcap_P.kmf[0] & \
- S390X_CAPBIT(S390X_AES_256)))
-# define S390X_aes_128_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
- S390X_CAPBIT(S390X_AES_128))
-# define S390X_aes_192_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
- S390X_CAPBIT(S390X_AES_192))
-# define S390X_aes_256_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
- S390X_CAPBIT(S390X_AES_256))
-# define S390X_aes_128_cfb1_CAPABLE 0
-# define S390X_aes_192_cfb1_CAPABLE 0
-# define S390X_aes_256_cfb1_CAPABLE 0
-
-# define S390X_aes_128_ctr_CAPABLE 1 /* checked by callee */
-# define S390X_aes_192_ctr_CAPABLE 1
-# define S390X_aes_256_ctr_CAPABLE 1
-
-# define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */
-# define S390X_aes_256_xts_CAPABLE 1
-
-# define S390X_aes_128_gcm_CAPABLE (S390X_aes_128_CAPABLE && \
- (OPENSSL_s390xcap_P.kma[0] & \
- S390X_CAPBIT(S390X_AES_128)))
-# define S390X_aes_192_gcm_CAPABLE (S390X_aes_192_CAPABLE && \
- (OPENSSL_s390xcap_P.kma[0] & \
- S390X_CAPBIT(S390X_AES_192)))
-# define S390X_aes_256_gcm_CAPABLE (S390X_aes_256_CAPABLE && \
- (OPENSSL_s390xcap_P.kma[0] & \
- S390X_CAPBIT(S390X_AES_256)))
-
-# define S390X_aes_128_ccm_CAPABLE (S390X_aes_128_CAPABLE && \
- (OPENSSL_s390xcap_P.kmac[0] & \
- S390X_CAPBIT(S390X_AES_128)))
-# define S390X_aes_192_ccm_CAPABLE (S390X_aes_192_CAPABLE && \
- (OPENSSL_s390xcap_P.kmac[0] & \
- S390X_CAPBIT(S390X_AES_192)))
-# define S390X_aes_256_ccm_CAPABLE (S390X_aes_256_CAPABLE && \
- (OPENSSL_s390xcap_P.kmac[0] & \
- S390X_CAPBIT(S390X_AES_256)))
-# define S390X_CCM_AAD_FLAG 0x40
-
-# ifndef OPENSSL_NO_OCB
-# define S390X_aes_128_ocb_CAPABLE 0
-# define S390X_aes_192_ocb_CAPABLE 0
-# define S390X_aes_256_ocb_CAPABLE 0
-# endif /* OPENSSL_NO_OCB */
-
-# ifndef OPENSSL_NO_SIV
-# define S390X_aes_128_siv_CAPABLE 0
-# define S390X_aes_192_siv_CAPABLE 0
-# define S390X_aes_256_siv_CAPABLE 0
-# endif /* OPENSSL_NO_SIV */
-
-/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
-# define S390X_AES_FC(keylen) (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
-# endif
-
-# if defined(HWAES_CAPABLE)
-int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key);
-int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key);
-void HWAES_encrypt(const unsigned char *in, unsigned char *out,
- const AES_KEY *key);
-void HWAES_decrypt(const unsigned char *in, unsigned char *out,
- const AES_KEY *key);
-void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
- size_t length, const AES_KEY *key,
- unsigned char *ivec, const int enc);
-void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
- size_t len, const AES_KEY *key,
- const unsigned char ivec[16]);
-void HWAES_xts_encrypt(const unsigned char *inp, unsigned char *out,
- size_t len, const AES_KEY *key1,
- const AES_KEY *key2, const unsigned char iv[16]);
-void HWAES_xts_decrypt(const unsigned char *inp, unsigned char *out,
- size_t len, const AES_KEY *key1,
- const AES_KEY *key2, const unsigned char iv[16]);
-# ifndef OPENSSL_NO_OCB
-# ifdef HWAES_ocb_encrypt
-void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const void *key,
- size_t start_block_num,
- unsigned char offset_i[16],
- const unsigned char L_[][16],
- unsigned char checksum[16]);
-# else
-# define HWAES_ocb_encrypt ((ocb128_f)NULL)
-# endif
-# ifdef HWAES_ocb_decrypt
-void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const void *key,
- size_t start_block_num,
- unsigned char offset_i[16],
- const unsigned char L_[][16],
- unsigned char checksum[16]);
-# else
-# define HWAES_ocb_decrypt ((ocb128_f)NULL)
-# endif
-# endif /* OPENSSL_NO_OCB */
-
-# endif /* HWAES_CAPABLE */
-
-#endif /* HEADER_INTERNAL_AES_PLATFORM_H */
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_INTERNAL_CIPHERMODE_PLATFORM_H
+# define HEADER_INTERNAL_CIPHERMODE_PLATFORM_H
+
+# include "openssl/aes.h"
+
+# ifdef VPAES_ASM
+int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
+ AES_KEY *key);
+int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
+ AES_KEY *key);
+void vpaes_encrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
+void vpaes_decrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
+void vpaes_cbc_encrypt(const unsigned char *in,
+ unsigned char *out,
+ size_t length,
+ const AES_KEY *key, unsigned char *ivec, int enc);
+# endif /* VPAES_ASM */
+
+# ifdef BSAES_ASM
+void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
+ size_t length, const AES_KEY *key,
+ unsigned char ivec[16], int enc);
+void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+ size_t len, const AES_KEY *key,
+ const unsigned char ivec[16]);
+void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
+ size_t len, const AES_KEY *key1,
+ const AES_KEY *key2, const unsigned char iv[16]);
+void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
+ size_t len, const AES_KEY *key1,
+ const AES_KEY *key2, const unsigned char iv[16]);
+# endif /* BSAES_ASM */
+
+# ifdef AES_CTR_ASM
+void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const AES_KEY *key,
+ const unsigned char ivec[AES_BLOCK_SIZE]);
+# endif /* AES_CTR_ASM */
+
+# ifdef AES_XTS_ASM
+void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
+ const AES_KEY *key1, const AES_KEY *key2,
+ const unsigned char iv[16]);
+void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
+ const AES_KEY *key1, const AES_KEY *key2,
+ const unsigned char iv[16]);
+# endif /* AES_XTS_ASM */
+
+# if defined(OPENSSL_CPUID_OBJ)
+# if (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
+# include "ppc_arch.h"
+# ifdef VPAES_ASM
+# define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
+# endif
+# define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
+# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
+# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
+# define HWAES_encrypt aes_p8_encrypt
+# define HWAES_decrypt aes_p8_decrypt
+# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
+# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
+# define HWAES_xts_encrypt aes_p8_xts_encrypt
+# define HWAES_xts_decrypt aes_p8_xts_decrypt
+# endif /* PPC */
+
+# if (defined(__arm__) || defined(__arm) || defined(__aarch64__))
+# include "arm_arch.h"
+# if __ARM_MAX_ARCH__>=7
+# if defined(BSAES_ASM)
+# define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
+# endif
+# if defined(VPAES_ASM)
+# define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
+# endif
+# define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
+# define HWAES_set_encrypt_key aes_v8_set_encrypt_key
+# define HWAES_set_decrypt_key aes_v8_set_decrypt_key
+# define HWAES_encrypt aes_v8_encrypt
+# define HWAES_decrypt aes_v8_decrypt
+# define HWAES_cbc_encrypt aes_v8_cbc_encrypt
+# define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
+# endif
+# endif
+# endif /* OPENSSL_CPUID_OBJ */
+
+# if defined(AES_ASM) && !defined(I386_ONLY) && ( \
+ ((defined(__i386) || defined(__i386__) || \
+ defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
+ defined(__x86_64) || defined(__x86_64__) || \
+ defined(_M_AMD64) || defined(_M_X64) )
+
+/* AES-NI section */
+extern unsigned int OPENSSL_ia32cap_P[];
+
+# define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
+# ifdef VPAES_ASM
+# define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
+# endif
+# ifdef BSAES_ASM
+# define BSAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
+# endif
+
+int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
+ AES_KEY *key);
+int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
+ AES_KEY *key);
+
+void aesni_encrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
+void aesni_decrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
+
+void aesni_ecb_encrypt(const unsigned char *in,
+ unsigned char *out,
+ size_t length, const AES_KEY *key, int enc);
+void aesni_cbc_encrypt(const unsigned char *in,
+ unsigned char *out,
+ size_t length,
+ const AES_KEY *key, unsigned char *ivec, int enc);
+# ifndef OPENSSL_NO_OCB
+void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const void *key,
+ size_t start_block_num,
+ unsigned char offset_i[16],
+ const unsigned char L_[][16],
+ unsigned char checksum[16]);
+void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const void *key,
+ size_t start_block_num,
+ unsigned char offset_i[16],
+ const unsigned char L_[][16],
+ unsigned char checksum[16]);
+# endif /* OPENSSL_NO_OCB */
+
+void aesni_ctr32_encrypt_blocks(const unsigned char *in,
+ unsigned char *out,
+ size_t blocks,
+ const void *key, const unsigned char *ivec);
+
+void aesni_xts_encrypt(const unsigned char *in,
+ unsigned char *out,
+ size_t length,
+ const AES_KEY *key1, const AES_KEY *key2,
+ const unsigned char iv[16]);
+
+void aesni_xts_decrypt(const unsigned char *in,
+ unsigned char *out,
+ size_t length,
+ const AES_KEY *key1, const AES_KEY *key2,
+ const unsigned char iv[16]);
+
+void aesni_ccm64_encrypt_blocks(const unsigned char *in,
+ unsigned char *out,
+ size_t blocks,
+ const void *key,
+ const unsigned char ivec[16],
+ unsigned char cmac[16]);
+
+void aesni_ccm64_decrypt_blocks(const unsigned char *in,
+ unsigned char *out,
+ size_t blocks,
+ const void *key,
+ const unsigned char ivec[16],
+ unsigned char cmac[16]);
+
+# if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
+size_t aesni_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len,
+ const void *key, unsigned char ivec[16], u64 *Xi);
+size_t aesni_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len,
+ const void *key, unsigned char ivec[16], u64 *Xi);
+void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in, size_t len);
+
+# define AES_GCM_ASM(ctx) (ctx->ctr == aesni_ctr32_encrypt_blocks && \
+ ctx->gcm.ghash == gcm_ghash_avx)
+# endif
+
+
+# elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
+
+/* Fujitsu SPARC64 X support */
+extern unsigned int OPENSSL_sparcv9cap_P[];
+# include "sparc_arch.h"
+
+# ifndef OPENSSL_NO_CAMELLIA
+# define SPARC_CMLL_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_CAMELLIA)
+
+void cmll_t4_set_key(const unsigned char *key, int bits, CAMELLIA_KEY *ks);
+void cmll_t4_encrypt(const unsigned char *in, unsigned char *out,
+ const CAMELLIA_KEY *key);
+void cmll_t4_decrypt(const unsigned char *in, unsigned char *out,
+ const CAMELLIA_KEY *key);
+
+void cmll128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const CAMELLIA_KEY *key,
+ unsigned char *ivec);
+void cmll128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const CAMELLIA_KEY *key,
+ unsigned char *ivec);
+void cmll256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const CAMELLIA_KEY *key,
+ unsigned char *ivec);
+void cmll256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const CAMELLIA_KEY *key,
+ unsigned char *ivec);
+void cmll128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const CAMELLIA_KEY *key,
+ unsigned char *ivec);
+void cmll256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const CAMELLIA_KEY *key,
+ unsigned char *ivec);
+# endif /* OPENSSL_NO_CAMELLIA */
+
+
+# define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES)
+# define HWAES_CAPABLE (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
+# define HWAES_set_encrypt_key aes_fx_set_encrypt_key
+# define HWAES_set_decrypt_key aes_fx_set_decrypt_key
+# define HWAES_encrypt aes_fx_encrypt
+# define HWAES_decrypt aes_fx_decrypt
+# define HWAES_cbc_encrypt aes_fx_cbc_encrypt
+# define HWAES_ctr32_encrypt_blocks aes_fx_ctr32_encrypt_blocks
+
+void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
+void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
+void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
+void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
+/*
+ * Key-length specific subroutines were chosen for following reason.
+ * Each SPARC T4 core can execute up to 8 threads which share core's
+ * resources. Loading as much key material to registers allows to
+ * minimize references to shared memory interface, as well as amount
+ * of instructions in inner loops [much needed on T4]. But then having
+ * non-key-length specific routines would require conditional branches
+ * either in inner loops or on subroutines' entries. Former is hardly
+ * acceptable, while latter means code size increase to size occupied
+ * by multiple key-length specific subroutines, so why fight?
+ */
+void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const AES_KEY *key,
+ unsigned char *ivec);
+void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const AES_KEY *key,
+ unsigned char *ivec);
+void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const AES_KEY *key,
+ unsigned char *ivec);
+void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const AES_KEY *key,
+ unsigned char *ivec);
+void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const AES_KEY *key,
+ unsigned char *ivec);
+void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const AES_KEY *key,
+ unsigned char *ivec);
+void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const AES_KEY *key,
+ unsigned char *ivec);
+void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const AES_KEY *key,
+ unsigned char *ivec);
+void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const AES_KEY *key,
+ unsigned char *ivec);
+void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const AES_KEY *key1,
+ const AES_KEY *key2, const unsigned char *ivec);
+void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const AES_KEY *key1,
+ const AES_KEY *key2, const unsigned char *ivec);
+void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const AES_KEY *key1,
+ const AES_KEY *key2, const unsigned char *ivec);
+void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const AES_KEY *key1,
+ const AES_KEY *key2, const unsigned char *ivec);
+
+# elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+/* IBM S390X support */
+# include "s390x_arch.h"
+
+
+/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
+# define S390X_AES_FC(keylen) (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
+
+/* Most modes of operation need km for partial block processing. */
+# define S390X_aes_128_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
+ S390X_CAPBIT(S390X_AES_128))
+# define S390X_aes_192_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
+ S390X_CAPBIT(S390X_AES_192))
+# define S390X_aes_256_CAPABLE (OPENSSL_s390xcap_P.km[0] & \
+ S390X_CAPBIT(S390X_AES_256))
+
+# define S390X_aes_128_cbc_CAPABLE 1 /* checked by callee */
+# define S390X_aes_192_cbc_CAPABLE 1
+# define S390X_aes_256_cbc_CAPABLE 1
+
+# define S390X_aes_128_ecb_CAPABLE S390X_aes_128_CAPABLE
+# define S390X_aes_192_ecb_CAPABLE S390X_aes_192_CAPABLE
+# define S390X_aes_256_ecb_CAPABLE S390X_aes_256_CAPABLE
+
+# define S390X_aes_128_ofb_CAPABLE (S390X_aes_128_CAPABLE && \
+ (OPENSSL_s390xcap_P.kmo[0] & \
+ S390X_CAPBIT(S390X_AES_128)))
+# define S390X_aes_192_ofb_CAPABLE (S390X_aes_192_CAPABLE && \
+ (OPENSSL_s390xcap_P.kmo[0] & \
+ S390X_CAPBIT(S390X_AES_192)))
+# define S390X_aes_256_ofb_CAPABLE (S390X_aes_256_CAPABLE && \
+ (OPENSSL_s390xcap_P.kmo[0] & \
+ S390X_CAPBIT(S390X_AES_256)))
+
+# define S390X_aes_128_cfb_CAPABLE (S390X_aes_128_CAPABLE && \
+ (OPENSSL_s390xcap_P.kmf[0] & \
+ S390X_CAPBIT(S390X_AES_128)))
+# define S390X_aes_192_cfb_CAPABLE (S390X_aes_192_CAPABLE && \
+ (OPENSSL_s390xcap_P.kmf[0] & \
+ S390X_CAPBIT(S390X_AES_192)))
+# define S390X_aes_256_cfb_CAPABLE (S390X_aes_256_CAPABLE && \
+ (OPENSSL_s390xcap_P.kmf[0] & \
+ S390X_CAPBIT(S390X_AES_256)))
+# define S390X_aes_128_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
+ S390X_CAPBIT(S390X_AES_128))
+# define S390X_aes_192_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
+ S390X_CAPBIT(S390X_AES_192))
+# define S390X_aes_256_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] & \
+ S390X_CAPBIT(S390X_AES_256))
+# define S390X_aes_128_cfb1_CAPABLE 0
+# define S390X_aes_192_cfb1_CAPABLE 0
+# define S390X_aes_256_cfb1_CAPABLE 0
+
+# define S390X_aes_128_ctr_CAPABLE 1 /* checked by callee */
+# define S390X_aes_192_ctr_CAPABLE 1
+# define S390X_aes_256_ctr_CAPABLE 1
+
+# define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */
+# define S390X_aes_256_xts_CAPABLE 1
+
+# define S390X_aes_128_gcm_CAPABLE (S390X_aes_128_CAPABLE && \
+ (OPENSSL_s390xcap_P.kma[0] & \
+ S390X_CAPBIT(S390X_AES_128)))
+# define S390X_aes_192_gcm_CAPABLE (S390X_aes_192_CAPABLE && \
+ (OPENSSL_s390xcap_P.kma[0] & \
+ S390X_CAPBIT(S390X_AES_192)))
+# define S390X_aes_256_gcm_CAPABLE (S390X_aes_256_CAPABLE && \
+ (OPENSSL_s390xcap_P.kma[0] & \
+ S390X_CAPBIT(S390X_AES_256)))
+
+# define S390X_aes_128_ccm_CAPABLE (S390X_aes_128_CAPABLE && \
+ (OPENSSL_s390xcap_P.kmac[0] & \
+ S390X_CAPBIT(S390X_AES_128)))
+# define S390X_aes_192_ccm_CAPABLE (S390X_aes_192_CAPABLE && \
+ (OPENSSL_s390xcap_P.kmac[0] & \
+ S390X_CAPBIT(S390X_AES_192)))
+# define S390X_aes_256_ccm_CAPABLE (S390X_aes_256_CAPABLE && \
+ (OPENSSL_s390xcap_P.kmac[0] & \
+ S390X_CAPBIT(S390X_AES_256)))
+# define S390X_CCM_AAD_FLAG 0x40
+
+# ifndef OPENSSL_NO_OCB
+# define S390X_aes_128_ocb_CAPABLE 0
+# define S390X_aes_192_ocb_CAPABLE 0
+# define S390X_aes_256_ocb_CAPABLE 0
+# endif /* OPENSSL_NO_OCB */
+
+# ifndef OPENSSL_NO_SIV
+# define S390X_aes_128_siv_CAPABLE 0
+# define S390X_aes_192_siv_CAPABLE 0
+# define S390X_aes_256_siv_CAPABLE 0
+# endif /* OPENSSL_NO_SIV */
+
+/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
+# define S390X_AES_FC(keylen) (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
+# endif
+
+# if defined(HWAES_CAPABLE)
+int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key);
+int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key);
+void HWAES_encrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
+void HWAES_decrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
+void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+ size_t length, const AES_KEY *key,
+ unsigned char *ivec, const int enc);
+void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+ size_t len, const AES_KEY *key,
+ const unsigned char ivec[16]);
+void HWAES_xts_encrypt(const unsigned char *inp, unsigned char *out,
+ size_t len, const AES_KEY *key1,
+ const AES_KEY *key2, const unsigned char iv[16]);
+void HWAES_xts_decrypt(const unsigned char *inp, unsigned char *out,
+ size_t len, const AES_KEY *key1,
+ const AES_KEY *key2, const unsigned char iv[16]);
+# ifndef OPENSSL_NO_OCB
+# ifdef HWAES_ocb_encrypt
+void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const void *key,
+ size_t start_block_num,
+ unsigned char offset_i[16],
+ const unsigned char L_[][16],
+ unsigned char checksum[16]);
+# else
+# define HWAES_ocb_encrypt ((ocb128_f)NULL)
+# endif
+# ifdef HWAES_ocb_decrypt
+void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const void *key,
+ size_t start_block_num,
+ unsigned char offset_i[16],
+ const unsigned char L_[][16],
+ unsigned char checksum[16]);
+# else
+# define HWAES_ocb_decrypt ((ocb128_f)NULL)
+# endif
+# endif /* OPENSSL_NO_OCB */
+
+# endif /* HWAES_CAPABLE */
+
+#endif /* HEADER_INTERNAL_CIPHERMODE_PLATFORM_H */
+++ /dev/null
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <string.h>
-#include <openssl/crypto.h>
-#include <openssl/core_numbers.h>
-#include <openssl/core_names.h>
-#include <openssl/evp.h>
-#include <openssl/params.h>
-#include <openssl/rand.h>
-#include "internal/cryptlib.h"
-#include "internal/provider_algs.h"
-#include "ciphers_locl.h"
-#include "internal/providercommonerr.h"
-
-static OSSL_OP_cipher_encrypt_init_fn aes_einit;
-static OSSL_OP_cipher_decrypt_init_fn aes_dinit;
-static OSSL_OP_cipher_update_fn aes_block_update;
-static OSSL_OP_cipher_final_fn aes_block_final;
-static OSSL_OP_cipher_update_fn aes_stream_update;
-static OSSL_OP_cipher_final_fn aes_stream_final;
-static OSSL_OP_cipher_cipher_fn aes_cipher;
-static OSSL_OP_cipher_freectx_fn aes_freectx;
-static OSSL_OP_cipher_dupctx_fn aes_dupctx;
-static OSSL_OP_cipher_get_ctx_params_fn aes_get_ctx_params;
-static OSSL_OP_cipher_set_ctx_params_fn aes_set_ctx_params;
-
-static int PROV_AES_KEY_generic_init(PROV_AES_KEY *ctx,
- const unsigned char *iv,
- size_t ivlen,
- int enc)
-{
- if (iv != NULL && ctx->mode != EVP_CIPH_ECB_MODE) {
- if (ivlen != AES_BLOCK_SIZE) {
- ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
- }
- ctx->enc = enc;
-
- return 1;
-}
-
-static int aes_einit(void *vctx, const unsigned char *key, size_t keylen,
- const unsigned char *iv, size_t ivlen)
-{
- PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
- if (!PROV_AES_KEY_generic_init(ctx, iv, ivlen, 1)) {
- /* ERR_raise already called */
- return 0;
- }
- if (key != NULL) {
- if (keylen != ctx->keylen) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
- return 0;
- }
- return ctx->ciph->init(ctx, key, ctx->keylen);
- }
-
- return 1;
-}
-
-static int aes_dinit(void *vctx, const unsigned char *key, size_t keylen,
- const unsigned char *iv, size_t ivlen)
-{
- PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
- if (!PROV_AES_KEY_generic_init(ctx, iv, ivlen, 0)) {
- /* ERR_raise already called */
- return 0;
- }
- if (key != NULL) {
- if (keylen != ctx->keylen) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
- return 0;
- }
- return ctx->ciph->init(ctx, key, ctx->keylen);
- }
-
- return 1;
-}
-
-static int aes_block_update(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize, const unsigned char *in, size_t inl)
-{
- PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
- size_t nextblocks = fillblock(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE, &in,
- &inl);
- size_t outlint = 0;
-
- /*
- * If we're decrypting and we end an update on a block boundary we hold
- * the last block back in case this is the last update call and the last
- * block is padded.
- */
- if (ctx->bufsz == AES_BLOCK_SIZE
- && (ctx->enc || inl > 0 || !ctx->pad)) {
- if (outsize < AES_BLOCK_SIZE) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
- }
- if (!ctx->ciph->cipher(ctx, out, ctx->buf, AES_BLOCK_SIZE)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
- return 0;
- }
- ctx->bufsz = 0;
- outlint = AES_BLOCK_SIZE;
- out += AES_BLOCK_SIZE;
- }
- if (nextblocks > 0) {
- if (!ctx->enc && ctx->pad && nextblocks == inl) {
- if (!ossl_assert(inl >= AES_BLOCK_SIZE)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
- }
- nextblocks -= AES_BLOCK_SIZE;
- }
- outlint += nextblocks;
- if (outsize < outlint) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
- }
- if (!ctx->ciph->cipher(ctx, out, in, nextblocks)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
- return 0;
- }
- in += nextblocks;
- inl -= nextblocks;
- }
- if (!trailingdata(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE, &in, &inl)) {
- /* ERR_raise already called */
- return 0;
- }
-
- *outl = outlint;
- return inl == 0;
-}
-
-static int aes_block_final(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize)
-{
- PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
- if (ctx->enc) {
- if (ctx->pad) {
- padblock(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE);
- } else if (ctx->bufsz == 0) {
- *outl = 0;
- return 1;
- } else if (ctx->bufsz != AES_BLOCK_SIZE) {
- ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
- return 0;
- }
-
- if (outsize < AES_BLOCK_SIZE) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
- }
- if (!ctx->ciph->cipher(ctx, out, ctx->buf, AES_BLOCK_SIZE)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
- return 0;
- }
- ctx->bufsz = 0;
- *outl = AES_BLOCK_SIZE;
- return 1;
- }
-
- /* Decrypting */
- if (ctx->bufsz != AES_BLOCK_SIZE) {
- if (ctx->bufsz == 0 && !ctx->pad) {
- *outl = 0;
- return 1;
- }
- ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
- return 0;
- }
-
- if (!ctx->ciph->cipher(ctx, ctx->buf, ctx->buf, AES_BLOCK_SIZE)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
- return 0;
- }
-
- if (ctx->pad && !unpadblock(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE)) {
- /* ERR_raise already called */
- return 0;
- }
-
- if (outsize < ctx->bufsz) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
- }
- memcpy(out, ctx->buf, ctx->bufsz);
- *outl = ctx->bufsz;
- ctx->bufsz = 0;
- return 1;
-}
-
-static int aes_stream_update(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize, const unsigned char *in,
- size_t inl)
-{
- PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
- if (outsize < inl) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
- }
-
- if (!ctx->ciph->cipher(ctx, out, in, inl)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
- return 0;
- }
-
- *outl = inl;
- return 1;
-}
-static int aes_stream_final(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize)
-{
- *outl = 0;
- return 1;
-}
-
-static int aes_cipher(void *vctx,
- unsigned char *out, size_t *outl, size_t outsize,
- const unsigned char *in, size_t inl)
-{
- PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
- if (outsize < inl) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
- }
-
- if (!ctx->ciph->cipher(ctx, out, in, inl)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
- return 0;
- }
-
- *outl = inl;
- return 1;
-}
-
-static void *aes_new_ctx(void *provctx, size_t mode, size_t kbits,
- const PROV_AES_CIPHER *ciph)
-{
- PROV_AES_KEY *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
- ctx->pad = 1;
- ctx->keylen = kbits / 8;
- ctx->ciph = ciph;
- ctx->mode = mode;
- return ctx;
-}
-
-static void aes_freectx(void *vctx)
-{
- PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
- OPENSSL_clear_free(ctx, sizeof(*ctx));
-}
-
-static void *aes_dupctx(void *ctx)
-{
- PROV_AES_KEY *in = (PROV_AES_KEY *)ctx;
- PROV_AES_KEY *ret = OPENSSL_malloc(sizeof(*ret));
-
- if (ret == NULL) {
- ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- *ret = *in;
-
- return ret;
-}
-
-static int aes_get_ctx_params(void *vctx, OSSL_PARAM params[])
-{
- PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
- OSSL_PARAM *p;
-
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
- if (p != NULL && !OSSL_PARAM_set_int(p, AES_BLOCK_SIZE)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_PADDING);
- if (p != NULL && !OSSL_PARAM_set_int(p, ctx->pad)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
- if (p != NULL
- && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, AES_BLOCK_SIZE)
- && !OSSL_PARAM_set_octet_string(p, &ctx->iv, AES_BLOCK_SIZE)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_NUM);
- if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->num)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
- if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
-
- return 1;
-}
-
-static int aes_set_ctx_params(void *vctx, const OSSL_PARAM params[])
-{
- PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
- const OSSL_PARAM *p;
-
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_PADDING);
- if (p != NULL) {
- int pad;
-
- if (!OSSL_PARAM_get_int(p, &pad)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- ctx->pad = pad ? 1 : 0;
- }
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_NUM);
- if (p != NULL) {
- int num;
-
- if (!OSSL_PARAM_get_int(p, &num)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- ctx->num = num;
- }
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
- if (p != NULL) {
- int keylen;
-
- if (!OSSL_PARAM_get_int(p, &keylen)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- ctx->keylen = keylen;
- }
- return 1;
-}
-
-#define IMPLEMENT_cipher(lcmode, UCMODE, flags, kbits, blkbits, ivbits) \
- static OSSL_OP_cipher_get_params_fn aes_##kbits##_##lcmode##_get_params; \
- static int aes_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \
- { \
- return cipher_default_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
- flags, kbits, blkbits, ivbits); \
- } \
- static OSSL_OP_cipher_newctx_fn aes_##kbits##_##lcmode##_newctx; \
- static void *aes_##kbits##_##lcmode##_newctx(void *provctx) \
- { \
- return aes_new_ctx(provctx, EVP_CIPH_##UCMODE##_MODE, kbits, \
- PROV_AES_CIPHER_##lcmode(kbits / 8)); \
- }
-
-/* ECB */
-IMPLEMENT_cipher(ecb, ECB, 0, 256, 128, 0)
-IMPLEMENT_cipher(ecb, ECB, 0, 192, 128, 0)
-IMPLEMENT_cipher(ecb, ECB, 0, 128, 128, 0)
-
-/* CBC */
-IMPLEMENT_cipher(cbc, CBC, 0, 256, 128, 128)
-IMPLEMENT_cipher(cbc, CBC, 0, 192, 128, 128)
-IMPLEMENT_cipher(cbc, CBC, 0, 128, 128, 128)
-
-/* OFB */
-IMPLEMENT_cipher(ofb, OFB, 0, 256, 8, 128)
-IMPLEMENT_cipher(ofb, OFB, 0, 192, 8, 128)
-IMPLEMENT_cipher(ofb, OFB, 0, 128, 8, 128)
-
-/* CFB */
-IMPLEMENT_cipher(cfb, CFB, 0, 256, 8, 128)
-IMPLEMENT_cipher(cfb, CFB, 0, 192, 8, 128)
-IMPLEMENT_cipher(cfb, CFB, 0, 128, 8, 128)
-IMPLEMENT_cipher(cfb1, CFB, 0, 256, 8, 128)
-IMPLEMENT_cipher(cfb1, CFB, 0, 192, 8, 128)
-IMPLEMENT_cipher(cfb1, CFB, 0, 128, 8, 128)
-IMPLEMENT_cipher(cfb8, CFB, 0, 256, 8, 128)
-IMPLEMENT_cipher(cfb8, CFB, 0, 192, 8, 128)
-IMPLEMENT_cipher(cfb8, CFB, 0, 128, 8, 128)
-
-/* CTR */
-IMPLEMENT_cipher(ctr, CTR, 0, 256, 8, 128)
-IMPLEMENT_cipher(ctr, CTR, 0, 192, 8, 128)
-IMPLEMENT_cipher(ctr, CTR, 0, 128, 8, 128)
-
-#define IMPLEMENT_funcs(mode, kbits, type) \
-const OSSL_DISPATCH aes##kbits##mode##_functions[] = { \
- { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))aes_##kbits##_##mode##_newctx },\
- { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_einit }, \
- { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_dinit }, \
- { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##type##_update }, \
- { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##type##_final }, \
- { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_cipher }, \
- { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_freectx }, \
- { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_dupctx }, \
- { OSSL_FUNC_CIPHER_GET_PARAMS, \
- (void (*)(void))aes_##kbits##_##mode##_get_params }, \
- { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
- (void (*)(void))aes_get_ctx_params }, \
- { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
- (void (*)(void))aes_set_ctx_params }, \
- { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
- (void (*)(void))cipher_default_gettable_params }, \
- { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
- (void (*)(void))cipher_default_gettable_ctx_params }, \
- { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
- (void (*)(void))cipher_default_settable_ctx_params }, \
- { 0, NULL } \
-};
-
-/* ECB */
-IMPLEMENT_funcs(ecb, 256, block)
-IMPLEMENT_funcs(ecb, 192, block)
-IMPLEMENT_funcs(ecb, 128, block)
-
-/* CBC */
-IMPLEMENT_funcs(cbc, 256, block)
-IMPLEMENT_funcs(cbc, 192, block)
-IMPLEMENT_funcs(cbc, 128, block)
-
-/* OFB */
-IMPLEMENT_funcs(ofb, 256, stream)
-IMPLEMENT_funcs(ofb, 192, stream)
-IMPLEMENT_funcs(ofb, 128, stream)
-
-/* CFB */
-IMPLEMENT_funcs(cfb, 256, stream)
-IMPLEMENT_funcs(cfb, 192, stream)
-IMPLEMENT_funcs(cfb, 128, stream)
-IMPLEMENT_funcs(cfb1, 256, stream)
-IMPLEMENT_funcs(cfb1, 192, stream)
-IMPLEMENT_funcs(cfb1, 128, stream)
-IMPLEMENT_funcs(cfb8, 256, stream)
-IMPLEMENT_funcs(cfb8, 192, stream)
-IMPLEMENT_funcs(cfb8, 128, stream)
-
-/* CTR */
-IMPLEMENT_funcs(ctr, 256, stream)
-IMPLEMENT_funcs(ctr, 192, stream)
-IMPLEMENT_funcs(ctr, 128, stream)
+++ /dev/null
-/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-#include <string.h>
-#include <assert.h>
-#include <openssl/opensslconf.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/aes.h>
-#include <openssl/rand.h>
-#include <openssl/cmac.h>
-#include "ciphers_locl.h"
