xref: /freebsd/crypto/openssl/crypto/evp/e_aes.c (revision e14ddd1f16e7e5788392c50de21ea7c927e0690c)
1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50 
51 #include <openssl/opensslconf.h>
52 #ifndef OPENSSL_NO_AES
53 #include <openssl/evp.h>
54 #include <openssl/err.h>
55 #include <string.h>
56 #include <assert.h>
57 #include <openssl/aes.h>
58 #include "evp_locl.h"
59 #ifndef OPENSSL_FIPS
60 #include "modes_lcl.h"
61 #include <openssl/rand.h>
62 
63 typedef struct
64 	{
65 	AES_KEY ks;
66 	block128_f block;
67 	union {
68 		cbc128_f cbc;
69 		ctr128_f ctr;
70 	} stream;
71 	} EVP_AES_KEY;
72 
73 typedef struct
74 	{
75 	AES_KEY ks;		/* AES key schedule to use */
76 	int key_set;		/* Set if key initialised */
77 	int iv_set;		/* Set if an iv is set */
78 	GCM128_CONTEXT gcm;
79 	unsigned char *iv;	/* Temporary IV store */
80 	int ivlen;		/* IV length */
81 	int taglen;
82 	int iv_gen;		/* It is OK to generate IVs */
83 	int tls_aad_len;	/* TLS AAD length */
84 	ctr128_f ctr;
85 	} EVP_AES_GCM_CTX;
86 
87 typedef struct
88 	{
89 	AES_KEY ks1, ks2;	/* AES key schedules to use */
90 	XTS128_CONTEXT xts;
91 	void     (*stream)(const unsigned char *in,
92 			unsigned char *out, size_t length,
93 			const AES_KEY *key1, const AES_KEY *key2,
94 			const unsigned char iv[16]);
95 	} EVP_AES_XTS_CTX;
96 
97 typedef struct
98 	{
99 	AES_KEY ks;		/* AES key schedule to use */
100 	int key_set;		/* Set if key initialised */
101 	int iv_set;		/* Set if an iv is set */
102 	int tag_set;		/* Set if tag is valid */
103 	int len_set;		/* Set if message length set */
104 	int L, M;		/* L and M parameters from RFC3610 */
105 	CCM128_CONTEXT ccm;
106 	ccm128_f str;
107 	} EVP_AES_CCM_CTX;
108 
109 #define MAXBITCHUNK	((size_t)1<<(sizeof(size_t)*8-4))
110 
111 #ifdef VPAES_ASM
112 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
113 			AES_KEY *key);
114 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
115 			AES_KEY *key);
116 
117 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
118 			const AES_KEY *key);
119 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
120 			const AES_KEY *key);
121 
122 void vpaes_cbc_encrypt(const unsigned char *in,
123 			unsigned char *out,
124 			size_t length,
125 			const AES_KEY *key,
126 			unsigned char *ivec, int enc);
127 #endif
128 #ifdef BSAES_ASM
129 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
130 			size_t length, const AES_KEY *key,
131 			unsigned char ivec[16], int enc);
132 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
133 			size_t len, const AES_KEY *key,
134 			const unsigned char ivec[16]);
135 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
136 			size_t len, const AES_KEY *key1,
137 			const AES_KEY *key2, const unsigned char iv[16]);
138 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
139 			size_t len, const AES_KEY *key1,
140 			const AES_KEY *key2, const unsigned char iv[16]);
141 #endif
142 #ifdef AES_CTR_ASM
143 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
144 			size_t blocks, const AES_KEY *key,
145 			const unsigned char ivec[AES_BLOCK_SIZE]);
146 #endif
147 #ifdef AES_XTS_ASM
148 void AES_xts_encrypt(const char *inp,char *out,size_t len,
149 			const AES_KEY *key1, const AES_KEY *key2,
150 			const unsigned char iv[16]);
151 void AES_xts_decrypt(const char *inp,char *out,size_t len,
152 			const AES_KEY *key1, const AES_KEY *key2,
153 			const unsigned char iv[16]);
154 #endif
155 
156 #if	defined(AES_ASM) && !defined(I386_ONLY) &&	(  \
157 	((defined(__i386)	|| defined(__i386__)	|| \
158 	  defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
159 	defined(__x86_64)	|| defined(__x86_64__)	|| \
160 	defined(_M_AMD64)	|| defined(_M_X64)	|| \
161 	defined(__INTEL__)				)
162 
163 extern unsigned int OPENSSL_ia32cap_P[2];
164 
165 #ifdef VPAES_ASM
166 #define VPAES_CAPABLE	(OPENSSL_ia32cap_P[1]&(1<<(41-32)))
167 #endif
168 #ifdef BSAES_ASM
169 #define BSAES_CAPABLE	VPAES_CAPABLE
170 #endif
171 /*
172  * AES-NI section
173  */
174 #define	AESNI_CAPABLE	(OPENSSL_ia32cap_P[1]&(1<<(57-32)))
175 
176 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
177 			AES_KEY *key);
178 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
179 			AES_KEY *key);
180 
