783ef2f7d56ee700d7df8dd044940856562422fd
[openssl.git] / crypto / evp / e_aes.c
1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer. 
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50
51 #define OPENSSL_FIPSAPI
52
53 #include <openssl/opensslconf.h>
54 #ifndef OPENSSL_NO_AES
55 #include <openssl/evp.h>
56 #include <openssl/err.h>
57 #include <string.h>
58 #include <assert.h>
59 #include <openssl/aes.h>
60 #include "evp_locl.h"
61 #include "modes_lcl.h"
62 #include <openssl/rand.h>
63
64 typedef struct
65         {
66         union { double align; AES_KEY ks; } ks;
67         block128_f block;
68         union {
69                 cbc128_f cbc;
70                 ctr128_f ctr;
71         } stream;
72         } EVP_AES_KEY;
73
74 typedef struct
75         {
76         union { double align; AES_KEY ks; } ks; /* AES key schedule to use */
77         int key_set;            /* Set if key initialised */
78         int iv_set;             /* Set if an iv is set */
79         GCM128_CONTEXT gcm;
80         unsigned char *iv;      /* Temporary IV store */
81         int ivlen;              /* IV length */
82         int taglen;
83         int iv_gen;             /* It is OK to generate IVs */
84         int tls_aad_len;        /* TLS AAD length */
85         ctr128_f ctr;
86         } EVP_AES_GCM_CTX;
87
88 typedef struct
89         {
90         union { double align; AES_KEY ks; } ks1, ks2;   /* AES key schedules to use */
91         XTS128_CONTEXT xts;
92         void     (*stream)(const unsigned char *in,
93                         unsigned char *out, size_t length,
94                         const AES_KEY *key1, const AES_KEY *key2,
95                         const unsigned char iv[16]);
96         } EVP_AES_XTS_CTX;
97
98 typedef struct
99         {
100         union { double align; AES_KEY ks; } ks; /* AES key schedule to use */
101         int key_set;            /* Set if key initialised */
102         int iv_set;             /* Set if an iv is set */
103         int tag_set;            /* Set if tag is valid */
104         int len_set;            /* Set if message length set */
105         int L, M;               /* L and M parameters from RFC3610 */
106         CCM128_CONTEXT ccm;
107         ccm128_f str;
108         } EVP_AES_CCM_CTX;
109
110 #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
111
112 #ifdef VPAES_ASM
113 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
114                         AES_KEY *key);
115 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
116                         AES_KEY *key);
117
118 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
119                         const AES_KEY *key);
120 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
121                         const AES_KEY *key);
122
123 void vpaes_cbc_encrypt(const unsigned char *in,
124                         unsigned char *out,
125                         size_t length,
126                         const AES_KEY *key,
127                         unsigned char *ivec, int enc);
128 #endif
129 #ifdef BSAES_ASM
130 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
131                         size_t length, const AES_KEY *key,
132                         unsigned char ivec[16], int enc);
133 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
134                         size_t len, const AES_KEY *key,
135                         const unsigned char ivec[16]);
136 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
137                         size_t len, const AES_KEY *key1,
138                         const AES_KEY *key2, const unsigned char iv[16]);
139 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
140                         size_t len, const AES_KEY *key1,
141                         const AES_KEY *key2, const unsigned char iv[16]);
142 #endif
143 #ifdef AES_CTR_ASM
144 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
145                         size_t blocks, const AES_KEY *key,
146                         const unsigned char ivec[AES_BLOCK_SIZE]);
147 #endif
148 #ifdef AES_XTS_ASM
149 void AES_xts_encrypt(const char *inp,char *out,size_t len,
150                         const AES_KEY *key1, const AES_KEY *key2,
151                         const unsigned char iv[16]);
152 void AES_xts_decrypt(const char *inp,char *out,size_t len,
153                         const AES_KEY *key1, const AES_KEY *key2,
154                         const unsigned char iv[16]);
155 #endif
156
157 #if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
158         ((defined(__i386)       || defined(__i386__)    || \
159           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
160         defined(__x86_64)       || defined(__x86_64__)  || \
161         defined(_M_AMD64)       || defined(_M_X64)      || \
162         defined(__INTEL__)                              )
163
164 extern unsigned int OPENSSL_ia32cap_P[];
165
166 #ifdef VPAES_ASM
167 #define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
168 #endif
169 #ifdef BSAES_ASM
170 #define BSAES_CAPABLE   VPAES_CAPABLE
171 #endif
172 /*
173  * AES-NI section
174  */
175 #define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
176
177 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
178                         AES_KEY *key);
179 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
180                         AES_KEY *key);
181
182 void aesni_encrypt(const unsigned char *in, unsigned char *out,
183                         const AES_KEY *key);
184 void aesni_decrypt(const unsigned char *in, unsigned char *out,
185                         const AES_KEY *key);
186
187 void aesni_ecb_encrypt(const unsigned char *in,
188                         unsigned char *out,
189                         size_t length,
190                         const AES_KEY *key,
191                         int enc);
192 void aesni_cbc_encrypt(const unsigned char *in,
193                         unsigned char *out,
194                         size_t length,
195                         const AES_KEY *key,
196                         unsigned char *ivec, int enc);
197
198 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
199                         unsigned char *out,
200                         size_t blocks,
201                         const void *key,
202                         const unsigned char *ivec);
203
204 void aesni_xts_encrypt(const unsigned char *in,
205                         unsigned char *out,
206                         size_t length,
207                         const AES_KEY *key1, const AES_KEY *key2,
208                         const unsigned char iv[16]);
209
210 void aesni_xts_decrypt(const unsigned char *in,
211                         unsigned char *out,
212                         size_t length,
213                         const AES_KEY *key1, const AES_KEY *key2,
214                         const unsigned char iv[16]);
215
216 void aesni_ccm64_encrypt_blocks (const unsigned char *in,
217                         unsigned char *out,
218                         size_t blocks,
219                         const void *key,
220                         const unsigned char ivec[16],
221                         unsigned char cmac[16]);
222
223 void aesni_ccm64_decrypt_blocks (const unsigned char *in,
224                         unsigned char *out,
225                         size_t blocks,
226                         const void *key,
227                         const unsigned char ivec[16],
228                         unsigned char cmac[16]);
229
230 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
231                    const unsigned char *iv, int enc)
232         {
233         int ret, mode;
234         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
235
236         mode = ctx->cipher->flags & EVP_CIPH_MODE;
237         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
238             && !enc)
239                 { 
240                 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
241                 dat->block      = (block128_f)aesni_decrypt;
242                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
243                                         (cbc128_f)aesni_cbc_encrypt :
244                                         NULL;
245                 }
246         else    {
247                 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
248                 dat->block      = (block128_f)aesni_encrypt;
249                 if (mode==EVP_CIPH_CBC_MODE)
250                         dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
251                 else if (mode==EVP_CIPH_CTR_MODE)
252                         dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
253                 else
254                         dat->stream.cbc = NULL;
255                 }