-#include "internal/evp_int.h"
-#include "internal/providercommonerr.h"
-#include "internal/aes_platform.h"
-
-#define MAXBITCHUNK ((size_t)1 << (sizeof(size_t) * 8 - 4))
-
-#if defined(AESNI_CAPABLE)
-
-/* AES-NI section. */
-
-static int aesni_init_key(PROV_AES_KEY *dat, const unsigned char *key,
- size_t keylen)
-{
- int ret;
-
- if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
- && !dat->enc) {
- ret = aesni_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
- dat->block = (block128_f) aesni_decrypt;
- dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
- (cbc128_f) aesni_cbc_encrypt : NULL;
- } else {
- ret = aesni_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
- dat->block = (block128_f) aesni_encrypt;
- if (dat->mode == EVP_CIPH_CBC_MODE)
- dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
- else if (dat->mode == EVP_CIPH_CTR_MODE)
- dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
- else
- dat->stream.cbc = NULL;
- }
-
- if (ret < 0) {
- ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
- return 0;
- }
-
- return 1;
-}
-
-static int aesni_cbc_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- aesni_cbc_encrypt(in, out, len, &ctx->ks.ks, ctx->iv, ctx->enc);
-
- return 1;
-}
-
-static int aesni_ecb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- if (len < AES_BLOCK_SIZE)
- return 1;
-
- aesni_ecb_encrypt(in, out, len, &ctx->ks.ks, ctx->enc);
-
- return 1;
-}
-
-# define aesni_ofb_cipher aes_ofb_cipher
-static int aesni_ofb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define aesni_cfb_cipher aes_cfb_cipher
-static int aesni_cfb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define aesni_cfb8_cipher aes_cfb8_cipher
-static int aesni_cfb8_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define aesni_cfb1_cipher aes_cfb1_cipher
-static int aesni_cfb1_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define aesni_ctr_cipher aes_ctr_cipher
-static int aesni_ctr_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define BLOCK_CIPHER_generic_prov(mode) \
-static const PROV_AES_CIPHER aesni_##mode = { \
- aesni_init_key, \
- aesni_##mode##_cipher}; \
-static const PROV_AES_CIPHER aes_##mode = { \
- aes_init_key, \
- aes_##mode##_cipher}; \
-const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
-{ return AESNI_CAPABLE?&aesni_##mode:&aes_##mode; }
-
-
-#elif defined(SPARC_AES_CAPABLE)
-
-static int aes_t4_init_key(PROV_AES_KEY *dat, const unsigned char *key,
- size_t keylen)
-{
- int ret, bits;
-
- bits = keylen * 8;
- if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
- && !dat->enc) {
- ret = 0;
- aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
- dat->block = (block128_f) aes_t4_decrypt;
- switch (bits) {
- case 128:
- dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
- (cbc128_f) aes128_t4_cbc_decrypt : NULL;
- break;
- case 192:
- dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
- (cbc128_f) aes192_t4_cbc_decrypt : NULL;
- break;
- case 256:
- dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
- (cbc128_f) aes256_t4_cbc_decrypt : NULL;
- break;
- default:
- ret = -1;
- }
- } else {
- ret = 0;
- aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
- dat->block = (block128_f)aes_t4_encrypt;
- switch (bits) {
- case 128:
- if (dat->mode == EVP_CIPH_CBC_MODE)
- dat->stream.cbc = (cbc128_f)aes128_t4_cbc_encrypt;
- else if (dat->mode == EVP_CIPH_CTR_MODE)
- dat->stream.ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
- else
- dat->stream.cbc = NULL;
- break;
- case 192:
- if (dat->mode == EVP_CIPH_CBC_MODE)
- dat->stream.cbc = (cbc128_f)aes192_t4_cbc_encrypt;
- else if (dat->mode == EVP_CIPH_CTR_MODE)
- dat->stream.ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
- else
- dat->stream.cbc = NULL;
- break;
- case 256:
- if (dat->mode == EVP_CIPH_CBC_MODE)
- dat->stream.cbc = (cbc128_f)aes256_t4_cbc_encrypt;
- else if (dat->mode == EVP_CIPH_CTR_MODE)
- dat->stream.ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
- else
- dat->stream.cbc = NULL;
- break;
- default:
- ret = -1;
- }
- }
-
- if (ret < 0) {
- ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
- return 0;
- }
-
- return 1;
-}
-
-# define aes_t4_cbc_cipher aes_cbc_cipher
-static int aes_t4_cbc_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define aes_t4_ecb_cipher aes_ecb_cipher
-static int aes_t4_ecb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define aes_t4_ofb_cipher aes_ofb_cipher
-static int aes_t4_ofb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define aes_t4_cfb_cipher aes_cfb_cipher
-static int aes_t4_cfb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define aes_t4_cfb8_cipher aes_cfb8_cipher
-static int aes_t4_cfb8_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define aes_t4_cfb1_cipher aes_cfb1_cipher
-static int aes_t4_cfb1_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define aes_t4_ctr_cipher aes_ctr_cipher
-static int aes_t4_ctr_cipher(PROV_AES_KEY *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define BLOCK_CIPHER_generic_prov(mode) \
-static const PROV_AES_CIPHER aes_t4_##mode = { \
- aes_t4_init_key, \
- aes_t4_##mode##_cipher}; \
-static const PROV_AES_CIPHER aes_##mode = { \
- aes_init_key, \
- aes_##mode##_cipher}; \
-const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
-{ return SPARC_AES_CAPABLE?&aes_t4_##mode:&aes_##mode; }
-
-
-#elif defined(S390X_aes_128_CAPABLE)
-/*
- * IBM S390X support
- */
-# include "s390x_arch.h"
-
-# define s390x_aes_init_key aes_init_key
-static int s390x_aes_init_key(PROV_AES_KEY *dat, const unsigned char *key,
- size_t keylen);
-# define S390X_AES_CBC_CTX PROV_AES_KEY
-
-# define s390x_aes_cbc_init_key aes_init_key
-
-# define s390x_aes_cbc_cipher aes_cbc_cipher
-static int s390x_aes_cbc_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len);
-
-static int s390x_aes_ecb_init_key(PROV_AES_KEY *dat, const unsigned char *key,
- size_t keylen)
-{
- dat->plat.s390x.fc = S390X_AES_FC(keylen);
- if (!dat->enc)
- dat->plat.s390x.fc |= S390X_DECRYPT;
-
- memcpy(dat->plat.s390x.param.km.k, key, keylen);
- return 1;
-}
-
-static int s390x_aes_ecb_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- s390x_km(in, len, out, dat->plat.s390x.fc,
- &dat->plat.s390x.param.km);
- return 1;
-}
-
-static int s390x_aes_ofb_init_key(PROV_AES_KEY *dat, const unsigned char *key,
- size_t keylen)
-{
- memcpy(dat->plat.s390x.param.kmo_kmf.cv, dat->iv, AES_BLOCK_SIZE);
- memcpy(dat->plat.s390x.param.kmo_kmf.k, key, keylen);
- dat->plat.s390x.fc = S390X_AES_FC(keylen);
- dat->plat.s390x.res = 0;
- return 1;
-}
-
-static int s390x_aes_ofb_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- int n = dat->plat.s390x.res;
- int rem;
-
- while (n && len) {
- *out = *in ^ dat->plat.s390x.param.kmo_kmf.cv[n];
- n = (n + 1) & 0xf;
- --len;
- ++in;
- ++out;
- }
-
- rem = len & 0xf;
-
- len &= ~(size_t)0xf;
- if (len) {
- s390x_kmo(in, len, out, dat->plat.s390x.fc,
- &dat->plat.s390x.param.kmo_kmf);
-
- out += len;
- in += len;
- }
-
- if (rem) {
- s390x_km(dat->plat.s390x.param.kmo_kmf.cv, 16,
- dat->plat.s390x.param.kmo_kmf.cv, dat->plat.s390x.fc,
- dat->plat.s390x.param.kmo_kmf.k);
-
- while (rem--) {
- out[n] = in[n] ^ dat->plat.s390x.param.kmo_kmf.cv[n];
- ++n;
- }
- }
-
- dat->plat.s390x.res = n;
- return 1;
-}
-
-static int s390x_aes_cfb_init_key(PROV_AES_KEY *dat, const unsigned char *key,
- size_t keylen)
-{
- dat->plat.s390x.fc = S390X_AES_FC(keylen);
- dat->plat.s390x.fc |= 16 << 24; /* 16 bytes cipher feedback */
- if (!dat->enc)
- dat->plat.s390x.fc |= S390X_DECRYPT;
-
- dat->plat.s390x.res = 0;
- memcpy(dat->plat.s390x.param.kmo_kmf.cv, dat->iv, AES_BLOCK_SIZE);
- memcpy(dat->plat.s390x.param.kmo_kmf.k, key, keylen);
- return 1;
-}
-
-static int s390x_aes_cfb_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- int n = dat->plat.s390x.res;
- int rem;
- unsigned char tmp;
-
- while (n && len) {
- tmp = *in;
- *out = dat->plat.s390x.param.kmo_kmf.cv[n] ^ tmp;
- dat->plat.s390x.param.kmo_kmf.cv[n] = dat->enc ? *out : tmp;
- n = (n + 1) & 0xf;
- --len;
- ++in;
- ++out;
- }
-
- rem = len & 0xf;
-
- len &= ~(size_t)0xf;
- if (len) {
- s390x_kmf(in, len, out, dat->plat.s390x.fc,
- &dat->plat.s390x.param.kmo_kmf);
-
- out += len;
- in += len;
- }
-
- if (rem) {
- s390x_km(dat->plat.s390x.param.kmo_kmf.cv, 16,
- dat->plat.s390x.param.kmo_kmf.cv,
- S390X_AES_FC(dat->keylen), dat->plat.s390x.param.kmo_kmf.k);
-
- while (rem--) {
- tmp = in[n];
- out[n] = dat->plat.s390x.param.kmo_kmf.cv[n] ^ tmp;
- dat->plat.s390x.param.kmo_kmf.cv[n] = dat->enc ? out[n] : tmp;
- ++n;
- }
- }
-
- dat->plat.s390x.res = n;
- return 1;
-}
-
-static int s390x_aes_cfb8_init_key(PROV_AES_KEY *dat, const unsigned char *key,
- size_t keylen)
-{
- dat->plat.s390x.fc = S390X_AES_FC(keylen);
- dat->plat.s390x.fc |= 1 << 24; /* 1 byte cipher feedback */
- if (!dat->enc)
- dat->plat.s390x.fc |= S390X_DECRYPT;
-
- memcpy(dat->plat.s390x.param.kmo_kmf.cv, dat->iv, AES_BLOCK_SIZE);
- memcpy(dat->plat.s390x.param.kmo_kmf.k, key, keylen);
- return 1;
-}
-
-static int s390x_aes_cfb8_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- s390x_kmf(in, len, out, dat->plat.s390x.fc,
- &dat->plat.s390x.param.kmo_kmf);
- return 1;
-}
-
-# define s390x_aes_cfb1_init_key aes_init_key
-
-# define s390x_aes_cfb1_cipher aes_cfb1_cipher
-static int s390x_aes_cfb1_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len);
-# define S390X_AES_CTR_CTX PROV_AES_KEY
-
-# define s390x_aes_ctr_init_key aes_init_key
-
-# define s390x_aes_ctr_cipher aes_ctr_cipher
-static int s390x_aes_ctr_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len);
-
-# define BLOCK_CIPHER_generic_prov(mode) \
-static const PROV_AES_CIPHER s390x_aes_##mode = { \
- s390x_aes_##mode##_init_key, \
- s390x_aes_##mode##_cipher \
-}; \
-static const PROV_AES_CIPHER aes_##mode = { \
- aes_init_key, \
- aes_##mode##_cipher \
-}; \
-const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
-{ \
- if ((keylen == 16 && S390X_aes_128_##mode##_CAPABLE) \
- || (keylen == 24 && S390X_aes_192_##mode##_CAPABLE) \
- || (keylen == 32 && S390X_aes_256_##mode##_CAPABLE)) \
- return &s390x_aes_##mode; \
- \
- return &aes_##mode; \
-}
-
-#else
-/* The generic case */
-# define BLOCK_CIPHER_generic_prov(mode) \
-static const PROV_AES_CIPHER aes_##mode = { \
- aes_init_key, \
- aes_##mode##_cipher}; \
-const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
-{ return &aes_##mode; }
-
-#endif
-
-static int aes_init_key(PROV_AES_KEY *dat, const unsigned char *key,
- size_t keylen)
-{
- int ret;
-
- if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
- && !dat->enc) {
-#ifdef HWAES_CAPABLE
- if (HWAES_CAPABLE) {
- ret = HWAES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
- dat->block = (block128_f)HWAES_decrypt;
- dat->stream.cbc = NULL;
-# ifdef HWAES_cbc_encrypt
- if (dat->mode == EVP_CIPH_CBC_MODE)
- dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
-# endif
- } else
-#endif
-#ifdef BSAES_CAPABLE
- if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CBC_MODE) {
- ret = AES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
- dat->block = (block128_f)AES_decrypt;
- dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
- } else
-#endif
-#ifdef VPAES_CAPABLE
- if (VPAES_CAPABLE) {
- ret = vpaes_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
- dat->block = (block128_f)vpaes_decrypt;
- dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
- ?(cbc128_f)vpaes_cbc_encrypt : NULL;
- } else
-#endif
- {
- ret = AES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
- dat->block = (block128_f)AES_decrypt;
- dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
- ? (cbc128_f)AES_cbc_encrypt : NULL;
- }
- } else
-#ifdef HWAES_CAPABLE
- if (HWAES_CAPABLE) {
- ret = HWAES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
- dat->block = (block128_f)HWAES_encrypt;
- dat->stream.cbc = NULL;
-# ifdef HWAES_cbc_encrypt
- if (dat->mode == EVP_CIPH_CBC_MODE)
- dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
- else
-# endif
-# ifdef HWAES_ctr32_encrypt_blocks
- if (dat->mode == EVP_CIPH_CTR_MODE)
- dat->stream.ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks;
- else
-# endif
- (void)0; /* terminate potentially open 'else' */
- } else
-#endif
-#ifdef BSAES_CAPABLE
- if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CTR_MODE) {
- ret = AES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
- dat->block = (block128_f)AES_encrypt;
- dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
- } else
-#endif
-#ifdef VPAES_CAPABLE
- if (VPAES_CAPABLE) {
- ret = vpaes_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
- dat->block = (block128_f)vpaes_encrypt;
- dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
- ? (cbc128_f)vpaes_cbc_encrypt : NULL;
- } else
-#endif
- {
- ret = AES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
- dat->block = (block128_f)AES_encrypt;
- dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
- ? (cbc128_f)AES_cbc_encrypt : NULL;
-#ifdef AES_CTR_ASM
- if (dat->mode == EVP_CIPH_CTR_MODE)
- dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
-#endif
- }
-
- if (ret < 0) {
- ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
- return 0;
- }
-
- return 1;
-}
-
-static int aes_cbc_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- if (dat->stream.cbc)
- (*dat->stream.cbc) (in, out, len, &dat->ks, dat->iv, dat->enc);
- else if (dat->enc)
- CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, dat->iv, dat->block);
- else
- CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, dat->iv, dat->block);
-
- return 1;
-}
-
-static int aes_ecb_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- size_t i;
-
- if (len < AES_BLOCK_SIZE)
- return 1;
-
- for (i = 0, len -= AES_BLOCK_SIZE; i <= len; i += AES_BLOCK_SIZE)
- (*dat->block) (in + i, out + i, &dat->ks);
-
- return 1;
-}
-
-static int aes_ofb_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- int num = dat->num;
- CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->block);
- dat->num = num;
-
- return 1;
-}
-
-static int aes_cfb_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- int num = dat->num;
- CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->enc,
- dat->block);
- dat->num = num;
-
- return 1;
-}
-
-static int aes_cfb8_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- int num = dat->num;
- CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->enc,
- dat->block);
- dat->num = num;
-
- return 1;
-}
-
-static int aes_cfb1_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- int num = dat->num;
-
- if ((dat->flags & EVP_CIPH_FLAG_LENGTH_BITS) != 0) {
- CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, dat->iv, &num,
- dat->enc, dat->block);
- dat->num = num;
- return 1;
- }
-
- while (len >= MAXBITCHUNK) {
- CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
- dat->iv, &num, dat->enc, dat->block);
- len -= MAXBITCHUNK;
- out += MAXBITCHUNK;
- in += MAXBITCHUNK;
- }
- if (len)
- CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks, dat->iv, &num,
- dat->enc, dat->block);
-
- dat->num = num;
-
- return 1;
-}
-
-static int aes_ctr_cipher(PROV_AES_KEY *dat, unsigned char *out,
- const unsigned char *in, size_t len)
-{
- unsigned int num = dat->num;
-
- if (dat->stream.ctr)
- CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, dat->iv, dat->buf,
- &num, dat->stream.ctr);
- else
- CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, dat->iv, dat->buf,
- &num, dat->block);
- dat->num = num;
-
- return 1;
-}
-
-BLOCK_CIPHER_generic_prov(cbc)
-BLOCK_CIPHER_generic_prov(ecb)
-BLOCK_CIPHER_generic_prov(ofb)
-BLOCK_CIPHER_generic_prov(cfb)
-BLOCK_CIPHER_generic_prov(cfb1)
-BLOCK_CIPHER_generic_prov(cfb8)
-BLOCK_CIPHER_generic_prov(ctr)
-
+++ /dev/null
-/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#define S390X_CCM_AAD_FLAG 0x40
-
-static int s390x_aes_ccm_init_key(PROV_CCM_CTX *ctx,
- const unsigned char *key, size_t keylen)
-{
- PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
-
- sctx->ccm.s390x.fc = S390X_AES_FC(keylen);
- memcpy(&sctx->ccm.s390x.kmac.k, key, keylen);
- /* Store encoded m and l. */
- sctx->ccm.s390x.nonce.b[0] = ((ctx->l - 1) & 0x7)
- | (((ctx->m - 2) >> 1) & 0x7) << 3;
- memset(sctx->ccm.s390x.nonce.b + 1, 0, sizeof(sctx->ccm.s390x.nonce.b));
- sctx->ccm.s390x.blocks = 0;
- ctx->key_set = 1;
- return 1;
-}
-
-static int s390x_aes_ccm_setiv(PROV_CCM_CTX *ctx,
- const unsigned char *nonce, size_t noncelen,
- size_t mlen)
-{
- PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
-
- sctx->ccm.s390x.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
- sctx->ccm.s390x.nonce.g[1] = mlen;
- memcpy(sctx->ccm.s390x.nonce.b + 1, nonce, 15 - ctx->l);
- return 1;
-}
-
-/*-
- * Process additional authenticated data. Code is big-endian.
- */
-static int s390x_aes_ccm_setaad(PROV_CCM_CTX *ctx,
- const unsigned char *aad, size_t alen)
-{
- PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
- unsigned char *ptr;
- int i, rem;
-
- if (!alen)
- return 1;
-
- sctx->ccm.s390x.nonce.b[0] |= S390X_CCM_AAD_FLAG;
-
- /* Suppress 'type-punned pointer dereference' warning. */
- ptr = sctx->ccm.s390x.buf.b;
-
- if (alen < ((1 << 16) - (1 << 8))) {
- *(uint16_t *)ptr = alen;
- i = 2;
- } else if (sizeof(alen) == 8
- && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
- *(uint16_t *)ptr = 0xffff;
- *(uint64_t *)(ptr + 2) = alen;
- i = 10;
- } else {
- *(uint16_t *)ptr = 0xfffe;
- *(uint32_t *)(ptr + 2) = alen;
- i = 6;
- }
-
- while (i < 16 && alen) {
- sctx->ccm.s390x.buf.b[i] = *aad;
- ++aad;
- --alen;
- ++i;
- }
- while (i < 16) {
- sctx->ccm.s390x.buf.b[i] = 0;
- ++i;
- }
-
- sctx->ccm.s390x.kmac.icv.g[0] = 0;
- sctx->ccm.s390x.kmac.icv.g[1] = 0;
- s390x_kmac(sctx->ccm.s390x.nonce.b, 32, sctx->ccm.s390x.fc,
- &sctx->ccm.s390x.kmac);
- sctx->ccm.s390x.blocks += 2;
-
- rem = alen & 0xf;
- alen &= ~(size_t)0xf;
- if (alen) {
- s390x_kmac(aad, alen, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
- sctx->ccm.s390x.blocks += alen >> 4;
- aad += alen;
- }
- if (rem) {
- for (i = 0; i < rem; i++)
- sctx->ccm.s390x.kmac.icv.b[i] ^= aad[i];
-
- s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
- sctx->ccm.s390x.kmac.icv.b, sctx->ccm.s390x.fc,
- sctx->ccm.s390x.kmac.k);
- sctx->ccm.s390x.blocks++;
- }
- return 1;
-}
-
-/*-
- * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 1 for
- * success.
- */
-static int s390x_aes_ccm_auth_encdec(PROV_CCM_CTX *ctx,
- const unsigned char *in,
- unsigned char *out, size_t len, int enc)
-{
- PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
- size_t n, rem;
- unsigned int i, l, num;
- unsigned char flags;
-
- flags = sctx->ccm.s390x.nonce.b[0];
- if (!(flags & S390X_CCM_AAD_FLAG)) {
- s390x_km(sctx->ccm.s390x.nonce.b, 16, sctx->ccm.s390x.kmac.icv.b,
- sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
- sctx->ccm.s390x.blocks++;
- }
- l = flags & 0x7;
- sctx->ccm.s390x.nonce.b[0] = l;
-
- /*-
- * Reconstruct length from encoded length field
- * and initialize it with counter value.
- */
- n = 0;
- for (i = 15 - l; i < 15; i++) {
- n |= sctx->ccm.s390x.nonce.b[i];
- sctx->ccm.s390x.nonce.b[i] = 0;
- n <<= 8;
- }
- n |= sctx->ccm.s390x.nonce.b[15];
- sctx->ccm.s390x.nonce.b[15] = 1;
-
- if (n != len)
- return 0; /* length mismatch */
-
- if (enc) {
- /* Two operations per block plus one for tag encryption */
- sctx->ccm.s390x.blocks += (((len + 15) >> 4) << 1) + 1;
- if (sctx->ccm.s390x.blocks > (1ULL << 61))
- return 0; /* too much data */
- }
-
- num = 0;
- rem = len & 0xf;
- len &= ~(size_t)0xf;
-
- if (enc) {
- /* mac-then-encrypt */
- if (len)
- s390x_kmac(in, len, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
- if (rem) {
- for (i = 0; i < rem; i++)
- sctx->ccm.s390x.kmac.icv.b[i] ^= in[len + i];
-
- s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
- sctx->ccm.s390x.kmac.icv.b,
- sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
- }
-
- CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &sctx->ccm.ks.ks,
- sctx->ccm.s390x.nonce.b, sctx->ccm.s390x.buf.b,
- &num, (ctr128_f)AES_ctr32_encrypt);
- } else {
- /* decrypt-then-mac */
- CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &sctx->ccm.ks.ks,
- sctx->ccm.s390x.nonce.b, sctx->ccm.s390x.buf.b,
- &num, (ctr128_f)AES_ctr32_encrypt);
-
- if (len)
- s390x_kmac(out, len, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
- if (rem) {
- for (i = 0; i < rem; i++)
- sctx->ccm.s390x.kmac.icv.b[i] ^= out[len + i];
-
- s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
- sctx->ccm.s390x.kmac.icv.b,
- sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
- }
- }
- /* encrypt tag */
- for (i = 15 - l; i < 16; i++)
- sctx->ccm.s390x.nonce.b[i] = 0;
-
- s390x_km(sctx->ccm.s390x.nonce.b, 16, sctx->ccm.s390x.buf.b,
- sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
- sctx->ccm.s390x.kmac.icv.g[0] ^= sctx->ccm.s390x.buf.g[0];
- sctx->ccm.s390x.kmac.icv.g[1] ^= sctx->ccm.s390x.buf.g[1];
-
- sctx->ccm.s390x.nonce.b[0] = flags; /* restore flags field */
- return 1;
-}
-
-
-static int s390x_aes_ccm_gettag(PROV_CCM_CTX *ctx,
- unsigned char *tag, size_t tlen)
-{
- PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
-
- if (tlen > ctx->m)
- return 0;
- memcpy(tag, sctx->ccm.s390x.kmac.icv.b, tlen);
- return 1;
-}
-
-static int s390x_aes_ccm_auth_encrypt(PROV_CCM_CTX *ctx,
- const unsigned char *in,
- unsigned char *out, size_t len,
- unsigned char *tag, size_t taglen)
-{
- int rv;
-
- rv = s390x_aes_ccm_auth_encdec(ctx, in, out, len, 1);
- if (rv && tag != NULL)
- rv = s390x_aes_ccm_gettag(ctx, tag, taglen);
- return rv;
-}
-
-static int s390x_aes_ccm_auth_decrypt(PROV_CCM_CTX *ctx,
- const unsigned char *in,
- unsigned char *out, size_t len,
- unsigned char *expected_tag,
- size_t taglen)
-{
- int rv = 0;
- PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
-
- rv = s390x_aes_ccm_auth_encdec(ctx, in, out, len, 0);
- if (rv) {
- if (CRYPTO_memcmp(sctx->ccm.s390x.kmac.icv.b, expected_tag, ctx->m) != 0)
- rv = 0;
- }
- if (rv == 0)
- OPENSSL_cleanse(out, len);
- return rv;
-}
-
-static const PROV_CCM_HW s390x_aes_ccm = {
- s390x_aes_ccm_init_key,
- s390x_aes_ccm_setiv,
- s390x_aes_ccm_setaad,
- s390x_aes_ccm_auth_encrypt,
- s390x_aes_ccm_auth_decrypt,
- s390x_aes_ccm_gettag
-};
-
-const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
-{
- if ((keybits == 128 && S390X_aes_128_ccm_CAPABLE)
- || (keybits == 192 && S390X_aes_192_ccm_CAPABLE)
- || (keybits == 256 && S390X_aes_256_ccm_CAPABLE))
- return &s390x_aes_ccm;
- return &aes_ccm;
-}
* https://www.openssl.org/source/license.html
*/
-#include <string.h>
-#include <openssl/evp.h>
-#include <openssl/err.h>
-#include "ciphers_locl.h"
#include <assert.h>
-#include "internal/providercommonerr.h"
+#include "cipher_locl.h"
/*
* Fills a single block of buffered data from the input, and returns the amount
LIBS=../../../libcrypto
-$COMMON=block.c aes.c aes_basic.c gcm.c gcm_hw.c ciphers_common.c \
- ccm.c ccm_hw.c
+$COMMON=cipher_common.c cipher_common_hw.c block.c \
+ cipher_aes.c cipher_aes_hw.c \
+ cipher_gcm.c cipher_aes_gcm.c cipher_gcm_hw.c \
+ cipher_ccm.c cipher_aes_ccm.c cipher_ccm_hw.c
SOURCE[../../../libcrypto]=$COMMON
+IF[{- !$disabled{aria} -}]
+ SOURCE[../../../libcrypto]=\
+ cipher_aria.c cipher_aria_hw.c \
+ cipher_aria_gcm.c cipher_aria_ccm.c
+ENDIF
+
+IF[{- !$disabled{camellia} -}]
+ SOURCE[../../../libcrypto]=\
+ cipher_camellia.c cipher_camellia_hw.c
+ENDIF
INCLUDE[../../../libcrypto]=. ../../../crypto
SOURCE[../../fips]=$COMMON
-INCLUDE[../../fips]=. ../../../crypto
+INCLUDE[../../fips]=. ../../../crypto
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/core_numbers.h>
-#include <openssl/core_names.h>
-#include <openssl/evp.h>
-#include <openssl/params.h>
-#include "internal/provider_algs.h"
-#include "internal/providercommonerr.h"
-#include "ciphers_locl.h"
-
-/* TODO(3.0) Figure out what flags are really needed here */
-#define CCM_FLAGS (EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1 \
- | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
- | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
- | EVP_CIPH_CUSTOM_COPY)
-
-static OSSL_OP_cipher_encrypt_init_fn ccm_einit;
-static OSSL_OP_cipher_decrypt_init_fn ccm_dinit;
-static OSSL_OP_cipher_get_ctx_params_fn ccm_get_ctx_params;
-static OSSL_OP_cipher_set_ctx_params_fn ccm_set_ctx_params;
-static OSSL_OP_cipher_update_fn ccm_stream_update;
-static OSSL_OP_cipher_final_fn ccm_stream_final;
-static OSSL_OP_cipher_cipher_fn ccm_cipher;
-
-static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
- size_t *padlen, const unsigned char *in,
- size_t len);
-
-static int ccm_tls_init(PROV_CCM_CTX *ctx, unsigned char *aad, size_t alen)
-{
- size_t len;
-
- if (alen != EVP_AEAD_TLS1_AAD_LEN)
- return 0;
-
- /* Save the aad for later use. */
- memcpy(ctx->buf, aad, alen);
- ctx->tls_aad_len = alen;
-
- len = ctx->buf[alen - 2] << 8 | ctx->buf[alen - 1];
- if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
- return 0;
-
- /* Correct length for explicit iv. */
- len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
-
- if (!ctx->enc) {
- if (len < ctx->m)
- return 0;
- /* Correct length for tag. */
- len -= ctx->m;
- }
- ctx->buf[alen - 2] = (unsigned char)(len >> 8);
- ctx->buf[alen - 1] = (unsigned char)(len & 0xff);
-
- /* Extra padding: tag appended to record. */
- return ctx->m;
-}
-
-static int ccm_tls_iv_set_fixed(PROV_CCM_CTX *ctx, unsigned char *fixed,
- size_t flen)
-{
- if (flen != EVP_CCM_TLS_FIXED_IV_LEN)
- return 0;
-
- /* Copy to first part of the iv. */
- memcpy(ctx->iv, fixed, flen);
- return 1;
-}
-
-static size_t ccm_get_ivlen(PROV_CCM_CTX *ctx)
-{
- return 15 - ctx->l;
-}
-
-static int ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
-{
- PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
- const OSSL_PARAM *p;
- size_t sz;
-
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
- if (p != NULL) {
- if (p->data_type != OSSL_PARAM_OCTET_STRING) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- if ((p->data_size & 1) || (p->data_size < 4) || p->data_size > 16) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
- return 0;
- }
-
- if (p->data != NULL) {
- if (ctx->enc) {
- ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOT_NEEDED);
- return 0;
- }
- memcpy(ctx->buf, p->data, p->data_size);
- ctx->tag_set = 1;
- }
- ctx->m = p->data_size;
- }
-
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
- if (p != NULL) {
- size_t ivlen;
-
- if (!OSSL_PARAM_get_size_t(p, &sz)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- ivlen = 15 - sz;
- if (ivlen < 2 || ivlen > 8) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
- return 0;
- }
- ctx->l = ivlen;
- }
-
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
- if (p != NULL) {
- if (p->data_type != OSSL_PARAM_OCTET_STRING) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- sz = ccm_tls_init(ctx, p->data, p->data_size);
- if (sz == 0) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA);
- return 0;
- }
- ctx->tls_aad_pad_sz = sz;
- }
-
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
- if (p != NULL) {
- if (p->data_type != OSSL_PARAM_OCTET_STRING) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- if (ccm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
- return 0;
- }
- }
-
- return 1;
-}
-
-static int ccm_get_ctx_params(void *vctx, OSSL_PARAM params[])
-{
- PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
- OSSL_PARAM *p;
-
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
- if (p != NULL && !OSSL_PARAM_set_int(p, ccm_get_ivlen(ctx))) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
-
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
- if (p != NULL) {
- if (ccm_get_ivlen(ctx) != p->data_size) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
- return 0;
- }
- if (!OSSL_PARAM_set_octet_string(p, ctx->iv, p->data_size)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- }
-
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
- if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
-
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
- if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
-
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
- if (p != NULL) {
- if (!ctx->enc || !ctx->tag_set) {
- ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOTSET);
- return 0;
- }
- if (p->data_type != OSSL_PARAM_OCTET_STRING) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- if (!ctx->hw->gettag(ctx, p->data, p->data_size))
- return 0;
- ctx->tag_set = 0;
- ctx->iv_set = 0;
- ctx->len_set = 0;
- }
- return 1;
-}
-
-static int ccm_init(void *vctx, const unsigned char *key, size_t keylen,
- const unsigned char *iv, size_t ivlen, int enc)
-{
- PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
-
- ctx->enc = enc;
-
- if (iv != NULL) {
- if (ivlen != ccm_get_ivlen(ctx)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
- return 0;
- }
-
- memcpy(ctx->iv, iv, ivlen);
- ctx->iv_set = 1;
- }
- if (key != NULL) {
- if (keylen != ctx->keylen) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN);
- return 0;
- }
- return ctx->hw->setkey(ctx, key, keylen);
- }
- return 1;
-}
-
-static int ccm_einit(void *vctx, const unsigned char *key, size_t keylen,
- const unsigned char *iv, size_t ivlen)
-{
- return ccm_init(vctx, key, keylen, iv, ivlen, 1);
-}
-
-static int ccm_dinit(void *vctx, const unsigned char *key, size_t keylen,
- const unsigned char *iv, size_t ivlen)
-{
- return ccm_init(vctx, key, keylen, iv, ivlen, 0);
-}
-
-static int ccm_stream_update(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize, const unsigned char *in,
- size_t inl)
-{
- PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
-
- if (outsize < inl) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
- }
-
- if (!ccm_cipher_internal(ctx, out, outl, in, inl)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
- return 0;
- }
- return 1;
-}
-
-static int ccm_stream_final(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize)
-{
- PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
- int i;
-
- i = ccm_cipher_internal(ctx, out, outl, NULL, 0);
- if (i <= 0)
- return 0;
-
- *outl = 0;
- return 1;
-}
-
-static int ccm_cipher(void *vctx,
- unsigned char *out, size_t *outl, size_t outsize,
- const unsigned char *in, size_t inl)
-{
- PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
-
- if (outsize < inl) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return -1;
- }
-
- if (ccm_cipher_internal(ctx, out, outl, in, inl) <= 0)
- return -1;
-
- *outl = inl;
- return 1;
-}
-
-/* Copy the buffered iv */
-static int ccm_set_iv(PROV_CCM_CTX *ctx, size_t mlen)
-{
- const PROV_CCM_HW *hw = ctx->hw;
-
- if (!hw->setiv(ctx, ctx->iv, ccm_get_ivlen(ctx), mlen))
- return 0;
- ctx->len_set = 1;
- return 1;
-}
-
-static int ccm_tls_cipher(PROV_CCM_CTX *ctx,
- unsigned char *out, size_t *padlen,
- const unsigned char *in, size_t len)
-{
- int rv = 0;
- size_t olen = 0;
-
- /* Encrypt/decrypt must be performed in place */
- if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)ctx->m))
- goto err;
-
- /* If encrypting set explicit IV from sequence number (start of AAD) */
- if (ctx->enc)
- memcpy(out, ctx->buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
- /* Get rest of IV from explicit IV */
- memcpy(ctx->iv + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
- /* Correct length value */
