Fix build when BSAES_ASM is defined but VPAES_ASM is not
[openssl.git] / crypto / evp / e_aes.c
1 /* ====================================================================
2  * Copyright (c) 2001-2014 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer. 
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50
51 #define OPENSSL_FIPSAPI
52
53 #include <openssl/opensslconf.h>
54 #ifndef OPENSSL_NO_AES
55 #include <openssl/evp.h>
56 #include <openssl/err.h>
57 #include <string.h>
58 #include <assert.h>
59 #include <openssl/aes.h>
60 #include "evp_locl.h"
61 #include "modes_lcl.h"
62 #include <openssl/rand.h>
63
64 typedef struct
65         {
66         union { double align; AES_KEY ks; } ks;
67         block128_f block;
68         union {
69                 cbc128_f cbc;
70                 ctr128_f ctr;
71         } stream;
72         } EVP_AES_KEY;
73
74 typedef struct
75         {
76         union { double align; AES_KEY ks; } ks; /* AES key schedule to use */
77         int key_set;            /* Set if key initialised */
78         int iv_set;             /* Set if an iv is set */
79         GCM128_CONTEXT gcm;
80         unsigned char *iv;      /* Temporary IV store */
81         int ivlen;              /* IV length */
82         int taglen;
83         int iv_gen;             /* It is OK to generate IVs */
84         int tls_aad_len;        /* TLS AAD length */
85         ctr128_f ctr;
86         } EVP_AES_GCM_CTX;
87
88 typedef struct
89         {
90         union { double align; AES_KEY ks; } ks1, ks2;   /* AES key schedules to use */
91         XTS128_CONTEXT xts;
92         void     (*stream)(const unsigned char *in,
93                         unsigned char *out, size_t length,
94                         const AES_KEY *key1, const AES_KEY *key2,
95                         const unsigned char iv[16]);
96         } EVP_AES_XTS_CTX;
97
98 typedef struct
99         {
100         union { double align; AES_KEY ks; } ks; /* AES key schedule to use */
101         int key_set;            /* Set if key initialised */
102         int iv_set;             /* Set if an iv is set */
103         int tag_set;            /* Set if tag is valid */
104         int len_set;            /* Set if message length set */
105         int L, M;               /* L and M parameters from RFC3610 */
106         CCM128_CONTEXT ccm;
107         ccm128_f str;
108         } EVP_AES_CCM_CTX;
109
110 #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
111
112 #ifdef VPAES_ASM
113 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
114                         AES_KEY *key);
115 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
116                         AES_KEY *key);
117
118 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
119                         const AES_KEY *key);
120 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
121                         const AES_KEY *key);
122
123 void vpaes_cbc_encrypt(const unsigned char *in,
124                         unsigned char *out,
125                         size_t length,
126                         const AES_KEY *key,
127                         unsigned char *ivec, int enc);
128 #endif
129 #ifdef BSAES_ASM
130 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
131                         size_t length, const AES_KEY *key,
132                         unsigned char ivec[16], int enc);
133 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
134                         size_t len, const AES_KEY *key,
135                         const unsigned char ivec[16]);
136 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
137                         size_t len, const AES_KEY *key1,
138                         const AES_KEY *key2, const unsigned char iv[16]);
139 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
140                         size_t len, const AES_KEY *key1,
141                         const AES_KEY *key2, const unsigned char iv[16]);
142 #endif
143 #ifdef AES_CTR_ASM
144 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
145                         size_t blocks, const AES_KEY *key,
146                         const unsigned char ivec[AES_BLOCK_SIZE]);
147 #endif
148 #ifdef AES_XTS_ASM
149 void AES_xts_encrypt(const char *inp,char *out,size_t len,
150                         const AES_KEY *key1, const AES_KEY *key2,
151                         const unsigned char iv[16]);
152 void AES_xts_decrypt(const char *inp,char *out,size_t len,
153                         const AES_KEY *key1, const AES_KEY *key2,
154                         const unsigned char iv[16]);
155 #endif
156
157 #if     defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
158 # include "ppc_arch.h"
159 # ifdef VPAES_ASM
160 #  define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
161 # endif
162 # define HWAES_CAPABLE  (OPENSSL_ppccap_P & PPC_CRYPTO207)
163 # define HWAES_set_encrypt_key aes_p8_set_encrypt_key
164 # define HWAES_set_decrypt_key aes_p8_set_decrypt_key
165 # define HWAES_encrypt aes_p8_encrypt
166 # define HWAES_decrypt aes_p8_decrypt
167 # define HWAES_cbc_encrypt aes_p8_cbc_encrypt
168 # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
169 #endif
170
171 #if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
172         ((defined(__i386)       || defined(__i386__)    || \
173           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
174         defined(__x86_64)       || defined(__x86_64__)  || \
175         defined(_M_AMD64)       || defined(_M_X64)      || \
176         defined(__INTEL__)                              )
177
178 extern unsigned int OPENSSL_ia32cap_P[];
179
180 #ifdef VPAES_ASM
181 #define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
182 #endif
183 #ifdef BSAES_ASM
184 #define BSAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
185 #endif
186 /*
187  * AES-NI section
188  */
189 #define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
190
191 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
192                         AES_KEY *key);
193 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
194                         AES_KEY *key);
195
196 void aesni_encrypt(const unsigned char *in, unsigned char *out,
197                         const AES_KEY *key);
198 void aesni_decrypt(const unsigned char *in, unsigned char *out,
199                         const AES_KEY *key);
200
201 void aesni_ecb_encrypt(const unsigned char *in,
202                         unsigned char *out,
203                         size_t length,
204                         const AES_KEY *key,
205                         int enc);
206 void aesni_cbc_encrypt(const unsigned char *in,
207                         unsigned char *out,
208                         size_t length,
209                         const AES_KEY *key,
210                         unsigned char *ivec, int enc);
211
212 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
213                         unsigned char *out,
214                         size_t blocks,
215                         const void *key,
216                         const unsigned char *ivec);
217
218 void aesni_xts_encrypt(const unsigned char *in,
219                         unsigned char *out,
220                         size_t length,
221                         const AES_KEY *key1, const AES_KEY *key2,
222                         const unsigned char iv[16]);
223
224 void aesni_xts_decrypt(const unsigned char *in,
225                         unsigned char *out,
226                         size_t length,
227                         const AES_KEY *key1, const AES_KEY *key2,
228                         const unsigned char iv[16]);
229
230 void aesni_ccm64_encrypt_blocks (const unsigned char *in,
231                         unsigned char *out,
232                         size_t blocks,
233                         const void *key,
234                         const unsigned char ivec[16],
235                         unsigned char cmac[16]);
236
237 void aesni_ccm64_decrypt_blocks (const unsigned char *in,
238                         unsigned char *out,
239                         size_t blocks,
240                         const void *key,
241                         const unsigned char ivec[16],
242                         unsigned char cmac[16]);
243
244 #if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
245 size_t aesni_gcm_encrypt(const unsigned char *in,
246                         unsigned char *out,
247                         size_t len,
248                         const void *key,
249                         unsigned char ivec[16],
250                         u64 *Xi);
251 #define AES_gcm_encrypt aesni_gcm_encrypt
252 size_t aesni_gcm_decrypt(const unsigned char *in,
253                         unsigned char *out,
254                         size_t len,
255                         const void *key,
256                         unsigned char ivec[16],
257                         u64 *Xi);
258 #define AES_gcm_decrypt aesni_gcm_decrypt
259 void gcm_ghash_avx(u64 Xi[2],const u128 Htable[16],const u8 *in,size_t len);
260 #define AES_GCM_ASM(gctx)       (gctx->ctr==aesni_ctr32_encrypt_blocks && \
261                                  gctx->gcm.ghash==gcm_ghash_avx)
262 #define AES_GCM_ASM2(gctx)      (gctx->gcm.block==(block128_f)aesni_encrypt && \
263                                  gctx->gcm.ghash==gcm_ghash_avx)
264 #undef AES_GCM_ASM2             /* minor size optimization */
265 #endif
266
267 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
268                    const unsigned char *iv, int enc)
269         {
270         int ret, mode;
271         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
272
273         mode = ctx->cipher->flags & EVP_CIPH_MODE;
274         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
275             && !enc)
276                 { 
277                 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
278                 dat->block      = (block128_f)aesni_decrypt;
279                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
280                                         (cbc128_f)aesni_cbc_encrypt :
281                                         NULL;
282                 }
283         else    {
284                 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
285                 dat->block      = (block128_f)aesni_encrypt;
286                 if (mode==EVP_CIPH_CBC_MODE)
287                         dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
288                 else if (mode==EVP_CIPH_CTR_MODE)
289                         dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
290                 else
291                         dat->stream.cbc = NULL;
292                 }
293
294         if(ret < 0)
295                 {
296                 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
297                 return 0;
298                 }
299
300         return 1;
301         }
302
303 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
304         const unsigned char *in, size_t len)
305 {
306         aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
307
308         return 1;
309 }
310
311 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
312         const unsigned char *in, size_t len)
313 {
314         size_t  bl = ctx->cipher->block_size;
315
316         if (len<bl)     return 1;
317
318         aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
319
320         return 1;
321 }
322
323 #define aesni_ofb_cipher aes_ofb_cipher
324 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
325         const unsigned char *in,size_t len);
326
327 #define aesni_cfb_cipher aes_cfb_cipher
328 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
329         const unsigned char *in,size_t len);
330
331 #define aesni_cfb8_cipher aes_cfb8_cipher
332 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
333         const unsigned char *in,size_t len);
334
335 #define aesni_cfb1_cipher aes_cfb1_cipher
336 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
337         const unsigned char *in,size_t len);
338
339 #define aesni_ctr_cipher aes_ctr_cipher
340 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
341                 const unsigned char *in, size_t len);
342
343 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
344                         const unsigned char *iv, int enc)
345         {
346         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
347         if (!iv && !key)
348                 return 1;
349         if (key)
350                 {
351                 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
352                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
353                                 (block128_f)aesni_encrypt);
354                 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
355                 /* If we have an iv can set it directly, otherwise use
356                  * saved IV.
