/src/boringssl/crypto/fipsmodule/aes/aes.cc.inc

Source (jump to first uncovered line)
// Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include <assert.h>

#include "internal.h"
#include "../bcm_interface.h"


// Be aware that different sets of AES functions use incompatible key
// representations, varying in format of the key schedule, the |AES_KEY.rounds|
// value, or both. Therefore they cannot mix. Also, on AArch64, the plain-C
// code, above, is incompatible with the |aes_hw_*| functions.

bcm_infallible BCM_aes_encrypt(const uint8_t *in, uint8_t *out,
                               const AES_KEY *key) {
  if (hwaes_capable()) {
    aes_hw_encrypt(in, out, key);
  } else if (vpaes_capable()) {
    vpaes_encrypt(in, out, key);
  } else {
    aes_nohw_encrypt(in, out, key);
  }
  return bcm_infallible::not_approved;
}

bcm_infallible BCM_aes_decrypt(const uint8_t *in, uint8_t *out,
                               const AES_KEY *key) {
  if (hwaes_capable()) {
    aes_hw_decrypt(in, out, key);
  } else if (vpaes_capable()) {
    vpaes_decrypt(in, out, key);
  } else {
    aes_nohw_decrypt(in, out, key);
  }
  return bcm_infallible::not_approved;
}

bcm_status BCM_aes_set_encrypt_key(const uint8_t *key, unsigned bits,
                                   AES_KEY *aeskey) {
  int ret = -1;
  if (hwaes_capable()) {
    ret = aes_hw_set_encrypt_key(key, bits, aeskey);
  } else if (vpaes_capable()) {
    ret = vpaes_set_encrypt_key(key, bits, aeskey);
  } else {
    ret = aes_nohw_set_encrypt_key(key, bits, aeskey);
  }
  if (ret < 0) {
    return bcm_status::failure;
  }
  BSSL_CHECK(ret == 0);
  return bcm_status::not_approved;
}

bcm_status BCM_aes_set_decrypt_key(const uint8_t *key, unsigned bits,
                                   AES_KEY *aeskey) {
  int ret = -1;
  if (hwaes_capable()) {
    ret = aes_hw_set_decrypt_key(key, bits, aeskey);
  } else if (vpaes_capable()) {
    ret = vpaes_set_decrypt_key(key, bits, aeskey);
  } else {
    ret = aes_nohw_set_decrypt_key(key, bits, aeskey);
  }
  if (ret < 0) {
    return bcm_status::failure;
  }
  BSSL_CHECK(ret == 0);
  return bcm_status::not_approved;
}

#if defined(HWAES) && (defined(OPENSSL_X86) || defined(OPENSSL_X86_64))
// On x86 and x86_64, |aes_hw_set_decrypt_key|, we implement
// |aes_hw_encrypt_key_to_decrypt_key| in assembly and rely on C code to combine
// the operations.
int aes_hw_set_decrypt_key(const uint8_t *user_key, int bits, AES_KEY *key) {
  int ret = aes_hw_set_encrypt_key(user_key, bits, key);
  if (ret == 0) {
    aes_hw_encrypt_key_to_decrypt_key(key);
  }
  return ret;
}

int aes_hw_set_encrypt_key(const uint8_t *user_key, int bits, AES_KEY *key) {
  if (aes_hw_set_encrypt_key_alt_preferred()) {
    return aes_hw_set_encrypt_key_alt(user_key, bits, key);
  } else {
    return aes_hw_set_encrypt_key_base(user_key, bits, key);
  }
}
#endif

#if defined(VPAES) && defined(OPENSSL_X86)
// On x86, there is no |vpaes_ctr32_encrypt_blocks|, so we implement it
// ourselves. This avoids all callers needing to account for a missing function.
void vpaes_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t blocks,
                                const AES_KEY *key, const uint8_t iv[16]) {
  uint32_t ctr = CRYPTO_load_u32_be(iv + 12);
  uint8_t iv_buf[16], enc[16];
  OPENSSL_memcpy(iv_buf, iv, 12);
  for (size_t i = 0; i < blocks; i++) {
    CRYPTO_store_u32_be(iv_buf + 12, ctr);
    vpaes_encrypt(iv_buf, enc, key);
    CRYPTO_xor16(out, in, enc);
    ctr++;
    in += 16;
    out += 16;
  }
}
#endif

