crypto/evp/e_aes.c

   1 /* ====================================================================
   2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  *
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  *
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in
  13  *    the documentation and/or other materials provided with the
  14  *    distribution.
  15  *
  16  * 3. All advertising materials mentioning features or use of this
  17  *    software must display the following acknowledgment:
  18  *    "This product includes software developed by the OpenSSL Project
  19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  20  *
  21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22  *    endorse or promote products derived from this software without
  23  *    prior written permission. For written permission, please contact
  24  *    openssl-core@openssl.org.
  25  *
  26  * 5. Products derived from this software may not be called "OpenSSL"
  27  *    nor may "OpenSSL" appear in their names without prior written
  28  *    permission of the OpenSSL Project.
  29  *
  30  * 6. Redistributions of any form whatsoever must retain the following
  31  *    acknowledgment:
  32  *    "This product includes software developed by the OpenSSL Project
  33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  34  *
  35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46  * OF THE POSSIBILITY OF SUCH DAMAGE.
  47  * ====================================================================
  48  *
  49  */
  50
  51 #define OPENSSL_FIPSAPI
  52
  53 #include <openssl/opensslconf.h>
  54 #ifndef OPENSSL_NO_AES
  55 #include <openssl/evp.h>
  56 #include <openssl/err.h>
  57 #include <string.h>
  58 #include <assert.h>
  59 #include <openssl/aes.h>
  60 #include "evp_locl.h"
  61 #include "modes_lcl.h"
  62 #include <openssl/rand.h>
  63
  64 typedef struct
  65         {
  66         union { double align; AES_KEY ks; } ks;
  67         block128_f block;
  68         union {
  69                 cbc128_f cbc;
  70                 ctr128_f ctr;
  71         } stream;
  72         } EVP_AES_KEY;
  73
  74 typedef struct
  75         {
  76         union { double align; AES_KEY ks; } ks; /* AES key schedule to use */
  77         int key_set;            /* Set if key initialised */
  78         int iv_set;             /* Set if an iv is set */
  79         GCM128_CONTEXT gcm;
  80         unsigned char *iv;      /* Temporary IV store */
  81         int ivlen;              /* IV length */
  82         int taglen;
  83         int iv_gen;             /* It is OK to generate IVs */
  84         int tls_aad_len;        /* TLS AAD length */
  85         ctr128_f ctr;
  86         } EVP_AES_GCM_CTX;
  87
  88 typedef struct
  89         {
  90         union { double align; AES_KEY ks; } ks1, ks2;   /* AES key schedules to use */
  91         XTS128_CONTEXT xts;
  92         void     (*stream)(const unsigned char *in,
  93                         unsigned char *out, size_t length,
  94                         const AES_KEY *key1, const AES_KEY *key2,
  95                         const unsigned char iv[16]);
  96         } EVP_AES_XTS_CTX;
  97
  98 typedef struct
  99         {
 100         union { double align; AES_KEY ks; } ks; /* AES key schedule to use */
 101         int key_set;            /* Set if key initialised */
 102         int iv_set;             /* Set if an iv is set */
 103         int tag_set;            /* Set if tag is valid */
 104         int len_set;            /* Set if message length set */
 105         int L, M;               /* L and M parameters from RFC3610 */
 106         CCM128_CONTEXT ccm;
 107         ccm128_f str;
 108         } EVP_AES_CCM_CTX;
 109
 110 #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
 111
 112 #ifdef VPAES_ASM
 113 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
 114                         AES_KEY *key);
 115 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
 116                         AES_KEY *key);
 117
 118 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
 119                         const AES_KEY *key);
 120 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
 121                         const AES_KEY *key);
 122
 123 void vpaes_cbc_encrypt(const unsigned char *in,
 124                         unsigned char *out,
 125                         size_t length,
 126                         const AES_KEY *key,
 127                         unsigned char *ivec, int enc);
 128 #endif
 129 #ifdef BSAES_ASM
 130 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
 131                         size_t length, const AES_KEY *key,
 132                         unsigned char ivec[16], int enc);
 133 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
 134                         size_t len, const AES_KEY *key,
 135                         const unsigned char ivec[16]);
 136 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
 137                         size_t len, const AES_KEY *key1,
 138                         const AES_KEY *key2, const unsigned char iv[16]);
 139 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
 140                         size_t len, const AES_KEY *key1,
 141                         const AES_KEY *key2, const unsigned char iv[16]);
 142 #endif
 143 #ifdef AES_CTR_ASM
 144 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
 145                         size_t blocks, const AES_KEY *key,
 146                         const unsigned char ivec[AES_BLOCK_SIZE]);
 147 #endif
 148 #ifdef AES_XTS_ASM
 149 void AES_xts_encrypt(const char *inp,char *out,size_t len,
 150                         const AES_KEY *key1, const AES_KEY *key2,
 151                         const unsigned char iv[16]);
 152 void AES_xts_decrypt(const char *inp,char *out,size_t len,
 153                         const AES_KEY *key1, const AES_KEY *key2,
 154                         const unsigned char iv[16]);
 155 #endif
 156
 157 #if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
 158         ((defined(__i386)       || defined(__i386__)    || \
 159           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
 160         defined(__x86_64)       || defined(__x86_64__)  || \
 161         defined(_M_AMD64)       || defined(_M_X64)      || \
 162         defined(__INTEL__)                              )
 163
 164 extern unsigned int OPENSSL_ia32cap_P[];
 165
 166 #ifdef VPAES_ASM
 167 #define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
 168 #endif
 169 #ifdef BSAES_ASM
 170 #define BSAES_CAPABLE   VPAES_CAPABLE
 171 #endif
 172 /*
 173  * AES-NI section
 174  */
 175 #define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
 176
 177 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
 178                         AES_KEY *key);
 179 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
 180                         AES_KEY *key);
 181
 182 void aesni_encrypt(const unsigned char *in, unsigned char *out,
 183                         const AES_KEY *key);
 184 void aesni_decrypt(const unsigned char *in, unsigned char *out,
 185                         const AES_KEY *key);
 186
 187 void aesni_ecb_encrypt(const unsigned char *in,
 188                         unsigned char *out,
 189                         size_t length,
 190                         const AES_KEY *key,
 191                         int enc);
 192 void aesni_cbc_encrypt(const unsigned char *in,
 193                         unsigned char *out,
 194                         size_t length,
 195                         const AES_KEY *key,
 196                         unsigned char *ivec, int enc);
 197
 198 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
 199                         unsigned char *out,
 200                         size_t blocks,
 201                         const void *key,
 202                         const unsigned char *ivec);
 203
 204 void aesni_xts_encrypt(const unsigned char *in,
 205                         unsigned char *out,
 206                         size_t length,
 207                         const AES_KEY *key1, const AES_KEY *key2,
 208                         const unsigned char iv[16]);
 209
 210 void aesni_xts_decrypt(const unsigned char *in,
 211                         unsigned char *out,
 212                         size_t length,
 213                         const AES_KEY *key1, const AES_KEY *key2,
 214                         const unsigned char iv[16]);
 215
 216 void aesni_ccm64_encrypt_blocks (const unsigned char *in,
 217                         unsigned char *out,
 218                         size_t blocks,
 219                         const void *key,
 220                         const unsigned char ivec[16],