256
257         if(ret < 0)
258                 {
259                 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
260                 return 0;
261                 }
262
263         return 1;
264         }
265
266 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
267         const unsigned char *in, size_t len)
268 {
269         aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
270
271         return 1;
272 }
273
274 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
275         const unsigned char *in, size_t len)
276 {
277         size_t  bl = ctx->cipher->block_size;
278
279         if (len<bl)     return 1;
280
281         aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
282
283         return 1;
284 }
285
286 #define aesni_ofb_cipher aes_ofb_cipher
287 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
288         const unsigned char *in,size_t len);
289
290 #define aesni_cfb_cipher aes_cfb_cipher
291 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
292         const unsigned char *in,size_t len);
293
294 #define aesni_cfb8_cipher aes_cfb8_cipher
295 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
296         const unsigned char *in,size_t len);
297
298 #define aesni_cfb1_cipher aes_cfb1_cipher
299 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
300         const unsigned char *in,size_t len);
301
302 #define aesni_ctr_cipher aes_ctr_cipher
303 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
304                 const unsigned char *in, size_t len);
305
306 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
307                         const unsigned char *iv, int enc)
308         {
309         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
310         if (!iv && !key)
311                 return 1;
312         if (key)
313                 {
314                 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
315                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
316                                 (block128_f)aesni_encrypt);
317                 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
318                 /* If we have an iv can set it directly, otherwise use
319                  * saved IV.
320                  */
321                 if (iv == NULL && gctx->iv_set)
322                         iv = gctx->iv;
323                 if (iv)
324                         {
325                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
326                         gctx->iv_set = 1;
327                         }
328                 gctx->key_set = 1;
329                 }
330         else
331                 {
332                 /* If key set use IV, otherwise copy */
333                 if (gctx->key_set)
334                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
335                 else
336                         memcpy(gctx->iv, iv, gctx->ivlen);
337                 gctx->iv_set = 1;
338                 gctx->iv_gen = 0;
339                 }
340         return 1;
341         }
342
343 #define aesni_gcm_cipher aes_gcm_cipher
344 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
345                 const unsigned char *in, size_t len);
346
347 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
348                         const unsigned char *iv, int enc)
349         {
350         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
351         if (!iv && !key)
352                 return 1;
353
354         if (key)
355                 {
356                 /* key_len is two AES keys */
357                 if (enc)
358                         {
359                         aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
360                         xctx->xts.block1 = (block128_f)aesni_encrypt;
361                         xctx->stream = aesni_xts_encrypt;
362                         }
363                 else
364                         {
365                         aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
366                         xctx->xts.block1 = (block128_f)aesni_decrypt;
367                         xctx->stream = aesni_xts_decrypt;
368                         }
369
370                 aesni_set_encrypt_key(key + ctx->key_len/2,
371                                                 ctx->key_len * 4, &xctx->ks2.ks);
372                 xctx->xts.block2 = (block128_f)aesni_encrypt;
373
374                 xctx->xts.key1 = &xctx->ks1;
375                 }
376
377         if (iv)
378                 {
379                 xctx->xts.key2 = &xctx->ks2;
380                 memcpy(ctx->iv, iv, 16);
381                 }
382
383         return 1;
384         }
385
386 #define aesni_xts_cipher aes_xts_cipher
387 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
388                 const unsigned char *in, size_t len);
389
390 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
391                         const unsigned char *iv, int enc)
392         {
393         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
394         if (!iv && !key)
395                 return 1;
396         if (key)
397                 {
398                 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
399                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
400                                         &cctx->ks, (block128_f)aesni_encrypt);
401                 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks :
402                                 (ccm128_f)aesni_ccm64_decrypt_blocks;
403                 cctx->key_set = 1;
404                 }
405         if (iv)
406                 {
407                 memcpy(ctx->iv, iv, 15 - cctx->L);
408                 cctx->iv_set = 1;
409                 }
410         return 1;
411         }
412
413 #define aesni_ccm_cipher aes_ccm_cipher
414 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
415                 const unsigned char *in, size_t len);
416
417 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
418 static const EVP_CIPHER aesni_##keylen##_##mode = { \
419         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
420         flags|EVP_CIPH_##MODE##_MODE,   \
421         aesni_init_key,                 \
422         aesni_##mode##_cipher,          \
423         NULL,                           \
424         sizeof(EVP_AES_KEY),            \
425         NULL,NULL,NULL,NULL }; \
426 static const EVP_CIPHER aes_##keylen##_##mode = { \
427         nid##_##keylen##_##nmode,blocksize,     \
428         keylen/8,ivlen, \
429         flags|EVP_CIPH_##MODE##_MODE,   \
430         aes_init_key,                   \
431         aes_##mode##_cipher,            \
432         NULL,                           \
433         sizeof(EVP_AES_KEY),            \
434         NULL,NULL,NULL,NULL }; \
435 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
436 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
437
438 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
439 static const EVP_CIPHER aesni_##keylen##_##mode = { \
440         nid##_##keylen##_##mode,blocksize, \
441         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
442         flags|EVP_CIPH_##MODE##_MODE,   \
443         aesni_##mode##_init_key,        \
444         aesni_##mode##_cipher,          \
445         aes_##mode##_cleanup,           \
446         sizeof(EVP_AES_##MODE##_CTX),   \
447         NULL,NULL,aes_##mode##_ctrl,NULL }; \
448 static const EVP_CIPHER aes_##keylen##_##mode = { \
449         nid##_##keylen##_##mode,blocksize, \
450         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
451         flags|EVP_CIPH_##MODE##_MODE,   \
452         aes_##mode##_init_key,          \
453         aes_##mode##_cipher,            \
454         aes_##mode##_cleanup,           \
455         sizeof(EVP_AES_##MODE##_CTX),   \
456         NULL,NULL,aes_##mode##_ctrl,NULL }; \
457 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
458 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
459
460 #elif   defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
461
462 #include "sparc_arch.h"
463
464 extern unsigned int OPENSSL_sparcv9cap_P[];
465
466 #define SPARC_AES_CAPABLE       (OPENSSL_sparcv9cap_P[1] & CFR_AES)
467
468 void    aes_t4_set_encrypt_key (const unsigned char *key, int bits,
469                                 AES_KEY *ks);
470 void    aes_t4_set_decrypt_key (const unsigned char *key, int bits,
471                                 AES_KEY *ks);
472 void    aes_t4_encrypt (const unsigned char *in, unsigned char *out,
473                                 const AES_KEY *key);
474 void    aes_t4_decrypt (const unsigned char *in, unsigned char *out,
475                                 const AES_KEY *key);
476 /*
477  * Key-length specific subroutines were chosen for following reason.