357                  */
358                 if (iv == NULL && gctx->iv_set)
359                         iv = gctx->iv;
360                 if (iv)
361                         {
362                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
363                         gctx->iv_set = 1;
364                         }
365                 gctx->key_set = 1;
366                 }
367         else
368                 {
369                 /* If key set use IV, otherwise copy */
370                 if (gctx->key_set)
371                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
372                 else
373                         memcpy(gctx->iv, iv, gctx->ivlen);
374                 gctx->iv_set = 1;
375                 gctx->iv_gen = 0;
376                 }
377         return 1;
378         }
379
380 #define aesni_gcm_cipher aes_gcm_cipher
381 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
382                 const unsigned char *in, size_t len);
383
384 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
385                         const unsigned char *iv, int enc)
386         {
387         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
388         if (!iv && !key)
389                 return 1;
390
391         if (key)
392                 {
393                 /* key_len is two AES keys */
394                 if (enc)
395                         {
396                         aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
397                         xctx->xts.block1 = (block128_f)aesni_encrypt;
398                         xctx->stream = aesni_xts_encrypt;
399                         }
400                 else
401                         {
402                         aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
403                         xctx->xts.block1 = (block128_f)aesni_decrypt;
404                         xctx->stream = aesni_xts_decrypt;
405                         }
406
407                 aesni_set_encrypt_key(key + ctx->key_len/2,
408                                                 ctx->key_len * 4, &xctx->ks2.ks);
409                 xctx->xts.block2 = (block128_f)aesni_encrypt;
410
411                 xctx->xts.key1 = &xctx->ks1;
412                 }
413
414         if (iv)
415                 {
416                 xctx->xts.key2 = &xctx->ks2;
417                 memcpy(ctx->iv, iv, 16);
418                 }
419
420         return 1;
421         }
422
423 #define aesni_xts_cipher aes_xts_cipher
424 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
425                 const unsigned char *in, size_t len);
426
427 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
428                         const unsigned char *iv, int enc)
429         {
430         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
431         if (!iv && !key)
432                 return 1;
433         if (key)
434                 {
435                 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
436                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
437                                         &cctx->ks, (block128_f)aesni_encrypt);
438                 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks :
439                                 (ccm128_f)aesni_ccm64_decrypt_blocks;
440                 cctx->key_set = 1;
441                 }
442         if (iv)
443                 {
444                 memcpy(ctx->iv, iv, 15 - cctx->L);
445                 cctx->iv_set = 1;
446                 }
447         return 1;
448         }
449
450 #define aesni_ccm_cipher aes_ccm_cipher
451 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
452                 const unsigned char *in, size_t len);
453
454 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
455 static const EVP_CIPHER aesni_##keylen##_##mode = { \
456         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
457         flags|EVP_CIPH_##MODE##_MODE,   \
458         aesni_init_key,                 \
459         aesni_##mode##_cipher,          \
460         NULL,                           \
461         sizeof(EVP_AES_KEY),            \
462         NULL,NULL,NULL,NULL }; \
463 static const EVP_CIPHER aes_##keylen##_##mode = { \
464         nid##_##keylen##_##nmode,blocksize,     \
465         keylen/8,ivlen, \
466         flags|EVP_CIPH_##MODE##_MODE,   \
467         aes_init_key,                   \
468         aes_##mode##_cipher,            \
469         NULL,                           \
470         sizeof(EVP_AES_KEY),            \
471         NULL,NULL,NULL,NULL }; \
472 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
473 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
474
475 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
476 static const EVP_CIPHER aesni_##keylen##_##mode = { \
477         nid##_##keylen##_##mode,blocksize, \
478         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
479         flags|EVP_CIPH_##MODE##_MODE,   \
480         aesni_##mode##_init_key,        \
481         aesni_##mode##_cipher,          \
482         aes_##mode##_cleanup,           \
483         sizeof(EVP_AES_##MODE##_CTX),   \
484         NULL,NULL,aes_##mode##_ctrl,NULL }; \
485 static const EVP_CIPHER aes_##keylen##_##mode = { \
486         nid##_##keylen##_##mode,blocksize, \
487         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
488         flags|EVP_CIPH_##MODE##_MODE,   \
489         aes_##mode##_init_key,          \
490         aes_##mode##_cipher,            \
491         aes_##mode##_cleanup,           \
492         sizeof(EVP_AES_##MODE##_CTX),   \
493         NULL,NULL,aes_##mode##_ctrl,NULL }; \
494 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
495 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
496
497 #elif   defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
498
499 #include "sparc_arch.h"
500
501 extern unsigned int OPENSSL_sparcv9cap_P[];
502
503 #define SPARC_AES_CAPABLE       (OPENSSL_sparcv9cap_P[1] & CFR_AES)
504
505 void    aes_t4_set_encrypt_key (const unsigned char *key, int bits,
506                                 AES_KEY *ks);
507 void    aes_t4_set_decrypt_key (const unsigned char *key, int bits,
508                                 AES_KEY *ks);
509 void    aes_t4_encrypt (const unsigned char *in, unsigned char *out,
510                                 const AES_KEY *key);
511 void    aes_t4_decrypt (const unsigned char *in, unsigned char *out,
512                                 const AES_KEY *key);
513 /*
514  * Key-length specific subroutines were chosen for following reason.
515  * Each SPARC T4 core can execute up to 8 threads which share core's
516  * resources. Loading as much key material to registers allows to
517  * minimize references to shared memory interface, as well as amount
518  * of instructions in inner loops [much needed on T4]. But then having
519  * non-key-length specific routines would require conditional branches
520  * either in inner loops or on subroutines' entries. Former is hardly
521  * acceptable, while latter means code size increase to size occupied
522  * by multiple key-length specfic subroutines, so why fight?
