xref: /freebsd/crypto/openssl/crypto/evp/e_aes.c (revision 9268022b74279434ed6300244e3f977e56a8ceb5)
1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50 
51 #include <openssl/opensslconf.h>
52 #ifndef OPENSSL_NO_AES
53 #include <openssl/evp.h>
54 #include <openssl/err.h>
55 #include <string.h>
56 #include <assert.h>
57 #include <openssl/aes.h>
58 #include "evp_locl.h"
59 #ifndef OPENSSL_FIPS
60 #include "modes_lcl.h"
61 #include <openssl/rand.h>
62 
63 typedef struct
64 	{
65 	AES_KEY ks;
66 	block128_f block;
67 	union {
68 		cbc128_f cbc;
69 		ctr128_f ctr;
70 	} stream;
71 	} EVP_AES_KEY;
72 
73 typedef struct
74 	{
75 	AES_KEY ks;		/* AES key schedule to use */
76 	int key_set;		/* Set if key initialised */
77 	int iv_set;		/* Set if an iv is set */
78 	GCM128_CONTEXT gcm;
79 	unsigned char *iv;	/* Temporary IV store */
80 	int ivlen;		/* IV length */
81 	int taglen;
82 	int iv_gen;		/* It is OK to generate IVs */
83 	int tls_aad_len;	/* TLS AAD length */
84 	ctr128_f ctr;
85 	} EVP_AES_GCM_CTX;
86 
87 typedef struct
88 	{
89 	AES_KEY ks1, ks2;	/* AES key schedules to use */
90 	XTS128_CONTEXT xts;
91 	void     (*stream)(const unsigned char *in,
92 			unsigned char *out, size_t length,
93 			const AES_KEY *key1, const AES_KEY *key2,
94 			const unsigned char iv[16]);
95 	} EVP_AES_XTS_CTX;
96 
97 typedef struct
98 	{
99 	AES_KEY ks;		/* AES key schedule to use */
100 	int key_set;		/* Set if key initialised */
101 	int iv_set;		/* Set if an iv is set */
102 	int tag_set;		/* Set if tag is valid */
103 	int len_set;		/* Set if message length set */
104 	int L, M;		/* L and M parameters from RFC3610 */
105 	CCM128_CONTEXT ccm;
106 	ccm128_f str;
107 	} EVP_AES_CCM_CTX;
108 
109 #define MAXBITCHUNK	((size_t)1<<(sizeof(size_t)*8-4))
110 
111 #ifdef VPAES_ASM
112 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
113 			AES_KEY *key);
114 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
115 			AES_KEY *key);
116 
117 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
118 			const AES_KEY *key);
119 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
120 			const AES_KEY *key);
121 
122 void vpaes_cbc_encrypt(const unsigned char *in,
123 			unsigned char *out,
124 			size_t length,
125 			const AES_KEY *key,
126 			unsigned char *ivec, int enc);
127 #endif
128 #ifdef BSAES_ASM
129 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
130 			size_t length, const AES_KEY *key,
131 			unsigned char ivec[16], int enc);
132 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
133 			size_t len, const AES_KEY *key,
134 			const unsigned char ivec[16]);
135 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
136 			size_t len, const AES_KEY *key1,
137 			const AES_KEY *key2, const unsigned char iv[16]);
138 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
139 			size_t len, const AES_KEY *key1,
140 			const AES_KEY *key2, const unsigned char iv[16]);
141 #endif
142 #ifdef AES_CTR_ASM
143 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
144 			size_t blocks, const AES_KEY *key,
145 			const unsigned char ivec[AES_BLOCK_SIZE]);
146 #endif
147 #ifdef AES_XTS_ASM
148 void AES_xts_encrypt(const char *inp,char *out,size_t len,
149 			const AES_KEY *key1, const AES_KEY *key2,
150 			const unsigned char iv[16]);
151 void AES_xts_decrypt(const char *inp,char *out,size_t len,
152 			const AES_KEY *key1, const AES_KEY *key2,
153 			const unsigned char iv[16]);
154 #endif
155 
156 #if	defined(AES_ASM) && !defined(I386_ONLY) &&	(  \
157 	((defined(__i386)	|| defined(__i386__)	|| \
158 	  defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
159 	defined(__x86_64)	|| defined(__x86_64__)	|| \
160 	defined(_M_AMD64)	|| defined(_M_X64)	|| \
161 	defined(__INTEL__)				)
162 
163 extern unsigned int OPENSSL_ia32cap_P[2];
164 
165 #ifdef VPAES_ASM
166 #define VPAES_CAPABLE	(OPENSSL_ia32cap_P[1]&(1<<(41-32)))
167 #endif
168 #ifdef BSAES_ASM
169 #define BSAES_CAPABLE	(OPENSSL_ia32cap_P[1]&(1<<(41-32)))
170 #endif
171 /*
172  * AES-NI section
173  */
174 #define	AESNI_CAPABLE	(OPENSSL_ia32cap_P[1]&(1<<(57-32)))
175 
176 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
177 			AES_KEY *key);
178 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
179 			AES_KEY *key);
180 
