4b94b2a8404394bf6cb434d03a0c873d3d5edf14
[openssl.git] / crypto / evp / e_aes.c
1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer. 
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50
51 #define OPENSSL_FIPSAPI
52
53 #include <openssl/opensslconf.h>
54 #ifndef OPENSSL_NO_AES
55 #include <openssl/evp.h>
56 #include <openssl/err.h>
57 #include <string.h>
58 #include <assert.h>
59 #include <openssl/aes.h>
60 #include "evp_locl.h"
61 #include "modes_lcl.h"
62 #include <openssl/rand.h>
63
64 typedef struct
65         {
66         AES_KEY ks;
67         void (*block)(const unsigned char *in, unsigned char *out,
68                         const AES_KEY *key);
69         void (*cbc)(const unsigned char *in,
70                         unsigned char *out,
71                         size_t length,
72                         const AES_KEY *key,
73                         unsigned char *ivec, int enc);
74
75         } EVP_AES_KEY;
76
77 typedef struct
78         {
79         AES_KEY ks;             /* AES key schedule to use */
80         int key_set;            /* Set if key initialised */
81         int iv_set;             /* Set if an iv is set */
82         GCM128_CONTEXT gcm;
83         unsigned char *iv;      /* Temporary IV store */
84         int ivlen;              /* IV length */
85         int taglen;
86         int iv_gen;             /* It is OK to generate IVs */
87         int tls_aad_len;        /* TLS AAD length */
88         } EVP_AES_GCM_CTX;
89
90 typedef struct
91         {
92         AES_KEY ks1, ks2;       /* AES key schedules to use */
93         XTS128_CONTEXT xts;
94         } EVP_AES_XTS_CTX;
95
96 typedef struct
97         {
98         AES_KEY ks;             /* AES key schedule to use */
99         int key_set;            /* Set if key initialised */
100         int iv_set;             /* Set if an iv is set */
101         int tag_set;            /* Set if tag is valid */
102         int len_set;            /* Set if message length set */
103         int L, M;               /* L and M parameters from RFC3610 */
104         CCM128_CONTEXT ccm;
105         } EVP_AES_CCM_CTX;
106
107 #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
108
109 #ifdef VPAES_ASM
110 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
111                         AES_KEY *key);
112 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
113                         AES_KEY *key);
114
115 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
116                         const AES_KEY *key);
117 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
118                         const AES_KEY *key);
119
120 void vpaes_cbc_encrypt(const unsigned char *in,
121                         unsigned char *out,
122                         size_t length,
123                         const AES_KEY *key,
124                         unsigned char *ivec, int enc);
125 #endif
126
127 #if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
128         ((defined(__i386)       || defined(__i386__)    || \
129           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
130         defined(__x86_64)       || defined(__x86_64__)  || \
131         defined(_M_AMD64)       || defined(_M_X64)      || \
132         defined(__INTEL__)                              )
133
134 extern unsigned int OPENSSL_ia32cap_P[2];
135
136 #ifdef VPAES_ASM
137 #define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
138 #endif
139 /*
140  * AES-NI section
141  */
142 #define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
143
144 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
145                         AES_KEY *key);
146 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
147                         AES_KEY *key);
148
149 void aesni_encrypt(const unsigned char *in, unsigned char *out,
150                         const AES_KEY *key);
151 void aesni_decrypt(const unsigned char *in, unsigned char *out,
152                         const AES_KEY *key);
153
154 void aesni_ecb_encrypt(const unsigned char *in,
155                         unsigned char *out,
156                         size_t length,
157                         const AES_KEY *key,
158                         int enc);
159 void aesni_cbc_encrypt(const unsigned char *in,
160                         unsigned char *out,
161                         size_t length,
162                         const AES_KEY *key,
163                         unsigned char *ivec, int enc);
164
165 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
166                         unsigned char *out,
167                         size_t blocks,
168                         const void *key,
169                         const unsigned char *ivec);
170
171 void aesni_xts_encrypt(const unsigned char *in,
172                         unsigned char *out,
173                         size_t length,
174                         const AES_KEY *key1, const AES_KEY *key2,
175                         const unsigned char iv[16]);
176
177 void aesni_xts_decrypt(const unsigned char *in,
178                         unsigned char *out,
179                         size_t length,
180                         const AES_KEY *key1, const AES_KEY *key2,
181                         const unsigned char iv[16]);
182
183 void aesni_ccm64_encrypt_blocks (const unsigned char *in,
184                         unsigned char *out,
185                         size_t blocks,
186                         const void *key,
187                         const unsigned char ivec[16],
188                         unsigned char cmac[16]);
189
190 void aesni_ccm64_decrypt_blocks (const unsigned char *in,
191                         unsigned char *out,
192                         size_t blocks,
193                         const void *key,
194                         const unsigned char ivec[16],