523  */
524 void    aes128_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
525                                 size_t len, const AES_KEY *key,
526                                 unsigned char *ivec);
527 void    aes128_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
528                                 size_t len, const AES_KEY *key,
529                                 unsigned char *ivec);
530 void    aes192_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
531                                 size_t len, const AES_KEY *key,
532                                 unsigned char *ivec);
533 void    aes192_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
534                                 size_t len, const AES_KEY *key,
535                                 unsigned char *ivec);
536 void    aes256_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
537                                 size_t len, const AES_KEY *key,
538                                 unsigned char *ivec);
539 void    aes256_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
540                                 size_t len, const AES_KEY *key,
541                                 unsigned char *ivec);
542 void    aes128_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
543                                 size_t blocks, const AES_KEY *key,
544                                 unsigned char *ivec);
545 void    aes192_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
546                                 size_t blocks, const AES_KEY *key,
547                                 unsigned char *ivec);
548 void    aes256_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
549                                 size_t blocks, const AES_KEY *key,
550                                 unsigned char *ivec);
551 void    aes128_t4_xts_encrypt (const unsigned char *in, unsigned char *out,
552                                 size_t blocks, const AES_KEY *key1,
553                                 const AES_KEY *key2, const unsigned char *ivec);
554 void    aes128_t4_xts_decrypt (const unsigned char *in, unsigned char *out,
555                                 size_t blocks, const AES_KEY *key1,
556                                 const AES_KEY *key2, const unsigned char *ivec);
557 void    aes256_t4_xts_encrypt (const unsigned char *in, unsigned char *out,
558                                 size_t blocks, const AES_KEY *key1,
559                                 const AES_KEY *key2, const unsigned char *ivec);
560 void    aes256_t4_xts_decrypt (const unsigned char *in, unsigned char *out,
561                                 size_t blocks, const AES_KEY *key1,
562                                 const AES_KEY *key2, const unsigned char *ivec);
563
564 static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
565                    const unsigned char *iv, int enc)
566         {
567         int ret, mode, bits;
568         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
569
570         mode = ctx->cipher->flags & EVP_CIPH_MODE;
571         bits = ctx->key_len*8;
572         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
573             && !enc)
574                 {
575                     ret = 0;
576                     aes_t4_set_decrypt_key(key, bits, ctx->cipher_data);
577                     dat->block  = (block128_f)aes_t4_decrypt;
578                     switch (bits) {
579                     case 128:
580                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
581                                                 (cbc128_f)aes128_t4_cbc_decrypt :
582                                                 NULL;
583                         break;
584                     case 192:
585                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
586                                                 (cbc128_f)aes192_t4_cbc_decrypt :
587                                                 NULL;
588                         break;
589                     case 256:
590                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
591                                                 (cbc128_f)aes256_t4_cbc_decrypt :
592                                                 NULL;
593                         break;
594                     default:
595                         ret = -1;
596                     }
597                 }
598         else    {
599                     ret = 0;
600                     aes_t4_set_encrypt_key(key, bits, ctx->cipher_data);
601                     dat->block  = (block128_f)aes_t4_encrypt;
602                     switch (bits) {
603                     case 128:
604                         if (mode==EVP_CIPH_CBC_MODE)
605                                 dat->stream.cbc = (cbc128_f)aes128_t4_cbc_encrypt;
606                         else if (mode==EVP_CIPH_CTR_MODE)
607                                 dat->stream.ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
608                         else
609                                 dat->stream.cbc = NULL;
610                         break;
611                     case 192:
612                         if (mode==EVP_CIPH_CBC_MODE)
613                                 dat->stream.cbc = (cbc128_f)aes192_t4_cbc_encrypt;
614                         else if (mode==EVP_CIPH_CTR_MODE)
615                                 dat->stream.ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
616                         else
617                                 dat->stream.cbc = NULL;
618                         break;
619                     case 256:
620                         if (mode==EVP_CIPH_CBC_MODE)
621                                 dat->stream.cbc = (cbc128_f)aes256_t4_cbc_encrypt;
622                         else if (mode==EVP_CIPH_CTR_MODE)
623                                 dat->stream.ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
624                         else
625                                 dat->stream.cbc = NULL;
626                         break;
627                     default:
628                         ret = -1;
629                     }
630                 }
631
632         if(ret < 0)
633                 {
634                 EVPerr(EVP_F_AES_T4_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
635                 return 0;
636                 }
637
638         return 1;
639         }
640
641 #define aes_t4_cbc_cipher aes_cbc_cipher
642 static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
643         const unsigned char *in, size_t len);
644
645 #define aes_t4_ecb_cipher aes_ecb_cipher 
646 static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
647         const unsigned char *in, size_t len);
648
649 #define aes_t4_ofb_cipher aes_ofb_cipher
650 static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
651         const unsigned char *in,size_t len);
652
653 #define aes_t4_cfb_cipher aes_cfb_cipher
654 static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
655         const unsigned char *in,size_t len);
656
657 #define aes_t4_cfb8_cipher aes_cfb8_cipher
658 static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
659         const unsigned char *in,size_t len);
660
661 #define aes_t4_cfb1_cipher aes_cfb1_cipher
662 static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
663         const unsigned char *in,size_t len);
664
665 #define aes_t4_ctr_cipher aes_ctr_cipher
666 static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
667                 const unsigned char *in, size_t len);
668
669 static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
670                         const unsigned char *iv, int enc)
671         {
672         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
673         if (!iv && !key)
674                 return 1;
675         if (key)
676                 {
677                 int bits = ctx->key_len * 8;
678                 aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
679                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
680                                 (block128_f)aes_t4_encrypt);
681                 switch (bits) {
682                     case 128:
683                         gctx->ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
684                         break;
685                     case 192:
686                         gctx->ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
687                         break;
688                     case 256:
689                         gctx->ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
690                         break;
691                     default:
692                         return 0;
693                 }
694                 /* If we have an iv can set it directly, otherwise use
695                  * saved IV.
696                  */
697                 if (iv == NULL && gctx->iv_set)
698                         iv = gctx->iv;
699                 if (iv)
700                         {
701                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
702                         gctx->iv_set = 1;
703                         }
704                 gctx->key_set = 1;
705                 }
706         else
707                 {
708                 /* If key set use IV, otherwise copy */
709                 if (gctx->key_set)
710                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
711                 else
712                         memcpy(gctx->iv, iv, gctx->ivlen);
713                 gctx->iv_set = 1;
714                 gctx->iv_gen = 0;
715                 }
716         return 1;
717         }
718
719 #define aes_t4_gcm_cipher aes_gcm_cipher
720 static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
721                 const unsigned char *in, size_t len);
722
723 static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
724                         const unsigned char *iv, int enc)
725         {
726         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
727         if (!iv && !key)
728                 return 1;
729
730         if (key)
731                 {
732                 int bits = ctx->key_len * 4;
733                 xctx->stream = NULL;
734                 /* key_len is two AES keys */
735                 if (enc)
736                         {
737                         aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
738                         xctx->xts.block1 = (block128_f)aes_t4_encrypt;
739                         switch (bits) {
740                             case 128:
741                                 xctx->stream = aes128_t4_xts_encrypt;
742                                 break;
743 #if 0 /* not yet */
744                             case 192:
745                                 xctx->stream = aes192_t4_xts_encrypt;
746                                 break;
747 #endif
748                             case 256:
749                                 xctx->stream = aes256_t4_xts_encrypt;
750                                 break;
751                             default:
752                                 return 0;
753                             }
754                         }
755                 else
756                         {
757                         aes_t4_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
758                         xctx->xts.block1 = (block128_f)aes_t4_decrypt;
759                         switch (bits) {
760                             case 128:
761                                 xctx->stream = aes128_t4_xts_decrypt;
762                                 break;
763 #if 0 /* not yet */
764                             case 192:
765                                 xctx->stream = aes192_t4_xts_decrypt;
766                                 break;
767 #endif
768                             case 256:
769                                 xctx->stream = aes256_t4_xts_decrypt;
770                                 break;
771                             default:
772                                 return 0;
773                             }
774                         }
775
776                 aes_t4_set_encrypt_key(key + ctx->key_len/2,
777                                                 ctx->key_len * 4, &xctx->ks2.ks);
778                 xctx->xts.block2 = (block128_f)aes_t4_encrypt;
779
780                 xctx->xts.key1 = &xctx->ks1;
781                 }
782
783         if (iv)
784                 {
785                 xctx->xts.key2 = &xctx->ks2;
786                 memcpy(ctx->iv, iv, 16);
787                 }
788
789         return 1;
790         }
791
792 #define aes_t4_xts_cipher aes_xts_cipher
793 static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
794                 const unsigned char *in, size_t len);
795
796 static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
