openssl/providers/implementations/ciphers/cipher_aes_hw.c

/*
 * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * This file uses the low level AES functions (which are deprecated for
 * non-internal use) in order to implement provider AES ciphers.
 */
#include "internal/deprecated.h"

#include "cipher_aes.h"
#include "prov/providercommonerr.h"

static int cipher_hw_aes_initkey(PROV_CIPHER_CTX *dat,
                                 const unsigned char *key, size_t keylen)
{
    int ret;
    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
    AES_KEY *ks = &adat->ks.ks;

    dat->ks = ks;

    if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
        && !dat->enc) {
#ifdef HWAES_CAPABLE
        if (HWAES_CAPABLE) {
            ret = HWAES_set_decrypt_key(key, keylen * 8, ks);
            dat->block = (block128_f)HWAES_decrypt;
            dat->stream.cbc = NULL;
# ifdef HWAES_cbc_encrypt
            if (dat->mode == EVP_CIPH_CBC_MODE)
                dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
# endif
# ifdef HWAES_ecb_encrypt
            if (dat->mode == EVP_CIPH_ECB_MODE)
                dat->stream.ecb = (ecb128_f)HWAES_ecb_encrypt;
# endif
        } else
#endif
#ifdef BSAES_CAPABLE
        if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CBC_MODE) {
            ret = AES_set_decrypt_key(key, keylen * 8, ks);
            dat->block = (block128_f)AES_decrypt;
            dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
        } else
#endif
#ifdef VPAES_CAPABLE
        if (VPAES_CAPABLE) {
            ret = vpaes_set_decrypt_key(key, keylen * 8, ks);
            dat->block = (block128_f)vpaes_decrypt;
            dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
                              ?(cbc128_f)vpaes_cbc_encrypt : NULL;
        } else
#endif
        {
            ret = AES_set_decrypt_key(key, keylen * 8, ks);
            dat->block = (block128_f)AES_decrypt;
            dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
                              ? (cbc128_f)AES_cbc_encrypt : NULL;
        }
    } else
#ifdef HWAES_CAPABLE
    if (HWAES_CAPABLE) {
        ret = HWAES_set_encrypt_key(key, keylen * 8, ks);
        dat->block = (block128_f)HWAES_encrypt;
        dat->stream.cbc = NULL;
# ifdef HWAES_cbc_encrypt
        if (dat->mode == EVP_CIPH_CBC_MODE)
            dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
        else
# endif
# ifdef HWAES_ecb_encrypt
        if (dat->mode == EVP_CIPH_ECB_MODE)
            dat->stream.ecb = (ecb128_f)HWAES_ecb_encrypt;
        else
# endif
# ifdef HWAES_ctr32_encrypt_blocks
        if (dat->mode == EVP_CIPH_CTR_MODE)
            dat->stream.ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks;
        else
# endif
            (void)0;            /* terminate potentially open 'else' */
    } else
#endif
#ifdef BSAES_CAPABLE
    if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CTR_MODE) {
        ret = AES_set_encrypt_key(key, keylen * 8, ks);
        dat->block = (block128_f)AES_encrypt;
        dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
    } else
#endif
#ifdef VPAES_CAPABLE
    if (VPAES_CAPABLE) {
        ret = vpaes_set_encrypt_key(key, keylen * 8, ks);
        dat->block = (block128_f)vpaes_encrypt;
        dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
                          ? (cbc128_f)vpaes_cbc_encrypt : NULL;
    } else
#endif
    {
        ret = AES_set_encrypt_key(key, keylen * 8, ks);
        dat->block = (block128_f)AES_encrypt;
        dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
                          ? (cbc128_f)AES_cbc_encrypt : NULL;
#ifdef AES_CTR_ASM
        if (dat->mode == EVP_CIPH_CTR_MODE)
            dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
#endif
    }

    if (ret < 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
        return 0;
    }

    return 1;
}

IMPLEMENT_CIPHER_HW_COPYCTX(cipher_hw_aes_copyctx, PROV_AES_CTX)