181 void aesni_encrypt(const unsigned char *in, unsigned char *out,
182 			const AES_KEY *key);
183 void aesni_decrypt(const unsigned char *in, unsigned char *out,
184 			const AES_KEY *key);
185 
186 void aesni_ecb_encrypt(const unsigned char *in,
187 			unsigned char *out,
188 			size_t length,
189 			const AES_KEY *key,
190 			int enc);
191 void aesni_cbc_encrypt(const unsigned char *in,
192 			unsigned char *out,
193 			size_t length,
194 			const AES_KEY *key,
195 			unsigned char *ivec, int enc);
196 
197 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
198 			unsigned char *out,
199 			size_t blocks,
200 			const void *key,
201 			const unsigned char *ivec);
202 
203 void aesni_xts_encrypt(const unsigned char *in,
204 			unsigned char *out,
205 			size_t length,
206 			const AES_KEY *key1, const AES_KEY *key2,
207 			const unsigned char iv[16]);
208 
209 void aesni_xts_decrypt(const unsigned char *in,
210 			unsigned char *out,
211 			size_t length,
212 			const AES_KEY *key1, const AES_KEY *key2,
213 			const unsigned char iv[16]);
214 
215 void aesni_ccm64_encrypt_blocks (const unsigned char *in,
216 			unsigned char *out,
217 			size_t blocks,
218 			const void *key,
219 			const unsigned char ivec[16],
220 			unsigned char cmac[16]);
221 
222 void aesni_ccm64_decrypt_blocks (const unsigned char *in,
223 			unsigned char *out,
224 			size_t blocks,
225 			const void *key,
226 			const unsigned char ivec[16],
227 			unsigned char cmac[16]);
228 
229 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
230 		   const unsigned char *iv, int enc)
231 	{
232 	int ret, mode;
233 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
234 
235 	mode = ctx->cipher->flags & EVP_CIPH_MODE;
236 	if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
237 	    && !enc)
238 		{
239 		ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
240 		dat->block	= (block128_f)aesni_decrypt;
241 		dat->stream.cbc	= mode==EVP_CIPH_CBC_MODE ?
242 					(cbc128_f)aesni_cbc_encrypt :
243 					NULL;
244 		}
245 	else	{
246 		ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
247 		dat->block	= (block128_f)aesni_encrypt;
248 		if (mode==EVP_CIPH_CBC_MODE)
249 			dat->stream.cbc	= (cbc128_f)aesni_cbc_encrypt;
250 		else if (mode==EVP_CIPH_CTR_MODE)
251 			dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
252 		else
253 			dat->stream.cbc = NULL;
254 		}
255 
256 	if(ret < 0)
257 		{
258 		EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
259 		return 0;
260 		}
261 
262 	return 1;
263 	}
264 
265 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
266 	const unsigned char *in, size_t len)
267 {
268 	aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
269 
270 	return 1;
271 }
272 
273 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
274 	const unsigned char *in, size_t len)
275 {
276 	size_t	bl = ctx->cipher->block_size;
277 
278 	if (len<bl)	return 1;
279 
280 	aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
281 
282 	return 1;
283 }
284 
285 #define aesni_ofb_cipher aes_ofb_cipher
286 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
287 	const unsigned char *in,size_t len);
288 
289 #define aesni_cfb_cipher aes_cfb_cipher
290 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
291 	const unsigned char *in,size_t len);
292 
293 #define aesni_cfb8_cipher aes_cfb8_cipher
294 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
295 	const unsigned char *in,size_t len);
296 
297 #define aesni_cfb1_cipher aes_cfb1_cipher
298 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
299 	const unsigned char *in,size_t len);
300 
301 #define aesni_ctr_cipher aes_ctr_cipher
302 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
303 		const unsigned char *in, size_t len);
304 
305 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
306                         const unsigned char *iv, int enc)
307 	{
308 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
309 	if (!iv && !key)
310 		return 1;
311 	if (key)
312 		{
313 		aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
314 		CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
315 				(block128_f)aesni_encrypt);
316 		gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
317 		/* If we have an iv can set it directly, otherwise use
318 		 * saved IV.