- len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m;
- if (!ccm_set_iv(ctx, len))
- goto err;
-
- /* Use saved AAD */
- if (!ctx->hw->setaad(ctx, ctx->buf, ctx->tls_aad_len))
- goto err;
-
- /* Fix buffer to point to payload */
- in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
- out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
- if (ctx->enc) {
- if (!ctx->hw->auth_encrypt(ctx, in, out, len, out + len, ctx->m))
- goto err;
- olen = len + EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m;
- } else {
- if (!ctx->hw->auth_decrypt(ctx, in, out, len,
- (unsigned char *)in + len, ctx->m))
- goto err;
- olen = len;
- }
- rv = 1;
-err:
- *padlen = olen;
- return rv;
-}
-
-static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
- size_t *padlen, const unsigned char *in,
- size_t len)
-{
- int rv = 0;
- size_t olen = 0;
- const PROV_CCM_HW *hw = ctx->hw;
-
- /* If no key set, return error */
- if (!ctx->key_set)
- return 0;
-
- if (ctx->tls_aad_len >= 0)
- return ccm_tls_cipher(ctx, out, padlen, in, len);
-
- /* EVP_*Final() doesn't return any data */
- if (in == NULL && out != NULL)
- return 1;
-
- if (!ctx->iv_set)
- goto err;
-
- if (out == NULL) {
- if (in == NULL) {
- if (!ccm_set_iv(ctx, len))
- goto err;
- } else {
- /* If we have AAD, we need a message length */
- if (!ctx->len_set && len)
- goto err;
- if (!hw->setaad(ctx, in, len))
- goto err;
- }
- } else {
- /* If not set length yet do it */
- if (!ctx->len_set && !ccm_set_iv(ctx, len))
- goto err;
-
- if (ctx->enc) {
- if (!hw->auth_encrypt(ctx, in, out, len, NULL, 0))
- goto err;
- ctx->tag_set = 1;
- } else {
- /* The tag must be set before actually decrypting data */
- if (!ctx->tag_set)
- goto err;
-
- if (!hw->auth_decrypt(ctx, in, out, len, ctx->buf, ctx->m))
- goto err;
- /* Finished - reset flags so calling this method again will fail */
- ctx->iv_set = 0;
- ctx->tag_set = 0;
- ctx->len_set = 0;
- }
- }
- olen = len;
- rv = 1;
-err:
- *padlen = olen;
- return rv;
-}
-
-static void ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits,
- const PROV_CCM_HW *hw)
-{
- ctx->keylen = keybits / 8;
- ctx->key_set = 0;
- ctx->iv_set = 0;
- ctx->tag_set = 0;
- ctx->len_set = 0;
- ctx->l = 8;
- ctx->m = 12;
- ctx->tls_aad_len = -1;
- ctx->hw = hw;
-}
-
-static void ccm_finalctx(PROV_CCM_CTX *ctx)
-{
- OPENSSL_cleanse(ctx->iv, sizeof(ctx->iv));
-}
-
-/*- Algorithm specific methods for CCM mode */
-
-static void *aes_ccm_newctx(void *provctx, size_t keybits)
-{
- PROV_AES_CCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
- ccm_initctx(&ctx->base, keybits, PROV_AES_HW_ccm(keybits));
- return ctx;
-}
-
-static OSSL_OP_cipher_freectx_fn aes_ccm_freectx;
-static void aes_ccm_freectx(void *vctx)
-{
- PROV_AES_CCM_CTX *ctx = (PROV_AES_CCM_CTX *)vctx;
-
- ccm_finalctx((PROV_CCM_CTX *)ctx);
- OPENSSL_clear_free(ctx, sizeof(*ctx));
-}
-
-/*- CCM Dispatch macros */
-
-/* aes128ccm_functions */
-IMPLEMENT_aead_cipher(aes, ccm, CCM, CCM_FLAGS, 128, 8, 96);
-/* aes192ccm_functions */
-IMPLEMENT_aead_cipher(aes, ccm, CCM, CCM_FLAGS, 192, 8, 96);
-/* aes256ccm_functions */
-IMPLEMENT_aead_cipher(aes, ccm, CCM, CCM_FLAGS, 256, 8, 96);
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-static void *aria_ccm_newctx(void *provctx, size_t keybits)
-{
- PROV_ARIA_CCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
- ccm_initctx(&ctx->base, keybits, PROV_ARIA_HW_ccm(keybits));
- return ctx;
-}
-
-static OSSL_OP_cipher_freectx_fn aria_ccm_freectx;
-static void aria_ccm_freectx(void *vctx)
-{
- PROV_ARIA_CCM_CTX *ctx = (PROV_ARIA_CCM_CTX *)vctx;
-
- ccm_finalctx((PROV_CCM_CTX *)ctx);
- OPENSSL_clear_free(ctx, sizeof(*ctx));
-}
-
-/* aria128ccm functions */
-IMPLEMENT_aead_cipher(aria, ccm, CCM, CCM_FLAGS, 128, 8, 96);
-/* aria192ccm functions */
-IMPLEMENT_aead_cipher(aria, ccm, CCM, CCM_FLAGS, 192, 8, 96);
-/* aria256ccm functions */
-IMPLEMENT_aead_cipher(aria, ccm, CCM, CCM_FLAGS, 256, 8, 96);
-#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
+++ /dev/null
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/opensslconf.h>
-#include "ciphers_locl.h"
-#include "internal/aes_platform.h"
-
-#define AES_CCM_SET_KEY_FN(fn_set_enc_key, fn_blk, fn_ccm_enc, fn_ccm_dec) \
- fn_set_enc_key(key, keylen * 8, &actx->ccm.ks.ks); \
- CRYPTO_ccm128_init(&ctx->ccm_ctx, ctx->m, ctx->l, &actx->ccm.ks.ks, \
- (block128_f)fn_blk); \
- ctx->str = ctx->enc ? (ccm128_f)fn_ccm_enc : (ccm128_f)fn_ccm_dec; \
- ctx->key_set = 1;
-
-static int ccm_generic_aes_init_key(PROV_CCM_CTX *ctx,
- const unsigned char *key, size_t keylen)
-{
- PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
-
-#ifdef HWAES_CAPABLE
- if (HWAES_CAPABLE) {
- AES_CCM_SET_KEY_FN(HWAES_set_encrypt_key, HWAES_encrypt, NULL, NULL);
- } else
-#endif /* HWAES_CAPABLE */
-#ifdef VPAES_CAPABLE
- if (VPAES_CAPABLE) {
- AES_CCM_SET_KEY_FN(vpaes_set_encrypt_key, vpaes_encrypt, NULL, NULL);
- } else
-#endif
- {
- AES_CCM_SET_KEY_FN(AES_set_encrypt_key, AES_encrypt, NULL, NULL)
- }
- return 1;
-}
-
-static int ccm_generic_setiv(PROV_CCM_CTX *ctx, const unsigned char *nonce,
- size_t nlen, size_t mlen)
-{
- return CRYPTO_ccm128_setiv(&ctx->ccm_ctx, nonce, nlen, mlen) == 0;
-}
-
-static int ccm_generic_setaad(PROV_CCM_CTX *ctx, const unsigned char *aad,
- size_t alen)
-{
- CRYPTO_ccm128_aad(&ctx->ccm_ctx, aad, alen);
- return 1;
-}
-
-static int ccm_generic_gettag(PROV_CCM_CTX *ctx, unsigned char *tag,
- size_t tlen)
-{
- return CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, tlen) > 0;
-}
-
-static int ccm_generic_auth_encrypt(PROV_CCM_CTX *ctx, const unsigned char *in,
- unsigned char *out, size_t len,
- unsigned char *tag, size_t taglen)
-{
- int rv;
-
- if (ctx->str != NULL)
- rv = CRYPTO_ccm128_encrypt_ccm64(&ctx->ccm_ctx, in,
- out, len, ctx->str) == 0;
- else
- rv = CRYPTO_ccm128_encrypt(&ctx->ccm_ctx, in, out, len) == 0;
-
- if (rv == 1 && tag != NULL)
- rv = (CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, taglen) > 0);
- return rv;
-}
-
-static int ccm_generic_auth_decrypt(PROV_CCM_CTX *ctx, const unsigned char *in,
- unsigned char *out, size_t len,
- unsigned char *expected_tag,
- size_t taglen)
-{
- int rv = 0;
-
- if (ctx->str != NULL)
- rv = CRYPTO_ccm128_decrypt_ccm64(&ctx->ccm_ctx, in, out, len,
- ctx->str) == 0;
- else
- rv = CRYPTO_ccm128_decrypt(&ctx->ccm_ctx, in, out, len) == 0;
- if (rv) {
- unsigned char tag[16];
-
- if (!CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, taglen)
- || CRYPTO_memcmp(tag, expected_tag, taglen) != 0)
- rv = 0;
- }
- if (rv == 0)
- OPENSSL_cleanse(out, len);
- return rv;
-}
-
-static const PROV_CCM_HW aes_ccm = {
- ccm_generic_aes_init_key,
- ccm_generic_setiv,
- ccm_generic_setaad,
- ccm_generic_auth_encrypt,
- ccm_generic_auth_decrypt,
- ccm_generic_gettag
-};
-
-#if defined(S390X_aes_128_CAPABLE)
-# include "aes_ccm_s390x.c"
-#elif defined(AESNI_CAPABLE)
-
-/* AES-NI section */
-static int ccm_aesni_init_key(PROV_CCM_CTX *ctx,
- const unsigned char *key, size_t keylen)
-{
- PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
-
- AES_CCM_SET_KEY_FN(aesni_set_encrypt_key, aesni_encrypt,
- aesni_ccm64_encrypt_blocks, aesni_ccm64_decrypt_blocks);
- return 1;
-}
-
-static const PROV_CCM_HW aesni_ccm = {
- ccm_aesni_init_key,
- ccm_generic_setiv,
- ccm_generic_setaad,
- ccm_generic_auth_encrypt,
- ccm_generic_auth_decrypt,
- ccm_generic_gettag
-};
-
-const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
-{
- return AESNI_CAPABLE ? &aesni_ccm : &aes_ccm;
-}
-
-#elif defined(SPARC_AES_CAPABLE)
-/* Fujitsu SPARC64 X support */
-static int ccm_t4_aes_init_key(PROV_CCM_CTX *ctx,
- const unsigned char *key, size_t keylen)
-{
- PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
-
- AES_CCM_SET_KEY_FN(aes_t4_set_encrypt_key, aes_t4_encrypt, NULL, NULL);
- return 1;
-}
-
-static const PROV_CCM_HW t4_aes_ccm = {
- ccm_t4_aes_init_key,
- ccm_generic_setiv,
- ccm_generic_setaad,
- ccm_generic_auth_encrypt,
- ccm_generic_auth_decrypt,
- ccm_generic_gettag
-};
-
-const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
-{
- return SPARC_AES_CAPABLE ? &t4_aes_ccm : &aes_ccm;
-}
-
-#else
-const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
-{
- return &aes_ccm;
-}
-#endif
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-/* ARIA CCM Algorithm specific methods */
-static int ccm_aria_init_key(PROV_CCM_CTX *ctx,
- const unsigned char *key, size_t keylen)
-{
- PROV_ARIA_CCM_CTX *actx = (PROV_ARIA_CCM_CTX *)ctx;
-
- aria_set_encrypt_key(key, keylen * 8, &actx->ks.ks);
- CRYPTO_ccm128_init(&ctx->ccm_ctx, ctx->m, ctx->l, &actx->ks.ks,
- (block128_f)aria_encrypt);
- ctx->str = NULL;
- ctx->key_set = 1;
- return 1;
-}
-
-static const PROV_CCM_HW ccm_aria = {
- ccm_aria_init_key,
- ccm_generic_setiv,
- ccm_generic_setaad,
- ccm_generic_auth_encrypt,
- ccm_generic_auth_decrypt,
- ccm_generic_gettag
-};
-const PROV_CCM_HW *PROV_ARIA_HW_ccm(size_t keybits)
-{
- return &ccm_aria;
-}
-#endif /* OPENSSL_NO_ARIA */
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for AES cipher modes ecb, cbc, ofb, cfb, ctr */
+
+#include "cipher_locl.h"
+
+static OSSL_OP_cipher_freectx_fn aes_freectx;
+static OSSL_OP_cipher_dupctx_fn aes_dupctx;
+
+static void aes_freectx(void *vctx)
+{
+ PROV_AES_CTX *ctx = (PROV_AES_CTX *)vctx;
+
+ OPENSSL_clear_free(ctx, sizeof(*ctx));
+}
+
+static void *aes_dupctx(void *ctx)
+{
+ PROV_AES_CTX *in = (PROV_AES_CTX *)ctx;
+ PROV_AES_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+
+ if (ret == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ *ret = *in;
+
+ return ret;
+}
+
+/* aes256ecb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 256, 128, 0, block)
+/* aes192ecb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 192, 128, 0, block)
+/* aes128ecb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 128, 128, 0, block)
+/* aes256cbc_functions */
+IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 256, 128, 128, block)
+/* aes192cbc_functions */
+IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 192, 128, 128, block)
+/* aes128cbc_functions */
+IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 128, 128, 128, block)
+/* aes256ofb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 256, 8, 128, stream)
+/* aes192ofb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 192, 8, 128, stream)
+/* aes128ofb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 128, 8, 128, stream)
+/* aes256cfb_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb, CFB, 0, 256, 8, 128, stream)
+/* aes192cfb_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb, CFB, 0, 192, 8, 128, stream)
+/* aes128cfb_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb, CFB, 0, 128, 8, 128, stream)
+/* aes256cfb1_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 256, 8, 128, stream)
+/* aes192cfb1_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 192, 8, 128, stream)
+/* aes128cfb1_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 128, 8, 128, stream)
+/* aes256cfb8_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 256, 8, 128, stream)
+/* aes192cfb8_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 192, 8, 128, stream)
+/* aes128cfb8_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 128, 8, 128, stream)
+/* aes256ctr_functions */
+IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 256, 8, 128, stream)
+/* aes192ctr_functions */
+IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 192, 8, 128, stream)
+/* aes128ctr_functions */
+IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 128, 8, 128, stream)
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/aes.h>
+
+typedef struct prov_aes_ctx_st {
+ PROV_CIPHER_CTX base; /* Must be first */
+ union {
+ OSSL_UNION_ALIGN;
+ AES_KEY ks;
+ } ks;
+
+ /* Platform specific data */
+ union {
+ int dummy;
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+ struct {
+ union {
+ OSSL_UNION_ALIGN;
+ /*-
+ * KM-AES parameter block - begin
+ * (see z/Architecture Principles of Operation >= SA22-7832-06)
+ */
+ struct {
+ unsigned char k[32];
+ } km;
+ /* KM-AES parameter block - end */
+ /*-
+ * KMO-AES/KMF-AES parameter block - begin
+ * (see z/Architecture Principles of Operation >= SA22-7832-08)
+ */
+ struct {
+ unsigned char cv[16];
+ unsigned char k[32];
+ } kmo_kmf;
+ /* KMO-AES/KMF-AES parameter block - end */
+ } param;
+ unsigned int fc;
+ int res;
+ } s390x;
+#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
+ } plat;
+
+} PROV_AES_CTX;
+
+#define PROV_CIPHER_HW_aes_ofb PROV_CIPHER_HW_aes_ofb128
+#define PROV_CIPHER_HW_aes_cfb PROV_CIPHER_HW_aes_cfb128
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_ecb(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_cbc(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_ofb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_cfb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_cfb1(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_cfb8(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_ctr(size_t keybits);
+
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for AES CCM mode */
+
+#include "cipher_locl.h"
+
+static void *aes_ccm_newctx(void *provctx, size_t keybits)
+{
+ PROV_AES_CCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+ if (ctx != NULL)
+ ccm_initctx(&ctx->base, keybits, PROV_AES_HW_ccm(keybits));
+ return ctx;
+}
+
+static OSSL_OP_cipher_freectx_fn aes_ccm_freectx;
+static void aes_ccm_freectx(void *vctx)
+{
+ PROV_AES_CCM_CTX *ctx = (PROV_AES_CCM_CTX *)vctx;
+
+ ccm_finalctx((PROV_CCM_CTX *)ctx);
+ OPENSSL_clear_free(ctx, sizeof(*ctx));
+}
+
+/* aes128ccm_functions */
+IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 128, 8, 96);
+/* aes192ccm_functions */
+IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 192, 8, 96);
+/* aes256ccm_functions */
+IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 256, 8, 96);
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * AES-NI support for AES CCM.
+ * This file is included by cipher_ccm_hw.c
+ */
+
+static int ccm_aesni_initkey(PROV_CCM_CTX *ctx, const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
+
+ AES_CCM_SET_KEY_FN(aesni_set_encrypt_key, aesni_encrypt,
+ aesni_ccm64_encrypt_blocks, aesni_ccm64_decrypt_blocks);
+ return 1;
+}
+
+static const PROV_CCM_HW aesni_ccm = {
+ ccm_aesni_initkey,
+ ccm_generic_setiv,
+ ccm_generic_setaad,
+ ccm_generic_auth_encrypt,
+ ccm_generic_auth_decrypt,
+ ccm_generic_gettag
+};
+
+const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
+{
+ return AESNI_CAPABLE ? &aesni_ccm : &aes_ccm;
+}
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * S390X support for AES CCM.
+ * This file is included by cipher_ccm_hw.c
+ */
+
+#define S390X_CCM_AAD_FLAG 0x40
+
+static int s390x_aes_ccm_initkey(PROV_CCM_CTX *ctx,
+ const unsigned char *key, size_t keylen)
+{
+ PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+
+ sctx->ccm.s390x.fc = S390X_AES_FC(keylen);
+ memcpy(&sctx->ccm.s390x.kmac.k, key, keylen);
+ /* Store encoded m and l. */
+ sctx->ccm.s390x.nonce.b[0] = ((ctx->l - 1) & 0x7)
+ | (((ctx->m - 2) >> 1) & 0x7) << 3;
+ memset(sctx->ccm.s390x.nonce.b + 1, 0, sizeof(sctx->ccm.s390x.nonce.b));
+ sctx->ccm.s390x.blocks = 0;
+ ctx->key_set = 1;
+ return 1;
+}
+
+static int s390x_aes_ccm_setiv(PROV_CCM_CTX *ctx,
+ const unsigned char *nonce, size_t noncelen,
+ size_t mlen)
+{
+ PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+
+ sctx->ccm.s390x.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
+ sctx->ccm.s390x.nonce.g[1] = mlen;
+ memcpy(sctx->ccm.s390x.nonce.b + 1, nonce, 15 - ctx->l);
+ return 1;
+}
+
+/*-
+ * Process additional authenticated data. Code is big-endian.
+ */
+static int s390x_aes_ccm_setaad(PROV_CCM_CTX *ctx,
+ const unsigned char *aad, size_t alen)
+{
+ PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+ unsigned char *ptr;
+ int i, rem;
+
+ if (!alen)
+ return 1;
+
+ sctx->ccm.s390x.nonce.b[0] |= S390X_CCM_AAD_FLAG;
+
+ /* Suppress 'type-punned pointer dereference' warning. */
+ ptr = sctx->ccm.s390x.buf.b;
+
+ if (alen < ((1 << 16) - (1 << 8))) {
+ *(uint16_t *)ptr = alen;
+ i = 2;
+ } else if (sizeof(alen) == 8
+ && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
+ *(uint16_t *)ptr = 0xffff;
+ *(uint64_t *)(ptr + 2) = alen;
+ i = 10;
+ } else {
+ *(uint16_t *)ptr = 0xfffe;
+ *(uint32_t *)(ptr + 2) = alen;
+ i = 6;
+ }
+
+ while (i < 16 && alen) {
+ sctx->ccm.s390x.buf.b[i] = *aad;
+ ++aad;
+ --alen;
+ ++i;
+ }
+ while (i < 16) {
+ sctx->ccm.s390x.buf.b[i] = 0;
+ ++i;
+ }
+
+ sctx->ccm.s390x.kmac.icv.g[0] = 0;
+ sctx->ccm.s390x.kmac.icv.g[1] = 0;
+ s390x_kmac(sctx->ccm.s390x.nonce.b, 32, sctx->ccm.s390x.fc,
+ &sctx->ccm.s390x.kmac);
+ sctx->ccm.s390x.blocks += 2;
+
+ rem = alen & 0xf;
+ alen &= ~(size_t)0xf;
+ if (alen) {
+ s390x_kmac(aad, alen, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
+ sctx->ccm.s390x.blocks += alen >> 4;
+ aad += alen;
+ }
+ if (rem) {
+ for (i = 0; i < rem; i++)
+ sctx->ccm.s390x.kmac.icv.b[i] ^= aad[i];
+
+ s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
+ sctx->ccm.s390x.kmac.icv.b, sctx->ccm.s390x.fc,
+ sctx->ccm.s390x.kmac.k);
+ sctx->ccm.s390x.blocks++;
+ }
+ return 1;
+}
+
+/*-
+ * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 1 for
+ * success.
+ */
+static int s390x_aes_ccm_auth_encdec(PROV_CCM_CTX *ctx,
+ const unsigned char *in,
+ unsigned char *out, size_t len, int enc)
+{
+ PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+ size_t n, rem;
+ unsigned int i, l, num;
+ unsigned char flags;
+
+ flags = sctx->ccm.s390x.nonce.b[0];
+ if (!(flags & S390X_CCM_AAD_FLAG)) {
+ s390x_km(sctx->ccm.s390x.nonce.b, 16, sctx->ccm.s390x.kmac.icv.b,
+ sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
+ sctx->ccm.s390x.blocks++;
+ }
+ l = flags & 0x7;
+ sctx->ccm.s390x.nonce.b[0] = l;
+
+ /*-
+ * Reconstruct length from encoded length field
+ * and initialize it with counter value.
+ */
+ n = 0;
+ for (i = 15 - l; i < 15; i++) {
+ n |= sctx->ccm.s390x.nonce.b[i];
+ sctx->ccm.s390x.nonce.b[i] = 0;
+ n <<= 8;
+ }
+ n |= sctx->ccm.s390x.nonce.b[15];
+ sctx->ccm.s390x.nonce.b[15] = 1;
+
+ if (n != len)
+ return 0; /* length mismatch */
+
+ if (enc) {
+ /* Two operations per block plus one for tag encryption */
+ sctx->ccm.s390x.blocks += (((len + 15) >> 4) << 1) + 1;
+ if (sctx->ccm.s390x.blocks > (1ULL << 61))
+ return 0; /* too much data */
+ }
+
+ num = 0;
+ rem = len & 0xf;
+ len &= ~(size_t)0xf;
+
+ if (enc) {
+ /* mac-then-encrypt */
+ if (len)
+ s390x_kmac(in, len, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
+ if (rem) {
+ for (i = 0; i < rem; i++)
+ sctx->ccm.s390x.kmac.icv.b[i] ^= in[len + i];
+
+ s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
+ sctx->ccm.s390x.kmac.icv.b,
+ sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
+ }
+
+ CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &sctx->ccm.ks.ks,
+ sctx->ccm.s390x.nonce.b, sctx->ccm.s390x.buf.b,
+ &num, (ctr128_f)AES_ctr32_encrypt);
+ } else {
+ /* decrypt-then-mac */
+ CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &sctx->ccm.ks.ks,
+ sctx->ccm.s390x.nonce.b, sctx->ccm.s390x.buf.b,
+ &num, (ctr128_f)AES_ctr32_encrypt);
+
+ if (len)
+ s390x_kmac(out, len, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
+ if (rem) {
+ for (i = 0; i < rem; i++)
+ sctx->ccm.s390x.kmac.icv.b[i] ^= out[len + i];
+
+ s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
+ sctx->ccm.s390x.kmac.icv.b,
+ sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
+ }
+ }
+ /* encrypt tag */
+ for (i = 15 - l; i < 16; i++)
+ sctx->ccm.s390x.nonce.b[i] = 0;
+
+ s390x_km(sctx->ccm.s390x.nonce.b, 16, sctx->ccm.s390x.buf.b,
+ sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
+ sctx->ccm.s390x.kmac.icv.g[0] ^= sctx->ccm.s390x.buf.g[0];
+ sctx->ccm.s390x.kmac.icv.g[1] ^= sctx->ccm.s390x.buf.g[1];
+
+ sctx->ccm.s390x.nonce.b[0] = flags; /* restore flags field */
+ return 1;
+}
+
+
+static int s390x_aes_ccm_gettag(PROV_CCM_CTX *ctx,
+ unsigned char *tag, size_t tlen)
+{
+ PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+
+ if (tlen > ctx->m)
+ return 0;
+ memcpy(tag, sctx->ccm.s390x.kmac.icv.b, tlen);
+ return 1;
+}
+
+static int s390x_aes_ccm_auth_encrypt(PROV_CCM_CTX *ctx,
+ const unsigned char *in,
+ unsigned char *out, size_t len,
+ unsigned char *tag, size_t taglen)
+{
+ int rv;
+
+ rv = s390x_aes_ccm_auth_encdec(ctx, in, out, len, 1);
+ if (rv && tag != NULL)
+ rv = s390x_aes_ccm_gettag(ctx, tag, taglen);
+ return rv;
+}
+
+static int s390x_aes_ccm_auth_decrypt(PROV_CCM_CTX *ctx,
+ const unsigned char *in,
+ unsigned char *out, size_t len,
+ unsigned char *expected_tag,
+ size_t taglen)
+{
+ int rv = 0;
+ PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+
+ rv = s390x_aes_ccm_auth_encdec(ctx, in, out, len, 0);
+ if (rv) {
+ if (CRYPTO_memcmp(sctx->ccm.s390x.kmac.icv.b, expected_tag, ctx->m) != 0)
+ rv = 0;
+ }
+ if (rv == 0)
+ OPENSSL_cleanse(out, len);
+ return rv;
+}
+
+static const PROV_CCM_HW s390x_aes_ccm = {
+ s390x_aes_ccm_initkey,
+ s390x_aes_ccm_setiv,
+ s390x_aes_ccm_setaad,
+ s390x_aes_ccm_auth_encrypt,
+ s390x_aes_ccm_auth_decrypt,
+ s390x_aes_ccm_gettag
+};
+
+const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
+{
+ if ((keybits == 128 && S390X_aes_128_ccm_CAPABLE)
+ || (keybits == 192 && S390X_aes_192_ccm_CAPABLE)
+ || (keybits == 256 && S390X_aes_256_ccm_CAPABLE))
+ return &s390x_aes_ccm;
+ return &aes_ccm;
+}
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Fujitsu SPARC64 X support for AES CCM.
+ * This file is included by cipher_ccm_hw.c
+ */
+
+static int ccm_t4_aes_initkey(PROV_CCM_CTX *ctx, const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
+
+ AES_CCM_SET_KEY_FN(aes_t4_set_encrypt_key, aes_t4_encrypt, NULL, NULL);
+ return 1;
+}
+
+static const PROV_CCM_HW t4_aes_ccm = {
+ ccm_t4_aes_initkey,
+ ccm_generic_setiv,
+ ccm_generic_setaad,
+ ccm_generic_auth_encrypt,
+ ccm_generic_auth_decrypt,
+ ccm_generic_gettag
+};
+
+const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
+{
+ return SPARC_AES_CAPABLE ? &t4_aes_ccm : &aes_ccm;
+}
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for AES GCM mode */
+
+#include "cipher_locl.h"
+
+static void *aes_gcm_newctx(void *provctx, size_t keybits)
+{
+ PROV_AES_GCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+ if (ctx != NULL)
+ gcm_initctx(provctx, &ctx->base, keybits, PROV_AES_HW_gcm(keybits), 8);
+ return ctx;
+}
+
+static OSSL_OP_cipher_freectx_fn aes_gcm_freectx;
+static void aes_gcm_freectx(void *vctx)
+{
+ PROV_AES_GCM_CTX *ctx = (PROV_AES_GCM_CTX *)vctx;
+
+ gcm_deinitctx((PROV_GCM_CTX *)ctx);
+ OPENSSL_clear_free(ctx, sizeof(*ctx));
+}
+
+/* aes128gcm_functions */
+IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 128, 8, 96);
+/* aes192gcm_functions */
+IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 192, 8, 96);
+/* aes256gcm_functions */
+IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 256, 8, 96);
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * AES-NI support for AES GCM.
+ * This file is included by cipher_gcm_hw.c
+ */
+
+static int aesni_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+ AES_KEY *ks = &actx->ks.ks;
+
+ SET_KEY_CTR_FN(ks, aesni_set_encrypt_key, aesni_encrypt,
+ aesni_ctr32_encrypt_blocks);
+ return 1;
+}
+
+static const PROV_GCM_HW aesni_gcm = {
+ aesni_gcm_initkey,
+ gcm_setiv,
+ gcm_aad_update,
+ gcm_cipher_update,
+ gcm_cipher_final,
+ gcm_one_shot
+};
+
+const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
+{
+ return AESNI_CAPABLE ? &aesni_gcm : &aes_gcm;
+}
+
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * IBM S390X support for AES GCM.
+ * This file is included by cipher_gcm_hw.c
+ */
+
+/* iv + padding length for iv lengths != 12 */
+#define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
+
+static int s390x_aes_gcm_initkey(PROV_GCM_CTX *ctx,
+ const unsigned char *key, size_t keylen)
+{
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+
+ ctx->key_set = 1;
+ memcpy(&actx->plat.s390x.param.kma.k, key, keylen);
+ actx->plat.s390x.fc = S390X_AES_FC(keylen);
+ if (!ctx->enc)
+ actx->plat.s390x.fc |= S390X_DECRYPT;
+ return 1;
+}
+
+static int s390x_aes_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv,
+ size_t ivlen)
+{
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+ S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
+
+ kma->t.g[0] = 0;
+ kma->t.g[1] = 0;
+ kma->tpcl = 0;
+ kma->taadl = 0;
+ actx->plat.s390x.mreslen = 0;
+ actx->plat.s390x.areslen = 0;
+ actx->plat.s390x.kreslen = 0;
+
+ if (ivlen == GCM_IV_DEFAULT_SIZE) {
+ memcpy(&kma->j0, iv, ivlen);
+ kma->j0.w[3] = 1;
+ kma->cv.w = 1;
+ } else {
+ unsigned long long ivbits = ivlen << 3;
+ size_t len = S390X_gcm_ivpadlen(ivlen);
+ unsigned char iv_zero_pad[S390X_gcm_ivpadlen(GCM_IV_MAX_SIZE)];
+ /*
+ * The IV length needs to be zero padded to be a multiple of 16 bytes
+ * followed by 8 bytes of zeros and 8 bytes for the IV length.
+ * The GHASH of this value can then be calculated.
+ */
+ memcpy(iv_zero_pad, iv, ivlen);
+ memset(iv_zero_pad + ivlen, 0, len - ivlen);
+ memcpy(iv_zero_pad + len - sizeof(ivbits), &ivbits, sizeof(ivbits));
+ /*
+ * Calculate the ghash of the iv - the result is stored into the tag
+ * param.
+ */
+ s390x_kma(iv_zero_pad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
+ actx->plat.s390x.fc |= S390X_KMA_HS; /* The hash subkey is set */
+
+ /* Copy the 128 bit GHASH result into J0 and clear the tag */
+ kma->j0.g[0] = kma->t.g[0];
+ kma->j0.g[1] = kma->t.g[1];
+ kma->t.g[0] = 0;
+ kma->t.g[1] = 0;
+ /* Set the 32 bit counter */
+ kma->cv.w = kma->j0.w[3];
+ }
+ return 1;
+}
+
+static int s390x_aes_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag)
+{
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+ S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
+ unsigned char out[AES_BLOCK_SIZE];
+ int rc;
+
+ kma->taadl <<= 3;
+ kma->tpcl <<= 3;
+ s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
+ actx->plat.s390x.mres, actx->plat.s390x.mreslen, out,
+ actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma);
+
+ /* gctx->mres already returned to the caller */
+ OPENSSL_cleanse(out, actx->plat.s390x.mreslen);
+
+ if (ctx->enc) {
+ ctx->taglen = GCM_TAG_MAX_SIZE;
+ memcpy(tag, kma->t.b, ctx->taglen);
+ rc = 1;
+ } else {
+ if (ctx->taglen < 0)
+ rc = 0;
+ else
+ rc = (CRYPTO_memcmp(tag, kma->t.b, ctx->taglen) == 0);
+ }
+ return rc;
+}
+
+static int s390x_aes_gcm_one_shot(PROV_GCM_CTX *ctx,
+ unsigned char *aad, size_t aad_len,
+ const unsigned char *in, size_t in_len,
+ unsigned char *out,
+ unsigned char *tag, size_t taglen)
+{
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+ S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
+ int rc;
+
+ kma->taadl = aad_len << 3;
+ kma->tpcl = in_len << 3;
+ s390x_kma(aad, aad_len, in, in_len, out,
+ actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma);
+
+ if (ctx->enc) {
+ memcpy(tag, kma->t.b, taglen);
+ rc = 1;
+ } else {
+ rc = (CRYPTO_memcmp(tag, kma->t.b, taglen) == 0);
+ }
+ return rc;
+}
+
+/*
+ * Process additional authenticated data. Returns 1 on success. Code is
+ * big-endian.
+ */
+static int s390x_aes_gcm_aad_update(PROV_GCM_CTX *ctx,
+ const unsigned char *aad, size_t len)
+{
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+ S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
+ unsigned long long alen;
+ int n, rem;
+
+ /* If already processed pt/ct then error */
+ if (kma->tpcl != 0)
+ return 0;
+
+ /* update the total aad length */
+ alen = kma->taadl + len;
+ if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
+ return 0;
+ kma->taadl = alen;
+
+ /* check if there is any existing aad data from a previous add */
+ n = actx->plat.s390x.areslen;
+ if (n) {
+ /* add additional data to a buffer until it has 16 bytes */
+ while (n && len) {
+ actx->plat.s390x.ares[n] = *aad;
+ ++aad;
+ --len;
+ n = (n + 1) & 0xf;
+ }
+ /* ctx->ares contains a complete block if offset has wrapped around */
+ if (!n) {
+ s390x_kma(actx->plat.s390x.ares, 16, NULL, 0, NULL,
+ actx->plat.s390x.fc, kma);
+ actx->plat.s390x.fc |= S390X_KMA_HS;
+ }
+ actx->plat.s390x.areslen = n;
+ }
+
+ /* If there are leftover bytes (< 128 bits) save them for next time */
+ rem = len & 0xf;
+ /* Add any remaining 16 byte blocks (128 bit each) */
+ len &= ~(size_t)0xf;
+ if (len) {
+ s390x_kma(aad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
+ actx->plat.s390x.fc |= S390X_KMA_HS;
+ aad += len;
+ }
+
+ if (rem) {
+ actx->plat.s390x.areslen = rem;
+
+ do {
+ --rem;
+ actx->plat.s390x.ares[rem] = aad[rem];
+ } while (rem);
+ }
+ return 1;
+}
+
+/*-
+ * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 1 for
+ * success. Code is big-endian.
+ */
+static int s390x_aes_gcm_cipher_update(PROV_GCM_CTX *ctx,
+ const unsigned char *in, size_t len,
+ unsigned char *out)
+{
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+ S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
+ const unsigned char *inptr;
+ unsigned long long mlen;
+ union {
+ unsigned int w[4];
+ unsigned char b[16];
+ } buf;
+ size_t inlen;
+ int n, rem, i;
+
+ mlen = kma->tpcl + len;
+ if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
+ return 0;
+ kma->tpcl = mlen;
+
+ n = actx->plat.s390x.mreslen;
+ if (n) {
+ inptr = in;
+ inlen = len;
+ while (n && inlen) {
+ actx->plat.s390x.mres[n] = *inptr;
+ n = (n + 1) & 0xf;
+ ++inptr;
+ --inlen;
+ }
+ /* ctx->mres contains a complete block if offset has wrapped around */
+ if (!n) {
+ s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
+ actx->plat.s390x.mres, 16, buf.b,
+ actx->plat.s390x.fc | S390X_KMA_LAAD, kma);
+ actx->plat.s390x.fc |= S390X_KMA_HS;
+ actx->plat.s390x.areslen = 0;
+
+ /* previous call already encrypted/decrypted its remainder,
+ * see comment below */
+ n = actx->plat.s390x.mreslen;
+ while (n) {
+ *out = buf.b[n];
+ n = (n + 1) & 0xf;
+ ++out;
+ ++in;
+ --len;
+ }
+ actx->plat.s390x.mreslen = 0;
+ }
+ }
+
+ rem = len & 0xf;
+
+ len &= ~(size_t)0xf;
+ if (len) {
+ s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen, in, len, out,
+ actx->plat.s390x.fc | S390X_KMA_LAAD, kma);
+ in += len;
+ out += len;
+ actx->plat.s390x.fc |= S390X_KMA_HS;
+ actx->plat.s390x.areslen = 0;
+ }
+
+ /*-
+ * If there is a remainder, it has to be saved such that it can be
+ * processed by kma later. However, we also have to do the for-now
+ * unauthenticated encryption/decryption part here and now...
+ */
+ if (rem) {
+ if (!actx->plat.s390x.mreslen) {
+ buf.w[0] = kma->j0.w[0];
+ buf.w[1] = kma->j0.w[1];
+ buf.w[2] = kma->j0.w[2];
+ buf.w[3] = kma->cv.w + 1;
+ s390x_km(buf.b, 16, actx->plat.s390x.kres,
+ actx->plat.s390x.fc & 0x1f, &kma->k);
+ }
+
+ n = actx->plat.s390x.mreslen;
+ for (i = 0; i < rem; i++) {
+ actx->plat.s390x.mres[n + i] = in[i];
+ out[i] = in[i] ^ actx->plat.s390x.kres[n + i];
+ }
+ actx->plat.s390x.mreslen += rem;
+ }
+ return 1;
+}
+
+static const PROV_GCM_HW s390x_aes_gcm = {
+ s390x_aes_gcm_initkey,
+ s390x_aes_gcm_setiv,
+ s390x_aes_gcm_aad_update,
+ s390x_aes_gcm_cipher_update,
+ s390x_aes_gcm_cipher_final,
+ s390x_aes_gcm_one_shot
+};
+
+const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
+{
+ if ((keybits == 128 && S390X_aes_128_gcm_CAPABLE)
+ || (keybits == 192 && S390X_aes_192_gcm_CAPABLE)
+ || (keybits == 256 && S390X_aes_256_gcm_CAPABLE))
+ return &s390x_aes_gcm;
+ return &aes_gcm;
+}
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Fujitsu SPARC64 X support for AES GCM.