181 void aesni_encrypt(const unsigned char *in, unsigned char *out,
182 			const AES_KEY *key);
183 void aesni_decrypt(const unsigned char *in, unsigned char *out,
184 			const AES_KEY *key);
185 
186 void aesni_ecb_encrypt(const unsigned char *in,
187 			unsigned char *out,
188 			size_t length,
189 			const AES_KEY *key,
190 			int enc);
191 void aesni_cbc_encrypt(const unsigned char *in,
192 			unsigned char *out,
193 			size_t length,
194 			const AES_KEY *key,
195 			unsigned char *ivec, int enc);
196 
197 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
198 			unsigned char *out,
199 			size_t blocks,
200 			const void *key,
201 			const unsigned char *ivec);
202 
203 void aesni_xts_encrypt(const unsigned char *in,
204 			unsigned char *out,
205 			size_t length,
206 			const AES_KEY *key1, const AES_KEY *key2,
207 			const unsigned char iv[16]);
208 
209 void aesni_xts_decrypt(const unsigned char *in,
210 			unsigned char *out,
211 			size_t length,
212 			const AES_KEY *key1, const AES_KEY *key2,
213 			const unsigned char iv[16]);
214 
215 void aesni_ccm64_encrypt_blocks (const unsigned char *in,
216 			unsigned char *out,
217 			size_t blocks,
218 			const void *key,
219 			const unsigned char ivec[16],
220 			unsigned char cmac[16]);
221 
222 void aesni_ccm64_decrypt_blocks (const unsigned char *in,
223 			unsigned char *out,
224 			size_t blocks,
225 			const void *key,
226 			const unsigned char ivec[16],
227 			unsigned char cmac[16]);
228 
229 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
230 		   const unsigned char *iv, int enc)
231 	{
232 	int ret, mode;
233 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
234 
235 	mode = ctx->cipher->flags & EVP_CIPH_MODE;
236 	if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
237 	    && !enc)
238 		{
239 		ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
240 		dat->block	= (block128_f)aesni_decrypt;
241 		dat->stream.cbc	= mode==EVP_CIPH_CBC_MODE ?
242 					(cbc128_f)aesni_cbc_encrypt :
243 					NULL;
244 		}
245 	else	{
246 		ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
247 		dat->block	= (block128_f)aesni_encrypt;
248 		if (mode==EVP_CIPH_CBC_MODE)
249 			dat->stream.cbc	= (cbc128_f)aesni_cbc_encrypt;
250 		else if (mode==EVP_CIPH_CTR_MODE)
251 			dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
252 		else
253 			dat->stream.cbc = NULL;
254 		}
255 
256 	if(ret < 0)
257 		{
258 		EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
259 		return 0;
260 		}
261 
262 	return 1;
263 	}
264 
265 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
266 	const unsigned char *in, size_t len)
267 {
268 	aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
269 
270 	return 1;
271 }
272 
273 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
274 	const unsigned char *in, size_t len)
275 {
276 	size_t	bl = ctx->cipher->block_size;
277 
278 	if (len<bl)	return 1;
279 
280 	aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
281 
282 	return 1;
283 }
284 
285 #define aesni_ofb_cipher aes_ofb_cipher
286 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
287 	const unsigned char *in,size_t len);
288 
289 #define aesni_cfb_cipher aes_cfb_cipher
290 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
291 	const unsigned char *in,size_t len);
292 
293 #define aesni_cfb8_cipher aes_cfb8_cipher
294 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
295 	const unsigned char *in,size_t len);
296 
297 #define aesni_cfb1_cipher aes_cfb1_cipher
298 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
299 	const unsigned char *in,size_t len);
300 
301 #define aesni_ctr_cipher aes_ctr_cipher
302 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
303 		const unsigned char *in, size_t len);
304 
305 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
306                         const unsigned char *iv, int enc)
307 	{
308 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
309 	if (!iv && !key)
310 		return 1;
311 	if (key)
312 		{
313 		aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
314 		CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
315 				(block128_f)aesni_encrypt);
316 		gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
317 		/* If we have an iv can set it directly, otherwise use
318 		 * saved IV.