478  * Each SPARC T4 core can execute up to 8 threads which share core's
479  * resources. Loading as much key material to registers allows to
480  * minimize references to shared memory interface, as well as amount
481  * of instructions in inner loops [much needed on T4]. But then having
482  * non-key-length specific routines would require conditional branches
483  * either in inner loops or on subroutines' entries. Former is hardly
484  * acceptable, while latter means code size increase to size occupied
485  * by multiple key-length specfic subroutines, so why fight?
486  */
487 void    aes128_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
488                                 size_t len, const AES_KEY *key,
489                                 unsigned char *ivec);
490 void    aes128_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
491                                 size_t len, const AES_KEY *key,
492                                 unsigned char *ivec);
493 void    aes192_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
494                                 size_t len, const AES_KEY *key,
495                                 unsigned char *ivec);
496 void    aes192_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
497                                 size_t len, const AES_KEY *key,
498                                 unsigned char *ivec);
499 void    aes256_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
500                                 size_t len, const AES_KEY *key,
501                                 unsigned char *ivec);
502 void    aes256_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
503                                 size_t len, const AES_KEY *key,
504                                 unsigned char *ivec);
505 void    aes128_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
506                                 size_t blocks, const AES_KEY *key,
507                                 unsigned char *ivec);
508 void    aes192_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
509                                 size_t blocks, const AES_KEY *key,
510                                 unsigned char *ivec);
511 void    aes256_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
512                                 size_t blocks, const AES_KEY *key,
513                                 unsigned char *ivec);
514
515 static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
516                    const unsigned char *iv, int enc)
517         {
518         int ret, mode, bits;
519         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
520
521         mode = ctx->cipher->flags & EVP_CIPH_MODE;
522         bits = ctx->key_len*8;
523         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
524             && !enc)
525                 {
526                     ret = 0;
527                     aes_t4_set_decrypt_key(key, bits, ctx->cipher_data);
528                     dat->block  = (block128_f)aes_t4_decrypt;
529                     switch (bits) {
530                     case 128:
531                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
532                                                 (cbc128_f)aes128_t4_cbc_decrypt :
533                                                 NULL;
534                         break;
535                     case 192:
536                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
537                                                 (cbc128_f)aes192_t4_cbc_decrypt :
538                                                 NULL;
539                         break;
540                     case 256:
541                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
542                                                 (cbc128_f)aes256_t4_cbc_decrypt :
543                                                 NULL;
544                         break;
545                     default:
546                         ret = -1;
547                     }
548                 }
549         else    {
550                     ret = 0;
551                     aes_t4_set_encrypt_key(key, bits, ctx->cipher_data);
552                     dat->block  = (block128_f)aes_t4_encrypt;
553                     switch (bits) {
554                     case 128:
555                         if (mode==EVP_CIPH_CBC_MODE)
556                                 dat->stream.cbc = (cbc128_f)aes128_t4_cbc_encrypt;
557                         else if (mode==EVP_CIPH_CTR_MODE)
558                                 dat->stream.ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
559                         else
560                                 dat->stream.cbc = NULL;
561                         break;
562                     case 192:
563                         if (mode==EVP_CIPH_CBC_MODE)
564                                 dat->stream.cbc = (cbc128_f)aes192_t4_cbc_encrypt;
565                         else if (mode==EVP_CIPH_CTR_MODE)
566                                 dat->stream.ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
567                         else
568                                 dat->stream.cbc = NULL;
569                         break;
570                     case 256:
571                         if (mode==EVP_CIPH_CBC_MODE)
572                                 dat->stream.cbc = (cbc128_f)aes256_t4_cbc_encrypt;
573                         else if (mode==EVP_CIPH_CTR_MODE)
574                                 dat->stream.ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
575                         else
576                                 dat->stream.cbc = NULL;
577                         break;
578                     default:
579                         ret = -1;
580                     }
581                 }
582
583         if(ret < 0)
584                 {
585                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
586                 return 0;
587                 }
588
589         return 1;
590         }
591
592 #define aes_t4_cbc_cipher aes_cbc_cipher
593 static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
594         const unsigned char *in, size_t len);
595
596 #define aes_t4_ecb_cipher aes_ecb_cipher 
597 static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
598         const unsigned char *in, size_t len);
599
600 #define aes_t4_ofb_cipher aes_ofb_cipher
601 static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
602         const unsigned char *in,size_t len);
603
604 #define aes_t4_cfb_cipher aes_cfb_cipher
605 static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
606         const unsigned char *in,size_t len);
607
608 #define aes_t4_cfb8_cipher aes_cfb8_cipher
609 static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
610         const unsigned char *in,size_t len);
611
612 #define aes_t4_cfb1_cipher aes_cfb1_cipher
613 static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
614         const unsigned char *in,size_t len);
615
616 #define aes_t4_ctr_cipher aes_ctr_cipher
617 static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
618                 const unsigned char *in, size_t len);
619
620 static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
621                         const unsigned char *iv, int enc)
622         {
623         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
624         if (!iv && !key)
625                 return 1;
626         if (key)
627                 {
628                 int bits = ctx->key_len * 8;
629                 aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
630                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
631                                 (block128_f)aes_t4_encrypt);
632                 switch (bits) {
633                     case 128:
634                         gctx->ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
635                         break;
636                     case 192:
637                         gctx->ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
638                         break;
639                     case 256:
640                         gctx->ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
641                         break;
642                     default:
643                         return 0;
644                 }
645                 /* If we have an iv can set it directly, otherwise use
646                  * saved IV.