#define PROV_CIPHER_HW_aes_mode(mode)                                          \
static const PROV_CIPHER_HW aes_##mode = {                                     \
    cipher_hw_aes_initkey,                                                     \
    cipher_hw_generic_##mode,                                                  \
    cipher_hw_aes_copyctx                                                      \
};                                                                             \
PROV_CIPHER_HW_declare(mode)                                                   \
const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_##mode(size_t keybits)                \
{                                                                              \
    PROV_CIPHER_HW_select(mode)                                                \
    return &aes_##mode;                                                        \
}

#if defined(AESNI_CAPABLE)
# include "cipher_aes_hw_aesni.inc"
#elif defined(SPARC_AES_CAPABLE)
# include "cipher_aes_hw_t4.inc"
#elif defined(S390X_aes_128_CAPABLE)
# include "cipher_aes_hw_s390x.inc"
#else
/* The generic case */
# define PROV_CIPHER_HW_declare(mode)
# define PROV_CIPHER_HW_select(mode)
#endif

PROV_CIPHER_HW_aes_mode(cbc)
PROV_CIPHER_HW_aes_mode(ecb)
PROV_CIPHER_HW_aes_mode(ofb128)
PROV_CIPHER_HW_aes_mode(cfb128)
PROV_CIPHER_HW_aes_mode(cfb1)
PROV_CIPHER_HW_aes_mode(cfb8)
PROV_CIPHER_HW_aes_mode(ctr)
Add basic aria and camellia ciphers modes to default provider The aes code has been refactored into generic and algorithn specific parts, so that most of the code can be shared. The cipher related files have been broken up into smaller parts. Add chunked variant of mode ciphers - aria uses this (many other ciphers will use this new code instead of the generic code used by aes). Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9451) 2019-08-22 09:42:54 +08:00			`/*`
			`* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.`
			`*`
			`* Licensed under the Apache License 2.0 (the "License"). You may not use`
			`* this file except in compliance with the License. You can obtain a copy`
			`* in the file LICENSE in the source distribution or at`
			`* https://www.openssl.org/source/license.html`
			`*/`

Deprecate the low level AES functions Use of the low level AES functions has been informally discouraged for a long time. We now formally deprecate them. Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt functions. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10580) 2019-12-06 01:09:49 +08:00			`/*`
			`* This file uses the low level AES functions (which are deprecated for`
			`* non-internal use) in order to implement provider AES ciphers.`
			`*/`
			`#include "internal/deprecated.h"`

Cleanup ciphers and Add 3des ciphers. Moved the relevant ciphers into default and restructed headers to allow the move. This removed most of the cases of #ifdef NO_XXX (which are now specified in build.info) Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9482) 2019-08-26 15:05:08 +08:00			`#include "cipher_aes.h"`
Cleanup: move remaining providers/common/include/internal/*.h The end up in providers/common/include/prov/. All inclusions are adjusted accordingly. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10088) 2019-10-04 21:25:59 +08:00			`#include "prov/providercommonerr.h"`
Add basic aria and camellia ciphers modes to default provider The aes code has been refactored into generic and algorithn specific parts, so that most of the code can be shared. The cipher related files have been broken up into smaller parts. Add chunked variant of mode ciphers - aria uses this (many other ciphers will use this new code instead of the generic code used by aes). Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9451) 2019-08-22 09:42:54 +08:00
			`static int cipher_hw_aes_initkey(PROV_CIPHER_CTX *dat,`
			`const unsigned char *key, size_t keylen)`
			`{`
			`int ret;`
			`PROV_AES_CTX adat = (PROV_AES_CTX )dat;`
			`AES_KEY *ks = &adat->ks.ks;`