319 		 */
320 		if (iv == NULL && gctx->iv_set)
321 			iv = gctx->iv;
322 		if (iv)
323 			{
324 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
325 			gctx->iv_set = 1;
326 			}
327 		gctx->key_set = 1;
328 		}
329 	else
330 		{
331 		/* If key set use IV, otherwise copy */
332 		if (gctx->key_set)
333 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
334 		else
335 			memcpy(gctx->iv, iv, gctx->ivlen);
336 		gctx->iv_set = 1;
337 		gctx->iv_gen = 0;
338 		}
339 	return 1;
340 	}
341 
342 #define aesni_gcm_cipher aes_gcm_cipher
343 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
344 		const unsigned char *in, size_t len);
345 
346 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
347                         const unsigned char *iv, int enc)
348 	{
349 	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
350 	if (!iv && !key)
351 		return 1;
352 
353 	if (key)
354 		{
355 		/* key_len is two AES keys */
356 		if (enc)
357 			{
358 			aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
359 			xctx->xts.block1 = (block128_f)aesni_encrypt;
360 			xctx->stream = aesni_xts_encrypt;
361 			}
362 		else
363 			{
364 			aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
365 			xctx->xts.block1 = (block128_f)aesni_decrypt;
366 			xctx->stream = aesni_xts_decrypt;
367 			}
368 
369 		aesni_set_encrypt_key(key + ctx->key_len/2,
370 						ctx->key_len * 4, &xctx->ks2);
371 		xctx->xts.block2 = (block128_f)aesni_encrypt;
372 
373 		xctx->xts.key1 = &xctx->ks1;
374 		}
375 
376 	if (iv)
377 		{
378 		xctx->xts.key2 = &xctx->ks2;
379 		memcpy(ctx->iv, iv, 16);
380 		}
381 
382 	return 1;
383 	}
384 
385 #define aesni_xts_cipher aes_xts_cipher
386 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
387 		const unsigned char *in, size_t len);
388 
389 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
390                         const unsigned char *iv, int enc)
391 	{
392 	EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
393 	if (!iv && !key)
394 		return 1;
395 	if (key)
396 		{
397 		aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
398 		CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
399 					&cctx->ks, (block128_f)aesni_encrypt);
400 		cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks :
401 				(ccm128_f)aesni_ccm64_decrypt_blocks;
402 		cctx->key_set = 1;
403 		}
404 	if (iv)
405 		{
406 		memcpy(ctx->iv, iv, 15 - cctx->L);
407 		cctx->iv_set = 1;
408 		}
409 	return 1;
410 	}
411 
412 #define aesni_ccm_cipher aes_ccm_cipher
413 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
414 		const unsigned char *in, size_t len);
415 
416 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
417 static const EVP_CIPHER aesni_##keylen##_##mode = { \
418 	nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
419 	flags|EVP_CIPH_##MODE##_MODE,	\
420 	aesni_init_key,			\
421 	aesni_##mode##_cipher,		\
422 	NULL,				\
423 	sizeof(EVP_AES_KEY),		\
424 	NULL,NULL,NULL,NULL }; \
425 static const EVP_CIPHER aes_##keylen##_##mode = { \
426 	nid##_##keylen##_##nmode,blocksize,	\
427 	keylen/8,ivlen, \
428 	flags|EVP_CIPH_##MODE##_MODE,	\
429 	aes_init_key,			\
430 	aes_##mode##_cipher,		\
431 	NULL,				\
432 	sizeof(EVP_AES_KEY),		\
433 	NULL,NULL,NULL,NULL }; \
434 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
435 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
436 
437 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
438 static const EVP_CIPHER aesni_##keylen##_##mode = { \
439 	nid##_##keylen##_##mode,blocksize, \
440 	(EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
441 	flags|EVP_CIPH_##MODE##_MODE,	\
442 	aesni_##mode##_init_key,	\
443 	aesni_##mode##_cipher,		\
444 	aes_##mode##_cleanup,		\
445 	sizeof(EVP_AES_##MODE##_CTX),	\
446 	NULL,NULL,aes_##mode##_ctrl,NULL }; \
447 static const EVP_CIPHER aes_##keylen##_##mode = { \
448 	nid##_##keylen##_##mode,blocksize, \
449 	(EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
450 	flags|EVP_CIPH_##MODE##_MODE,	\
451 	aes_##mode##_init_key,		\
452 	aes_##mode##_cipher,		\
453 	aes_##mode##_cleanup,		\
454 	sizeof(EVP_AES_##MODE##_CTX),	\
455 	NULL,NULL,aes_##mode##_ctrl,NULL }; \
456 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
457 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
458 
459 #else
460 
461 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
462 static const EVP_CIPHER aes_##keylen##_##mode = { \
463 	nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
464 	flags|EVP_CIPH_##MODE##_MODE,	\
465 	aes_init_key,			\
466 	aes_##mode##_cipher,		\
467 	NULL,				\
468 	sizeof(EVP_AES_KEY),		\
469 	NULL,NULL,NULL,NULL }; \