319 		 */
320 		if (iv == NULL && gctx->iv_set)
321 			iv = gctx->iv;
322 		if (iv)
323 			{
324 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
325 			gctx->iv_set = 1;
326 			}
327 		gctx->key_set = 1;
328 		}
329 	else
330 		{
331 		/* If key set use IV, otherwise copy */
332 		if (gctx->key_set)
333 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
334 		else
335 			memcpy(gctx->iv, iv, gctx->ivlen);
336 		gctx->iv_set = 1;
337 		gctx->iv_gen = 0;
338 		}
339 	return 1;
340 	}
341 
342 #define aesni_gcm_cipher aes_gcm_cipher
343 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
344 		const unsigned char *in, size_t len);
345 
346 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
347                         const unsigned char *iv, int enc)
348 	{
349 	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
350 	if (!iv && !key)
351 		return 1;
352 
353 	if (key)
354 		{
355 		/* key_len is two AES keys */
356 		if (enc)
357 			{
358 			aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
359 			xctx->xts.block1 = (block128_f)aesni_encrypt;
360 			xctx->stream = aesni_xts_encrypt;
361 			}
362 		else
363 			{
364 			aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
365 			xctx->xts.block1 = (block128_f)aesni_decrypt;
366 			xctx->stream = aesni_xts_decrypt;
367 			}
368 
369 		aesni_set_encrypt_key(key + ctx->key_len/2,
370 						ctx->key_len * 4, &xctx->ks2);
371 		xctx->xts.block2 = (block128_f)aesni_encrypt;
372 
373 		xctx->xts.key1 = &xctx->ks1;
374 		}
375 
376 	if (iv)
377 		{
378 		xctx->xts.key2 = &xctx->ks2;
379 		memcpy(ctx->iv, iv, 16);
380 		}
381 
382 	return 1;
383 	}
384 
385 #define aesni_xts_cipher aes_xts_cipher
386 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
387 		const unsigned char *in, size_t len);
388 
389 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
390                         const unsigned char *iv, int enc)
391 	{
392 	EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
393 	if (!iv && !key)
394 		return 1;
395 	if (key)
396 		{
397 		aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
398 		CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
399 					&cctx->ks, (block128_f)aesni_encrypt);
400 		cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks :
401 				(ccm128_f)aesni_ccm64_decrypt_blocks;
402 		cctx->key_set = 1;
403 		}
404 	if (iv)
405 		{
406 		memcpy(ctx->iv, iv, 15 - cctx->L);
407 		cctx->iv_set = 1;
408 		}
409 	return 1;
410 	}
411 
412 #define aesni_ccm_cipher aes_ccm_cipher
413 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
414 		const unsigned char *in, size_t len);
415 
416 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
417 static const EVP_CIPHER aesni_##keylen##_##mode = { \
418 	nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
419 	flags|EVP_CIPH_##MODE##_MODE,	\
420 	aesni_init_key,			\
421 	aesni_##mode##_cipher,		\
422 	NULL,				\
423 	sizeof(EVP_AES_KEY),		\
424 	NULL,NULL,NULL,NULL }; \
425 static const EVP_CIPHER aes_##keylen##_##mode = { \
426 	nid##_##keylen##_##nmode,blocksize,	\
427 	keylen/8,ivlen, \
428 	flags|EVP_CIPH_##MODE##_MODE,	\
429 	aes_init_key,			\
430 	aes_##mode##_cipher,		\
431 	NULL,				\
432 	sizeof(EVP_AES_KEY),		\
433 	NULL,NULL,NULL,NULL }; \
434 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
435 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
436 
437 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
438 static const EVP_CIPHER aesni_##keylen##_##mode = { \
439 	nid##_##keylen##_##mode,blocksize, \
440 	(EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
441 	flags|EVP_CIPH_##MODE##_MODE,	\
442 	aesni_##mode##_init_key,	\
443 	aesni_##mode##_cipher,		\
444 	aes_##mode##_cleanup,		\
445 	sizeof(EVP_AES_##MODE##_CTX),	\
446 	NULL,NULL,aes_##mode##_ctrl,NULL }; \
447 static const EVP_CIPHER aes_##keylen##_##mode = { \
448 	nid##_##keylen##_##mode,blocksize, \
449 	(EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
450 	flags|EVP_CIPH_##MODE##_MODE,	\
451 	aes_##mode##_init_key,		\
452 	aes_##mode##_cipher,		\
453 	aes_##mode##_cleanup,		\
454 	sizeof(EVP_AES_##MODE##_CTX),	\
455 	NULL,NULL,aes_##mode##_ctrl,NULL }; \
456 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
457 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
458 
459 #else
460 
461 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
462 static const EVP_CIPHER aes_##keylen##_##mode = { \
463 	nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
464 	flags|EVP_CIPH_##MODE##_MODE,	\
465 	aes_init_key,			\
466 	aes_##mode##_cipher,		\
467 	NULL,				\
468 	sizeof(EVP_AES_KEY),		\
469 	NULL,NULL,NULL,NULL }; \
470 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
471 { return &aes_##keylen##_##mode; }
472 
473 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
474 static const EVP_CIPHER aes_##keylen##_##mode = { \
475 	nid##_##keylen##_##mode,blocksize, \
476 	(EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
477 	flags|EVP_CIPH_##MODE##_MODE,	\
478 	aes_##mode##_init_key,		\
479 	aes_##mode##_cipher,		\
480 	aes_##mode##_cleanup,		\
481 	sizeof(EVP_AES_##MODE##_CTX),	\
482 	NULL,NULL,aes_##mode##_ctrl,NULL }; \
483 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
484 { return &aes_##keylen##_##mode; }
485 #endif
486 
487 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags)		\
488 	BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)	\
489 	BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)	\
490 	BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)	\
491 	BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)	\
492 	BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)	\
493 	BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)	\
494 	BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
495 
496 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
497 		   const unsigned char *iv, int enc)
498 	{
499 	int ret, mode;
500 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
501 
502 	mode = ctx->cipher->flags & EVP_CIPH_MODE;
503 	if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
504 	    && !enc)
505 #ifdef BSAES_CAPABLE
506 	    if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE)
507 		{
508 		ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
509 		dat->block	= (block128_f)AES_decrypt;
510 		dat->stream.cbc	= (cbc128_f)bsaes_cbc_encrypt;
511 		}
512 	    else
513 #endif
514 #ifdef VPAES_CAPABLE
515 	    if (VPAES_CAPABLE)
516 		{
517 		ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
518 		dat->block	= (block128_f)vpaes_decrypt;
519 		dat->stream.cbc	= mode==EVP_CIPH_CBC_MODE ?
