xref: /freebsd/crypto/openssl/crypto/evp/e_aes.c (revision 15c433351f54e7cd5bec8d36c8e89e6a7fa55b26)
1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50 
51 #include <openssl/opensslconf.h>
52 #ifndef OPENSSL_NO_AES
53 #include <openssl/crypto.h>
54 # include <openssl/evp.h>
55 # include <openssl/err.h>
56 # include <string.h>
57 # include <assert.h>
58 # include <openssl/aes.h>
59 # include "evp_locl.h"
60 # include "modes_lcl.h"
61 # include <openssl/rand.h>
62 
63 # undef EVP_CIPH_FLAG_FIPS
64 # define EVP_CIPH_FLAG_FIPS 0
65 
66 typedef struct {
67     union {
68         double align;
69         AES_KEY ks;
70     } ks;
71     block128_f block;
72     union {
73         cbc128_f cbc;
74         ctr128_f ctr;
75     } stream;
76 } EVP_AES_KEY;
77 
78 typedef struct {
79     union {
80         double align;
81         AES_KEY ks;
82     } ks;                       /* AES key schedule to use */
83     int key_set;                /* Set if key initialised */
84     int iv_set;                 /* Set if an iv is set */
85     GCM128_CONTEXT gcm;
86     unsigned char *iv;          /* Temporary IV store */
87     int ivlen;                  /* IV length */
88     int taglen;
89     int iv_gen;                 /* It is OK to generate IVs */
90     int tls_aad_len;            /* TLS AAD length */
91     ctr128_f ctr;
92 } EVP_AES_GCM_CTX;
93 
94 typedef struct {
95     union {
96         double align;
97         AES_KEY ks;
98     } ks1, ks2;                 /* AES key schedules to use */
99     XTS128_CONTEXT xts;
100     void (*stream) (const unsigned char *in,
101                     unsigned char *out, size_t length,
102                     const AES_KEY *key1, const AES_KEY *key2,
103                     const unsigned char iv[16]);
104 } EVP_AES_XTS_CTX;
105 
106 typedef struct {
107     union {
108         double align;
109         AES_KEY ks;
110     } ks;                       /* AES key schedule to use */
111     int key_set;                /* Set if key initialised */
112     int iv_set;                 /* Set if an iv is set */
113     int tag_set;                /* Set if tag is valid */
114     int len_set;                /* Set if message length set */
115     int L, M;                   /* L and M parameters from RFC3610 */
116     CCM128_CONTEXT ccm;
117     ccm128_f str;
118 } EVP_AES_CCM_CTX;
119 
120 # define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
121 
122 # ifdef VPAES_ASM
123 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
124                           AES_KEY *key);
125 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
126                           AES_KEY *key);
127 
128 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
129                    const AES_KEY *key);
130 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
131                    const AES_KEY *key);
132 
133 void vpaes_cbc_encrypt(const unsigned char *in,
134                        unsigned char *out,
135                        size_t length,
136                        const AES_KEY *key, unsigned char *ivec, int enc);
137 # endif
138 # ifdef BSAES_ASM
139 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
140                        size_t length, const AES_KEY *key,
141                        unsigned char ivec[16], int enc);
142 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
143                                 size_t len, const AES_KEY *key,
144                                 const unsigned char ivec[16]);
145 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
146                        size_t len, const AES_KEY *key1,
147                        const AES_KEY *key2, const unsigned char iv[16]);
148 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
149                        size_t len, const AES_KEY *key1,
150                        const AES_KEY *key2, const unsigned char iv[16]);
151 # endif
152 # ifdef AES_CTR_ASM
153 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
154                        size_t blocks, const AES_KEY *key,
155                        const unsigned char ivec[AES_BLOCK_SIZE]);
156 # endif
157 # ifdef AES_XTS_ASM
158 void AES_xts_encrypt(const char *inp, char *out, size_t len,
159                      const AES_KEY *key1, const AES_KEY *key2,
160                      const unsigned char iv[16]);
161 void AES_xts_decrypt(const char *inp, char *out, size_t len,
162                      const AES_KEY *key1, const AES_KEY *key2,
163                      const unsigned char iv[16]);
164 # endif
165 
166 # if     defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
167 #  include "ppc_arch.h"
168 #  ifdef VPAES_ASM
169 #   define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
170 #  endif
171 #  define HWAES_CAPABLE  (OPENSSL_ppccap_P & PPC_CRYPTO207)
172 #  define HWAES_set_encrypt_key aes_p8_set_encrypt_key
173 #  define HWAES_set_decrypt_key aes_p8_set_decrypt_key
174 #  define HWAES_encrypt aes_p8_encrypt
175 #  define HWAES_decrypt aes_p8_decrypt
176 #  define HWAES_cbc_encrypt aes_p8_cbc_encrypt
177 #  define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
178 # endif
179 
180 # if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
181         ((defined(__i386)       || defined(__i386__)    || \
182           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
183         defined(__x86_64)       || defined(__x86_64__)  || \
184         defined(_M_AMD64)       || defined(_M_X64)      || \
185         defined(__INTEL__)                              )
186 
187 extern unsigned int OPENSSL_ia32cap_P[];
188 
189 #  ifdef VPAES_ASM
190 #   define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
191 #  endif
192 #  ifdef BSAES_ASM
193 #   define BSAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
194 #  endif
195 /*
196  * AES-NI section
197  */
198 #  define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
199 
200 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
201                           AES_KEY *key);
202 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
203                           AES_KEY *key);
204 
205 void aesni_encrypt(const unsigned char *in, unsigned char *out,
206                    const AES_KEY *key);
207 void aesni_decrypt(const unsigned char *in, unsigned char *out,
208                    const AES_KEY *key);
209 
210 void aesni_ecb_encrypt(const unsigned char *in,
211                        unsigned char *out,
212                        size_t length, const AES_KEY *key, int enc);
213 void aesni_cbc_encrypt(const unsigned char *in,
214                        unsigned char *out,
215                        size_t length,
216                        const AES_KEY *key, unsigned char *ivec, int enc);
217 
218 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
219                                 unsigned char *out,
220                                 size_t blocks,
221                                 const void *key, const unsigned char *ivec);
222 
223 void aesni_xts_encrypt(const unsigned char *in,
224                        unsigned char *out,
225                        size_t length,
226                        const AES_KEY *key1, const AES_KEY *key2,
227                        const unsigned char iv[16]);
228 
229 void aesni_xts_decrypt(const unsigned char *in,
230                        unsigned char *out,
231                        size_t length,
232                        const AES_KEY *key1, const AES_KEY *key2,
233                        const unsigned char iv[16]);
234 
235 void aesni_ccm64_encrypt_blocks(const unsigned char *in,
236                                 unsigned char *out,
237                                 size_t blocks,
238                                 const void *key,
239                                 const unsigned char ivec[16],
240                                 unsigned char cmac[16]);
241 
242 void aesni_ccm64_decrypt_blocks(const unsigned char *in,
243                                 unsigned char *out,
244                                 size_t blocks,
245                                 const void *key,
246                                 const unsigned char ivec[16],
247                                 unsigned char cmac[16]);
248 
249 #  if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
250 size_t aesni_gcm_encrypt(const unsigned char *in,
251                          unsigned char *out,
252                          size_t len,
253                          const void *key, unsigned char ivec[16], u64 *Xi);
254 #   define AES_gcm_encrypt aesni_gcm_encrypt
255 size_t aesni_gcm_decrypt(const unsigned char *in,
256                          unsigned char *out,
257                          size_t len,
258                          const void *key, unsigned char ivec[16], u64 *Xi);
259 #   define AES_gcm_decrypt aesni_gcm_decrypt
260 void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in,
261                    size_t len);
262 #   define AES_GCM_ASM(gctx)       (gctx->ctr==aesni_ctr32_encrypt_blocks && \
263                                  gctx->gcm.ghash==gcm_ghash_avx)
264 #   define AES_GCM_ASM2(gctx)      (gctx->gcm.block==(block128_f)aesni_encrypt && \
265                                  gctx->gcm.ghash==gcm_ghash_avx)
266 #   undef AES_GCM_ASM2          /* minor size optimization */
267 #  endif
268 
269 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
270                           const unsigned char *iv, int enc)