 221                         unsigned char cmac[16]);
 222
 223 void aesni_ccm64_decrypt_blocks (const unsigned char *in,
 224                         unsigned char *out,
 225                         size_t blocks,
 226                         const void *key,
 227                         const unsigned char ivec[16],
 228                         unsigned char cmac[16]);
 229
 230 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 231                    const unsigned char *iv, int enc)
 232         {
 233         int ret, mode;
 234         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
 235
 236         mode = ctx->cipher->flags & EVP_CIPH_MODE;
 237         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
 238             && !enc)
 239                 {
 240                 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
 241                 dat->block      = (block128_f)aesni_decrypt;
 242                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
 243                                         (cbc128_f)aesni_cbc_encrypt :
 244                                         NULL;
 245                 }
 246         else    {
 247                 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
 248                 dat->block      = (block128_f)aesni_encrypt;
 249                 if (mode==EVP_CIPH_CBC_MODE)
 250                         dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
 251                 else if (mode==EVP_CIPH_CTR_MODE)
 252                         dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
 253                 else
 254                         dat->stream.cbc = NULL;
 255                 }
 256
 257         if(ret < 0)
 258                 {
 259                 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
 260                 return 0;
 261                 }
 262
 263         return 1;
 264         }
 265
 266 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 267         const unsigned char *in, size_t len)
 268 {
 269         aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
 270
 271         return 1;
 272 }
 273
 274 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 275         const unsigned char *in, size_t len)
 276 {
 277         size_t  bl = ctx->cipher->block_size;
 278
 279         if (len<bl)     return 1;
 280
 281         aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
 282
 283         return 1;
 284 }
 285
 286 #define aesni_ofb_cipher aes_ofb_cipher
 287 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 288         const unsigned char *in,size_t len);
 289
 290 #define aesni_cfb_cipher aes_cfb_cipher
 291 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 292         const unsigned char *in,size_t len);
 293
 294 #define aesni_cfb8_cipher aes_cfb8_cipher
 295 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 296         const unsigned char *in,size_t len);
 297
 298 #define aesni_cfb1_cipher aes_cfb1_cipher
 299 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 300         const unsigned char *in,size_t len);
 301
 302 #define aesni_ctr_cipher aes_ctr_cipher
 303 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 304                 const unsigned char *in, size_t len);
 305
 306 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 307                         const unsigned char *iv, int enc)
 308         {
 309         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
 310         if (!iv && !key)
 311                 return 1;
 312         if (key)
 313                 {
 314                 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
 315                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
 316                                 (block128_f)aesni_encrypt);
 317                 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
 318                 /* If we have an iv can set it directly, otherwise use
 319                  * saved IV.
 320                  */
 321                 if (iv == NULL && gctx->iv_set)
 322                         iv = gctx->iv;
 323                 if (iv)
 324                         {
 325                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
 326                         gctx->iv_set = 1;
 327                         }
 328                 gctx->key_set = 1;
 329                 }
 330         else
 331                 {
 332                 /* If key set use IV, otherwise copy */
 333                 if (gctx->key_set)
 334                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
 335                 else
 336                         memcpy(gctx->iv, iv, gctx->ivlen);
 337                 gctx->iv_set = 1;
 338                 gctx->iv_gen = 0;
 339                 }
 340         return 1;
 341         }
 342
 343 #define aesni_gcm_cipher aes_gcm_cipher
 344 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 345                 const unsigned char *in, size_t len);
 346
 347 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 348                         const unsigned char *iv, int enc)
 349         {
 350         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
 351         if (!iv && !key)
 352                 return 1;
 353
 354         if (key)
 355                 {
 356                 /* key_len is two AES keys */
 357                 if (enc)
 358                         {
 359                         aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
 360                         xctx->xts.block1 = (block128_f)aesni_encrypt;
 361                         xctx->stream = aesni_xts_encrypt;
 362                         }
 363                 else
 364                         {
 365                         aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
 366                         xctx->xts.block1 = (block128_f)aesni_decrypt;
 367                         xctx->stream = aesni_xts_decrypt;
 368                         }
 369
 370                 aesni_set_encrypt_key(key + ctx->key_len/2,
 371                                                 ctx->key_len * 4, &xctx->ks2.ks);
 372                 xctx->xts.block2 = (block128_f)aesni_encrypt;
 373
 374                 xctx->xts.key1 = &xctx->ks1;
 375                 }
 376
 377         if (iv)
 378                 {
 379                 xctx->xts.key2 = &xctx->ks2;
 380                 memcpy(ctx->iv, iv, 16);
 381                 }
 382
 383         return 1;
 384         }
 385
 386 #define aesni_xts_cipher aes_xts_cipher
 387 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 388                 const unsigned char *in, size_t len);
 389
 390 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 391                         const unsigned char *iv, int enc)
 392         {
 393         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
 394         if (!iv && !key)
 395                 return 1;
 396         if (key)
 397                 {
 398                 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
 399                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
 400                                         &cctx->ks, (block128_f)aesni_encrypt);
 401                 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks :
 402                                 (ccm128_f)aesni_ccm64_decrypt_blocks;
 403                 cctx->key_set = 1;
 404                 }
 405         if (iv)
 406                 {
 407                 memcpy(ctx->iv, iv, 15 - cctx->L);
 408                 cctx->iv_set = 1;
 409                 }
 410         return 1;
 411         }
 412
 413 #define aesni_ccm_cipher aes_ccm_cipher
 414 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 415                 const unsigned char *in, size_t len);
 416
 417 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
 418 static const EVP_CIPHER aesni_##keylen##_##mode = { \
 419         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
 420         flags|EVP_CIPH_##MODE##_MODE,   \
 421         aesni_init_key,                 \
 422         aesni_##mode##_cipher,          \
 423         NULL,                           \
 424         sizeof(EVP_AES_KEY),            \
 425         NULL,NULL,NULL,NULL }; \
 426 static const EVP_CIPHER aes_##keylen##_##mode = { \
 427         nid##_##keylen##_##nmode,blocksize,     \
 428         keylen/8,ivlen, \
 429         flags|EVP_CIPH_##MODE##_MODE,   \
 430         aes_init_key,                   \
 431         aes_##mode##_cipher,            \
 432         NULL,                           \
 433         sizeof(EVP_AES_KEY),            \
 434         NULL,NULL,NULL,NULL }; \
 435 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 436 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