520 					(cbc128_f)vpaes_cbc_encrypt :
521 					NULL;
522 		}
523 	    else
524 #endif
525 		{
526 		ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
527 		dat->block	= (block128_f)AES_decrypt;
528 		dat->stream.cbc	= mode==EVP_CIPH_CBC_MODE ?
529 					(cbc128_f)AES_cbc_encrypt :
530 					NULL;
531 		}
532 	else
533 #ifdef BSAES_CAPABLE
534 	    if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE)
535 		{
536 		ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
537 		dat->block	= (block128_f)AES_encrypt;
538 		dat->stream.ctr	= (ctr128_f)bsaes_ctr32_encrypt_blocks;
539 		}
540 	    else
541 #endif
542 #ifdef VPAES_CAPABLE
543 	    if (VPAES_CAPABLE)
544 		{
545 		ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
546 		dat->block	= (block128_f)vpaes_encrypt;
547 		dat->stream.cbc	= mode==EVP_CIPH_CBC_MODE ?
548 					(cbc128_f)vpaes_cbc_encrypt :
549 					NULL;
550 		}
551 	    else
552 #endif
553 		{
554 		ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
555 		dat->block	= (block128_f)AES_encrypt;
556 		dat->stream.cbc	= mode==EVP_CIPH_CBC_MODE ?
557 					(cbc128_f)AES_cbc_encrypt :
558 					NULL;
559 #ifdef AES_CTR_ASM
560 		if (mode==EVP_CIPH_CTR_MODE)
561 			dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
562 #endif
563 		}
564 
565 	if(ret < 0)
566 		{
567 		EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
568 		return 0;
569 		}
570 
571 	return 1;
572 	}
573 
574 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
575 	const unsigned char *in, size_t len)
576 {
577 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
578 
579 	if (dat->stream.cbc)
580 		(*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
581 	else if (ctx->encrypt)
582 		CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
583 	else
584 		CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
585 
586 	return 1;
587 }
588 
589 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
590 	const unsigned char *in, size_t len)
591 {
592 	size_t	bl = ctx->cipher->block_size;
593 	size_t	i;
594 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
595 
596 	if (len<bl)	return 1;
597 
598 	for (i=0,len-=bl;i<=len;i+=bl)
599 		(*dat->block)(in+i,out+i,&dat->ks);
600 
601 	return 1;
602 }
603 
604 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
605 	const unsigned char *in,size_t len)
606 {
607 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
608 
609 	CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
610 			ctx->iv,&ctx->num,dat->block);
611 	return 1;
612 }
613 
614 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
615 	const unsigned char *in,size_t len)
616 {
617 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
618 
619 	CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
620 			ctx->iv,&ctx->num,ctx->encrypt,dat->block);
621 	return 1;
622 }
623 
624 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
625 	const unsigned char *in,size_t len)
626 {
627 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
628 
629 	CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
630 			ctx->iv,&ctx->num,ctx->encrypt,dat->block);
631 	return 1;
632 }
633 
634 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
635 	const unsigned char *in,size_t len)
636 {
637 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
638 
639 	if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
640 		CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
641 			ctx->iv,&ctx->num,ctx->encrypt,dat->block);
642 		return 1;
643 	}
644 
645 	while (len>=MAXBITCHUNK) {
646 		CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
647 			ctx->iv,&ctx->num,ctx->encrypt,dat->block);
648 		len-=MAXBITCHUNK;
649 	}
650 	if (len)
651 		CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
652 			ctx->iv,&ctx->num,ctx->encrypt,dat->block);
653 
654 	return 1;
655 }
656 
657 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
658 		const unsigned char *in, size_t len)
659 {
660 	unsigned int num = ctx->num;
661 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
662 
663 	if (dat->stream.ctr)
664 		CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
665 			ctx->iv,ctx->buf,&num,dat->stream.ctr);
666 	else
667 		CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
668 			ctx->iv,ctx->buf,&num,dat->block);
669 	ctx->num = (size_t)num;
670 	return 1;
671 }
672 
673 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
674 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
675 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
676 
677 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
678 	{
679 	EVP_AES_GCM_CTX *gctx = c->cipher_data;
680 	OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
681 	if (gctx->iv != c->iv)
682 		OPENSSL_free(gctx->iv);
683 	return 1;
684 	}
685 
686 /* increment counter (64-bit int) by 1 */
687 static void ctr64_inc(unsigned char *counter) {
688 	int n=8;
689 	unsigned char  c;
690 
691 	do {
692 		--n;
693 		c = counter[n];
694 		++c;
695 		counter[n] = c;
696 		if (c) return;
697 	} while (n);
698 }
699 
700 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
701 	{