#if defined(BSAES)
void vpaes_ctr32_encrypt_blocks_with_bsaes(const uint8_t *in, uint8_t *out,
                                           size_t blocks, const AES_KEY *key,
                                           const uint8_t ivec[16]) {
  // |bsaes_ctr32_encrypt_blocks| is faster than |vpaes_ctr32_encrypt_blocks|,
  // but it takes at least one full 8-block batch to amortize the conversion.
  if (blocks < 8) {
    vpaes_ctr32_encrypt_blocks(in, out, blocks, key, ivec);
    return;
  }

  size_t bsaes_blocks = blocks;
  if (bsaes_blocks % 8 < 6) {
    // |bsaes_ctr32_encrypt_blocks| internally works in 8-block batches. If the
    // final batch is too small (under six blocks), it is faster to loop over
    // |vpaes_encrypt|. Round |bsaes_blocks| down to a multiple of 8.
    bsaes_blocks -= bsaes_blocks % 8;
  }

  AES_KEY bsaes;
  vpaes_encrypt_key_to_bsaes(&bsaes, key);
  bsaes_ctr32_encrypt_blocks(in, out, bsaes_blocks, &bsaes, ivec);
  OPENSSL_cleanse(&bsaes, sizeof(bsaes));

  in += 16 * bsaes_blocks;
  out += 16 * bsaes_blocks;
  blocks -= bsaes_blocks;

  uint8_t new_ivec[16];
  memcpy(new_ivec, ivec, 12);
  uint32_t ctr = CRYPTO_load_u32_be(ivec + 12) + bsaes_blocks;
  CRYPTO_store_u32_be(new_ivec + 12, ctr);

  // Finish any remaining blocks with |vpaes_ctr32_encrypt_blocks|.
  vpaes_ctr32_encrypt_blocks(in, out, blocks, key, new_ivec);
}
#endif  // BSAES

ctr128_f aes_ctr_set_key(AES_KEY *aes_key, int *out_is_hwaes,
                         block128_f *out_block, const uint8_t *key,
                         size_t key_bytes) {
  // This function assumes the key length was previously validated.
  assert(key_bytes == 128 / 8 || key_bytes == 192 / 8 || key_bytes == 256 / 8);
  if (hwaes_capable()) {
    aes_hw_set_encrypt_key(key, (int)key_bytes * 8, aes_key);
    if (out_is_hwaes) {
      *out_is_hwaes = 1;
    }
    if (out_block) {
      *out_block = aes_hw_encrypt;
    }
    return aes_hw_ctr32_encrypt_blocks;
  }

  if (vpaes_capable()) {
    vpaes_set_encrypt_key(key, (int)key_bytes * 8, aes_key);
    if (out_block) {
      *out_block = vpaes_encrypt;
    }
    if (out_is_hwaes) {
      *out_is_hwaes = 0;
    }
#if defined(BSAES)
    assert(bsaes_capable());
    return vpaes_ctr32_encrypt_blocks_with_bsaes;
#else
    return vpaes_ctr32_encrypt_blocks;
#endif
  }

  aes_nohw_set_encrypt_key(key, (int)key_bytes * 8, aes_key);
  if (out_is_hwaes) {
    *out_is_hwaes = 0;
  }
  if (out_block) {
    *out_block = aes_nohw_encrypt;
  }
  return aes_nohw_ctr32_encrypt_blocks;
}