470 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
471 { return &aes_##keylen##_##mode; }
472 
473 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
474 static const EVP_CIPHER aes_##keylen##_##mode = { \
475 	nid##_##keylen##_##mode,blocksize, \
476 	(EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
477 	flags|EVP_CIPH_##MODE##_MODE,	\
478 	aes_##mode##_init_key,		\
479 	aes_##mode##_cipher,		\
480 	aes_##mode##_cleanup,		\
481 	sizeof(EVP_AES_##MODE##_CTX),	\
482 	NULL,NULL,aes_##mode##_ctrl,NULL }; \
483 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
484 { return &aes_##keylen##_##mode; }
485 #endif
486 
487 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags)		\
488 	BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)	\
489 	BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)	\
490 	BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)	\
491 	BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)	\
492 	BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)	\
493 	BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)	\
494 	BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
495 
496 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
497 		   const unsigned char *iv, int enc)
498 	{
499 	int ret, mode;
500 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
501 
502 	mode = ctx->cipher->flags & EVP_CIPH_MODE;
503 	if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
504 	    && !enc)
505 #ifdef BSAES_CAPABLE
506 	    if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE)
507 		{
508 		ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
509 		dat->block	= (block128_f)AES_decrypt;
510 		dat->stream.cbc	= (cbc128_f)bsaes_cbc_encrypt;
511 		}
512 	    else
513 #endif
514 #ifdef VPAES_CAPABLE
515 	    if (VPAES_CAPABLE)
516 		{
517 		ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
518 		dat->block	= (block128_f)vpaes_decrypt;
519 		dat->stream.cbc	= mode==EVP_CIPH_CBC_MODE ?
520 					(cbc128_f)vpaes_cbc_encrypt :
521 					NULL;
522 		}
523 	    else
524 #endif
525 		{
526 		ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
527 		dat->block	= (block128_f)AES_decrypt;
528 		dat->stream.cbc	= mode==EVP_CIPH_CBC_MODE ?
529 					(cbc128_f)AES_cbc_encrypt :
530 					NULL;
531 		}
532 	else
533 #ifdef BSAES_CAPABLE
534 	    if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE)
535 		{
536 		ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
537 		dat->block	= (block128_f)AES_encrypt;
538 		dat->stream.ctr	= (ctr128_f)bsaes_ctr32_encrypt_blocks;
539 		}
540 	    else
541 #endif
542 #ifdef VPAES_CAPABLE
543 	    if (VPAES_CAPABLE)
544 		{
545 		ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
546 		dat->block	= (block128_f)vpaes_encrypt;
547 		dat->stream.cbc	= mode==EVP_CIPH_CBC_MODE ?
548 					(cbc128_f)vpaes_cbc_encrypt :
549 					NULL;
550 		}
551 	    else
552 #endif
553 		{
554 		ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
555 		dat->block	= (block128_f)AES_encrypt;
556 		dat->stream.cbc	= mode==EVP_CIPH_CBC_MODE ?
557 					(cbc128_f)AES_cbc_encrypt :
558 					NULL;
559 #ifdef AES_CTR_ASM
560 		if (mode==EVP_CIPH_CTR_MODE)
561 			dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
562 #endif
563 		}
564 
565 	if(ret < 0)
566 		{
567 		EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
568 		return 0;
569 		}
570 
571 	return 1;
572 	}
573 
574 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
575 	const unsigned char *in, size_t len)
576 {
577 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
578 
579 	if (dat->stream.cbc)
580 		(*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
581 	else if (ctx->encrypt)
582 		CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
583 	else
584 		CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
585 
586 	return 1;
587 }
588 
589 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
590 	const unsigned char *in, size_t len)
591 {
592 	size_t	bl = ctx->cipher->block_size;
593 	size_t	i;
594 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
595 
596 	if (len<bl)	return 1;
597 
598 	for (i=0,len-=bl;i<=len;i+=bl)
599 		(*dat->block)(in+i,out+i,&dat->ks);
600 
601 	return 1;
602 }
603 
604 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
605 	const unsigned char *in,size_t len)
606 {
607 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
608 
609 	CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
610 			ctx->iv,&ctx->num,dat->block);
611 	return 1;
612 }
613 
614 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
615 	const unsigned char *in,size_t len)
616 {