702 	EVP_AES_GCM_CTX *gctx = c->cipher_data;
703 	switch (type)
704 		{
705 	case EVP_CTRL_INIT:
706 		gctx->key_set = 0;
707 		gctx->iv_set = 0;
708 		gctx->ivlen = c->cipher->iv_len;
709 		gctx->iv = c->iv;
710 		gctx->taglen = -1;
711 		gctx->iv_gen = 0;
712 		gctx->tls_aad_len = -1;
713 		return 1;
714 
715 	case EVP_CTRL_GCM_SET_IVLEN:
716 		if (arg <= 0)
717 			return 0;
718 #ifdef OPENSSL_FIPS
719 		if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
720 						 && arg < 12)
721 			return 0;
722 #endif
723 		/* Allocate memory for IV if needed */
724 		if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
725 			{
726 			if (gctx->iv != c->iv)
727 				OPENSSL_free(gctx->iv);
728 			gctx->iv = OPENSSL_malloc(arg);
729 			if (!gctx->iv)
730 				return 0;
731 			}
732 		gctx->ivlen = arg;
733 		return 1;
734 
735 	case EVP_CTRL_GCM_SET_TAG:
736 		if (arg <= 0 || arg > 16 || c->encrypt)
737 			return 0;
738 		memcpy(c->buf, ptr, arg);
739 		gctx->taglen = arg;
740 		return 1;
741 
742 	case EVP_CTRL_GCM_GET_TAG:
743 		if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
744 			return 0;
745 		memcpy(ptr, c->buf, arg);
746 		return 1;
747 
748 	case EVP_CTRL_GCM_SET_IV_FIXED:
749 		/* Special case: -1 length restores whole IV */
750 		if (arg == -1)
751 			{
752 			memcpy(gctx->iv, ptr, gctx->ivlen);
753 			gctx->iv_gen = 1;
754 			return 1;
755 			}
756 		/* Fixed field must be at least 4 bytes and invocation field
757 		 * at least 8.
758 		 */
759 		if ((arg < 4) || (gctx->ivlen - arg) < 8)
760 			return 0;
761 		if (arg)
762 			memcpy(gctx->iv, ptr, arg);
763 		if (c->encrypt &&
764 			RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
765 			return 0;
766 		gctx->iv_gen = 1;
767 		return 1;
768 
769 	case EVP_CTRL_GCM_IV_GEN:
770 		if (gctx->iv_gen == 0 || gctx->key_set == 0)
771 			return 0;
772 		CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
773 		if (arg <= 0 || arg > gctx->ivlen)
774 			arg = gctx->ivlen;
775 		memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
776 		/* Invocation field will be at least 8 bytes in size and
777 		 * so no need to check wrap around or increment more than
778 		 * last 8 bytes.
779 		 */
780 		ctr64_inc(gctx->iv + gctx->ivlen - 8);
781 		gctx->iv_set = 1;
782 		return 1;
783 
784 	case EVP_CTRL_GCM_SET_IV_INV:
785 		if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
786 			return 0;
787 		memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
788 		CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
789 		gctx->iv_set = 1;
790 		return 1;
791 
792 	case EVP_CTRL_AEAD_TLS1_AAD:
793 		/* Save the AAD for later use */
794 		if (arg != 13)
795 			return 0;
796 		memcpy(c->buf, ptr, arg);
797 		gctx->tls_aad_len = arg;
798 			{
799 			unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
800 			/* Correct length for explicit IV */
801 			len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
802 			/* If decrypting correct for tag too */
803 			if (!c->encrypt)
804 				len -= EVP_GCM_TLS_TAG_LEN;
805                         c->buf[arg-2] = len>>8;
806                         c->buf[arg-1] = len & 0xff;
807 			}
808 		/* Extra padding: tag appended to record */
809 		return EVP_GCM_TLS_TAG_LEN;
810 
811 	case EVP_CTRL_COPY:
812 		{
813 			EVP_CIPHER_CTX *out = ptr;
814 			EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
815 			if (gctx->gcm.key)
816 				{
817 				if (gctx->gcm.key != &gctx->ks)
818 					return 0;
819 				gctx_out->gcm.key = &gctx_out->ks;
820 				}
821 			if (gctx->iv == c->iv)
822 				gctx_out->iv = out->iv;
823 			else
824 			{
825 				gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
826 				if (!gctx_out->iv)
827 					return 0;
828 				memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
829 			}
830 			return 1;
831 		}
832 
833 	default:
834 		return -1;
835 
836 		}
837 	}
838 
839 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
840                         const unsigned char *iv, int enc)
841 	{
842 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
843 	if (!iv && !key)
844 		return 1;
845 	if (key)
846 		{ do {
847 #ifdef BSAES_CAPABLE
848 		if (BSAES_CAPABLE)
849 			{
850 			AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
851 			CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
852 					(block128_f)AES_encrypt);
853 			gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
854 			break;
855 			}
856 		else
857 #endif
858 #ifdef VPAES_CAPABLE
859 		if (VPAES_CAPABLE)
860 			{
861 			vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
862 			CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
863 					(block128_f)vpaes_encrypt);
864 			gctx->ctr = NULL;
865 			break;
866 			}
867 		else
868 #endif
869 		(void)0;	/* terminate potentially open 'else' */
870 
871 		AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
872 		CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
873 #ifdef AES_CTR_ASM
874 		gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
875 #else
876 		gctx->ctr = NULL;
877 #endif
878 		} while (0);
879 
880 		/* If we have an iv can set it directly, otherwise use
881 		 * saved IV.