+ * This file is included by cipher_gcm_hw.c
+ */
+
+static int t4_aes_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+ size_t keylen)
+{
+ ctr128_f ctr;
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+ AES_KEY *ks = &actx->ks.ks;
+
+
+ switch (keylen) {
+ case 16:
+ ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
+ break;
+ case 24:
+ ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
+ break;
+ case 32:
+ ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
+ break;
+ default:
+ return 0;
+ }
+
+ SET_KEY_CTR_FN(ks, aes_t4_set_encrypt_key, aes_t4_encrypt, ctr);
+ return 1;
+}
+
+static const PROV_GCM_HW t4_aes_gcm = {
+ t4_aes_gcm_initkey,
+ gcm_setiv,
+ gcm_aad_update,
+ gcm_cipher_update,
+ gcm_cipher_final,
+ gcm_one_shot
+};
+const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
+{
+ return SPARC_AES_CAPABLE ? &t4_aes_gcm : &aes_gcm;
+}
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+static int cipher_hw_aes_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ int ret;
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+ AES_KEY *ks = &adat->ks.ks;
+
+ dat->ks = ks;
+
+ if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+ && !dat->enc) {
+#ifdef HWAES_CAPABLE
+ if (HWAES_CAPABLE) {
+ ret = HWAES_set_decrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f)HWAES_decrypt;
+ dat->stream.cbc = NULL;
+# ifdef HWAES_cbc_encrypt
+ if (dat->mode == EVP_CIPH_CBC_MODE)
+ dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
+# endif
+ } else
+#endif
+#ifdef BSAES_CAPABLE
+ if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CBC_MODE) {
+ ret = AES_set_decrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f)AES_decrypt;
+ dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
+ } else
+#endif
+#ifdef VPAES_CAPABLE
+ if (VPAES_CAPABLE) {
+ ret = vpaes_set_decrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f)vpaes_decrypt;
+ dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+ ?(cbc128_f)vpaes_cbc_encrypt : NULL;
+ } else
+#endif
+ {
+ ret = AES_set_decrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f)AES_decrypt;
+ dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+ ? (cbc128_f)AES_cbc_encrypt : NULL;
+ }
+ } else
+#ifdef HWAES_CAPABLE
+ if (HWAES_CAPABLE) {
+ ret = HWAES_set_encrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f)HWAES_encrypt;
+ dat->stream.cbc = NULL;
+# ifdef HWAES_cbc_encrypt
+ if (dat->mode == EVP_CIPH_CBC_MODE)
+ dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
+ else
+# endif
+# ifdef HWAES_ctr32_encrypt_blocks
+ if (dat->mode == EVP_CIPH_CTR_MODE)
+ dat->stream.ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks;
+ else
+# endif
+ (void)0; /* terminate potentially open 'else' */
+ } else
+#endif
+#ifdef BSAES_CAPABLE
+ if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CTR_MODE) {
+ ret = AES_set_encrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f)AES_encrypt;
+ dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
+ } else
+#endif
+#ifdef VPAES_CAPABLE
+ if (VPAES_CAPABLE) {
+ ret = vpaes_set_encrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f)vpaes_encrypt;
+ dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+ ? (cbc128_f)vpaes_cbc_encrypt : NULL;
+ } else
+#endif
+ {
+ ret = AES_set_encrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f)AES_encrypt;
+ dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+ ? (cbc128_f)AES_cbc_encrypt : NULL;
+#ifdef AES_CTR_ASM
+ if (dat->mode == EVP_CIPH_CTR_MODE)
+ dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
+#endif
+ }
+
+ if (ret < 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
+ return 0;
+ }
+
+ return 1;
+}
+
+#define PROV_CIPHER_HW_aes_mode(mode) \
+static const PROV_CIPHER_HW aes_##mode = { \
+ cipher_hw_aes_initkey, \
+ cipher_hw_generic_##mode \
+}; \
+PROV_CIPHER_HW_declare(mode) \
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_##mode(size_t keybits) \
+{ \
+ PROV_CIPHER_HW_select(mode) \
+ return &aes_##mode; \
+}
+
+#if defined(AESNI_CAPABLE)
+# include "cipher_aes_hw_aesni.inc"
+#elif defined(SPARC_AES_CAPABLE)
+# include "cipher_aes_hw_t4.inc"
+#elif defined(S390X_aes_128_CAPABLE)
+# include "cipher_aes_hw_s390x.inc"
+#else
+/* The generic case */
+# define PROV_CIPHER_HW_declare(mode)
+# define PROV_CIPHER_HW_select(mode)
+#endif
+
+PROV_CIPHER_HW_aes_mode(cbc)
+PROV_CIPHER_HW_aes_mode(ecb)
+PROV_CIPHER_HW_aes_mode(ofb128)
+PROV_CIPHER_HW_aes_mode(cfb128)
+PROV_CIPHER_HW_aes_mode(cfb1)
+PROV_CIPHER_HW_aes_mode(cfb8)
+PROV_CIPHER_HW_aes_mode(ctr)
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * AES-NI support for AES modes ecb, cbc, ofb, cfb, ctr.
+ * This file is included by cipher_aes_hw.c
+ */
+
+#define cipher_hw_aesni_ofb128 cipher_hw_generic_ofb128
+#define cipher_hw_aesni_cfb128 cipher_hw_generic_cfb128
+#define cipher_hw_aesni_cfb8 cipher_hw_generic_cfb8
+#define cipher_hw_aesni_cfb1 cipher_hw_generic_cfb1
+#define cipher_hw_aesni_ctr cipher_hw_generic_ctr
+
+static int cipher_hw_aesni_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ int ret;
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+ AES_KEY *ks = &adat->ks.ks;
+
+ dat->ks = ks;
+
+ if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+ && !dat->enc) {
+ ret = aesni_set_decrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f) aesni_decrypt;
+ dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+ (cbc128_f) aesni_cbc_encrypt : NULL;
+ } else {
+ ret = aesni_set_encrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f) aesni_encrypt;
+ if (dat->mode == EVP_CIPH_CBC_MODE)
+ dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
+ else if (dat->mode == EVP_CIPH_CTR_MODE)
+ dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
+ else
+ dat->stream.cbc = NULL;
+ }
+
+ if (ret < 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
+ return 0;
+ }
+
+ return 1;
+}
+
+static int cipher_hw_aesni_cbc(PROV_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ const AES_KEY *ks = ctx->ks;
+
+ aesni_cbc_encrypt(in, out, len, ks, ctx->iv, ctx->enc);
+
+ return 1;
+}
+
+static int cipher_hw_aesni_ecb(PROV_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ if (len < ctx->blocksize)
+ return 1;
+
+ aesni_ecb_encrypt(in, out, len, ctx->ks, ctx->enc);
+
+ return 1;
+}
+
+#define PROV_CIPHER_HW_declare(mode) \
+static const PROV_CIPHER_HW aesni_##mode = { \
+ cipher_hw_aesni_initkey, \
+ cipher_hw_aesni_##mode \
+};
+#define PROV_CIPHER_HW_select(mode) \
+if (AESNI_CAPABLE) \
+ return &aesni_##mode;
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * IBM S390X support for AES modes ecb, cbc, ofb, cfb, ctr.
+ * This file is included by cipher_aes_hw.c
+ */
+
+#include "s390x_arch.h"
+
+#define s390x_aes_cbc_initkey cipher_hw_aes_initkey
+#define s390x_aes_cfb1_initkey cipher_hw_aes_initkey
+#define s390x_aes_ctr_initkey cipher_hw_aes_initkey
+#define s390x_aes_cbc_cipher_hw cipher_hw_generic_cbc
+#define s390x_aes_cfb1_cipher_hw cipher_hw_generic_cfb1
+#define s390x_aes_ctr_cipher_hw cipher_hw_generic_ctr
+
+static int s390x_aes_ecb_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+ adat->plat.s390x.fc = S390X_AES_FC(keylen);
+ if (!dat->enc)
+ adat->plat.s390x.fc |= S390X_DECRYPT;
+
+ memcpy(adat->plat.s390x.param.km.k, key, keylen);
+ return 1;
+}
+
+static int s390x_aes_ecb_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+ s390x_km(in, len, out, adat->plat.s390x.fc, &adat->plat.s390x.param.km);
+ return 1;
+}
+
+static int s390x_aes_ofb_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+ memcpy(adat->plat.s390x.param.kmo_kmf.cv, dat->iv, dat->blocksize);
+ memcpy(adat->plat.s390x.param.kmo_kmf.k, key, keylen);
+ adat->plat.s390x.fc = S390X_AES_FC(keylen);
+ adat->plat.s390x.res = 0;
+ return 1;
+}
+
+static int s390x_aes_ofb_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+ int n = adat->plat.s390x.res;
+ int rem;
+
+ while (n && len) {
+ *out = *in ^ adat->plat.s390x.param.kmo_kmf.cv[n];
+ n = (n + 1) & 0xf;
+ --len;
+ ++in;
+ ++out;
+ }
+
+ rem = len & 0xf;
+
+ len &= ~(size_t)0xf;
+ if (len) {
+ s390x_kmo(in, len, out, adat->plat.s390x.fc,
+ &adat->plat.s390x.param.kmo_kmf);
+
+ out += len;
+ in += len;
+ }
+
+ if (rem) {
+ s390x_km(adat->plat.s390x.param.kmo_kmf.cv, 16,
+ adat->plat.s390x.param.kmo_kmf.cv, adat->plat.s390x.fc,
+ adat->plat.s390x.param.kmo_kmf.k);
+
+ while (rem--) {
+ out[n] = in[n] ^ adat->plat.s390x.param.kmo_kmf.cv[n];
+ ++n;
+ }
+ }
+
+ adat->plat.s390x.res = n;
+ return 1;
+}
+
+static int s390x_aes_cfb_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+ adat->plat.s390x.fc = S390X_AES_FC(keylen);
+ adat->plat.s390x.fc |= 16 << 24; /* 16 bytes cipher feedback */
+ if (!dat->enc)
+ adat->plat.s390x.fc |= S390X_DECRYPT;
+
+ adat->plat.s390x.res = 0;
+ memcpy(adat->plat.s390x.param.kmo_kmf.cv, dat->iv, dat->blocksize);
+ memcpy(adat->plat.s390x.param.kmo_kmf.k, key, keylen);
+ return 1;
+}
+
+static int s390x_aes_cfb_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+ int n = adat->plat.s390x.res;
+ int rem;
+ unsigned char tmp;
+
+ while (n && len) {
+ tmp = *in;
+ *out = adat->plat.s390x.param.kmo_kmf.cv[n] ^ tmp;
+ adat->plat.s390x.param.kmo_kmf.cv[n] = dat->enc ? *out : tmp;
+ n = (n + 1) & 0xf;
+ --len;
+ ++in;
+ ++out;
+ }
+
+ rem = len & 0xf;
+
+ len &= ~(size_t)0xf;
+ if (len) {
+ s390x_kmf(in, len, out, adat->plat.s390x.fc,
+ &adat->plat.s390x.param.kmo_kmf);
+
+ out += len;
+ in += len;
+ }
+
+ if (rem) {
+ s390x_km(adat->plat.s390x.param.kmo_kmf.cv, 16,
+ adat->plat.s390x.param.kmo_kmf.cv,
+ S390X_AES_FC(dat->keylen), adat->plat.s390x.param.kmo_kmf.k);
+
+ while (rem--) {
+ tmp = in[n];
+ out[n] = adat->plat.s390x.param.kmo_kmf.cv[n] ^ tmp;
+ adat->plat.s390x.param.kmo_kmf.cv[n] = dat->enc ? out[n] : tmp;
+ ++n;
+ }
+ }
+
+ adat->plat.s390x.res = n;
+ return 1;
+}
+
+static int s390x_aes_cfb8_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+ adat->plat.s390x.fc = S390X_AES_FC(keylen);
+ adat->plat.s390x.fc |= 1 << 24; /* 1 byte cipher feedback */
+ if (!dat->enc)
+ adat->plat.s390x.fc |= S390X_DECRYPT;
+
+ memcpy(adat->plat.s390x.param.kmo_kmf.cv, dat->iv, dat->blocksize);
+ memcpy(adat->plat.s390x.param.kmo_kmf.k, key, keylen);
+ return 1;
+}
+
+static int s390x_aes_cfb8_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+ s390x_kmf(in, len, out, adat->plat.s390x.fc,
+ &adat->plat.s390x.param.kmo_kmf);
+ return 1;
+}
+
+#define PROV_CIPHER_HW_declare(mode) \
+static const PROV_CIPHER_HW s390x_aes_##mode = { \
+ s390x_aes_##mode##_initkey, \
+ s390x_aes_##mode##_cipher_hw \
+};
+#define PROV_CIPHER_HW_select(mode) \
+if ((keybits == 128 && S390X_aes_128_##mode##_CAPABLE) \
+ || (keybits == 192 && S390X_aes_192_##mode##_CAPABLE) \
+ || (keybits == 256 && S390X_aes_256_##mode##_CAPABLE)) \
+ return &s390x_aes_##mode;
+
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Sparc t4 support for AES modes ecb, cbc, ofb, cfb, ctr.
+ * This file is included by cipher_aes_hw.c
+ */
+
+static int cipher_hw_aes_t4_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ int ret, bits;
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+ dat->ks = &adat->ks.ks;
+
+ bits = keylen * 8;
+ if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+ && !dat->enc) {
+ ret = 0;
+ aes_t4_set_decrypt_key(key, bits, dat->ks);
+ dat->block = (block128_f) aes_t4_decrypt;
+ switch (bits) {
+ case 128:
+ dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+ (cbc128_f) aes128_t4_cbc_decrypt : NULL;
+ break;
+ case 192:
+ dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+ (cbc128_f) aes192_t4_cbc_decrypt : NULL;
+ break;
+ case 256:
+ dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+ (cbc128_f) aes256_t4_cbc_decrypt : NULL;
+ break;
+ default:
+ ret = -1;
+ }
+ } else {
+ ret = 0;
+ aes_t4_set_encrypt_key(key, bits, dat->ks);
+ dat->block = (block128_f)aes_t4_encrypt;
+ switch (bits) {
+ case 128:
+ if (dat->mode == EVP_CIPH_CBC_MODE)
+ dat->stream.cbc = (cbc128_f)aes128_t4_cbc_encrypt;
+ else if (dat->mode == EVP_CIPH_CTR_MODE)
+ dat->stream.ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
+ else
+ dat->stream.cbc = NULL;
+ break;
+ case 192:
+ if (dat->mode == EVP_CIPH_CBC_MODE)
+ dat->stream.cbc = (cbc128_f)aes192_t4_cbc_encrypt;
+ else if (dat->mode == EVP_CIPH_CTR_MODE)
+ dat->stream.ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
+ else
+ dat->stream.cbc = NULL;
+ break;
+ case 256:
+ if (dat->mode == EVP_CIPH_CBC_MODE)
+ dat->stream.cbc = (cbc128_f)aes256_t4_cbc_encrypt;
+ else if (dat->mode == EVP_CIPH_CTR_MODE)
+ dat->stream.ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
+ else
+ dat->stream.cbc = NULL;
+ break;
+ default:
+ ret = -1;
+ }
+ }
+
+ if (ret < 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
+ return 0;
+ }
+
+ return 1;
+}
+
+#define PROV_CIPHER_HW_declare(mode) \
+static const PROV_CIPHER_HW aes_t4_##mode = { \
+ cipher_hw_aes_t4_initkey, \
+ cipher_hw_generic_##mode \
+};
+#define PROV_CIPHER_HW_select(mode) \
+ if (SPARC_AES_CAPABLE) \
+ return aes_t4_##mode;
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for ARIA cipher modes ecb, cbc, ofb, cfb, ctr */
+
+#include "cipher_locl.h"
+
+static OSSL_OP_cipher_freectx_fn aria_freectx;
+static OSSL_OP_cipher_dupctx_fn aria_dupctx;
+
+static void aria_freectx(void *vctx)
+{
+ PROV_ARIA_CTX *ctx = (PROV_ARIA_CTX *)vctx;
+
+ OPENSSL_clear_free(ctx, sizeof(*ctx));
+}
+
+static void *aria_dupctx(void *ctx)
+{
+ PROV_ARIA_CTX *in = (PROV_ARIA_CTX *)ctx;
+ PROV_ARIA_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+
+ if (ret == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ *ret = *in;
+
+ return ret;
+}
+
+/* aria256ecb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 256, 128, 0, block)
+/* aria192ecb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 192, 128, 0, block)
+/* aria128ecb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 128, 128, 0, block)
+/* aria256cbc_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 256, 128, 128, block)
+/* aria192cbc_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 192, 128, 128, block)
+/* aria128cbc_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 128, 128, 128, block)
+/* aria256ofb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 256, 8, 128, stream)
+/* aria192ofb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 192, 8, 128, stream)
+/* aria128ofb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 128, 8, 128, stream)
+/* aria256cfb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb, CFB, 0, 256, 8, 128, stream)
+/* aria192cfb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb, CFB, 0, 192, 8, 128, stream)
+/* aria128cfb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb, CFB, 0, 128, 8, 128, stream)
+/* aria256cfb1_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 256, 8, 128, stream)
+/* aria192cfb1_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 192, 8, 128, stream)
+/* aria128cfb1_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 128, 8, 128, stream)
+/* aria256cfb8_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 256, 8, 128, stream)
+/* aria192cfb8_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 192, 8, 128, stream)
+/* aria128cfb8_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 128, 8, 128, stream)
+/* aria256ctr_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 256, 8, 128, stream)
+/* aria192ctr_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 192, 8, 128, stream)
+/* aria128ctr_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 128, 8, 128, stream)
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#if !defined(OPENSSL_NO_ARIA)
+# include "internal/aria.h"
+
+typedef struct prov_aria_ctx_st {
+ PROV_CIPHER_CTX base; /* Must be first */
+ union {
+ OSSL_UNION_ALIGN;
+ ARIA_KEY ks;
+ } ks;
+} PROV_ARIA_CTX;
+
+# define PROV_CIPHER_HW_aria_ofb PROV_CIPHER_HW_aria_ofb128
+# define PROV_CIPHER_HW_aria_cfb PROV_CIPHER_HW_aria_cfb128
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_ecb(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_cbc(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_ofb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_cfb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_cfb1(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_cfb8(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_ctr(size_t keybits);
+
+#endif /* OPENSSL_NO_ARIA */
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for ARIA CCM mode */
+
+#include "cipher_locl.h"
+
+static void *aria_ccm_newctx(void *provctx, size_t keybits)
+{
+ PROV_ARIA_CCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+ if (ctx != NULL)
+ ccm_initctx(&ctx->base, keybits, PROV_ARIA_HW_ccm(keybits));
+ return ctx;
+}
+
+static OSSL_OP_cipher_freectx_fn aria_ccm_freectx;
+static void aria_ccm_freectx(void *vctx)
+{
+ PROV_ARIA_CCM_CTX *ctx = (PROV_ARIA_CCM_CTX *)vctx;
+
+ ccm_finalctx((PROV_CCM_CTX *)ctx);
+ OPENSSL_clear_free(ctx, sizeof(*ctx));
+}
+
+/* aria128ccm functions */
+IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 128, 8, 96);
+/* aria192ccm functions */
+IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 192, 8, 96);
+/* aria256ccm functions */
+IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 256, 8, 96);
+
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Generic support for ARIA CCM.
+ * This file is included by cipher_ccm_hw.c
+ */
+
+#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
+
+static int ccm_aria_initkey(PROV_CCM_CTX *ctx,
+ const unsigned char *key, size_t keylen)
+{
+ PROV_ARIA_CCM_CTX *actx = (PROV_ARIA_CCM_CTX *)ctx;
+
+ aria_set_encrypt_key(key, keylen * 8, &actx->ks.ks);
+ CRYPTO_ccm128_init(&ctx->ccm_ctx, ctx->m, ctx->l, &actx->ks.ks,
+ (block128_f)aria_encrypt);
+ ctx->str = NULL;
+ ctx->key_set = 1;
+ return 1;
+}
+
+static const PROV_CCM_HW ccm_aria = {
+ ccm_aria_initkey,
+ ccm_generic_setiv,
+ ccm_generic_setaad,
+ ccm_generic_auth_encrypt,
+ ccm_generic_auth_decrypt,
+ ccm_generic_gettag
+};
+const PROV_CCM_HW *PROV_ARIA_HW_ccm(size_t keybits)
+{
+ return &ccm_aria;
+}
+#endif /* OPENSSL_NO_ARIA */
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for ARIA GCM mode */
+
+#include "cipher_locl.h"
+
+static void *aria_gcm_newctx(void *provctx, size_t keybits)
+{
+ PROV_ARIA_GCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+ if (ctx != NULL)
+ gcm_initctx(provctx, &ctx->base, keybits, PROV_ARIA_HW_gcm(keybits), 4);
+ return ctx;
+}
+
+static OSSL_OP_cipher_freectx_fn aria_gcm_freectx;
+static void aria_gcm_freectx(void *vctx)
+{
+ PROV_ARIA_GCM_CTX *ctx = (PROV_ARIA_GCM_CTX *)vctx;
+
+ gcm_deinitctx((PROV_GCM_CTX *)ctx);
+ OPENSSL_clear_free(ctx, sizeof(*ctx));
+}
+
+/* aria128gcm_functions */
+IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 128, 8, 96);
+/* aria192gcm_functions */
+IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 192, 8, 96);
+/* aria256gcm_functions */
+IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 256, 8, 96);
+
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Generic support for ARIA GCM.
+ * This file is included by cipher_gcm_hw.c
+ */
+
+#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
+
+static int aria_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+ size_t keylen)
+{
+ PROV_ARIA_GCM_CTX *actx = (PROV_ARIA_GCM_CTX *)ctx;
+ ARIA_KEY *ks = &actx->ks.ks;
+
+ SET_KEY_CTR_FN(ks, aria_set_encrypt_key, aria_encrypt, NULL);
+ return 1;
+}
+
+static int aria_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
+ size_t len, unsigned char *out)
+{
+ if (ctx->enc) {
+ if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len))
+ return 0;
+ } else {
+ if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, len))
+ return 0;
+ }
+ return 1;
+}
+
+static const PROV_GCM_HW aria_gcm = {
+ aria_gcm_initkey,
+ gcm_setiv,
+ gcm_aad_update,
+ aria_cipher_update,
+ gcm_cipher_final,
+ gcm_one_shot
+};
+const PROV_GCM_HW *PROV_ARIA_HW_gcm(size_t keybits)
+{
+ return &aria_gcm;
+}
+
+#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+static int cipher_hw_aria_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ int ret, mode = dat->mode;
+ PROV_ARIA_CTX *adat = (PROV_ARIA_CTX *)dat;
+ ARIA_KEY *ks = &adat->ks.ks;
+
+ if (dat->enc || (mode != EVP_CIPH_ECB_MODE && mode != EVP_CIPH_CBC_MODE))
+ ret = aria_set_encrypt_key(key, keylen * 8, ks);
+ else
+ ret = aria_set_decrypt_key(key, keylen * 8, ks);
+ if (ret < 0) {
+ ERR_raise(ERR_LIB_PROV, EVP_R_ARIA_KEY_SETUP_FAILED);
+ return 0;
+ }
+ dat->ks = ks;
+ dat->block = (block128_f)aria_encrypt;
+ return 1;
+}
+
+# define PROV_CIPHER_HW_aria_mode(mode) \
+static const PROV_CIPHER_HW aria_##mode = { \
+ cipher_hw_aria_initkey, \
+ cipher_hw_chunked_##mode \
+}; \
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_##mode(size_t keybits) \
+{ \
+ return &aria_##mode; \
+}
+
+PROV_CIPHER_HW_aria_mode(cbc)
+PROV_CIPHER_HW_aria_mode(ecb)
+PROV_CIPHER_HW_aria_mode(ofb128)
+PROV_CIPHER_HW_aria_mode(cfb128)
+PROV_CIPHER_HW_aria_mode(cfb1)
+PROV_CIPHER_HW_aria_mode(cfb8)
+PROV_CIPHER_HW_aria_mode(ctr)
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for CAMELLIA cipher modes ecb, cbc, ofb, cfb, ctr */
+
+#include "cipher_locl.h"
+
+#if !defined(OPENSSL_NO_CAMELLIA)
+static OSSL_OP_cipher_freectx_fn camellia_freectx;
+static OSSL_OP_cipher_dupctx_fn camellia_dupctx;
+
+static void camellia_freectx(void *vctx)
+{
+ PROV_CAMELLIA_CTX *ctx = (PROV_CAMELLIA_CTX *)vctx;
+
+ OPENSSL_clear_free(ctx, sizeof(*ctx));
+}
+
+static void *camellia_dupctx(void *ctx)
+{
+ PROV_CAMELLIA_CTX *in = (PROV_CAMELLIA_CTX *)ctx;
+ PROV_CAMELLIA_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+
+ if (ret == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ *ret = *in;
+
+ return ret;
+}
+
+/* camellia256ecb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 256, 128, 0, block)
+/* camellia192ecb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 192, 128, 0, block)
+/* camellia128ecb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 128, 128, 0, block)
+/* camellia256cbc_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 256, 128, 128, block)
+/* camellia192cbc_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 192, 128, 128, block)
+/* camellia128cbc_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 128, 128, 128, block)
+/* camellia256ofb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 256, 8, 128, stream)
+/* camellia192ofb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 192, 8, 128, stream)
+/* camellia128ofb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 128, 8, 128, stream)
+/* camellia256cfb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb, CFB, 0, 256, 8, 128, stream)
+/* camellia192cfb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb, CFB, 0, 192, 8, 128, stream)
+/* camellia128cfb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb, CFB, 0, 128, 8, 128, stream)
+/* camellia256cfb1_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 256, 8, 128, stream)
+/* camellia192cfb1_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 192, 8, 128, stream)
+/* camellia128cfb1_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 128, 8, 128, stream)
+/* camellia256cfb8_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 256, 8, 128, stream)
+/* camellia192cfb8_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 192, 8, 128, stream)
+/* camellia128cfb8_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 128, 8, 128, stream)
+/* camellia256ctr_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 256, 8, 128, stream)
+/* camellia192ctr_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 192, 8, 128, stream)
+/* camellia128ctr_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 128, 8, 128, stream)
+
+#endif /* OPENSSL_NO_CAMELLIA */
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_NO_CAMELLIA
+
+# include <openssl/camellia.h>
+
+typedef struct prov_camellia_ctx_st {
+ PROV_CIPHER_CTX base; /* Must be first */
+ union {
+ OSSL_UNION_ALIGN;
+ CAMELLIA_KEY ks;
+ } ks;
+} PROV_CAMELLIA_CTX;
+
+# define PROV_CIPHER_HW_camellia_ofb PROV_CIPHER_HW_camellia_ofb128
+# define PROV_CIPHER_HW_camellia_cfb PROV_CIPHER_HW_camellia_cfb128
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_ecb(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_cbc(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_ofb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_cfb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_cfb1(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_cfb8(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_ctr(size_t keybits);
+
+#endif /* OPENSSL_NO_CAMELLIA */
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+#if !defined(OPENSSL_NO_CAMELLIA)
+static int cipher_hw_camellia_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ int ret, mode = dat->mode;
+ PROV_CAMELLIA_CTX *adat = (PROV_CAMELLIA_CTX *)dat;
+ CAMELLIA_KEY *ks = &adat->ks.ks;
+
+ dat->ks = ks;
+ ret = Camellia_set_key(key, keylen * 8, ks);
+ if (ret < 0) {
+ ERR_raise(ERR_LIB_PROV, EVP_R_ARIA_KEY_SETUP_FAILED);
+ return 0;
+ }
+ if (dat->enc || (mode != EVP_CIPH_ECB_MODE && mode != EVP_CIPH_CBC_MODE)) {
+ dat->block = (block128_f) Camellia_encrypt;
+ dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
+ (cbc128_f) Camellia_cbc_encrypt : NULL;
+ } else {
+ dat->block = (block128_f) Camellia_decrypt;
+ dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
+ (cbc128_f) Camellia_cbc_encrypt : NULL;
+ }
+ return 1;
+}
+
+# if defined(SPARC_CMLL_CAPABLE)
+# include "cipher_camellia_hw_t4.inc"
+# else
+/* The generic case */
+# define PROV_CIPHER_HW_declare(mode)
+# define PROV_CIPHER_HW_select(mode)
+# endif /* SPARC_CMLL_CAPABLE */
+
+#define PROV_CIPHER_HW_camellia_mode(mode) \
+static const PROV_CIPHER_HW camellia_##mode = { \
+ cipher_hw_camellia_initkey, \
+ cipher_hw_generic_##mode \
+}; \
+PROV_CIPHER_HW_declare(mode) \
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_##mode(size_t keybits) \
+{ \
+ PROV_CIPHER_HW_select(mode) \
+ return &camellia_##mode; \
+}
+
+PROV_CIPHER_HW_camellia_mode(cbc)
+PROV_CIPHER_HW_camellia_mode(ecb)
+PROV_CIPHER_HW_camellia_mode(ofb128)
+PROV_CIPHER_HW_camellia_mode(cfb128)
+PROV_CIPHER_HW_camellia_mode(cfb1)
+PROV_CIPHER_HW_camellia_mode(cfb8)
+PROV_CIPHER_HW_camellia_mode(ctr)
+#endif /* OPENSSL_NO_CAMELLIA */
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Fujitsu SPARC64 X support for camellia modes.
+ * This file is included by cipher_camellia_hw.c
+ */
+
+static int cipher_hw_camellia_t4_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key,
+ size_t keylen)
+{
+ int ret = 0, bits, mode = dat->mode;
+ PROV_CAMELLIA_CTX *adat = (PROV_CAMELLIA_CTX *)dat;
+ CAMELLIA_KEY *ks = &adat->ks.ks;
+
+ dat->ks = ks;
+ bits = keylen * 8;
+
+ cmll_t4_set_key(key, bits, ks);
+
+ if (dat->enc || (mode != EVP_CIPH_ECB_MODE && mode != EVP_CIPH_CBC_MODE)) {
+ dat->block = (block128_f) cmll_t4_encrypt;
+ switch (bits) {
+ case 128:
+ if (mode == EVP_CIPH_CBC_MODE)
+ dat->stream.cbc = (cbc128_f) cmll128_t4_cbc_encrypt;
+ else if (mode == EVP_CIPH_CTR_MODE)
+ dat->stream.ctr = (ctr128_f) cmll128_t4_ctr32_encrypt;
+ else
+ dat->stream.cbc = NULL;
+ break;
+ case 192:
+ case 256:
+ if (mode == EVP_CIPH_CBC_MODE)
+ dat->stream.cbc = (cbc128_f) cmll256_t4_cbc_encrypt;
+ else if (mode == EVP_CIPH_CTR_MODE)
+ dat->stream.ctr = (ctr128_f) cmll256_t4_ctr32_encrypt;
+ else
+ dat->stream.cbc = NULL;
+ break;
+ default:
+ ret = -1;
+ break;
+ }
+ } else {
+ dat->block = (block128_f) cmll_t4_decrypt;
+ switch (bits) {
+ case 128:
+ dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
+ (cbc128_f) cmll128_t4_cbc_decrypt : NULL;
+ break;
+ case 192:
+ case 256:
+ dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
+ (cbc128_f) cmll256_t4_cbc_decrypt : NULL;
+ break;
+ default:
+ ret = -1;
+ break;
+ }
+ }
+ if (ret < 0) {
+ ERR_raise(ERR_LIB_PROV, EVP_R_CAMELLIA_KEY_SETUP_FAILED);
+ return 0;
+ }
+ return 1;
+}
+
+#define PROV_CIPHER_HW_declare(mode) \
+static const PROV_CIPHER_HW t4_camellia_##mode = { \
+ cipher_hw_camellia_t4_initkey, \
+ cipher_hw_generic_##mode \
+};
+#define PROV_CIPHER_HW_select(mode) \
+if (SPARC_CMLL_CAPABLE) \
+ return &t4_camellia_##mode;
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for ccm mode */
+
+#include "cipher_locl.h"
+
+static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
+ size_t *padlen, const unsigned char *in,
+ size_t len);
+
+static int ccm_tls_init(PROV_CCM_CTX *ctx, unsigned char *aad, size_t alen)
+{
+ size_t len;
+
+ if (alen != EVP_AEAD_TLS1_AAD_LEN)
+ return 0;
+
+ /* Save the aad for later use. */
+ memcpy(ctx->buf, aad, alen);
+ ctx->tls_aad_len = alen;
+
+ len = ctx->buf[alen - 2] << 8 | ctx->buf[alen - 1];
+ if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
+ return 0;
+
+ /* Correct length for explicit iv. */
+ len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
+
+ if (!ctx->enc) {
+ if (len < ctx->m)
+ return 0;
+ /* Correct length for tag. */
+ len -= ctx->m;
+ }
+ ctx->buf[alen - 2] = (unsigned char)(len >> 8);
+ ctx->buf[alen - 1] = (unsigned char)(len & 0xff);
+
+ /* Extra padding: tag appended to record. */
+ return ctx->m;
+}
+
+static int ccm_tls_iv_set_fixed(PROV_CCM_CTX *ctx, unsigned char *fixed,
+ size_t flen)
+{
+ if (flen != EVP_CCM_TLS_FIXED_IV_LEN)
+ return 0;
+
+ /* Copy to first part of the iv. */
+ memcpy(ctx->iv, fixed, flen);
+ return 1;
+}
+
+static size_t ccm_get_ivlen(PROV_CCM_CTX *ctx)
+{
+ return 15 - ctx->l;
+}
+
+int ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+ const OSSL_PARAM *p;
+ size_t sz;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
+ if (p != NULL) {
+ if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ if ((p->data_size & 1) || (p->data_size < 4) || p->data_size > 16) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
+ return 0;
+ }
+
+ if (p->data != NULL) {
+ if (ctx->enc) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOT_NEEDED);
+ return 0;
+ }
+ memcpy(ctx->buf, p->data, p->data_size);
+ ctx->tag_set = 1;
+ }
+ ctx->m = p->data_size;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
+ if (p != NULL) {
+ size_t ivlen;
+
+ if (!OSSL_PARAM_get_size_t(p, &sz)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ ivlen = 15 - sz;
+ if (ivlen < 2 || ivlen > 8) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
+ return 0;
+ }
+ ctx->l = ivlen;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
+ if (p != NULL) {
+ if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ sz = ccm_tls_init(ctx, p->data, p->data_size);
+ if (sz == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA);
+ return 0;
+ }
+ ctx->tls_aad_pad_sz = sz;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
+ if (p != NULL) {
+ if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ if (ccm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+int ccm_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+ OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
+ if (p != NULL && !OSSL_PARAM_set_int(p, ccm_get_ivlen(ctx))) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
+ if (p != NULL) {
+ if (ccm_get_ivlen(ctx) != p->data_size) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
+ return 0;
+ }
+ if (!OSSL_PARAM_set_octet_string(p, ctx->iv, p->data_size)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ }
+
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
+ if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
+ if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
+ if (p != NULL) {
+ if (!ctx->enc || !ctx->tag_set) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOTSET);
+ return 0;
+ }
+ if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ if (!ctx->hw->gettag(ctx, p->data, p->data_size))
+ return 0;
+ ctx->tag_set = 0;
+ ctx->iv_set = 0;
+ ctx->len_set = 0;
+ }
+ return 1;
+}
+
+static int ccm_init(void *vctx, const unsigned char *key, size_t keylen,
+ const unsigned char *iv, size_t ivlen, int enc)
+{
+ PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+
+ ctx->enc = enc;
+
+ if (iv != NULL) {
+ if (ivlen != ccm_get_ivlen(ctx)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
+ return 0;
+ }
+
+ memcpy(ctx->iv, iv, ivlen);
+ ctx->iv_set = 1;
+ }
+ if (key != NULL) {
+ if (keylen != ctx->keylen) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN);
+ return 0;
+ }
+ return ctx->hw->setkey(ctx, key, keylen);
+ }
+ return 1;
+}
+
+int ccm_einit(void *vctx, const unsigned char *key, size_t keylen,
+ const unsigned char *iv, size_t ivlen)
+{
+ return ccm_init(vctx, key, keylen, iv, ivlen, 1);
+}
+
+int ccm_dinit(void *vctx, const unsigned char *key, size_t keylen,
+ const unsigned char *iv, size_t ivlen)
+{
+ return ccm_init(vctx, key, keylen, iv, ivlen, 0);
+}
+
+int ccm_stream_update(void *vctx, unsigned char *out, size_t *outl,
+ size_t outsize, const unsigned char *in,
+ size_t inl)
+{
+ PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+
+ if (outsize < inl) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ if (!ccm_cipher_internal(ctx, out, outl, in, inl)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+ return 0;
+ }
+ return 1;
+}
+
+int ccm_stream_final(void *vctx, unsigned char *out, size_t *outl,
+ size_t outsize)
+{
+ PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+ int i;
+
+ i = ccm_cipher_internal(ctx, out, outl, NULL, 0);
+ if (i <= 0)
+ return 0;
+
+ *outl = 0;
+ return 1;
+}
+
+int ccm_cipher(void *vctx,
+ unsigned char *out, size_t *outl, size_t outsize,
+ const unsigned char *in, size_t inl)
+{
+ PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+
+ if (outsize < inl) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return -1;
+ }
+
+ if (ccm_cipher_internal(ctx, out, outl, in, inl) <= 0)
+ return -1;
+
+ *outl = inl;
+ return 1;
+}
+
+/* Copy the buffered iv */
+static int ccm_set_iv(PROV_CCM_CTX *ctx, size_t mlen)
+{
+ const PROV_CCM_HW *hw = ctx->hw;
+
+ if (!hw->setiv(ctx, ctx->iv, ccm_get_ivlen(ctx), mlen))
+ return 0;
+ ctx->len_set = 1;
+ return 1;
+}
+
+static int ccm_tls_cipher(PROV_CCM_CTX *ctx,
+ unsigned char *out, size_t *padlen,
+ const unsigned char *in, size_t len)
+{
+ int rv = 0;
+ size_t olen = 0;
+
+ /* Encrypt/decrypt must be performed in place */
+ if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)ctx->m))
+ goto err;
+
+ /* If encrypting set explicit IV from sequence number (start of AAD) */
+ if (ctx->enc)
+ memcpy(out, ctx->buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
+ /* Get rest of IV from explicit IV */
+ memcpy(ctx->iv + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
+ /* Correct length value */
+ len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m;
+ if (!ccm_set_iv(ctx, len))
+ goto err;
+
+ /* Use saved AAD */
+ if (!ctx->hw->setaad(ctx, ctx->buf, ctx->tls_aad_len))
+ goto err;
+
+ /* Fix buffer to point to payload */
+ in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
+ out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
+ if (ctx->enc) {
+ if (!ctx->hw->auth_encrypt(ctx, in, out, len, out + len, ctx->m))
+ goto err;
+ olen = len + EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m;
+ } else {
+ if (!ctx->hw->auth_decrypt(ctx, in, out, len,
+ (unsigned char *)in + len, ctx->m))
+ goto err;
+ olen = len;
+ }
+ rv = 1;
+err:
+ *padlen = olen;
+ return rv;
+}
+
+static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
+ size_t *padlen, const unsigned char *in,
+ size_t len)
+{
+ int rv = 0;
+ size_t olen = 0;
+ const PROV_CCM_HW *hw = ctx->hw;
+
+ /* If no key set, return error */
+ if (!ctx->key_set)
+ return 0;
+
+ if (ctx->tls_aad_len >= 0)
+ return ccm_tls_cipher(ctx, out, padlen, in, len);
+
+ /* EVP_*Final() doesn't return any data */
+ if (in == NULL && out != NULL)
+ return 1;
+
+ if (!ctx->iv_set)
+ goto err;
+
+ if (out == NULL) {
+ if (in == NULL) {
+ if (!ccm_set_iv(ctx, len))
+ goto err;
+ } else {
+ /* If we have AAD, we need a message length */
+ if (!ctx->len_set && len)
+ goto err;
+ if (!hw->setaad(ctx, in, len))
+ goto err;
+ }
+ } else {
+ /* If not set length yet do it */
+ if (!ctx->len_set && !ccm_set_iv(ctx, len))
+ goto err;
+
+ if (ctx->enc) {
+ if (!hw->auth_encrypt(ctx, in, out, len, NULL, 0))
+ goto err;
+ ctx->tag_set = 1;
+ } else {
+ /* The tag must be set before actually decrypting data */
+ if (!ctx->tag_set)
+ goto err;
+
+ if (!hw->auth_decrypt(ctx, in, out, len, ctx->buf, ctx->m))
+ goto err;
+ /* Finished - reset flags so calling this method again will fail */
+ ctx->iv_set = 0;
+ ctx->tag_set = 0;
+ ctx->len_set = 0;
+ }
+ }
+ olen = len;
+ rv = 1;
+err:
+ *padlen = olen;
+ return rv;
+}
+
+void ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits, const PROV_CCM_HW *hw)
+{
+ ctx->keylen = keybits / 8;
+ ctx->key_set = 0;
+ ctx->iv_set = 0;
+ ctx->tag_set = 0;
+ ctx->len_set = 0;
+ ctx->l = 8;
+ ctx->m = 12;
+ ctx->tls_aad_len = -1;
+ ctx->hw = hw;
+}
+
+void ccm_finalctx(PROV_CCM_CTX *ctx)
+{
+ OPENSSL_cleanse(ctx->iv, sizeof(ctx->iv));
+}
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+typedef struct prov_ccm_hw_st PROV_CCM_HW;
+
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+/*-
+ * KMAC-AES parameter block - begin
+ * (see z/Architecture Principles of Operation >= SA22-7832-08)
+ */
+typedef struct S390X_kmac_params_st {
+ union {
+ unsigned long long g[2];
+ unsigned char b[16];
+ } icv;
+ unsigned char k[32];
+} S390X_KMAC_PARAMS;
+/* KMAC-AES parameter block - end */
+#endif
+
+/* Base structure that is shared by AES & ARIA for CCM MODE */
+typedef struct prov_ccm_st {
+ int enc;
+ int key_set; /* Set if key initialised */
+ int iv_set; /* Set if an iv is set */
+ int tag_set; /* Set if tag is valid */
+ int len_set; /* Set if message length set */
+ size_t l, m; /* L and M parameters from RFC3610 */
+ size_t keylen;
+ int tls_aad_len; /* TLS AAD length */
+ int tls_aad_pad_sz;
+ unsigned char iv[AES_BLOCK_SIZE];
+ unsigned char buf[AES_BLOCK_SIZE];
+ CCM128_CONTEXT ccm_ctx;
+ ccm128_f str;
+ const PROV_CCM_HW *hw; /* hardware specific methods */
+} PROV_CCM_CTX;
+
+typedef struct prov_aes_ccm_ctx_st {
+ PROV_CCM_CTX base; /* Must be first */
+ union {
+ OSSL_UNION_ALIGN;
+ /*-
+ * Padding is chosen so that s390x.kmac.k overlaps with ks.ks and
+ * fc with ks.ks.rounds. Remember that on s390x, an AES_KEY's
+ * rounds field is used to store the function code and that the key
+ * schedule is not stored (if aes hardware support is detected).