195                         unsigned char cmac[16]);
196
197 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
198                    const unsigned char *iv, int enc)
199         {
200         int ret;
201
202         if (((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_ECB_MODE
203             || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CBC_MODE)
204             && !enc) 
205                 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
206         else
207                 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
208
209         if(ret < 0)
210                 {
211                 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
212                 return 0;
213                 }
214
215         return 1;
216         }
217
218 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
219         const unsigned char *in, size_t len)
220 {
221         aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
222
223         return 1;
224 }
225
226 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
227         const unsigned char *in, size_t len)
228 {
229         size_t  bl = ctx->cipher->block_size;
230
231         if (len<bl)     return 1;
232
233         aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
234
235         return 1;
236 }
237
238 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
239         const unsigned char *in,size_t len)
240 {
241         CRYPTO_ofb128_encrypt(in,out,len,ctx->cipher_data,
242                         ctx->iv,&ctx->num,
243                         (block128_f)aesni_encrypt);
244         return 1;
245 }
246
247 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
248         const unsigned char *in,size_t len)
249 {
250         CRYPTO_cfb128_encrypt(in,out,len,ctx->cipher_data,
251                         ctx->iv,&ctx->num,ctx->encrypt,
252                         (block128_f)aesni_encrypt);
253         return 1;
254 }
255
256 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
257         const unsigned char *in,size_t len)
258 {
259         CRYPTO_cfb128_8_encrypt(in,out,len,ctx->cipher_data,
260                         ctx->iv,&ctx->num,ctx->encrypt,
261                         (block128_f)aesni_encrypt);
262         return 1;
263 }
264
265 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
266         const unsigned char *in,size_t len)
267 {
268         if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
269                 CRYPTO_cfb128_1_encrypt(in,out,len,ctx->cipher_data,
270                         ctx->iv,&ctx->num,ctx->encrypt,
271                         (block128_f)aesni_encrypt);
272                 return 1;
273         }
274
275         while (len>=MAXBITCHUNK) {
276                 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,ctx->cipher_data,
277                         ctx->iv,&ctx->num,ctx->encrypt,
278                         (block128_f)aesni_encrypt);
279                 len-=MAXBITCHUNK;
280         }
281         if (len)
282                 CRYPTO_cfb128_1_encrypt(in,out,len*8,ctx->cipher_data,
283                         ctx->iv,&ctx->num,ctx->encrypt,
284                         (block128_f)aesni_encrypt);
285         
286         return 1;
287 }
288
289 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
290                 const unsigned char *in, size_t len)
291 {
292         unsigned int num;
293         num = ctx->num;
294
295         CRYPTO_ctr128_encrypt_ctr32(in,out,len,
296                         ctx->cipher_data,ctx->iv,ctx->buf,&num,
297                         (ctr128_f)aesni_ctr32_encrypt_blocks);
298
299         ctx->num = (size_t)num;
300         return 1;
301 }
302
303 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
304                         const unsigned char *iv, int enc)
305         {
306         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
307         if (!iv && !key)
308                 return 1;
309         if (key)
310                 {
311                 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
312                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
313                                 (block128_f)aesni_encrypt);
314                 /* If we have an iv can set it directly, otherwise use
315                  * saved IV.
316                  */
317                 if (iv == NULL && gctx->iv_set)
318                         iv = gctx->iv;
319                 if (iv)
320                         {
321                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
322                         gctx->iv_set = 1;
323                         }
324                 gctx->key_set = 1;
325                 }
326         else
327                 {
328                 /* If key set use IV, otherwise copy */
329                 if (gctx->key_set)
330                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
331                 else
332                         memcpy(gctx->iv, iv, gctx->ivlen);
333                 gctx->iv_set = 1;
334                 gctx->iv_gen = 0;
335                 }
336         return 1;
337         }
338
339 /* Handle TLS GCM packet format. This consists of the last portion of the IV
340  * followed by the payload and finally the tag. On encrypt generate IV,
341  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
342  * and verify tag.
343  */
344
345 static int aesni_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
346                 const unsigned char *in, size_t len)
347         {
348         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
349         int rv = -1;
350         /* Encrypt/decrypt must be performed in place */
351         if (out != in)
352                 return -1;
353         /* Set IV from start of buffer or generate IV and write to start
354          * of buffer.