 437
 438 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
 439 static const EVP_CIPHER aesni_##keylen##_##mode = { \
 440         nid##_##keylen##_##mode,blocksize, \
 441         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
 442         flags|EVP_CIPH_##MODE##_MODE,   \
 443         aesni_##mode##_init_key,        \
 444         aesni_##mode##_cipher,          \
 445         aes_##mode##_cleanup,           \
 446         sizeof(EVP_AES_##MODE##_CTX),   \
 447         NULL,NULL,aes_##mode##_ctrl,NULL }; \
 448 static const EVP_CIPHER aes_##keylen##_##mode = { \
 449         nid##_##keylen##_##mode,blocksize, \
 450         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
 451         flags|EVP_CIPH_##MODE##_MODE,   \
 452         aes_##mode##_init_key,          \
 453         aes_##mode##_cipher,            \
 454         aes_##mode##_cleanup,           \
 455         sizeof(EVP_AES_##MODE##_CTX),   \
 456         NULL,NULL,aes_##mode##_ctrl,NULL }; \
 457 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 458 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
 459
 460 #elif   defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
 461
 462 #include "sparc_arch.h"
 463
 464 extern unsigned int OPENSSL_sparcv9cap_P[];
 465
 466 #define SPARC_AES_CAPABLE       (OPENSSL_sparcv9cap_P[1] & CFR_AES)
 467
 468 void    aes_t4_set_encrypt_key (const unsigned char *key, int bits,
 469                                 AES_KEY *ks);
 470 void    aes_t4_set_decrypt_key (const unsigned char *key, int bits,
 471                                 AES_KEY *ks);
 472 void    aes_t4_encrypt (const unsigned char *in, unsigned char *out,
 473                                 const AES_KEY *key);
 474 void    aes_t4_decrypt (const unsigned char *in, unsigned char *out,
 475                                 const AES_KEY *key);
 476 /*
 477  * Key-length specific subroutines were chosen for following reason.
 478  * Each SPARC T4 core can execute up to 8 threads which share core's
 479  * resources. Loading as much key material to registers allows to
 480  * minimize references to shared memory interface, as well as amount
 481  * of instructions in inner loops [much needed on T4]. But then having
 482  * non-key-length specific routines would require conditional branches
 483  * either in inner loops or on subroutines' entries. Former is hardly
 484  * acceptable, while latter means code size increase to size occupied
 485  * by multiple key-length specfic subroutines, so why fight?
 486  */
 487 void    aes128_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
 488                                 size_t len, const AES_KEY *key,
 489                                 unsigned char *ivec);
 490 void    aes128_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
 491                                 size_t len, const AES_KEY *key,
 492                                 unsigned char *ivec);
 493 void    aes192_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
 494                                 size_t len, const AES_KEY *key,
 495                                 unsigned char *ivec);
 496 void    aes192_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
 497                                 size_t len, const AES_KEY *key,
 498                                 unsigned char *ivec);
 499 void    aes256_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
 500                                 size_t len, const AES_KEY *key,
 501                                 unsigned char *ivec);
 502 void    aes256_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
 503                                 size_t len, const AES_KEY *key,
 504                                 unsigned char *ivec);
 505 void    aes128_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
 506                                 size_t blocks, const AES_KEY *key,
 507                                 unsigned char *ivec);
 508 void    aes192_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
 509                                 size_t blocks, const AES_KEY *key,
 510                                 unsigned char *ivec);
 511 void    aes256_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
 512                                 size_t blocks, const AES_KEY *key,
 513                                 unsigned char *ivec);
 514
 515 static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 516                    const unsigned char *iv, int enc)
 517         {
 518         int ret, mode, bits;
 519         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
 520
 521         mode = ctx->cipher->flags & EVP_CIPH_MODE;
 522         bits = ctx->key_len*8;
 523         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
 524             && !enc)
 525                 {
 526                     ret = 0;
 527                     aes_t4_set_decrypt_key(key, bits, ctx->cipher_data);
 528                     dat->block  = (block128_f)aes_t4_decrypt;
 529                     switch (bits) {
 530                     case 128:
 531                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
 532                                                 (cbc128_f)aes128_t4_cbc_decrypt :
 533                                                 NULL;
 534                         break;
 535                     case 192:
 536                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
 537                                                 (cbc128_f)aes192_t4_cbc_decrypt :
 538                                                 NULL;
 539                         break;
 540                     case 256:
 541                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
 542                                                 (cbc128_f)aes256_t4_cbc_decrypt :
 543                                                 NULL;
 544                         break;
 545                     default:
 546                         ret = -1;
 547                     }
 548                 }
 549         else    {
 550                     ret = 0;
 551                     aes_t4_set_encrypt_key(key, bits, ctx->cipher_data);
 552                     dat->block  = (block128_f)aes_t4_encrypt;
 553                     switch (bits) {
 554                     case 128:
 555                         if (mode==EVP_CIPH_CBC_MODE)
 556                                 dat->stream.cbc = (cbc128_f)aes128_t4_cbc_encrypt;
 557                         else if (mode==EVP_CIPH_CTR_MODE)
 558                                 dat->stream.ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
 559                         else
 560                                 dat->stream.cbc = NULL;
 561                         break;
 562                     case 192:
 563                         if (mode==EVP_CIPH_CBC_MODE)
 564                                 dat->stream.cbc = (cbc128_f)aes192_t4_cbc_encrypt;
 565                         else if (mode==EVP_CIPH_CTR_MODE)
 566                                 dat->stream.ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
 567                         else
 568                                 dat->stream.cbc = NULL;
 569                         break;
 570                     case 256:
 571                         if (mode==EVP_CIPH_CBC_MODE)
 572                                 dat->stream.cbc = (cbc128_f)aes256_t4_cbc_encrypt;
 573                         else if (mode==EVP_CIPH_CTR_MODE)
 574                                 dat->stream.ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
 575                         else
 576                                 dat->stream.cbc = NULL;
 577                         break;
 578                     default:
 579                         ret = -1;
 580                     }
 581                 }
 582
 583         if(ret < 0)
 584                 {
 585                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
 586                 return 0;
 587                 }
 588
 589         return 1;
 590         }
 591
 592 #define aes_t4_cbc_cipher aes_cbc_cipher
 593 static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 594         const unsigned char *in, size_t len);
 595
 596 #define aes_t4_ecb_cipher aes_ecb_cipher
 597 static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 598         const unsigned char *in, size_t len);
 599
 600 #define aes_t4_ofb_cipher aes_ofb_cipher
 601 static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 602         const unsigned char *in,size_t len);
 603
 604 #define aes_t4_cfb_cipher aes_cfb_cipher
 605 static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 606         const unsigned char *in,size_t len);