+ */
+ struct {
+ unsigned char pad[16];
+ AES_KEY ks;
+ } ks;
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+ struct {
+ S390X_KMAC_PARAMS kmac;
+ unsigned long long blocks;
+ union {
+ unsigned long long g[2];
+ unsigned char b[AES_BLOCK_SIZE];
+ } nonce;
+ union {
+ unsigned long long g[2];
+ unsigned char b[AES_BLOCK_SIZE];
+ } buf;
+ unsigned char dummy_pad[168];
+ unsigned int fc; /* fc has same offset as ks.ks.rounds */
+ } s390x;
+#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
+ } ccm;
+} PROV_AES_CCM_CTX;
+
+PROV_CIPHER_FUNC(int, CCM_cipher, (PROV_CCM_CTX *ctx, unsigned char *out, \
+ size_t *padlen, const unsigned char *in, \
+ size_t len));
+PROV_CIPHER_FUNC(int, CCM_setkey, (PROV_CCM_CTX *ctx, \
+ const unsigned char *key, size_t keylen));
+PROV_CIPHER_FUNC(int, CCM_setiv, (PROV_CCM_CTX *dat, \
+ const unsigned char *iv, size_t ivlen, \
+ size_t mlen));
+PROV_CIPHER_FUNC(int, CCM_setaad, (PROV_CCM_CTX *ctx, \
+ const unsigned char *aad, size_t aadlen));
+PROV_CIPHER_FUNC(int, CCM_auth_encrypt, (PROV_CCM_CTX *ctx, \
+ const unsigned char *in, \
+ unsigned char *out, size_t len, \
+ unsigned char *tag, size_t taglen));
+PROV_CIPHER_FUNC(int, CCM_auth_decrypt, (PROV_CCM_CTX *ctx, \
+ const unsigned char *in, \
+ unsigned char *out, size_t len, \
+ unsigned char *tag, size_t taglen));
+PROV_CIPHER_FUNC(int, CCM_gettag, (PROV_CCM_CTX *ctx, \
+ unsigned char *tag, size_t taglen));
+
+/*
+ * CCM Mode internal method table used to handle hardware specific differences,
+ * (and different algorithms).
+ */
+struct prov_ccm_hw_st {
+ OSSL_CCM_setkey_fn setkey;
+ OSSL_CCM_setiv_fn setiv;
+ OSSL_CCM_setaad_fn setaad;
+ OSSL_CCM_auth_encrypt_fn auth_encrypt;
+ OSSL_CCM_auth_decrypt_fn auth_decrypt;
+ OSSL_CCM_gettag_fn gettag;
+};
+
+const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keylen);
+
+#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
+# include "internal/aria.h"
+typedef struct prov_aria_ccm_ctx_st {
+ PROV_CCM_CTX base; /* Must be first */
+ union {
+ OSSL_UNION_ALIGN;
+ ARIA_KEY ks;
+ } ks; /* ARIA key schedule to use */
+} PROV_ARIA_CCM_CTX;
+
+const PROV_CCM_HW *PROV_ARIA_HW_ccm(size_t keylen);
+
+#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
+
+OSSL_OP_cipher_encrypt_init_fn ccm_einit;
+OSSL_OP_cipher_decrypt_init_fn ccm_dinit;
+OSSL_OP_cipher_get_ctx_params_fn ccm_get_ctx_params;
+OSSL_OP_cipher_set_ctx_params_fn ccm_set_ctx_params;
+OSSL_OP_cipher_update_fn ccm_stream_update;
+OSSL_OP_cipher_final_fn ccm_stream_final;
+OSSL_OP_cipher_cipher_fn ccm_cipher;
+void ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits, const PROV_CCM_HW *hw);
+void ccm_finalctx(PROV_CCM_CTX *ctx);
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+#define AES_CCM_SET_KEY_FN(fn_set_enc_key, fn_blk, fn_ccm_enc, fn_ccm_dec) \
+ fn_set_enc_key(key, keylen * 8, &actx->ccm.ks.ks); \
+ CRYPTO_ccm128_init(&ctx->ccm_ctx, ctx->m, ctx->l, &actx->ccm.ks.ks, \
+ (block128_f)fn_blk); \
+ ctx->str = ctx->enc ? (ccm128_f)fn_ccm_enc : (ccm128_f)fn_ccm_dec; \
+ ctx->key_set = 1;
+
+static int ccm_generic_aes_initkey(PROV_CCM_CTX *ctx, const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
+
+#ifdef HWAES_CAPABLE
+ if (HWAES_CAPABLE) {
+ AES_CCM_SET_KEY_FN(HWAES_set_encrypt_key, HWAES_encrypt, NULL, NULL);
+ } else
+#endif /* HWAES_CAPABLE */
+#ifdef VPAES_CAPABLE
+ if (VPAES_CAPABLE) {
+ AES_CCM_SET_KEY_FN(vpaes_set_encrypt_key, vpaes_encrypt, NULL, NULL);
+ } else
+#endif
+ {
+ AES_CCM_SET_KEY_FN(AES_set_encrypt_key, AES_encrypt, NULL, NULL)
+ }
+ return 1;
+}
+
+static int ccm_generic_setiv(PROV_CCM_CTX *ctx, const unsigned char *nonce,
+ size_t nlen, size_t mlen)
+{
+ return CRYPTO_ccm128_setiv(&ctx->ccm_ctx, nonce, nlen, mlen) == 0;
+}
+
+static int ccm_generic_setaad(PROV_CCM_CTX *ctx, const unsigned char *aad,
+ size_t alen)
+{
+ CRYPTO_ccm128_aad(&ctx->ccm_ctx, aad, alen);
+ return 1;
+}
+
+static int ccm_generic_gettag(PROV_CCM_CTX *ctx, unsigned char *tag,
+ size_t tlen)
+{
+ return CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, tlen) > 0;
+}
+
+static int ccm_generic_auth_encrypt(PROV_CCM_CTX *ctx, const unsigned char *in,
+ unsigned char *out, size_t len,
+ unsigned char *tag, size_t taglen)
+{
+ int rv;
+
+ if (ctx->str != NULL)
+ rv = CRYPTO_ccm128_encrypt_ccm64(&ctx->ccm_ctx, in,
+ out, len, ctx->str) == 0;
+ else
+ rv = CRYPTO_ccm128_encrypt(&ctx->ccm_ctx, in, out, len) == 0;
+
+ if (rv == 1 && tag != NULL)
+ rv = (CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, taglen) > 0);
+ return rv;
+}
+
+static int ccm_generic_auth_decrypt(PROV_CCM_CTX *ctx, const unsigned char *in,
+ unsigned char *out, size_t len,
+ unsigned char *expected_tag,
+ size_t taglen)
+{
+ int rv = 0;
+
+ if (ctx->str != NULL)
+ rv = CRYPTO_ccm128_decrypt_ccm64(&ctx->ccm_ctx, in, out, len,
+ ctx->str) == 0;
+ else
+ rv = CRYPTO_ccm128_decrypt(&ctx->ccm_ctx, in, out, len) == 0;
+ if (rv) {
+ unsigned char tag[16];
+
+ if (!CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, taglen)
+ || CRYPTO_memcmp(tag, expected_tag, taglen) != 0)
+ rv = 0;
+ }
+ if (rv == 0)
+ OPENSSL_cleanse(out, len);
+ return rv;
+}
+
+static const PROV_CCM_HW aes_ccm = {
+ ccm_generic_aes_initkey,
+ ccm_generic_setiv,
+ ccm_generic_setaad,
+ ccm_generic_auth_encrypt,
+ ccm_generic_auth_decrypt,
+ ccm_generic_gettag
+};
+#if defined(S390X_aes_128_CAPABLE)
+# include "cipher_aes_ccm_hw_s390x.inc"
+#elif defined(AESNI_CAPABLE)
+# include "cipher_aes_ccm_hw_aesni.inc"
+#elif defined(SPARC_AES_CAPABLE)
+# include "cipher_aes_ccm_hw_t4.inc"
+#else
+const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
+{
+ return &aes_ccm;
+}
+#endif
+
+#include "cipher_aria_ccm_hw.inc"
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Generic dispatch table functions for ciphers.
+ */
+
+#include "cipher_locl.h"
+
+#define MAXCHUNK ((size_t)1 << (sizeof(long) * 8 - 2))
+#define MAXBITCHUNK ((size_t)1 << (sizeof(size_t) * 8 - 4))
+
+/*-
+ * Default cipher functions for OSSL_PARAM gettables and settables
+ */
+static const OSSL_PARAM cipher_known_gettable_params[] = {
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_MODE, NULL),
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_BLOCK_SIZE, NULL),
+ OSSL_PARAM_END
+};
+const OSSL_PARAM *cipher_default_gettable_params(void)
+{
+ return cipher_known_gettable_params;
+}
+
+int cipher_default_get_params(OSSL_PARAM params[], int md, unsigned long flags,
+ int kbits, int blkbits, int ivbits)
+{
+ OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_MODE);
+ if (p != NULL && !OSSL_PARAM_set_int(p, md)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_FLAGS);
+ if (p != NULL && !OSSL_PARAM_set_ulong(p, flags)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
+ if (p != NULL && !OSSL_PARAM_set_int(p, kbits / 8)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_BLOCK_SIZE);
+ if (p != NULL && !OSSL_PARAM_set_int(p, blkbits / 8)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
+ if (p != NULL && !OSSL_PARAM_set_int(p, ivbits / 8)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ return 1;
+}
+
+static const OSSL_PARAM cipher_known_gettable_ctx_params[] = {
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_PADDING, NULL),
+ OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_NUM, NULL),
+ OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
+ OSSL_PARAM_END
+};
+const OSSL_PARAM *cipher_default_gettable_ctx_params(void)
+{
+ return cipher_known_gettable_ctx_params;
+}
+
+static const OSSL_PARAM cipher_known_settable_ctx_params[] = {
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_PADDING, NULL),
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_NUM, NULL),
+ OSSL_PARAM_END
+};
+const OSSL_PARAM *cipher_default_settable_ctx_params(void)
+{
+ return cipher_known_settable_ctx_params;
+}
+
+/*-
+ * AEAD cipher functions for OSSL_PARAM gettables and settables
+ */
+static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
+ OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
+ OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
+ OSSL_PARAM_END
+};
+const OSSL_PARAM *cipher_aead_gettable_ctx_params(void)
+{
+ return cipher_aead_known_gettable_ctx_params;
+}
+
+static const OSSL_PARAM cipher_aead_known_settable_ctx_params[] = {
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+ OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
+ OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0),
+ OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, NULL, 0),
+ OSSL_PARAM_END
+};
+const OSSL_PARAM *cipher_aead_settable_ctx_params(void)
+{
+ return cipher_aead_known_settable_ctx_params;
+}
+
+static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *iv, size_t ivlen,
+ int enc)
+{
+ ctx->enc = enc;
+
+ if (iv != NULL && ctx->mode != EVP_CIPH_ECB_MODE) {
+ if (ivlen != GENERIC_BLOCK_SIZE) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ memcpy(ctx->iv, iv, GENERIC_BLOCK_SIZE);
+ }
+ if (key != NULL) {
+ if (keylen != ctx->keylen) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN);
+ return 0;
+ }
+ return ctx->hw->init(ctx, key, ctx->keylen);
+ }
+ return 1;
+}
+
+int cipher_generic_einit(void *vctx, const unsigned char *key, size_t keylen,
+ const unsigned char *iv, size_t ivlen)
+{
+ return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
+ iv, ivlen, 1);
+}
+
+int cipher_generic_dinit(void *vctx, const unsigned char *key, size_t keylen,
+ const unsigned char *iv, size_t ivlen)
+{
+ return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
+ iv, ivlen, 0);
+}
+
+int cipher_generic_block_update(void *vctx, unsigned char *out, size_t *outl,
+ size_t outsize, const unsigned char *in,
+ size_t inl)
+{
+ size_t outlint = 0;
+ PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+ size_t nextblocks = fillblock(ctx->buf, &ctx->bufsz, GENERIC_BLOCK_SIZE, &in,
+ &inl);
+
+ /*
+ * If we're decrypting and we end an update on a block boundary we hold
+ * the last block back in case this is the last update call and the last
+ * block is padded.
+ */
+ if (ctx->bufsz == GENERIC_BLOCK_SIZE && (ctx->enc || inl > 0 || !ctx->pad)) {
+ if (outsize < GENERIC_BLOCK_SIZE) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
+ if (!ctx->hw->cipher(ctx, out, ctx->buf, GENERIC_BLOCK_SIZE)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+ return 0;
+ }
+ ctx->bufsz = 0;
+ outlint = GENERIC_BLOCK_SIZE;
+ out += GENERIC_BLOCK_SIZE;
+ }
+ if (nextblocks > 0) {
+ if (!ctx->enc && ctx->pad && nextblocks == inl) {
+ if (!ossl_assert(inl >= GENERIC_BLOCK_SIZE)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
+ nextblocks -= GENERIC_BLOCK_SIZE;
+ }
+ outlint += nextblocks;
+ if (outsize < outlint) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
+ if (!ctx->hw->cipher(ctx, out, in, nextblocks)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+ return 0;
+ }
+ in += nextblocks;
+ inl -= nextblocks;
+ }
+ if (!trailingdata(ctx->buf, &ctx->bufsz, GENERIC_BLOCK_SIZE, &in, &inl)) {
+ /* ERR_raise already called */
+ return 0;
+ }
+
+ *outl = outlint;
+ return inl == 0;
+}
+
+int cipher_generic_block_final(void *vctx, unsigned char *out, size_t *outl,
+ size_t outsize)
+{
+ PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+
+ if (ctx->enc) {
+ if (ctx->pad) {
+ padblock(ctx->buf, &ctx->bufsz, GENERIC_BLOCK_SIZE);
+ } else if (ctx->bufsz == 0) {
+ *outl = 0;
+ return 1;
+ } else if (ctx->bufsz != GENERIC_BLOCK_SIZE) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
+ return 0;
+ }
+
+ if (outsize < GENERIC_BLOCK_SIZE) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
+ if (!ctx->hw->cipher(ctx, out, ctx->buf, GENERIC_BLOCK_SIZE)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+ return 0;
+ }
+ ctx->bufsz = 0;
+ *outl = GENERIC_BLOCK_SIZE;
+ return 1;
+ }
+
+ /* Decrypting */
+ if (ctx->bufsz != GENERIC_BLOCK_SIZE) {
+ if (ctx->bufsz == 0 && !ctx->pad) {
+ *outl = 0;
+ return 1;
+ }
+ ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
+ return 0;
+ }
+
+ if (!ctx->hw->cipher(ctx, ctx->buf, ctx->buf, GENERIC_BLOCK_SIZE)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+ return 0;
+ }
+
+ if (ctx->pad && !unpadblock(ctx->buf, &ctx->bufsz, GENERIC_BLOCK_SIZE)) {
+ /* ERR_raise already called */
+ return 0;
+ }
+
+ if (outsize < ctx->bufsz) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
+ memcpy(out, ctx->buf, ctx->bufsz);
+ *outl = ctx->bufsz;
+ ctx->bufsz = 0;
+ return 1;
+}
+
+int cipher_generic_stream_update(void *vctx, unsigned char *out, size_t *outl,
+ size_t outsize, const unsigned char *in,
+ size_t inl)
+{
+ PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+
+ if (outsize < inl) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ if (!ctx->hw->cipher(ctx, out, in, inl)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+ return 0;
+ }
+
+ *outl = inl;
+ return 1;
+}
+int cipher_generic_stream_final(void *vctx, unsigned char *out, size_t *outl,
+ size_t outsize)
+{
+ *outl = 0;
+ return 1;
+}
+
+int cipher_generic_cipher(void *vctx,
+ unsigned char *out, size_t *outl, size_t outsize,
+ const unsigned char *in, size_t inl)
+{
+ PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+
+ if (outsize < inl) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ if (!ctx->hw->cipher(ctx, out, in, inl)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+ return 0;
+ }
+
+ *outl = inl;
+ return 1;
+}
+
+int cipher_generic_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+ OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
+ if (p != NULL && !OSSL_PARAM_set_int(p, GENERIC_BLOCK_SIZE)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_PADDING);
+ if (p != NULL && !OSSL_PARAM_set_int(p, ctx->pad)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
+ if (p != NULL
+ && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, GENERIC_BLOCK_SIZE)
+ && !OSSL_PARAM_set_octet_string(p, &ctx->iv, GENERIC_BLOCK_SIZE)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_NUM);
+ if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->num)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
+ if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+
+ return 1;
+}
+
+int cipher_generic_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+ const OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_PADDING);
+ if (p != NULL) {
+ int pad;
+
+ if (!OSSL_PARAM_get_int(p, &pad)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ ctx->pad = pad ? 1 : 0;
+ }
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_NUM);
+ if (p != NULL) {
+ int num;
+
+ if (!OSSL_PARAM_get_int(p, &num)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ ctx->num = num;
+ }
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
+ if (p != NULL) {
+ int keylen;
+
+ if (!OSSL_PARAM_get_int(p, &keylen)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ ctx->keylen = keylen;
+ }
+ return 1;
+}
+
+void cipher_generic_initkey(void *vctx, int kbits, int blkbits, int mode,
+ const PROV_CIPHER_HW *hw)
+{
+ PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+
+ ctx->pad = 1;
+ ctx->keylen = ((kbits) / 8);
+ ctx->hw = hw;
+ ctx->mode = mode;
+ ctx->blocksize = blkbits/8;
+}
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+#define MAXCHUNK ((size_t)1 << (sizeof(long) * 8 - 2))
+#define MAXBITCHUNK ((size_t)1 << (sizeof(size_t) * 8 - 4))
+
+/*-
+ * The generic cipher functions for cipher modes cbc, ecb, ofb, cfb and ctr.
+ * Used if there is no special hardware implementations.
+ */
+int cipher_hw_generic_cbc(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ if (dat->stream.cbc)
+ (*dat->stream.cbc) (in, out, len, dat->ks, dat->iv, dat->enc);
+ else if (dat->enc)
+ CRYPTO_cbc128_encrypt(in, out, len, dat->ks, dat->iv, dat->block);
+ else
+ CRYPTO_cbc128_decrypt(in, out, len, dat->ks, dat->iv, dat->block);
+
+ return 1;
+}
+
+int cipher_hw_generic_ecb(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ size_t i, bl = dat->blocksize;
+
+ if (len < bl)
+ return 1;
+
+ for (i = 0, len -= bl; i <= len; i += bl)
+ (*dat->block) (in + i, out + i, dat->ks);
+
+ return 1;
+}
+
+int cipher_hw_generic_ofb128(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ int num = dat->num;
+
+ CRYPTO_ofb128_encrypt(in, out, len, dat->ks, dat->iv, &num, dat->block);
+ dat->num = num;
+
+ return 1;
+}
+
+int cipher_hw_generic_cfb128(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ int num = dat->num;
+
+ CRYPTO_cfb128_encrypt(in, out, len, dat->ks, dat->iv, &num, dat->enc,
+ dat->block);
+ dat->num = num;
+
+ return 1;
+}
+
+int cipher_hw_generic_cfb8(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ int num = dat->num;
+
+ CRYPTO_cfb128_8_encrypt(in, out, len, dat->ks, dat->iv, &num, dat->enc,
+ dat->block);
+ dat->num = num;
+
+ return 1;
+}
+
+int cipher_hw_generic_cfb1(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ int num = dat->num;
+
+ if ((dat->flags & EVP_CIPH_FLAG_LENGTH_BITS) != 0) {
+ CRYPTO_cfb128_1_encrypt(in, out, len, dat->ks, dat->iv, &num,
+ dat->enc, dat->block);
+ dat->num = num;
+ return 1;
+ }
+
+ while (len >= MAXBITCHUNK) {
+ CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, dat->ks,
+ dat->iv, &num, dat->enc, dat->block);
+ len -= MAXBITCHUNK;
+ out += MAXBITCHUNK;
+ in += MAXBITCHUNK;
+ }
+ if (len)
+ CRYPTO_cfb128_1_encrypt(in, out, len * 8, dat->ks, dat->iv, &num,
+ dat->enc, dat->block);
+
+ dat->num = num;
+
+ return 1;
+}
+
+int cipher_hw_generic_ctr(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ unsigned int num = dat->num;
+
+ if (dat->stream.ctr)
+ CRYPTO_ctr128_encrypt_ctr32(in, out, len, dat->ks, dat->iv, dat->buf,
+ &num, dat->stream.ctr);
+ else
+ CRYPTO_ctr128_encrypt(in, out, len, dat->ks, dat->iv, dat->buf,
+ &num, dat->block);
+ dat->num = num;
+
+ return 1;
+}
+
+/*-
+ * The chunked cipher functions for cipher modes cbc, ecb, ofb, cfb and ctr.
+ * Used if there is no special hardware implementations.
+ */
+
+int cipher_hw_chunked_cbc(PROV_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl)
+{
+ while (inl >= MAXCHUNK) {
+ cipher_hw_generic_cbc(ctx, out, in, MAXCHUNK);
+ inl -= MAXCHUNK;
+ in += MAXCHUNK;
+ out += MAXCHUNK;
+ }
+ if (inl > 0)
+ cipher_hw_generic_cbc(ctx, out, in, inl);
+ return 1;
+}
+
+int cipher_hw_chunked_cfb8(PROV_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl)
+{
+ size_t chunk = MAXCHUNK;
+
+ if (inl < chunk)
+ chunk = inl;
+ while (inl > 0 && inl >= chunk) {
+ cipher_hw_generic_cfb8(ctx, out, in, inl);
+ inl -= chunk;
+ in += chunk;
+ out += chunk;
+ if (inl < chunk)
+ chunk = inl;
+ }
+ return 1;
+}
+
+int cipher_hw_chunked_cfb128(PROV_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl)
+{
+ size_t chunk = MAXCHUNK;
+
+ if (inl < chunk)
+ chunk = inl;
+ while (inl > 0 && inl >= chunk) {
+ cipher_hw_generic_cfb128(ctx, out, in, inl);
+ inl -= chunk;
+ in += chunk;
+ out += chunk;
+ if (inl < chunk)
+ chunk = inl;
+ }
+ return 1;
+}
+
+int cipher_hw_chunked_ofb128(PROV_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl)
+{
+ while (inl >= MAXCHUNK) {
+ cipher_hw_generic_ofb128(ctx, out, in, MAXCHUNK);
+ inl -= MAXCHUNK;
+ in += MAXCHUNK;
+ out += MAXCHUNK;
+ }
+ if (inl > 0)
+ cipher_hw_generic_ofb128(ctx, out, in, inl);
+ return 1;
+}
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for gcm mode */
+
+#include "cipher_locl.h"
+#include "internal/rand_int.h"
+#include "internal/provider_ctx.h"
+
+static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
+static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
+ size_t len);
+static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
+ const unsigned char *in, size_t len);
+static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
+ size_t *padlen, const unsigned char *in,
+ size_t len);
+
+void gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
+ const PROV_GCM_HW *hw, size_t ivlen_min)
+{
+ ctx->pad = 1;
+ ctx->mode = EVP_CIPH_GCM_MODE;
+ ctx->taglen = -1;
+ ctx->tls_aad_len = -1;
+ ctx->ivlen_min = ivlen_min;
+ ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
+ ctx->keylen = keybits / 8;
+ ctx->hw = hw;
+ ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
+}
+
+void gcm_deinitctx(PROV_GCM_CTX *ctx)
+{
+ OPENSSL_cleanse(ctx->iv, sizeof(ctx->iv));
+}
+
+static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
+ const unsigned char *iv, size_t ivlen, int enc)
+{
+ PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+
+ ctx->enc = enc;
+
+ if (iv != NULL) {
+ if (ivlen < ctx->ivlen_min || ivlen > sizeof(ctx->iv)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
+ return 0;
+ }
+ ctx->ivlen = ivlen;
+ memcpy(ctx->iv, iv, ctx->ivlen);
+ ctx->iv_state = IV_STATE_BUFFERED;
+ }
+
+ if (key != NULL) {
+ if (keylen != ctx->keylen) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ return ctx->hw->setkey(ctx, key, ctx->keylen);
+ }
+ return 1;
+}
+
+int gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
+ const unsigned char *iv, size_t ivlen)
+{
+ return gcm_init(vctx, key, keylen, iv, ivlen, 1);
+}
+
+int gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
+ const unsigned char *iv, size_t ivlen)
+{
+ return gcm_init(vctx, key, keylen, iv, ivlen, 0);
+}
+
+int gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+ OSSL_PARAM *p;
+ size_t sz;
+
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
+ if (p != NULL && !OSSL_PARAM_set_int(p, ctx->ivlen)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
+ if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
+ if (p != NULL) {
+ if (ctx->iv_gen != 1 && ctx->iv_gen_rand != 1)
+ return 0;
+ if (ctx->ivlen != (int)p->data_size) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
+ return 0;
+ }
+ if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ }
+
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
+ if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
+ if (p != NULL) {
+ sz = p->data_size;
+ if (sz == 0 || sz > EVP_GCM_TLS_TAG_LEN || !ctx->enc || ctx->taglen < 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
+ return 0;
+ }
+ if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ }
+ return 1;
+}
+
+int gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+ const OSSL_PARAM *p;
+ size_t sz;
+ void *vp;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
+ if (p != NULL) {
+ vp = ctx->buf;
+ if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ if (sz == 0 || ctx->enc) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
+ return 0;
+ }
+ ctx->taglen = sz;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
+ if (p != NULL) {
+ if (!OSSL_PARAM_get_size_t(p, &sz)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ if (sz == 0 || sz > sizeof(ctx->iv)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
+ return 0;
+ }
+ ctx->ivlen = sz;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
+ if (p != NULL) {
+ if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ sz = gcm_tls_init(ctx, p->data, p->data_size);
+ if (sz == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
+ return 0;
+ }
+ ctx->tls_aad_pad_sz = sz;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
+ if (p != NULL) {
+ if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ }
+
+ /*
+ * TODO(3.0) Temporary solution to address fuzz test crash, which will be
+ * reworked once the discussion in PR #9510 is resolved. i.e- We need a
+ * general solution for handling missing parameters inside set_params and
+ * get_params methods.
+ */
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
+ if (p != NULL) {
+ int keylen;
+
+ if (!OSSL_PARAM_get_int(p, &keylen)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ return 0;
+ }
+ /* The key length can not be modified for gcm mode */
+ if (keylen != (int)ctx->keylen)
+ return 0;
+ }
+
+ return 1;
+}
+
+int gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
+ size_t outsize, const unsigned char *in, size_t inl)
+{
+ PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+
+ if (outsize < inl) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return -1;
+ }
+
+ if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+ return -1;
+ }
+ return 1;
+}
+
+int gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
+ size_t outsize)
+{
+ PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+ int i;
+
+ i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
+ if (i <= 0)
+ return 0;
+
+ *outl = 0;
+ return 1;
+}
+
+int gcm_cipher(void *vctx,
+ unsigned char *out, size_t *outl, size_t outsize,
+ const unsigned char *in, size_t inl)
+{
+ PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+
+ if (outsize < inl) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return -1;
+ }
+
+ if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
+ return -1;
+
+ *outl = inl;
+ return 1;
+}
+
+/*
+ * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
+ *
+ * See also 8.2.2 RBG-based construction.
+ * Random construction consists of a free field (which can be NULL) and a
+ * random field which will use a DRBG that can return at least 96 bits of
+ * entropy strength. (The DRBG must be seeded by the FIPS module).
+ */
+static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
+{
+ int sz = ctx->ivlen - offset;
+
+ /* Must be at least 96 bits */
+ if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
+ return 0;
+
+ /* Use DRBG to generate random iv */
+ if (rand_bytes_ex(ctx->libctx, ctx->iv + offset, sz) <= 0)
+ return 0;
+ ctx->iv_state = IV_STATE_BUFFERED;
+ ctx->iv_gen_rand = 1;
+ return 1;
+}
+
+static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
+ size_t *padlen, const unsigned char *in,
+ size_t len)
+{
+ size_t olen = 0;
+ int rv = 0;
+ const PROV_GCM_HW *hw = ctx->hw;
+
+ if (ctx->tls_aad_len >= 0)
+ return gcm_tls_cipher(ctx, out, padlen, in, len);
+
+ if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
+ goto err;
+
+ /*
+ * FIPS requires generation of AES-GCM IV's inside the FIPS module.
+ * The IV can still be set externally (the security policy will state that
+ * this is not FIPS compliant). There are some applications
+ * where setting the IV externally is the only option available.
+ */
+ if (ctx->iv_state == IV_STATE_UNINITIALISED) {
+ if (!ctx->enc || !gcm_iv_generate(ctx, 0))
+ goto err;
+ }
+
+ if (ctx->iv_state == IV_STATE_BUFFERED) {
+ if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
+ goto err;
+ ctx->iv_state = IV_STATE_COPIED;
+ }
+
+ if (in != NULL) {
+ /* The input is AAD if out is NULL */
+ if (out == NULL) {
+ if (!hw->aadupdate(ctx, in, len))
+ goto err;
+ } else {
+ /* The input is ciphertext OR plaintext */
+ if (!hw->cipherupdate(ctx, in, len, out))
+ goto err;
+ }
+ } else {
+ /* Finished when in == NULL */
+ if (!hw->cipherfinal(ctx, ctx->buf))
+ goto err;
+ ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
+ goto finish;
+ }
+ olen = len;
+finish:
+ rv = 1;
+err:
+ *padlen = olen;
+ return rv;
+}
+
+static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
+{
+ unsigned char *buf;
+ size_t len;
+
+ if (aad_len != EVP_AEAD_TLS1_AAD_LEN)
+ return 0;
+
+ /* Save the aad for later use. */
+ buf = dat->buf;
+ memcpy(buf, aad, aad_len);
+ dat->tls_aad_len = aad_len;
+ dat->tls_enc_records = 0;
+
+ len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
+ /* Correct length for explicit iv. */
+ if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
+ return 0;
+ len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+
+ /* If decrypting correct for tag too. */
+ if (!dat->enc) {
+ if (len < EVP_GCM_TLS_TAG_LEN)
+ return 0;
+ len -= EVP_GCM_TLS_TAG_LEN;
+ }
+ buf[aad_len - 2] = (unsigned char)(len >> 8);
+ buf[aad_len - 1] = (unsigned char)(len & 0xff);
+ /* Extra padding: tag appended to record. */
+ return EVP_GCM_TLS_TAG_LEN;
+}
+
+static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
+ size_t len)
+{
+ /* Special case: -1 length restores whole IV */
+ if (len == (size_t)-1) {
+ memcpy(ctx->iv, iv, ctx->ivlen);
+ ctx->iv_gen = 1;
+ ctx->iv_state = IV_STATE_BUFFERED;
+ return 1;
+ }
+ /* Fixed field must be at least 4 bytes and invocation field at least 8 */
+ if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
+ || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
+ return 0;
+ if (len > 0)
+ memcpy(ctx->iv, iv, len);
+ if (ctx->enc
+ && rand_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len) <= 0)
+ return 0;
+ ctx->iv_gen = 1;
+ ctx->iv_state = IV_STATE_BUFFERED;
+ return 1;
+}
+
+/* increment counter (64-bit int) by 1 */
+static void ctr64_inc(unsigned char *counter)
+{
+ int n = 8;
+ unsigned char c;
+
+ do {
+ --n;
+ c = counter[n];
+ ++c;
+ counter[n] = c;
+ if (c > 0)
+ return;
+ } while (n > 0);
+}
+
+/*
+ * Handle TLS GCM packet format. This consists of the last portion of the IV
+ * followed by the payload and finally the tag. On encrypt generate IV,
+ * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
+ * and verify tag.
+ */
+static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
+ const unsigned char *in, size_t len)
+{
+ int rv = 0, arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
+ size_t plen = 0;
+ unsigned char *tag = NULL;
+
+ if (!ctx->key_set)
+ goto err;
+
+ /* Encrypt/decrypt must be performed in place */
+ if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
+ goto err;
+
+ /*
+ * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
+ * Requirements from SP 800-38D". The requirements is for one party to the
+ * communication to fail after 2^64 - 1 keys. We do this on the encrypting
+ * side only.