			`dat->ks = ks;`

			`if ((dat->mode == EVP_CIPH_ECB_MODE \|\| dat->mode == EVP_CIPH_CBC_MODE)`
			`&& !dat->enc) {`
			`#ifdef HWAES_CAPABLE`
			`if (HWAES_CAPABLE) {`
			`ret = HWAES_set_decrypt_key(key, keylen * 8, ks);`
			`dat->block = (block128_f)HWAES_decrypt;`
			`dat->stream.cbc = NULL;`
			`# ifdef HWAES_cbc_encrypt`
			`if (dat->mode == EVP_CIPH_CBC_MODE)`
			`dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;`
Optimize AES-ECB mode in OpenSSL for both aarch64 and aarch32 Aes-ecb mode can be optimized by inverleaving cipher operation on several blocks and loop unrolling. Interleaving needs one ideal unrolling factor, here we adopt the same factor with aes-cbc, which is described as below: If blocks number > 5, select 5 blocks as one iteration,every loop, decrease the blocks number by 5. If 3 < left blocks < 5 select 3 blocks as one iteration, every loop, decrease the block number by 3. If left blocks < 3, treat them as tail blocks. Detailed implementation will have a little adjustment for squeezing code space. With this way, for small size such as 16 bytes, the performance is similar as before, but for big size such as 16k bytes, the performance improves a lot, even reaches to 100%, for some arches such as A57, the improvement even exceeds 100%. The following table will list the encryption performance data on aarch64, take a72 and a57 as examples. Performance value takes the unit of cycles per byte, takes the format as comparision of values. List them as below: A72: Before optimization After optimization Improve evp-aes-128-ecb@16 17.26538237 16.82663866 2.61% evp-aes-128-ecb@64 5.50528499 5.222637557 5.41% evp-aes-128-ecb@256 2.632700213 1.908442892 37.95% evp-aes-128-ecb@1024 1.876102047 1.078018868 74.03% evp-aes-128-ecb@8192 1.6550392 0.853982929 93.80% evp-aes-128-ecb@16384 1.636871283 0.847623957 93.11% evp-aes-192-ecb@16 17.73104961 17.09692468 3.71% evp-aes-192-ecb@64 5.78984398 5.418545192 6.85% evp-aes-192-ecb@256 2.872005308 2.081815274 37.96% evp-aes-192-ecb@1024 2.083226672 1.25095642 66.53% evp-aes-192-ecb@8192 1.831992057 0.995916251 83.95% evp-aes-192-ecb@16384 1.821590009 0.993820525 83.29% evp-aes-256-ecb@16 18.0606306 17.96963317 0.51% evp-aes-256-ecb@64 6.19651997 5.762465812 7.53% evp-aes-256-ecb@256 3.176991394 2.24642538 41.42% evp-aes-256-ecb@1024 2.385991919 1.396018192 70.91% evp-aes-256-ecb@8192 2.147862636 1.142222597 88.04% evp-aes-256-ecb@16384 2.131361787 1.135944617 87.63% A57: Before optimization After optimization Improve evp-aes-128-ecb@16 18.61045121 18.36456218 1.34% evp-aes-128-ecb@64 6.438628994 5.467959461 17.75% evp-aes-128-ecb@256 2.957452881 1.97238604 49.94% evp-aes-128-ecb@1024 2.117096219 1.099665054 92.52% evp-aes-128-ecb@8192 1.868385973 0.837440804 123.11% evp-aes-128-ecb@16384 1.853078526 0.822420027 125.32% evp-aes-192-ecb@16 19.07021756 18.50018552 3.08% evp-aes-192-ecb@64 6.672351486 5.696088921 17.14% evp-aes-192-ecb@256 3.260427769 2.131449916 52.97% evp-aes-192-ecb@1024 2.410522832 1.250529718 92.76% evp-aes-192-ecb@8192 2.17921605 0.973225504 123.92% evp-aes-192-ecb@16384 2.162250997 0.95919871 125.42% evp-aes-256-ecb@16 19.3008384 19.12743654 0.91% evp-aes-256-ecb@64 6.992950658 5.92149541 18.09% evp-aes-256-ecb@256 3.576361743 2.287619504 56.34% evp-aes-256-ecb@1024 2.726671027 1.381267599 97.40% evp-aes-256-ecb@8192 2.493583657 1.110959913 124.45% evp-aes-256-ecb@16384 2.473916816 1.099967073 124.91% Change-Id: Iccd23d972e0d52d22dc093f4c208f69c9d5a0ca7 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10518) 2019-11-07 10:36:45 +08:00			`# endif`