647                  */
648                 if (iv == NULL && gctx->iv_set)
649                         iv = gctx->iv;
650                 if (iv)
651                         {
652                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
653                         gctx->iv_set = 1;
654                         }
655                 gctx->key_set = 1;
656                 }
657         else
658                 {
659                 /* If key set use IV, otherwise copy */
660                 if (gctx->key_set)
661                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
662                 else
663                         memcpy(gctx->iv, iv, gctx->ivlen);
664                 gctx->iv_set = 1;
665                 gctx->iv_gen = 0;
666                 }
667         return 1;
668         }
669
670 #define aes_t4_gcm_cipher aes_gcm_cipher
671 static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
672                 const unsigned char *in, size_t len);
673
674 static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
675                         const unsigned char *iv, int enc)
676         {
677         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
678         if (!iv && !key)
679                 return 1;
680
681         if (key)
682                 {
683                 int bits = ctx->key_len * 4;
684                 /* key_len is two AES keys */
685                 if (enc)
686                         {
687                         aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
688                         xctx->xts.block1 = (block128_f)aes_t4_encrypt;
689 #if 0 /* not yet */
690                         switch (bits) {
691                             case 128:
692                                 xctx->stream = aes128_t4_xts_encrypt;
693                                 break;
694                             case 192:
695                                 xctx->stream = aes192_t4_xts_encrypt;
696                                 break;
697                             case 256:
698                                 xctx->stream = aes256_t4_xts_encrypt;
699                                 break;
700                             default:
701                                 return 0;
702                             }
703 #endif
704                         }
705                 else
706                         {
707                         aes_t4_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
708                         xctx->xts.block1 = (block128_f)aes_t4_decrypt;
709 #if 0 /* not yet */
710                         switch (bits) {
711                             case 128:
712                                 xctx->stream = aes128_t4_xts_decrypt;
713                                 break;
714                             case 192:
715                                 xctx->stream = aes192_t4_xts_decrypt;
716                                 break;
717                             case 256:
718                                 xctx->stream = aes256_t4_xts_decrypt;
719                                 break;
720                             default:
721                                 return 0;
722                             }
723 #endif
724                         }
725
726                 aes_t4_set_encrypt_key(key + ctx->key_len/2,
727                                                 ctx->key_len * 4, &xctx->ks2.ks);
728                 xctx->xts.block2 = (block128_f)aes_t4_encrypt;
729
730                 xctx->xts.key1 = &xctx->ks1;
731                 }
732
733         if (iv)
734                 {
735                 xctx->xts.key2 = &xctx->ks2;
736                 memcpy(ctx->iv, iv, 16);
737                 }
738
739         return 1;
740         }
741
742 #define aes_t4_xts_cipher aes_xts_cipher
743 static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
744                 const unsigned char *in, size_t len);
745
746 static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
747                         const unsigned char *iv, int enc)
748         {
749         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
750         if (!iv && !key)
751                 return 1;
752         if (key)
753                 {
754                 int bits = ctx->key_len * 8;
755                 aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
756                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
757                                         &cctx->ks, (block128_f)aes_t4_encrypt);
758 #if 0 /* not yet */
759                 switch (bits) {
760                     case 128:
761                         cctx->str = enc?(ccm128_f)aes128_t4_ccm64_encrypt :
762                                 (ccm128_f)ae128_t4_ccm64_decrypt;
763                         break;
764                     case 192:
765                         cctx->str = enc?(ccm128_f)aes192_t4_ccm64_encrypt :
766                                 (ccm128_f)ae192_t4_ccm64_decrypt;
767                         break;
768                     case 256:
769                         cctx->str = enc?(ccm128_f)aes256_t4_ccm64_encrypt :
770                                 (ccm128_f)ae256_t4_ccm64_decrypt;
771                         break;
772                     default:
773                         return 0;
774                     }
775 #endif
776                 cctx->key_set = 1;
777                 }
778         if (iv)
779                 {
780                 memcpy(ctx->iv, iv, 15 - cctx->L);
781                 cctx->iv_set = 1;
782                 }
783         return 1;
784         }
785
786 #define aes_t4_ccm_cipher aes_ccm_cipher
787 static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
788                 const unsigned char *in, size_t len);
789
790 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
791 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
792         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
793         flags|EVP_CIPH_##MODE##_MODE,   \
794         aes_t4_init_key,                \
795         aes_t4_##mode##_cipher,         \
796         NULL,                           \
797         sizeof(EVP_AES_KEY),            \
798         NULL,NULL,NULL,NULL }; \
799 static const EVP_CIPHER aes_##keylen##_##mode = { \
800         nid##_##keylen##_##nmode,blocksize,     \
801         keylen/8,ivlen, \
802         flags|EVP_CIPH_##MODE##_MODE,   \
803         aes_init_key,                   \
804         aes_##mode##_cipher,            \
805         NULL,                           \
806         sizeof(EVP_AES_KEY),            \
807         NULL,NULL,NULL,NULL }; \
808 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
809 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
810
811 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
812 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
813         nid##_##keylen##_##mode,blocksize, \
814         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
815         flags|EVP_CIPH_##MODE##_MODE,   \
816         aes_t4_##mode##_init_key,       \
817         aes_t4_##mode##_cipher,         \
818         aes_##mode##_cleanup,           \
819         sizeof(EVP_AES_##MODE##_CTX),   \
820         NULL,NULL,aes_##mode##_ctrl,NULL }; \
821 static const EVP_CIPHER aes_##keylen##_##mode = { \
822         nid##_##keylen##_##mode,blocksize, \
823         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
824         flags|EVP_CIPH_##MODE##_MODE,   \
825         aes_##mode##_init_key,          \
826         aes_##mode##_cipher,            \
827         aes_##mode##_cleanup,           \
828         sizeof(EVP_AES_##MODE##_CTX),   \
829         NULL,NULL,aes_##mode##_ctrl,NULL }; \
830 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
831 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
832
833 #else
834
835 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
836 static const EVP_CIPHER aes_##keylen##_##mode = { \
837         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
838         flags|EVP_CIPH_##MODE##_MODE,   \
839         aes_init_key,                   \
840         aes_##mode##_cipher,            \
841         NULL,                           \
842         sizeof(EVP_AES_KEY),            \
843         NULL,NULL,NULL,NULL }; \
844 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
845 { return &aes_##keylen##_##mode; }