 607
 608 #define aes_t4_cfb8_cipher aes_cfb8_cipher
 609 static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 610         const unsigned char *in,size_t len);
 611
 612 #define aes_t4_cfb1_cipher aes_cfb1_cipher
 613 static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 614         const unsigned char *in,size_t len);
 615
 616 #define aes_t4_ctr_cipher aes_ctr_cipher
 617 static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 618                 const unsigned char *in, size_t len);
 619
 620 static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 621                         const unsigned char *iv, int enc)
 622         {
 623         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
 624         if (!iv && !key)
 625                 return 1;
 626         if (key)
 627                 {
 628                 int bits = ctx->key_len * 8;
 629                 aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
 630                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
 631                                 (block128_f)aes_t4_encrypt);
 632                 switch (bits) {
 633                     case 128:
 634                         gctx->ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
 635                         break;
 636                     case 192:
 637                         gctx->ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
 638                         break;
 639                     case 256:
 640                         gctx->ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
 641                         break;
 642                     default:
 643                         return 0;
 644                 }
 645                 /* If we have an iv can set it directly, otherwise use
 646                  * saved IV.
 647                  */
 648                 if (iv == NULL && gctx->iv_set)
 649                         iv = gctx->iv;
 650                 if (iv)
 651                         {
 652                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
 653                         gctx->iv_set = 1;
 654                         }
 655                 gctx->key_set = 1;
 656                 }
 657         else
 658                 {
 659                 /* If key set use IV, otherwise copy */
 660                 if (gctx->key_set)
 661                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
 662                 else
 663                         memcpy(gctx->iv, iv, gctx->ivlen);
 664                 gctx->iv_set = 1;
 665                 gctx->iv_gen = 0;
 666                 }
 667         return 1;
 668         }
 669
 670 #define aes_t4_gcm_cipher aes_gcm_cipher
 671 static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 672                 const unsigned char *in, size_t len);
 673
 674 static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 675                         const unsigned char *iv, int enc)
 676         {
 677         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
 678         if (!iv && !key)
 679                 return 1;
 680
 681         if (key)
 682                 {
 683                 int bits = ctx->key_len * 4;
 684                 /* key_len is two AES keys */
 685                 if (enc)
 686                         {
 687                         aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
 688                         xctx->xts.block1 = (block128_f)aes_t4_encrypt;
 689 #if 0 /* not yet */
 690                         switch (bits) {
 691                             case 128:
 692                                 xctx->stream = aes128_t4_xts_encrypt;
 693                                 break;
 694                             case 192:
 695                                 xctx->stream = aes192_t4_xts_encrypt;
 696                                 break;
 697                             case 256:
 698                                 xctx->stream = aes256_t4_xts_encrypt;
 699                                 break;
 700                             default:
 701                                 return 0;
 702                             }
 703 #endif
 704                         }
 705                 else
 706                         {
 707                         aes_t4_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
 708                         xctx->xts.block1 = (block128_f)aes_t4_decrypt;
 709 #if 0 /* not yet */
 710                         switch (bits) {
 711                             case 128:
 712                                 xctx->stream = aes128_t4_xts_decrypt;
 713                                 break;
 714                             case 192:
 715                                 xctx->stream = aes192_t4_xts_decrypt;
 716                                 break;
 717                             case 256:
 718                                 xctx->stream = aes256_t4_xts_decrypt;
 719                                 break;
 720                             default:
 721                                 return 0;
 722                             }
 723 #endif
 724                         }
 725
 726                 aes_t4_set_encrypt_key(key + ctx->key_len/2,
 727                                                 ctx->key_len * 4, &xctx->ks2.ks);
 728                 xctx->xts.block2 = (block128_f)aes_t4_encrypt;
 729
 730                 xctx->xts.key1 = &xctx->ks1;
 731                 }
 732
 733         if (iv)
 734                 {
 735                 xctx->xts.key2 = &xctx->ks2;
 736                 memcpy(ctx->iv, iv, 16);
 737                 }
 738
 739         return 1;
 740         }
 741
 742 #define aes_t4_xts_cipher aes_xts_cipher
 743 static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 744                 const unsigned char *in, size_t len);
 745
 746 static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 747                         const unsigned char *iv, int enc)
 748         {
 749         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
 750         if (!iv && !key)
 751                 return 1;
 752         if (key)
 753                 {
 754                 int bits = ctx->key_len * 8;
 755                 aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
 756                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
 757                                         &cctx->ks, (block128_f)aes_t4_encrypt);
 758 #if 0 /* not yet */
 759                 switch (bits) {
 760                     case 128:
 761                         cctx->str = enc?(ccm128_f)aes128_t4_ccm64_encrypt :
 762                                 (ccm128_f)ae128_t4_ccm64_decrypt;
 763                         break;
 764                     case 192:
 765                         cctx->str = enc?(ccm128_f)aes192_t4_ccm64_encrypt :
 766                                 (ccm128_f)ae192_t4_ccm64_decrypt;
 767                         break;
 768                     case 256:
 769                         cctx->str = enc?(ccm128_f)aes256_t4_ccm64_encrypt :
 770                                 (ccm128_f)ae256_t4_ccm64_decrypt;
 771                         break;
 772                     default:
 773                         return 0;
 774                     }
 775 #endif
 776                 cctx->key_set = 1;
 777                 }
 778         if (iv)
 779                 {
 780                 memcpy(ctx->iv, iv, 15 - cctx->L);
 781                 cctx->iv_set = 1;
 782                 }
 783         return 1;
 784         }
 785
 786 #define aes_t4_ccm_cipher aes_ccm_cipher
 787 static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 788                 const unsigned char *in, size_t len);
 789
 790 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
 791 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
 792         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
 793         flags|EVP_CIPH_##MODE##_MODE,   \
 794         aes_t4_init_key,                \
 795         aes_t4_##mode##_cipher,         \
 796         NULL,                           \
 797         sizeof(EVP_AES_KEY),            \
 798         NULL,NULL,NULL,NULL }; \
 799 static const EVP_CIPHER aes_##keylen##_##mode = { \
 800         nid##_##keylen##_##nmode,blocksize,     \
 801         keylen/8,ivlen, \
 802         flags|EVP_CIPH_##MODE##_MODE,   \
 803         aes_init_key,                   \
 804         aes_##mode##_cipher,            \
 805         NULL,                           \
 806         sizeof(EVP_AES_KEY),            \
 807         NULL,NULL,NULL,NULL }; \
 808 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 809 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