882 		 */
883 		if (iv == NULL && gctx->iv_set)
884 			iv = gctx->iv;
885 		if (iv)
886 			{
887 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
888 			gctx->iv_set = 1;
889 			}
890 		gctx->key_set = 1;
891 		}
892 	else
893 		{
894 		/* If key set use IV, otherwise copy */
895 		if (gctx->key_set)
896 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
897 		else
898 			memcpy(gctx->iv, iv, gctx->ivlen);
899 		gctx->iv_set = 1;
900 		gctx->iv_gen = 0;
901 		}
902 	return 1;
903 	}
904 
905 /* Handle TLS GCM packet format. This consists of the last portion of the IV
906  * followed by the payload and finally the tag. On encrypt generate IV,
907  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
908  * and verify tag.
909  */
910 
911 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
912 		const unsigned char *in, size_t len)
913 	{
914 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
915 	int rv = -1;
916 	/* Encrypt/decrypt must be performed in place */
917 	if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN))
918 		return -1;
919 	/* Set IV from start of buffer or generate IV and write to start
920 	 * of buffer.
921 	 */
922 	if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
923 				EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
924 				EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
925 		goto err;
926 	/* Use saved AAD */
927 	if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
928 		goto err;
929 	/* Fix buffer and length to point to payload */
930 	in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
931 	out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
932 	len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
933 	if (ctx->encrypt)
934 		{
935 		/* Encrypt payload */
936 		if (gctx->ctr)
937 			{
938 			if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
939 							in, out, len,
940 							gctx->ctr))
941 				goto err;
942 			}
943 		else	{
944 			if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
945 				goto err;
946 			}
947 		out += len;
948 		/* Finally write tag */
949 		CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
950 		rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
951 		}
952 	else
953 		{
954 		/* Decrypt */
955 		if (gctx->ctr)
956 			{
957 			if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
958 							in, out, len,
959 							gctx->ctr))
960 				goto err;
961 			}
962 		else	{
963 			if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
964 				goto err;
965 			}
966 		/* Retrieve tag */
967 		CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
968 					EVP_GCM_TLS_TAG_LEN);
969 		/* If tag mismatch wipe buffer */
970 		if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
971 			{
972 			OPENSSL_cleanse(out, len);
973 			goto err;
974 			}
975 		rv = len;
976 		}
977 
978 	err:
979 	gctx->iv_set = 0;
980 	gctx->tls_aad_len = -1;
981 	return rv;
982 	}
983 
984 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
985 		const unsigned char *in, size_t len)
986 	{
987 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
988 	/* If not set up, return error */
989 	if (!gctx->key_set)
990 		return -1;
991 
992 	if (gctx->tls_aad_len >= 0)
993 		return aes_gcm_tls_cipher(ctx, out, in, len);
994 
995 	if (!gctx->iv_set)
996 		return -1;
997 	if (in)
998 		{
999 		if (out == NULL)
1000 			{
1001 			if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1002 				return -1;
1003 			}
1004 		else if (ctx->encrypt)
1005 			{
1006 			if (gctx->ctr)
1007 				{
1008 				if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1009 							in, out, len,
1010 							gctx->ctr))
1011 					return -1;
1012 				}
1013 			else	{
1014 				if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1015 					return -1;
1016 				}
1017 			}
1018 		else
1019 			{
1020 			if (gctx->ctr)
1021 				{
1022 				if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1023 							in, out, len,
1024 							gctx->ctr))
1025 					return -1;
1026 				}
1027 			else	{
1028 				if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1029 					return -1;
1030 				}
1031 			}
1032 		return len;
1033 		}
1034 	else
1035 		{
1036 		if (!ctx->encrypt)
1037 			{
1038 			if (gctx->taglen < 0)
1039 				return -1;
1040 			if (CRYPTO_gcm128_finish(&gctx->gcm,
1041 					ctx->buf, gctx->taglen) != 0)
1042 				return -1;
1043 			gctx->iv_set = 0;
1044 			return 0;
1045 			}
1046 		CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1047 		gctx->taglen = 16;