355          */
356         if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
357                                 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
358                                 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
359                 goto err;
360         /* Use saved AAD */
361         if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
362                 goto err;
363         /* Fix buffer and length to point to payload */
364         in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
365         out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
366         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
367         if (ctx->encrypt)
368                 {
369                 /* Encrypt payload */
370                 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, len,
371                                                 aesni_ctr32_encrypt_blocks))
372                         goto err;
373                 out += len;
374                 /* Finally write tag */
375                 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
376                 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
377                 }
378         else
379                 {
380                 /* Decrypt */
381                 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, len,
382                                                 aesni_ctr32_encrypt_blocks))
383                         goto err;
384                 /* Retrieve tag */
385                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
386                                         EVP_GCM_TLS_TAG_LEN);
387                 /* If tag mismatch wipe buffer */
388                 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
389                         {
390                         OPENSSL_cleanse(out, len);
391                         goto err;
392                         }
393                 rv = len;
394                 }
395
396         err:
397         gctx->iv_set = 0;
398         gctx->tls_aad_len = -1;
399         return rv;
400         }
401
402 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
403                 const unsigned char *in, size_t len)
404         {
405         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
406         /* If not set up, return error */
407         if (!gctx->key_set)
408                 return -1;
409
410         if (gctx->tls_aad_len >= 0)
411                 return aesni_gcm_tls_cipher(ctx, out, in, len);
412
413         if (!gctx->iv_set)
414                 return -1;
415         if (!ctx->encrypt && gctx->taglen < 0)
416                 return -1;
417         if (in)
418                 {
419                 if (out == NULL)
420                         {
421                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
422                                 return -1;
423                         }
424                 else if (ctx->encrypt)
425                         {
426                         if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
427                                         in, out, len,
428                                         aesni_ctr32_encrypt_blocks))
429                                 return -1;
430                         }
431                 else
432                         {
433                         if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
434                                         in, out, len,
435                                         aesni_ctr32_encrypt_blocks))
436                                 return -1;
437                         }
438                 return len;
439                 }
440         else
441                 {
442                 if (!ctx->encrypt)
443                         {
444                         if (CRYPTO_gcm128_finish(&gctx->gcm,
445                                         ctx->buf, gctx->taglen) != 0)
446                                 return -1;
447                         gctx->iv_set = 0;
448                         return 0;
449                         }
450                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
451                 gctx->taglen = 16;
452                 /* Don't reuse the IV */
453                 gctx->iv_set = 0;
454                 return 0;
455                 }
456
457         }
458
459 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
460                         const unsigned char *iv, int enc)
461         {
462         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
463         if (!iv && !key)
464                 return 1;
465
466         if (key)
467                 {
468                 /* key_len is two AES keys */
469                 if (enc)
470                         {
471                         aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
472                         xctx->xts.block1 = (block128_f)aesni_encrypt;
473                         }
474                 else
475                         {
476                         aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
477                         xctx->xts.block1 = (block128_f)aesni_decrypt;
478                         }
479
480                 aesni_set_encrypt_key(key + ctx->key_len/2,
481                                                 ctx->key_len * 4, &xctx->ks2);
482                 xctx->xts.block2 = (block128_f)aesni_encrypt;
483
484                 xctx->xts.key1 = &xctx->ks1;
485                 }
486
487         if (iv)
488                 {
489                 xctx->xts.key2 = &xctx->ks2;
490                 memcpy(ctx->iv, iv, 16);
491                 }
492
493         return 1;
494         }
495
496 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
497                 const unsigned char *in, size_t len)
498         {
499         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
500         if (!xctx->xts.key1 || !xctx->xts.key2)
501                 return -1;
502         if (!out || !in)
503                 return -1;
504 #ifdef OPENSSL_FIPS
505         /* Requirement of SP800-38E */
506         if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
507                         (len > (1L<<20)*16))
508                 {
509                 EVPerr(EVP_F_AESNI_XTS_CIPHER, EVP_R_TOO_LARGE);
510                 return -1;
511                 }
512 #endif
513         if (ctx->encrypt)
514                 aesni_xts_encrypt(in, out, len,
515                         xctx->xts.key1, xctx->xts.key2, ctx->iv);
516         else
517                 aesni_xts_decrypt(in, out, len,
518                         xctx->xts.key1, xctx->xts.key2, ctx->iv);
519
520         return len;
521         }
522
523 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
524                         const unsigned char *iv, int enc)
525         {
526         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
527         if (!iv && !key)
528                 return 1;
529         if (key)
530                 {
531                 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
532                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
533                                         &cctx->ks, (block128_f)aesni_encrypt);
534                 cctx->key_set = 1;
535                 }
536         if (iv)
537                 {
538                 memcpy(ctx->iv, iv, 15 - cctx->L);
539                 cctx->iv_set = 1;
540                 }
541         return 1;
