diff -up openssl-1.1.1k/crypto/evp/e_aes.c.s390x-aes openssl-1.1.1k/crypto/evp/e_aes.c --- openssl-1.1.1k/crypto/evp/e_aes.c.s390x-aes 2021-07-16 11:03:14.362127435 +0200 +++ openssl-1.1.1k/crypto/evp/e_aes.c 2021-07-16 15:00:42.531477251 +0200 @@ -1168,9 +1168,9 @@ typedef struct { static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); -# define S390X_aes_128_cbc_CAPABLE 1 /* checked by callee */ -# define S390X_aes_192_cbc_CAPABLE 1 -# define S390X_aes_256_cbc_CAPABLE 1 +# define S390X_aes_128_cbc_CAPABLE 0 /* checked by callee */ +# define S390X_aes_192_cbc_CAPABLE 0 +# define S390X_aes_256_cbc_CAPABLE 0 # define S390X_AES_CBC_CTX EVP_AES_KEY # define s390x_aes_cbc_init_key aes_init_key @@ -1190,11 +1190,10 @@ static int s390x_aes_ecb_init_key(EVP_CI S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx); const int keylen = EVP_CIPHER_CTX_key_length(ctx); - cctx->fc = S390X_AES_FC(keylen); - if (!enc) - cctx->fc |= S390X_DECRYPT; + cctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT); - memcpy(cctx->km.param.k, key, keylen); + if (key != NULL) + memcpy(cctx->km.param.k, key, keylen); return 1; } @@ -1222,14 +1221,17 @@ static int s390x_aes_ofb_init_key(EVP_CI const unsigned char *ivec, int enc) { S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx); - const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx); + const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx); const int keylen = EVP_CIPHER_CTX_key_length(ctx); const int ivlen = EVP_CIPHER_CTX_iv_length(ctx); - memcpy(cctx->kmo.param.cv, iv, ivlen); - memcpy(cctx->kmo.param.k, key, keylen); cctx->fc = S390X_AES_FC(keylen); + + if (key != NULL) + memcpy(cctx->kmo.param.k, key, keylen); + cctx->res = 0; + memcpy(cctx->kmo.param.cv, oiv, ivlen); return 1; } @@ -1287,18 +1289,18 @@ static int s390x_aes_cfb_init_key(EVP_CI const unsigned char *ivec, int enc) { S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx); - const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx); + const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx); const int keylen = EVP_CIPHER_CTX_key_length(ctx); const int ivlen = EVP_CIPHER_CTX_iv_length(ctx); - cctx->fc = S390X_AES_FC(keylen); - cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */ - if (!enc) - cctx->fc |= S390X_DECRYPT; + cctx->fc = S390X_AES_FC(keylen)| (enc ? 0 : S390X_DECRYPT) + | (16 << 24); /* 16 bytes cipher feedback */ + + if (key != NULL) + memcpy(cctx->kmf.param.k, key, keylen); cctx->res = 0; - memcpy(cctx->kmf.param.cv, iv, ivlen); - memcpy(cctx->kmf.param.k, key, keylen); + memcpy(cctx->kmf.param.cv, oiv, ivlen); return 1; } @@ -1360,17 +1362,18 @@ static int s390x_aes_cfb8_init_key(EVP_C const unsigned char *ivec, int enc) { S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx); - const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx); + const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx); const int keylen = EVP_CIPHER_CTX_key_length(ctx); const int ivlen = EVP_CIPHER_CTX_iv_length(ctx); - cctx->fc = S390X_AES_FC(keylen); - cctx->fc |= 1 << 24; /* 1 byte cipher feedback */ - if (!enc) - cctx->fc |= S390X_DECRYPT; + cctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT) + | (1 << 24); /* 1 byte cipher feedback flag */ + + if (key != NULL) + memcpy(cctx->kmf.param.k, key, keylen); - memcpy(cctx->kmf.param.cv, iv, ivlen); - memcpy(cctx->kmf.param.k, key, keylen); + cctx->res = 0; + memcpy(cctx->kmf.param.cv, oiv, ivlen); return 1; } @@ -1393,9 +1396,9 @@ static int s390x_aes_cfb8_cipher(EVP_CIP static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len); -# define S390X_aes_128_ctr_CAPABLE 1 /* checked by callee */ -# define S390X_aes_192_ctr_CAPABLE 1 -# define S390X_aes_256_ctr_CAPABLE 1 +# define S390X_aes_128_ctr_CAPABLE 0 /* checked by callee */ +# define S390X_aes_192_ctr_CAPABLE 0 +# define