			`# ifdef HWAES_ecb_encrypt`
			`if (dat->mode == EVP_CIPH_ECB_MODE)`
			`dat->stream.ecb = (ecb128_f)HWAES_ecb_encrypt;`
Add basic aria and camellia ciphers modes to default provider The aes code has been refactored into generic and algorithn specific parts, so that most of the code can be shared. The cipher related files have been broken up into smaller parts. Add chunked variant of mode ciphers - aria uses this (many other ciphers will use this new code instead of the generic code used by aes). Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9451) 2019-08-22 09:42:54 +08:00			`# endif`
			`} else`
			`#endif`
			`#ifdef BSAES_CAPABLE`
			`if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CBC_MODE) {`
			`ret = AES_set_decrypt_key(key, keylen * 8, ks);`
			`dat->block = (block128_f)AES_decrypt;`
			`dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;`
			`} else`
			`#endif`
			`#ifdef VPAES_CAPABLE`
			`if (VPAES_CAPABLE) {`
			`ret = vpaes_set_decrypt_key(key, keylen * 8, ks);`
			`dat->block = (block128_f)vpaes_decrypt;`
			`dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)`
			`?(cbc128_f)vpaes_cbc_encrypt : NULL;`
			`} else`
			`#endif`
			`{`
			`ret = AES_set_decrypt_key(key, keylen * 8, ks);`
			`dat->block = (block128_f)AES_decrypt;`
			`dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)`
			`? (cbc128_f)AES_cbc_encrypt : NULL;`
			`}`
			`} else`
			`#ifdef HWAES_CAPABLE`
			`if (HWAES_CAPABLE) {`
			`ret = HWAES_set_encrypt_key(key, keylen * 8, ks);`
			`dat->block = (block128_f)HWAES_encrypt;`
			`dat->stream.cbc = NULL;`
			`# ifdef HWAES_cbc_encrypt`
			`if (dat->mode == EVP_CIPH_CBC_MODE)`
			`dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;`
			`else`
			`# endif`
Optimize AES-ECB mode in OpenSSL for both aarch64 and aarch32 Aes-ecb mode can be optimized by inverleaving cipher operation on several blocks and loop unrolling. Interleaving needs one ideal unrolling factor, here we adopt the same factor with aes-cbc, which is described as below: If blocks number > 5, select 5 blocks as one iteration,every loop, decrease the blocks number by 5. If 3 < left blocks < 5 select 3 blocks as one iteration, every loop, decrease the block number by 3. If left blocks < 3, treat them as tail blocks. Detailed implementation will have a little adjustment for squeezing code space. With this way, for small size such as 16 bytes, the performance is similar as before, but for big size such as 16k bytes, the performance improves a lot, even reaches to 100%, for some arches such as A57, the improvement even exceeds 100%. The following table will list the encryption performance data on aarch64, take a72 and a57 as examples. Performance value takes the unit of cycles per byte, takes the format as comparision of values. List them as below: A72: Before optimization After optimization Improve evp-aes-128-ecb@16 17.26538237 16.82663866 2.61% evp-aes-128-ecb@64 5.50528499 5.222637557 5.41% evp-aes-128-ecb@256 2.632700213 1.908442892 37.95% evp-aes-128-ecb@1024 1.876102047 1.078018868 74.03% evp-aes-128-ecb@8192 1.6550392 0.853982929 93.80% evp-aes-128-ecb@16384 1.636871283 0.847623957 93.11% evp-aes-192-ecb@16 17.73104961 17.09692468 3.71% evp-aes-192-ecb@64 5.78984398 