846
847 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
848 static const EVP_CIPHER aes_##keylen##_##mode = { \
849         nid##_##keylen##_##mode,blocksize, \
850         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
851         flags|EVP_CIPH_##MODE##_MODE,   \
852         aes_##mode##_init_key,          \
853         aes_##mode##_cipher,            \
854         aes_##mode##_cleanup,           \
855         sizeof(EVP_AES_##MODE##_CTX),   \
856         NULL,NULL,aes_##mode##_ctrl,NULL }; \
857 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
858 { return &aes_##keylen##_##mode; }
859 #endif
860
861 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
862         BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
863         BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
864         BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
865         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
866         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
867         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
868         BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
869
870 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
871                    const unsigned char *iv, int enc)
872         {
873         int ret, mode;
874         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
875
876         mode = ctx->cipher->flags & EVP_CIPH_MODE;
877         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
878             && !enc)
879 #ifdef BSAES_CAPABLE
880             if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE)
881                 {
882                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
883                 dat->block      = (block128_f)AES_decrypt;
884                 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
885                 }
886             else
887 #endif
888 #ifdef VPAES_CAPABLE
889             if (VPAES_CAPABLE)
890                 {
891                 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
892                 dat->block      = (block128_f)vpaes_decrypt;
893                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
894                                         (cbc128_f)vpaes_cbc_encrypt :
895                                         NULL;
896                 }
897             else
898 #endif
899                 {
900                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
901                 dat->block      = (block128_f)AES_decrypt;
902                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
903                                         (cbc128_f)AES_cbc_encrypt :
904                                         NULL;
905                 }
906         else
907 #ifdef BSAES_CAPABLE
908             if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE)
909                 {
910                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
911                 dat->block      = (block128_f)AES_encrypt;
912                 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
913                 }
914             else
915 #endif
916 #ifdef VPAES_CAPABLE
917             if (VPAES_CAPABLE)
918                 {
919                 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
920                 dat->block      = (block128_f)vpaes_encrypt;
921                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
922                                         (cbc128_f)vpaes_cbc_encrypt :
923                                         NULL;
924                 }
925             else
926 #endif
927                 {
928                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
929                 dat->block      = (block128_f)AES_encrypt;
930                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
931                                         (cbc128_f)AES_cbc_encrypt :
932                                         NULL;
933 #ifdef AES_CTR_ASM
934                 if (mode==EVP_CIPH_CTR_MODE)
935                         dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
936 #endif
937                 }
938
939         if(ret < 0)
940                 {
941                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
942                 return 0;
943                 }
944
945         return 1;
946         }
947
948 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
949         const unsigned char *in, size_t len)
950 {
951         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
952
953         if (dat->stream.cbc)
954                 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
955         else if (ctx->encrypt)
956                 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
957         else
958                 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
959
960         return 1;
961 }
962
963 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
964         const unsigned char *in, size_t len)
965 {
966         size_t  bl = ctx->cipher->block_size;
967         size_t  i;
968         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
969
970         if (len<bl)     return 1;
971
972         for (i=0,len-=bl;i<=len;i+=bl)
973                 (*dat->block)(in+i,out+i,&dat->ks);
974
975         return 1;
976 }
977
978 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
979         const unsigned char *in,size_t len)
980 {
981         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
982
983         CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
984                         ctx->iv,&ctx->num,dat->block);
985         return 1;
986 }
987
988 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
989         const unsigned char *in,size_t len)
990 {
991         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
992
993         CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
994                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
995         return 1;
996 }
997
998 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
999         const unsigned char *in,size_t len)
1000 {
1001         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1002
1003         CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
1004                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1005         return 1;
1006 }
1007
1008 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1009         const unsigned char *in,size_t len)
1010 {
1011         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1012
1013         if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
1014                 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
1015                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1016                 return 1;
1017         }
1018
1019         while (len>=MAXBITCHUNK) {
1020                 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
1021                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1022                 len-=MAXBITCHUNK;
1023         }
1024         if (len)
1025                 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
1026                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1027         
1028         return 1;
1029 }
1030
1031 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
1032                 const unsigned char *in, size_t len)
1033 {
1034         unsigned int num = ctx->num;
1035         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1036
1037         if (dat->stream.ctr)
1038                 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
1039                         ctx->iv,ctx->buf,&num,dat->stream.ctr);
1040         else
1041                 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
1042                         ctx->iv,ctx->buf,&num,dat->block);
1043         ctx->num = (size_t)num;
1044         return 1;
1045 }
1046
1047 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
1048 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
1049 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
1050
1051 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1052         {
1053         EVP_AES_GCM_CTX *gctx = c->cipher_data;
1054         OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
1055         if (gctx->iv != c->iv)