1048 		/* Don't reuse the IV */
1049 		gctx->iv_set = 0;
1050 		return 0;
1051 		}
1052 
1053 	}
1054 
1055 #define CUSTOM_FLAGS	(EVP_CIPH_FLAG_DEFAULT_ASN1 \
1056 		| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1057 		| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1058 		| EVP_CIPH_CUSTOM_COPY)
1059 
1060 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1061 		EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1062 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1063 		EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1064 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1065 		EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1066 
1067 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1068 	{
1069 	EVP_AES_XTS_CTX *xctx = c->cipher_data;
1070 	if (type == EVP_CTRL_COPY)
1071 		{
1072 		EVP_CIPHER_CTX *out = ptr;
1073 		EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
1074 		if (xctx->xts.key1)
1075 			{
1076 			if (xctx->xts.key1 != &xctx->ks1)
1077 				return 0;
1078 			xctx_out->xts.key1 = &xctx_out->ks1;
1079 			}
1080 		if (xctx->xts.key2)
1081 			{
1082 			if (xctx->xts.key2 != &xctx->ks2)
1083 				return 0;
1084 			xctx_out->xts.key2 = &xctx_out->ks2;
1085 			}
1086 		return 1;
1087 		}
1088 	else if (type != EVP_CTRL_INIT)
1089 		return -1;
1090 	/* key1 and key2 are used as an indicator both key and IV are set */
1091 	xctx->xts.key1 = NULL;
1092 	xctx->xts.key2 = NULL;
1093 	return 1;
1094 	}
1095 
1096 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1097                         const unsigned char *iv, int enc)
1098 	{
1099 	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1100 	if (!iv && !key)
1101 		return 1;
1102 
1103 	if (key) do
1104 		{
1105 #ifdef AES_XTS_ASM
1106 		xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1107 #else
1108 		xctx->stream = NULL;
1109 #endif
1110 		/* key_len is two AES keys */
1111 #ifdef BSAES_CAPABLE
1112 		if (BSAES_CAPABLE)
1113 			xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1114 		else
1115 #endif
1116 #ifdef VPAES_CAPABLE
1117 		if (VPAES_CAPABLE)
1118 		    {
1119 		    if (enc)
1120 			{
1121 			vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1122 			xctx->xts.block1 = (block128_f)vpaes_encrypt;
1123 			}
1124 		    else
1125 			{
1126 			vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1127 			xctx->xts.block1 = (block128_f)vpaes_decrypt;
1128 			}
1129 
1130 		    vpaes_set_encrypt_key(key + ctx->key_len/2,
1131 						ctx->key_len * 4, &xctx->ks2);
1132 		    xctx->xts.block2 = (block128_f)vpaes_encrypt;
1133 
1134 		    xctx->xts.key1 = &xctx->ks1;
1135 		    break;
1136 		    }
1137 		else
1138 #endif
1139 		(void)0;	/* terminate potentially open 'else' */
1140 
1141 		if (enc)
1142 			{
1143 			AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1144 			xctx->xts.block1 = (block128_f)AES_encrypt;
1145 			}
1146 		else
1147 			{
1148 			AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1149 			xctx->xts.block1 = (block128_f)AES_decrypt;
1150 			}
1151 
1152 		AES_set_encrypt_key(key + ctx->key_len/2,
1153 						ctx->key_len * 4, &xctx->ks2);
1154 		xctx->xts.block2 = (block128_f)AES_encrypt;
1155 
1156 		xctx->xts.key1 = &xctx->ks1;
1157 		} while (0);
1158 
1159 	if (iv)
1160 		{
1161 		xctx->xts.key2 = &xctx->ks2;
1162 		memcpy(ctx->iv, iv, 16);
1163 		}
1164 
1165 	return 1;
1166 	}
1167 
1168 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1169 		const unsigned char *in, size_t len)
1170 	{
1171 	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1172 	if (!xctx->xts.key1 || !xctx->xts.key2)
1173 		return 0;
1174 	if (!out || !in || len<AES_BLOCK_SIZE)
1175 		return 0;
1176 #ifdef OPENSSL_FIPS
1177 	/* Requirement of SP800-38E */
1178 	if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1179 			(len > (1UL<<20)*16))
1180 		{
1181 		EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1182 		return 0;
1183 		}
1184 #endif
1185 	if (xctx->stream)
1186 		(*xctx->stream)(in, out, len,
1187 				xctx->xts.key1, xctx->xts.key2, ctx->iv);
1188 	else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1189 								ctx->encrypt))
1190 		return 0;
1191 	return 1;
1192 	}
1193 
1194 #define aes_xts_cleanup NULL
1195 
1196 #define XTS_FLAGS	(EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1197 			 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1198 			 | EVP_CIPH_CUSTOM_COPY)
1199 
1200 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1201 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1202 