617 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
618 
619 	CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
620 			ctx->iv,&ctx->num,ctx->encrypt,dat->block);
621 	return 1;
622 }
623 
624 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
625 	const unsigned char *in,size_t len)
626 {
627 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
628 
629 	CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
630 			ctx->iv,&ctx->num,ctx->encrypt,dat->block);
631 	return 1;
632 }
633 
634 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
635 	const unsigned char *in,size_t len)
636 {
637 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
638 
639 	if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
640 		CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
641 			ctx->iv,&ctx->num,ctx->encrypt,dat->block);
642 		return 1;
643 	}
644 
645 	while (len>=MAXBITCHUNK) {
646 		CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
647 			ctx->iv,&ctx->num,ctx->encrypt,dat->block);
648 		len-=MAXBITCHUNK;
649 	}
650 	if (len)
651 		CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
652 			ctx->iv,&ctx->num,ctx->encrypt,dat->block);
653 
654 	return 1;
655 }
656 
657 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
658 		const unsigned char *in, size_t len)
659 {
660 	unsigned int num = ctx->num;
661 	EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
662 
663 	if (dat->stream.ctr)
664 		CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
665 			ctx->iv,ctx->buf,&num,dat->stream.ctr);
666 	else
667 		CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
668 			ctx->iv,ctx->buf,&num,dat->block);
669 	ctx->num = (size_t)num;
670 	return 1;
671 }
672 
673 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
674 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
675 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
676 
677 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
678 	{
679 	EVP_AES_GCM_CTX *gctx = c->cipher_data;
680 	OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
681 	if (gctx->iv != c->iv)
682 		OPENSSL_free(gctx->iv);
683 	return 1;
684 	}
685 
686 /* increment counter (64-bit int) by 1 */
687 static void ctr64_inc(unsigned char *counter) {
688 	int n=8;
689 	unsigned char  c;
690 
691 	do {
692 		--n;
693 		c = counter[n];
694 		++c;
695 		counter[n] = c;
696 		if (c) return;
697 	} while (n);
698 }
699 
700 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
701 	{
702 	EVP_AES_GCM_CTX *gctx = c->cipher_data;
703 	switch (type)
704 		{
705 	case EVP_CTRL_INIT:
706 		gctx->key_set = 0;
707 		gctx->iv_set = 0;
708 		gctx->ivlen = c->cipher->iv_len;
709 		gctx->iv = c->iv;
710 		gctx->taglen = -1;
711 		gctx->iv_gen = 0;
712 		gctx->tls_aad_len = -1;
713 		return 1;
714 
715 	case EVP_CTRL_GCM_SET_IVLEN:
716 		if (arg <= 0)
717 			return 0;
718 #ifdef OPENSSL_FIPS
719 		if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
720 						 && arg < 12)
721 			return 0;
722 #endif
723 		/* Allocate memory for IV if needed */
724 		if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
725 			{
726 			if (gctx->iv != c->iv)
727 				OPENSSL_free(gctx->iv);
728 			gctx->iv = OPENSSL_malloc(arg);
729 			if (!gctx->iv)
730 				return 0;
731 			}
732 		gctx->ivlen = arg;
733 		return 1;
734 
735 	case EVP_CTRL_GCM_SET_TAG:
736 		if (arg <= 0 || arg > 16 || c->encrypt)
737 			return 0;
738 		memcpy(c->buf, ptr, arg);
739 		gctx->taglen = arg;
740 		return 1;
741 
742 	case EVP_CTRL_GCM_GET_TAG:
743 		if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
744 			return 0;
745 		memcpy(ptr, c->buf, arg);
746 		return 1;
747 
748 	case EVP_CTRL_GCM_SET_IV_FIXED:
749 		/* Special case: -1 length restores whole IV */
750 		if (arg == -1)
751 			{
752 			memcpy(gctx->iv, ptr, gctx->ivlen);
753 			gctx->iv_gen = 1;
754 			return 1;
755 			}
756 		/* Fixed field must be at least 4 bytes and invocation field
757 		 * at least 8.
758 		 */
759 		if ((arg < 4) || (gctx->ivlen - arg) < 8)
760 			return 0;
761 		if (arg)
762 			memcpy(gctx->iv, ptr, arg);
763 		if (c->encrypt &&
764 			RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
765 			return 0;
766 		gctx->iv_gen = 1;
767 		return 1;
768 
769 	case EVP_CTRL_GCM_IV_GEN:
770 		if (gctx->iv_gen == 0 || gctx->key_set == 0)
771 			return 0;
772 		CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
773 		if (arg <= 0 || arg > gctx->ivlen)
774 			arg = gctx->ivlen;
775 		memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
776 		/* Invocation field will be at least 8 bytes in size and
777 		 * so no need to check wrap around or increment more than
778 		 * last 8 bytes.