271 {
272     int ret, mode;
273     EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
274 
275     mode = ctx->cipher->flags & EVP_CIPH_MODE;
276     if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
277         && !enc) {
278         ret = aesni_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
279         dat->block = (block128_f) aesni_decrypt;
280         dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
281             (cbc128_f) aesni_cbc_encrypt : NULL;
282     } else {
283         ret = aesni_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
284         dat->block = (block128_f) aesni_encrypt;
285         if (mode == EVP_CIPH_CBC_MODE)
286             dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
287         else if (mode == EVP_CIPH_CTR_MODE)
288             dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
289         else
290             dat->stream.cbc = NULL;
291     }
292 
293     if (ret < 0) {
294         EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
295         return 0;
296     }
297 
298     return 1;
299 }
300 
301 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
302                             const unsigned char *in, size_t len)
303 {
304     aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, ctx->encrypt);
305 
306     return 1;
307 }
308 
309 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
310                             const unsigned char *in, size_t len)
311 {
312     size_t bl = ctx->cipher->block_size;
313 
314     if (len < bl)
315         return 1;
316 
317     aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
318 
319     return 1;
320 }
321 
322 #  define aesni_ofb_cipher aes_ofb_cipher
323 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
324                             const unsigned char *in, size_t len);
325 
326 #  define aesni_cfb_cipher aes_cfb_cipher
327 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
328                             const unsigned char *in, size_t len);
329 
330 #  define aesni_cfb8_cipher aes_cfb8_cipher
331 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
332                              const unsigned char *in, size_t len);
333 
334 #  define aesni_cfb1_cipher aes_cfb1_cipher
335 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
336                              const unsigned char *in, size_t len);
337 
338 #  define aesni_ctr_cipher aes_ctr_cipher
339 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
340                             const unsigned char *in, size_t len);
341 
342 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
343                               const unsigned char *iv, int enc)
344 {
345     EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
346     if (!iv && !key)
347         return 1;
348     if (key) {
349         aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
350         CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
351         gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
352         /*
353          * If we have an iv can set it directly, otherwise use saved IV.
354          */
355         if (iv == NULL && gctx->iv_set)
356             iv = gctx->iv;
357         if (iv) {
358             CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
359             gctx->iv_set = 1;
360         }
361         gctx->key_set = 1;
362     } else {
363         /* If key set use IV, otherwise copy */
364         if (gctx->key_set)
365             CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
366         else
367             memcpy(gctx->iv, iv, gctx->ivlen);
368         gctx->iv_set = 1;
369         gctx->iv_gen = 0;
370     }
371     return 1;
372 }
373 
374 #  define aesni_gcm_cipher aes_gcm_cipher
375 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
376                             const unsigned char *in, size_t len);
377 
378 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
379                               const unsigned char *iv, int enc)
380 {
381     EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
382     if (!iv && !key)
383         return 1;
384 
385     if (key) {
386         /* key_len is two AES keys */
387         if (enc) {
388             aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
389             xctx->xts.block1 = (block128_f) aesni_encrypt;
390             xctx->stream = aesni_xts_encrypt;
391         } else {
392             aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
393             xctx->xts.block1 = (block128_f) aesni_decrypt;
394             xctx->stream = aesni_xts_decrypt;
395         }
396 
397         aesni_set_encrypt_key(key + ctx->key_len / 2,
398                               ctx->key_len * 4, &xctx->ks2.ks);
399         xctx->xts.block2 = (block128_f) aesni_encrypt;
400 
401         xctx->xts.key1 = &xctx->ks1;
402     }
403 
404     if (iv) {
405         xctx->xts.key2 = &xctx->ks2;
406         memcpy(ctx->iv, iv, 16);
407     }
408 
409     return 1;
410 }
411 
412 #  define aesni_xts_cipher aes_xts_cipher
413 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
414                             const unsigned char *in, size_t len);
415 
416 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
417                               const unsigned char *iv, int enc)
418 {
419     EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
420     if (!iv && !key)
421         return 1;
422     if (key) {
423         aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
424         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
425                            &cctx->ks, (block128_f) aesni_encrypt);
426         cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
427             (ccm128_f) aesni_ccm64_decrypt_blocks;
428         cctx->key_set = 1;
429     }
430     if (iv) {
431         memcpy(ctx->iv, iv, 15 - cctx->L);
432         cctx->iv_set = 1;
433     }
434     return 1;
435 }
436 
437 #  define aesni_ccm_cipher aes_ccm_cipher
438 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
439                             const unsigned char *in, size_t len);
440 
441 #  define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
442 static const EVP_CIPHER aesni_##keylen##_##mode = { \
443         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
444         flags|EVP_CIPH_##MODE##_MODE,   \
445         aesni_init_key,                 \
446         aesni_##mode##_cipher,          \
447         NULL,                           \
448         sizeof(EVP_AES_KEY),            \
449         NULL,NULL,NULL,NULL }; \
450 static const EVP_CIPHER aes_##keylen##_##mode = { \
451         nid##_##keylen##_##nmode,blocksize,     \
452         keylen/8,ivlen, \
453         flags|EVP_CIPH_##MODE##_MODE,   \
454         aes_init_key,                   \
455         aes_##mode##_cipher,            \
456         NULL,                           \
457         sizeof(EVP_AES_KEY),            \
458         NULL,NULL,NULL,NULL }; \
459 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
460 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
461 
462 #  define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
463 static const EVP_CIPHER aesni_##keylen##_##mode = { \
464         nid##_##keylen##_##mode,blocksize, \
465         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
466         flags|EVP_CIPH_##MODE##_MODE,   \
467         aesni_##mode##_init_key,        \
468         aesni_##mode##_cipher,          \
469         aes_##mode##_cleanup,           \
470         sizeof(EVP_AES_##MODE##_CTX),   \
471         NULL,NULL,aes_##mode##_ctrl,NULL }; \
472 static const EVP_CIPHER aes_##keylen##_##mode = { \
473         nid##_##keylen##_##mode,blocksize, \
474         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
475         flags|EVP_CIPH_##MODE##_MODE,   \
476         aes_##mode##_init_key,          \
477         aes_##mode##_cipher,            \
478         aes_##mode##_cleanup,           \
479         sizeof(EVP_AES_##MODE##_CTX),   \
480         NULL,NULL,aes_##mode##_ctrl,NULL }; \
481 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
482 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
483 
484 # elif   defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
485 
486 #  include "sparc_arch.h"
487 
488 extern unsigned int OPENSSL_sparcv9cap_P[];
489 
490 #  define SPARC_AES_CAPABLE       (OPENSSL_sparcv9cap_P[1] & CFR_AES)
491 
492 void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
493 void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
494 void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
495                     const AES_KEY *key);
496 void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
497                     const AES_KEY *key);
498 /*
499  * Key-length specific subroutines were chosen for following reason.
500  * Each SPARC T4 core can execute up to 8 threads which share core's
501  * resources. Loading as much key material to registers allows to
502  * minimize references to shared memory interface, as well as amount
503  * of instructions in inner loops [much needed on T4]. But then having
504  * non-key-length specific routines would require conditional branches
505  * either in inner loops or on subroutines' entries. Former is hardly
506  * acceptable, while latter means code size increase to size occupied
507  * by multiple key-length specfic subroutines, so why fight?