797                         const unsigned char *iv, int enc)
798         {
799         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
800         if (!iv && !key)
801                 return 1;
802         if (key)
803                 {
804                 int bits = ctx->key_len * 8;
805                 aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
806                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
807                                         &cctx->ks, (block128_f)aes_t4_encrypt);
808 #if 0 /* not yet */
809                 switch (bits) {
810                     case 128:
811                         cctx->str = enc?(ccm128_f)aes128_t4_ccm64_encrypt :
812                                 (ccm128_f)ae128_t4_ccm64_decrypt;
813                         break;
814                     case 192:
815                         cctx->str = enc?(ccm128_f)aes192_t4_ccm64_encrypt :
816                                 (ccm128_f)ae192_t4_ccm64_decrypt;
817                         break;
818                     case 256:
819                         cctx->str = enc?(ccm128_f)aes256_t4_ccm64_encrypt :
820                                 (ccm128_f)ae256_t4_ccm64_decrypt;
821                         break;
822                     default:
823                         return 0;
824                     }
825 #endif
826                 cctx->key_set = 1;
827                 }
828         if (iv)
829                 {
830                 memcpy(ctx->iv, iv, 15 - cctx->L);
831                 cctx->iv_set = 1;
832                 }
833         return 1;
834         }
835
836 #define aes_t4_ccm_cipher aes_ccm_cipher
837 static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
838                 const unsigned char *in, size_t len);
839
840 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
841 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
842         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
843         flags|EVP_CIPH_##MODE##_MODE,   \
844         aes_t4_init_key,                \
845         aes_t4_##mode##_cipher,         \
846         NULL,                           \
847         sizeof(EVP_AES_KEY),            \
848         NULL,NULL,NULL,NULL }; \
849 static const EVP_CIPHER aes_##keylen##_##mode = { \
850         nid##_##keylen##_##nmode,blocksize,     \
851         keylen/8,ivlen, \
852         flags|EVP_CIPH_##MODE##_MODE,   \
853         aes_init_key,                   \
854         aes_##mode##_cipher,            \
855         NULL,                           \
856         sizeof(EVP_AES_KEY),            \
857         NULL,NULL,NULL,NULL }; \
858 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
859 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
860
861 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
862 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
863         nid##_##keylen##_##mode,blocksize, \
864         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
865         flags|EVP_CIPH_##MODE##_MODE,   \
866         aes_t4_##mode##_init_key,       \
867         aes_t4_##mode##_cipher,         \
868         aes_##mode##_cleanup,           \
869         sizeof(EVP_AES_##MODE##_CTX),   \
870         NULL,NULL,aes_##mode##_ctrl,NULL }; \
871 static const EVP_CIPHER aes_##keylen##_##mode = { \
872         nid##_##keylen##_##mode,blocksize, \
873         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
874         flags|EVP_CIPH_##MODE##_MODE,   \
875         aes_##mode##_init_key,          \
876         aes_##mode##_cipher,            \
877         aes_##mode##_cleanup,           \
878         sizeof(EVP_AES_##MODE##_CTX),   \
879         NULL,NULL,aes_##mode##_ctrl,NULL }; \
880 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
881 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
882
883 #else
884
885 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
886 static const EVP_CIPHER aes_##keylen##_##mode = { \
887         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
888         flags|EVP_CIPH_##MODE##_MODE,   \
889         aes_init_key,                   \
890         aes_##mode##_cipher,            \
891         NULL,                           \
892         sizeof(EVP_AES_KEY),            \
893         NULL,NULL,NULL,NULL }; \
894 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
895 { return &aes_##keylen##_##mode; }
896
897 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
898 static const EVP_CIPHER aes_##keylen##_##mode = { \
899         nid##_##keylen##_##mode,blocksize, \
900         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
901         flags|EVP_CIPH_##MODE##_MODE,   \
902         aes_##mode##_init_key,          \
903         aes_##mode##_cipher,            \
904         aes_##mode##_cleanup,           \
905         sizeof(EVP_AES_##MODE##_CTX),   \
906         NULL,NULL,aes_##mode##_ctrl,NULL }; \
907 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
908 { return &aes_##keylen##_##mode; }
909
910 #endif
911
912 #if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
913 #include "arm_arch.h"
914 #if __ARM_ARCH__>=7
915 # if defined(BSAES_ASM)
916 #  define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
917 # endif
918 # define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
919 # define HWAES_set_encrypt_key aes_v8_set_encrypt_key
920 # define HWAES_set_decrypt_key aes_v8_set_decrypt_key
921 # define HWAES_encrypt aes_v8_encrypt
922 # define HWAES_decrypt aes_v8_decrypt
923 # define HWAES_cbc_encrypt aes_v8_cbc_encrypt
924 # define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
925 #endif
926 #endif
927
928 #if defined(HWAES_CAPABLE)
929 int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
930         AES_KEY *key);
931 int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
932         AES_KEY *key);
933 void HWAES_encrypt(const unsigned char *in, unsigned char *out,
934         const AES_KEY *key);
935 void HWAES_decrypt(const unsigned char *in, unsigned char *out,
936         const AES_KEY *key);
937 void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
938         size_t length, const AES_KEY *key,
939         unsigned char *ivec, const int enc);
940 void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
941         size_t len, const AES_KEY *key, const unsigned char ivec[16]);
942 #endif
943
944 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
945         BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
946         BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
947         BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
948         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
949         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
950         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
951         BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
952
953 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
954                    const unsigned char *iv, int enc)
955         {
956         int ret, mode;
957         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
958
959         mode = ctx->cipher->flags & EVP_CIPH_MODE;
960         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
961             && !enc)
962 #ifdef HWAES_CAPABLE
963             if (HWAES_CAPABLE)
964                 {
965                 ret = HWAES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
966                 dat->block      = (block128_f)HWAES_decrypt;
967                 dat->stream.cbc = NULL;
968 #ifdef HWAES_cbc_encrypt
969                 if (mode==EVP_CIPH_CBC_MODE)
970                     dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
971 #endif
972                 }
973             else
974 #endif
975 #ifdef BSAES_CAPABLE
976             if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE)
977                 {
978                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
979                 dat->block      = (block128_f)AES_decrypt;
980                 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
981                 }
982             else
983 #endif
984 #ifdef VPAES_CAPABLE
985             if (VPAES_CAPABLE)
986                 {
987                 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
988                 dat->block      = (block128_f)vpaes_decrypt;
989                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
990                                         (cbc128_f)vpaes_cbc_encrypt :
991                                         NULL;
992                 }
993             else
994 #endif
995                 {
996                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
997                 dat->block      = (block128_f)AES_decrypt;
998                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
999                                         (cbc128_f)AES_cbc_encrypt :
1000                                         NULL;
1001                 }
1002         else
1003 #ifdef HWAES_CAPABLE
1004             if (HWAES_CAPABLE)
1005                 {
1006                 ret = HWAES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
1007                 dat->block      = (block128_f)HWAES_encrypt;
1008                 dat->stream.cbc = NULL;
1009 #ifdef HWAES_cbc_encrypt
1010                 if (mode==EVP_CIPH_CBC_MODE)
1011                     dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
1012                 else
1013 #endif
1014 #ifdef HWAES_ctr32_encrypt_blocks
1015                 if (mode==EVP_CIPH_CTR_MODE)
1016                     dat->stream.ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks;
1017                 else
1018 #endif
1019                 (void)0;        /* terminate potentially open 'else' */
1020                 }
1021             else
1022 #endif
1023 #ifdef BSAES_CAPABLE
1024             if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE)
1025                 {
1026                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
1027                 dat->block      = (block128_f)AES_encrypt;
1028                 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
1029                 }
1030             else
1031 #endif
1032 #ifdef VPAES_CAPABLE
1033             if (VPAES_CAPABLE)
1034                 {
1035                 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
1036                 dat->block      = (block128_f)vpaes_encrypt;
1037                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
1038                                         (cbc128_f)vpaes_cbc_encrypt :
1039                                         NULL;
1040                 }
1041             else
1042 #endif
1043                 {
1044                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
1045                 dat->block      = (block128_f)AES_encrypt;
1046                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
1047                                         (cbc128_f)AES_cbc_encrypt :
1048                                         NULL;
1049 #ifdef AES_CTR_ASM
1050                 if (mode==EVP_CIPH_CTR_MODE)
1051                         dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
1052 #endif
1053                 }
1054
1055         if(ret < 0)
1056                 {
1057                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
1058                 return 0;
1059                 }
1060
1061         return 1;
1062         }
1063
1064 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1065         const unsigned char *in, size_t len)
1066 {
1067         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1068
1069         if (dat->stream.cbc)
1070                 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
1071         else if (ctx->encrypt)
1072                 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
1073         else
1074                 CRYPTO_cbc128_decrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
1075
1076         return 1;
1077 }
1078
1079 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1080         const unsigned char *in, size_t len)
1081 {
1082         size_t  bl = ctx->cipher->block_size;
1083         size_t  i;
1084         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1085
1086         if (len<bl)     return 1;
1087
1088         for (i=0,len-=bl;i<=len;i+=bl)
1089                 (*dat->block)(in+i,out+i,&dat->ks);
1090
1091         return 1;
1092 }
1093
1094 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1095         const unsigned char *in,size_t len)
1096 {
1097         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1098
1099         CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
1100                         ctx->iv,&ctx->num,dat->block);
1101         return 1;
1102 }
1103