779 		 */
780 		ctr64_inc(gctx->iv + gctx->ivlen - 8);
781 		gctx->iv_set = 1;
782 		return 1;
783 
784 	case EVP_CTRL_GCM_SET_IV_INV:
785 		if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
786 			return 0;
787 		memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
788 		CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
789 		gctx->iv_set = 1;
790 		return 1;
791 
792 	case EVP_CTRL_AEAD_TLS1_AAD:
793 		/* Save the AAD for later use */
794 		if (arg != 13)
795 			return 0;
796 		memcpy(c->buf, ptr, arg);
797 		gctx->tls_aad_len = arg;
798 			{
799 			unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
800 			/* Correct length for explicit IV */
801 			len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
802 			/* If decrypting correct for tag too */
803 			if (!c->encrypt)
804 				len -= EVP_GCM_TLS_TAG_LEN;
805                         c->buf[arg-2] = len>>8;
806                         c->buf[arg-1] = len & 0xff;
807 			}
808 		/* Extra padding: tag appended to record */
809 		return EVP_GCM_TLS_TAG_LEN;
810 
811 	default:
812 		return -1;
813 
814 		}
815 	}
816 
817 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
818                         const unsigned char *iv, int enc)
819 	{
820 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
821 	if (!iv && !key)
822 		return 1;
823 	if (key)
824 		{ do {
825 #ifdef BSAES_CAPABLE
826 		if (BSAES_CAPABLE)
827 			{
828 			AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
829 			CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
830 					(block128_f)AES_encrypt);
831 			gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
832 			break;
833 			}
834 		else
835 #endif
836 #ifdef VPAES_CAPABLE
837 		if (VPAES_CAPABLE)
838 			{
839 			vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
840 			CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
841 					(block128_f)vpaes_encrypt);
842 			gctx->ctr = NULL;
843 			break;
844 			}
845 #endif
846 		AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
847 		CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
848 #ifdef AES_CTR_ASM
849 		gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
850 #else
851 		gctx->ctr = NULL;
852 #endif
853 		} while (0);
854 
855 		/* If we have an iv can set it directly, otherwise use
856 		 * saved IV.
857 		 */
858 		if (iv == NULL && gctx->iv_set)
859 			iv = gctx->iv;
860 		if (iv)
861 			{
862 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
863 			gctx->iv_set = 1;
864 			}
865 		gctx->key_set = 1;
866 		}
867 	else
868 		{
869 		/* If key set use IV, otherwise copy */
870 		if (gctx->key_set)
871 			CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
872 		else
873 			memcpy(gctx->iv, iv, gctx->ivlen);
874 		gctx->iv_set = 1;
875 		gctx->iv_gen = 0;
876 		}
877 	return 1;
878 	}
879 
880 /* Handle TLS GCM packet format. This consists of the last portion of the IV
881  * followed by the payload and finally the tag. On encrypt generate IV,
882  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
883  * and verify tag.
884  */
885 
886 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
887 		const unsigned char *in, size_t len)
888 	{
889 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
890 	int rv = -1;
891 	/* Encrypt/decrypt must be performed in place */
892 	if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN))
893 		return -1;
894 	/* Set IV from start of buffer or generate IV and write to start
895 	 * of buffer.
896 	 */
897 	if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
898 				EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
899 				EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
900 		goto err;
901 	/* Use saved AAD */
902 	if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
903 		goto err;
904 	/* Fix buffer and length to point to payload */
905 	in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
906 	out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
907 	len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
908 	if (ctx->encrypt)
909 		{
910 		/* Encrypt payload */
911 		if (gctx->ctr)
912 			{
913 			if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
914 							in, out, len,
915 							gctx->ctr))
916 				goto err;
917 			}
918 		else	{
919 			if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
920 				goto err;
921 			}
922 		out += len;
923 		/* Finally write tag */
924 		CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
925 		rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
926 		}
927 	else
928 		{
929 		/* Decrypt */
930 		if (gctx->ctr)
931 			{
932 			if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
933 							in, out, len,
934 							gctx->ctr))
935 				goto err;
936 			}
937 		else	{
938 			if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
939 				goto err;
940 			}
941 		/* Retrieve tag */
942 		CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
943 					EVP_GCM_TLS_TAG_LEN);