508  */
509 void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
510                            size_t len, const AES_KEY *key,
511                            unsigned char *ivec);
512 void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
513                            size_t len, const AES_KEY *key,
514                            unsigned char *ivec);
515 void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
516                            size_t len, const AES_KEY *key,
517                            unsigned char *ivec);
518 void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
519                            size_t len, const AES_KEY *key,
520                            unsigned char *ivec);
521 void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
522                            size_t len, const AES_KEY *key,
523                            unsigned char *ivec);
524 void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
525                            size_t len, const AES_KEY *key,
526                            unsigned char *ivec);
527 void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
528                              size_t blocks, const AES_KEY *key,
529                              unsigned char *ivec);
530 void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
531                              size_t blocks, const AES_KEY *key,
532                              unsigned char *ivec);
533 void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
534                              size_t blocks, const AES_KEY *key,
535                              unsigned char *ivec);
536 void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
537                            size_t blocks, const AES_KEY *key1,
538                            const AES_KEY *key2, const unsigned char *ivec);
539 void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
540                            size_t blocks, const AES_KEY *key1,
541                            const AES_KEY *key2, const unsigned char *ivec);
542 void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
543                            size_t blocks, const AES_KEY *key1,
544                            const AES_KEY *key2, const unsigned char *ivec);
545 void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
546                            size_t blocks, const AES_KEY *key1,
547                            const AES_KEY *key2, const unsigned char *ivec);
548 
549 static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
550                            const unsigned char *iv, int enc)
551 {
552     int ret, mode, bits;
553     EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
554 
555     mode = ctx->cipher->flags & EVP_CIPH_MODE;
556     bits = ctx->key_len * 8;
557     if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
558         && !enc) {
559         ret = 0;
560         aes_t4_set_decrypt_key(key, bits, ctx->cipher_data);
561         dat->block = (block128_f) aes_t4_decrypt;
562         switch (bits) {
563         case 128:
564             dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
565                 (cbc128_f) aes128_t4_cbc_decrypt : NULL;
566             break;
567         case 192:
568             dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
569                 (cbc128_f) aes192_t4_cbc_decrypt : NULL;
570             break;
571         case 256:
572             dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
573                 (cbc128_f) aes256_t4_cbc_decrypt : NULL;
574             break;
575         default:
576             ret = -1;
577         }
578     } else {
579         ret = 0;
580         aes_t4_set_encrypt_key(key, bits, ctx->cipher_data);
581         dat->block = (block128_f) aes_t4_encrypt;
582         switch (bits) {
583         case 128:
584             if (mode == EVP_CIPH_CBC_MODE)
585                 dat->stream.cbc = (cbc128_f) aes128_t4_cbc_encrypt;
586             else if (mode == EVP_CIPH_CTR_MODE)
587                 dat->stream.ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
588             else
589                 dat->stream.cbc = NULL;
590             break;
591         case 192:
592             if (mode == EVP_CIPH_CBC_MODE)
593                 dat->stream.cbc = (cbc128_f) aes192_t4_cbc_encrypt;
594             else if (mode == EVP_CIPH_CTR_MODE)
595                 dat->stream.ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
596             else
597                 dat->stream.cbc = NULL;
598             break;
599         case 256:
600             if (mode == EVP_CIPH_CBC_MODE)
601                 dat->stream.cbc = (cbc128_f) aes256_t4_cbc_encrypt;
602             else if (mode == EVP_CIPH_CTR_MODE)
603                 dat->stream.ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
604             else
605                 dat->stream.cbc = NULL;
606             break;
607         default:
608             ret = -1;
609         }
610     }
611 
612     if (ret < 0) {
613         EVPerr(EVP_F_AES_T4_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
614         return 0;
615     }
616 
617     return 1;
618 }
619 
620 #  define aes_t4_cbc_cipher aes_cbc_cipher
621 static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
622                              const unsigned char *in, size_t len);
623 
624 #  define aes_t4_ecb_cipher aes_ecb_cipher
625 static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
626                              const unsigned char *in, size_t len);
627 
628 #  define aes_t4_ofb_cipher aes_ofb_cipher
629 static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
630                              const unsigned char *in, size_t len);
631 
632 #  define aes_t4_cfb_cipher aes_cfb_cipher
633 static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
634                              const unsigned char *in, size_t len);
635 
636 #  define aes_t4_cfb8_cipher aes_cfb8_cipher
637 static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
638                               const unsigned char *in, size_t len);
639 
640 #  define aes_t4_cfb1_cipher aes_cfb1_cipher
641 static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
642                               const unsigned char *in, size_t len);
643 
644 #  define aes_t4_ctr_cipher aes_ctr_cipher
645 static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
646                              const unsigned char *in, size_t len);
647 
648 static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
649                                const unsigned char *iv, int enc)
650 {
651     EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
652     if (!iv && !key)
653         return 1;
654     if (key) {
655         int bits = ctx->key_len * 8;
656         aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
657         CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
658                            (block128_f) aes_t4_encrypt);
659         switch (bits) {
660         case 128:
661             gctx->ctr = (ctr128_f) aes128_t4_ctr32_encrypt;
662             break;
663         case 192:
664             gctx->ctr = (ctr128_f) aes192_t4_ctr32_encrypt;
665             break;
666         case 256:
667             gctx->ctr = (ctr128_f) aes256_t4_ctr32_encrypt;
668             break;
669         default:
670             return 0;
671         }
672         /*
673          * If we have an iv can set it directly, otherwise use saved IV.
674          */
675         if (iv == NULL && gctx->iv_set)
676             iv = gctx->iv;
677         if (iv) {
678             CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
679             gctx->iv_set = 1;
680         }
681         gctx->key_set = 1;
682     } else {
683         /* If key set use IV, otherwise copy */
684         if (gctx->key_set)
685             CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
686         else
687             memcpy(gctx->iv, iv, gctx->ivlen);
688         gctx->iv_set = 1;
689         gctx->iv_gen = 0;
690     }
691     return 1;
692 }
693 
694 #  define aes_t4_gcm_cipher aes_gcm_cipher
695 static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
696                              const unsigned char *in, size_t len);
697 
698 static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
699                                const unsigned char *iv, int enc)
700 {
701     EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
702     if (!iv && !key)
703         return 1;
704 
705     if (key) {
706         int bits = ctx->key_len * 4;
707         xctx->stream = NULL;
708         /* key_len is two AES keys */
709         if (enc) {
710             aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
711             xctx->xts.block1 = (block128_f) aes_t4_encrypt;
712             switch (bits) {
713             case 128:
714                 xctx->stream = aes128_t4_xts_encrypt;
715                 break;
716 #  if 0                         /* not yet */
717             case 192:
718                 xctx->stream = aes192_t4_xts_encrypt;
719                 break;
720 #  endif
721             case 256:
722                 xctx->stream = aes256_t4_xts_encrypt;
723                 break;
724             default:
725                 return 0;
726             }
727         } else {
728             aes_t4_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
729             xctx->xts.block1 = (block128_f) aes_t4_decrypt;
730             switch (bits) {
731             case 128:
732                 xctx->stream = aes128_t4_xts_decrypt;
733                 break;
734 #  if 0                         /* not yet */
735             case 192:
736                 xctx->stream = aes192_t4_xts_decrypt;
737                 break;
738 #  endif
739             case 256:
740                 xctx->stream = aes256_t4_xts_decrypt;
741                 break;
742             default:
743                 return 0;
744             }
745         }
746 
747         aes_t4_set_encrypt_key(key + ctx->key_len / 2,
748                                ctx->key_len * 4, &xctx->ks2.ks);
749         xctx->xts.block2 = (block128_f) aes_t4_encrypt;
750 
751         xctx->xts.key1 = &xctx->ks1;
752     }
753 
754     if (iv) {
755         xctx->xts.key2 = &xctx->ks2;
756         memcpy(ctx->iv, iv, 16);
757     }
758 
759     return 1;
760 }
761 
762 #  define aes_t4_xts_cipher aes_xts_cipher
763 static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
764                              const unsigned char *in, size_t len);
765 
766 static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
767                                const unsigned char *iv, int enc)
768 {
769     EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
770     if (!iv && !key)
771         return 1;