1104 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1105         const unsigned char *in,size_t len)
1106 {
1107         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1108
1109         CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
1110                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1111         return 1;
1112 }
1113
1114 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1115         const unsigned char *in,size_t len)
1116 {
1117         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1118
1119         CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
1120                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1121         return 1;
1122 }
1123
1124 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1125         const unsigned char *in,size_t len)
1126 {
1127         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1128
1129         if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
1130                 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
1131                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1132                 return 1;
1133         }
1134
1135         while (len>=MAXBITCHUNK) {
1136                 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
1137                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1138                 len-=MAXBITCHUNK;
1139         }
1140         if (len)
1141                 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
1142                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1143         
1144         return 1;
1145 }
1146
1147 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
1148                 const unsigned char *in, size_t len)
1149 {
1150         unsigned int num = ctx->num;
1151         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1152
1153         if (dat->stream.ctr)
1154                 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
1155                         ctx->iv,ctx->buf,&num,dat->stream.ctr);
1156         else
1157                 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
1158                         ctx->iv,ctx->buf,&num,dat->block);
1159         ctx->num = (size_t)num;
1160         return 1;
1161 }
1162
1163 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
1164 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
1165 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
1166
1167 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1168         {
1169         EVP_AES_GCM_CTX *gctx = c->cipher_data;
1170         OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
1171         if (gctx->iv != c->iv)
1172                 OPENSSL_free(gctx->iv);
1173         return 1;
1174         }
1175
1176 /* increment counter (64-bit int) by 1 */
1177 static void ctr64_inc(unsigned char *counter) {
1178         int n=8;
1179         unsigned char  c;
1180
1181         do {
1182                 --n;
1183                 c = counter[n];
1184                 ++c;
1185                 counter[n] = c;
1186                 if (c) return;
1187         } while (n);
1188 }
1189
1190 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1191         {
1192         EVP_AES_GCM_CTX *gctx = c->cipher_data;
1193         switch (type)
1194                 {
1195         case EVP_CTRL_INIT:
1196                 gctx->key_set = 0;
1197                 gctx->iv_set = 0;
1198                 gctx->ivlen = c->cipher->iv_len;
1199                 gctx->iv = c->iv;
1200                 gctx->taglen = -1;
1201                 gctx->iv_gen = 0;
1202                 gctx->tls_aad_len = -1;
1203                 return 1;
1204
1205         case EVP_CTRL_GCM_SET_IVLEN:
1206                 if (arg <= 0)
1207                         return 0;
1208 #ifdef OPENSSL_FIPS
1209                 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
1210                                                  && arg < 12)
1211                         return 0;
1212 #endif
1213                 /* Allocate memory for IV if needed */
1214                 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
1215                         {
1216                         if (gctx->iv != c->iv)
1217                                 OPENSSL_free(gctx->iv);
1218                         gctx->iv = OPENSSL_malloc(arg);
1219                         if (!gctx->iv)
1220                                 return 0;
1221                         }
1222                 gctx->ivlen = arg;
1223                 return 1;
1224
1225         case EVP_CTRL_GCM_SET_TAG:
1226                 if (arg <= 0 || arg > 16 || c->encrypt)
1227                         return 0;
1228                 memcpy(c->buf, ptr, arg);
1229                 gctx->taglen = arg;
1230                 return 1;
1231
1232         case EVP_CTRL_GCM_GET_TAG:
1233                 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1234                         return 0;
1235                 memcpy(ptr, c->buf, arg);
1236                 return 1;
1237
1238         case EVP_CTRL_GCM_SET_IV_FIXED:
1239                 /* Special case: -1 length restores whole IV */
1240                 if (arg == -1)
1241                         {
1242                         memcpy(gctx->iv, ptr, gctx->ivlen);
1243                         gctx->iv_gen = 1;
1244                         return 1;
1245                         }
1246                 /* Fixed field must be at least 4 bytes and invocation field
1247                  * at least 8.
1248                  */
1249                 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1250                         return 0;
1251                 if (arg)
1252                         memcpy(gctx->iv, ptr, arg);
1253                 if (c->encrypt &&
1254                         RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
1255                         return 0;
1256                 gctx->iv_gen = 1;
1257                 return 1;
1258
1259         case EVP_CTRL_GCM_IV_GEN:
1260                 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1261                         return 0;
1262                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1263                 if (arg <= 0 || arg > gctx->ivlen)
1264                         arg = gctx->ivlen;
1265                 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1266                 /* Invocation field will be at least 8 bytes in size and
1267                  * so no need to check wrap around or increment more than
1268                  * last 8 bytes.
1269                  */
1270                 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1271                 gctx->iv_set = 1;
1272                 return 1;
1273
1274         case EVP_CTRL_GCM_SET_IV_INV:
1275                 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1276                         return 0;
1277                 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1278                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1279                 gctx->iv_set = 1;
1280                 return 1;
1281
1282         case EVP_CTRL_AEAD_TLS1_AAD:
1283                 /* Save the AAD for later use */
1284                 if (arg != 13)
1285                         return 0;
1286                 memcpy(c->buf, ptr, arg);
1287                 gctx->tls_aad_len = arg;
1288                         {
1289                         unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
1290                         /* Correct length for explicit IV */
1291                         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1292                         /* If decrypting correct for tag too */
1293                         if (!c->encrypt)
1294                                 len -= EVP_GCM_TLS_TAG_LEN;
1295                         c->buf[arg-2] = len>>8;
1296                         c->buf[arg-1] = len & 0xff;
1297                         }
1298                 /* Extra padding: tag appended to record */
1299                 return EVP_GCM_TLS_TAG_LEN;
1300
1301         case EVP_CTRL_COPY:
1302                 {
1303                         EVP_CIPHER_CTX *out = ptr;
1304                         EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
1305                         if (gctx->gcm.key)
1306                                 {
1307                                 if (gctx->gcm.key != &gctx->ks)
1308                                         return 0;
1309                                 gctx_out->gcm.key = &gctx_out->ks;
1310                                 }
1311                         if (gctx->iv == c->iv)
1312                                 gctx_out->iv = out->iv;
1313                         else
1314                         {
1315                                 gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
1316                                 if (!gctx_out->iv)
1317                                         return 0;
1318                                 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
1319                         }
1320                         return 1;
1321                 }
1322
1323         default:
1324                 return -1;
1325
1326                 }
1327         }
1328
1329 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1330                         const unsigned char *iv, int enc)
1331         {
1332         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1333         if (!iv && !key)
1334                 return 1;
1335         if (key)
1336                 { do {
1337 #ifdef HWAES_CAPABLE
1338                 if (HWAES_CAPABLE)
1339                         {
1340                         HWAES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks);
1341                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
1342                                         (block128_f)HWAES_encrypt);
1343 #ifdef HWAES_ctr32_encrypt_blocks
1344                         gctx->ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks;
1345 #else
1346                         gctx->ctr = NULL;
1347 #endif
1348                         break;
1349                         }
1350                 else
1351 #endif
1352 #ifdef BSAES_CAPABLE
1353                 if (BSAES_CAPABLE)
1354                         {
1355                         AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks);
1356                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
1357                                         (block128_f)AES_encrypt);
1358                         gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
1359                         break;
1360                         }
1361                 else
1362 #endif
1363 #ifdef VPAES_CAPABLE
1364                 if (VPAES_CAPABLE)
1365                         {
1366                         vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks);
1367                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
1368                                         (block128_f)vpaes_encrypt);
1369                         gctx->ctr = NULL;
1370                         break;
1371                         }
1372                 else
1373 #endif
1374                 (void)0;        /* terminate potentially open 'else' */
1375
1376                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1377                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
1378 #ifdef AES_CTR_ASM
1379                 gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
1380 #else
1381                 gctx->ctr = NULL;
1382 #endif
1383                 } while (0);
1384
1385                 /* If we have an iv can set it directly, otherwise use
1386                  * saved IV.
1387                  */
1388                 if (iv == NULL && gctx->iv_set)
1389                         iv = gctx->iv;
1390                 if (iv)
1391                         {
1392                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1393                         gctx->iv_set = 1;
1394                         }
1395                 gctx->key_set = 1;
1396                 }
1397         else
1398                 {
1399                 /* If key set use IV, otherwise copy */
1400                 if (gctx->key_set)
1401                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1402                 else
1403                         memcpy(gctx->iv, iv, gctx->ivlen);
1404                 gctx->iv_set = 1;
1405                 gctx->iv_gen = 0;
1406                 }
1407         return 1;
1408         }
1409
1410 /* Handle TLS GCM packet format. This consists of the last portion of the IV
1411  * followed by the payload and finally the tag. On encrypt generate IV,
1412  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1413  * and verify tag.