944 		/* If tag mismatch wipe buffer */
945 		if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
946 			{
947 			OPENSSL_cleanse(out, len);
948 			goto err;
949 			}
950 		rv = len;
951 		}
952 
953 	err:
954 	gctx->iv_set = 0;
955 	gctx->tls_aad_len = -1;
956 	return rv;
957 	}
958 
959 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
960 		const unsigned char *in, size_t len)
961 	{
962 	EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
963 	/* If not set up, return error */
964 	if (!gctx->key_set)
965 		return -1;
966 
967 	if (gctx->tls_aad_len >= 0)
968 		return aes_gcm_tls_cipher(ctx, out, in, len);
969 
970 	if (!gctx->iv_set)
971 		return -1;
972 	if (in)
973 		{
974 		if (out == NULL)
975 			{
976 			if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
977 				return -1;
978 			}
979 		else if (ctx->encrypt)
980 			{
981 			if (gctx->ctr)
982 				{
983 				if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
984 							in, out, len,
985 							gctx->ctr))
986 					return -1;
987 				}
988 			else	{
989 				if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
990 					return -1;
991 				}
992 			}
993 		else
994 			{
995 			if (gctx->ctr)
996 				{
997 				if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
998 							in, out, len,
999 							gctx->ctr))
1000 					return -1;
1001 				}
1002 			else	{
1003 				if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1004 					return -1;
1005 				}
1006 			}
1007 		return len;
1008 		}
1009 	else
1010 		{
1011 		if (!ctx->encrypt)
1012 			{
1013 			if (gctx->taglen < 0)
1014 				return -1;
1015 			if (CRYPTO_gcm128_finish(&gctx->gcm,
1016 					ctx->buf, gctx->taglen) != 0)
1017 				return -1;
1018 			gctx->iv_set = 0;
1019 			return 0;
1020 			}
1021 		CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1022 		gctx->taglen = 16;
1023 		/* Don't reuse the IV */
1024 		gctx->iv_set = 0;
1025 		return 0;
1026 		}
1027 
1028 	}
1029 
1030 #define CUSTOM_FLAGS	(EVP_CIPH_FLAG_DEFAULT_ASN1 \
1031 		| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1032 		| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1033 
1034 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1035 		EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1036 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1037 		EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1038 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1039 		EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1040 
1041 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1042 	{
1043 	EVP_AES_XTS_CTX *xctx = c->cipher_data;
1044 	if (type != EVP_CTRL_INIT)
1045 		return -1;
1046 	/* key1 and key2 are used as an indicator both key and IV are set */
1047 	xctx->xts.key1 = NULL;
1048 	xctx->xts.key2 = NULL;
1049 	return 1;
1050 	}
1051 
1052 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1053                         const unsigned char *iv, int enc)
1054 	{
1055 	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1056 	if (!iv && !key)
1057 		return 1;
1058 
1059 	if (key) do
1060 		{
1061 #ifdef AES_XTS_ASM
1062 		xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1063 #else
1064 		xctx->stream = NULL;
1065 #endif
1066 		/* key_len is two AES keys */
1067 #ifdef BSAES_CAPABLE
1068 		if (BSAES_CAPABLE)
1069 			xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1070 		else
1071 #endif
1072 #ifdef VPAES_CAPABLE
1073 		if (VPAES_CAPABLE)
1074 		    {
1075 		    if (enc)
1076 			{
1077 			vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1078 			xctx->xts.block1 = (block128_f)vpaes_encrypt;
1079 			}
1080 		    else
1081 			{
1082 			vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1083 			xctx->xts.block1 = (block128_f)vpaes_decrypt;
1084 			}
1085 
1086 		vpaes_set_encrypt_key(key + ctx->key_len/2,
1087 						ctx->key_len * 4, &xctx->ks2);
1088 		xctx->xts.block2 = (block128_f)vpaes_encrypt;
1089 
1090 		xctx->xts.key1 = &xctx->ks1;
1091 		break;
1092 		}
1093 #endif
1094 		if (enc)
1095 			{
1096 			AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1097 			xctx->xts.block1 = (block128_f)AES_encrypt;
1098 			}
1099 		else
1100 			{
1101 			AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1102 			xctx->xts.block1 = (block128_f)AES_decrypt;
1103 			}
1104 
1105 		AES_set_encrypt_key(key + ctx->key_len/2,
1106 						ctx->key_len * 4, &xctx->ks2);
1107 		xctx->xts.block2 = (block128_f)AES_encrypt;
1108 
1109 		xctx->xts.key1 = &xctx->ks1;
1110 		} while (0);
1111 
1112 	if (iv)
1113 		{
1114 		xctx->xts.key2 = &xctx->ks2;
1115 		memcpy(ctx->iv, iv, 16);
1116 		}
1117 
1118 	return 1;
1119 	}
1120 
1121 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1122 		const unsigned char *in, size_t len)
1123 	{
1124 	EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1125 	if (!xctx->xts.key1 || !xctx->xts.key2)
1126 		return 0;
1127 	if (!out || !in || len<AES_BLOCK_SIZE)
1128 		return 0;
1129 #ifdef OPENSSL_FIPS