542         }
543
544 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
545                 const unsigned char *in, size_t len)
546         {
547         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
548         CCM128_CONTEXT *ccm = &cctx->ccm;
549         /* If not set up, return error */
550         if (!cctx->iv_set && !cctx->key_set)
551                 return -1;
552         if (!ctx->encrypt && !cctx->tag_set)
553                 return -1;
554         if (!out)
555                 {
556                 if (!in)
557                         {
558                         if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
559                                 return -1;
560                         cctx->len_set = 1;
561                         return len;
562                         }
563                 /* If have AAD need message length */
564                 if (!cctx->len_set && len)
565                         return -1;
566                 CRYPTO_ccm128_aad(ccm, in, len);
567                 return len;
568                 }
569         /* EVP_*Final() doesn't return any data */
570         if (!in)
571                 return 0;
572         /* If not set length yet do it */
573         if (!cctx->len_set)
574                 {
575                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
576                         return -1;
577                 cctx->len_set = 1;
578                 }
579         if (ctx->encrypt)
580                 {
581                 if (CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
582                                 aesni_ccm64_encrypt_blocks))
583                         return -1;
584                 cctx->tag_set = 1;
585                 return len;
586                 }
587         else
588                 {
589                 int rv = -1;
590                 if (!CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
591                                 aesni_ccm64_decrypt_blocks))
592                         {
593                         unsigned char tag[16];
594                         if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
595                                 {
596                                 if (!memcmp(tag, ctx->buf, cctx->M))
597                                         rv = len;
598                                 }
599                         }
600                 if (rv == -1)
601                         OPENSSL_cleanse(out, len);
602                 cctx->iv_set = 0;
603                 cctx->tag_set = 0;
604                 cctx->len_set = 0;
605                 return rv;
606                 }
607
608         }
609
610 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
611 static const EVP_CIPHER aesni_##keylen##_##mode = { \
612         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
613         flags|EVP_CIPH_##MODE##_MODE,   \
614         aesni_init_key,                 \
615         aesni_##mode##_cipher,          \
616         NULL,                           \
617         sizeof(EVP_AES_KEY),            \
618         NULL,NULL,NULL,NULL }; \
619 static const EVP_CIPHER aes_##keylen##_##mode = { \
620         nid##_##keylen##_##nmode,blocksize,     \
621         keylen/8,ivlen, \
622         flags|EVP_CIPH_##MODE##_MODE,   \
623         aes_init_key,                   \
624         aes_##mode##_cipher,            \
625         NULL,                           \
626         sizeof(EVP_AES_KEY),            \
627         NULL,NULL,NULL,NULL }; \
628 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
629 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
630
631 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
632 static const EVP_CIPHER aesni_##keylen##_##mode = { \
633         nid##_##keylen##_##mode,blocksize, \
634         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
635         flags|EVP_CIPH_##MODE##_MODE,   \
636         aesni_##mode##_init_key,        \
637         aesni_##mode##_cipher,          \
638         aes_##mode##_cleanup,           \
639         sizeof(EVP_AES_##MODE##_CTX),   \
640         NULL,NULL,aes_##mode##_ctrl,NULL }; \
641 static const EVP_CIPHER aes_##keylen##_##mode = { \
642         nid##_##keylen##_##mode,blocksize, \
643         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
644         flags|EVP_CIPH_##MODE##_MODE,   \
645         aes_##mode##_init_key,          \
646         aes_##mode##_cipher,            \
647         aes_##mode##_cleanup,           \
648         sizeof(EVP_AES_##MODE##_CTX),   \
649         NULL,NULL,aes_##mode##_ctrl,NULL }; \
650 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
651 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
652
653 #else
654
655 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
656 static const EVP_CIPHER aes_##keylen##_##mode = { \
657         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
658         flags|EVP_CIPH_##MODE##_MODE,   \
659         aes_init_key,                   \
660         aes_##mode##_cipher,            \
661         NULL,                           \
662         sizeof(EVP_AES_KEY),            \
663         NULL,NULL,NULL,NULL }; \
664 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
665 { return &aes_##keylen##_##mode; }
666
667 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
668 static const EVP_CIPHER aes_##keylen##_##mode = { \
669         nid##_##keylen##_##mode,blocksize, \
670         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
671         flags|EVP_CIPH_##MODE##_MODE,   \
672         aes_##mode##_init_key,          \
673         aes_##mode##_cipher,            \
674         aes_##mode##_cleanup,           \
675         sizeof(EVP_AES_##MODE##_CTX),   \
676         NULL,NULL,aes_##mode##_ctrl,NULL }; \
677 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
678 { return &aes_##keylen##_##mode; }
679 #endif
680
681 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
682         BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
683         BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
684         BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
685         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
686         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
687         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
688         BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
689
690 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
691                    const unsigned char *iv, int enc)
692         {
693         int ret;
694         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
695
696         if (((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_ECB_MODE
697             || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CBC_MODE)
698             && !enc)
699 #ifdef VPAES_CAPABLE
700             if (VPAES_CAPABLE)
701                 {
702                 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
703                 dat->block = vpaes_decrypt;
704                 dat->cbc   = vpaes_cbc_encrypt;
705                 }
706             else
707 #endif
708                 {
709                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
710                 dat->block = AES_decrypt;
711                 dat->cbc   = AES_cbc_encrypt;
712                 }
713         else
714 #ifdef VPAES_CAPABLE
715             if (VPAES_CAPABLE)
716                 {
717                 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