1056                 OPENSSL_free(gctx->iv);
1057         return 1;
1058         }
1059
1060 /* increment counter (64-bit int) by 1 */
1061 static void ctr64_inc(unsigned char *counter) {
1062         int n=8;
1063         unsigned char  c;
1064
1065         do {
1066                 --n;
1067                 c = counter[n];
1068                 ++c;
1069                 counter[n] = c;
1070                 if (c) return;
1071         } while (n);
1072 }
1073
1074 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1075         {
1076         EVP_AES_GCM_CTX *gctx = c->cipher_data;
1077         switch (type)
1078                 {
1079         case EVP_CTRL_INIT:
1080                 gctx->key_set = 0;
1081                 gctx->iv_set = 0;
1082                 gctx->ivlen = c->cipher->iv_len;
1083                 gctx->iv = c->iv;
1084                 gctx->taglen = -1;
1085                 gctx->iv_gen = 0;
1086                 gctx->tls_aad_len = -1;
1087                 return 1;
1088
1089         case EVP_CTRL_GCM_SET_IVLEN:
1090                 if (arg <= 0)
1091                         return 0;
1092 #ifdef OPENSSL_FIPS
1093                 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
1094                                                  && arg < 12)
1095                         return 0;
1096 #endif
1097                 /* Allocate memory for IV if needed */
1098                 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
1099                         {
1100                         if (gctx->iv != c->iv)
1101                                 OPENSSL_free(gctx->iv);
1102                         gctx->iv = OPENSSL_malloc(arg);
1103                         if (!gctx->iv)
1104                                 return 0;
1105                         }
1106                 gctx->ivlen = arg;
1107                 return 1;
1108
1109         case EVP_CTRL_GCM_SET_TAG:
1110                 if (arg <= 0 || arg > 16 || c->encrypt)
1111                         return 0;
1112                 memcpy(c->buf, ptr, arg);
1113                 gctx->taglen = arg;
1114                 return 1;
1115
1116         case EVP_CTRL_GCM_GET_TAG:
1117                 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1118                         return 0;
1119                 memcpy(ptr, c->buf, arg);
1120                 return 1;
1121
1122         case EVP_CTRL_GCM_SET_IV_FIXED:
1123                 /* Special case: -1 length restores whole IV */
1124                 if (arg == -1)
1125                         {
1126                         memcpy(gctx->iv, ptr, gctx->ivlen);
1127                         gctx->iv_gen = 1;
1128                         return 1;
1129                         }
1130                 /* Fixed field must be at least 4 bytes and invocation field
1131                  * at least 8.
1132                  */
1133                 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1134                         return 0;
1135                 if (arg)
1136                         memcpy(gctx->iv, ptr, arg);
1137                 if (c->encrypt &&
1138                         RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
1139                         return 0;
1140                 gctx->iv_gen = 1;
1141                 return 1;
1142
1143         case EVP_CTRL_GCM_IV_GEN:
1144                 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1145                         return 0;
1146                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1147                 if (arg <= 0 || arg > gctx->ivlen)
1148                         arg = gctx->ivlen;
1149                 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1150                 /* Invocation field will be at least 8 bytes in size and
1151                  * so no need to check wrap around or increment more than
1152                  * last 8 bytes.
1153                  */
1154                 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1155                 gctx->iv_set = 1;
1156                 return 1;
1157
1158         case EVP_CTRL_GCM_SET_IV_INV:
1159                 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1160                         return 0;
1161                 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1162                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1163                 gctx->iv_set = 1;
1164                 return 1;
1165
1166         case EVP_CTRL_AEAD_TLS1_AAD:
1167                 /* Save the AAD for later use */
1168                 if (arg != 13)
1169                         return 0;
1170                 memcpy(c->buf, ptr, arg);
1171                 gctx->tls_aad_len = arg;
1172                         {
1173                         unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
1174                         /* Correct length for explicit IV */
1175                         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1176                         /* If decrypting correct for tag too */
1177                         if (!c->encrypt)
1178                                 len -= EVP_GCM_TLS_TAG_LEN;
1179                         c->buf[arg-2] = len>>8;
1180                         c->buf[arg-1] = len & 0xff;
1181                         }
1182                 /* Extra padding: tag appended to record */
1183                 return EVP_GCM_TLS_TAG_LEN;
1184
1185         default:
1186                 return -1;
1187
1188                 }
1189         }
1190
1191 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1192                         const unsigned char *iv, int enc)
1193         {
1194         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1195         if (!iv && !key)
1196                 return 1;
1197         if (key)
1198                 { do {
1199 #ifdef BSAES_CAPABLE
1200                 if (BSAES_CAPABLE)
1201                         {
1202                         AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks);
1203                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
1204                                         (block128_f)AES_encrypt);
1205                         gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
1206                         break;
1207                         }
1208                 else
1209 #endif
1210 #ifdef VPAES_CAPABLE
1211                 if (VPAES_CAPABLE)
1212                         {
1213                         vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks);
1214                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
1215                                         (block128_f)vpaes_encrypt);
1216                         gctx->ctr = NULL;
1217                         break;
1218                         }
1219 #endif
1220                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1221                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
1222 #ifdef AES_CTR_ASM
1223                 gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
1224 #else
1225                 gctx->ctr = NULL;
1226 #endif
1227                 } while (0);
1228
1229                 /* If we have an iv can set it directly, otherwise use
1230                  * saved IV.
1231                  */
1232                 if (iv == NULL && gctx->iv_set)
1233                         iv = gctx->iv;
1234                 if (iv)
1235                         {
1236                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1237                         gctx->iv_set = 1;
1238                         }
1239                 gctx->key_set = 1;
1240                 }
1241         else
1242                 {
1243                 /* If key set use IV, otherwise copy */
1244                 if (gctx->key_set)
1245                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1246                 else
1247                         memcpy(gctx->iv, iv, gctx->ivlen);
1248                 gctx->iv_set = 1;
1249                 gctx->iv_gen = 0;
1250                 }
1251         return 1;
1252         }
1253
1254 /* Handle TLS GCM packet format. This consists of the last portion of the IV
1255  * followed by the payload and finally the tag. On encrypt generate IV,
1256  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1257  * and verify tag.