1414  */
1415
1416 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1417                 const unsigned char *in, size_t len)
1418         {
1419         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1420         int rv = -1;
1421         /* Encrypt/decrypt must be performed in place */
1422         if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN))
1423                 return -1;
1424         /* Set IV from start of buffer or generate IV and write to start
1425          * of buffer.
1426          */
1427         if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1428                                 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1429                                 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1430                 goto err;
1431         /* Use saved AAD */
1432         if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1433                 goto err;
1434         /* Fix buffer and length to point to payload */
1435         in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1436         out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1437         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1438         if (ctx->encrypt)
1439                 {
1440                 /* Encrypt payload */
1441                 if (gctx->ctr)
1442                         {
1443                         size_t bulk=0;
1444 #if defined(AES_GCM_ASM)
1445                         if (len>=32 && AES_GCM_ASM(gctx))
1446                                 {
1447                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm,NULL,NULL,0))
1448                                         return -1;
1449
1450                                 bulk = AES_gcm_encrypt(in,out,len,
1451                                                         gctx->gcm.key,
1452                                                         gctx->gcm.Yi.c,
1453                                                         gctx->gcm.Xi.u);
1454                                 gctx->gcm.len.u[1] += bulk;
1455                                 }
1456 #endif
1457                         if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1458                                                         in +bulk,
1459                                                         out+bulk,
1460                                                         len-bulk,
1461                                                         gctx->ctr))
1462                                 goto err;
1463                         }
1464                 else    {
1465                         size_t bulk=0;
1466 #if defined(AES_GCM_ASM2)
1467                         if (len>=32 && AES_GCM_ASM2(gctx))
1468                                 {
1469                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm,NULL,NULL,0))
1470                                         return -1;
1471
1472                                 bulk = AES_gcm_encrypt(in,out,len,
1473                                                         gctx->gcm.key,
1474                                                         gctx->gcm.Yi.c,
1475                                                         gctx->gcm.Xi.u);
1476                                 gctx->gcm.len.u[1] += bulk;
1477                                 }
1478 #endif
1479                         if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1480                                                         in +bulk,
1481                                                         out+bulk,
1482                                                         len-bulk))
1483                                 goto err;
1484                         }
1485                 out += len;
1486                 /* Finally write tag */
1487                 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1488                 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1489                 }
1490         else
1491                 {
1492                 /* Decrypt */
1493                 if (gctx->ctr)
1494                         {
1495                         size_t bulk=0;
1496 #if defined(AES_GCM_ASM)
1497                         if (len>=16 && AES_GCM_ASM(gctx))
1498                                 {
1499                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm,NULL,NULL,0))
1500                                         return -1;
1501
1502                                 bulk = AES_gcm_decrypt(in,out,len,
1503                                                         gctx->gcm.key,
1504                                                         gctx->gcm.Yi.c,
1505                                                         gctx->gcm.Xi.u);
1506                                 gctx->gcm.len.u[1] += bulk;
1507                                 }
1508 #endif
1509                         if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1510                                                         in +bulk,
1511                                                         out+bulk,
1512                                                         len-bulk,
1513                                                         gctx->ctr))
1514                                 goto err;
1515                         }
1516                 else    {
1517                         size_t bulk=0;
1518 #if defined(AES_GCM_ASM2)
1519                         if (len>=16 && AES_GCM_ASM2(gctx))
1520                                 {
1521                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm,NULL,NULL,0))
1522                                         return -1;
1523
1524                                 bulk = AES_gcm_decrypt(in,out,len,
1525                                                         gctx->gcm.key,
1526                                                         gctx->gcm.Yi.c,
1527                                                         gctx->gcm.Xi.u);
1528                                 gctx->gcm.len.u[1] += bulk;
1529                                 }
1530 #endif
1531                         if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1532                                                         in +bulk,
1533                                                         out+bulk,
1534                                                         len-bulk))
1535                                 goto err;
1536                         }
1537                 /* Retrieve tag */
1538                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
1539                                         EVP_GCM_TLS_TAG_LEN);
1540                 /* If tag mismatch wipe buffer */
1541                 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
1542                         {
1543                         OPENSSL_cleanse(out, len);
1544                         goto err;
1545                         }
1546                 rv = len;
1547                 }
1548
1549         err:
1550         gctx->iv_set = 0;
1551         gctx->tls_aad_len = -1;
1552         return rv;
1553         }
1554
1555 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1556                 const unsigned char *in, size_t len)
1557         {
1558         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1559         /* If not set up, return error */
1560         if (!gctx->key_set)
1561                 return -1;
1562
1563         if (gctx->tls_aad_len >= 0)
1564                 return aes_gcm_tls_cipher(ctx, out, in, len);
1565
1566         if (!gctx->iv_set)
1567                 return -1;
1568         if (in)
1569                 {
1570                 if (out == NULL)
1571                         {
1572                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1573                                 return -1;
1574                         }
1575                 else if (ctx->encrypt)
1576                         {
1577                         if (gctx->ctr)
1578                                 {
1579                                 size_t bulk=0;
1580 #if defined(AES_GCM_ASM)
1581                                 if (len>=32 && AES_GCM_ASM(gctx))
1582                                         {
1583                                         size_t res = (16-gctx->gcm.mres)%16;
1584
1585                                         if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1586                                                         in,out,res))
1587                                                 return -1;
1588
1589                                         bulk = AES_gcm_encrypt(in+res,
1590                                                         out+res,len-res,                                                                gctx->gcm.key,
1591                                                         gctx->gcm.Yi.c,
1592                                                         gctx->gcm.Xi.u);
1593                                         gctx->gcm.len.u[1] += bulk;
1594                                         bulk += res;
1595                                         }
1596 #endif
1597                                 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1598                                                         in +bulk,
1599                                                         out+bulk,
1600                                                         len-bulk,
1601                                                         gctx->ctr))
1602                                         return -1;
1603                                 }
1604                         else    {
1605                                 size_t bulk=0;
1606 #if defined(AES_GCM_ASM2)
1607                                 if (len>=32 && AES_GCM_ASM2(gctx))
1608                                         {
1609                                         size_t res = (16-gctx->gcm.mres)%16;
1610
1611                                         if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1612                                                         in,out,res))
1613                                                 return -1;
1614
1615                                         bulk = AES_gcm_encrypt(in+res,
1616                                                         out+res,len-res,                                                                gctx->gcm.key,
1617                                                         gctx->gcm.Yi.c,
1618                                                         gctx->gcm.Xi.u);
1619                                         gctx->gcm.len.u[1] += bulk;
1620                                         bulk += res;
1621                                         }
1622 #endif
1623                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1624                                                         in +bulk,
1625                                                         out+bulk,
1626                                                         len-bulk))
1627                                         return -1;
1628                                 }
1629                         }
1630                 else
1631                         {
1632                         if (gctx->ctr)
1633                                 {
1634                                 size_t bulk=0;
1635 #if defined(AES_GCM_ASM)
1636                                 if (len>=16 && AES_GCM_ASM(gctx))
1637                                         {
1638                                         size_t res = (16-gctx->gcm.mres)%16;
1639
1640                                         if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1641                                                         in,out,res))
1642                                                 return -1;
1643
1644                                         bulk = AES_gcm_decrypt(in+res,
1645                                                         out+res,len-res,
1646                                                         gctx->gcm.key,
1647                                                         gctx->gcm.Yi.c,
1648                                                         gctx->gcm.Xi.u);