1130 	/* Requirement of SP800-38E */
1131 	if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1132 			(len > (1UL<<20)*16))
1133 		{
1134 		EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1135 		return 0;
1136 		}
1137 #endif
1138 	if (xctx->stream)
1139 		(*xctx->stream)(in, out, len,
1140 				xctx->xts.key1, xctx->xts.key2, ctx->iv);
1141 	else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1142 								ctx->encrypt))
1143 		return 0;
1144 	return 1;
1145 	}
1146 
1147 #define aes_xts_cleanup NULL
1148 
1149 #define XTS_FLAGS	(EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1150 			 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1151 
1152 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1153 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1154 
1155 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1156 	{
1157 	EVP_AES_CCM_CTX *cctx = c->cipher_data;
1158 	switch (type)
1159 		{
1160 	case EVP_CTRL_INIT:
1161 		cctx->key_set = 0;
1162 		cctx->iv_set = 0;
1163 		cctx->L = 8;
1164 		cctx->M = 12;
1165 		cctx->tag_set = 0;
1166 		cctx->len_set = 0;
1167 		return 1;
1168 
1169 	case EVP_CTRL_CCM_SET_IVLEN:
1170 		arg = 15 - arg;
1171 	case EVP_CTRL_CCM_SET_L:
1172 		if (arg < 2 || arg > 8)
1173 			return 0;
1174 		cctx->L = arg;
1175 		return 1;
1176 
1177 	case EVP_CTRL_CCM_SET_TAG:
1178 		if ((arg & 1) || arg < 4 || arg > 16)
1179 			return 0;
1180 		if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1181 			return 0;
1182 		if (ptr)
1183 			{
1184 			cctx->tag_set = 1;
1185 			memcpy(c->buf, ptr, arg);
1186 			}
1187 		cctx->M = arg;
1188 		return 1;
1189 
1190 	case EVP_CTRL_CCM_GET_TAG:
1191 		if (!c->encrypt || !cctx->tag_set)
1192 			return 0;
1193 		if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1194 			return 0;
1195 		cctx->tag_set = 0;
1196 		cctx->iv_set = 0;
1197 		cctx->len_set = 0;
1198 		return 1;
1199 
1200 	default:
1201 		return -1;
1202 
1203 		}
1204 	}
1205 
1206 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1207                         const unsigned char *iv, int enc)
1208 	{
1209 	EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1210 	if (!iv && !key)
1211 		return 1;
1212 	if (key) do
1213 		{
1214 #ifdef VPAES_CAPABLE
1215 		if (VPAES_CAPABLE)
1216 			{
1217 			vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
1218 			CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1219 					&cctx->ks, (block128_f)vpaes_encrypt);
1220 			cctx->str = NULL;
1221 			cctx->key_set = 1;
1222 			break;
1223 			}
1224 #endif
1225 		AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
1226 		CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1227 					&cctx->ks, (block128_f)AES_encrypt);
1228 		cctx->str = NULL;
1229 		cctx->key_set = 1;
1230 		} while (0);
1231 	if (iv)
1232 		{
1233 		memcpy(ctx->iv, iv, 15 - cctx->L);
1234 		cctx->iv_set = 1;
1235 		}
1236 	return 1;
1237 	}
1238 
1239 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1240 		const unsigned char *in, size_t len)
1241 	{
1242 	EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1243 	CCM128_CONTEXT *ccm = &cctx->ccm;
1244 	/* If not set up, return error */
1245 	if (!cctx->iv_set && !cctx->key_set)
1246 		return -1;
1247 	if (!ctx->encrypt && !cctx->tag_set)
1248 		return -1;
1249 	if (!out)
1250 		{
1251 		if (!in)
1252 			{
1253 			if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
1254 				return -1;
1255 			cctx->len_set = 1;
1256 			return len;
1257 			}
1258 		/* If have AAD need message length */
1259 		if (!cctx->len_set && len)
1260 			return -1;
1261 		CRYPTO_ccm128_aad(ccm, in, len);
1262 		return len;
1263 		}
1264 	/* EVP_*Final() doesn't return any data */
1265 	if (!in)
1266 		return 0;
1267 	/* If not set length yet do it */
1268 	if (!cctx->len_set)
1269 		{
1270 		if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1271 			return -1;
1272 		cctx->len_set = 1;
1273 		}
1274 	if (ctx->encrypt)
1275 		{
1276 		if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
1277 						cctx->str) :
1278 				CRYPTO_ccm128_encrypt(ccm, in, out, len))
1279 			return -1;
1280 		cctx->tag_set = 1;
1281 		return len;
1282 		}
1283 	else
1284 		{
1285 		int rv = -1;
1286 		if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
1287 						cctx->str) :
1288 				!CRYPTO_ccm128_decrypt(ccm, in, out, len))
1289 			{
1290 			unsigned char tag[16];
1291 			if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
1292 				{
1293 				if (!memcmp(tag, ctx->buf, cctx->M))
1294 					rv = len;
1295 				}
1296 			}
1297 		if (rv == -1)
1298 			OPENSSL_cleanse(out, len);
1299 		cctx->iv_set = 0;
1300 		cctx->tag_set = 0;
1301 		cctx->len_set = 0;
1302 		return rv;
1303 		}
1304 
1305 	}
1306 
1307 #define aes_ccm_cleanup NULL
1308 
1309 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1310 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1311 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1312 
1313 #endif
1314 #endif
1315