1258  */
1259
1260 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1261                 const unsigned char *in, size_t len)
1262         {
1263         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1264         int rv = -1;
1265         /* Encrypt/decrypt must be performed in place */
1266         if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN))
1267                 return -1;
1268         /* Set IV from start of buffer or generate IV and write to start
1269          * of buffer.
1270          */
1271         if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1272                                 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1273                                 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1274                 goto err;
1275         /* Use saved AAD */
1276         if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1277                 goto err;
1278         /* Fix buffer and length to point to payload */
1279         in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1280         out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1281         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1282         if (ctx->encrypt)
1283                 {
1284                 /* Encrypt payload */
1285                 if (gctx->ctr)
1286                         {
1287                         if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1288                                                         in, out, len,
1289                                                         gctx->ctr))
1290                                 goto err;
1291                         }
1292                 else    {
1293                         if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1294                                 goto err;
1295                         }
1296                 out += len;
1297                 /* Finally write tag */
1298                 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1299                 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1300                 }
1301         else
1302                 {
1303                 /* Decrypt */
1304                 if (gctx->ctr)
1305                         {
1306                         if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1307                                                         in, out, len,
1308                                                         gctx->ctr))
1309                                 goto err;
1310                         }
1311                 else    {
1312                         if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1313                                 goto err;
1314                         }
1315                 /* Retrieve tag */
1316                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
1317                                         EVP_GCM_TLS_TAG_LEN);
1318                 /* If tag mismatch wipe buffer */
1319                 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
1320                         {
1321                         OPENSSL_cleanse(out, len);
1322                         goto err;
1323                         }
1324                 rv = len;
1325                 }
1326
1327         err:
1328         gctx->iv_set = 0;
1329         gctx->tls_aad_len = -1;
1330         return rv;
1331         }
1332
1333 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1334                 const unsigned char *in, size_t len)
1335         {
1336         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1337         /* If not set up, return error */
1338         if (!gctx->key_set)
1339                 return -1;
1340
1341         if (gctx->tls_aad_len >= 0)
1342                 return aes_gcm_tls_cipher(ctx, out, in, len);
1343
1344         if (!gctx->iv_set)
1345                 return -1;
1346         if (in)
1347                 {
1348                 if (out == NULL)
1349                         {
1350                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1351                                 return -1;
1352                         }
1353                 else if (ctx->encrypt)
1354                         {
1355                         if (gctx->ctr)
1356                                 {
1357                                 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1358                                                         in, out, len,
1359                                                         gctx->ctr))
1360                                         return -1;
1361                                 }
1362                         else    {
1363                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1364                                         return -1;
1365                                 }
1366                         }
1367                 else
1368                         {
1369                         if (gctx->ctr)
1370                                 {
1371                                 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1372                                                         in, out, len,
1373                                                         gctx->ctr))
1374                                         return -1;
1375                                 }
1376                         else    {
1377                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1378                                         return -1;
1379                                 }
1380                         }
1381                 return len;
1382                 }
1383         else
1384                 {
1385                 if (!ctx->encrypt)
1386                         {
1387                         if (gctx->taglen < 0)
1388                                 return -1;
1389                         if (CRYPTO_gcm128_finish(&gctx->gcm,
1390                                         ctx->buf, gctx->taglen) != 0)
1391                                 return -1;
1392                         gctx->iv_set = 0;
1393                         return 0;
1394                         }
1395                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1396                 gctx->taglen = 16;
1397                 /* Don't reuse the IV */
1398                 gctx->iv_set = 0;
1399                 return 0;
1400                 }
1401
1402         }
1403
1404 #define CUSTOM_FLAGS    (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1405                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1406                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1407
1408 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1409                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1410 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1411                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1412 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1413                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1414
1415 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1416         {
1417         EVP_AES_XTS_CTX *xctx = c->cipher_data;
1418         if (type != EVP_CTRL_INIT)
1419                 return -1;
1420         /* key1 and key2 are used as an indicator both key and IV are set */
1421         xctx->xts.key1 = NULL;
1422         xctx->xts.key2 = NULL;
1423         return 1;
1424         }
1425
1426 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1427                         const unsigned char *iv, int enc)
1428         {
1429         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1430         if (!iv && !key)
1431                 return 1;
1432
1433         if (key) do
1434                 {
1435 #ifdef AES_XTS_ASM
1436                 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1437 #else
1438                 xctx->stream = NULL;
1439 #endif
1440                 /* key_len is two AES keys */
1441 #ifdef BSAES_CAPABLE
1442                 if (BSAES_CAPABLE)
1443                         xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1444                 else
1445 #endif
1446 #ifdef VPAES_CAPABLE
1447                 if (VPAES_CAPABLE)
1448                     {
1449                     if (enc)
1450                         {
1451                         vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1452                         xctx->xts.block1 = (block128_f)vpaes_encrypt;
1453                         }
1454                     else
1455                         {
1456                         vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1457                         xctx->xts.block1 = (block128_f)vpaes_decrypt;
1458                         }
1459
1460                 vpaes_set_encrypt_key(key + ctx->key_len/2,
1461                                                 ctx->key_len * 4, &xctx->ks2.ks);