S390X_aes_256_ctr_CAPABLE 0 # define S390X_AES_CTR_CTX EVP_AES_KEY # define s390x_aes_ctr_init_key aes_init_key @@ -1563,8 +1566,7 @@ static int s390x_aes_gcm(S390X_AES_GCM_C /*- * Initialize context structure. Code is big-endian. */ -static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx, - const unsigned char *iv) +static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx) { ctx->kma.param.t.g[0] = 0; ctx->kma.param.t.g[1] = 0; @@ -1575,12 +1577,11 @@ static void s390x_aes_gcm_setiv(S390X_AE ctx->kreslen = 0; if (ctx->ivlen == 12) { - memcpy(&ctx->kma.param.j0, iv, ctx->ivlen); + memcpy(&ctx->kma.param.j0, ctx->iv, ctx->ivlen); ctx->kma.param.j0.w[3] = 1; ctx->kma.param.cv.w = 1; } else { /* ctx->iv has the right size and is already padded. */ - memcpy(ctx->iv, iv, ctx->ivlen); s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL, ctx->fc, &ctx->kma.param); ctx->fc |= S390X_KMA_HS; @@ -1694,7 +1695,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER if (gctx->iv_gen == 0 || gctx->key_set == 0) return 0; - s390x_aes_gcm_setiv(gctx, gctx->iv); + s390x_aes_gcm_setiv(gctx); if (arg <= 0 || arg > gctx->ivlen) arg = gctx->ivlen; @@ -1714,7 +1715,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER return 0; memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); - s390x_aes_gcm_setiv(gctx, gctx->iv); + s390x_aes_gcm_setiv(gctx); gctx->iv_set = 1; return 1; @@ -1770,43 +1771,35 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER } /*- - * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned. + * Set key or iv or enc/dec. Returns 1 on success. Otherwise 0 is returned. */ static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx); - int keylen; + const int keylen = EVP_CIPHER_CTX_key_length(ctx); - if (iv == NULL && key == NULL) - return 1; + gctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT); if (key != NULL) { - keylen = EVP_CIPHER_CTX_key_length(ctx); + gctx->fc &= ~S390X_KMA_HS; memcpy(&gctx->kma.param.k, key, keylen); - - gctx->fc = S390X_AES_FC(keylen); - if (!enc) - gctx->fc |= S390X_DECRYPT; - - if (iv == NULL && gctx->iv_set) - iv = gctx->iv; - - if (iv != NULL) { - s390x_aes_gcm_setiv(gctx, iv); - gctx->iv_set = 1; - } gctx->key_set = 1; - } else { - if (gctx->key_set) - s390x_aes_gcm_setiv(gctx, iv); - else - memcpy(gctx->iv, iv, gctx->ivlen); - - gctx->iv_set = 1; + } + if (iv != NULL) { + memcpy(gctx->iv, iv, gctx->ivlen); gctx->iv_gen = 0; + gctx->iv_set = 1; } + + if (gctx->key_set && gctx->iv_set) + s390x_aes_gcm_setiv(gctx); + + gctx->fc &= ~(S390X_KMA_LPC | S390X_KMA_LAAD); + gctx->areslen = 0; + gctx->mreslen = 0; + gctx->kreslen = 0; return 1; } @@ -1895,7 +1888,6 @@ static int s390x_aes_gcm_cipher(EVP_CIPH /* recall that we already did en-/decrypt gctx->mres * and returned it to caller... */ OPENSSL_cleanse(tmp, gctx->mreslen); - gctx->iv_set = 0; enc = EVP_CIPHER_CTX_encrypting(ctx); if (enc) { @@ -1929,8 +1921,8 @@ static int s390x_aes_gcm_cleanup(EVP_CIP } # define S390X_AES_XTS_CTX EVP_AES_XTS_CTX -# define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */ -# define S390X_aes_256_xts_CAPABLE 1 +# define S390X_aes_128_xts_CAPABLE 0 /* checked by callee */ +# define S390X_aes_256_xts_CAPABLE 0 # define s390x_aes_xts_init_key aes_xts_init_key static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx, @@ -2134,9 +2126,10 @@ static int s390x_aes_ccm_tls_cipher(EVP_ const unsigned char *in, size_t len) { S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx); - unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx); + const unsigned char *ivec = EVP_CIPHER_CTX_iv(ctx); unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx); const int enc = EVP_CIPHER_CTX_encrypting(ctx); + unsigned char iv[EVP_MAX_IV_LENGTH]; if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m)) @@ -2152,8 +2145,9 @@ static int