718                 dat->block = vpaes_encrypt;
719                 dat->cbc   = vpaes_cbc_encrypt;
720                 }
721             else
722 #endif
723                 {
724                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
725                 dat->block = AES_encrypt;
726                 dat->cbc   = AES_cbc_encrypt;
727                 }
728
729         if(ret < 0)
730                 {
731                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
732                 return 0;
733                 }
734
735         return 1;
736         }
737
738 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
739         const unsigned char *in, size_t len)
740 {
741         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
742
743         (*dat->cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
744
745         return 1;
746 }
747
748 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
749         const unsigned char *in, size_t len)
750 {
751         size_t  bl = ctx->cipher->block_size;
752         size_t  i;
753         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
754
755         if (len<bl)     return 1;
756
757         for (i=0,len-=bl;i<=len;i+=bl)
758                 (*dat->block)(in+i,out+i,&dat->ks);
759
760         return 1;
761 }
762
763 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
764         const unsigned char *in,size_t len)
765 {
766         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
767
768         CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
769                         ctx->iv,&ctx->num,
770                         (block128_f)dat->block);
771         return 1;
772 }
773
774 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
775         const unsigned char *in,size_t len)
776 {
777         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
778
779         CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
780                         ctx->iv,&ctx->num,ctx->encrypt,
781                         (block128_f)dat->block);
782         return 1;
783 }
784
785 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
786         const unsigned char *in,size_t len)
787 {
788         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
789
790         CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
791                         ctx->iv,&ctx->num,ctx->encrypt,
792                         (block128_f)dat->block);
793         return 1;
794 }
795
796 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
797         const unsigned char *in,size_t len)
798 {
799         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
800
801         if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
802                 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
803                         ctx->iv,&ctx->num,ctx->encrypt,
804                         (block128_f)dat->block);
805                 return 1;
806         }
807
808         while (len>=MAXBITCHUNK) {
809                 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
810                         ctx->iv,&ctx->num,ctx->encrypt,
811                         (block128_f)dat->block);
812                 len-=MAXBITCHUNK;
813         }
814         if (len)
815                 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
816                         ctx->iv,&ctx->num,ctx->encrypt,
817                         (block128_f)dat->block);
818         
819         return 1;
820 }
821
822 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
823                 const unsigned char *in, size_t len)
824 {
825         unsigned int num = ctx->num;
826         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
827 #ifdef AES_CTR_ASM
828         void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
829                         size_t blocks, const AES_KEY *key,
830                         const unsigned char ivec[AES_BLOCK_SIZE]);
831
832         CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
833                 ctx->iv,ctx->buf,&num,(ctr128_f)AES_ctr32_encrypt);
834 #else
835         CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
836                 ctx->iv,ctx->buf,&num,(block128_f)dat->block);
837 #endif
838         ctx->num = (size_t)num;
839         return 1;
840 }
841
842 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
843 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
844 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
845
846 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
847         {
848         EVP_AES_GCM_CTX *gctx = c->cipher_data;
849         OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
850         if (gctx->iv != c->iv)
851                 OPENSSL_free(gctx->iv);
852         return 1;
853         }
854
855 /* increment counter (64-bit int) by 1 */
856 static void ctr64_inc(unsigned char *counter) {
857         int n=8;
858         unsigned char  c;
859
860         do {
861                 --n;
862                 c = counter[n];
863                 ++c;
864                 counter[n] = c;
865                 if (c) return;
866         } while (n);
867 }
868
869 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
870         {
871         EVP_AES_GCM_CTX *gctx = c->cipher_data;
872         switch (type)
873                 {
874         case EVP_CTRL_INIT:
875                 gctx->key_set = 0;
876                 gctx->iv_set = 0;
877                 gctx->ivlen = c->cipher->iv_len;
878                 gctx->iv = c->iv;
879                 gctx->taglen = -1;
880                 gctx->iv_gen = 0;
881                 gctx->tls_aad_len = -1;
882                 return 1;
883
884         case EVP_CTRL_GCM_SET_IVLEN:
885                 if (arg <= 0)
886                         return 0;
887 #ifdef OPENSSL_FIPS
888                 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
889                                                  && arg < 12)
890                         return 0;
891 #endif
892                 /* Allocate memory for IV if needed */
893                 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
894                         {
895                         if (gctx->iv != c->iv)
896                                 OPENSSL_free(gctx->iv);
897                         gctx->iv = OPENSSL_malloc(arg);
898                         if (!gctx->iv)
899                                 return 0;
900                         }
901                 gctx->ivlen = arg;
902                 return 1;
903
904         case EVP_CTRL_GCM_SET_TAG:
905                 if (arg <= 0 || arg > 16 || c->encrypt)
906                         return 0;
907                 memcpy(c->buf, ptr, arg);
908                 gctx->taglen = arg;
909                 return 1;
910
911         case EVP_CTRL_GCM_GET_TAG:
912                 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
913                         return 0;
914                 memcpy(ptr, c->buf, arg);
915                 return 1;
916
917         case EVP_CTRL_GCM_SET_IV_FIXED:
918                 /* Special case: -1 length restores whole IV */
919                 if (arg == -1)
920                         {
921                         memcpy(gctx->iv, ptr, gctx->ivlen);
922                         gctx->iv_gen = 1;
923                         return 1;
924                         }
925                 /* Fixed field must be at least 4 bytes and invocation field
926                  * at least 8.