772     if (key) {
773         int bits = ctx->key_len * 8;
774         aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
775         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
776                            &cctx->ks, (block128_f) aes_t4_encrypt);
777 #  if 0                         /* not yet */
778         switch (bits) {
779         case 128:
780             cctx->str = enc ? (ccm128_f) aes128_t4_ccm64_encrypt :
781                 (ccm128_f) ae128_t4_ccm64_decrypt;
782             break;
783         case 192:
784             cctx->str = enc ? (ccm128_f) aes192_t4_ccm64_encrypt :
785                 (ccm128_f) ae192_t4_ccm64_decrypt;
786             break;
787         case 256:
788             cctx->str = enc ? (ccm128_f) aes256_t4_ccm64_encrypt :
789                 (ccm128_f) ae256_t4_ccm64_decrypt;
790             break;
791         default:
792             return 0;
793         }
794 #  else
795         cctx->str = NULL;
796 #  endif
797         cctx->key_set = 1;
798     }
799     if (iv) {
800         memcpy(ctx->iv, iv, 15 - cctx->L);
801         cctx->iv_set = 1;
802     }
803     return 1;
804 }
805 
806 #  define aes_t4_ccm_cipher aes_ccm_cipher
807 static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
808                              const unsigned char *in, size_t len);
809 
810 #  define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
811 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
812         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
813         flags|EVP_CIPH_##MODE##_MODE,   \
814         aes_t4_init_key,                \
815         aes_t4_##mode##_cipher,         \
816         NULL,                           \
817         sizeof(EVP_AES_KEY),            \
818         NULL,NULL,NULL,NULL }; \
819 static const EVP_CIPHER aes_##keylen##_##mode = { \
820         nid##_##keylen##_##nmode,blocksize,     \
821         keylen/8,ivlen, \
822         flags|EVP_CIPH_##MODE##_MODE,   \
823         aes_init_key,                   \
824         aes_##mode##_cipher,            \
825         NULL,                           \
826         sizeof(EVP_AES_KEY),            \
827         NULL,NULL,NULL,NULL }; \
828 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
829 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
830 
831 #  define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
832 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
833         nid##_##keylen##_##mode,blocksize, \
834         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
835         flags|EVP_CIPH_##MODE##_MODE,   \
836         aes_t4_##mode##_init_key,       \
837         aes_t4_##mode##_cipher,         \
838         aes_##mode##_cleanup,           \
839         sizeof(EVP_AES_##MODE##_CTX),   \
840         NULL,NULL,aes_##mode##_ctrl,NULL }; \
841 static const EVP_CIPHER aes_##keylen##_##mode = { \
842         nid##_##keylen##_##mode,blocksize, \
843         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
844         flags|EVP_CIPH_##MODE##_MODE,   \
845         aes_##mode##_init_key,          \
846         aes_##mode##_cipher,            \
847         aes_##mode##_cleanup,           \
848         sizeof(EVP_AES_##MODE##_CTX),   \
849         NULL,NULL,aes_##mode##_ctrl,NULL }; \
850 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
851 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
852 
853 # else
854 
855 #  define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
856 static const EVP_CIPHER aes_##keylen##_##mode = { \
857         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
858         flags|EVP_CIPH_##MODE##_MODE,   \
859         aes_init_key,                   \
860         aes_##mode##_cipher,            \
861         NULL,                           \
862         sizeof(EVP_AES_KEY),            \
863         NULL,NULL,NULL,NULL }; \
864 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
865 { return &aes_##keylen##_##mode; }
866 
867 #  define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
868 static const EVP_CIPHER aes_##keylen##_##mode = { \
869         nid##_##keylen##_##mode,blocksize, \
870         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
871         flags|EVP_CIPH_##MODE##_MODE,   \
872         aes_##mode##_init_key,          \
873         aes_##mode##_cipher,            \
874         aes_##mode##_cleanup,           \
875         sizeof(EVP_AES_##MODE##_CTX),   \
876         NULL,NULL,aes_##mode##_ctrl,NULL }; \
877 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
878 { return &aes_##keylen##_##mode; }
879 # endif
880 
881 # if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
882 #  include "arm_arch.h"
883 #  if __ARM_MAX_ARCH__>=7
884 #   if defined(BSAES_ASM)
885 #    define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
886 #   endif
887 #   define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
888 #   define HWAES_set_encrypt_key aes_v8_set_encrypt_key
889 #   define HWAES_set_decrypt_key aes_v8_set_decrypt_key
890 #   define HWAES_encrypt aes_v8_encrypt
891 #   define HWAES_decrypt aes_v8_decrypt
892 #   define HWAES_cbc_encrypt aes_v8_cbc_encrypt
893 #   define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
894 #  endif
895 # endif
896 
897 # if defined(HWAES_CAPABLE)
898 int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
899                           AES_KEY *key);
900 int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
901                           AES_KEY *key);
902 void HWAES_encrypt(const unsigned char *in, unsigned char *out,
903                    const AES_KEY *key);
904 void HWAES_decrypt(const unsigned char *in, unsigned char *out,
905                    const AES_KEY *key);
906 void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
907                        size_t length, const AES_KEY *key,
908                        unsigned char *ivec, const int enc);
909 void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
910                                 size_t len, const AES_KEY *key,
911                                 const unsigned char ivec[16]);
912 # endif
913 
914 # define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
915         BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
916         BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
917         BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
918         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
919         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
920         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
921         BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
922 
923 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
924                         const unsigned char *iv, int enc)
925 {
926     int ret, mode;
927     EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
928 
929     mode = ctx->cipher->flags & EVP_CIPH_MODE;
930     if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
931         && !enc)
932 # ifdef HWAES_CAPABLE
933         if (HWAES_CAPABLE) {
934             ret = HWAES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
935             dat->block = (block128_f) HWAES_decrypt;
936             dat->stream.cbc = NULL;
937 #  ifdef HWAES_cbc_encrypt
938             if (mode == EVP_CIPH_CBC_MODE)
939                 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
940 #  endif
941         } else
942 # endif
943 # ifdef BSAES_CAPABLE
944         if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
945             ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
946             dat->block = (block128_f) AES_decrypt;
947             dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt;
948         } else
949 # endif
950 # ifdef VPAES_CAPABLE
951         if (VPAES_CAPABLE) {
952             ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
953             dat->block = (block128_f) vpaes_decrypt;
954             dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
955                 (cbc128_f) vpaes_cbc_encrypt : NULL;
956         } else
957 # endif
958         {
959             ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
960             dat->block = (block128_f) AES_decrypt;
961             dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
962                 (cbc128_f) AES_cbc_encrypt : NULL;
963     } else
964 # ifdef HWAES_CAPABLE
965     if (HWAES_CAPABLE) {
966         ret = HWAES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
967         dat->block = (block128_f) HWAES_encrypt;
968         dat->stream.cbc = NULL;
969 #  ifdef HWAES_cbc_encrypt
970         if (mode == EVP_CIPH_CBC_MODE)
971             dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
972         else
973 #  endif
974 #  ifdef HWAES_ctr32_encrypt_blocks
975         if (mode == EVP_CIPH_CTR_MODE)
976             dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
977         else
978 #  endif
979             (void)0;            /* terminate potentially open 'else' */
980     } else
981 # endif
982 # ifdef BSAES_CAPABLE
983     if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
984         ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
985         dat->block = (block128_f) AES_encrypt;
986         dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
987     } else
988 # endif
989 # ifdef VPAES_CAPABLE
990     if (VPAES_CAPABLE) {
991         ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
992         dat->block = (block128_f) vpaes_encrypt;
993         dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
994             (cbc128_f) vpaes_cbc_encrypt : NULL;
995     } else
996 # endif
997     {
998         ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
999         dat->block = (block128_f) AES_encrypt;
1000         dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
1001             (cbc128_f) AES_cbc_encrypt : NULL;
1002 # ifdef AES_CTR_ASM
1003         if (mode == EVP_CIPH_CTR_MODE)
1004             dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
1005 # endif
1006     }
1007 
1008     if (ret < 0) {
1009         EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
1010         return 0;
1011     }
1012 
1013     return 1;
1014 }
1015 
1016 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1017                           const unsigned char *in, size_t len)
1018 {
1019     EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1020 
1021     if (dat->stream.cbc)
1022         (*dat->stream.cbc) (in, out, len, &dat->ks, ctx->iv, ctx->encrypt);
1023     else if (ctx->encrypt)
1024         CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
1025     else
1026         CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
1027 
1028     return 1;