 810
 811 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
 812 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
 813         nid##_##keylen##_##mode,blocksize, \
 814         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
 815         flags|EVP_CIPH_##MODE##_MODE,   \
 816         aes_t4_##mode##_init_key,       \
 817         aes_t4_##mode##_cipher,         \
 818         aes_##mode##_cleanup,           \
 819         sizeof(EVP_AES_##MODE##_CTX),   \
 820         NULL,NULL,aes_##mode##_ctrl,NULL }; \
 821 static const EVP_CIPHER aes_##keylen##_##mode = { \
 822         nid##_##keylen##_##mode,blocksize, \
 823         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
 824         flags|EVP_CIPH_##MODE##_MODE,   \
 825         aes_##mode##_init_key,          \
 826         aes_##mode##_cipher,            \
 827         aes_##mode##_cleanup,           \
 828         sizeof(EVP_AES_##MODE##_CTX),   \
 829         NULL,NULL,aes_##mode##_ctrl,NULL }; \
 830 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 831 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
 832
 833 #else
 834
 835 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
 836 static const EVP_CIPHER aes_##keylen##_##mode = { \
 837         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
 838         flags|EVP_CIPH_##MODE##_MODE,   \
 839         aes_init_key,                   \
 840         aes_##mode##_cipher,            \
 841         NULL,                           \
 842         sizeof(EVP_AES_KEY),            \
 843         NULL,NULL,NULL,NULL }; \
 844 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 845 { return &aes_##keylen##_##mode; }
 846
 847 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
 848 static const EVP_CIPHER aes_##keylen##_##mode = { \
 849         nid##_##keylen##_##mode,blocksize, \
 850         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
 851         flags|EVP_CIPH_##MODE##_MODE,   \
 852         aes_##mode##_init_key,          \
 853         aes_##mode##_cipher,            \
 854         aes_##mode##_cleanup,           \
 855         sizeof(EVP_AES_##MODE##_CTX),   \
 856         NULL,NULL,aes_##mode##_ctrl,NULL }; \
 857 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 858 { return &aes_##keylen##_##mode; }
 859 #endif
 860
 861 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
 862         BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
 863         BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
 864         BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
 865         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
 866         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
 867         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
 868         BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
 869
 870 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 871                    const unsigned char *iv, int enc)
 872         {
 873         int ret, mode;
 874         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
 875
 876         mode = ctx->cipher->flags & EVP_CIPH_MODE;
 877         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
 878             && !enc)
 879 #ifdef BSAES_CAPABLE
 880             if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE)
 881                 {
 882                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
 883                 dat->block      = (block128_f)AES_decrypt;
 884                 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
 885                 }
 886             else
 887 #endif
 888 #ifdef VPAES_CAPABLE
 889             if (VPAES_CAPABLE)
 890                 {
 891                 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
 892                 dat->block      = (block128_f)vpaes_decrypt;
 893                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
 894                                         (cbc128_f)vpaes_cbc_encrypt :
 895                                         NULL;
 896                 }
 897             else
 898 #endif
 899                 {
 900                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
 901                 dat->block      = (block128_f)AES_decrypt;
 902                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
 903                                         (cbc128_f)AES_cbc_encrypt :
 904                                         NULL;
 905                 }
 906         else
 907 #ifdef BSAES_CAPABLE
 908             if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE)
 909                 {
 910                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
 911                 dat->block      = (block128_f)AES_encrypt;
 912                 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
 913                 }
 914             else
 915 #endif
 916 #ifdef VPAES_CAPABLE
 917             if (VPAES_CAPABLE)
 918                 {
 919                 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
 920                 dat->block      = (block128_f)vpaes_encrypt;
 921                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
 922                                         (cbc128_f)vpaes_cbc_encrypt :
 923                                         NULL;
 924                 }
 925             else
 926 #endif
 927                 {
 928                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
 929                 dat->block      = (block128_f)AES_encrypt;
 930                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
 931                                         (cbc128_f)AES_cbc_encrypt :
 932                                         NULL;
 933 #ifdef AES_CTR_ASM
 934                 if (mode==EVP_CIPH_CTR_MODE)
 935                         dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
 936 #endif
 937                 }
 938
 939         if(ret < 0)
 940                 {
 941                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
 942                 return 0;
 943                 }
 944
 945         return 1;
 946         }
 947
 948 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 949         const unsigned char *in, size_t len)
 950 {
 951         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
 952
 953         if (dat->stream.cbc)
 954                 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
 955         else if (ctx->encrypt)
 956                 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
 957         else
 958                 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
 959
 960         return 1;
 961 }
 962
 963 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 964         const unsigned char *in, size_t len)
 965 {
 966         size_t  bl = ctx->cipher->block_size;
 967         size_t  i;
 968         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
 969
 970         if (len<bl)     return 1;
 971
 972         for (i=0,len-=bl;i<=len;i+=bl)
 973                 (*dat->block)(in+i,out+i,&dat->ks);
 974
 975         return 1;
 976 }
 977
 978 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 979         const unsigned char *in,size_t len)
 980 {
 981         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
 982
 983         CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
 984                         ctx->iv,&ctx->num,dat->block);
 985         return 1;
 986 }
 987
 988 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 989         const unsigned char *in,size_t len)
 990 {
 991         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
 992
 993         CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
 994                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
 995         return 1;
 996 }
 997
 998 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
 999         const unsigned char *in,size_t len)
1000 {
1001         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1002
1003         CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
1004                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1005         return 1;
1006 }
1007
1008 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1009         const unsigned char *in,size_t len)
1010 {
1011         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1012
1013         if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
1014                 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
1015                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1016                 return 1;
1017         }
1018
1019         while (len>=MAXBITCHUNK) {