1203 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1204 	{
1205 	EVP_AES_CCM_CTX *cctx = c->cipher_data;
1206 	switch (type)
1207 		{
1208 	case EVP_CTRL_INIT:
1209 		cctx->key_set = 0;
1210 		cctx->iv_set = 0;
1211 		cctx->L = 8;
1212 		cctx->M = 12;
1213 		cctx->tag_set = 0;
1214 		cctx->len_set = 0;
1215 		return 1;
1216 
1217 	case EVP_CTRL_CCM_SET_IVLEN:
1218 		arg = 15 - arg;
1219 	case EVP_CTRL_CCM_SET_L:
1220 		if (arg < 2 || arg > 8)
1221 			return 0;
1222 		cctx->L = arg;
1223 		return 1;
1224 
1225 	case EVP_CTRL_CCM_SET_TAG:
1226 		if ((arg & 1) || arg < 4 || arg > 16)
1227 			return 0;
1228 		if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1229 			return 0;
1230 		if (ptr)
1231 			{
1232 			cctx->tag_set = 1;
1233 			memcpy(c->buf, ptr, arg);
1234 			}
1235 		cctx->M = arg;
1236 		return 1;
1237 
1238 	case EVP_CTRL_CCM_GET_TAG:
1239 		if (!c->encrypt || !cctx->tag_set)
1240 			return 0;
1241 		if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1242 			return 0;
1243 		cctx->tag_set = 0;
1244 		cctx->iv_set = 0;
1245 		cctx->len_set = 0;
1246 		return 1;
1247 
1248 	case EVP_CTRL_COPY:
1249 		{
1250 			EVP_CIPHER_CTX *out = ptr;
1251 			EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
1252 			if (cctx->ccm.key)
1253 				{
1254 				if (cctx->ccm.key != &cctx->ks)
1255 					return 0;
1256 				cctx_out->ccm.key = &cctx_out->ks;
1257 				}
1258 			return 1;
1259 		}
1260 
1261 	default:
1262 		return -1;
1263 
1264 		}
1265 	}
1266 
1267 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1268                         const unsigned char *iv, int enc)
1269 	{
1270 	EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1271 	if (!iv && !key)
1272 		return 1;
1273 	if (key) do
1274 		{
1275 #ifdef VPAES_CAPABLE
1276 		if (VPAES_CAPABLE)
1277 			{
1278 			vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
1279 			CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1280 					&cctx->ks, (block128_f)vpaes_encrypt);
1281 			cctx->str = NULL;
1282 			cctx->key_set = 1;
1283 			break;
1284 			}
1285 #endif
1286 		AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
1287 		CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1288 					&cctx->ks, (block128_f)AES_encrypt);
1289 		cctx->str = NULL;
1290 		cctx->key_set = 1;
1291 		} while (0);
1292 	if (iv)
1293 		{
1294 		memcpy(ctx->iv, iv, 15 - cctx->L);
1295 		cctx->iv_set = 1;
1296 		}
1297 	return 1;
1298 	}
1299 
1300 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1301 		const unsigned char *in, size_t len)
1302 	{
1303 	EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1304 	CCM128_CONTEXT *ccm = &cctx->ccm;
1305 	/* If not set up, return error */
1306 	if (!cctx->iv_set && !cctx->key_set)
1307 		return -1;
1308 	if (!ctx->encrypt && !cctx->tag_set)
1309 		return -1;
1310 	if (!out)
1311 		{
1312 		if (!in)
1313 			{
1314 			if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
1315 				return -1;
1316 			cctx->len_set = 1;
1317 			return len;
1318 			}
1319 		/* If have AAD need message length */
1320 		if (!cctx->len_set && len)
1321 			return -1;
1322 		CRYPTO_ccm128_aad(ccm, in, len);
1323 		return len;
1324 		}
1325 	/* EVP_*Final() doesn't return any data */
1326 	if (!in)
1327 		return 0;
1328 	/* If not set length yet do it */
1329 	if (!cctx->len_set)
1330 		{
1331 		if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1332 			return -1;
1333 		cctx->len_set = 1;
1334 		}
1335 	if (ctx->encrypt)
1336 		{
1337 		if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
1338 						cctx->str) :
1339 				CRYPTO_ccm128_encrypt(ccm, in, out, len))
1340 			return -1;
1341 		cctx->tag_set = 1;
1342 		return len;
1343 		}
1344 	else
1345 		{
1346 		int rv = -1;
1347 		if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
1348 						cctx->str) :
1349 				!CRYPTO_ccm128_decrypt(ccm, in, out, len))
1350 			{
1351 			unsigned char tag[16];
1352 			if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
1353 				{
1354 				if (!memcmp(tag, ctx->buf, cctx->M))
1355 					rv = len;
1356 				}
1357 			}
1358 		if (rv == -1)
1359 			OPENSSL_cleanse(out, len);
1360 		cctx->iv_set = 0;
1361 		cctx->tag_set = 0;
1362 		cctx->len_set = 0;
1363 		return rv;
1364 		}
1365 
1366 	}
1367 
1368 #define aes_ccm_cleanup NULL
1369 
1370 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1371 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1372 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1373 
1374 #endif
1375 #endif
1376