s390x_aes_ccm_tls_cipher(EVP_ * Get explicit iv (sequence number). We already have fixed iv * (server/client_write_iv) here. */ - memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN); - s390x_aes_ccm_setiv(cctx, ivec, len); + memcpy(iv, ivec, sizeof(iv)); + memcpy(iv + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN); + s390x_aes_ccm_setiv(cctx, iv, len); /* Process aad (sequence number|type|version|length) */ s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len); @@ -2180,42 +2174,34 @@ static int s390x_aes_ccm_tls_cipher(EVP_ } /*- - * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is - * returned. + * Set key or iv or enc/dec. Returns 1 if successful. + * Otherwise 0 is returned. */ static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx); - unsigned char *ivec; - int keylen; + const int keylen = EVP_CIPHER_CTX_key_length(ctx); + unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx); - if (iv == NULL && key == NULL) - return 1; + cctx->aes.ccm.fc = S390X_AES_FC(keylen); if (key != NULL) { - keylen = EVP_CIPHER_CTX_key_length(ctx); - cctx->aes.ccm.fc = S390X_AES_FC(keylen); memcpy(cctx->aes.ccm.kmac_param.k, key, keylen); - - /* Store encoded m and l. */ - cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7) - | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3; - memset(cctx->aes.ccm.nonce.b + 1, 0, - sizeof(cctx->aes.ccm.nonce.b)); - cctx->aes.ccm.blocks = 0; - cctx->aes.ccm.key_set = 1; } - if (iv != NULL) { - ivec = EVP_CIPHER_CTX_iv_noconst(ctx); memcpy(ivec, iv, 15 - cctx->aes.ccm.l); - cctx->aes.ccm.iv_set = 1; } + /* Store encoded m and l. */ + cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7) + | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3; + memset(cctx->aes.ccm.nonce.b + 1, 0, sizeof(cctx->aes.ccm.nonce.b) - 1); + cctx->aes.ccm.blocks = 0; + cctx->aes.ccm.len_set = 0; return 1; } @@ -2230,8 +2216,9 @@ static int s390x_aes_ccm_cipher(EVP_CIPH { S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx); const int enc = EVP_CIPHER_CTX_encrypting(ctx); + const unsigned char *ivec = EVP_CIPHER_CTX_iv(ctx); + unsigned char *buf; int rv; - unsigned char *buf, *ivec; if (!cctx->aes.ccm.key_set) return -1; @@ -2253,7 +2240,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPH if (out == NULL) { /* Update(): Pass message length. */ if (in == NULL) { - ivec = EVP_CIPHER_CTX_iv_noconst(ctx); s390x_aes_ccm_setiv(cctx, ivec, len); cctx->aes.ccm.len_set = 1; @@ -2279,7 +2265,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPH * In case message length was not previously set explicitly via * Update(), set it now. */ - ivec = EVP_CIPHER_CTX_iv_noconst(ctx); s390x_aes_ccm_setiv(cctx, ivec, len); cctx->aes.ccm.len_set = 1; @@ -2304,9 +2289,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPH if (rv == -1) OPENSSL_cleanse(out, len); - cctx->aes.ccm.iv_set = 0; - cctx->aes.ccm.tag_set = 0; - cctx->aes.ccm.len_set = 0; return rv; } } @@ -2414,9 +2396,6 @@ static int s390x_aes_ccm_ctrl(EVP_CIPHER return 0; memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m); - cctx->aes.ccm.tag_set = 0; - cctx->aes.ccm.iv_set = 0; - cctx->aes.ccm.len_set = 0; return 1; case EVP_CTRL_COPY: @@ -2453,7 +2432,7 @@ static const EVP_CIPHER s390x_aes_##keyl nid##_##keylen##_##nmode,blocksize, \ keylen / 8, \ ivlen, \ - flags | EVP_CIPH_##MODE##_MODE, \ + flags | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_##MODE##_MODE, \ s390x_aes_##mode##_init_key, \ s390x_aes_##mode##_cipher, \ NULL, \ @@ -2490,7 +2469,7 @@ static const EVP_CIPHER s390x_aes_##keyl blocksize, \ (EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * keylen / 8, \ ivlen, \ - flags | EVP_CIPH_##MODE##_MODE, \ + flags | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_##MODE##_MODE, \ s390x_aes_##mode##_init_key, \ s390x_aes_##mode##_cipher, \ s390x_aes_##mode##_cleanup, \