927                  */
928                 if ((arg < 4) || (gctx->ivlen - arg) < 8)
929                         return 0;
930                 if (arg)
931                         memcpy(gctx->iv, ptr, arg);
932                 if (c->encrypt &&
933                         RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
934                         return 0;
935                 gctx->iv_gen = 1;
936                 return 1;
937
938         case EVP_CTRL_GCM_IV_GEN:
939                 if (gctx->iv_gen == 0 || gctx->key_set == 0)
940                         return 0;
941                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
942                 if (arg <= 0 || arg > gctx->ivlen)
943                         arg = gctx->ivlen;
944                 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
945                 /* Invocation field will be at least 8 bytes in size and
946                  * so no need to check wrap around or increment more than
947                  * last 8 bytes.
948                  */
949                 ctr64_inc(gctx->iv + gctx->ivlen - 8);
950                 gctx->iv_set = 1;
951                 return 1;
952
953         case EVP_CTRL_GCM_SET_IV_INV:
954                 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
955                         return 0;
956                 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
957                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
958                 gctx->iv_set = 1;
959                 return 1;
960
961         case EVP_CTRL_AEAD_TLS1_AAD:
962                 /* Save the AAD for later use */
963                 if (arg != 13)
964                         return 0;
965                 memcpy(c->buf, ptr, arg);
966                 gctx->tls_aad_len = arg;
967                         {
968                         unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
969                         /* Correct length for explicit IV */
970                         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
971                         /* If decrypting correct for tag too */
972                         if (!c->encrypt)
973                                 len -= EVP_GCM_TLS_TAG_LEN;
974                         c->buf[arg-2] = len>>8;
975                         c->buf[arg-1] = len & 0xff;
976                         }
977                 /* Extra padding: tag appended to record */
978                 return EVP_GCM_TLS_TAG_LEN;
979
980         default:
981                 return -1;
982
983                 }
984         }
985
986 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
987                         const unsigned char *iv, int enc)
988         {
989         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
990         if (!iv && !key)
991                 return 1;
992         if (key)
993                 { do {
994 #ifdef VPAES_CAPABLE
995                 if (VPAES_CAPABLE)
996                         {
997                         vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
998                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
999                                         (block128_f)vpaes_encrypt);
1000                         break;
1001                         }
1002 #endif
1003                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
1004                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
1005                 } while (0);
1006
1007                 /* If we have an iv can set it directly, otherwise use
1008                  * saved IV.
1009                  */
1010                 if (iv == NULL && gctx->iv_set)
1011                         iv = gctx->iv;
1012                 if (iv)
1013                         {
1014                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1015                         gctx->iv_set = 1;
1016                         }
1017                 gctx->key_set = 1;
1018                 }
1019         else
1020                 {
1021                 /* If key set use IV, otherwise copy */
1022                 if (gctx->key_set)
1023                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1024                 else
1025                         memcpy(gctx->iv, iv, gctx->ivlen);
1026                 gctx->iv_set = 1;
1027                 gctx->iv_gen = 0;
1028                 }
1029         return 1;
1030         }
1031
1032 /* Handle TLS GCM packet format. This consists of the last portion of the IV
1033  * followed by the payload and finally the tag. On encrypt generate IV,
1034  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1035  * and verify tag.
1036  */
1037
1038 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1039                 const unsigned char *in, size_t len)
1040         {
1041         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1042         int rv = -1;
1043         /* Encrypt/decrypt must be performed in place */
1044         if (out != in)
1045                 return -1;
1046         /* Set IV from start of buffer or generate IV and write to start
1047          * of buffer.