Coverage Report

Created: 2025-06-24 07:00

Line	Count	Source (jump to first uncovered line)
1		// Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include <assert.h>
16
17		#include "internal.h"
18		#include "../bcm_interface.h"
19
20
21		// Be aware that different sets of AES functions use incompatible key
22		// representations, varying in format of the key schedule, the \|AES_KEY.rounds\|
23		// value, or both. Therefore they cannot mix. Also, on AArch64, the plain-C
24		// code, above, is incompatible with the \|aes_hw_*\| functions.
25
26		bcm_infallible BCM_aes_encrypt(const uint8_t in, uint8_t out,
27	0	const AES_KEY *key) {
28	0	if (hwaes_capable()) {
29	0	aes_hw_encrypt(in, out, key);
30	0	} else if (vpaes_capable()) {
31	0	vpaes_encrypt(in, out, key);
32	0	} else {
33	0	aes_nohw_encrypt(in, out, key);
34	0	}
35	0	return bcm_infallible::not_approved;
36	0	}
37
38		bcm_infallible BCM_aes_decrypt(const uint8_t in, uint8_t out,
39	0	const AES_KEY *key) {
40	0	if (hwaes_capable()) {
41	0	aes_hw_decrypt(in, out, key);
42	0	} else if (vpaes_capable()) {
43	0	vpaes_decrypt(in, out, key);
44	0	} else {
45	0	aes_nohw_decrypt(in, out, key);
46	0	}
47	0	return bcm_infallible::not_approved;
48	0	}
49
50		bcm_status BCM_aes_set_encrypt_key(const uint8_t *key, unsigned bits,
51	0	AES_KEY *aeskey) {
52	0	int ret = -1;
53	0	if (hwaes_capable()) {
54	0	ret = aes_hw_set_encrypt_key(key, bits, aeskey);
55	0	} else if (vpaes_capable()) {
56	0	ret = vpaes_set_encrypt_key(key, bits, aeskey);
57	0	} else {
58	0	ret = aes_nohw_set_encrypt_key(key, bits, aeskey);
59	0	}
60	0	if (ret < 0) {
61	0	return bcm_status::failure;
62	0	}
63	0	BSSL_CHECK(ret == 0);
64	0	return bcm_status::not_approved;
65	0	}
66
67		bcm_status BCM_aes_set_decrypt_key(const uint8_t *key, unsigned bits,
68	0	AES_KEY *aeskey) {
69	0	int ret = -1;
70	0	if (hwaes_capable()) {
71	0	ret = aes_hw_set_decrypt_key(key, bits, aeskey);
72	0	} else if (vpaes_capable()) {
73	0	ret = vpaes_set_decrypt_key(key, bits, aeskey);
74	0	} else {
75	0	ret = aes_nohw_set_decrypt_key(key, bits, aeskey);
76	0	}
77	0	if (ret < 0) {
78	0	return bcm_status::failure;
79	0	}
80	0	BSSL_CHECK(ret == 0);
81	0	return bcm_status::not_approved;
82	0	}
83
84		#if defined(HWAES) && (defined(OPENSSL_X86) \|\| defined(OPENSSL_X86_64))
85		// On x86 and x86_64, \|aes_hw_set_decrypt_key\|, we implement
86		// \|aes_hw_encrypt_key_to_decrypt_key\| in assembly and rely on C code to combine
87		// the operations.
88	28.9k	int aes_hw_set_decrypt_key(const uint8_t user_key, int bits, AES_KEY key) {
89	28.9k	int ret = aes_hw_set_encrypt_key(user_key, bits, key);
90	28.9k	if (ret == 0) {
91	28.9k	aes_hw_encrypt_key_to_decrypt_key(key);
92	28.9k	}
93	28.9k	return ret;
94	28.9k	}
95
96	1.32M	int aes_hw_set_encrypt_key(const uint8_t user_key, int bits, AES_KEY key) {
97	1.32M	if (aes_hw_set_encrypt_key_alt_preferred()) {
98	1.32M	return aes_hw_set_encrypt_key_alt(user_key, bits, key);
99	1.32M	} else {
100	0	return aes_hw_set_encrypt_key_base(user_key, bits, key);
101	0	}
102	1.32M	}
103		#endif
104
105		#if defined(VPAES) && defined(OPENSSL_X86)
106		// On x86, there is no \|vpaes_ctr32_encrypt_blocks\|, so we implement it