1020                 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
1021                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1022                 len-=MAXBITCHUNK;
1023         }
1024         if (len)
1025                 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
1026                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1027
1028         return 1;
1029 }
1030
1031 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
1032                 const unsigned char *in, size_t len)
1033 {
1034         unsigned int num = ctx->num;
1035         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1036
1037         if (dat->stream.ctr)
1038                 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
1039                         ctx->iv,ctx->buf,&num,dat->stream.ctr);
1040         else
1041                 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
1042                         ctx->iv,ctx->buf,&num,dat->block);
1043         ctx->num = (size_t)num;
1044         return 1;
1045 }
1046
1047 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
1048 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
1049 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
1050
1051 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1052         {
1053         EVP_AES_GCM_CTX *gctx = c->cipher_data;
1054         OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
1055         if (gctx->iv != c->iv)
1056                 OPENSSL_free(gctx->iv);
1057         return 1;
1058         }
1059
1060 /* increment counter (64-bit int) by 1 */
1061 static void ctr64_inc(unsigned char *counter) {
1062         int n=8;
1063         unsigned char  c;
1064
1065         do {
1066                 --n;
1067                 c = counter[n];
1068                 ++c;
1069                 counter[n] = c;
1070                 if (c) return;
1071         } while (n);
1072 }
1073
1074 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1075         {
1076         EVP_AES_GCM_CTX *gctx = c->cipher_data;
1077         switch (type)
1078                 {
1079         case EVP_CTRL_INIT:
1080                 gctx->key_set = 0;
1081                 gctx->iv_set = 0;
1082                 gctx->ivlen = c->cipher->iv_len;
1083                 gctx->iv = c->iv;
1084                 gctx->taglen = -1;
1085                 gctx->iv_gen = 0;
1086                 gctx->tls_aad_len = -1;
1087                 return 1;
1088
1089         case EVP_CTRL_GCM_SET_IVLEN:
1090                 if (arg <= 0)
1091                         return 0;
1092 #ifdef OPENSSL_FIPS
1093                 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
1094                                                  && arg < 12)
1095                         return 0;
1096 #endif
1097                 /* Allocate memory for IV if needed */
1098                 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
1099                         {
1100                         if (gctx->iv != c->iv)
1101                                 OPENSSL_free(gctx->iv);
1102                         gctx->iv = OPENSSL_malloc(arg);
1103                         if (!gctx->iv)
1104                                 return 0;
1105                         }
1106                 gctx->ivlen = arg;
1107                 return 1;
1108
1109         case EVP_CTRL_GCM_SET_TAG:
1110                 if (arg <= 0 || arg > 16 || c->encrypt)
1111                         return 0;
1112                 memcpy(c->buf, ptr, arg);
1113                 gctx->taglen = arg;
1114                 return 1;
1115
1116         case EVP_CTRL_GCM_GET_TAG:
1117                 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1118                         return 0;
1119                 memcpy(ptr, c->buf, arg);
1120                 return 1;
1121
1122         case EVP_CTRL_GCM_SET_IV_FIXED:
1123                 /* Special case: -1 length restores whole IV */
1124                 if (arg == -1)
1125                         {
1126                         memcpy(gctx->iv, ptr, gctx->ivlen);
1127                         gctx->iv_gen = 1;
1128                         return 1;
1129                         }
1130                 /* Fixed field must be at least 4 bytes and invocation field
1131                  * at least 8.
1132                  */
1133                 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1134                         return 0;
1135                 if (arg)
1136                         memcpy(gctx->iv, ptr, arg);
1137                 if (c->encrypt &&
1138                         RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
1139                         return 0;
1140                 gctx->iv_gen = 1;
1141                 return 1;
1142
1143         case EVP_CTRL_GCM_IV_GEN:
1144                 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1145                         return 0;
1146                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1147                 if (arg <= 0 || arg > gctx->ivlen)
1148                         arg = gctx->ivlen;
1149                 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1150                 /* Invocation field will be at least 8 bytes in size and
1151                  * so no need to check wrap around or increment more than
1152                  * last 8 bytes.
1153                  */
1154                 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1155                 gctx->iv_set = 1;
1156                 return 1;
1157
1158         case EVP_CTRL_GCM_SET_IV_INV:
1159                 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1160                         return 0;
1161                 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1162                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1163                 gctx->iv_set = 1;
1164                 return 1;
1165
1166         case EVP_CTRL_AEAD_TLS1_AAD:
1167                 /* Save the AAD for later use */
1168                 if (arg != 13)
1169                         return 0;
1170                 memcpy(c->buf, ptr, arg);
1171                 gctx->tls_aad_len = arg;
1172                         {
1173                         unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
1174                         /* Correct length for explicit IV */
1175                         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1176                         /* If decrypting correct for tag too */
1177                         if (!c->encrypt)
1178                                 len -= EVP_GCM_TLS_TAG_LEN;
1179                         c->buf[arg-2] = len>>8;
1180                         c->buf[arg-1] = len & 0xff;
1181                         }
1182                 /* Extra padding: tag appended to record */
1183                 return EVP_GCM_TLS_TAG_LEN;
1184
1185         default:
1186                 return -1;
1187
1188                 }
1189         }
1190
1191 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1192                         const unsigned char *iv, int enc)
1193         {
1194         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1195         if (!iv && !key)
1196                 return 1;
1197         if (key)
1198                 { do {
1199 #ifdef BSAES_CAPABLE
1200                 if (BSAES_CAPABLE)
1201                         {
1202                         AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks);
1203                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
1204                                         (block128_f)AES_encrypt);
1205                         gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
1206                         break;
1207                         }
1208                 else
1209 #endif
1210 #ifdef VPAES_CAPABLE
1211                 if (VPAES_CAPABLE)
1212                         {
1213                         vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks);
1214                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
1215                                         (block128_f)vpaes_encrypt);
1216                         gctx->ctr = NULL;
1217                         break;
1218                         }
1219 #endif
1220                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1221                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
1222 #ifdef AES_CTR_ASM
1223                 gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
1224 #else
1225                 gctx->ctr = NULL;
1226 #endif
1227                 } while (0);
1228
1229                 /* If we have an iv can set it directly, otherwise use
1230                  * saved IV.