5.418545192 6.85% evp-aes-192-ecb@256 2.872005308 2.081815274 37.96% evp-aes-192-ecb@1024 2.083226672 1.25095642 66.53% evp-aes-192-ecb@8192 1.831992057 0.995916251 83.95% evp-aes-192-ecb@16384 1.821590009 0.993820525 83.29% evp-aes-256-ecb@16 18.0606306 17.96963317 0.51% evp-aes-256-ecb@64 6.19651997 5.762465812 7.53% evp-aes-256-ecb@256 3.176991394 2.24642538 41.42% evp-aes-256-ecb@1024 2.385991919 1.396018192 70.91% evp-aes-256-ecb@8192 2.147862636 1.142222597 88.04% evp-aes-256-ecb@16384 2.131361787 1.135944617 87.63% A57: Before optimization After optimization Improve evp-aes-128-ecb@16 18.61045121 18.36456218 1.34% evp-aes-128-ecb@64 6.438628994 5.467959461 17.75% evp-aes-128-ecb@256 2.957452881 1.97238604 49.94% evp-aes-128-ecb@1024 2.117096219 1.099665054 92.52% evp-aes-128-ecb@8192 1.868385973 0.837440804 123.11% evp-aes-128-ecb@16384 1.853078526 0.822420027 125.32% evp-aes-192-ecb@16 19.07021756 18.50018552 3.08% evp-aes-192-ecb@64 6.672351486 5.696088921 17.14% evp-aes-192-ecb@256 3.260427769 2.131449916 52.97% evp-aes-192-ecb@1024 2.410522832 1.250529718 92.76% evp-aes-192-ecb@8192 2.17921605 0.973225504 123.92% evp-aes-192-ecb@16384 2.162250997 0.95919871 125.42% evp-aes-256-ecb@16 19.3008384 19.12743654 0.91% evp-aes-256-ecb@64 6.992950658 5.92149541 18.09% evp-aes-256-ecb@256 3.576361743 2.287619504 56.34% evp-aes-256-ecb@1024 2.726671027 1.381267599 97.40% evp-aes-256-ecb@8192 2.493583657 1.110959913 124.45% evp-aes-256-ecb@16384 2.473916816 1.099967073 124.91% Change-Id: Iccd23d972e0d52d22dc093f4c208f69c9d5a0ca7 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10518) 2019-11-07 10:36:45 +08:00			`# ifdef HWAES_ecb_encrypt`
			`if (dat->mode == EVP_CIPH_ECB_MODE)`
			`dat->stream.ecb = (ecb128_f)HWAES_ecb_encrypt;`
			`else`
			`# endif`
Add basic aria and camellia ciphers modes to default provider The aes code has been refactored into generic and algorithn specific parts, so that most of the code can be shared. The cipher related files have been broken up into smaller parts. Add chunked variant of mode ciphers - aria uses this (many other ciphers will use this new code instead of the generic code used by aes). Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9451) 2019-08-22 09:42:54 +08:00			`# ifdef HWAES_ctr32_encrypt_blocks`
			`if (dat->mode == EVP_CIPH_CTR_MODE)`
			`dat->stream.ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks;`
			`else`
			`# endif`
			`(void)0; /* terminate potentially open 'else' */`
			`} else`
			`#endif`
			`#ifdef BSAES_CAPABLE`
			`if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CTR_MODE) {`
			`ret = AES_set_encrypt_key(key, keylen * 8, ks);`
			`dat->block = (block128_f)AES_encrypt;`
			`dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;`
			`} else`
			`#endif`
			`#ifdef VPAES_CAPABLE`
			`if (VPAES_CAPABLE) {`
			`ret = vpaes_set_encrypt_key(key, keylen * 8, ks);`
			`dat->block = (block128_f)vpaes_encrypt;`
			`dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)`
			`? (cbc128_f)vpaes_cbc_encrypt : NULL;`
			`} else`
			`#endif`
			`{`
			`ret = AES_set_encrypt_key(key, keylen * 8, ks);`
			`dat->block = (block128_f)AES_encrypt;`
			`dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)`
			`? (cbc128_f)AES_cbc_encrypt : NULL;`
			`#ifdef AES_CTR_ASM`
			`if (dat->mode == EVP_CIPH_CTR_MODE)`
			`dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;`
			`#endif`
			`}`