+ */
+ if (ctx->enc && ++ctx->tls_enc_records == 0) {
+ ERR_raise(ERR_LIB_PROV, EVP_R_TOO_MANY_RECORDS);
+ goto err;
+ }
+
+ if (ctx->iv_gen == 0)
+ goto err;
+ /*
+ * Set IV from start of buffer or generate IV and write to start of
+ * buffer.
+ */
+ if (ctx->enc) {
+ if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
+ goto err;
+ if (arg > ctx->ivlen)
+ arg = ctx->ivlen;
+ memcpy(out, ctx->iv + ctx->ivlen - arg, arg);
+ /*
+ * Invocation field will be at least 8 bytes in size and so no need
+ * to check wrap around or increment more than last 8 bytes.
+ */
+ ctr64_inc(ctx->iv + ctx->ivlen - 8);
+ } else {
+ memcpy(ctx->iv + ctx->ivlen - arg, out, arg);
+ if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
+ goto err;
+ }
+ ctx->iv_state = IV_STATE_COPIED;
+
+ /* Fix buffer and length to point to payload */
+ in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
+ out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
+ len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
+
+ tag = ctx->enc ? out + len : (unsigned char *)in + len;
+ if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
+ EVP_GCM_TLS_TAG_LEN)) {
+ if (!ctx->enc)
+ OPENSSL_cleanse(out, len);
+ goto err;
+ }
+ if (ctx->enc)
+ plen = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
+ else
+ plen = len;
+
+ rv = 1;
+err:
+ ctx->iv_state = IV_STATE_FINISHED;
+ ctx->tls_aad_len = -1;
+ *padlen = plen;
+ return rv;
+}
--- /dev/null
+
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/aes.h>
+
+typedef struct prov_gcm_hw_st PROV_GCM_HW;
+
+#define GCM_IV_DEFAULT_SIZE 12/* IV's for AES_GCM should normally be 12 bytes */
+#define GCM_IV_MAX_SIZE 64
+#define GCM_TAG_MAX_SIZE 16
+
+/* TODO(3.0) Figure out what flags are really needed */
+#define AEAD_FLAGS (EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1 \
+ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
+ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
+ | EVP_CIPH_CUSTOM_COPY)
+
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+/*-
+ * KMA-GCM-AES parameter block - begin
+ * (see z/Architecture Principles of Operation >= SA22-7832-11)
+ */
+typedef struct S390X_kma_params_st {
+ unsigned char reserved[12];
+ union {
+ unsigned int w;
+ unsigned char b[4];
+ } cv; /* 32 bit counter value */
+ union {
+ unsigned long long g[2];
+ unsigned char b[16];
+ } t; /* tag */
+ unsigned char h[16]; /* hash subkey */
+ unsigned long long taadl; /* total AAD length */
+ unsigned long long tpcl; /* total plaintxt/ciphertxt len */
+ union {
+ unsigned long long g[2];
+ unsigned int w[4];
+ } j0; /* initial counter value */
+ unsigned char k[32]; /* key */
+} S390X_KMA_PARAMS;
+
+#endif
+
+typedef struct prov_gcm_ctx_st {
+ int enc; /* Set to 1 if we are encrypting or 0 otherwise */
+ int mode; /* The mode that we are using */
+ size_t keylen;
+ int ivlen;
+ size_t ivlen_min;
+ int taglen;
+ int key_set; /* Set if key initialised */
+ int iv_state; /* set to one of IV_STATE_XXX */
+ int iv_gen_rand; /* No IV was specified, so generate a rand IV */
+ int iv_gen; /* It is OK to generate IVs */
+ int tls_aad_pad_sz;
+ int tls_aad_len; /* TLS AAD length */
+ uint64_t tls_enc_records; /* Number of TLS records encrypted */
+
+ /*
+ * num contains the number of bytes of |iv| which are valid for modes that
+ * manage partial blocks themselves.
+ */
+ size_t num;
+ size_t bufsz; /* Number of bytes in buf */
+ uint64_t flags;
+
+ unsigned int pad : 1; /* Whether padding should be used or not */
+
+ unsigned char iv[GCM_IV_MAX_SIZE]; /* Buffer to use for IV's */
+ unsigned char buf[AES_BLOCK_SIZE]; /* Buffer of partial blocks processed via update calls */
+
+ OPENSSL_CTX *libctx; /* needed for rand calls */
+ const PROV_GCM_HW *hw; /* hardware specific methods */
+ GCM128_CONTEXT gcm;
+ ctr128_f ctr;
+ const void *ks;
+} PROV_GCM_CTX;
+
+typedef struct prov_aes_gcm_ctx_st {
+ PROV_GCM_CTX base; /* must be first entry in struct */
+ union {
+ OSSL_UNION_ALIGN;
+ AES_KEY ks;
+ } ks; /* AES key schedule to use */
+
+ /* Platform specific data */
+ union {
+ int dummy;
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+ struct {
+ union {
+ OSSL_UNION_ALIGN;
+ S390X_KMA_PARAMS kma;
+ } param;
+ unsigned int fc;
+ unsigned char ares[16];
+ unsigned char mres[16];
+ unsigned char kres[16];
+ int areslen;
+ int mreslen;
+ int kreslen;
+ int res;
+ } s390x;
+#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
+ } plat;
+} PROV_AES_GCM_CTX;
+
+PROV_CIPHER_FUNC(int, GCM_setkey, (PROV_GCM_CTX *ctx, const unsigned char *key,
+ size_t keylen));
+PROV_CIPHER_FUNC(int, GCM_setiv, (PROV_GCM_CTX *dat, const unsigned char *iv,
+ size_t ivlen));
+PROV_CIPHER_FUNC(int, GCM_aadupdate, (PROV_GCM_CTX *ctx,
+ const unsigned char *aad, size_t aadlen));
+PROV_CIPHER_FUNC(int, GCM_cipherupdate, (PROV_GCM_CTX *ctx,
+ const unsigned char *in, size_t len,
+ unsigned char *out));
+PROV_CIPHER_FUNC(int, GCM_cipherfinal, (PROV_GCM_CTX *ctx, unsigned char *tag));
+PROV_CIPHER_FUNC(int, GCM_oneshot, (PROV_GCM_CTX *ctx, unsigned char *aad,
+ size_t aad_len, const unsigned char *in,
+ size_t in_len, unsigned char *out,
+ unsigned char *tag, size_t taglen));
+struct prov_gcm_hw_st {
+ OSSL_GCM_setkey_fn setkey;
+ OSSL_GCM_setiv_fn setiv;
+ OSSL_GCM_aadupdate_fn aadupdate;
+ OSSL_GCM_cipherupdate_fn cipherupdate;
+ OSSL_GCM_cipherfinal_fn cipherfinal;
+ OSSL_GCM_oneshot_fn oneshot;
+};
+const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits);
+
+#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
+
+#include "internal/aria.h"
+
+typedef struct prov_aria_gcm_ctx_st {
+ PROV_GCM_CTX base; /* must be first entry in struct */
+ union {
+ OSSL_UNION_ALIGN;
+ ARIA_KEY ks;
+ } ks;
+} PROV_ARIA_GCM_CTX;
+const PROV_GCM_HW *PROV_ARIA_HW_gcm(size_t keybits);
+
+#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
+
+OSSL_OP_cipher_encrypt_init_fn gcm_einit;
+OSSL_OP_cipher_decrypt_init_fn gcm_dinit;
+OSSL_OP_cipher_get_ctx_params_fn gcm_get_ctx_params;
+OSSL_OP_cipher_set_ctx_params_fn gcm_set_ctx_params;
+OSSL_OP_cipher_cipher_fn gcm_cipher;
+OSSL_OP_cipher_update_fn gcm_stream_update;
+OSSL_OP_cipher_final_fn gcm_stream_final;
+void gcm_deinitctx(PROV_GCM_CTX *ctx);
+void gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
+ const PROV_GCM_HW *hw, size_t ivlen_min);
+
--- /dev/null
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+static const PROV_GCM_HW aes_gcm;
+
+static int gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen);
+static int gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad,
+ size_t aad_len);
+static int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag);
+static int gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len,
+ const unsigned char *in, size_t in_len,
+ unsigned char *out, unsigned char *tag, size_t tag_len);
+static int gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
+ size_t len, unsigned char *out);
+
+#define SET_KEY_CTR_FN(ks, fn_set_enc_key, fn_block, fn_ctr) \
+ ctx->ks = ks; \
+ fn_set_enc_key(key, keylen * 8, ks); \
+ CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)fn_block); \
+ ctx->ctr = (ctr128_f)fn_ctr; \
+ ctx->key_set = 1;
+
+#if defined(AESNI_CAPABLE)
+# include "cipher_aes_gcm_hw_aesni.inc"
+#elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
+# include "cipher_aes_gcm_hw_t4.inc"
+#elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+# include "cipher_aes_gcm_hw_s390x.inc"
+#else
+const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
+{
+ return &aes_gcm;
+}
+#endif
+
+static int generic_aes_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+ AES_KEY *ks = &actx->ks.ks;
+
+# ifdef HWAES_CAPABLE
+ if (HWAES_CAPABLE) {
+# ifdef HWAES_ctr32_encrypt_blocks
+ SET_KEY_CTR_FN(ks, HWAES_set_encrypt_key, HWAES_encrypt,
+ HWAES_ctr32_encrypt_blocks);
+# else
+ SET_KEY_CTR_FN(ks, HWAES_set_encrypt_key, HWAES_encrypt, NULL);
+# endif /* HWAES_ctr32_encrypt_blocks */
+ } else
+# endif /* HWAES_CAPABLE */
+
+# ifdef BSAES_CAPABLE
+ if (BSAES_CAPABLE) {
+ SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt,
+ bsaes_ctr32_encrypt_blocks);
+ } else
+# endif /* BSAES_CAPABLE */
+
+# ifdef VPAES_CAPABLE
+ if (VPAES_CAPABLE) {
+ SET_KEY_CTR_FN(ks, vpaes_set_encrypt_key, vpaes_encrypt, NULL);
+ } else
+# endif /* VPAES_CAPABLE */
+
+ {
+# ifdef AES_CTR_ASM
+ SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt, AES_ctr32_encrypt);
+# else
+ SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt, NULL);
+# endif /* AES_CTR_ASM */
+ }
+ ctx->key_set = 1;
+ return 1;
+}
+
+static int gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen)
+{
+ CRYPTO_gcm128_setiv(&ctx->gcm, iv, ivlen);
+ return 1;
+}
+
+static int gcm_aad_update(PROV_GCM_CTX *ctx,
+ const unsigned char *aad, size_t aad_len)
+{
+ return CRYPTO_gcm128_aad(&ctx->gcm, aad, aad_len) == 0;
+}
+
+static int gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
+ size_t len, unsigned char *out)
+{
+ if (ctx->enc) {
+ if (ctx->ctr != NULL) {
+#if defined(AES_GCM_ASM)
+ size_t bulk = 0;
+
+ if (len >= 32 && AES_GCM_ASM(ctx)) {
+ size_t res = (16 - ctx->gcm.mres) % 16;
+
+ if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, res))
+ return 0;
+ bulk = aesni_gcm_encrypt(in + res, out + res, len - res,
+ ctx->gcm.key,
+ ctx->gcm.Yi.c, ctx->gcm.Xi.u);
+ ctx->gcm.len.u[1] += bulk;
+ bulk += res;
+ }
+ if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in + bulk, out + bulk,
+ len - bulk, ctx->ctr))
+ return 0;
+#else
+ if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr))
+ return 0;
+#endif /* AES_GCM_ASM */
+ } else {
+ if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len))
+ return 0;
+ }
+ } else {
+ if (ctx->ctr != NULL) {
+#if defined(AES_GCM_ASM)
+ size_t bulk = 0;
+
+ if (len >= 16 && AES_GCM_ASM(ctx)) {
+ size_t res = (16 - ctx->gcm.mres) % 16;
+
+ if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, res))
+ return -1;
+
+ bulk = aesni_gcm_decrypt(in + res, out + res, len - res,
+ ctx->gcm.key,
+ ctx->gcm.Yi.c, ctx->gcm.Xi.u);
+ ctx->gcm.len.u[1] += bulk;
+ bulk += res;
+ }
+ if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in + bulk, out + bulk,
+ len - bulk, ctx->ctr))
+ return 0;
+#else
+ if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr))
+ return 0;
+#endif /* AES_GCM_ASM */
+ } else {
+ if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, len))
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag)
+{
+ if (ctx->enc) {
+ CRYPTO_gcm128_tag(&ctx->gcm, tag, GCM_TAG_MAX_SIZE);
+ ctx->taglen = GCM_TAG_MAX_SIZE;
+ } else {
+ if (ctx->taglen < 0
+ || CRYPTO_gcm128_finish(&ctx->gcm, tag, ctx->taglen) != 0)
+ return 0;
+ }
+ return 1;
+}
+
+static int gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len,
+ const unsigned char *in, size_t in_len,
+ unsigned char *out, unsigned char *tag, size_t tag_len)
+{
+ int ret = 0;
+
+ /* Use saved AAD */
+ if (!ctx->hw->aadupdate(ctx, aad, aad_len))
+ goto err;
+ if (!ctx->hw->cipherupdate(ctx, in, in_len, out))
+ goto err;
+ ctx->taglen = GCM_TAG_MAX_SIZE;
+ if (!ctx->hw->cipherfinal(ctx, tag))
+ goto err;
+ ret = 1;
+
+err:
+ return ret;
+}
+
+static const PROV_GCM_HW aes_gcm = {
+ generic_aes_gcm_initkey,
+ gcm_setiv,
+ gcm_aad_update,
+ gcm_cipher_update,
+ gcm_cipher_final,
+ gcm_one_shot
+};
+
+#include "cipher_aria_gcm_hw.inc"
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <openssl/opensslconf.h>
+#include <openssl/params.h>
+#include <openssl/core_numbers.h>
+#include <openssl/core_names.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include "internal/cryptlib.h"
+#include "internal/modes_int.h"
+#include "internal/provider_algs.h"
+#include "internal/providercommonerr.h"
+#include "internal/ciphermode_platform.h"
+
+#define GENERIC_BLOCK_SIZE 16
+#define IV_STATE_UNINITIALISED 0 /* initial state is not initialized */
+#define IV_STATE_BUFFERED 1 /* iv has been copied to the iv buffer */
+#define IV_STATE_COPIED 2 /* iv has been copied from the iv buffer */
+#define IV_STATE_FINISHED 3 /* the iv has been used - so don't reuse it */
+
+#define PROV_CIPHER_FUNC(type, name, args) typedef type (* OSSL_##name##_fn)args
+
+typedef struct prov_cipher_hw_st PROV_CIPHER_HW;
+typedef struct prov_cipher_ctx_st PROV_CIPHER_CTX;
+
+typedef int (PROV_CIPHER_HW_FN)(PROV_CIPHER_CTX *dat, unsigned char *out,
+ const unsigned char *in, size_t len);
+
+struct prov_cipher_ctx_st {
+ block128_f block;
+ union {
+ cbc128_f cbc;
+ ctr128_f ctr;
+ } stream;
+
+ /*
+ * num contains the number of bytes of |iv| which are valid for modes that
+ * manage partial blocks themselves.
+ */
+ size_t num;
+
+ int mode;
+ int enc; /* Set to 1 for encrypt, or 0 otherwise */
+ size_t bufsz; /* Number of bytes in buf */
+ size_t keylen; /* key size (in bytes) */
+ size_t blocksize;
+ uint64_t flags;
+ unsigned int pad : 1; /* Whether padding should be used or not */
+
+ /* Buffer of partial blocks processed via update calls */
+ unsigned char buf[GENERIC_BLOCK_SIZE];
+ unsigned char iv[GENERIC_BLOCK_SIZE];
+ const PROV_CIPHER_HW *hw; /* hardware specific functions */
+ const void *ks; /* Pointer to algorithm specific key data */
+};
+
+struct prov_cipher_hw_st {
+ int (*init)(PROV_CIPHER_CTX *dat, const uint8_t *key, size_t keylen);
+ PROV_CIPHER_HW_FN *cipher;
+};
+
+OSSL_OP_cipher_encrypt_init_fn cipher_generic_einit;
+OSSL_OP_cipher_decrypt_init_fn cipher_generic_dinit;
+OSSL_OP_cipher_update_fn cipher_generic_block_update;
+OSSL_OP_cipher_final_fn cipher_generic_block_final;
+OSSL_OP_cipher_update_fn cipher_generic_stream_update;
+OSSL_OP_cipher_final_fn cipher_generic_stream_final;
+OSSL_OP_cipher_cipher_fn cipher_generic_cipher;
+OSSL_OP_cipher_get_ctx_params_fn cipher_generic_get_ctx_params;
+OSSL_OP_cipher_set_ctx_params_fn cipher_generic_set_ctx_params;
+OSSL_OP_cipher_gettable_params_fn cipher_default_gettable_params;
+OSSL_OP_cipher_gettable_ctx_params_fn cipher_default_gettable_ctx_params;
+OSSL_OP_cipher_settable_ctx_params_fn cipher_default_settable_ctx_params;
+OSSL_OP_cipher_gettable_ctx_params_fn cipher_aead_gettable_ctx_params;
+OSSL_OP_cipher_settable_ctx_params_fn cipher_aead_settable_ctx_params;
+int cipher_default_get_params(OSSL_PARAM params[], int md, unsigned long flags,
+ int kbits, int blkbits, int ivbits);
+void cipher_generic_initkey(void *vctx, int kbits, int blkbits, int mode,
+ const PROV_CIPHER_HW *ciph);
+
+size_t fillblock(unsigned char *buf, size_t *buflen, size_t blocksize,
+ const unsigned char **in, size_t *inlen);
+int trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
+ const unsigned char **in, size_t *inlen);
+void padblock(unsigned char *buf, size_t *buflen, size_t blocksize);
+int unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize);
+
+#include "cipher_aes.h"
+#include "cipher_aria.h"
+#include "cipher_camellia.h"
+#include "cipher_gcm.h"
+#include "cipher_ccm.h"
+
+#define IMPLEMENT_generic_cipher(alg, UCALG, lcmode, UCMODE, flags, kbits, \
+ blkbits, ivbits, typ) \
+static OSSL_OP_cipher_get_params_fn alg##_##kbits##_##lcmode##_get_params; \
+static int alg##_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \
+{ \
+ return cipher_default_get_params(params, EVP_CIPH_##UCMODE##_MODE, flags, \
+ kbits, blkbits, ivbits); \
+} \
+static OSSL_OP_cipher_newctx_fn alg##_##kbits##_##lcmode##_newctx; \
+static void * alg##_##kbits##_##lcmode##_newctx(void *provctx) \
+{ \
+ PROV_##UCALG##_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \
+ if (ctx != NULL) { \
+ cipher_generic_initkey(ctx, kbits, blkbits, EVP_CIPH_##UCMODE##_MODE, \
+ PROV_CIPHER_HW_##alg##_##lcmode(kbits)); \
+ } \
+ return ctx; \
+} \
+const OSSL_DISPATCH alg##kbits##lcmode##_functions[] = { \
+ { OSSL_FUNC_CIPHER_NEWCTX, \
+ (void (*)(void)) alg##_##kbits##_##lcmode##_newctx }, \
+ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx }, \
+ { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx }, \
+ { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))cipher_generic_einit }, \
+ { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))cipher_generic_dinit }, \
+ { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))cipher_generic_##typ##_update },\
+ { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))cipher_generic_##typ##_final }, \
+ { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))cipher_generic_cipher }, \
+ { OSSL_FUNC_CIPHER_GET_PARAMS, \
+ (void (*)(void)) alg##_##kbits##_##lcmode##_get_params }, \
+ { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
+ (void (*)(void))cipher_generic_get_ctx_params }, \
+ { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
+ (void (*)(void))cipher_generic_set_ctx_params }, \
+ { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
+ (void (*)(void))cipher_default_gettable_params }, \
+ { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
+ (void (*)(void))cipher_default_gettable_ctx_params }, \
+ { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
+ (void (*)(void))cipher_default_settable_ctx_params }, \
+ { 0, NULL } \
+};
+
+#define IMPLEMENT_aead_cipher(alg, lc, UCMODE, flags, kbits, blkbits, ivbits) \
+static OSSL_OP_cipher_get_params_fn alg##_##kbits##_##lc##_get_params; \
+static int alg##_##kbits##_##lc##_get_params(OSSL_PARAM params[]) \
+{ \
+ return cipher_default_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
+ flags, kbits, blkbits, ivbits); \
+} \
+static OSSL_OP_cipher_newctx_fn alg##kbits##lc##_newctx; \
+static void * alg##kbits##lc##_newctx(void *provctx) \
+{ \
+ return alg##_##lc##_newctx(provctx, kbits); \
+} \
+const OSSL_DISPATCH alg##kbits##lc##_functions[] = { \
+ { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))alg##kbits##lc##_newctx }, \
+ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))alg##_##lc##_freectx }, \
+ { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) lc##_einit }, \
+ { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) lc##_dinit }, \
+ { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void)) lc##_stream_update }, \
+ { OSSL_FUNC_CIPHER_FINAL, (void (*)(void)) lc##_stream_final }, \
+ { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void)) lc##_cipher }, \
+ { OSSL_FUNC_CIPHER_GET_PARAMS, \
+ (void (*)(void)) alg##_##kbits##_##lc##_get_params }, \
+ { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
+ (void (*)(void)) lc##_get_ctx_params }, \
+ { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
+ (void (*)(void)) lc##_set_ctx_params }, \
+ { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
+ (void (*)(void))cipher_default_gettable_params }, \
+ { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
+ (void (*)(void))cipher_aead_gettable_ctx_params }, \
+ { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
+ (void (*)(void))cipher_aead_settable_ctx_params }, \
+ { 0, NULL } \
+}
+
+PROV_CIPHER_HW_FN cipher_hw_generic_cbc;
+PROV_CIPHER_HW_FN cipher_hw_generic_ecb;
+PROV_CIPHER_HW_FN cipher_hw_generic_ofb128;
+PROV_CIPHER_HW_FN cipher_hw_generic_cfb128;
+PROV_CIPHER_HW_FN cipher_hw_generic_cfb8;
+PROV_CIPHER_HW_FN cipher_hw_generic_cfb1;
+PROV_CIPHER_HW_FN cipher_hw_generic_ctr;
+PROV_CIPHER_HW_FN cipher_hw_chunked_cbc;
+PROV_CIPHER_HW_FN cipher_hw_chunked_cfb8;
+PROV_CIPHER_HW_FN cipher_hw_chunked_cfb128;
+PROV_CIPHER_HW_FN cipher_hw_chunked_ofb128;
+#define cipher_hw_chunked_ecb cipher_hw_generic_ecb
+#define cipher_hw_chunked_ctr cipher_hw_generic_ctr
+#define cipher_hw_chunked_cfb1 cipher_hw_generic_cfb1
+++ /dev/null
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-typedef struct prov_ccm_hw_st PROV_CCM_HW;
-
-#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-/*-
- * KMAC-AES parameter block - begin
- * (see z/Architecture Principles of Operation >= SA22-7832-08)
- */
-typedef struct S390X_kmac_params_st {
- union {
- unsigned long long g[2];
- unsigned char b[16];
- } icv;
- unsigned char k[32];
-} S390X_KMAC_PARAMS;
-/* KMAC-AES parameter block - end */
-#endif
-
-/* Base structure that is shared by AES & ARIA for CCM MODE */
-typedef struct prov_ccm_st {
- int enc;
- int key_set; /* Set if key initialised */
- int iv_set; /* Set if an iv is set */
- int tag_set; /* Set if tag is valid */
- int len_set; /* Set if message length set */
- size_t l, m; /* L and M parameters from RFC3610 */
- size_t keylen;
- int tls_aad_len; /* TLS AAD length */
- int tls_aad_pad_sz;
- unsigned char iv[AES_BLOCK_SIZE];
- unsigned char buf[AES_BLOCK_SIZE];
- CCM128_CONTEXT ccm_ctx;
- ccm128_f str;
- const PROV_CCM_HW *hw; /* hardware specific methods */
-} PROV_CCM_CTX;
-
-typedef struct prov_aes_ccm_ctx_st {
- PROV_CCM_CTX base; /* Must be first */
- union {
- OSSL_UNION_ALIGN;
- /*-
- * Padding is chosen so that s390x.kmac.k overlaps with ks.ks and
- * fc with ks.ks.rounds. Remember that on s390x, an AES_KEY's
- * rounds field is used to store the function code and that the key
- * schedule is not stored (if aes hardware support is detected).
- */
- struct {
- unsigned char pad[16];
- AES_KEY ks;
- } ks;
-#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
- struct {
- S390X_KMAC_PARAMS kmac;
- unsigned long long blocks;
- union {
- unsigned long long g[2];
- unsigned char b[AES_BLOCK_SIZE];
- } nonce;
- union {
- unsigned long long g[2];
- unsigned char b[AES_BLOCK_SIZE];
- } buf;
- unsigned char dummy_pad[168];
- unsigned int fc; /* fc has same offset as ks.ks.rounds */
- } s390x;
-#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
- } ccm;
-} PROV_AES_CCM_CTX;
-
-PROV_CIPHER_FUNC(int, CCM_cipher, (PROV_CCM_CTX *ctx, unsigned char *out, \
- size_t *padlen, const unsigned char *in, \
- size_t len));
-PROV_CIPHER_FUNC(int, CCM_setkey, (PROV_CCM_CTX *ctx, \
- const unsigned char *key, size_t keylen));
-PROV_CIPHER_FUNC(int, CCM_setiv, (PROV_CCM_CTX *dat, \
- const unsigned char *iv, size_t ivlen, \
- size_t mlen));
-PROV_CIPHER_FUNC(int, CCM_setaad, (PROV_CCM_CTX *ctx, \
- const unsigned char *aad, size_t aadlen));
-PROV_CIPHER_FUNC(int, CCM_auth_encrypt, (PROV_CCM_CTX *ctx, \
- const unsigned char *in, \
- unsigned char *out, size_t len, \
- unsigned char *tag, size_t taglen));
-PROV_CIPHER_FUNC(int, CCM_auth_decrypt, (PROV_CCM_CTX *ctx, \
- const unsigned char *in, \
- unsigned char *out, size_t len, \
- unsigned char *tag, size_t taglen));
-PROV_CIPHER_FUNC(int, CCM_gettag, (PROV_CCM_CTX *ctx, \
- unsigned char *tag, size_t taglen));
-
-/*
- * CCM Mode internal method table used to handle hardware specific differences,
- * (and different algorithms).
- */
-struct prov_ccm_hw_st {
- OSSL_CCM_setkey_fn setkey;
- OSSL_CCM_setiv_fn setiv;
- OSSL_CCM_setaad_fn setaad;
- OSSL_CCM_auth_encrypt_fn auth_encrypt;
- OSSL_CCM_auth_decrypt_fn auth_decrypt;
- OSSL_CCM_gettag_fn gettag;
-};
-
-const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keylen);
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-# include "internal/aria.h"
-typedef struct prov_aria_ccm_ctx_st {
- PROV_CCM_CTX base; /* Must be first */
- union {
- OSSL_UNION_ALIGN;
- ARIA_KEY ks;
- } ks; /* ARIA key schedule to use */
-} PROV_ARIA_CCM_CTX;
-
-const PROV_CCM_HW *PROV_ARIA_HW_ccm(size_t keylen);
-#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
+++ /dev/null
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/core_names.h>
-#include <openssl/params.h>
-#include "ciphers_locl.h"
-#include "internal/provider_algs.h"
-#include "internal/providercommonerr.h"
-
-/*-
- * Default cipher functions for OSSL_PARAM gettables and settables
- */
-static const OSSL_PARAM cipher_known_gettable_params[] = {
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_MODE, NULL),
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_BLOCK_SIZE, NULL),
- OSSL_PARAM_END
-};
-const OSSL_PARAM *cipher_default_gettable_params(void)
-{
- return cipher_known_gettable_params;
-}
-
-int cipher_default_get_params(OSSL_PARAM params[], int md, unsigned long flags,
- int kbits, int blkbits, int ivbits)
-{
- OSSL_PARAM *p;
-
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_MODE);
- if (p != NULL && !OSSL_PARAM_set_int(p, md)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_FLAGS);
- if (p != NULL && !OSSL_PARAM_set_ulong(p, flags)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
- if (p != NULL && !OSSL_PARAM_set_int(p, kbits / 8)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_BLOCK_SIZE);
- if (p != NULL && !OSSL_PARAM_set_int(p, blkbits / 8)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
- if (p != NULL && !OSSL_PARAM_set_int(p, ivbits / 8)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- return 1;
-}
-
-static const OSSL_PARAM cipher_known_gettable_ctx_params[] = {
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_PADDING, NULL),
- OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_NUM, NULL),
- OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
- OSSL_PARAM_END
-};
-const OSSL_PARAM *cipher_default_gettable_ctx_params(void)
-{
- return cipher_known_gettable_ctx_params;
-}
-
-static const OSSL_PARAM cipher_known_settable_ctx_params[] = {
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_PADDING, NULL),
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_NUM, NULL),
- OSSL_PARAM_END
-};
-const OSSL_PARAM *cipher_default_settable_ctx_params(void)
-{
- return cipher_known_settable_ctx_params;
-}
-
-/*-
- * AEAD cipher functions for OSSL_PARAM gettables and settables
- */
-static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
- OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
- OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
- OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
- OSSL_PARAM_END
-};
-const OSSL_PARAM *cipher_aead_gettable_ctx_params(void)
-{
- return cipher_aead_known_gettable_ctx_params;
-}
-
-static const OSSL_PARAM cipher_aead_known_settable_ctx_params[] = {
- OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
- OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
- OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
- OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0),
- OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, NULL, 0),
- OSSL_PARAM_END
-};
-const OSSL_PARAM *cipher_aead_settable_ctx_params(void)
-{
- return cipher_aead_known_settable_ctx_params;
-}
+++ /dev/null
-
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/aes.h>
-
-typedef struct prov_gcm_hw_st PROV_GCM_HW;
-
-#define GCM_IV_DEFAULT_SIZE 12/* IV's for AES_GCM should normally be 12 bytes */
-#define GCM_IV_MAX_SIZE 64
-#define GCM_TAG_MAX_SIZE 16
-
-
-#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-/*-
- * KMA-GCM-AES parameter block - begin
- * (see z/Architecture Principles of Operation >= SA22-7832-11)
- */
-typedef struct S390X_kma_params_st {
- unsigned char reserved[12];
- union {
- unsigned int w;
- unsigned char b[4];
- } cv; /* 32 bit counter value */
- union {
- unsigned long long g[2];
- unsigned char b[16];
- } t; /* tag */
- unsigned char h[16]; /* hash subkey */
- unsigned long long taadl; /* total AAD length */
- unsigned long long tpcl; /* total plaintxt/ciphertxt len */
- union {
- unsigned long long g[2];
- unsigned int w[4];
- } j0; /* initial counter value */
- unsigned char k[32]; /* key */
-} S390X_KMA_PARAMS;
-
-#endif
-
-typedef struct prov_gcm_ctx_st {
- int enc; /* Set to 1 if we are encrypting or 0 otherwise */
- int mode; /* The mode that we are using */
- size_t keylen;
- int ivlen;
- size_t ivlen_min;
- int taglen;
- int key_set; /* Set if key initialised */
- int iv_state; /* set to one of IV_STATE_XXX */
- int iv_gen_rand; /* No IV was specified, so generate a rand IV */
- int iv_gen; /* It is OK to generate IVs */
- int tls_aad_pad_sz;
- int tls_aad_len; /* TLS AAD length */
- uint64_t tls_enc_records; /* Number of TLS records encrypted */
-
- /*
- * num contains the number of bytes of |iv| which are valid for modes that
- * manage partial blocks themselves.
- */
- size_t num;
- size_t bufsz; /* Number of bytes in buf */
- uint64_t flags;
-
- unsigned int pad : 1; /* Whether padding should be used or not */
-
- unsigned char iv[GCM_IV_MAX_SIZE]; /* Buffer to use for IV's */
- unsigned char buf[AES_BLOCK_SIZE]; /* Buffer of partial blocks processed via update calls */
-
- OPENSSL_CTX *libctx; /* needed for rand calls */
- const PROV_GCM_HW *hw; /* hardware specific methods */
- GCM128_CONTEXT gcm;
- ctr128_f ctr;
- const void *ks;
-} PROV_GCM_CTX;
-
-typedef struct prov_aes_gcm_ctx_st {
- PROV_GCM_CTX base; /* must be first entry in struct */
- union {
- OSSL_UNION_ALIGN;
- AES_KEY ks;
- } ks; /* AES key schedule to use */
-
- /* Platform specific data */
- union {
- int dummy;
-#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
- struct {
- union {
- OSSL_UNION_ALIGN;
- S390X_KMA_PARAMS kma;
- } param;
- unsigned int fc;
- unsigned char ares[16];
- unsigned char mres[16];
- unsigned char kres[16];
- int areslen;
- int mreslen;
- int kreslen;
- int res;
- } s390x;
-#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
- } plat;
-} PROV_AES_GCM_CTX;
-
-PROV_CIPHER_FUNC(int, GCM_setkey, (PROV_GCM_CTX *ctx, const unsigned char *key,
- size_t keylen));
-PROV_CIPHER_FUNC(int, GCM_setiv, (PROV_GCM_CTX *dat, const unsigned char *iv,
- size_t ivlen));
-PROV_CIPHER_FUNC(int, GCM_aadupdate, (PROV_GCM_CTX *ctx,
- const unsigned char *aad, size_t aadlen));
-PROV_CIPHER_FUNC(int, GCM_cipherupdate, (PROV_GCM_CTX *ctx,
- const unsigned char *in, size_t len,
- unsigned char *out));
-PROV_CIPHER_FUNC(int, GCM_cipherfinal, (PROV_GCM_CTX *ctx, unsigned char *tag));
-PROV_CIPHER_FUNC(int, GCM_oneshot, (PROV_GCM_CTX *ctx, unsigned char *aad,
- size_t aad_len, const unsigned char *in,
- size_t in_len, unsigned char *out,
- unsigned char *tag, size_t taglen));
-struct prov_gcm_hw_st {
- OSSL_GCM_setkey_fn setkey;
- OSSL_GCM_setiv_fn setiv;
- OSSL_GCM_aadupdate_fn aadupdate;
- OSSL_GCM_cipherupdate_fn cipherupdate;
- OSSL_GCM_cipherfinal_fn cipherfinal;
- OSSL_GCM_oneshot_fn oneshot;
-};
-const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits);
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-
-#include "internal/aria.h"
-
-typedef struct prov_aria_gcm_ctx_st {
- PROV_GCM_CTX base; /* must be first entry in struct */
- union {
- OSSL_UNION_ALIGN;
- ARIA_KEY ks;
- } ks;
-} PROV_ARIA_GCM_CTX;
-const PROV_GCM_HW *PROV_ARIA_HW_gcm(size_t keybits);
-
-#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
+++ /dev/null
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/opensslconf.h>
-#include <openssl/aes.h>
-#include <openssl/params.h>
-#include <openssl/core_numbers.h>
-#include "internal/cryptlib.h"
-#include "internal/modes_int.h"
-
-#define IV_STATE_UNINITIALISED 0 /* initial state is not initialized */
-#define IV_STATE_BUFFERED 1 /* iv has been copied to the iv buffer */
-#define IV_STATE_COPIED 2 /* iv has been copied from the iv buffer */
-#define IV_STATE_FINISHED 3 /* the iv has been used - so don't reuse it */
-
-#define PROV_CIPHER_FUNC(type, name, args) typedef type (* OSSL_##name##_fn)args
-
-typedef struct prov_aes_cipher_st PROV_AES_CIPHER;
-
-typedef struct prov_aes_key_st {
- union {
- OSSL_UNION_ALIGN;
- AES_KEY ks;
- } ks;
- block128_f block;
- union {
- cbc128_f cbc;
- ctr128_f ctr;
- } stream;
-
- /* Platform specific data */
- union {
- int dummy;
-#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
- struct {
- union {
- OSSL_UNION_ALIGN;
- /*-
- * KM-AES parameter block - begin
- * (see z/Architecture Principles of Operation >= SA22-7832-06)
- */
- struct {
- unsigned char k[32];
- } km;
- /* KM-AES parameter block - end */
- /*-
- * KMO-AES/KMF-AES parameter block - begin
- * (see z/Architecture Principles of Operation >= SA22-7832-08)
- */
- struct {
- unsigned char cv[16];
- unsigned char k[32];
- } kmo_kmf;
- /* KMO-AES/KMF-AES parameter block - end */
- } param;
- unsigned int fc;
- int res;
- } s390x;
-#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
- } plat;
-
- /* The cipher functions we are going to use */
- const PROV_AES_CIPHER *ciph;
-
- /* The mode that we are using */
- int mode;
-
- /* Set to 1 if we are encrypting or 0 otherwise */
- int enc;
-
- unsigned char iv[AES_BLOCK_SIZE];
-
- /*
- * num contains the number of bytes of |iv| which are valid for modes that
- * manage partial blocks themselves.