1462                 xctx->xts.block2 = (block128_f)vpaes_encrypt;
1463
1464                 xctx->xts.key1 = &xctx->ks1;
1465                 break;
1466                 }
1467 #endif
1468                 if (enc)
1469                         {
1470                         AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1471                         xctx->xts.block1 = (block128_f)AES_encrypt;
1472                         }
1473                 else
1474                         {
1475                         AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1476                         xctx->xts.block1 = (block128_f)AES_decrypt;
1477                         }
1478
1479                 AES_set_encrypt_key(key + ctx->key_len/2,
1480                                                 ctx->key_len * 4, &xctx->ks2.ks);
1481                 xctx->xts.block2 = (block128_f)AES_encrypt;
1482
1483                 xctx->xts.key1 = &xctx->ks1;
1484                 } while (0);
1485
1486         if (iv)
1487                 {
1488                 xctx->xts.key2 = &xctx->ks2;
1489                 memcpy(ctx->iv, iv, 16);
1490                 }
1491
1492         return 1;
1493         }
1494
1495 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1496                 const unsigned char *in, size_t len)
1497         {
1498         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1499         if (!xctx->xts.key1 || !xctx->xts.key2)
1500                 return 0;
1501         if (!out || !in || len<AES_BLOCK_SIZE)
1502                 return 0;
1503 #ifdef OPENSSL_FIPS
1504         /* Requirement of SP800-38E */
1505         if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1506                         (len > (1UL<<20)*16))
1507                 {
1508                 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1509                 return 0;
1510                 }
1511 #endif
1512         if (xctx->stream)
1513                 (*xctx->stream)(in, out, len,
1514                                 xctx->xts.key1, xctx->xts.key2, ctx->iv);
1515         else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1516                                                                 ctx->encrypt))
1517                 return 0;
1518         return 1;
1519         }
1520
1521 #define aes_xts_cleanup NULL
1522
1523 #define XTS_FLAGS       (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1524                          | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1525
1526 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1527 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1528
1529 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1530         {
1531         EVP_AES_CCM_CTX *cctx = c->cipher_data;
1532         switch (type)
1533                 {
1534         case EVP_CTRL_INIT:
1535                 cctx->key_set = 0;
1536                 cctx->iv_set = 0;
1537                 cctx->L = 8;
1538                 cctx->M = 12;
1539                 cctx->tag_set = 0;
1540                 cctx->len_set = 0;
1541                 return 1;
1542
1543         case EVP_CTRL_CCM_SET_IVLEN:
1544                 arg = 15 - arg;
1545         case EVP_CTRL_CCM_SET_L:
1546                 if (arg < 2 || arg > 8)
1547                         return 0;
1548                 cctx->L = arg;
1549                 return 1;
1550
1551         case EVP_CTRL_CCM_SET_TAG:
1552                 if ((arg & 1) || arg < 4 || arg > 16)
1553                         return 0;
1554                 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1555                         return 0;
1556                 if (ptr)
1557                         {
1558                         cctx->tag_set = 1;
1559                         memcpy(c->buf, ptr, arg);
1560                         }
1561                 cctx->M = arg;
1562                 return 1;
1563
1564         case EVP_CTRL_CCM_GET_TAG:
1565                 if (!c->encrypt || !cctx->tag_set)
1566                         return 0;
1567                 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1568                         return 0;
1569                 cctx->tag_set = 0;
1570                 cctx->iv_set = 0;
1571                 cctx->len_set = 0;
1572                 return 1;
1573
1574         default:
1575                 return -1;
1576
1577                 }
1578         }
1579
1580 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1581                         const unsigned char *iv, int enc)
1582         {
1583         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1584         if (!iv && !key)
1585                 return 1;
1586         if (key) do
1587                 {
1588 #ifdef VPAES_CAPABLE
1589                 if (VPAES_CAPABLE)
1590                         {
1591                         vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks.ks);
1592                         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1593                                         &cctx->ks, (block128_f)vpaes_encrypt);
1594                         cctx->str = NULL;
1595                         cctx->key_set = 1;
1596                         break;
1597                         }
1598 #endif
1599                 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
1600                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1601                                         &cctx->ks, (block128_f)AES_encrypt);
1602                 cctx->str = NULL;
1603                 cctx->key_set = 1;
1604                 } while (0);
1605         if (iv)
1606                 {
1607                 memcpy(ctx->iv, iv, 15 - cctx->L);
1608                 cctx->iv_set = 1;
1609                 }
1610         return 1;
1611         }
1612
1613 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1614                 const unsigned char *in, size_t len)
1615         {
1616         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1617         CCM128_CONTEXT *ccm = &cctx->ccm;
1618         /* If not set up, return error */
1619         if (!cctx->iv_set && !cctx->key_set)
1620                 return -1;
1621         if (!ctx->encrypt && !cctx->tag_set)
1622                 return -1;
1623         if (!out)
1624                 {
1625                 if (!in)
1626                         {
1627                         if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
1628                                 return -1;
1629                         cctx->len_set = 1;
1630                         return len;
1631                         }
1632                 /* If have AAD need message length */
1633                 if (!cctx->len_set && len)
1634                         return -1;
1635                 CRYPTO_ccm128_aad(ccm, in, len);
1636                 return len;
1637                 }
1638         /* EVP_*Final() doesn't return any data */
1639         if (!in)
1640                 return 0;
1641         /* If not set length yet do it */
1642         if (!cctx->len_set)
1643                 {
1644                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1645                         return -1;
1646                 cctx->len_set = 1;
1647                 }
1648         if (ctx->encrypt)
1649                 {
1650                 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
1651                                                 cctx->str) :
1652                                 CRYPTO_ccm128_encrypt(ccm, in, out, len))
1653                         return -1;
1654                 cctx->tag_set = 1;
1655                 return len;
1656                 }
1657         else
1658                 {
1659                 int rv = -1;
1660                 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
1661                                                 cctx->str) :
1662                                 !CRYPTO_ccm128_decrypt(ccm, in, out, len))
1663                         {
1664                         unsigned char tag[16];
1665                         if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
1666                                 {
1667                                 if (!memcmp(tag, ctx->buf, cctx->M))
1668                                         rv = len;
1669                                 }
1670                         }
1671                 if (rv == -1)
1672                         OPENSSL_cleanse(out, len);
1673                 cctx->iv_set = 0;
1674                 cctx->tag_set = 0;
1675                 cctx->len_set = 0;
1676                 return rv;
1677                 }
1678
1679         }
1680
1681 #define aes_ccm_cleanup NULL
1682
1683 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1684 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1685 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1686
1687 #endif