1029 }
1030 
1031 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1032                           const unsigned char *in, size_t len)
1033 {
1034     size_t bl = ctx->cipher->block_size;
1035     size_t i;
1036     EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1037 
1038     if (len < bl)
1039         return 1;
1040 
1041     for (i = 0, len -= bl; i <= len; i += bl)
1042         (*dat->block) (in + i, out + i, &dat->ks);
1043 
1044     return 1;
1045 }
1046 
1047 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1048                           const unsigned char *in, size_t len)
1049 {
1050     EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1051 
1052     CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
1053                           ctx->iv, &ctx->num, dat->block);
1054     return 1;
1055 }
1056 
1057 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1058                           const unsigned char *in, size_t len)
1059 {
1060     EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1061 
1062     CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
1063                           ctx->iv, &ctx->num, ctx->encrypt, dat->block);
1064     return 1;
1065 }
1066 
1067 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1068                            const unsigned char *in, size_t len)
1069 {
1070     EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1071 
1072     CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
1073                             ctx->iv, &ctx->num, ctx->encrypt, dat->block);
1074     return 1;
1075 }
1076 
1077 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1078                            const unsigned char *in, size_t len)
1079 {
1080     EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1081 
1082     if (ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) {
1083         CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
1084                                 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
1085         return 1;
1086     }
1087 
1088     while (len >= MAXBITCHUNK) {
1089         CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
1090                                 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
1091         len -= MAXBITCHUNK;
1092     }
1093     if (len)
1094         CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
1095                                 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
1096 
1097     return 1;
1098 }
1099 
1100 static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1101                           const unsigned char *in, size_t len)
1102 {
1103     unsigned int num = ctx->num;
1104     EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
1105 
1106     if (dat->stream.ctr)
1107         CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
1108                                     ctx->iv, ctx->buf, &num, dat->stream.ctr);
1109     else
1110         CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
1111                               ctx->iv, ctx->buf, &num, dat->block);
1112     ctx->num = (size_t)num;
1113     return 1;
1114 }
1115 
1116 BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS)
1117     BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS)
1118     BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS)
1119 
1120 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1121 {
1122     EVP_AES_GCM_CTX *gctx = c->cipher_data;
1123     OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
1124     if (gctx->iv != c->iv)
1125         OPENSSL_free(gctx->iv);
1126     return 1;
1127 }
1128 
1129 /* increment counter (64-bit int) by 1 */
1130 static void ctr64_inc(unsigned char *counter)
1131 {
1132     int n = 8;
1133     unsigned char c;
1134 
1135     do {
1136         --n;
1137         c = counter[n];
1138         ++c;
1139         counter[n] = c;
1140         if (c)
1141             return;
1142     } while (n);
1143 }
1144 
1145 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1146 {
1147     EVP_AES_GCM_CTX *gctx = c->cipher_data;
1148     switch (type) {
1149     case EVP_CTRL_INIT:
1150         gctx->key_set = 0;
1151         gctx->iv_set = 0;
1152         gctx->ivlen = c->cipher->iv_len;
1153         gctx->iv = c->iv;
1154         gctx->taglen = -1;
1155         gctx->iv_gen = 0;
1156         gctx->tls_aad_len = -1;
1157         return 1;
1158 
1159     case EVP_CTRL_GCM_SET_IVLEN:
1160         if (arg <= 0)
1161             return 0;
1162         /* Allocate memory for IV if needed */
1163         if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
1164             if (gctx->iv != c->iv)
1165                 OPENSSL_free(gctx->iv);
1166             gctx->iv = OPENSSL_malloc(arg);
1167             if (!gctx->iv)
1168                 return 0;
1169         }
1170         gctx->ivlen = arg;
1171         return 1;
1172 
1173     case EVP_CTRL_GCM_SET_TAG:
1174         if (arg <= 0 || arg > 16 || c->encrypt)
1175             return 0;
1176         memcpy(c->buf, ptr, arg);
1177         gctx->taglen = arg;
1178         return 1;
1179 
1180     case EVP_CTRL_GCM_GET_TAG:
1181         if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1182             return 0;
1183         memcpy(ptr, c->buf, arg);
1184         return 1;
1185 
1186     case EVP_CTRL_GCM_SET_IV_FIXED:
1187         /* Special case: -1 length restores whole IV */
1188         if (arg == -1) {
1189             memcpy(gctx->iv, ptr, gctx->ivlen);
1190             gctx->iv_gen = 1;
1191             return 1;
1192         }
1193         /*
1194          * Fixed field must be at least 4 bytes and invocation field at least
1195          * 8.
1196          */
1197         if ((arg < 4) || (gctx->ivlen - arg) < 8)
1198             return 0;
1199         if (arg)
1200             memcpy(gctx->iv, ptr, arg);
1201         if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
1202             return 0;
1203         gctx->iv_gen = 1;
1204         return 1;
1205 
1206     case EVP_CTRL_GCM_IV_GEN:
1207         if (gctx->iv_gen == 0 || gctx->key_set == 0)
1208             return 0;
1209         CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1210         if (arg <= 0 || arg > gctx->ivlen)
1211             arg = gctx->ivlen;
1212         memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1213         /*
1214          * Invocation field will be at least 8 bytes in size and so no need
1215          * to check wrap around or increment more than last 8 bytes.
1216          */
1217         ctr64_inc(gctx->iv + gctx->ivlen - 8);
1218         gctx->iv_set = 1;
1219         return 1;
1220 
1221     case EVP_CTRL_GCM_SET_IV_INV:
1222         if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1223             return 0;
1224         memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1225         CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1226         gctx->iv_set = 1;
1227         return 1;
1228 
1229     case EVP_CTRL_AEAD_TLS1_AAD:
1230         /* Save the AAD for later use */
1231         if (arg != EVP_AEAD_TLS1_AAD_LEN)
1232             return 0;
1233         memcpy(c->buf, ptr, arg);
1234         gctx->tls_aad_len = arg;
1235         {
1236             unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
1237             /* Correct length for explicit IV */
1238             len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1239             /* If decrypting correct for tag too */
1240             if (!c->encrypt)
1241                 len -= EVP_GCM_TLS_TAG_LEN;
1242             c->buf[arg - 2] = len >> 8;
1243             c->buf[arg - 1] = len & 0xff;
1244         }
1245         /* Extra padding: tag appended to record */
1246         return EVP_GCM_TLS_TAG_LEN;
1247 
1248     case EVP_CTRL_COPY:
1249         {
1250             EVP_CIPHER_CTX *out = ptr;
1251             EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
1252             if (gctx->gcm.key) {
1253                 if (gctx->gcm.key != &gctx->ks)
1254                     return 0;
1255                 gctx_out->gcm.key = &gctx_out->ks;
1256             }
1257             if (gctx->iv == c->iv)
1258                 gctx_out->iv = out->iv;
1259             else {
1260                 gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
1261                 if (!gctx_out->iv)
1262                     return 0;
1263                 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
1264             }
1265             return 1;
1266         }
1267 
1268     default:
1269         return -1;
1270 
1271     }
1272 }
1273 
1274 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1275                             const unsigned char *iv, int enc)
1276 {
1277     EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1278     if (!iv && !key)
1279         return 1;
1280     if (key) {
1281         do {
1282 # ifdef HWAES_CAPABLE
1283             if (HWAES_CAPABLE) {
1284                 HWAES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1285                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1286                                    (block128_f) HWAES_encrypt);
1287 #  ifdef HWAES_ctr32_encrypt_blocks
1288                 gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
1289 #  else
1290                 gctx->ctr = NULL;
1291 #  endif
1292                 break;
1293             } else
1294 # endif
1295 # ifdef BSAES_CAPABLE
1296             if (BSAES_CAPABLE) {
1297                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1298                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1299                                    (block128_f) AES_encrypt);
1300                 gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
1301                 break;
1302             } else
1303 # endif
1304 # ifdef VPAES_CAPABLE
1305             if (VPAES_CAPABLE) {
1306                 vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1307                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1308                                    (block128_f) vpaes_encrypt);
1309                 gctx->ctr = NULL;
1310                 break;
1311             } else
1312 # endif
1313                 (void)0;        /* terminate potentially open 'else' */
1314 
1315             AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1316             CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
1317                                (block128_f) AES_encrypt);
1318 # ifdef AES_CTR_ASM
1319             gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
1320 # else
1321             gctx->ctr = NULL;
1322 # endif
1323         } while (0);
1324 
1325         /*
1326          * If we have an iv can set it directly, otherwise use saved IV.