			`if (ret < 0) {`
			`ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);`
			`return 0;`
			`}`

			`return 1;`
			`}`

Fix Use after free when copying cipher ctx Fixes #10438 issue found by clusterfuzz/ossfuzz The dest was getting a copy of the src structure which contained a pointer that should point to an offset inside itself - because of the copy it was pointing to the original structure. The setup for a ctx is mainly done by the initkey method in the PROV_CIPHER_HW structure. Because of this it makes sense that the structure should also contain a copyctx method that is use to resolve any pointers that need to be setup. A dup_ctx has been added to the cipher_enc tests in evp_test. It does a dup after setup and then frees the original ctx. This detects any floating pointers in the duplicated context that were pointing back to the freed ctx. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10443) 2019-11-18 11:13:05 +08:00			`IMPLEMENT_CIPHER_HW_COPYCTX(cipher_hw_aes_copyctx, PROV_AES_CTX)`

Add basic aria and camellia ciphers modes to default provider The aes code has been refactored into generic and algorithn specific parts, so that most of the code can be shared. The cipher related files have been broken up into smaller parts. Add chunked variant of mode ciphers - aria uses this (many other ciphers will use this new code instead of the generic code used by aes). Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9451) 2019-08-22 09:42:54 +08:00			`#define PROV_CIPHER_HW_aes_mode(mode) \`
			`static const PROV_CIPHER_HW aes_##mode = { \`
			`cipher_hw_aes_initkey, \`
Fix Use after free when copying cipher ctx Fixes #10438 issue found by clusterfuzz/ossfuzz The dest was getting a copy of the src structure which contained a pointer that should point to an offset inside itself - because of the copy it was pointing to the original structure. The setup for a ctx is mainly done by the initkey method in the PROV_CIPHER_HW structure. Because of this it makes sense that the structure should also contain a copyctx method that is use to resolve any pointers that need to be setup. A dup_ctx has been added to the cipher_enc tests in evp_test. It does a dup after setup and then frees the original ctx. This detects any floating pointers in the duplicated context that were pointing back to the freed ctx. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10443) 2019-11-18 11:13:05 +08:00			`cipher_hw_generic_##mode, \`
			`cipher_hw_aes_copyctx \`
Add basic aria and camellia ciphers modes to default provider The aes code has been refactored into generic and algorithn specific parts, so that most of the code can be shared. The cipher related files have been broken up into smaller parts. Add chunked variant of mode ciphers - aria uses this (many other ciphers will use this new code instead of the generic code used by aes). Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9451) 2019-08-22 09:42:54 +08:00			`}; \`
			`PROV_CIPHER_HW_declare(mode) \`
			`const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_##mode(size_t keybits) \`
			`{ \`
			`PROV_CIPHER_HW_select(mode) \`
			`return &aes_##mode; \`
			`}`

			`#if defined(AESNI_CAPABLE)`
			`# include "cipher_aes_hw_aesni.inc"`
			`#elif defined(SPARC_AES_CAPABLE)`
			`# include "cipher_aes_hw_t4.inc"`
			`#elif defined(S390X_aes_128_CAPABLE)`
			`# include "cipher_aes_hw_s390x.inc"`
			`#else`
			`/* The generic case */`
			`# define PROV_CIPHER_HW_declare(mode)`
			`# define PROV_CIPHER_HW_select(mode)`
			`#endif`

			`PROV_CIPHER_HW_aes_mode(cbc)`
			`PROV_CIPHER_HW_aes_mode(ecb)`
			`PROV_CIPHER_HW_aes_mode(ofb128)`
			`PROV_CIPHER_HW_aes_mode(cfb128)`
			`PROV_CIPHER_HW_aes_mode(cfb1)`
			`PROV_CIPHER_HW_aes_mode(cfb8)`
			`PROV_CIPHER_HW_aes_mode(ctr)`