- */
- size_t num;
-
- /* Buffer of partial blocks processed via update calls */
- unsigned char buf[AES_BLOCK_SIZE];
-
- /* Number of bytes in buf */
- size_t bufsz;
-
- uint64_t flags;
-
- size_t keylen;
-
- /* Whether padding should be used or not */
- unsigned int pad : 1;
-} PROV_AES_KEY;
-
-struct prov_aes_cipher_st {
- int (*init)(PROV_AES_KEY *dat, const uint8_t *key, size_t keylen);
- int (*cipher)(PROV_AES_KEY *dat, uint8_t *out, const uint8_t *in,
- size_t inl);
-};
-
-#include "ciphers_gcm.h"
-#include "ciphers_ccm.h"
-
-const PROV_AES_CIPHER *PROV_AES_CIPHER_ecb(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_cbc(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_ofb(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_cfb(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_cfb1(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_cfb8(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_ctr(size_t keylen);
-
-size_t fillblock(unsigned char *buf, size_t *buflen, size_t blocksize,
- const unsigned char **in, size_t *inlen);
-int trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
- const unsigned char **in, size_t *inlen);
-void padblock(unsigned char *buf, size_t *buflen, size_t blocksize);
-int unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize);
-
-OSSL_OP_cipher_gettable_params_fn cipher_default_gettable_params;
-OSSL_OP_cipher_gettable_ctx_params_fn cipher_default_gettable_ctx_params;
-OSSL_OP_cipher_settable_ctx_params_fn cipher_default_settable_ctx_params;
-OSSL_OP_cipher_gettable_ctx_params_fn cipher_aead_gettable_ctx_params;
-OSSL_OP_cipher_settable_ctx_params_fn cipher_aead_settable_ctx_params;
-
-int cipher_default_get_params(OSSL_PARAM params[], int md, unsigned long flags,
- int kbits, int blkbits, int ivbits);
-
-#define IMPLEMENT_aead_cipher(alg, lc, UCMODE, flags, kbits, blkbits, ivbits) \
- static OSSL_OP_cipher_get_params_fn alg##_##kbits##_##lc##_get_params; \
- static int alg##_##kbits##_##lc##_get_params(OSSL_PARAM params[]) \
- { \
- return cipher_default_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
- flags, kbits, blkbits, ivbits); \
- } \
- static OSSL_OP_cipher_newctx_fn alg##kbits##lc##_newctx; \
- static void * alg##kbits##lc##_newctx(void *provctx) \
- { \
- return alg##_##lc##_newctx(provctx, kbits); \
- } \
- const OSSL_DISPATCH alg##kbits##lc##_functions[] = { \
- { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))alg##kbits##lc##_newctx }, \
- { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))alg##_##lc##_freectx }, \
- { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) lc##_einit }, \
- { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) lc##_dinit }, \
- { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void)) lc##_stream_update }, \
- { OSSL_FUNC_CIPHER_FINAL, (void (*)(void)) lc##_stream_final }, \
- { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void)) lc##_cipher }, \
- { OSSL_FUNC_CIPHER_GET_PARAMS, \
- (void (*)(void)) alg##_##kbits##_##lc##_get_params }, \
- { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
- (void (*)(void)) lc##_get_ctx_params }, \
- { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
- (void (*)(void)) lc##_set_ctx_params }, \
- { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
- (void (*)(void))cipher_default_gettable_params }, \
- { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
- (void (*)(void))cipher_aead_gettable_ctx_params }, \
- { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
- (void (*)(void))cipher_aead_settable_ctx_params }, \
- { 0, NULL } \
- }
+++ /dev/null
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/evp.h>
-#include <openssl/params.h>
-#include <openssl/core_numbers.h>
-#include <openssl/core_names.h>
-#include "internal/rand_int.h"
-#include "internal/provider_algs.h"
-#include "internal/provider_ctx.h"
-#include "internal/providercommonerr.h"
-#include "ciphers_locl.h"
-
-/* TODO(3.0) Figure out what flags are really needed */
-#define AEAD_GCM_FLAGS (EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1 \
- | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
- | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
- | EVP_CIPH_CUSTOM_COPY)
-
-static OSSL_OP_cipher_encrypt_init_fn gcm_einit;
-static OSSL_OP_cipher_decrypt_init_fn gcm_dinit;
-static OSSL_OP_cipher_get_ctx_params_fn gcm_get_ctx_params;
-static OSSL_OP_cipher_set_ctx_params_fn gcm_set_ctx_params;
-static OSSL_OP_cipher_cipher_fn gcm_cipher;
-static OSSL_OP_cipher_update_fn gcm_stream_update;
-static OSSL_OP_cipher_final_fn gcm_stream_final;
-
-static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
-static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
- size_t len);
-static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
- const unsigned char *in, size_t len);
-static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
- size_t *padlen, const unsigned char *in,
- size_t len);
-
-static void gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
- const PROV_GCM_HW *hw, size_t ivlen_min)
-{
- ctx->pad = 1;
- ctx->mode = EVP_CIPH_GCM_MODE;
- ctx->taglen = -1;
- ctx->tls_aad_len = -1;
- ctx->ivlen_min = ivlen_min;
- ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
- ctx->keylen = keybits / 8;
- ctx->hw = hw;
- ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
-}
-
-static void gcm_deinitctx(PROV_GCM_CTX *ctx)
-{
- OPENSSL_cleanse(ctx->iv, sizeof(ctx->iv));
-}
-
-static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
- const unsigned char *iv, size_t ivlen, int enc)
-{
- PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
-
- ctx->enc = enc;
-
- if (iv != NULL) {
- if (ivlen < ctx->ivlen_min || ivlen > sizeof(ctx->iv)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
- return 0;
- }
- ctx->ivlen = ivlen;
- memcpy(ctx->iv, iv, ctx->ivlen);
- ctx->iv_state = IV_STATE_BUFFERED;
- }
-
- if (key != NULL) {
- if (keylen != ctx->keylen) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
- return 0;
- }
- return ctx->hw->setkey(ctx, key, ctx->keylen);
- }
- return 1;
-}
-
-static int gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
- const unsigned char *iv, size_t ivlen)
-{
- return gcm_init(vctx, key, keylen, iv, ivlen, 1);
-}
-
-static int gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
- const unsigned char *iv, size_t ivlen)
-{
- return gcm_init(vctx, key, keylen, iv, ivlen, 0);
-}
-
-static int gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
-{
- PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
- OSSL_PARAM *p;
- size_t sz;
-
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
- if (p != NULL && !OSSL_PARAM_set_int(p, ctx->ivlen)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
- if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
-
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
- if (p != NULL) {
- if (ctx->iv_gen != 1 && ctx->iv_gen_rand != 1)
- return 0;
- if (ctx->ivlen != (int)p->data_size) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
- return 0;
- }
- if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- }
-
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
- if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
- if (p != NULL) {
- sz = p->data_size;
- if (sz == 0 || sz > EVP_GCM_TLS_TAG_LEN || !ctx->enc || ctx->taglen < 0) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
- return 0;
- }
- if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
- return 0;
- }
- }
- return 1;
-}
-
-static int gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
-{
- PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
- const OSSL_PARAM *p;
- size_t sz;
- void *vp;
-
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
- if (p != NULL) {
- vp = ctx->buf;
- if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- if (sz == 0 || ctx->enc) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
- return 0;
- }
- ctx->taglen = sz;
- }
-
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
- if (p != NULL) {
- if (!OSSL_PARAM_get_size_t(p, &sz)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- if (sz == 0 || sz > sizeof(ctx->iv)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
- return 0;
- }
- ctx->ivlen = sz;
- }
-
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
- if (p != NULL) {
- if (p->data_type != OSSL_PARAM_OCTET_STRING) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- sz = gcm_tls_init(ctx, p->data, p->data_size);
- if (sz == 0) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
- return 0;
- }
- ctx->tls_aad_pad_sz = sz;
- }
-
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
- if (p != NULL) {
- if (p->data_type != OSSL_PARAM_OCTET_STRING) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- }
-
- /*
- * TODO(3.0) Temporary solution to address fuzz test crash, which will be
- * reworked once the discussion in PR #9510 is resolved. i.e- We need a
- * general solution for handling missing parameters inside set_params and
- * get_params methods.
- */
- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
- if (p != NULL) {
- int keylen;
-
- if (!OSSL_PARAM_get_int(p, &keylen)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
- /* The key length can not be modified for gcm mode */
- if (keylen != (int)ctx->keylen)
- return 0;
- }
-
- return 1;
-}
-
-static int gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize, const unsigned char *in,
- size_t inl)
-{
- PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
-
- if (outsize < inl) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return -1;
- }
-
- if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
- ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
- return -1;
- }
- return 1;
-}
-
-static int gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize)
-{
- PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
- int i;
-
- i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
- if (i <= 0)
- return 0;
-
- *outl = 0;
- return 1;
-}
-
-static int gcm_cipher(void *vctx,
- unsigned char *out, size_t *outl, size_t outsize,
- const unsigned char *in, size_t inl)
-{
- PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
-
- if (outsize < inl) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return -1;
- }
-
- if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
- return -1;
-
- *outl = inl;
- return 1;
-}
-
-/*
- * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
- *
- * See also 8.2.2 RBG-based construction.
- * Random construction consists of a free field (which can be NULL) and a
- * random field which will use a DRBG that can return at least 96 bits of
- * entropy strength. (The DRBG must be seeded by the FIPS module).
- */
-static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
-{
- int sz = ctx->ivlen - offset;
-
- /* Must be at least 96 bits */
- if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
- return 0;
-
- /* Use DRBG to generate random iv */
- if (rand_bytes_ex(ctx->libctx, ctx->iv + offset, sz) <= 0)
- return 0;
- ctx->iv_state = IV_STATE_BUFFERED;
- ctx->iv_gen_rand = 1;
- return 1;
-}
-
-static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
- size_t *padlen, const unsigned char *in,
- size_t len)
-{
- size_t olen = 0;
- int rv = 0;
- const PROV_GCM_HW *hw = ctx->hw;
-
- if (ctx->tls_aad_len >= 0)
- return gcm_tls_cipher(ctx, out, padlen, in, len);
-
- if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
- goto err;
-
- /*
- * FIPS requires generation of AES-GCM IV's inside the FIPS module.
- * The IV can still be set externally (the security policy will state that
- * this is not FIPS compliant). There are some applications
- * where setting the IV externally is the only option available.
- */
- if (ctx->iv_state == IV_STATE_UNINITIALISED) {
- if (!ctx->enc || !gcm_iv_generate(ctx, 0))
- goto err;
- }
-
- if (ctx->iv_state == IV_STATE_BUFFERED) {
- if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
- goto err;
- ctx->iv_state = IV_STATE_COPIED;
- }
-
- if (in != NULL) {
- /* The input is AAD if out is NULL */
- if (out == NULL) {
- if (!hw->aadupdate(ctx, in, len))
- goto err;
- } else {
- /* The input is ciphertext OR plaintext */
- if (!hw->cipherupdate(ctx, in, len, out))
- goto err;
- }
- } else {
- /* Finished when in == NULL */
- if (!hw->cipherfinal(ctx, ctx->buf))
- goto err;
- ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
- goto finish;
- }
- olen = len;
-finish:
- rv = 1;
-err:
- *padlen = olen;
- return rv;
-}
-
-static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
-{
- unsigned char *buf;
- size_t len;
-
- if (aad_len != EVP_AEAD_TLS1_AAD_LEN)
- return 0;
-
- /* Save the aad for later use. */
- buf = dat->buf;
- memcpy(buf, aad, aad_len);
- dat->tls_aad_len = aad_len;
- dat->tls_enc_records = 0;
-
- len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
- /* Correct length for explicit iv. */
- if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
- return 0;
- len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
-
- /* If decrypting correct for tag too. */
- if (!dat->enc) {
- if (len < EVP_GCM_TLS_TAG_LEN)
- return 0;
- len -= EVP_GCM_TLS_TAG_LEN;
- }
- buf[aad_len - 2] = (unsigned char)(len >> 8);
- buf[aad_len - 1] = (unsigned char)(len & 0xff);
- /* Extra padding: tag appended to record. */
- return EVP_GCM_TLS_TAG_LEN;
-}
-
-static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
- size_t len)
-{
- /* Special case: -1 length restores whole IV */
- if (len == (size_t)-1) {
- memcpy(ctx->iv, iv, ctx->ivlen);
- ctx->iv_gen = 1;
- ctx->iv_state = IV_STATE_BUFFERED;
- return 1;
- }
- /* Fixed field must be at least 4 bytes and invocation field at least 8 */
- if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
- || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
- return 0;
- if (len > 0)
- memcpy(ctx->iv, iv, len);
- if (ctx->enc
- && rand_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len) <= 0)
- return 0;
- ctx->iv_gen = 1;
- ctx->iv_state = IV_STATE_BUFFERED;
- return 1;
-}
-
-/* increment counter (64-bit int) by 1 */
-static void ctr64_inc(unsigned char *counter)
-{
- int n = 8;
- unsigned char c;
-
- do {
- --n;
- c = counter[n];
- ++c;
- counter[n] = c;
- if (c > 0)
- return;
- } while (n > 0);
-}
-
-/*
- * Handle TLS GCM packet format. This consists of the last portion of the IV
- * followed by the payload and finally the tag. On encrypt generate IV,
- * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
- * and verify tag.
- */
-static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
- const unsigned char *in, size_t len)
-{
- int rv = 0, arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
- size_t plen = 0;
- unsigned char *tag = NULL;
-
- if (!ctx->key_set)
- goto err;
-
- /* Encrypt/decrypt must be performed in place */
- if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
- goto err;
-
- /*
- * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
- * Requirements from SP 800-38D". The requirements is for one party to the
- * communication to fail after 2^64 - 1 keys. We do this on the encrypting
- * side only.
- */
- if (ctx->enc && ++ctx->tls_enc_records == 0) {
- ERR_raise(ERR_LIB_PROV, EVP_R_TOO_MANY_RECORDS);
- goto err;
- }
-
- if (ctx->iv_gen == 0)
- goto err;
- /*
- * Set IV from start of buffer or generate IV and write to start of
- * buffer.
- */
- if (ctx->enc) {
- if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
- goto err;
- if (arg > ctx->ivlen)
- arg = ctx->ivlen;
- memcpy(out, ctx->iv + ctx->ivlen - arg, arg);
- /*
- * Invocation field will be at least 8 bytes in size and so no need
- * to check wrap around or increment more than last 8 bytes.
- */
- ctr64_inc(ctx->iv + ctx->ivlen - 8);
- } else {
- memcpy(ctx->iv + ctx->ivlen - arg, out, arg);
- if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
- goto err;
- }
- ctx->iv_state = IV_STATE_COPIED;
-
- /* Fix buffer and length to point to payload */
- in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
- out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
- len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
-
- tag = ctx->enc ? out + len : (unsigned char *)in + len;
- if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
- EVP_GCM_TLS_TAG_LEN)) {
- if (!ctx->enc)
- OPENSSL_cleanse(out, len);
- goto err;
- }
- if (ctx->enc)
- plen = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
- else
- plen = len;
-
- rv = 1;
-err:
- ctx->iv_state = IV_STATE_FINISHED;
- ctx->tls_aad_len = -1;
- *padlen = plen;
- return rv;
-}
-
-static void *aes_gcm_newctx(void *provctx, size_t keybits)
-{
- PROV_AES_GCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
- if (ctx != NULL)
- gcm_initctx(provctx, (PROV_GCM_CTX *)ctx, keybits,
- PROV_AES_HW_gcm(keybits), 8);
- return ctx;
-}
-
-static OSSL_OP_cipher_freectx_fn aes_gcm_freectx;
-static void aes_gcm_freectx(void *vctx)
-{
- PROV_AES_GCM_CTX *ctx = (PROV_AES_GCM_CTX *)vctx;
-
- gcm_deinitctx((PROV_GCM_CTX *)ctx);
- OPENSSL_clear_free(ctx, sizeof(*ctx));
-}
-
-/* aes128gcm_functions */
-IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_GCM_FLAGS, 128, 8, 96);
-/* aes192gcm_functions */
-IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_GCM_FLAGS, 192, 8, 96);
-/* aes256gcm_functions */
-IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_GCM_FLAGS, 256, 8, 96);
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-
-static void *aria_gcm_newctx(void *provctx, size_t keybits)
-{
- PROV_ARIA_GCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
- if (ctx != NULL)
- gcm_initctx(provctx, (PROV_GCM_CTX *)ctx, keybits,
- PROV_ARIA_HW_gcm(keybits), 4);
- return ctx;
-}
-
-static OSSL_OP_cipher_freectx_fn aria_gcm_freectx;
-static void aria_gcm_freectx(void *vctx)
-{
- PROV_ARIA_GCM_CTX *ctx = (PROV_ARIA_GCM_CTX *)vctx;
-
- gcm_deinitctx((PROV_GCM_CTX *)ctx);
- OPENSSL_clear_free(ctx, sizeof(*ctx));
-}
-
-/* aria128gcm_functions */
-IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_GCM_FLAGS, 128, 8, 96);
-/* aria192gcm_functions */
-IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_GCM_FLAGS, 192, 8, 96);
-/* aria256gcm_functions */
-IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_GCM_FLAGS, 256, 8, 96);
-
-#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
+++ /dev/null
-/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "ciphers_locl.h"
-#include "internal/aes_platform.h"
-
-static const PROV_GCM_HW aes_gcm;
-
-static int gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen);
-static int gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad,
- size_t aad_len);
-static int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag);
-static int gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len,
- const unsigned char *in, size_t in_len,
- unsigned char *out, unsigned char *tag, size_t tag_len);
-static int gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
- size_t len, unsigned char *out);
-
-#define SET_KEY_CTR_FN(ks, fn_set_enc_key, fn_block, fn_ctr) \
- ctx->ks = ks; \
- fn_set_enc_key(key, keylen * 8, ks); \
- CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)fn_block); \
- ctx->ctr = (ctr128_f)fn_ctr; \
- ctx->key_set = 1;
-
-#if defined(AESNI_CAPABLE)
-
-/* AES-NI section */
-static int aesni_gcm_init_key(PROV_GCM_CTX *ctx, const unsigned char *key,
- size_t keylen)
-{
- PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
- AES_KEY *ks = &actx->ks.ks;
-
- SET_KEY_CTR_FN(ks, aesni_set_encrypt_key, aesni_encrypt,
- aesni_ctr32_encrypt_blocks);
- return 1;
-}
-
-static const PROV_GCM_HW aesni_gcm = {
- aesni_gcm_init_key,
- gcm_setiv,
- gcm_aad_update,
- gcm_cipher_update,
- gcm_cipher_final,
- gcm_one_shot
-};
-
-const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
-{
- return AESNI_CAPABLE ? &aesni_gcm : &aes_gcm;
-}
-
-#elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
-
-/* Fujitsu SPARC64 X support */
-
-static int t4_aes_gcm_init_key(PROV_GCM_CTX *ctx, const unsigned char *key,
- size_t keylen)
-{
- ctr128_f ctr;
- PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
- AES_KEY *ks = &actx->ks.ks;
-
-
- switch (keylen) {
- case 16:
- ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
- break;
- case 24:
- ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
- break;
- case 32:
- ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
- break;
- default:
- return 0;
- }
-
- SET_KEY_CTR_FN(ks, aes_t4_set_encrypt_key, aes_t4_encrypt, ctr);
- return 1;
-}
-
-static const PROV_GCM_HW t4_aes_gcm = {
- t4_aes_gcm_init_key,
- gcm_setiv,
- gcm_aad_update,
- gcm_cipher_update,
- gcm_cipher_final,
- gcm_one_shot
-};
-const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
-{
- return SPARC_AES_CAPABLE ? &t4_aes_gcm : &aes_gcm;
-}
-
-#elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-# include "gcm_s390x.c"
-#else
-const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
-{
- return &aes_gcm;
-}
-#endif
-
-static int generic_aes_gcm_init_key(PROV_GCM_CTX *ctx, const unsigned char *key,
- size_t keylen)
-{
- PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
- AES_KEY *ks = &actx->ks.ks;
-
-# ifdef HWAES_CAPABLE
- if (HWAES_CAPABLE) {
-# ifdef HWAES_ctr32_encrypt_blocks
- SET_KEY_CTR_FN(ks, HWAES_set_encrypt_key, HWAES_encrypt,
- HWAES_ctr32_encrypt_blocks);
-# else
- SET_KEY_CTR_FN(ks, HWAES_set_encrypt_key, HWAES_encrypt, NULL);
-# endif /* HWAES_ctr32_encrypt_blocks */
- } else
-# endif /* HWAES_CAPABLE */
-
-# ifdef BSAES_CAPABLE
- if (BSAES_CAPABLE) {
- SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt,
- bsaes_ctr32_encrypt_blocks);
- } else
-# endif /* BSAES_CAPABLE */
-
-# ifdef VPAES_CAPABLE
- if (VPAES_CAPABLE) {
- SET_KEY_CTR_FN(ks, vpaes_set_encrypt_key, vpaes_encrypt, NULL);
- } else
-# endif /* VPAES_CAPABLE */
-
- {
-# ifdef AES_CTR_ASM
- SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt, AES_ctr32_encrypt);
-# else
- SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt, NULL);
-# endif /* AES_CTR_ASM */
- }
- ctx->key_set = 1;
- return 1;
-}
-
-static int gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen)
-{
- CRYPTO_gcm128_setiv(&ctx->gcm, iv, ivlen);
- return 1;
-}
-
-static int gcm_aad_update(PROV_GCM_CTX *ctx,
- const unsigned char *aad, size_t aad_len)
-{
- return CRYPTO_gcm128_aad(&ctx->gcm, aad, aad_len) == 0;
-}
-
-static int gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
- size_t len, unsigned char *out)
-{
- if (ctx->enc) {
- if (ctx->ctr != NULL) {
-#if defined(AES_GCM_ASM)
- size_t bulk = 0;
-
- if (len >= 32 && AES_GCM_ASM(ctx)) {
- size_t res = (16 - ctx->gcm.mres) % 16;
-
- if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, res))
- return 0;
- bulk = aesni_gcm_encrypt(in + res, out + res, len - res,
- ctx->gcm.key,
- ctx->gcm.Yi.c, ctx->gcm.Xi.u);
- ctx->gcm.len.u[1] += bulk;
- bulk += res;
- }
- if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in + bulk, out + bulk,
- len - bulk, ctx->ctr))
- return 0;
-#else
- if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr))
- return 0;
-#endif /* AES_GCM_ASM */
- } else {
- if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len))
- return 0;
- }
- } else {
- if (ctx->ctr != NULL) {
-#if defined(AES_GCM_ASM)
- size_t bulk = 0;
-
- if (len >= 16 && AES_GCM_ASM(ctx)) {
- size_t res = (16 - ctx->gcm.mres) % 16;
-
- if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, res))
- return -1;
-
- bulk = aesni_gcm_decrypt(in + res, out + res, len - res,
- ctx->gcm.key,
- ctx->gcm.Yi.c, ctx->gcm.Xi.u);
- ctx->gcm.len.u[1] += bulk;
- bulk += res;
- }
- if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in + bulk, out + bulk,
- len - bulk, ctx->ctr))
- return 0;
-#else
- if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr))
- return 0;
-#endif /* AES_GCM_ASM */
- } else {
- if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, len))
- return 0;
- }
- }
- return 1;
-}
-
-static int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag)
-{
- if (ctx->enc) {
- CRYPTO_gcm128_tag(&ctx->gcm, tag, GCM_TAG_MAX_SIZE);
- ctx->taglen = GCM_TAG_MAX_SIZE;
- } else {
- if (ctx->taglen < 0
- || CRYPTO_gcm128_finish(&ctx->gcm, tag, ctx->taglen) != 0)
- return 0;
- }
- return 1;
-}
-
-static int gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len,
- const unsigned char *in, size_t in_len,
- unsigned char *out, unsigned char *tag, size_t tag_len)
-{
- int ret = 0;
-
- /* Use saved AAD */
- if (!ctx->hw->aadupdate(ctx, aad, aad_len))
- goto err;
- if (!ctx->hw->cipherupdate(ctx, in, in_len, out))
- goto err;
- ctx->taglen = GCM_TAG_MAX_SIZE;
- if (!ctx->hw->cipherfinal(ctx, tag))
- goto err;
- ret = 1;
-
-err:
- return ret;
-}
-
-static const PROV_GCM_HW aes_gcm = {
- generic_aes_gcm_init_key,
- gcm_setiv,
- gcm_aad_update,
- gcm_cipher_update,
- gcm_cipher_final,
- gcm_one_shot
-};
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-
-static int aria_gcm_init_key(PROV_GCM_CTX *ctx, const unsigned char *key,
- size_t keylen)
-{
- PROV_ARIA_GCM_CTX *actx = (PROV_ARIA_GCM_CTX *)ctx;
- ARIA_KEY *ks = &actx->ks.ks;
-
- SET_KEY_CTR_FN(ks, aria_set_encrypt_key, aria_encrypt, NULL);
- return 1;
-}
-
-static int aria_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
- size_t len, unsigned char *out)
-{
- if (ctx->enc) {
- if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len))
- return 0;
- } else {
- if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, len))
- return 0;
- }
- return 1;
-}
-
-static const PROV_GCM_HW aria_gcm = {
- aria_gcm_init_key,
- gcm_setiv,
- gcm_aad_update,
- aria_cipher_update,
- gcm_cipher_final,
- gcm_one_shot
-};
-const PROV_GCM_HW *PROV_ARIA_HW_gcm(size_t keybits)
-{
- return &aria_gcm;
-}
-
-#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
+++ /dev/null
-/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * IBM S390X AES GCM support
- * Note this file is included by aes_gcm_hw.c
- */
-
-/* iv + padding length for iv lengths != 12 */
-#define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
-
-static int s390x_aes_gcm_init_key(PROV_GCM_CTX *ctx,
- const unsigned char *key, size_t keylen)
-{
- PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
-
- ctx->key_set = 1;
- memcpy(&actx->plat.s390x.param.kma.k, key, keylen);
- actx->plat.s390x.fc = S390X_AES_FC(keylen);
- if (!ctx->enc)
- actx->plat.s390x.fc |= S390X_DECRYPT;
- return 1;
-}
-
-static int s390x_aes_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv,
- size_t ivlen)
-{
- PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
- S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
-
- kma->t.g[0] = 0;
- kma->t.g[1] = 0;
- kma->tpcl = 0;
- kma->taadl = 0;
- actx->plat.s390x.mreslen = 0;
- actx->plat.s390x.areslen = 0;
- actx->plat.s390x.kreslen = 0;
-
- if (ivlen == GCM_IV_DEFAULT_SIZE) {
- memcpy(&kma->j0, iv, ivlen);
- kma->j0.w[3] = 1;
- kma->cv.w = 1;
- } else {
- unsigned long long ivbits = ivlen << 3;
- size_t len = S390X_gcm_ivpadlen(ivlen);
- unsigned char iv_zero_pad[S390X_gcm_ivpadlen(GCM_IV_MAX_SIZE)];
- /*
- * The IV length needs to be zero padded to be a multiple of 16 bytes
- * followed by 8 bytes of zeros and 8 bytes for the IV length.
- * The GHASH of this value can then be calculated.
- */
- memcpy(iv_zero_pad, iv, ivlen);
- memset(iv_zero_pad + ivlen, 0, len - ivlen);
- memcpy(iv_zero_pad + len - sizeof(ivbits), &ivbits, sizeof(ivbits));
- /*
- * Calculate the ghash of the iv - the result is stored into the tag
- * param.
- */
- s390x_kma(iv_zero_pad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
- actx->plat.s390x.fc |= S390X_KMA_HS; /* The hash subkey is set */
-
- /* Copy the 128 bit GHASH result into J0 and clear the tag */
- kma->j0.g[0] = kma->t.g[0];
- kma->j0.g[1] = kma->t.g[1];
- kma->t.g[0] = 0;
- kma->t.g[1] = 0;
- /* Set the 32 bit counter */
- kma->cv.w = kma->j0.w[3];
- }
- return 1;
-}
-
-static int s390x_aes_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag)
-{
- PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
- S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
- unsigned char out[AES_BLOCK_SIZE];
- int rc;
-
- kma->taadl <<= 3;
- kma->tpcl <<= 3;
- s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
- actx->plat.s390x.mres, actx->plat.s390x.mreslen, out,
- actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma);
-
- /* gctx->mres already returned to the caller */
- OPENSSL_cleanse(out, actx->plat.s390x.mreslen);
-
- if (ctx->enc) {
- ctx->taglen = GCM_TAG_MAX_SIZE;
- memcpy(tag, kma->t.b, ctx->taglen);
- rc = 1;
- } else {
- if (ctx->taglen < 0)
- rc = 0;
- else
- rc = (CRYPTO_memcmp(tag, kma->t.b, ctx->taglen) == 0);
- }
- return rc;
-}
-
-static int s390x_aes_gcm_one_shot(PROV_GCM_CTX *ctx,
- unsigned char *aad, size_t aad_len,
- const unsigned char *in, size_t in_len,
- unsigned char *out,
- unsigned char *tag, size_t taglen)
-{
- PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
- S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
- int rc;
-
- kma->taadl = aad_len << 3;
- kma->tpcl = in_len << 3;
- s390x_kma(aad, aad_len, in, in_len, out,
- actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma);
-
- if (ctx->enc) {
- memcpy(tag, kma->t.b, taglen);
- rc = 1;
- } else {
- rc = (CRYPTO_memcmp(tag, kma->t.b, taglen) == 0);
- }
- return rc;
-}
-
-/*
- * Process additional authenticated data. Returns 1 on success. Code is
- * big-endian.
- */
-static int s390x_aes_gcm_aad_update(PROV_GCM_CTX *ctx,
- const unsigned char *aad, size_t len)
-{
- PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
- S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
- unsigned long long alen;
- int n, rem;
-
- /* If already processed pt/ct then error */
- if (kma->tpcl != 0)
- return 0;
-
- /* update the total aad length */
- alen = kma->taadl + len;
- if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
- return 0;
- kma->taadl = alen;
-
- /* check if there is any existing aad data from a previous add */
- n = actx->plat.s390x.areslen;
- if (n) {
- /* add additional data to a buffer until it has 16 bytes */
- while (n && len) {
- actx->plat.s390x.ares[n] = *aad;
- ++aad;
- --len;
- n = (n + 1) & 0xf;
- }
- /* ctx->ares contains a complete block if offset has wrapped around */
- if (!n) {
- s390x_kma(actx->plat.s390x.ares, 16, NULL, 0, NULL,
- actx->plat.s390x.fc, kma);
- actx->plat.s390x.fc |= S390X_KMA_HS;
- }
- actx->plat.s390x.areslen = n;
- }
-
- /* If there are leftover bytes (< 128 bits) save them for next time */
- rem = len & 0xf;
- /* Add any remaining 16 byte blocks (128 bit each) */
- len &= ~(size_t)0xf;
- if (len) {
- s390x_kma(aad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
- actx->plat.s390x.fc |= S390X_KMA_HS;
- aad += len;
- }
-
- if (rem) {
- actx->plat.s390x.areslen = rem;
-
- do {
- --rem;
- actx->plat.s390x.ares[rem] = aad[rem];
- } while (rem);
- }
- return 1;
-}
-
-/*-
- * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 1 for
- * success. Code is big-endian.
- */
-static int s390x_aes_gcm_cipher_update(PROV_GCM_CTX *ctx,
- const unsigned char *in, size_t len,
- unsigned char *out)
-{
- PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
- S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
- const unsigned char *inptr;
- unsigned long long mlen;
- union {
- unsigned int w[4];
- unsigned char b[16];
- } buf;
- size_t inlen;
- int n, rem, i;
-
- mlen = kma->tpcl + len;
- if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
- return 0;
- kma->tpcl = mlen;
-
- n = actx->plat.s390x.mreslen;
- if (n) {
- inptr = in;
- inlen = len;
- while (n && inlen) {
- actx->plat.s390x.mres[n] = *inptr;
- n = (n + 1) & 0xf;
- ++inptr;
- --inlen;
- }
- /* ctx->mres contains a complete block if offset has wrapped around */
- if (!n) {
- s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
- actx->plat.s390x.mres, 16, buf.b,
- actx->plat.s390x.fc | S390X_KMA_LAAD, kma);
- actx->plat.s390x.fc |= S390X_KMA_HS;
- actx->plat.s390x.areslen = 0;
-
- /* previous call already encrypted/decrypted its remainder,
- * see comment below */
- n = actx->plat.s390x.mreslen;
- while (n) {
- *out = buf.b[n];
- n = (n + 1) & 0xf;
- ++out;
- ++in;
- --len;
- }
- actx->plat.s390x.mreslen = 0;
- }
- }
-
- rem = len & 0xf;
-
- len &= ~(size_t)0xf;
- if (len) {
- s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen, in, len, out,
- actx->plat.s390x.fc | S390X_KMA_LAAD, kma);
- in += len;
- out += len;
- actx->plat.s390x.fc |= S390X_KMA_HS;
- actx->plat.s390x.areslen = 0;
- }
-
- /*-
- * If there is a remainder, it has to be saved such that it can be
- * processed by kma later. However, we also have to do the for-now
- * unauthenticated encryption/decryption part here and now...