1048          */
1049         if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1050                                 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1051                                 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1052                 goto err;
1053         /* Use saved AAD */
1054         if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1055                 goto err;
1056         /* Fix buffer and length to point to payload */
1057         in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1058         out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1059         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1060         if (ctx->encrypt)
1061                 {
1062                 /* Encrypt payload */
1063                 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1064                         goto err;
1065                 out += len;
1066                 /* Finally write tag */
1067                 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1068                 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1069                 }
1070         else
1071                 {
1072                 /* Decrypt */
1073                 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1074                         goto err;
1075                 /* Retrieve tag */
1076                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
1077                                         EVP_GCM_TLS_TAG_LEN);
1078                 /* If tag mismatch wipe buffer */
1079                 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
1080                         {
1081                         OPENSSL_cleanse(out, len);
1082                         goto err;
1083                         }
1084                 rv = len;
1085                 }
1086
1087         err:
1088         gctx->iv_set = 0;
1089         gctx->tls_aad_len = -1;
1090         return rv;
1091         }
1092
1093 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1094                 const unsigned char *in, size_t len)
1095         {
1096         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1097         /* If not set up, return error */
1098         if (!gctx->key_set)
1099                 return -1;
1100
1101         if (gctx->tls_aad_len >= 0)
1102                 return aes_gcm_tls_cipher(ctx, out, in, len);
1103
1104         if (!gctx->iv_set)
1105                 return -1;
1106         if (!ctx->encrypt && gctx->taglen < 0)
1107                 return -1;
1108         if (in)
1109                 {
1110                 if (out == NULL)
1111                         {
1112                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1113                                 return -1;
1114                         }
1115                 else if (ctx->encrypt)
1116                         {
1117                         if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1118                                 return -1;
1119                         }
1120                 else
1121                         {
1122                         if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1123                                 return -1;
1124                         }
1125                 return len;
1126                 }
1127         else
1128                 {
1129                 if (!ctx->encrypt)
1130                         {
1131                         if (CRYPTO_gcm128_finish(&gctx->gcm,
1132                                         ctx->buf, gctx->taglen) != 0)
1133                                 return -1;
1134                         gctx->iv_set = 0;
1135                         return 0;
1136                         }
1137                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1138                 gctx->taglen = 16;
1139                 /* Don't reuse the IV */
1140                 gctx->iv_set = 0;
1141                 return 0;
1142                 }
1143
1144         }
1145
1146 #define CUSTOM_FLAGS    (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1147                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1148                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1149
1150 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1151                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1152 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1153                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1154 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1155                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1156
1157 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1158         {
1159         EVP_AES_XTS_CTX *xctx = c->cipher_data;
1160         if (type != EVP_CTRL_INIT)
1161                 return -1;
1162         /* key1 and key2 are used as an indicator both key and IV are set */
1163         xctx->xts.key1 = NULL;
1164         xctx->xts.key2 = NULL;
1165         return 1;
1166         }
1167
1168 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1169                         const unsigned char *iv, int enc)
1170         {
1171         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1172         if (!iv && !key)
1173                 return 1;
1174
1175         if (key) do
1176                 {
1177                 /* key_len is two AES keys */
1178 #ifdef VPAES_CAPABLE
1179                 if (VPAES_CAPABLE)
1180                     {
1181                     if (enc)
1182                         {
1183                         vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1184                         xctx->xts.block1 = (block128_f)vpaes_encrypt;
1185                         }
1186                     else
1187                         {
1188                         vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1189                         xctx->xts.block1 = (block128_f)vpaes_decrypt;
1190                         }
1191
1192                 vpaes_set_encrypt_key(key + ctx->key_len/2,
1193                                                 ctx->key_len * 4, &xctx->ks2);
1194                 xctx->xts.block2 = (block128_f)vpaes_encrypt;
1195
1196                 xctx->xts.key1 = &xctx->ks1;
1197                 break;
1198                 }
1199 #endif
1200                 if (enc)
1201                         {
1202                         AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1203                         xctx->xts.block1 = (block128_f)AES_encrypt;
1204                         }
1205                 else
1206                         {
1207                         AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1208                         xctx->xts.block1 = (block128_f)AES_decrypt;
1209                         }
1210
1211                 AES_set_encrypt_key(key + ctx->key_len/2,
1212                                                 ctx->key_len * 4, &xctx->ks2);
1213                 xctx->xts.block2 = (block128_f)AES_encrypt;
1214
1215                 xctx->xts.key1 = &xctx->ks1;
1216                 } while (0);