1649                                         gctx->gcm.len.u[1] += bulk;
1650                                         bulk += res;
1651                                         }
1652 #endif
1653                                 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1654                                                         in +bulk,
1655                                                         out+bulk,
1656                                                         len-bulk,
1657                                                         gctx->ctr))
1658                                         return -1;
1659                                 }
1660                         else    {
1661                                 size_t bulk=0;
1662 #if defined(AES_GCM_ASM2)
1663                                 if (len>=16 && AES_GCM_ASM2(gctx))
1664                                         {
1665                                         size_t res = (16-gctx->gcm.mres)%16;
1666
1667                                         if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1668                                                         in,out,res))
1669                                                 return -1;
1670
1671                                         bulk = AES_gcm_decrypt(in+res,
1672                                                         out+res,len-res,
1673                                                         gctx->gcm.key,
1674                                                         gctx->gcm.Yi.c,
1675                                                         gctx->gcm.Xi.u);
1676                                         gctx->gcm.len.u[1] += bulk;
1677                                         bulk += res;
1678                                         }
1679 #endif
1680                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1681                                                         in +bulk,
1682                                                         out+bulk,
1683                                                         len-bulk))
1684                                         return -1;
1685                                 }
1686                         }
1687                 return len;
1688                 }
1689         else
1690                 {
1691                 if (!ctx->encrypt)
1692                         {
1693                         if (gctx->taglen < 0)
1694                                 return -1;
1695                         if (CRYPTO_gcm128_finish(&gctx->gcm,
1696                                         ctx->buf, gctx->taglen) != 0)
1697                                 return -1;
1698                         gctx->iv_set = 0;
1699                         return 0;
1700                         }
1701                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1702                 gctx->taglen = 16;
1703                 /* Don't reuse the IV */
1704                 gctx->iv_set = 0;
1705                 return 0;
1706                 }
1707
1708         }
1709
1710 #define CUSTOM_FLAGS    (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1711                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1712                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1713                 | EVP_CIPH_CUSTOM_COPY)
1714
1715 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1716                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1717 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1718                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1719 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1720                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1721
1722 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1723         {
1724         EVP_AES_XTS_CTX *xctx = c->cipher_data;
1725         if (type == EVP_CTRL_COPY)
1726                 {
1727                 EVP_CIPHER_CTX *out = ptr;
1728                 EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
1729                 if (xctx->xts.key1)
1730                         {
1731                         if (xctx->xts.key1 != &xctx->ks1)
1732                                 return 0;
1733                         xctx_out->xts.key1 = &xctx_out->ks1;
1734                         }
1735                 if (xctx->xts.key2)
1736                         {
1737                         if (xctx->xts.key2 != &xctx->ks2)
1738                                 return 0;
1739                         xctx_out->xts.key2 = &xctx_out->ks2;
1740                         }
1741                 return 1;
1742                 }
1743         else if (type != EVP_CTRL_INIT)
1744                 return -1;
1745         /* key1 and key2 are used as an indicator both key and IV are set */
1746         xctx->xts.key1 = NULL;
1747         xctx->xts.key2 = NULL;
1748         return 1;
1749         }
1750
1751 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1752                         const unsigned char *iv, int enc)
1753         {
1754         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1755         if (!iv && !key)
1756                 return 1;
1757
1758         if (key) do
1759                 {
1760 #ifdef AES_XTS_ASM
1761                 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1762 #else
1763                 xctx->stream = NULL;
1764 #endif
1765                 /* key_len is two AES keys */
1766 #ifdef HWAES_CAPABLE
1767                 if (HWAES_CAPABLE)
1768                         {
1769                         if (enc)
1770                             {
1771                             HWAES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1772                             xctx->xts.block1 = (block128_f)HWAES_encrypt;
1773                             }
1774                         else
1775                             {
1776                             HWAES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1777                             xctx->xts.block1 = (block128_f)HWAES_decrypt;
1778                             }
1779
1780                         HWAES_set_encrypt_key(key + ctx->key_len/2,
1781                                                     ctx->key_len * 4, &xctx->ks2.ks);
1782                         xctx->xts.block2 = (block128_f)HWAES_encrypt;
1783
1784                         xctx->xts.key1 = &xctx->ks1;
1785                         break;
1786                         }
1787                 else
1788 #endif
1789 #ifdef BSAES_CAPABLE
1790                 if (BSAES_CAPABLE)
1791                         xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1792                 else
1793 #endif
1794 #ifdef VPAES_CAPABLE
1795                 if (VPAES_CAPABLE)
1796                     {
1797                     if (enc)
1798                         {
1799                         vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1800                         xctx->xts.block1 = (block128_f)vpaes_encrypt;
1801                         }
1802                     else
1803                         {
1804                         vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1805                         xctx->xts.block1 = (block128_f)vpaes_decrypt;
1806                         }
1807
1808                     vpaes_set_encrypt_key(key + ctx->key_len/2,
1809                                                 ctx->key_len * 4, &xctx->ks2.ks);
1810                     xctx->xts.block2 = (block128_f)vpaes_encrypt;
1811
1812                     xctx->xts.key1 = &xctx->ks1;
1813                     break;
1814                     }
1815                 else
1816 #endif
1817                 (void)0;        /* terminate potentially open 'else' */
1818
1819                 if (enc)
1820                         {
1821                         AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1822                         xctx->xts.block1 = (block128_f)AES_encrypt;
1823                         }
1824                 else
1825                         {
1826                         AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1827                         xctx->xts.block1 = (block128_f)AES_decrypt;
1828                         }
1829
1830                 AES_set_encrypt_key(key + ctx->key_len/2,
1831                                                 ctx->key_len * 4, &xctx->ks2.ks);
1832                 xctx->xts.block2 = (block128_f)AES_encrypt;
1833
1834                 xctx->xts.key1 = &xctx->ks1;
1835                 } while (0);
1836
1837         if (iv)
1838                 {
1839                 xctx->xts.key2 = &xctx->ks2;
1840                 memcpy(ctx->iv, iv, 16);
1841                 }
1842
1843         return 1;
1844         }
1845
1846 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1847                 const unsigned char *in, size_t len)
1848         {
1849         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1850         if (!xctx->xts.key1 || !xctx->xts.key2)
1851                 return 0;
1852         if (!out || !in || len<AES_BLOCK_SIZE)
1853                 return 0;
1854 #ifdef OPENSSL_FIPS
1855         /* Requirement of SP800-38E */
1856         if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1857                         (len > (1UL<<20)*16))
1858                 {
1859                 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1860                 return 0;
1861                 }
1862 #endif
1863         if (xctx->stream)
1864                 (*xctx->stream)(in, out, len,
1865                                 xctx->xts.key1, xctx->xts.key2, ctx->iv);
1866         else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1867                                                                 ctx->encrypt))
1868                 return 0;
1869         return 1;
1870         }
1871
1872 #define aes_xts_cleanup NULL
1873
1874 #define XTS_FLAGS       (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1875                          | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
1876                          | EVP_CIPH_CUSTOM_COPY)
1877
1878 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1879 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1880
1881 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1882         {
1883         EVP_AES_CCM_CTX *cctx = c->cipher_data;
1884         switch (type)
1885                 {
1886         case EVP_CTRL_INIT:
1887                 cctx->key_set = 0;
1888                 cctx->iv_set = 0;
1889                 cctx->L = 8;
1890                 cctx->M = 12;
1891                 cctx->tag_set = 0;
1892                 cctx->len_set = 0;
1893                 return 1;
1894
1895         case EVP_CTRL_CCM_SET_IVLEN:
1896                 arg = 15 - arg;
1897         case EVP_CTRL_CCM_SET_L:
1898                 if (arg < 2 || arg > 8)
1899                         return 0;
1900                 cctx->L = arg;
1901                 return 1;
1902
1903         case EVP_CTRL_CCM_SET_TAG:
1904                 if ((arg & 1) || arg < 4 || arg > 16)
1905                         return 0;
1906                 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1907                         return 0;
1908                 if (ptr)
1909                         {
1910                         cctx->tag_set = 1;
1911                         memcpy(c->buf, ptr, arg);
1912                         }
1913                 cctx->M = arg;
1914                 return 1;
1915
1916         case EVP_CTRL_CCM_GET_TAG:
1917                 if (!c->encrypt || !cctx->tag_set)
1918                         return 0;
1919                 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1920                         return 0;
1921                 cctx->tag_set = 0;
1922                 cctx->iv_set = 0;
1923                 cctx->len_set = 0;
1924                 return 1;
1925
1926         case EVP_CTRL_COPY:
1927                 {
1928                         EVP_CIPHER_CTX *out = ptr;
1929                         EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
1930                         if (cctx->ccm.key)