1327          */
1328         if (iv == NULL && gctx->iv_set)
1329             iv = gctx->iv;
1330         if (iv) {
1331             CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1332             gctx->iv_set = 1;
1333         }
1334         gctx->key_set = 1;
1335     } else {
1336         /* If key set use IV, otherwise copy */
1337         if (gctx->key_set)
1338             CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1339         else
1340             memcpy(gctx->iv, iv, gctx->ivlen);
1341         gctx->iv_set = 1;
1342         gctx->iv_gen = 0;
1343     }
1344     return 1;
1345 }
1346 
1347 /*
1348  * Handle TLS GCM packet format. This consists of the last portion of the IV
1349  * followed by the payload and finally the tag. On encrypt generate IV,
1350  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1351  * and verify tag.
1352  */
1353 
1354 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1355                               const unsigned char *in, size_t len)
1356 {
1357     EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1358     int rv = -1;
1359     /* Encrypt/decrypt must be performed in place */
1360     if (out != in
1361         || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
1362         return -1;
1363     /*
1364      * Set IV from start of buffer or generate IV and write to start of
1365      * buffer.
1366      */
1367     if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1368                             EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1369                             EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1370         goto err;
1371     /* Use saved AAD */
1372     if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1373         goto err;
1374     /* Fix buffer and length to point to payload */
1375     in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1376     out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1377     len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1378     if (ctx->encrypt) {
1379         /* Encrypt payload */
1380         if (gctx->ctr) {
1381             size_t bulk = 0;
1382 # if defined(AES_GCM_ASM)
1383             if (len >= 32 && AES_GCM_ASM(gctx)) {
1384                 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
1385                     return -1;
1386 
1387                 bulk = AES_gcm_encrypt(in, out, len,
1388                                        gctx->gcm.key,
1389                                        gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1390                 gctx->gcm.len.u[1] += bulk;
1391             }
1392 # endif
1393             if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1394                                             in + bulk,
1395                                             out + bulk,
1396                                             len - bulk, gctx->ctr))
1397                 goto err;
1398         } else {
1399             size_t bulk = 0;
1400 # if defined(AES_GCM_ASM2)
1401             if (len >= 32 && AES_GCM_ASM2(gctx)) {
1402                 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
1403                     return -1;
1404 
1405                 bulk = AES_gcm_encrypt(in, out, len,
1406                                        gctx->gcm.key,
1407                                        gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1408                 gctx->gcm.len.u[1] += bulk;
1409             }
1410 # endif
1411             if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1412                                       in + bulk, out + bulk, len - bulk))
1413                 goto err;
1414         }
1415         out += len;
1416         /* Finally write tag */
1417         CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1418         rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1419     } else {
1420         /* Decrypt */
1421         if (gctx->ctr) {
1422             size_t bulk = 0;
1423 # if defined(AES_GCM_ASM)
1424             if (len >= 16 && AES_GCM_ASM(gctx)) {
1425                 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
1426                     return -1;
1427 
1428                 bulk = AES_gcm_decrypt(in, out, len,
1429                                        gctx->gcm.key,
1430                                        gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1431                 gctx->gcm.len.u[1] += bulk;
1432             }
1433 # endif
1434             if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1435                                             in + bulk,
1436                                             out + bulk,
1437                                             len - bulk, gctx->ctr))
1438                 goto err;
1439         } else {
1440             size_t bulk = 0;
1441 # if defined(AES_GCM_ASM2)
1442             if (len >= 16 && AES_GCM_ASM2(gctx)) {
1443                 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
1444                     return -1;
1445 
1446                 bulk = AES_gcm_decrypt(in, out, len,
1447                                        gctx->gcm.key,
1448                                        gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1449                 gctx->gcm.len.u[1] += bulk;
1450             }
1451 # endif
1452             if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1453                                       in + bulk, out + bulk, len - bulk))
1454                 goto err;
1455         }
1456         /* Retrieve tag */
1457         CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
1458         /* If tag mismatch wipe buffer */
1459         if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
1460             OPENSSL_cleanse(out, len);
1461             goto err;
1462         }
1463         rv = len;
1464     }
1465 
1466  err:
1467     gctx->iv_set = 0;
1468     gctx->tls_aad_len = -1;
1469     return rv;
1470 }
1471 
1472 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1473                           const unsigned char *in, size_t len)
1474 {
1475     EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1476     /* If not set up, return error */
1477     if (!gctx->key_set)
1478         return -1;
1479 
1480     if (gctx->tls_aad_len >= 0)
1481         return aes_gcm_tls_cipher(ctx, out, in, len);
1482 
1483     if (!gctx->iv_set)
1484         return -1;
1485     if (in) {
1486         if (out == NULL) {
1487             if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1488                 return -1;
1489         } else if (ctx->encrypt) {
1490             if (gctx->ctr) {
1491                 size_t bulk = 0;
1492 # if defined(AES_GCM_ASM)
1493                 if (len >= 32 && AES_GCM_ASM(gctx)) {
1494                     size_t res = (16 - gctx->gcm.mres) % 16;
1495 
1496                     if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
1497                         return -1;
1498 
1499                     bulk = AES_gcm_encrypt(in + res,
1500                                            out + res, len - res,
1501                                            gctx->gcm.key, gctx->gcm.Yi.c,
1502                                            gctx->gcm.Xi.u);
1503                     gctx->gcm.len.u[1] += bulk;
1504                     bulk += res;
1505                 }
1506 # endif
1507                 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1508                                                 in + bulk,
1509                                                 out + bulk,
1510                                                 len - bulk, gctx->ctr))
1511                     return -1;
1512             } else {
1513                 size_t bulk = 0;
1514 # if defined(AES_GCM_ASM2)
1515                 if (len >= 32 && AES_GCM_ASM2(gctx)) {
1516                     size_t res = (16 - gctx->gcm.mres) % 16;
1517 
1518                     if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
1519                         return -1;
1520 
1521                     bulk = AES_gcm_encrypt(in + res,
1522                                            out + res, len - res,
1523                                            gctx->gcm.key, gctx->gcm.Yi.c,
1524                                            gctx->gcm.Xi.u);
1525                     gctx->gcm.len.u[1] += bulk;
1526                     bulk += res;
1527                 }
1528 # endif
1529                 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1530                                           in + bulk, out + bulk, len - bulk))
1531                     return -1;
1532             }
1533         } else {
1534             if (gctx->ctr) {
1535                 size_t bulk = 0;
1536 # if defined(AES_GCM_ASM)
1537                 if (len >= 16 && AES_GCM_ASM(gctx)) {
1538                     size_t res = (16 - gctx->gcm.mres) % 16;