1231                  */
1232                 if (iv == NULL && gctx->iv_set)
1233                         iv = gctx->iv;
1234                 if (iv)
1235                         {
1236                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1237                         gctx->iv_set = 1;
1238                         }
1239                 gctx->key_set = 1;
1240                 }
1241         else
1242                 {
1243                 /* If key set use IV, otherwise copy */
1244                 if (gctx->key_set)
1245                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1246                 else
1247                         memcpy(gctx->iv, iv, gctx->ivlen);
1248                 gctx->iv_set = 1;
1249                 gctx->iv_gen = 0;
1250                 }
1251         return 1;
1252         }
1253
1254 /* Handle TLS GCM packet format. This consists of the last portion of the IV
1255  * followed by the payload and finally the tag. On encrypt generate IV,
1256  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1257  * and verify tag.
1258  */
1259
1260 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1261                 const unsigned char *in, size_t len)
1262         {
1263         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1264         int rv = -1;
1265         /* Encrypt/decrypt must be performed in place */
1266         if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN))
1267                 return -1;
1268         /* Set IV from start of buffer or generate IV and write to start
1269          * of buffer.
1270          */
1271         if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1272                                 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1273                                 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1274                 goto err;
1275         /* Use saved AAD */
1276         if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1277                 goto err;
1278         /* Fix buffer and length to point to payload */
1279         in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1280         out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1281         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1282         if (ctx->encrypt)
1283                 {
1284                 /* Encrypt payload */
1285                 if (gctx->ctr)
1286                         {
1287                         if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1288                                                         in, out, len,
1289                                                         gctx->ctr))
1290                                 goto err;
1291                         }
1292                 else    {
1293                         if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1294                                 goto err;
1295                         }
1296                 out += len;
1297                 /* Finally write tag */
1298                 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1299                 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1300                 }
1301         else
1302                 {
1303                 /* Decrypt */
1304                 if (gctx->ctr)
1305                         {
1306                         if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1307                                                         in, out, len,
1308                                                         gctx->ctr))
1309                                 goto err;
1310                         }
1311                 else    {
1312                         if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1313                                 goto err;
1314                         }
1315                 /* Retrieve tag */
1316                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
1317                                         EVP_GCM_TLS_TAG_LEN);
1318                 /* If tag mismatch wipe buffer */
1319                 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
1320                         {
1321                         OPENSSL_cleanse(out, len);
1322                         goto err;
1323                         }
1324                 rv = len;
1325                 }
1326
1327         err:
1328         gctx->iv_set = 0;
1329         gctx->tls_aad_len = -1;
1330         return rv;
1331         }
1332
1333 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1334                 const unsigned char *in, size_t len)
1335         {
1336         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1337         /* If not set up, return error */
1338         if (!gctx->key_set)
1339                 return -1;
1340
1341         if (gctx->tls_aad_len >= 0)
1342                 return aes_gcm_tls_cipher(ctx, out, in, len);
1343
1344         if (!gctx->iv_set)
1345                 return -1;
1346         if (!ctx->encrypt && gctx->taglen < 0)
1347                 return -1;
1348         if (in)
1349                 {
1350                 if (out == NULL)
1351                         {
1352                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1353                                 return -1;
1354                         }
1355                 else if (ctx->encrypt)
1356                         {
1357                         if (gctx->ctr)
1358                                 {
1359                                 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1360                                                         in, out, len,
1361                                                         gctx->ctr))
1362                                         return -1;
1363                                 }
1364                         else    {
1365                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1366                                         return -1;
1367                                 }
1368                         }
1369                 else
1370                         {
1371                         if (gctx->ctr)
1372                                 {
1373                                 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1374                                                         in, out, len,
1375                                                         gctx->ctr))
1376                                         return -1;
1377                                 }
1378                         else    {
1379                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1380                                         return -1;
1381                                 }
1382                         }
1383                 return len;
1384                 }
1385         else
1386                 {
1387                 if (!ctx->encrypt)
1388                         {
1389                         if (CRYPTO_gcm128_finish(&gctx->gcm,
1390                                         ctx->buf, gctx->taglen) != 0)
1391                                 return -1;
1392                         gctx->iv_set = 0;
1393                         return 0;
1394                         }
1395                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1396                 gctx->taglen = 16;
1397                 /* Don't reuse the IV */
1398                 gctx->iv_set = 0;
1399                 return 0;
1400                 }
1401
1402         }
1403
1404 #define CUSTOM_FLAGS    (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1405                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1406                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1407
1408 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1409                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1410 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1411                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1412 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1413                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1414
1415 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1416         {
1417         EVP_AES_XTS_CTX *xctx = c->cipher_data;
1418         if (type != EVP_CTRL_INIT)
1419                 return -1;
1420         /* key1 and key2 are used as an indicator both key and IV are set */
1421         xctx->xts.key1 = NULL;
1422         xctx->xts.key2 = NULL;
1423         return 1;
1424         }
1425
1426 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1427                         const unsigned char *iv, int enc)
1428         {
1429         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1430         if (!iv && !key)
1431                 return 1;
1432
1433         if (key) do
1434                 {
1435 #ifdef AES_XTS_ASM
1436                 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1437 #else
1438                 xctx->stream = NULL;
1439 #endif
1440                 /* key_len is two AES keys */
1441 #ifdef BSAES_CAPABLE
1442                 if (BSAES_CAPABLE)
1443                         xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1444                 else
1445 #endif
1446 #ifdef VPAES_CAPABLE
1447                 if (VPAES_CAPABLE)
1448                     {
1449                     if (enc)
1450                         {