107		// ourselves. This avoids all callers needing to account for a missing function.
108		void vpaes_ctr32_encrypt_blocks(const uint8_t in, uint8_t out, size_t blocks,
109		const AES_KEY *key, const uint8_t iv[16]) {
110		uint32_t ctr = CRYPTO_load_u32_be(iv + 12);
111		uint8_t iv_buf[16], enc[16];
112		OPENSSL_memcpy(iv_buf, iv, 12);
113		for (size_t i = 0; i < blocks; i++) {
114		CRYPTO_store_u32_be(iv_buf + 12, ctr);
115		vpaes_encrypt(iv_buf, enc, key);
116		CRYPTO_xor16(out, in, enc);
117		ctr++;
118		in += 16;
119		out += 16;
120		}
121		}
122		#endif
123
124		#if defined(BSAES)
125		void vpaes_ctr32_encrypt_blocks_with_bsaes(const uint8_t in, uint8_t out,
126		size_t blocks, const AES_KEY *key,
127		const uint8_t ivec[16]) {
128		// \|bsaes_ctr32_encrypt_blocks\| is faster than \|vpaes_ctr32_encrypt_blocks\|,
129		// but it takes at least one full 8-block batch to amortize the conversion.
130		if (blocks < 8) {
131		vpaes_ctr32_encrypt_blocks(in, out, blocks, key, ivec);
132		return;
133		}
134
135		size_t bsaes_blocks = blocks;
136		if (bsaes_blocks % 8 < 6) {
137		// \|bsaes_ctr32_encrypt_blocks\| internally works in 8-block batches. If the
138		// final batch is too small (under six blocks), it is faster to loop over
139		// \|vpaes_encrypt\|. Round \|bsaes_blocks\| down to a multiple of 8.
140		bsaes_blocks -= bsaes_blocks % 8;
141		}
142
143		AES_KEY bsaes;
144		vpaes_encrypt_key_to_bsaes(&bsaes, key);
145		bsaes_ctr32_encrypt_blocks(in, out, bsaes_blocks, &bsaes, ivec);
146		OPENSSL_cleanse(&bsaes, sizeof(bsaes));
147
148		in += 16 * bsaes_blocks;
149		out += 16 * bsaes_blocks;
150		blocks -= bsaes_blocks;
151
152		uint8_t new_ivec[16];
153		memcpy(new_ivec, ivec, 12);
154		uint32_t ctr = CRYPTO_load_u32_be(ivec + 12) + bsaes_blocks;
155		CRYPTO_store_u32_be(new_ivec + 12, ctr);
156
157		// Finish any remaining blocks with \|vpaes_ctr32_encrypt_blocks\|.
158		vpaes_ctr32_encrypt_blocks(in, out, blocks, key, new_ivec);
159		}
160		#endif // BSAES
161
162		ctr128_f aes_ctr_set_key(AES_KEY aes_key, int out_is_hwaes,
163		block128_f out_block, const uint8_t key,
164	1.26M	size_t key_bytes) {
165		// This function assumes the key length was previously validated.
166	1.26M	assert(key_bytes == 128 / 8 \|\| key_bytes == 192 / 8 \|\| key_bytes == 256 / 8);
167	1.26M	if (hwaes_capable()) {
168	1.26M	aes_hw_set_encrypt_key(key, (int)key_bytes * 8, aes_key);
169	1.26M	if (out_is_hwaes) {
170	78.6k	*out_is_hwaes = 1;
171	78.6k	}
172	1.26M	if (out_block) {
173	1.26M	*out_block = aes_hw_encrypt;
174	1.26M	}
175	1.26M	return aes_hw_ctr32_encrypt_blocks;
176	1.26M	}
177
178	0	if (vpaes_capable()) {
179	0	vpaes_set_encrypt_key(key, (int)key_bytes * 8, aes_key);
180	0	if (out_block) {
181	0	*out_block = vpaes_encrypt;
182	0	}
183	0	if (out_is_hwaes) {
184	0	*out_is_hwaes = 0;
185	0	}
186		#if defined(BSAES)
187		assert(bsaes_capable());
188		return vpaes_ctr32_encrypt_blocks_with_bsaes;
189		#else
190	0	return vpaes_ctr32_encrypt_blocks;
191	0	#endif
192	0	}
193
194	0	aes_nohw_set_encrypt_key(key, (int)key_bytes * 8, aes_key);
195	0	if (out_is_hwaes) {
196	0	*out_is_hwaes = 0;
197	0	}
198	0	if (out_block) {
199	0	*out_block = aes_nohw_encrypt;
200	0	}
201	0	return aes_nohw_ctr32_encrypt_blocks;
202	0	}