1539 
1540                     if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
1541                         return -1;
1542 
1543                     bulk = AES_gcm_decrypt(in + res,
1544                                            out + res, len - res,
1545                                            gctx->gcm.key,
1546                                            gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1547                     gctx->gcm.len.u[1] += bulk;
1548                     bulk += res;
1549                 }
1550 # endif
1551                 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1552                                                 in + bulk,
1553                                                 out + bulk,
1554                                                 len - bulk, gctx->ctr))
1555                     return -1;
1556             } else {
1557                 size_t bulk = 0;
1558 # if defined(AES_GCM_ASM2)
1559                 if (len >= 16 && AES_GCM_ASM2(gctx)) {
1560                     size_t res = (16 - gctx->gcm.mres) % 16;
1561 
1562                     if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
1563                         return -1;
1564 
1565                     bulk = AES_gcm_decrypt(in + res,
1566                                            out + res, len - res,
1567                                            gctx->gcm.key,
1568                                            gctx->gcm.Yi.c, gctx->gcm.Xi.u);
1569                     gctx->gcm.len.u[1] += bulk;
1570                     bulk += res;
1571                 }
1572 # endif
1573                 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1574                                           in + bulk, out + bulk, len - bulk))
1575                     return -1;
1576             }
1577         }
1578         return len;
1579     } else {
1580         if (!ctx->encrypt) {
1581             if (gctx->taglen < 0)
1582                 return -1;
1583             if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0)
1584                 return -1;
1585             gctx->iv_set = 0;
1586             return 0;
1587         }
1588         CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1589         gctx->taglen = 16;
1590         /* Don't reuse the IV */
1591         gctx->iv_set = 0;
1592         return 0;
1593     }
1594 
1595 }
1596 
1597 # define CUSTOM_FLAGS    (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1598                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1599                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1600                 | EVP_CIPH_CUSTOM_COPY)
1601 
1602 BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
1603                     EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
1604                     CUSTOM_FLAGS)
1605     BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
1606                     EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
1607                     CUSTOM_FLAGS)
1608     BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
1609                     EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
1610                     CUSTOM_FLAGS)
1611 
1612 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1613 {
1614     EVP_AES_XTS_CTX *xctx = c->cipher_data;
1615     if (type == EVP_CTRL_COPY) {
1616         EVP_CIPHER_CTX *out = ptr;
1617         EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
1618         if (xctx->xts.key1) {
1619             if (xctx->xts.key1 != &xctx->ks1)
1620                 return 0;
1621             xctx_out->xts.key1 = &xctx_out->ks1;
1622         }
1623         if (xctx->xts.key2) {
1624             if (xctx->xts.key2 != &xctx->ks2)
1625                 return 0;
1626             xctx_out->xts.key2 = &xctx_out->ks2;
1627         }
1628         return 1;
1629     } else if (type != EVP_CTRL_INIT)
1630         return -1;
1631     /* key1 and key2 are used as an indicator both key and IV are set */
1632     xctx->xts.key1 = NULL;
1633     xctx->xts.key2 = NULL;
1634     return 1;
1635 }
1636 
1637 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1638                             const unsigned char *iv, int enc)
1639 {
1640     EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1641     if (!iv && !key)
1642         return 1;
1643 
1644     if (key)
1645         do {
1646 # ifdef AES_XTS_ASM
1647             xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1648 # else
1649             xctx->stream = NULL;
1650 # endif
1651             /* key_len is two AES keys */
1652 # ifdef HWAES_CAPABLE
1653             if (HWAES_CAPABLE) {
1654                 if (enc) {
1655                     HWAES_set_encrypt_key(key, ctx->key_len * 4,
1656                                           &xctx->ks1.ks);
1657                     xctx->xts.block1 = (block128_f) HWAES_encrypt;
1658                 } else {
1659                     HWAES_set_decrypt_key(key, ctx->key_len * 4,
1660                                           &xctx->ks1.ks);
1661                     xctx->xts.block1 = (block128_f) HWAES_decrypt;
1662                 }
1663 
1664                 HWAES_set_encrypt_key(key + ctx->key_len / 2,
1665                                       ctx->key_len * 4, &xctx->ks2.ks);
1666                 xctx->xts.block2 = (block128_f) HWAES_encrypt;
1667 
1668                 xctx->xts.key1 = &xctx->ks1;
1669                 break;
1670             } else
1671 # endif
1672 # ifdef BSAES_CAPABLE
1673             if (BSAES_CAPABLE)
1674                 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1675             else
1676 # endif
1677 # ifdef VPAES_CAPABLE
1678             if (VPAES_CAPABLE) {
1679                 if (enc) {
1680                     vpaes_set_encrypt_key(key, ctx->key_len * 4,
1681                                           &xctx->ks1.ks);
1682                     xctx->xts.block1 = (block128_f) vpaes_encrypt;
1683                 } else {
1684                     vpaes_set_decrypt_key(key, ctx->key_len * 4,
1685                                           &xctx->ks1.ks);
1686                     xctx->xts.block1 = (block128_f) vpaes_decrypt;
1687                 }
1688 
1689                 vpaes_set_encrypt_key(key + ctx->key_len / 2,
1690                                       ctx->key_len * 4, &xctx->ks2.ks);
1691                 xctx->xts.block2 = (block128_f) vpaes_encrypt;
1692 
1693                 xctx->xts.key1 = &xctx->ks1;
1694                 break;
1695             } else
1696 # endif
1697                 (void)0;        /* terminate potentially open 'else' */
1698 
1699             if (enc) {
1700                 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1701                 xctx->xts.block1 = (block128_f) AES_encrypt;
1702             } else {
1703                 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1704                 xctx->xts.block1 = (block128_f) AES_decrypt;
1705             }
1706 
1707             AES_set_encrypt_key(key + ctx->key_len / 2,
1708                                 ctx->key_len * 4, &xctx->ks2.ks);
1709             xctx->xts.block2 = (block128_f) AES_encrypt;
1710 
1711             xctx->xts.key1 = &xctx->ks1;
1712         } while (0);
1713 
1714     if (iv) {
1715         xctx->xts.key2 = &xctx->ks2;
1716         memcpy(ctx->iv, iv, 16);
1717     }
1718 
1719     return 1;
1720 }
1721 
1722 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1723                           const unsigned char *in, size_t len)
1724 {
1725     EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1726     if (!xctx->xts.key1 || !xctx->xts.key2)
1727         return 0;
1728     if (!out || !in || len < AES_BLOCK_SIZE)
1729         return 0;
1730     if (xctx->stream)
1731         (*xctx->stream) (in, out, len,
1732                          xctx->xts.key1, xctx->xts.key2, ctx->iv);
1733     else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1734                                    ctx->encrypt))
1735         return 0;
1736     return 1;
1737 }
1738 
1739 # define aes_xts_cleanup NULL
1740 
1741 # define XTS_FLAGS       (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1742                          | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1743                          | EVP_CIPH_CUSTOM_COPY)
1744 
1745 BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS,
1746                     EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
1747     BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS,
1748                     EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
1749 
1750 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1751 {
1752     EVP_AES_CCM_CTX *cctx = c->cipher_data;
1753     switch (type) {
1754     case EVP_CTRL_INIT:
1755         cctx->key_set = 0;