1931                                 {
1932                                 if (cctx->ccm.key != &cctx->ks)
1933                                         return 0;
1934                                 cctx_out->ccm.key = &cctx_out->ks;
1935                                 }
1936                         return 1;
1937                 }
1938
1939         default:
1940                 return -1;
1941
1942                 }
1943         }
1944
1945 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1946                         const unsigned char *iv, int enc)
1947         {
1948         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1949         if (!iv && !key)
1950                 return 1;
1951         if (key) do
1952                 {
1953 #ifdef HWAES_CAPABLE
1954                 if (HWAES_CAPABLE)
1955                         {
1956                         HWAES_set_encrypt_key(key,ctx->key_len*8,&cctx->ks.ks);
1957
1958                         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1959                                         &cctx->ks, (block128_f)HWAES_encrypt);
1960                         cctx->str = NULL;
1961                         cctx->key_set = 1;
1962                         break;
1963                         }
1964                 else
1965 #endif
1966 #ifdef VPAES_CAPABLE
1967                 if (VPAES_CAPABLE)
1968                         {
1969                         vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks.ks);
1970                         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1971                                         &cctx->ks, (block128_f)vpaes_encrypt);
1972                         cctx->str = NULL;
1973                         cctx->key_set = 1;
1974                         break;
1975                         }
1976 #endif
1977                 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
1978                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1979                                         &cctx->ks, (block128_f)AES_encrypt);
1980                 cctx->str = NULL;
1981                 cctx->key_set = 1;
1982                 } while (0);
1983         if (iv)
1984                 {
1985                 memcpy(ctx->iv, iv, 15 - cctx->L);
1986                 cctx->iv_set = 1;
1987                 }
1988         return 1;
1989         }
1990
1991 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1992                 const unsigned char *in, size_t len)
1993         {
1994         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1995         CCM128_CONTEXT *ccm = &cctx->ccm;
1996         /* If not set up, return error */
1997         if (!cctx->iv_set && !cctx->key_set)
1998                 return -1;
1999         if (!ctx->encrypt && !cctx->tag_set)
2000                 return -1;
2001         if (!out)
2002                 {
2003                 if (!in)
2004                         {
2005                         if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
2006                                 return -1;
2007                         cctx->len_set = 1;
2008                         return len;
2009                         }
2010                 /* If have AAD need message length */
2011                 if (!cctx->len_set && len)
2012                         return -1;
2013                 CRYPTO_ccm128_aad(ccm, in, len);
2014                 return len;
2015                 }
2016         /* EVP_*Final() doesn't return any data */
2017         if (!in)
2018                 return 0;
2019         /* If not set length yet do it */
2020         if (!cctx->len_set)
2021                 {
2022                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
2023                         return -1;
2024                 cctx->len_set = 1;
2025                 }
2026         if (ctx->encrypt)
2027                 {
2028                 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
2029                                                 cctx->str) :
2030                                 CRYPTO_ccm128_encrypt(ccm, in, out, len))
2031                         return -1;
2032                 cctx->tag_set = 1;
2033                 return len;
2034                 }
2035         else
2036                 {
2037                 int rv = -1;
2038                 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
2039                                                 cctx->str) :
2040                                 !CRYPTO_ccm128_decrypt(ccm, in, out, len))
2041                         {
2042                         unsigned char tag[16];
2043                         if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
2044                                 {
2045                                 if (!memcmp(tag, ctx->buf, cctx->M))
2046                                         rv = len;
2047                                 }
2048                         }
2049                 if (rv == -1)
2050                         OPENSSL_cleanse(out, len);
2051                 cctx->iv_set = 0;
2052                 cctx->tag_set = 0;
2053                 cctx->len_set = 0;
2054                 return rv;
2055                 }
2056
2057         }
2058
2059 #define aes_ccm_cleanup NULL
2060
2061 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
2062 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
2063 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
2064
2065 typedef struct
2066         {
2067         union { double align; AES_KEY ks; } ks;
2068         /* Indicates if IV has been set */
2069         unsigned char *iv;
2070         } EVP_AES_WRAP_CTX;
2071
2072 static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
2073                         const unsigned char *iv, int enc)
2074         {
2075         EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
2076         if (!iv && !key)
2077                 return 1;
2078         if (key)
2079                 {
2080                 if (ctx->encrypt)
2081                         AES_set_encrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
2082                 else
2083                         AES_set_decrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
2084                 if (!iv)
2085                         wctx->iv = NULL;
2086                 }
2087         if (iv)
2088                 {
2089                 memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
2090                 wctx->iv = ctx->iv;
2091                 }
2092         return 1;
2093         }
2094
2095 static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
2096                 const unsigned char *in, size_t inlen)
2097         {
2098         EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
2099         size_t rv;
2100         /* AES wrap with padding has IV length of 4, without padding 8 */
2101         int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
2102         /* No final operation so always return zero length */
2103         if (!in)
2104                 return 0;
2105         /* Input length must always be non-zero */
2106         if (!inlen)
2107                 return -1;
2108         /* If decrypting need at least 16 bytes and multiple of 8 */
2109         if (!ctx->encrypt && (inlen < 16 || inlen & 0x7))
2110                 return -1;
2111         /* If not padding input must be multiple of 8 */
2112         if (!pad && inlen & 0x7)
2113                 return -1;
2114         if (!out)
2115                 {
2116                 if (ctx->encrypt)
2117                         {
2118                         /* If padding round up to multiple of 8 */
2119                         if (pad)
2120                                 inlen = (inlen + 7)/8 * 8;
2121                         /* 8 byte prefix */
2122                         return inlen + 8;
2123                         }
2124                 else
2125                         {
2126                         /* If not padding output will be exactly 8 bytes
2127                          * smaller than input. If padding it will be at
2128                          * least 8 bytes smaller but we don't know how
2129                          * much.
2130                          */
2131                         return inlen - 8;
2132                         }
2133                 }
2134         if (pad)
2135                 {
2136                 if (ctx->encrypt)
2137                         rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
2138                                                 out, in, inlen,
2139                                                 (block128_f)AES_encrypt);
2140                 else
2141                         rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
2142                                                 out, in, inlen,
2143                                                 (block128_f)AES_decrypt);
2144                 }
2145         else
2146                 {
2147                 if (ctx->encrypt)
2148                         rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
2149                                                 out, in, inlen,
2150                                                 (block128_f)AES_encrypt);
2151                 else
2152                         rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
2153                                                 out, in, inlen,
2154                                                 (block128_f)AES_decrypt);
2155                 }
2156         return rv ? (int)rv : -1;
2157         }
2158
2159 #define WRAP_FLAGS      (EVP_CIPH_WRAP_MODE \
2160                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
2161                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
2162
2163 static const EVP_CIPHER aes_128_wrap = {
2164         NID_id_aes128_wrap,
2165         8, 16, 8, WRAP_FLAGS,
2166         aes_wrap_init_key, aes_wrap_cipher,
2167         NULL,
2168         sizeof(EVP_AES_WRAP_CTX),
2169         NULL,NULL,NULL,NULL };
2170
2171 const EVP_CIPHER *EVP_aes_128_wrap(void)
2172         {
2173         return &aes_128_wrap;
2174         }
2175
2176 static const EVP_CIPHER aes_192_wrap = {
2177         NID_id_aes192_wrap,
2178         8, 24, 8, WRAP_FLAGS,
2179         aes_wrap_init_key, aes_wrap_cipher,
2180         NULL,
2181         sizeof(EVP_AES_WRAP_CTX),
2182         NULL,NULL,NULL,NULL };
2183
2184 const EVP_CIPHER *EVP_aes_192_wrap(void)
2185         {
2186         return &aes_192_wrap;
2187         }
2188
2189 static const EVP_CIPHER aes_256_wrap = {
2190         NID_id_aes256_wrap,
2191         8, 32, 8, WRAP_FLAGS,
2192         aes_wrap_init_key, aes_wrap_cipher,
2193         NULL,
2194         sizeof(EVP_AES_WRAP_CTX),
2195         NULL,NULL,NULL,NULL };
2196
2197 const EVP_CIPHER *EVP_aes_256_wrap(void)
2198         {
2199         return &aes_256_wrap;
2200         }
2201
2202 static const EVP_CIPHER aes_128_wrap_pad = {
2203         NID_id_aes128_wrap_pad,
2204         8, 16, 4, WRAP_FLAGS,
2205         aes_wrap_init_key, aes_wrap_cipher,
2206         NULL,
2207         sizeof(EVP_AES_WRAP_CTX),
2208         NULL,NULL,NULL,NULL };
2209
2210 const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
2211         {
2212         return &aes_128_wrap_pad;
2213         }
2214
2215 static const EVP_CIPHER aes_192_wrap_pad = {
2216         NID_id_aes192_wrap_pad,
2217         8, 24, 4, WRAP_FLAGS,
2218         aes_wrap_init_key, aes_wrap_cipher,
2219         NULL,
2220         sizeof(EVP_AES_WRAP_CTX),
2221         NULL,NULL,NULL,NULL };
2222
2223 const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
2224         {
2225         return &aes_192_wrap_pad;
2226         }
2227
2228 static const EVP_CIPHER aes_256_wrap_pad = {
2229         NID_id_aes256_wrap_pad,
2230         8, 32, 4, WRAP_FLAGS,
2231         aes_wrap_init_key, aes_wrap_cipher,
2232         NULL,
2233         sizeof(EVP_AES_WRAP_CTX),
2234         NULL,NULL,NULL,NULL };
2235
2236 const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
2237         {
2238         return &aes_256_wrap_pad;
2239         }
2240
2241 #endif