1217
1218         if (iv)
1219                 {
1220                 xctx->xts.key2 = &xctx->ks2;
1221                 memcpy(ctx->iv, iv, 16);
1222                 }
1223
1224         return 1;
1225         }
1226
1227 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1228                 const unsigned char *in, size_t len)
1229         {
1230         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1231         if (!xctx->xts.key1 || !xctx->xts.key2)
1232                 return -1;
1233         if (!out || !in)
1234                 return -1;
1235 #ifdef OPENSSL_FIPS
1236         /* Requirement of SP800-38E */
1237         if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1238                         (len > (1L<<20)*16))
1239                 {
1240                 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1241                 return -1;
1242                 }
1243 #endif
1244         if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1245                                                                 ctx->encrypt))
1246                 return -1;
1247         return len;
1248         }
1249
1250 #define aes_xts_cleanup NULL
1251
1252 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1253 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1254
1255 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1256         {
1257         EVP_AES_CCM_CTX *cctx = c->cipher_data;
1258         switch (type)
1259                 {
1260         case EVP_CTRL_INIT:
1261                 cctx->key_set = 0;
1262                 cctx->iv_set = 0;
1263                 cctx->L = 8;
1264                 cctx->M = 12;
1265                 cctx->tag_set = 0;
1266                 cctx->len_set = 0;
1267                 return 1;
1268
1269         case EVP_CTRL_CCM_SET_IVLEN:
1270                 arg = 15 - arg;
1271         case EVP_CTRL_CCM_SET_L:
1272                 if (arg < 2 || arg > 8)
1273                         return 0;
1274                 cctx->L = arg;
1275                 return 1;
1276
1277         case EVP_CTRL_CCM_SET_TAG:
1278                 if ((arg & 1) || arg < 4 || arg > 16)
1279                         return 0;
1280                 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1281                         return 0;
1282                 if (ptr)
1283                         {
1284                         cctx->tag_set = 1;
1285                         memcpy(c->buf, ptr, arg);
1286                         }
1287                 cctx->M = arg;
1288                 return 1;
1289
1290         case EVP_CTRL_CCM_GET_TAG:
1291                 if (!c->encrypt || !cctx->tag_set)
1292                         return 0;
1293                 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1294                         return 0;
1295                 cctx->tag_set = 0;
1296                 cctx->iv_set = 0;
1297                 cctx->len_set = 0;
1298                 return 1;
1299
1300         default:
1301                 return -1;
1302
1303                 }
1304         }
1305
1306 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1307                         const unsigned char *iv, int enc)
1308         {
1309         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1310         if (!iv && !key)
1311                 return 1;
1312         if (key) do
1313                 {
1314 #ifdef VPAES_CAPABLE
1315                 if (VPAES_CAPABLE)
1316                         {
1317                         vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
1318                         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1319                                         &cctx->ks, (block128_f)vpaes_encrypt);
1320                         cctx->key_set = 1;
1321                         break;
1322                         }
1323 #endif
1324                 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
1325                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1326                                         &cctx->ks, (block128_f)AES_encrypt);
1327                 cctx->key_set = 1;
1328                 } while (0);
1329         if (iv)
1330                 {
1331                 memcpy(ctx->iv, iv, 15 - cctx->L);
1332                 cctx->iv_set = 1;
1333                 }
1334         return 1;
1335         }
1336
1337 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1338                 const unsigned char *in, size_t len)
1339         {
1340         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1341         CCM128_CONTEXT *ccm = &cctx->ccm;
1342         /* If not set up, return error */
1343         if (!cctx->iv_set && !cctx->key_set)
1344                 return -1;
1345         if (!ctx->encrypt && !cctx->tag_set)
1346                 return -1;
1347         if (!out)
1348                 {
1349                 if (!in)
1350                         {
1351                         if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
1352                                 return -1;
1353                         cctx->len_set = 1;
1354                         return len;
1355                         }
1356                 /* If have AAD need message length */
1357                 if (!cctx->len_set && len)
1358                         return -1;
1359                 CRYPTO_ccm128_aad(ccm, in, len);
1360                 return len;
1361                 }
1362         /* EVP_*Final() doesn't return any data */
1363         if (!in)
1364                 return 0;
1365         /* If not set length yet do it */
1366         if (!cctx->len_set)
1367                 {
1368                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1369                         return -1;
1370                 cctx->len_set = 1;
1371                 }
1372         if (ctx->encrypt)
1373                 {
1374                 if (CRYPTO_ccm128_encrypt(ccm, in, out, len))
1375                         return -1;
1376                 cctx->tag_set = 1;
1377                 return len;
1378                 }
1379         else
1380                 {
1381                 int rv = -1;
1382                 if (!CRYPTO_ccm128_decrypt(ccm, in, out, len))
1383                         {
1384                         unsigned char tag[16];
1385                         if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
1386                                 {
1387                                 if (!memcmp(tag, ctx->buf, cctx->M))
1388                                         rv = len;
1389                                 }
1390                         }
1391                 if (rv == -1)
1392                         OPENSSL_cleanse(out, len);
1393                 cctx->iv_set = 0;
1394                 cctx->tag_set = 0;
1395                 cctx->len_set = 0;
1396                 return rv;
1397                 }
1398
1399         }
1400
1401 #define aes_ccm_cleanup NULL
1402
1403 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1404 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1405 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1406
1407 #endif