1451                         vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1452                         xctx->xts.block1 = (block128_f)vpaes_encrypt;
1453                         }
1454                     else
1455                         {
1456                         vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1457                         xctx->xts.block1 = (block128_f)vpaes_decrypt;
1458                         }
1459
1460                 vpaes_set_encrypt_key(key + ctx->key_len/2,
1461                                                 ctx->key_len * 4, &xctx->ks2.ks);
1462                 xctx->xts.block2 = (block128_f)vpaes_encrypt;
1463
1464                 xctx->xts.key1 = &xctx->ks1;
1465                 break;
1466                 }
1467 #endif
1468                 if (enc)
1469                         {
1470                         AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1471                         xctx->xts.block1 = (block128_f)AES_encrypt;
1472                         }
1473                 else
1474                         {
1475                         AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1476                         xctx->xts.block1 = (block128_f)AES_decrypt;
1477                         }
1478
1479                 AES_set_encrypt_key(key + ctx->key_len/2,
1480                                                 ctx->key_len * 4, &xctx->ks2.ks);
1481                 xctx->xts.block2 = (block128_f)AES_encrypt;
1482
1483                 xctx->xts.key1 = &xctx->ks1;
1484                 } while (0);
1485
1486         if (iv)
1487                 {
1488                 xctx->xts.key2 = &xctx->ks2;
1489                 memcpy(ctx->iv, iv, 16);
1490                 }
1491
1492         return 1;
1493         }
1494
1495 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1496                 const unsigned char *in, size_t len)
1497         {
1498         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1499         if (!xctx->xts.key1 || !xctx->xts.key2)
1500                 return 0;
1501         if (!out || !in || len<AES_BLOCK_SIZE)
1502                 return 0;
1503 #ifdef OPENSSL_FIPS
1504         /* Requirement of SP800-38E */
1505         if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1506                         (len > (1UL<<20)*16))
1507                 {
1508                 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1509                 return 0;
1510                 }
1511 #endif
1512         if (xctx->stream)
1513                 (*xctx->stream)(in, out, len,
1514                                 xctx->xts.key1, xctx->xts.key2, ctx->iv);
1515         else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1516                                                                 ctx->encrypt))
1517                 return 0;
1518         return 1;
1519         }
1520
1521 #define aes_xts_cleanup NULL
1522
1523 #define XTS_FLAGS       (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1524                          | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1525
1526 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1527 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1528
1529 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1530         {
1531         EVP_AES_CCM_CTX *cctx = c->cipher_data;
1532         switch (type)
1533                 {
1534         case EVP_CTRL_INIT:
1535                 cctx->key_set = 0;
1536                 cctx->iv_set = 0;
1537                 cctx->L = 8;
1538                 cctx->M = 12;
1539                 cctx->tag_set = 0;
1540                 cctx->len_set = 0;
1541                 return 1;
1542
1543         case EVP_CTRL_CCM_SET_IVLEN:
1544                 arg = 15 - arg;
1545         case EVP_CTRL_CCM_SET_L:
1546                 if (arg < 2 || arg > 8)
1547                         return 0;
1548                 cctx->L = arg;
1549                 return 1;
1550
1551         case EVP_CTRL_CCM_SET_TAG:
1552                 if ((arg & 1) || arg < 4 || arg > 16)
1553                         return 0;
1554                 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1555                         return 0;
1556                 if (ptr)
1557                         {
1558                         cctx->tag_set = 1;
1559                         memcpy(c->buf, ptr, arg);
1560                         }
1561                 cctx->M = arg;
1562                 return 1;
1563
1564         case EVP_CTRL_CCM_GET_TAG:
1565                 if (!c->encrypt || !cctx->tag_set)
1566                         return 0;
1567                 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1568                         return 0;
1569                 cctx->tag_set = 0;
1570                 cctx->iv_set = 0;
1571                 cctx->len_set = 0;
1572                 return 1;
1573
1574         default:
1575                 return -1;
1576
1577                 }
1578         }
1579
1580 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1581                         const unsigned char *iv, int enc)
1582         {
1583         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1584         if (!iv && !key)
1585                 return 1;
1586         if (key) do
1587                 {
1588 #ifdef VPAES_CAPABLE
1589                 if (VPAES_CAPABLE)
1590                         {
1591                         vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks.ks);
1592                         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1593                                         &cctx->ks, (block128_f)vpaes_encrypt);
1594                         cctx->str = NULL;
1595                         cctx->key_set = 1;
1596                         break;
1597                         }
1598 #endif
1599                 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
1600                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1601                                         &cctx->ks, (block128_f)AES_encrypt);
1602                 cctx->str = NULL;
1603                 cctx->key_set = 1;
1604                 } while (0);
1605         if (iv)
1606                 {
1607                 memcpy(ctx->iv, iv, 15 - cctx->L);
1608                 cctx->iv_set = 1;
1609                 }
1610         return 1;
1611         }
1612
1613 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1614                 const unsigned char *in, size_t len)
1615         {
1616         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1617         CCM128_CONTEXT *ccm = &cctx->ccm;
1618         /* If not set up, return error */
1619         if (!cctx->iv_set && !cctx->key_set)
1620                 return -1;
1621         if (!ctx->encrypt && !cctx->tag_set)
1622                 return -1;
1623         if (!out)
1624                 {
1625                 if (!in)
1626                         {
1627                         if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
1628                                 return -1;
1629                         cctx->len_set = 1;
1630                         return len;
1631                         }
1632                 /* If have AAD need message length */
1633                 if (!cctx->len_set && len)
1634                         return -1;
1635                 CRYPTO_ccm128_aad(ccm, in, len);
1636                 return len;
1637                 }
1638         /* EVP_*Final() doesn't return any data */
1639         if (!in)
1640                 return 0;
1641         /* If not set length yet do it */
1642         if (!cctx->len_set)
1643                 {
1644                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1645                         return -1;
1646                 cctx->len_set = 1;
1647                 }
1648         if (ctx->encrypt)
1649                 {
1650                 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
1651                                                 cctx->str) :
1652                                 CRYPTO_ccm128_encrypt(ccm, in, out, len))
1653                         return -1;
1654                 cctx->tag_set = 1;
1655                 return len;
1656                 }
1657         else
1658                 {
1659                 int rv = -1;
1660                 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
1661                                                 cctx->str) :
1662                                 !CRYPTO_ccm128_decrypt(ccm, in, out, len))
1663                         {
1664                         unsigned char tag[16];
1665                         if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
1666                                 {
1667                                 if (!memcmp(tag, ctx->buf, cctx->M))
1668                                         rv = len;
1669                                 }
1670                         }
1671                 if (rv == -1)
1672                         OPENSSL_cleanse(out, len);
1673                 cctx->iv_set = 0;
1674                 cctx->tag_set = 0;
1675                 cctx->len_set = 0;
1676                 return rv;
1677                 }
1678
1679         }
1680
1681 #define aes_ccm_cleanup NULL
1682
1683 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1684 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1685 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1686
1687 #endif