1756         cctx->iv_set = 0;
1757         cctx->L = 8;
1758         cctx->M = 12;
1759         cctx->tag_set = 0;
1760         cctx->len_set = 0;
1761         return 1;
1762 
1763     case EVP_CTRL_CCM_SET_IVLEN:
1764         arg = 15 - arg;
1765     case EVP_CTRL_CCM_SET_L:
1766         if (arg < 2 || arg > 8)
1767             return 0;
1768         cctx->L = arg;
1769         return 1;
1770 
1771     case EVP_CTRL_CCM_SET_TAG:
1772         if ((arg & 1) || arg < 4 || arg > 16)
1773             return 0;
1774         if (c->encrypt && ptr)
1775             return 0;
1776         if (ptr) {
1777             cctx->tag_set = 1;
1778             memcpy(c->buf, ptr, arg);
1779         }
1780         cctx->M = arg;
1781         return 1;
1782 
1783     case EVP_CTRL_CCM_GET_TAG:
1784         if (!c->encrypt || !cctx->tag_set)
1785             return 0;
1786         if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1787             return 0;
1788         cctx->tag_set = 0;
1789         cctx->iv_set = 0;
1790         cctx->len_set = 0;
1791         return 1;
1792 
1793     case EVP_CTRL_COPY:
1794         {
1795             EVP_CIPHER_CTX *out = ptr;
1796             EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
1797             if (cctx->ccm.key) {
1798                 if (cctx->ccm.key != &cctx->ks)
1799                     return 0;
1800                 cctx_out->ccm.key = &cctx_out->ks;
1801             }
1802             return 1;
1803         }
1804 
1805     default:
1806         return -1;
1807 
1808     }
1809 }
1810 
1811 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1812                             const unsigned char *iv, int enc)
1813 {
1814     EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1815     if (!iv && !key)
1816         return 1;
1817     if (key)
1818         do {
1819 # ifdef HWAES_CAPABLE
1820             if (HWAES_CAPABLE) {
1821                 HWAES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
1822 
1823                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1824                                    &cctx->ks, (block128_f) HWAES_encrypt);
1825                 cctx->str = NULL;
1826                 cctx->key_set = 1;
1827                 break;
1828             } else
1829 # endif
1830 # ifdef VPAES_CAPABLE
1831             if (VPAES_CAPABLE) {
1832                 vpaes_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
1833                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1834                                    &cctx->ks, (block128_f) vpaes_encrypt);
1835                 cctx->str = NULL;
1836                 cctx->key_set = 1;
1837                 break;
1838             }
1839 # endif
1840             AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
1841             CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1842                                &cctx->ks, (block128_f) AES_encrypt);
1843             cctx->str = NULL;
1844             cctx->key_set = 1;
1845         } while (0);
1846     if (iv) {
1847         memcpy(ctx->iv, iv, 15 - cctx->L);
1848         cctx->iv_set = 1;
1849     }
1850     return 1;
1851 }
1852 
1853 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1854                           const unsigned char *in, size_t len)
1855 {
1856     EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1857     CCM128_CONTEXT *ccm = &cctx->ccm;
1858     /* If not set up, return error */
1859     if (!cctx->iv_set && !cctx->key_set)
1860         return -1;
1861     if (!ctx->encrypt && !cctx->tag_set)
1862         return -1;
1863     if (!out) {
1864         if (!in) {
1865             if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1866                 return -1;
1867             cctx->len_set = 1;
1868             return len;
1869         }
1870         /* If have AAD need message length */
1871         if (!cctx->len_set && len)
1872             return -1;
1873         CRYPTO_ccm128_aad(ccm, in, len);
1874         return len;
1875     }
1876     /* EVP_*Final() doesn't return any data */
1877     if (!in)
1878         return 0;
1879     /* If not set length yet do it */
1880     if (!cctx->len_set) {
1881         if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1882             return -1;
1883         cctx->len_set = 1;
1884     }
1885     if (ctx->encrypt) {
1886         if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
1887                                                     cctx->str) :
1888             CRYPTO_ccm128_encrypt(ccm, in, out, len))
1889             return -1;
1890         cctx->tag_set = 1;
1891         return len;
1892     } else {
1893         int rv = -1;
1894         if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
1895                                                      cctx->str) :
1896             !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
1897             unsigned char tag[16];
1898             if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
1899                 if (!CRYPTO_memcmp(tag, ctx->buf, cctx->M))
1900                     rv = len;
1901             }
1902         }
1903         if (rv == -1)
1904             OPENSSL_cleanse(out, len);
1905         cctx->iv_set = 0;
1906         cctx->tag_set = 0;
1907         cctx->len_set = 0;
1908         return rv;
1909     }
1910 
1911 }
1912 
1913 # define aes_ccm_cleanup NULL
1914 
1915 BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
1916                     EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
1917     BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
1918                     EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
1919     BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
1920                     EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
1921 #endif
1922 typedef struct {
1923     union {
1924         double align;
1925         AES_KEY ks;
1926     } ks;
1927     /* Indicates if IV has been set */
1928     unsigned char *iv;
1929 } EVP_AES_WRAP_CTX;
1930 
1931 static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1932                              const unsigned char *iv, int enc)
1933 {
1934     EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
1935     if (!iv && !key)
1936         return 1;
1937     if (key) {
1938         if (ctx->encrypt)
1939             AES_set_encrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
1940         else
1941             AES_set_decrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
1942         if (!iv)
1943             wctx->iv = NULL;
1944     }
1945     if (iv) {
1946         memcpy(ctx->iv, iv, 8);
1947         wctx->iv = ctx->iv;
1948     }
1949     return 1;
1950 }
1951 
1952 static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1953                            const unsigned char *in, size_t inlen)
1954 {
1955     EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
1956     size_t rv;
1957     if (!in)
1958         return 0;
1959     if (inlen % 8)
1960         return -1;
1961     if (ctx->encrypt && inlen < 8)
1962         return -1;
1963     if (!ctx->encrypt && inlen < 16)
1964         return -1;
1965     if (!out) {
1966         if (ctx->encrypt)
1967             return inlen + 8;
1968         else
1969             return inlen - 8;
1970     }
1971     if (ctx->encrypt)
1972         rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
1973                              (block128_f) AES_encrypt);
1974     else
1975         rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
1976                                (block128_f) AES_decrypt);
1977     return rv ? (int)rv : -1;
1978 }
1979 
1980 #define WRAP_FLAGS      (EVP_CIPH_WRAP_MODE \
1981                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1982                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
1983 
1984 static const EVP_CIPHER aes_128_wrap = {
1985     NID_id_aes128_wrap,
1986     8, 16, 8, WRAP_FLAGS,
1987     aes_wrap_init_key, aes_wrap_cipher,
1988     NULL,
1989     sizeof(EVP_AES_WRAP_CTX),
1990     NULL, NULL, NULL, NULL
1991 };
1992 
1993 const EVP_CIPHER *EVP_aes_128_wrap(void)
1994 {
1995     return &aes_128_wrap;
1996 }
1997 
1998 static const EVP_CIPHER aes_192_wrap = {
1999     NID_id_aes192_wrap,
2000     8, 24, 8, WRAP_FLAGS,
2001     aes_wrap_init_key, aes_wrap_cipher,
2002     NULL,
2003     sizeof(EVP_AES_WRAP_CTX),
2004     NULL, NULL, NULL, NULL
2005 };
2006 
2007 const EVP_CIPHER *EVP_aes_192_wrap(void)
2008 {
2009     return &aes_192_wrap;
2010 }
2011 
2012 static const EVP_CIPHER aes_256_wrap = {
2013     NID_id_aes256_wrap,
2014     8, 32, 8, WRAP_FLAGS,
2015     aes_wrap_init_key, aes_wrap_cipher,
2016     NULL,
2017     sizeof(EVP_AES_WRAP_CTX),
2018     NULL, NULL, NULL, NULL
2019 };
2020 
2021 const EVP_CIPHER *EVP_aes_256_wrap(void)
2022 {
2023     return &aes_256_wrap;
2024 }
2025