- */
- if (rem) {
- if (!actx->plat.s390x.mreslen) {
- buf.w[0] = kma->j0.w[0];
- buf.w[1] = kma->j0.w[1];
- buf.w[2] = kma->j0.w[2];
- buf.w[3] = kma->cv.w + 1;
- s390x_km(buf.b, 16, actx->plat.s390x.kres,
- actx->plat.s390x.fc & 0x1f, &kma->k);
- }
-
- n = actx->plat.s390x.mreslen;
- for (i = 0; i < rem; i++) {
- actx->plat.s390x.mres[n + i] = in[i];
- out[i] = in[i] ^ actx->plat.s390x.kres[n + i];
- }
- actx->plat.s390x.mreslen += rem;
- }
- return 1;
-}
-
-static const PROV_GCM_HW s390x_aes_gcm = {
- s390x_aes_gcm_init_key,
- s390x_aes_gcm_setiv,
- s390x_aes_gcm_aad_update,
- s390x_aes_gcm_cipher_update,
- s390x_aes_gcm_cipher_final,
- s390x_aes_gcm_one_shot
-};
-
-const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
-{
- if ((keybits == 128 && S390X_aes_128_gcm_CAPABLE)
- || (keybits == 192 && S390X_aes_192_gcm_CAPABLE)
- || (keybits == 256 && S390X_aes_256_gcm_CAPABLE))
- return &s390x_aes_gcm;
- return &aes_gcm;
-}
extern const OSSL_DISPATCH aria256ccm_functions[];
extern const OSSL_DISPATCH aria192ccm_functions[];
extern const OSSL_DISPATCH aria128ccm_functions[];
+extern const OSSL_DISPATCH aria256ecb_functions[];
+extern const OSSL_DISPATCH aria192ecb_functions[];
+extern const OSSL_DISPATCH aria128ecb_functions[];
+extern const OSSL_DISPATCH aria256cbc_functions[];
+extern const OSSL_DISPATCH aria192cbc_functions[];
+extern const OSSL_DISPATCH aria128cbc_functions[];
+extern const OSSL_DISPATCH aria256ofb_functions[];
+extern const OSSL_DISPATCH aria192ofb_functions[];
+extern const OSSL_DISPATCH aria128ofb_functions[];
+extern const OSSL_DISPATCH aria256cfb_functions[];
+extern const OSSL_DISPATCH aria192cfb_functions[];
+extern const OSSL_DISPATCH aria128cfb_functions[];
+extern const OSSL_DISPATCH aria256cfb1_functions[];
+extern const OSSL_DISPATCH aria192cfb1_functions[];
+extern const OSSL_DISPATCH aria128cfb1_functions[];
+extern const OSSL_DISPATCH aria256cfb8_functions[];
+extern const OSSL_DISPATCH aria192cfb8_functions[];
+extern const OSSL_DISPATCH aria128cfb8_functions[];
+extern const OSSL_DISPATCH aria256ctr_functions[];
+extern const OSSL_DISPATCH aria192ctr_functions[];
+extern const OSSL_DISPATCH aria128ctr_functions[];
#endif /* OPENSSL_NO_ARIA */
+#ifndef OPENSSL_NO_CAMELLIA
+extern const OSSL_DISPATCH camellia256ecb_functions[];
+extern const OSSL_DISPATCH camellia192ecb_functions[];
+extern const OSSL_DISPATCH camellia128ecb_functions[];
+extern const OSSL_DISPATCH camellia256cbc_functions[];
+extern const OSSL_DISPATCH camellia192cbc_functions[];
+extern const OSSL_DISPATCH camellia128cbc_functions[];
+extern const OSSL_DISPATCH camellia256ofb_functions[];
+extern const OSSL_DISPATCH camellia192ofb_functions[];
+extern const OSSL_DISPATCH camellia128ofb_functions[];
+extern const OSSL_DISPATCH camellia256cfb_functions[];
+extern const OSSL_DISPATCH camellia192cfb_functions[];
+extern const OSSL_DISPATCH camellia128cfb_functions[];
+extern const OSSL_DISPATCH camellia256cfb1_functions[];
+extern const OSSL_DISPATCH camellia192cfb1_functions[];
+extern const OSSL_DISPATCH camellia128cfb1_functions[];
+extern const OSSL_DISPATCH camellia256cfb8_functions[];
+extern const OSSL_DISPATCH camellia192cfb8_functions[];
+extern const OSSL_DISPATCH camellia128cfb8_functions[];
+extern const OSSL_DISPATCH camellia256ctr_functions[];
+extern const OSSL_DISPATCH camellia192ctr_functions[];
+extern const OSSL_DISPATCH camellia128ctr_functions[];
+#endif /* OPENSSL_NO_CAMELLIA */
/* MACs */
extern const OSSL_DISPATCH blake2bmac_functions[];
# define PROV_F_GMAC_SET_PARAMS 0
# define PROV_F_KMAC_SET_PARAMS 0
# define PROV_F_POLY1305_SET_PARAMS 0
-# define PROV_F_PROV_AES_KEY_GENERIC_INIT 0
+# define PROV_F_PROV_AES_CTX_GENERIC_INIT 0
# define PROV_F_TRAILINGDATA 0
# define PROV_F_UNPADBLOCK 0
# endif
{ "ARIA-256-CCM", "default=yes", aria256ccm_functions },
{ "ARIA-192-CCM", "default=yes", aria192ccm_functions },
{ "ARIA-128-CCM", "default=yes", aria128ccm_functions },
+ { "ARIA-256-ECB", "default=yes", aria256ecb_functions },
+ { "ARIA-192-ECB", "default=yes", aria192ecb_functions },
+ { "ARIA-128-ECB", "default=yes", aria128ecb_functions },
+ { "ARIA-256-CBC", "default=yes", aria256cbc_functions },
+ { "ARIA-192-CBC", "default=yes", aria192cbc_functions },
+ { "ARIA-128-CBC", "default=yes", aria128cbc_functions },
+ { "ARIA-256-OFB", "default=yes", aria256ofb_functions },
+ { "ARIA-192-OFB", "default=yes", aria192ofb_functions },
+ { "ARIA-128-OFB", "default=yes", aria128ofb_functions },
+ { "ARIA-256-CFB", "default=yes", aria256cfb_functions },
+ { "ARIA-192-CFB", "default=yes", aria192cfb_functions },
+ { "ARIA-128-CFB", "default=yes", aria128cfb_functions },
+ { "ARIA-256-CFB1", "default=yes", aria256cfb1_functions },
+ { "ARIA-192-CFB1", "default=yes", aria192cfb1_functions },
+ { "ARIA-128-CFB1", "default=yes", aria128cfb1_functions },
+ { "ARIA-256-CFB8", "default=yes", aria256cfb8_functions },
+ { "ARIA-192-CFB8", "default=yes", aria192cfb8_functions },
+ { "ARIA-128-CFB8", "default=yes", aria128cfb8_functions },
+ { "ARIA-256-CTR", "default=yes", aria256ctr_functions },
+ { "ARIA-192-CTR", "default=yes", aria192ctr_functions },
+ { "ARIA-128-CTR", "default=yes", aria128ctr_functions },
#endif /* OPENSSL_NO_ARIA */
+#ifndef OPENSSL_NO_CAMELLIA
+ { "CAMELLIA-256-ECB", "default=yes", camellia256ecb_functions },
+ { "CAMELLIA-192-ECB", "default=yes", camellia192ecb_functions },
+ { "CAMELLIA-128-ECB", "default=yes", camellia128ecb_functions },
+ { "CAMELLIA-256-CBC", "default=yes", camellia256cbc_functions },
+ { "CAMELLIA-192-CBC", "default=yes", camellia192cbc_functions },
+ { "CAMELLIA-128-CBC", "default=yes", camellia128cbc_functions },
+ { "CAMELLIA-256-OFB", "default=yes", camellia256ofb_functions },
+ { "CAMELLIA-192-OFB", "default=yes", camellia192ofb_functions },
+ { "CAMELLIA-128-OFB", "default=yes", camellia128ofb_functions },
+ { "CAMELLIA-256-CFB", "default=yes", camellia256cfb_functions },
+ { "CAMELLIA-192-CFB", "default=yes", camellia192cfb_functions },
+ { "CAMELLIA-128-CFB", "default=yes", camellia128cfb_functions },
+ { "CAMELLIA-256-CFB1", "default=yes", camellia256cfb1_functions },
+ { "CAMELLIA-192-CFB1", "default=yes", camellia192cfb1_functions },
+ { "CAMELLIA-128-CFB1", "default=yes", camellia128cfb1_functions },
+ { "CAMELLIA-256-CFB8", "default=yes", camellia256cfb8_functions },
+ { "CAMELLIA-192-CFB8", "default=yes", camellia192cfb8_functions },
+ { "CAMELLIA-128-CFB8", "default=yes", camellia128cfb8_functions },
+ { "CAMELLIA-256-CTR", "default=yes", camellia256ctr_functions },
+ { "CAMELLIA-192-CTR", "default=yes", camellia192ctr_functions },
+ { "CAMELLIA-128-CTR", "default=yes", camellia128ctr_functions },
+#endif /* OPENSSL_NO_CAMELLIA */
{ NULL, NULL, NULL }
};
# For all ECB encrypts and decrypts, the transformed sequence is
# CAMELLIA-bits-ECB:key::plaintext:ciphertext:encdec
Cipher = CAMELLIA-128-ECB
+Availablein = default
Key = 0123456789abcdeffedcba9876543210
Plaintext = 0123456789abcdeffedcba9876543210
Ciphertext = 67673138549669730857065648eabe43
Cipher = CAMELLIA-192-ECB
+Availablein = default
Key = 0123456789abcdeffedcba98765432100011223344556677
Plaintext = 0123456789abcdeffedcba9876543210
Ciphertext = b4993401b3e996f84ee5cee7d79b09b9
Cipher = CAMELLIA-256-ECB
+Availablein = default
Key = 0123456789abcdeffedcba987654321000112233445566778899aabbccddeeff
Plaintext = 0123456789abcdeffedcba9876543210
Ciphertext = 9acc237dff16d76c20ef7c919e3a7509
# ECB-CAMELLIA128.Encrypt
Cipher = CAMELLIA-128-ECB
+Availablein = default
Key = 000102030405060708090A0B0C0D0E0F
Operation = ENCRYPT
Plaintext = 00112233445566778899AABBCCDDEEFF
Ciphertext = 77CF412067AF8270613529149919546F
Cipher = CAMELLIA-192-ECB
+Availablein = default
Key = 000102030405060708090A0B0C0D0E0F1011121314151617
Operation = ENCRYPT
Plaintext = 00112233445566778899AABBCCDDEEFF
Ciphertext = B22F3C36B72D31329EEE8ADDC2906C68
Cipher = CAMELLIA-256-ECB
+Availablein = default
Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
Operation = ENCRYPT
Plaintext = 00112233445566778899AABBCCDDEEFF
# ECB-CAMELLIA128.Encrypt and ECB-CAMELLIA128.Decrypt
Cipher = CAMELLIA-128-ECB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
Plaintext = 6BC1BEE22E409F96E93D7E117393172A
Ciphertext = 432FC5DCD628115B7C388D770B270C96
Cipher = CAMELLIA-128-ECB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
Ciphertext = 0BE1F14023782A22E8384C5ABB7FAB2B
Cipher = CAMELLIA-128-ECB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
Ciphertext = A0A1ABCD1893AB6FE0FE5B65DF5F8636
Cipher = CAMELLIA-128-ECB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
Ciphertext = E61925E0D5DFAA9BB29F815B3076E51A
# ECB-CAMELLIA192.Encrypt and ECB-CAMELLIA192.Decrypt
Cipher = CAMELLIA-192-ECB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
Plaintext = 6BC1BEE22E409F96E93D7E117393172A
Ciphertext = CCCC6C4E138B45848514D48D0D3439D3
Cipher = CAMELLIA-192-ECB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
Ciphertext = 5713C62C14B2EC0F8393B6AFD6F5785A
Cipher = CAMELLIA-192-ECB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
Ciphertext = B40ED2B60EB54D09D030CF511FEEF366
Cipher = CAMELLIA-192-ECB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
Ciphertext = 909DBD95799096748CB27357E73E1D26
# ECB-CAMELLIA256.Encrypt and ECB-CAMELLIA256.Decrypt
Cipher = CAMELLIA-256-ECB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
Plaintext = 6BC1BEE22E409F96E93D7E117393172A
Ciphertext = BEFD219B112FA00098919CD101C9CCFA
Cipher = CAMELLIA-256-ECB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
Ciphertext = C91D3A8F1AEA08A9386CF4B66C0169EA
Cipher = CAMELLIA-256-ECB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
Ciphertext = A623D711DC5F25A51BB8A80D56397D28
Cipher = CAMELLIA-256-ECB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
Ciphertext = 7960109FB6DC42947FCFE59EA3C5EB6B
# CAMELLIA-bits-CBC:key:IV/ciphertext':plaintext:ciphertext:encdec
# CBC-CAMELLIA128.Encrypt and CBC-CAMELLIA128.Decrypt
Cipher = CAMELLIA-128-CBC
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 000102030405060708090A0B0C0D0E0F
Plaintext = 6BC1BEE22E409F96E93D7E117393172A
Ciphertext = 1607CF494B36BBF00DAEB0B503C831AB
Cipher = CAMELLIA-128-CBC
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 1607CF494B36BBF00DAEB0B503C831AB
Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
Ciphertext = A2F2CF671629EF7840C5A5DFB5074887
Cipher = CAMELLIA-128-CBC
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = A2F2CF671629EF7840C5A5DFB5074887
Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
Ciphertext = 0F06165008CF8B8B5A63586362543E54
Cipher = CAMELLIA-128-CBC
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 36A84CDAFD5F9A85ADA0F0A993D6D577
Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
# CBC-CAMELLIA192.Encrypt and CBC-CAMELLIA192.Decrypt
Cipher = CAMELLIA-192-CBC
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 000102030405060708090A0B0C0D0E0F
Plaintext = 6BC1BEE22E409F96E93D7E117393172A
Ciphertext = 2A4830AB5AC4A1A2405955FD2195CF93
Cipher = CAMELLIA-192-CBC
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 2A4830AB5AC4A1A2405955FD2195CF93
Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
Ciphertext = 5D5A869BD14CE54264F892A6DD2EC3D5
Cipher = CAMELLIA-192-CBC
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 5D5A869BD14CE54264F892A6DD2EC3D5
Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
Ciphertext = 37D359C3349836D884E310ADDF68C449
Cipher = CAMELLIA-192-CBC
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 37D359C3349836D884E310ADDF68C449
Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
# CBC-CAMELLIA256.Encrypt and CBC-CAMELLIA256.Decrypt
Cipher = CAMELLIA-256-CBC
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 000102030405060708090A0B0C0D0E0F
Plaintext = 6BC1BEE22E409F96E93D7E117393172A
Ciphertext = E6CFA35FC02B134A4D2C0B6737AC3EDA
Cipher = CAMELLIA-256-CBC
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = E6CFA35FC02B134A4D2C0B6737AC3EDA
Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
Ciphertext = 36CBEB73BD504B4070B1B7DE2B21EB50
Cipher = CAMELLIA-256-CBC
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 36CBEB73BD504B4070B1B7DE2B21EB50
Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
Ciphertext = E31A6055297D96CA3330CDF1B1860A83
Cipher = CAMELLIA-256-CBC
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = E31A6055297D96CA3330CDF1B1860A83
Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
# CAMELLIA-bits-CFB:key:IV/ciphertext':plaintext:ciphertext:encdec
# CFB128-CAMELLIA128.Encrypt
Cipher = CAMELLIA-128-CFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 000102030405060708090A0B0C0D0E0F
Operation = ENCRYPT
Ciphertext = 14F7646187817EB586599146B82BD719
Cipher = CAMELLIA-128-CFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 14F7646187817EB586599146B82BD719
Operation = ENCRYPT
Ciphertext = A53D28BB82DF741103EA4F921A44880B
Cipher = CAMELLIA-128-CFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = A53D28BB82DF741103EA4F921A44880B
Operation = ENCRYPT
Ciphertext = 9C2157A664626D1DEF9EA420FDE69B96
Cipher = CAMELLIA-128-CFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 9C2157A664626D1DEF9EA420FDE69B96
Operation = ENCRYPT
# CFB128-CAMELLIA128.Decrypt
Cipher = CAMELLIA-128-CFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 000102030405060708090A0B0C0D0E0F
Operation = DECRYPT
Ciphertext = 14F7646187817EB586599146B82BD719
Cipher = CAMELLIA-128-CFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 14F7646187817EB586599146B82BD719
Operation = DECRYPT
Ciphertext = A53D28BB82DF741103EA4F921A44880B
Cipher = CAMELLIA-128-CFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = A53D28BB82DF741103EA4F921A44880B
Operation = DECRYPT
Ciphertext = 9C2157A664626D1DEF9EA420FDE69B96
Cipher = CAMELLIA-128-CFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 9C2157A664626D1DEF9EA420FDE69B96
Operation = DECRYPT
# CFB128-CAMELLIA192.Encrypt
Cipher = CAMELLIA-192-CFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 000102030405060708090A0B0C0D0E0F
Operation = ENCRYPT
Ciphertext = C832BB9780677DAA82D9B6860DCD565E
Cipher = CAMELLIA-192-CFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = C832BB9780677DAA82D9B6860DCD565E
Operation = ENCRYPT
Ciphertext = 86F8491627906D780C7A6D46EA331F98
Cipher = CAMELLIA-192-CFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 86F8491627906D780C7A6D46EA331F98
Operation = ENCRYPT
Ciphertext = 69511CCE594CF710CB98BB63D7221F01
Cipher = CAMELLIA-192-CFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 69511CCE594CF710CB98BB63D7221F01
Operation = ENCRYPT
# CFB128-CAMELLIA192.Decrypt
Cipher = CAMELLIA-192-CFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 000102030405060708090A0B0C0D0E0F
Operation = DECRYPT
Ciphertext = C832BB9780677DAA82D9B6860DCD565E
Cipher = CAMELLIA-192-CFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = C832BB9780677DAA82D9B6860DCD565E
Operation = DECRYPT
Ciphertext = 86F8491627906D780C7A6D46EA331F98
Cipher = CAMELLIA-192-CFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 86F8491627906D780C7A6D46EA331F98
Operation = DECRYPT
Ciphertext = 69511CCE594CF710CB98BB63D7221F01
Cipher = CAMELLIA-192-CFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 69511CCE594CF710CB98BB63D7221F01
Operation = DECRYPT
# CFB128-CAMELLIA256.Encrypt
Cipher = CAMELLIA-256-CFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 000102030405060708090A0B0C0D0E0F
Operation = ENCRYPT
Ciphertext = CF6107BB0CEA7D7FB1BD31F5E7B06C93
Cipher = CAMELLIA-256-CFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = CF6107BB0CEA7D7FB1BD31F5E7B06C93
Operation = ENCRYPT
Ciphertext = 89BEDB4CCDD864EA11BA4CBE849B5E2B
Cipher = CAMELLIA-256-CFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 89BEDB4CCDD864EA11BA4CBE849B5E2B
Operation = ENCRYPT
Ciphertext = 555FC3F34BDD2D54C62D9E3BF338C1C4
Cipher = CAMELLIA-256-CFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 555FC3F34BDD2D54C62D9E3BF338C1C4
Operation = ENCRYPT
# CFB128-CAMELLIA256.Decrypt
Cipher = CAMELLIA-256-CFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 000102030405060708090A0B0C0D0E0F
Operation = DECRYPT
Ciphertext = CF6107BB0CEA7D7FB1BD31F5E7B06C93
Cipher = CAMELLIA-256-CFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = CF6107BB0CEA7D7FB1BD31F5E7B06C93
Operation = DECRYPT
Ciphertext = 89BEDB4CCDD864EA11BA4CBE849B5E2B
Cipher = CAMELLIA-256-CFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 89BEDB4CCDD864EA11BA4CBE849B5E2B
Operation = DECRYPT
Ciphertext = 555FC3F34BDD2D54C62D9E3BF338C1C4
Cipher = CAMELLIA-256-CFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 555FC3F34BDD2D54C62D9E3BF338C1C4
Operation = DECRYPT
# CAMELLIA-bits-OFB:key:IV/output':plaintext:ciphertext:encdec
# OFB-CAMELLIA128.Encrypt
Cipher = CAMELLIA-128-OFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 000102030405060708090A0B0C0D0E0F
Operation = ENCRYPT
Ciphertext = 14F7646187817EB586599146B82BD719
Cipher = CAMELLIA-128-OFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 50FE67CC996D32B6DA0937E99BAFEC60
Operation = ENCRYPT
Ciphertext = 25623DB569CA51E01482649977E28D84
Cipher = CAMELLIA-128-OFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = D9A4DADA0892239F6B8B3D7680E15674
Operation = ENCRYPT
Ciphertext = C776634A60729DC657D12B9FCA801E98
Cipher = CAMELLIA-128-OFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = A78819583F0308E7A6BF36B1386ABF23
Operation = ENCRYPT
# OFB-CAMELLIA128.Decrypt
Cipher = CAMELLIA-128-OFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 000102030405060708090A0B0C0D0E0F
Operation = DECRYPT
Ciphertext = 14F7646187817EB586599146B82BD719
Cipher = CAMELLIA-128-OFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 50FE67CC996D32B6DA0937E99BAFEC60
Operation = DECRYPT
Ciphertext = 25623DB569CA51E01482649977E28D84
Cipher = CAMELLIA-128-OFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = D9A4DADA0892239F6B8B3D7680E15674
Operation = DECRYPT
Ciphertext = C776634A60729DC657D12B9FCA801E98
Cipher = CAMELLIA-128-OFB
+Availablein = default
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = A78819583F0308E7A6BF36B1386ABF23
Operation = DECRYPT
# OFB-CAMELLIA192.Encrypt
Cipher = CAMELLIA-192-OFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 000102030405060708090A0B0C0D0E0F
Operation = ENCRYPT
Ciphertext = C832BB9780677DAA82D9B6860DCD565E
Cipher = CAMELLIA-192-OFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = A609B38DF3B1133DDDFF2718BA09565E
Operation = ENCRYPT
Ciphertext = 8ECEB7D0350D72C7F78562AEBDF99339
Cipher = CAMELLIA-192-OFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 52EF01DA52602FE0975F78AC84BF8A50
Operation = ENCRYPT
Ciphertext = BDD62DBBB9700846C53B507F544696F0
Cipher = CAMELLIA-192-OFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = BD5286AC63AABD7EB067AC54B553F71D
Operation = ENCRYPT
# OFB-CAMELLIA192.Decrypt
Cipher = CAMELLIA-192-OFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 000102030405060708090A0B0C0D0E0F
Operation = DECRYPT
Ciphertext = C832BB9780677DAA82D9B6860DCD565E
Cipher = CAMELLIA-192-OFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = A609B38DF3B1133DDDFF2718BA09565E
Operation = DECRYPT
Ciphertext = 8ECEB7D0350D72C7F78562AEBDF99339
Cipher = CAMELLIA-192-OFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = 52EF01DA52602FE0975F78AC84BF8A50
Operation = DECRYPT
Ciphertext = BDD62DBBB9700846C53B507F544696F0
Cipher = CAMELLIA-192-OFB
+Availablein = default
Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
IV = BD5286AC63AABD7EB067AC54B553F71D
Operation = DECRYPT
# OFB-CAMELLIA256.Encrypt
Cipher = CAMELLIA-256-OFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 000102030405060708090A0B0C0D0E0F
Operation = ENCRYPT
Ciphertext = CF6107BB0CEA7D7FB1BD31F5E7B06C93
Cipher = CAMELLIA-256-OFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A
Operation = ENCRYPT
Ciphertext = 127AD97E8E3994E4820027D7BA109368
Cipher = CAMELLIA-256-OFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = E1C656305ED1A7A6563805746FE03EDC
Operation = ENCRYPT
Ciphertext = 6BFF6265A6A6B7A535BC65A80B17214E
Cipher = CAMELLIA-256-OFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 41635BE625B48AFC1666DD42A09D96E7
Operation = ENCRYPT
# OFB-CAMELLIA256.Decrypt
Cipher = CAMELLIA-256-OFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 000102030405060708090A0B0C0D0E0F
Operation = DECRYPT
Ciphertext = CF6107BB0CEA7D7FB1BD31F5E7B06C93
Cipher = CAMELLIA-256-OFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A
Operation = DECRYPT
Ciphertext = 127AD97E8E3994E4820027D7BA109368
Cipher = CAMELLIA-256-OFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = E1C656305ED1A7A6563805746FE03EDC
Operation = DECRYPT
Ciphertext = 6BFF6265A6A6B7A535BC65A80B17214E
Cipher = CAMELLIA-256-OFB
+Availablein = default
Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
IV = 41635BE625B48AFC1666DD42A09D96E7
Operation = DECRYPT
# Camellia test vectors from RFC5528
Cipher = CAMELLIA-128-CTR
+Availablein = default
Key = AE6852F8121067CC4BF7A5765577F39E
IV = 00000030000000000000000000000001
Operation = ENCRYPT
Ciphertext = D09DC29A8214619A20877C76DB1F0B3F
Cipher = CAMELLIA-128-CTR
+Availablein = default
Key = 7E24067817FAE0D743D6CE1F32539163
IV = 006CB6DBC0543B59DA48D90B00000001
Operation = ENCRYPT
Ciphertext = DBF3C78DC08396D4DA7C907765BBCB442B8E8E0F31F0DCA72C7417E35360E048
Cipher = CAMELLIA-128-CTR
+Availablein = default
Key = 7691BE035E5020A8AC6E618529F9A0DC
IV = 00E0017B27777F3F4A1786F000000001
Operation = ENCRYPT
Ciphertext = B19D1FCDCB75EB882F849CE24D85CF739CE64B2B5C9D73F14F2D5D9DCE9889CDDF508696
Cipher = CAMELLIA-192-CTR
+Availablein = default
Key = 16AF5B145FC9F579C175F93E3BFB0EED863D06CCFDB78515
IV = 0000004836733C147D6D93CB00000001
Operation = ENCRYPT
Ciphertext = 2379399E8A8D2B2B16702FC78B9E9696
Cipher = CAMELLIA-192-CTR
+Availablein = default
Key = 7C5CB2401B3DC33C19E7340819E0F69C678C3DB8E6F6A91A
IV = 0096B03B020C6EADC2CB500D00000001
Operation = ENCRYPT
Ciphertext = 7DEF34F7A5D0E415674B7FFCAE67C75DD018B86FF23051E056392A99F35A4CED
Cipher = CAMELLIA-192-CTR
+Availablein = default
Key = 02BF391EE8ECB159B959617B0965279BF59B60A786D3E0FE
IV = 0007BDFD5CBD60278DCC091200000001
Operation = ENCRYPT
Ciphertext = 5710E556E1487A20B5AC0E73F19E4E7876F37FDC91B1EF4D4DADE8E666A64D0ED557AB57
Cipher = CAMELLIA-256-CTR
+Availablein = default
Key = 776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104
IV = 00000060DB5672C97AA8F0B200000001
Operation = ENCRYPT
Ciphertext = 3401F9C8247EFFCEBD6994714C1BBB11
Cipher = CAMELLIA-256-CTR
+Availablein = default
Key = F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884
IV = 00FAAC24C1585EF15A43D87500000001
Operation = ENCRYPT
Ciphertext = D6C30392246F7808A83C2B22A8839E45E51CD48A1CDF406EBC9CC2D3AB834108
Cipher = CAMELLIA-256-CTR
+Availablein = default
Key = FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D
IV = 001CC5B751A51D70A1C1114800000001
Operation = ENCRYPT
Title = ARIA test vectors from RFC5794 (and others)
Cipher = ARIA-128-ECB
+Availablein = default
Key = 000102030405060708090a0b0c0d0e0f
Plaintext = 00112233445566778899aabbccddeeff
Ciphertext = d718fbd6ab644c739da95f3be6451778
Cipher = ARIA-192-ECB
+Availablein = default
Key = 000102030405060708090a0b0c0d0e0f1011121314151617
Plaintext = 00112233445566778899aabbccddeeff
Ciphertext = 26449c1805dbe7aa25a468ce263a9e79
Cipher = ARIA-256-ECB
+Availablein = default
Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
Plaintext = 00112233445566778899aabbccddeeff
Ciphertext = f92bd7c79fb72e2f2b8f80c1972d24fc
# Additional ARIA mode vectors from http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
Cipher = ARIA-128-ECB
+Availablein = default
Key = 00112233445566778899aabbccddeeff
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = c6ecd08e22c30abdb215cf74e2075e6e29ccaac63448708d331b2f816c51b17d9e133d1528dbf0af5787c7f3a3f5c2bf6b6f345907a3055612ce072ff54de7d788424da6e8ccfe8172b391be499354165665ba7864917000a6eeb2ecb4a698edfc7887e7f556377614ab0a282293e6d884dbb84206cdb16ed1754e77a1f243fd086953f752cc1e46c7c794ae85537dcaec8dd721f55c93b6edfe2adea43873e8
Cipher = ARIA-128-CBC
+Availablein = default
Key = 00112233445566778899aabbccddeeff
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 49d61860b14909109cef0d22a9268134fadf9fb23151e9645fba75018bdb1538b53334634bbf7d4cd4b5377033060c155fe3948ca75de1031e1d85619e0ad61eb419a866b3c2dbfd10a4ed18b22149f75897f0b8668b0c1c542c687778835fb7cd46e45f85eaa7072437dd9fa6793d6f8d4ccefc4eb1ac641ac1bd30b18c6d64c49bca137eb21c2e04da62712ca2b4f540c57112c38791852cfac7a5d19ed83a
Cipher = ARIA-128-CFB
+Availablein = default
Key = 00112233445566778899aabbccddeeff
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 3720e53ba7d615383406b09f0a05a200c07c21e6370f413a5d132500a68285017c61b434c7b7ca9685a51071861e4d4bb873b599b479e2d573dddeafba89f812ac6a9e44d554078eb3be94839db4b33da3f59c063123a7ef6f20e10579fa4fd239100ca73b52d4fcafeadee73f139f78f9b7614c2b3b9dbe010f87db06a89a9435f79ce8121431371f4e87b984e0230c22a6dacb32fc42dcc6accef33285bf11
Cipher = ARIA-128-CFB8
+Availablein = default
Key = 00112233445566778899aabbccddeeff
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 373c8f6a965599ec785cc8f8149f6c81b632ccb8e0c6eb6a9707ae52c59257a41f94701c1096933127a90195ed0c8e98690547572423bb45c3d70e4a18ee56b967c10e000ba4df5fba7c404134a343d8375d04b151d161ef83417fe1748447d30a6723c406733df7d18aa39a20752d2381942e244811bb97f72eae446b1815aa690cd1b1adcbd007c0088ecdc91cb2e2caf0e11e72459878137eea64ac62a9a1
Cipher = ARIA-128-OFB
+Availablein = default
Key = 00112233445566778899aabbccddeeff
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 3720e53ba7d615383406b09f0a05a2000063063f0560083483faeb041c8adecef30cf80cefb002a0d280759168ec01db3d49f61aced260bd43eec0a2731730eec6fa4f2304319cf8ccac2d7be7833e4f8ae6ce967012c1c6badc5d28e7e4144f6bf5cebe01253ee202afce4bc61f28dec069a6f16f6c8a7dd2afae44148f6ff4d0029d5c607b5fa6b8c8a6301cde5c7033565cd0b8f0974ab490b236197ba04a
Cipher = ARIA-128-CTR
+Availablein = default
Key = 00112233445566778899aabbccddeeff
IV = 00000000000000000000000000000000
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = ac5d7de805a0bf1c57c854501af60fa11497e2a34519dea1569e91e5b5ccae2ff3bfa1bf975f4571f48be191613546c3911163c085f871f0e7ae5f2a085b81851c2a3ddf20ecb8fa51901aec8ee4ba32a35dab67bb72cd9140ad188a967ac0fbbdfa94ea6cce47dcf8525ab5a814cfeb2bb60ee2b126e2d9d847c1a9e96f9019e3e6a7fe40d3829afb73db1cc245646addb62d9b907baaafbe46a73dbc131d3d
Cipher = ARIA-192-ECB
+Availablein = default
Key = 00112233445566778899aabbccddeeff0011223344556677
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 8d1470625f59ebacb0e55b534b3e462b5f23d33bff78f46c3c15911f4a21809aaccad80b4bda915aa9dae6bcebe06a6c83f77fd5391acfe61de2f646b5d447edbfd5bb49b12fbb9145b227895a757b2af1f7188734863d7b8b6ede5a5b2f06a0a233c8523d2db778fb31b0e311f32700152f33861e9d040c83b5eb40cd88ea49975709dc629365a189f78a3ec40345fc6a5a307a8f9a4413091e007eca5645a0
Cipher = ARIA-192-CBC
+Availablein = default
Key = 00112233445566778899aabbccddeeff0011223344556677
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = afe6cf23974b533c672a826264ea785f4e4f7f780dc7f3f1e0962b80902386d514e9c3e77259de92dd1102ffab086c1ea52a71260db5920a83295c25320e421147ca45d532f327b856ea947cd2196ae2e040826548b4c891b0ed0ca6e714dbc4631998d548110d666b3d54c2a091955c6f05beb4f62309368696c9791fc4c551564a2637f194346ec45fbca6c72a5b4612e208d531d6c34cc5c64eac6bd0cf8c
Cipher = ARIA-192-CFB
+Availablein = default
Key = 00112233445566778899aabbccddeeff0011223344556677
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 4171f7192bf4495494d2736129640f5c4d87a9a213664c9448477c6ecc2013598d9766952dd8c3868f17e36ef66fd84bfa45d1593d2d6ee3ea2115047d710d4fb66187caa3a315b3c8ea2d313962edcfe5a3e2028d5ba9a09fd5c65c19d3440e477f0cab0628ec6902c73ee02f1afee9f80115be7b9df82d1e28228e28581a20560e195cbb9e2b327bf56fd2d0ae5502e42c13e9b4015d4da42dc859252e7da4
Cipher = ARIA-192-CFB8
+Availablein = default
Key = 00112233445566778899aabbccddeeff0011223344556677
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 411d3b4f57f705aa4d13c46e2cf426af7c8c916ed7923d889f0047bbf11471b6d54f8757ef519339105be3cb69babb976a57d5631fc23cc3051fe9d36e8b8e27a2b2c0c4d31928ccbf30ea8239b46ba1b77f6198e7ecd2ce27b35958148e826f06aaf385bd30362ff141583e7c1d8924d44d36a1133094074631e18adafa9d2e55de98f6895c89d4266ebd33f3d4be5153a96fa12132ece2e81e66e55baa7ade
Cipher = ARIA-192-OFB
+Availablein = default
Key = 00112233445566778899aabbccddeeff0011223344556677
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 4171f7192bf4495494d2736129640f5cc224d26d364b5a06ddde13d0f1e74faa846de354c63cda77469d1a2d425c47ff41734c71b3fa1fcdc11e0b2de22bfeed54898e233df652c75ae136e61de6524e62b3f806fb2e8e616eb410a1b9500537e327ffb04f19f7f82fde2b122100261f81b82723bf936be7beaaf3067d1c036001f1ade71422268d274d7dc6c6ae1970b27a5f2c2f39c1d241fe8cac5ccd74e9
Cipher = ARIA-192-CTR
+Availablein = default
Key = 00112233445566778899aabbccddeeff0011223344556677
IV = 00000000000000000000000000000000
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 08625ca8fe569c19ba7af3760a6ed1cef4d199263e999dde14082dbba7560b79a4c6b456b8707dce751f9854f18893dfdb3f4e5afa539733e6f1e70b98ba37891f8f81e95df8efc26c7ce043504cb18958b865e4e316cd2aa1c97f31bf23dc046ef326b95a692a191ba0f2a41c5fe9ae070f236ff7078e703b42666caafbdd20bad74ac4c20c0f46c7ca24c151716575c947da16c90cfe1bf217a41cfebe7531
Cipher = ARIA-256-ECB
+Availablein = default
Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 58a875e6044ad7fffa4f58420f7f442d8e191016f28e79aefc01e204773280d7018e5f7a938ec30711719953bae86542cd7ebc752474c1a5f6eaaace2a7e29462ee7dfa5afdb84177ead95ccd4b4bb6e1ed17b9534cff0a5fc2941429cfee2ee49c7adbeb7e9d1b0d2a8531d942079596a27ed79f5b1dd13ecd604b07a48885a3afa0627a0e4e60a3c703af292f1baa77b702f16c54aa74bc727ea95c7468b00
Cipher = ARIA-256-CBC
+Availablein = default
Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 523a8a806ae621f155fdd28dbc34e1ab7b9b42432ad8b2efb96e23b13f0a6e52f36185d50ad002c5f601bee5493f118b243ee2e313642bffc3902e7b2efd9a12fa682edd2d23c8b9c5f043c18b17c1ec4b5867918270fbec1027c19ed6af833da5d620994668ca22f599791d292dd6273b2959082aafb7a996167cce1eec5f0cfd15f610d87e2dda9ba68ce1260ca54b222491418374294e7909b1e8551cd8de
Cipher = ARIA-256-CFB
+Availablein = default
Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 26834705b0f2c0e2588d4a7f09009635f28bb93d8c31f870ec1e0bdb082b66fa402dd9c202be300c4517d196b14d4ce11dce97f7aaba54341b0d872cc9b63753a3e8556a14be6f7b3e27e3cfc39caf80f2a355aa50dc83c09c7b11828694f8e4aa726c528976b53f2c877f4991a3a8d28adb63bd751846ffb2350265e179d4990753ae8485ff9b4133ddad5875b84a90cbcfa62a045d726df71b6bda0eeca0be
Cipher = ARIA-256-CFB8
+Availablein = default
Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 26baa33651e1f66434fec88ef27fd2b9a79e246dd89a3ffa00e8bdb37155433e6c24bd0b87d9a85baa9f485ccb984f5ec24d6a3ef5e3c81396177f039cf580dfdb55d6e1c47a28921dfe369e12fd357b289ad3a5544e1c1bd616d454db9c5f91f603373f29d5b2ed1b4b51de80f28537bbd43d5e3b5dd071dc91153cbbe732dfc325821b06ed8acaae656dcf2da9f13e4f29db671476f1e644ff06d9b67d6bd4
Cipher = ARIA-256-OFB
+Availablein = default
Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 26834705b0f2c0e2588d4a7f0900963584c256815c4292b59f8d3f966a75b52345b4f5f98c785d3f368a8d5ff89b7f950ceab3cd63773c2621d652b8ef98b4196afb2c2b30496bc5b7d9e7f9084f9d855f63a511751c8909e7a6deadbe0a67a4fb89383ca5d209c6f66f793fc471195c476fb9c1eab2ac91e680e454b4f3ed9a67fb52f09c29b965b23cfa6f3f6bbb2a86c6cdbaa2857bf2486f543231892a52
Cipher = ARIA-256-CTR
+Availablein = default
Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
IV = 00000000000000000000000000000000
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd