bsaes-armv7.pl: remove partial register operations in CTR subroutine.
[openssl.git] / crypto / evp / e_aes.c
1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer. 
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50
51 #define OPENSSL_FIPSAPI
52
53 #include <openssl/opensslconf.h>
54 #ifndef OPENSSL_NO_AES
55 #include <openssl/evp.h>
56 #include <openssl/err.h>
57 #include <string.h>
58 #include <assert.h>
59 #include <openssl/aes.h>
60 #include "evp_locl.h"
61 #include "modes_lcl.h"
62 #include <openssl/rand.h>
63
64 typedef struct
65         {
66         union { double align; AES_KEY ks; } ks;
67         block128_f block;
68         union {
69                 cbc128_f cbc;
70                 ctr128_f ctr;
71         } stream;
72         } EVP_AES_KEY;
73
74 typedef struct
75         {
76         union { double align; AES_KEY ks; } ks; /* AES key schedule to use */
77         int key_set;            /* Set if key initialised */
78         int iv_set;             /* Set if an iv is set */
79         GCM128_CONTEXT gcm;
80         unsigned char *iv;      /* Temporary IV store */
81         int ivlen;              /* IV length */
82         int taglen;
83         int iv_gen;             /* It is OK to generate IVs */
84         int tls_aad_len;        /* TLS AAD length */
85         ctr128_f ctr;
86         } EVP_AES_GCM_CTX;
87
88 typedef struct
89         {
90         union { double align; AES_KEY ks; } ks1, ks2;   /* AES key schedules to use */
91         XTS128_CONTEXT xts;
92         void     (*stream)(const unsigned char *in,
93                         unsigned char *out, size_t length,
94                         const AES_KEY *key1, const AES_KEY *key2,
95                         const unsigned char iv[16]);
96         } EVP_AES_XTS_CTX;
97
98 typedef struct
99         {
100         union { double align; AES_KEY ks; } ks; /* AES key schedule to use */
101         int key_set;            /* Set if key initialised */
102         int iv_set;             /* Set if an iv is set */
103         int tag_set;            /* Set if tag is valid */
104         int len_set;            /* Set if message length set */
105         int L, M;               /* L and M parameters from RFC3610 */
106         CCM128_CONTEXT ccm;
107         ccm128_f str;
108         } EVP_AES_CCM_CTX;
109
110 #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
111
112 #ifdef VPAES_ASM
113 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
114                         AES_KEY *key);
115 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
116                         AES_KEY *key);
117
118 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
119                         const AES_KEY *key);
120 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
121                         const AES_KEY *key);
122
123 void vpaes_cbc_encrypt(const unsigned char *in,
124                         unsigned char *out,
125                         size_t length,
126                         const AES_KEY *key,
127                         unsigned char *ivec, int enc);
128 #endif
129 #ifdef BSAES_ASM
130 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
131                         size_t length, const AES_KEY *key,
132                         unsigned char ivec[16], int enc);
133 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
134                         size_t len, const AES_KEY *key,
135                         const unsigned char ivec[16]);
136 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
137                         size_t len, const AES_KEY *key1,
138                         const AES_KEY *key2, const unsigned char iv[16]);
139 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
140                         size_t len, const AES_KEY *key1,
141                         const AES_KEY *key2, const unsigned char iv[16]);
142 #endif
143 #ifdef AES_CTR_ASM
144 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
145                         size_t blocks, const AES_KEY *key,
146                         const unsigned char ivec[AES_BLOCK_SIZE]);
147 #endif
148 #ifdef AES_XTS_ASM
149 void AES_xts_encrypt(const char *inp,char *out,size_t len,
150                         const AES_KEY *key1, const AES_KEY *key2,
151                         const unsigned char iv[16]);
152 void AES_xts_decrypt(const char *inp,char *out,size_t len,
153                         const AES_KEY *key1, const AES_KEY *key2,
154                         const unsigned char iv[16]);
155 #endif
156
157 #if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
158         ((defined(__i386)       || defined(__i386__)    || \
159           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
160         defined(__x86_64)       || defined(__x86_64__)  || \
161         defined(_M_AMD64)       || defined(_M_X64)      || \
162         defined(__INTEL__)                              )
163
164 extern unsigned int OPENSSL_ia32cap_P[];
165
166 #ifdef VPAES_ASM
167 #define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
168 #endif
169 #ifdef BSAES_ASM
170 #define BSAES_CAPABLE   VPAES_CAPABLE
171 #endif
172 /*
173  * AES-NI section
174  */
175 #define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
176
177 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
178                         AES_KEY *key);
179 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
180                         AES_KEY *key);
181
182 void aesni_encrypt(const unsigned char *in, unsigned char *out,
183                         const AES_KEY *key);
184 void aesni_decrypt(const unsigned char *in, unsigned char *out,
185                         const AES_KEY *key);
186
187 void aesni_ecb_encrypt(const unsigned char *in,
188                         unsigned char *out,
189                         size_t length,
190                         const AES_KEY *key,
191                         int enc);
192 void aesni_cbc_encrypt(const unsigned char *in,
193                         unsigned char *out,
194                         size_t length,
195                         const AES_KEY *key,
196                         unsigned char *ivec, int enc);
197
198 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
199                         unsigned char *out,
200                         size_t blocks,
201                         const void *key,
202                         const unsigned char *ivec);
203
204 void aesni_xts_encrypt(const unsigned char *in,
205                         unsigned char *out,
206                         size_t length,
207                         const AES_KEY *key1, const AES_KEY *key2,
208                         const unsigned char iv[16]);
209
210 void aesni_xts_decrypt(const unsigned char *in,
211                         unsigned char *out,
212                         size_t length,
213                         const AES_KEY *key1, const AES_KEY *key2,
214                         const unsigned char iv[16]);
215
216 void aesni_ccm64_encrypt_blocks (const unsigned char *in,
217                         unsigned char *out,
218                         size_t blocks,
219                         const void *key,
220                         const unsigned char ivec[16],
221                         unsigned char cmac[16]);
222
223 void aesni_ccm64_decrypt_blocks (const unsigned char *in,
224                         unsigned char *out,
225                         size_t blocks,
226                         const void *key,
227                         const unsigned char ivec[16],
228                         unsigned char cmac[16]);
229
230 #if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
231 size_t aesni_gcm_encrypt(const unsigned char *in,
232                         unsigned char *out,
233                         size_t len,
234                         const void *key,
235                         unsigned char ivec[16],
236                         u64 *Xi);
237 #define AES_gcm_encrypt aesni_gcm_encrypt
238 size_t aesni_gcm_decrypt(const unsigned char *in,
239                         unsigned char *out,
240                         size_t len,
241                         const void *key,
242                         unsigned char ivec[16],
243                         u64 *Xi);
244 #define AES_gcm_decrypt aesni_gcm_decrypt
245 void gcm_ghash_avx(u64 Xi[2],const u128 Htable[16],const u8 *in,size_t len);
246 #define AES_GCM_ASM(gctx)       (gctx->ctr==aesni_ctr32_encrypt_blocks && \
247                                  gctx->gcm.ghash==gcm_ghash_avx)
248 #define AES_GCM_ASM2(gctx)      (gctx->gcm.block==(block128_f)aesni_encrypt && \
249                                  gctx->gcm.ghash==gcm_ghash_avx)
250 #undef AES_GCM_ASM2             /* minor size optimization */
251 #endif
252
253 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
254                    const unsigned char *iv, int enc)
255         {
256         int ret, mode;
257         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
258
259         mode = ctx->cipher->flags & EVP_CIPH_MODE;
260         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
261             && !enc)
262                 { 
263                 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
264                 dat->block      = (block128_f)aesni_decrypt;
265                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
266                                         (cbc128_f)aesni_cbc_encrypt :
267                                         NULL;
268                 }
269         else    {
270                 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
271                 dat->block      = (block128_f)aesni_encrypt;
272                 if (mode==EVP_CIPH_CBC_MODE)
273                         dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
274                 else if (mode==EVP_CIPH_CTR_MODE)
275                         dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
276                 else
277                         dat->stream.cbc = NULL;
278                 }
279
280         if(ret < 0)
281                 {
282                 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
283                 return 0;
284                 }
285
286         return 1;
287         }
288
289 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
290         const unsigned char *in, size_t len)
291 {
292         aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
293
294         return 1;
295 }
296
297 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
298         const unsigned char *in, size_t len)
299 {
300         size_t  bl = ctx->cipher->block_size;
301
302         if (len<bl)     return 1;
303
304         aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
305
306         return 1;
307 }
308
309 #define aesni_ofb_cipher aes_ofb_cipher
310 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
311         const unsigned char *in,size_t len);
312
313 #define aesni_cfb_cipher aes_cfb_cipher
314 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
315         const unsigned char *in,size_t len);
316
317 #define aesni_cfb8_cipher aes_cfb8_cipher
318 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
319         const unsigned char *in,size_t len);
320
321 #define aesni_cfb1_cipher aes_cfb1_cipher
322 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
323         const unsigned char *in,size_t len);
324
325 #define aesni_ctr_cipher aes_ctr_cipher
326 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
327                 const unsigned char *in, size_t len);
328
329 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
330                         const unsigned char *iv, int enc)
331         {
332         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
333         if (!iv && !key)
334                 return 1;
335         if (key)
336                 {
337                 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
338                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
339                                 (block128_f)aesni_encrypt);
340                 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
341                 /* If we have an iv can set it directly, otherwise use
342                  * saved IV.
343                  */
344                 if (iv == NULL && gctx->iv_set)
345                         iv = gctx->iv;
346                 if (iv)
347                         {
348                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
349                         gctx->iv_set = 1;
350                         }
351                 gctx->key_set = 1;
352                 }
353         else
354                 {
355                 /* If key set use IV, otherwise copy */
356                 if (gctx->key_set)
357                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
358                 else
359                         memcpy(gctx->iv, iv, gctx->ivlen);
360                 gctx->iv_set = 1;
361                 gctx->iv_gen = 0;
362                 }
363         return 1;
364         }
365
366 #define aesni_gcm_cipher aes_gcm_cipher
367 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
368                 const unsigned char *in, size_t len);
369
370 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
371                         const unsigned char *iv, int enc)
372         {
373         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
374         if (!iv && !key)
375                 return 1;
376
377         if (key)
378                 {
379                 /* key_len is two AES keys */
380                 if (enc)
381                         {
382                         aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
383                         xctx->xts.block1 = (block128_f)aesni_encrypt;
384                         xctx->stream = aesni_xts_encrypt;
385                         }
386                 else
387                         {
388                         aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
389                         xctx->xts.block1 = (block128_f)aesni_decrypt;
390                         xctx->stream = aesni_xts_decrypt;
391                         }
392
393                 aesni_set_encrypt_key(key + ctx->key_len/2,
394                                                 ctx->key_len * 4, &xctx->ks2.ks);
395                 xctx->xts.block2 = (block128_f)aesni_encrypt;
396
397                 xctx->xts.key1 = &xctx->ks1;
398                 }
399
400         if (iv)
401                 {
402                 xctx->xts.key2 = &xctx->ks2;
403                 memcpy(ctx->iv, iv, 16);
404                 }
405
406         return 1;
407         }
408
409 #define aesni_xts_cipher aes_xts_cipher
410 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
411                 const unsigned char *in, size_t len);
412
413 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
414                         const unsigned char *iv, int enc)
415         {
416         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
417         if (!iv && !key)
418                 return 1;
419         if (key)
420                 {
421                 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
422                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
423                                         &cctx->ks, (block128_f)aesni_encrypt);
424                 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks :
425                                 (ccm128_f)aesni_ccm64_decrypt_blocks;
426                 cctx->key_set = 1;
427                 }
428         if (iv)
429                 {
430                 memcpy(ctx->iv, iv, 15 - cctx->L);
431                 cctx->iv_set = 1;
432                 }
433         return 1;
434         }
435
436 #define aesni_ccm_cipher aes_ccm_cipher
437 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
438                 const unsigned char *in, size_t len);
439
440 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
441 static const EVP_CIPHER aesni_##keylen##_##mode = { \
442         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
443         flags|EVP_CIPH_##MODE##_MODE,   \
444         aesni_init_key,                 \
445         aesni_##mode##_cipher,          \
446         NULL,                           \
447         sizeof(EVP_AES_KEY),            \
448         NULL,NULL,NULL,NULL }; \
449 static const EVP_CIPHER aes_##keylen##_##mode = { \
450         nid##_##keylen##_##nmode,blocksize,     \
451         keylen/8,ivlen, \
452         flags|EVP_CIPH_##MODE##_MODE,   \
453         aes_init_key,                   \
454         aes_##mode##_cipher,            \
455         NULL,                           \
456         sizeof(EVP_AES_KEY),            \
457         NULL,NULL,NULL,NULL }; \
458 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
459 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
460
461 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
462 static const EVP_CIPHER aesni_##keylen##_##mode = { \
463         nid##_##keylen##_##mode,blocksize, \
464         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
465         flags|EVP_CIPH_##MODE##_MODE,   \
466         aesni_##mode##_init_key,        \
467         aesni_##mode##_cipher,          \
468         aes_##mode##_cleanup,           \
469         sizeof(EVP_AES_##MODE##_CTX),   \
470         NULL,NULL,aes_##mode##_ctrl,NULL }; \
471 static const EVP_CIPHER aes_##keylen##_##mode = { \
472         nid##_##keylen##_##mode,blocksize, \
473         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
474         flags|EVP_CIPH_##MODE##_MODE,   \
475         aes_##mode##_init_key,          \
476         aes_##mode##_cipher,            \
477         aes_##mode##_cleanup,           \
478         sizeof(EVP_AES_##MODE##_CTX),   \
479         NULL,NULL,aes_##mode##_ctrl,NULL }; \
480 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
481 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
482
483 #elif   defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
484
485 #include "sparc_arch.h"
486
487 extern unsigned int OPENSSL_sparcv9cap_P[];
488
489 #define SPARC_AES_CAPABLE       (OPENSSL_sparcv9cap_P[1] & CFR_AES)
490
491 void    aes_t4_set_encrypt_key (const unsigned char *key, int bits,
492                                 AES_KEY *ks);
493 void    aes_t4_set_decrypt_key (const unsigned char *key, int bits,
494                                 AES_KEY *ks);
495 void    aes_t4_encrypt (const unsigned char *in, unsigned char *out,
496                                 const AES_KEY *key);
497 void    aes_t4_decrypt (const unsigned char *in, unsigned char *out,
498                                 const AES_KEY *key);
499 /*
500  * Key-length specific subroutines were chosen for following reason.
501  * Each SPARC T4 core can execute up to 8 threads which share core's
502  * resources. Loading as much key material to registers allows to
503  * minimize references to shared memory interface, as well as amount
504  * of instructions in inner loops [much needed on T4]. But then having
505  * non-key-length specific routines would require conditional branches
506  * either in inner loops or on subroutines' entries. Former is hardly
507  * acceptable, while latter means code size increase to size occupied
508  * by multiple key-length specfic subroutines, so why fight?
509  */
510 void    aes128_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
511                                 size_t len, const AES_KEY *key,
512                                 unsigned char *ivec);
513 void    aes128_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
514                                 size_t len, const AES_KEY *key,
515                                 unsigned char *ivec);
516 void    aes192_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
517                                 size_t len, const AES_KEY *key,
518                                 unsigned char *ivec);
519 void    aes192_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
520                                 size_t len, const AES_KEY *key,
521                                 unsigned char *ivec);
522 void    aes256_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
523                                 size_t len, const AES_KEY *key,
524                                 unsigned char *ivec);
525 void    aes256_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
526                                 size_t len, const AES_KEY *key,
527                                 unsigned char *ivec);
528 void    aes128_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
529                                 size_t blocks, const AES_KEY *key,
530                                 unsigned char *ivec);
531 void    aes192_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
532                                 size_t blocks, const AES_KEY *key,
533                                 unsigned char *ivec);
534 void    aes256_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
535                                 size_t blocks, const AES_KEY *key,
536                                 unsigned char *ivec);
537 void    aes128_t4_xts_encrypt (const unsigned char *in, unsigned char *out,
538                                 size_t blocks, const AES_KEY *key1,
539                                 const AES_KEY *key2, const unsigned char *ivec);
540 void    aes128_t4_xts_decrypt (const unsigned char *in, unsigned char *out,
541                                 size_t blocks, const AES_KEY *key1,
542                                 const AES_KEY *key2, const unsigned char *ivec);
543 void    aes256_t4_xts_encrypt (const unsigned char *in, unsigned char *out,
544                                 size_t blocks, const AES_KEY *key1,
545                                 const AES_KEY *key2, const unsigned char *ivec);
546 void    aes256_t4_xts_decrypt (const unsigned char *in, unsigned char *out,
547                                 size_t blocks, const AES_KEY *key1,
548                                 const AES_KEY *key2, const unsigned char *ivec);
549
550 static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
551                    const unsigned char *iv, int enc)
552         {
553         int ret, mode, bits;
554         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
555
556         mode = ctx->cipher->flags & EVP_CIPH_MODE;
557         bits = ctx->key_len*8;
558         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
559             && !enc)
560                 {
561                     ret = 0;
562                     aes_t4_set_decrypt_key(key, bits, ctx->cipher_data);
563                     dat->block  = (block128_f)aes_t4_decrypt;
564                     switch (bits) {
565                     case 128:
566                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
567                                                 (cbc128_f)aes128_t4_cbc_decrypt :
568                                                 NULL;
569                         break;
570                     case 192:
571                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
572                                                 (cbc128_f)aes192_t4_cbc_decrypt :
573                                                 NULL;
574                         break;
575                     case 256:
576                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
577                                                 (cbc128_f)aes256_t4_cbc_decrypt :
578                                                 NULL;
579                         break;
580                     default:
581                         ret = -1;
582                     }
583                 }
584         else    {
585                     ret = 0;
586                     aes_t4_set_encrypt_key(key, bits, ctx->cipher_data);
587                     dat->block  = (block128_f)aes_t4_encrypt;
588                     switch (bits) {
589                     case 128:
590                         if (mode==EVP_CIPH_CBC_MODE)
591                                 dat->stream.cbc = (cbc128_f)aes128_t4_cbc_encrypt;
592                         else if (mode==EVP_CIPH_CTR_MODE)
593                                 dat->stream.ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
594                         else
595                                 dat->stream.cbc = NULL;
596                         break;
597                     case 192:
598                         if (mode==EVP_CIPH_CBC_MODE)
599                                 dat->stream.cbc = (cbc128_f)aes192_t4_cbc_encrypt;
600                         else if (mode==EVP_CIPH_CTR_MODE)
601                                 dat->stream.ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
602                         else
603                                 dat->stream.cbc = NULL;
604                         break;
605                     case 256:
606                         if (mode==EVP_CIPH_CBC_MODE)
607                                 dat->stream.cbc = (cbc128_f)aes256_t4_cbc_encrypt;
608                         else if (mode==EVP_CIPH_CTR_MODE)
609                                 dat->stream.ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
610                         else
611                                 dat->stream.cbc = NULL;
612                         break;
613                     default:
614                         ret = -1;
615                     }
616                 }
617
618         if(ret < 0)
619                 {
620                 EVPerr(EVP_F_AES_T4_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
621                 return 0;
622                 }
623
624         return 1;
625         }
626
627 #define aes_t4_cbc_cipher aes_cbc_cipher
628 static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
629         const unsigned char *in, size_t len);
630
631 #define aes_t4_ecb_cipher aes_ecb_cipher 
632 static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
633         const unsigned char *in, size_t len);
634
635 #define aes_t4_ofb_cipher aes_ofb_cipher
636 static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
637         const unsigned char *in,size_t len);
638
639 #define aes_t4_cfb_cipher aes_cfb_cipher
640 static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
641         const unsigned char *in,size_t len);
642
643 #define aes_t4_cfb8_cipher aes_cfb8_cipher
644 static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
645         const unsigned char *in,size_t len);
646
647 #define aes_t4_cfb1_cipher aes_cfb1_cipher
648 static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
649         const unsigned char *in,size_t len);
650
651 #define aes_t4_ctr_cipher aes_ctr_cipher
652 static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
653                 const unsigned char *in, size_t len);
654
655 static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
656                         const unsigned char *iv, int enc)
657         {
658         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
659         if (!iv && !key)
660                 return 1;
661         if (key)
662                 {
663                 int bits = ctx->key_len * 8;
664                 aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
665                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
666                                 (block128_f)aes_t4_encrypt);
667                 switch (bits) {
668                     case 128:
669                         gctx->ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
670                         break;
671                     case 192:
672                         gctx->ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
673                         break;
674                     case 256:
675                         gctx->ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
676                         break;
677                     default:
678                         return 0;
679                 }
680                 /* If we have an iv can set it directly, otherwise use
681                  * saved IV.
682                  */
683                 if (iv == NULL && gctx->iv_set)
684                         iv = gctx->iv;
685                 if (iv)
686                         {
687                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
688                         gctx->iv_set = 1;
689                         }
690                 gctx->key_set = 1;
691                 }
692         else
693                 {
694                 /* If key set use IV, otherwise copy */
695                 if (gctx->key_set)
696                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
697                 else
698                         memcpy(gctx->iv, iv, gctx->ivlen);
699                 gctx->iv_set = 1;
700                 gctx->iv_gen = 0;
701                 }
702         return 1;
703         }
704
705 #define aes_t4_gcm_cipher aes_gcm_cipher
706 static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
707                 const unsigned char *in, size_t len);
708
709 static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
710                         const unsigned char *iv, int enc)
711         {
712         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
713         if (!iv && !key)
714                 return 1;
715
716         if (key)
717                 {
718                 int bits = ctx->key_len * 4;
719                 xctx->stream = NULL;
720                 /* key_len is two AES keys */
721                 if (enc)
722                         {
723                         aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
724                         xctx->xts.block1 = (block128_f)aes_t4_encrypt;
725                         switch (bits) {
726                             case 128:
727                                 xctx->stream = aes128_t4_xts_encrypt;
728                                 break;
729 #if 0 /* not yet */
730                             case 192:
731                                 xctx->stream = aes192_t4_xts_encrypt;
732                                 break;
733 #endif
734                             case 256:
735                                 xctx->stream = aes256_t4_xts_encrypt;
736                                 break;
737                             default:
738                                 return 0;
739                             }
740                         }
741                 else
742                         {
743                         aes_t4_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
744                         xctx->xts.block1 = (block128_f)aes_t4_decrypt;
745                         switch (bits) {
746                             case 128:
747                                 xctx->stream = aes128_t4_xts_decrypt;
748                                 break;
749 #if 0 /* not yet */
750                             case 192:
751                                 xctx->stream = aes192_t4_xts_decrypt;
752                                 break;
753 #endif
754                             case 256:
755                                 xctx->stream = aes256_t4_xts_decrypt;
756                                 break;
757                             default:
758                                 return 0;
759                             }
760                         }
761
762                 aes_t4_set_encrypt_key(key + ctx->key_len/2,
763                                                 ctx->key_len * 4, &xctx->ks2.ks);
764                 xctx->xts.block2 = (block128_f)aes_t4_encrypt;
765
766                 xctx->xts.key1 = &xctx->ks1;
767                 }
768
769         if (iv)
770                 {
771                 xctx->xts.key2 = &xctx->ks2;
772                 memcpy(ctx->iv, iv, 16);
773                 }
774
775         return 1;
776         }
777
778 #define aes_t4_xts_cipher aes_xts_cipher
779 static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
780                 const unsigned char *in, size_t len);
781
782 static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
783                         const unsigned char *iv, int enc)
784         {
785         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
786         if (!iv && !key)
787                 return 1;
788         if (key)
789                 {
790                 int bits = ctx->key_len * 8;
791                 aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
792                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
793                                         &cctx->ks, (block128_f)aes_t4_encrypt);
794 #if 0 /* not yet */
795                 switch (bits) {
796                     case 128:
797                         cctx->str = enc?(ccm128_f)aes128_t4_ccm64_encrypt :
798                                 (ccm128_f)ae128_t4_ccm64_decrypt;
799                         break;
800                     case 192:
801                         cctx->str = enc?(ccm128_f)aes192_t4_ccm64_encrypt :
802                                 (ccm128_f)ae192_t4_ccm64_decrypt;
803                         break;
804                     case 256:
805                         cctx->str = enc?(ccm128_f)aes256_t4_ccm64_encrypt :
806                                 (ccm128_f)ae256_t4_ccm64_decrypt;
807                         break;
808                     default:
809                         return 0;
810                     }
811 #endif
812                 cctx->key_set = 1;
813                 }
814         if (iv)
815                 {
816                 memcpy(ctx->iv, iv, 15 - cctx->L);
817                 cctx->iv_set = 1;
818                 }
819         return 1;
820         }
821
822 #define aes_t4_ccm_cipher aes_ccm_cipher
823 static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
824                 const unsigned char *in, size_t len);
825
826 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
827 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
828         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
829         flags|EVP_CIPH_##MODE##_MODE,   \
830         aes_t4_init_key,                \
831         aes_t4_##mode##_cipher,         \
832         NULL,                           \
833         sizeof(EVP_AES_KEY),            \
834         NULL,NULL,NULL,NULL }; \
835 static const EVP_CIPHER aes_##keylen##_##mode = { \
836         nid##_##keylen##_##nmode,blocksize,     \
837         keylen/8,ivlen, \
838         flags|EVP_CIPH_##MODE##_MODE,   \
839         aes_init_key,                   \
840         aes_##mode##_cipher,            \
841         NULL,                           \
842         sizeof(EVP_AES_KEY),            \
843         NULL,NULL,NULL,NULL }; \
844 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
845 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
846
847 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
848 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
849         nid##_##keylen##_##mode,blocksize, \
850         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
851         flags|EVP_CIPH_##MODE##_MODE,   \
852         aes_t4_##mode##_init_key,       \
853         aes_t4_##mode##_cipher,         \
854         aes_##mode##_cleanup,           \
855         sizeof(EVP_AES_##MODE##_CTX),   \
856         NULL,NULL,aes_##mode##_ctrl,NULL }; \
857 static const EVP_CIPHER aes_##keylen##_##mode = { \
858         nid##_##keylen##_##mode,blocksize, \
859         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
860         flags|EVP_CIPH_##MODE##_MODE,   \
861         aes_##mode##_init_key,          \
862         aes_##mode##_cipher,            \
863         aes_##mode##_cleanup,           \
864         sizeof(EVP_AES_##MODE##_CTX),   \
865         NULL,NULL,aes_##mode##_ctrl,NULL }; \
866 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
867 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
868
869 #else
870
871 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
872 static const EVP_CIPHER aes_##keylen##_##mode = { \
873         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
874         flags|EVP_CIPH_##MODE##_MODE,   \
875         aes_init_key,                   \
876         aes_##mode##_cipher,            \
877         NULL,                           \
878         sizeof(EVP_AES_KEY),            \
879         NULL,NULL,NULL,NULL }; \
880 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
881 { return &aes_##keylen##_##mode; }
882
883 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
884 static const EVP_CIPHER aes_##keylen##_##mode = { \
885         nid##_##keylen##_##mode,blocksize, \
886         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
887         flags|EVP_CIPH_##MODE##_MODE,   \
888         aes_##mode##_init_key,          \
889         aes_##mode##_cipher,            \
890         aes_##mode##_cleanup,           \
891         sizeof(EVP_AES_##MODE##_CTX),   \
892         NULL,NULL,aes_##mode##_ctrl,NULL }; \
893 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
894 { return &aes_##keylen##_##mode; }
895
896 #endif
897
898 #if defined(AES_ASM) && defined(BSAES_ASM) && (defined(__arm__) || defined(__arm))
899 #include "arm_arch.h"
900 #if __ARM_ARCH__>=7
901 #define BSAES_CAPABLE   (OPENSSL_armcap_P & ARMV7_NEON)
902 #endif
903 #endif
904
905 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
906         BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
907         BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
908         BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
909         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
910         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
911         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
912         BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
913
914 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
915                    const unsigned char *iv, int enc)
916         {
917         int ret, mode;
918         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
919
920         mode = ctx->cipher->flags & EVP_CIPH_MODE;
921         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
922             && !enc)
923 #ifdef BSAES_CAPABLE
924             if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE)
925                 {
926                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
927                 dat->block      = (block128_f)AES_decrypt;
928                 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
929                 }
930             else
931 #endif
932 #ifdef VPAES_CAPABLE
933             if (VPAES_CAPABLE)
934                 {
935                 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
936                 dat->block      = (block128_f)vpaes_decrypt;
937                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
938                                         (cbc128_f)vpaes_cbc_encrypt :
939                                         NULL;
940                 }
941             else
942 #endif
943                 {
944                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
945                 dat->block      = (block128_f)AES_decrypt;
946                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
947                                         (cbc128_f)AES_cbc_encrypt :
948                                         NULL;
949                 }
950         else
951 #ifdef BSAES_CAPABLE
952             if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE)
953                 {
954                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
955                 dat->block      = (block128_f)AES_encrypt;
956                 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
957                 }
958             else
959 #endif
960 #ifdef VPAES_CAPABLE
961             if (VPAES_CAPABLE)
962                 {
963                 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
964                 dat->block      = (block128_f)vpaes_encrypt;
965                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
966                                         (cbc128_f)vpaes_cbc_encrypt :
967                                         NULL;
968                 }
969             else
970 #endif
971                 {
972                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
973                 dat->block      = (block128_f)AES_encrypt;
974                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
975                                         (cbc128_f)AES_cbc_encrypt :
976                                         NULL;
977 #ifdef AES_CTR_ASM
978                 if (mode==EVP_CIPH_CTR_MODE)
979                         dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
980 #endif
981                 }
982
983         if(ret < 0)
984                 {
985                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
986                 return 0;
987                 }
988
989         return 1;
990         }
991
992 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
993         const unsigned char *in, size_t len)
994 {
995         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
996
997         if (dat->stream.cbc)
998                 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
999         else if (ctx->encrypt)
1000                 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
1001         else
1002                 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
1003
1004         return 1;
1005 }
1006
1007 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1008         const unsigned char *in, size_t len)
1009 {
1010         size_t  bl = ctx->cipher->block_size;
1011         size_t  i;
1012         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1013
1014         if (len<bl)     return 1;
1015
1016         for (i=0,len-=bl;i<=len;i+=bl)
1017                 (*dat->block)(in+i,out+i,&dat->ks);
1018
1019         return 1;
1020 }
1021
1022 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1023         const unsigned char *in,size_t len)
1024 {
1025         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1026
1027         CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
1028                         ctx->iv,&ctx->num,dat->block);
1029         return 1;
1030 }
1031
1032 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1033         const unsigned char *in,size_t len)
1034 {
1035         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1036
1037         CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
1038                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1039         return 1;
1040 }
1041
1042 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1043         const unsigned char *in,size_t len)
1044 {
1045         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1046
1047         CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
1048                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1049         return 1;
1050 }
1051
1052 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1053         const unsigned char *in,size_t len)
1054 {
1055         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1056
1057         if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
1058                 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
1059                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1060                 return 1;
1061         }
1062
1063         while (len>=MAXBITCHUNK) {
1064                 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
1065                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1066                 len-=MAXBITCHUNK;
1067         }
1068         if (len)
1069                 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
1070                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1071         
1072         return 1;
1073 }
1074
1075 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
1076                 const unsigned char *in, size_t len)
1077 {
1078         unsigned int num = ctx->num;
1079         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1080
1081         if (dat->stream.ctr)
1082                 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
1083                         ctx->iv,ctx->buf,&num,dat->stream.ctr);
1084         else
1085                 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
1086                         ctx->iv,ctx->buf,&num,dat->block);
1087         ctx->num = (size_t)num;
1088         return 1;
1089 }
1090
1091 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
1092 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
1093 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
1094
1095 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1096         {
1097         EVP_AES_GCM_CTX *gctx = c->cipher_data;
1098         OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
1099         if (gctx->iv != c->iv)
1100                 OPENSSL_free(gctx->iv);
1101         return 1;
1102         }
1103
1104 /* increment counter (64-bit int) by 1 */
1105 static void ctr64_inc(unsigned char *counter) {
1106         int n=8;
1107         unsigned char  c;
1108
1109         do {
1110                 --n;
1111                 c = counter[n];
1112                 ++c;
1113                 counter[n] = c;
1114                 if (c) return;
1115         } while (n);
1116 }
1117
1118 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1119         {
1120         EVP_AES_GCM_CTX *gctx = c->cipher_data;
1121         switch (type)
1122                 {
1123         case EVP_CTRL_INIT:
1124                 gctx->key_set = 0;
1125                 gctx->iv_set = 0;
1126                 gctx->ivlen = c->cipher->iv_len;
1127                 gctx->iv = c->iv;
1128                 gctx->taglen = -1;
1129                 gctx->iv_gen = 0;
1130                 gctx->tls_aad_len = -1;
1131                 return 1;
1132
1133         case EVP_CTRL_GCM_SET_IVLEN:
1134                 if (arg <= 0)
1135                         return 0;
1136 #ifdef OPENSSL_FIPS
1137                 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
1138                                                  && arg < 12)
1139                         return 0;
1140 #endif
1141                 /* Allocate memory for IV if needed */
1142                 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
1143                         {
1144                         if (gctx->iv != c->iv)
1145                                 OPENSSL_free(gctx->iv);
1146                         gctx->iv = OPENSSL_malloc(arg);
1147                         if (!gctx->iv)
1148                                 return 0;
1149                         }
1150                 gctx->ivlen = arg;
1151                 return 1;
1152
1153         case EVP_CTRL_GCM_SET_TAG:
1154                 if (arg <= 0 || arg > 16 || c->encrypt)
1155                         return 0;
1156                 memcpy(c->buf, ptr, arg);
1157                 gctx->taglen = arg;
1158                 return 1;
1159
1160         case EVP_CTRL_GCM_GET_TAG:
1161                 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1162                         return 0;
1163                 memcpy(ptr, c->buf, arg);
1164                 return 1;
1165
1166         case EVP_CTRL_GCM_SET_IV_FIXED:
1167                 /* Special case: -1 length restores whole IV */
1168                 if (arg == -1)
1169                         {
1170                         memcpy(gctx->iv, ptr, gctx->ivlen);
1171                         gctx->iv_gen = 1;
1172                         return 1;
1173                         }
1174                 /* Fixed field must be at least 4 bytes and invocation field
1175                  * at least 8.
1176                  */
1177                 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1178                         return 0;
1179                 if (arg)
1180                         memcpy(gctx->iv, ptr, arg);
1181                 if (c->encrypt &&
1182                         RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
1183                         return 0;
1184                 gctx->iv_gen = 1;
1185                 return 1;
1186
1187         case EVP_CTRL_GCM_IV_GEN:
1188                 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1189                         return 0;
1190                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1191                 if (arg <= 0 || arg > gctx->ivlen)
1192                         arg = gctx->ivlen;
1193                 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1194                 /* Invocation field will be at least 8 bytes in size and
1195                  * so no need to check wrap around or increment more than
1196                  * last 8 bytes.
1197                  */
1198                 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1199                 gctx->iv_set = 1;
1200                 return 1;
1201
1202         case EVP_CTRL_GCM_SET_IV_INV:
1203                 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1204                         return 0;
1205                 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1206                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1207                 gctx->iv_set = 1;
1208                 return 1;
1209
1210         case EVP_CTRL_AEAD_TLS1_AAD:
1211                 /* Save the AAD for later use */
1212                 if (arg != 13)
1213                         return 0;
1214                 memcpy(c->buf, ptr, arg);
1215                 gctx->tls_aad_len = arg;
1216                         {
1217                         unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
1218                         /* Correct length for explicit IV */
1219                         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1220                         /* If decrypting correct for tag too */
1221                         if (!c->encrypt)
1222                                 len -= EVP_GCM_TLS_TAG_LEN;
1223                         c->buf[arg-2] = len>>8;
1224                         c->buf[arg-1] = len & 0xff;
1225                         }
1226                 /* Extra padding: tag appended to record */
1227                 return EVP_GCM_TLS_TAG_LEN;
1228
1229         default:
1230                 return -1;
1231
1232                 }
1233         }
1234
1235 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1236                         const unsigned char *iv, int enc)
1237         {
1238         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1239         if (!iv && !key)
1240                 return 1;
1241         if (key)
1242                 { do {
1243 #ifdef BSAES_CAPABLE
1244                 if (BSAES_CAPABLE)
1245                         {
1246                         AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks);
1247                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
1248                                         (block128_f)AES_encrypt);
1249                         gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
1250                         break;
1251                         }
1252                 else
1253 #endif
1254 #ifdef VPAES_CAPABLE
1255                 if (VPAES_CAPABLE)
1256                         {
1257                         vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks);
1258                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
1259                                         (block128_f)vpaes_encrypt);
1260                         gctx->ctr = NULL;
1261                         break;
1262                         }
1263                 else
1264 #endif
1265                 (void)0;        /* terminate potentially open 'else' */
1266
1267                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1268                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
1269 #ifdef AES_CTR_ASM
1270                 gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
1271 #else
1272                 gctx->ctr = NULL;
1273 #endif
1274                 } while (0);
1275
1276                 /* If we have an iv can set it directly, otherwise use
1277                  * saved IV.
1278                  */
1279                 if (iv == NULL && gctx->iv_set)
1280                         iv = gctx->iv;
1281                 if (iv)
1282                         {
1283                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1284                         gctx->iv_set = 1;
1285                         }
1286                 gctx->key_set = 1;
1287                 }
1288         else
1289                 {
1290                 /* If key set use IV, otherwise copy */
1291                 if (gctx->key_set)
1292                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1293                 else
1294                         memcpy(gctx->iv, iv, gctx->ivlen);
1295                 gctx->iv_set = 1;
1296                 gctx->iv_gen = 0;
1297                 }
1298         return 1;
1299         }
1300
1301 /* Handle TLS GCM packet format. This consists of the last portion of the IV
1302  * followed by the payload and finally the tag. On encrypt generate IV,
1303  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1304  * and verify tag.
1305  */
1306
1307 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1308                 const unsigned char *in, size_t len)
1309         {
1310         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1311         int rv = -1;
1312         /* Encrypt/decrypt must be performed in place */
1313         if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN))
1314                 return -1;
1315         /* Set IV from start of buffer or generate IV and write to start
1316          * of buffer.
1317          */
1318         if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1319                                 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1320                                 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1321                 goto err;
1322         /* Use saved AAD */
1323         if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1324                 goto err;
1325         /* Fix buffer and length to point to payload */
1326         in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1327         out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1328         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1329         if (ctx->encrypt)
1330                 {
1331                 /* Encrypt payload */
1332                 if (gctx->ctr)
1333                         {
1334                         size_t bulk=0;
1335 #if defined(AES_GCM_ASM)
1336                         if (len>=32 && AES_GCM_ASM(gctx))
1337                                 {
1338                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm,NULL,NULL,0))
1339                                         return -1;
1340
1341                                 bulk = AES_gcm_encrypt(in,out,len,
1342                                                         gctx->gcm.key,
1343                                                         gctx->gcm.Yi.c,
1344                                                         gctx->gcm.Xi.u);
1345                                 gctx->gcm.len.u[1] += bulk;
1346                                 }
1347 #endif
1348                         if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1349                                                         in +bulk,
1350                                                         out+bulk,
1351                                                         len-bulk,
1352                                                         gctx->ctr))
1353                                 goto err;
1354                         }
1355                 else    {
1356                         size_t bulk=0;
1357 #if defined(AES_GCM_ASM2)
1358                         if (len>=32 && AES_GCM_ASM2(gctx))
1359                                 {
1360                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm,NULL,NULL,0))
1361                                         return -1;
1362
1363                                 bulk = AES_gcm_encrypt(in,out,len,
1364                                                         gctx->gcm.key,
1365                                                         gctx->gcm.Yi.c,
1366                                                         gctx->gcm.Xi.u);
1367                                 gctx->gcm.len.u[1] += bulk;
1368                                 }
1369 #endif
1370                         if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1371                                                         in +bulk,
1372                                                         out+bulk,
1373                                                         len-bulk))
1374                                 goto err;
1375                         }
1376                 out += len;
1377                 /* Finally write tag */
1378                 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1379                 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1380                 }
1381         else
1382                 {
1383                 /* Decrypt */
1384                 if (gctx->ctr)
1385                         {
1386                         size_t bulk=0;
1387 #if defined(AES_GCM_ASM)
1388                         if (len>=16 && AES_GCM_ASM(gctx))
1389                                 {
1390                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm,NULL,NULL,0))
1391                                         return -1;
1392
1393                                 bulk = AES_gcm_decrypt(in,out,len,
1394                                                         gctx->gcm.key,
1395                                                         gctx->gcm.Yi.c,
1396                                                         gctx->gcm.Xi.u);
1397                                 gctx->gcm.len.u[1] += bulk;
1398                                 }
1399 #endif
1400                         if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1401                                                         in +bulk,
1402                                                         out+bulk,
1403                                                         len-bulk,
1404                                                         gctx->ctr))
1405                                 goto err;
1406                         }
1407                 else    {
1408                         size_t bulk=0;
1409 #if defined(AES_GCM_ASM2)
1410                         if (len>=16 && AES_GCM_ASM2(gctx))
1411                                 {
1412                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm,NULL,NULL,0))
1413                                         return -1;
1414
1415                                 bulk = AES_gcm_decrypt(in,out,len,
1416                                                         gctx->gcm.key,
1417                                                         gctx->gcm.Yi.c,
1418                                                         gctx->gcm.Xi.u);
1419                                 gctx->gcm.len.u[1] += bulk;
1420                                 }
1421 #endif
1422                         if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1423                                                         in +bulk,
1424                                                         out+bulk,
1425                                                         len-bulk))
1426                                 goto err;
1427                         }
1428                 /* Retrieve tag */
1429                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
1430                                         EVP_GCM_TLS_TAG_LEN);
1431                 /* If tag mismatch wipe buffer */
1432                 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
1433                         {
1434                         OPENSSL_cleanse(out, len);
1435                         goto err;
1436                         }
1437                 rv = len;
1438                 }
1439
1440         err:
1441         gctx->iv_set = 0;
1442         gctx->tls_aad_len = -1;
1443         return rv;
1444         }
1445
1446 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1447                 const unsigned char *in, size_t len)
1448         {
1449         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1450         /* If not set up, return error */
1451         if (!gctx->key_set)
1452                 return -1;
1453
1454         if (gctx->tls_aad_len >= 0)
1455                 return aes_gcm_tls_cipher(ctx, out, in, len);
1456
1457         if (!gctx->iv_set)
1458                 return -1;
1459         if (in)
1460                 {
1461                 if (out == NULL)
1462                         {
1463                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1464                                 return -1;
1465                         }
1466                 else if (ctx->encrypt)
1467                         {
1468                         if (gctx->ctr)
1469                                 {
1470                                 size_t bulk=0;
1471 #if defined(AES_GCM_ASM)
1472                                 if (len>=32 && AES_GCM_ASM(gctx))
1473                                         {
1474                                         size_t res = (16-gctx->gcm.mres)%16;
1475
1476                                         if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1477                                                         in,out,res))
1478                                                 return -1;
1479
1480                                         bulk = AES_gcm_encrypt(in+res,
1481                                                         out+res,len-res,                                                                gctx->gcm.key,
1482                                                         gctx->gcm.Yi.c,
1483                                                         gctx->gcm.Xi.u);
1484                                         gctx->gcm.len.u[1] += bulk;
1485                                         bulk += res;
1486                                         }
1487 #endif
1488                                 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1489                                                         in +bulk,
1490                                                         out+bulk,
1491                                                         len-bulk,
1492                                                         gctx->ctr))
1493                                         return -1;
1494                                 }
1495                         else    {
1496                                 size_t bulk=0;
1497 #if defined(AES_GCM_ASM2)
1498                                 if (len>=32 && AES_GCM_ASM2(gctx))
1499                                         {
1500                                         size_t res = (16-gctx->gcm.mres)%16;
1501
1502                                         if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1503                                                         in,out,res))
1504                                                 return -1;
1505
1506                                         bulk = AES_gcm_encrypt(in+res,
1507                                                         out+res,len-res,                                                                gctx->gcm.key,
1508                                                         gctx->gcm.Yi.c,
1509                                                         gctx->gcm.Xi.u);
1510                                         gctx->gcm.len.u[1] += bulk;
1511                                         bulk += res;
1512                                         }
1513 #endif
1514                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1515                                                         in +bulk,
1516                                                         out+bulk,
1517                                                         len-bulk))
1518                                         return -1;
1519                                 }
1520                         }
1521                 else
1522                         {
1523                         if (gctx->ctr)
1524                                 {
1525                                 size_t bulk=0;
1526 #if defined(AES_GCM_ASM)
1527                                 if (len>=16 && AES_GCM_ASM(gctx))
1528                                         {
1529                                         size_t res = (16-gctx->gcm.mres)%16;
1530
1531                                         if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1532                                                         in,out,res))
1533                                                 return -1;
1534
1535                                         bulk = AES_gcm_decrypt(in+res,
1536                                                         out+res,len-res,
1537                                                         gctx->gcm.key,
1538                                                         gctx->gcm.Yi.c,
1539                                                         gctx->gcm.Xi.u);
1540                                         gctx->gcm.len.u[1] += bulk;
1541                                         bulk += res;
1542                                         }
1543 #endif
1544                                 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1545                                                         in +bulk,
1546                                                         out+bulk,
1547                                                         len-bulk,
1548                                                         gctx->ctr))
1549                                         return -1;
1550                                 }
1551                         else    {
1552                                 size_t bulk=0;
1553 #if defined(AES_GCM_ASM2)
1554                                 if (len>=16 && AES_GCM_ASM2(gctx))
1555                                         {
1556                                         size_t res = (16-gctx->gcm.mres)%16;
1557
1558                                         if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1559                                                         in,out,res))
1560                                                 return -1;
1561
1562                                         bulk = AES_gcm_decrypt(in+res,
1563                                                         out+res,len-res,
1564                                                         gctx->gcm.key,
1565                                                         gctx->gcm.Yi.c,
1566                                                         gctx->gcm.Xi.u);
1567                                         gctx->gcm.len.u[1] += bulk;
1568                                         bulk += res;
1569                                         }
1570 #endif
1571                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1572                                                         in +bulk,
1573                                                         out+bulk,
1574                                                         len-bulk))
1575                                         return -1;
1576                                 }
1577                         }
1578                 return len;
1579                 }
1580         else
1581                 {
1582                 if (!ctx->encrypt)
1583                         {
1584                         if (gctx->taglen < 0)
1585                                 return -1;
1586                         if (CRYPTO_gcm128_finish(&gctx->gcm,
1587                                         ctx->buf, gctx->taglen) != 0)
1588                                 return -1;
1589                         gctx->iv_set = 0;
1590                         return 0;
1591                         }
1592                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1593                 gctx->taglen = 16;
1594                 /* Don't reuse the IV */
1595                 gctx->iv_set = 0;
1596                 return 0;
1597                 }
1598
1599         }
1600
1601 #define CUSTOM_FLAGS    (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1602                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1603                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1604
1605 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1606                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1607 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1608                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1609 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1610                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1611
1612 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1613         {
1614         EVP_AES_XTS_CTX *xctx = c->cipher_data;
1615         if (type != EVP_CTRL_INIT)
1616                 return -1;
1617         /* key1 and key2 are used as an indicator both key and IV are set */
1618         xctx->xts.key1 = NULL;
1619         xctx->xts.key2 = NULL;
1620         return 1;
1621         }
1622
1623 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1624                         const unsigned char *iv, int enc)
1625         {
1626         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1627         if (!iv && !key)
1628                 return 1;
1629
1630         if (key) do
1631                 {
1632 #ifdef AES_XTS_ASM
1633                 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1634 #else
1635                 xctx->stream = NULL;
1636 #endif
1637                 /* key_len is two AES keys */
1638 #ifdef BSAES_CAPABLE
1639                 if (BSAES_CAPABLE)
1640                         xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1641                 else
1642 #endif
1643 #ifdef VPAES_CAPABLE
1644                 if (VPAES_CAPABLE)
1645                     {
1646                     if (enc)
1647                         {
1648                         vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1649                         xctx->xts.block1 = (block128_f)vpaes_encrypt;
1650                         }
1651                     else
1652                         {
1653                         vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1654                         xctx->xts.block1 = (block128_f)vpaes_decrypt;
1655                         }
1656
1657                     vpaes_set_encrypt_key(key + ctx->key_len/2,
1658                                                 ctx->key_len * 4, &xctx->ks2.ks);
1659                     xctx->xts.block2 = (block128_f)vpaes_encrypt;
1660
1661                     xctx->xts.key1 = &xctx->ks1;
1662                     break;
1663                     }
1664                 else
1665 #endif
1666                 (void)0;        /* terminate potentially open 'else' */
1667
1668                 if (enc)
1669                         {
1670                         AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1671                         xctx->xts.block1 = (block128_f)AES_encrypt;
1672                         }
1673                 else
1674                         {
1675                         AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1676                         xctx->xts.block1 = (block128_f)AES_decrypt;
1677                         }
1678
1679                 AES_set_encrypt_key(key + ctx->key_len/2,
1680                                                 ctx->key_len * 4, &xctx->ks2.ks);
1681                 xctx->xts.block2 = (block128_f)AES_encrypt;
1682
1683                 xctx->xts.key1 = &xctx->ks1;
1684                 } while (0);
1685
1686         if (iv)
1687                 {
1688                 xctx->xts.key2 = &xctx->ks2;
1689                 memcpy(ctx->iv, iv, 16);
1690                 }
1691
1692         return 1;
1693         }
1694
1695 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1696                 const unsigned char *in, size_t len)
1697         {
1698         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1699         if (!xctx->xts.key1 || !xctx->xts.key2)
1700                 return 0;
1701         if (!out || !in || len<AES_BLOCK_SIZE)
1702                 return 0;
1703 #ifdef OPENSSL_FIPS
1704         /* Requirement of SP800-38E */
1705         if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1706                         (len > (1UL<<20)*16))
1707                 {
1708                 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1709                 return 0;
1710                 }
1711 #endif
1712         if (xctx->stream)
1713                 (*xctx->stream)(in, out, len,
1714                                 xctx->xts.key1, xctx->xts.key2, ctx->iv);
1715         else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1716                                                                 ctx->encrypt))
1717                 return 0;
1718         return 1;
1719         }
1720
1721 #define aes_xts_cleanup NULL
1722
1723 #define XTS_FLAGS       (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1724                          | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1725
1726 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1727 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1728
1729 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1730         {
1731         EVP_AES_CCM_CTX *cctx = c->cipher_data;
1732         switch (type)
1733                 {
1734         case EVP_CTRL_INIT:
1735                 cctx->key_set = 0;
1736                 cctx->iv_set = 0;
1737                 cctx->L = 8;
1738                 cctx->M = 12;
1739                 cctx->tag_set = 0;
1740                 cctx->len_set = 0;
1741                 return 1;
1742
1743         case EVP_CTRL_CCM_SET_IVLEN:
1744                 arg = 15 - arg;
1745         case EVP_CTRL_CCM_SET_L:
1746                 if (arg < 2 || arg > 8)
1747                         return 0;
1748                 cctx->L = arg;
1749                 return 1;
1750
1751         case EVP_CTRL_CCM_SET_TAG:
1752                 if ((arg & 1) || arg < 4 || arg > 16)
1753                         return 0;
1754                 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1755                         return 0;
1756                 if (ptr)
1757                         {
1758                         cctx->tag_set = 1;
1759                         memcpy(c->buf, ptr, arg);
1760                         }
1761                 cctx->M = arg;
1762                 return 1;
1763
1764         case EVP_CTRL_CCM_GET_TAG:
1765                 if (!c->encrypt || !cctx->tag_set)
1766                         return 0;
1767                 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1768                         return 0;
1769                 cctx->tag_set = 0;
1770                 cctx->iv_set = 0;
1771                 cctx->len_set = 0;
1772                 return 1;
1773
1774         default:
1775                 return -1;
1776
1777                 }
1778         }
1779
1780 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1781                         const unsigned char *iv, int enc)
1782         {
1783         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1784         if (!iv && !key)
1785                 return 1;
1786         if (key) do
1787                 {
1788 #ifdef VPAES_CAPABLE
1789                 if (VPAES_CAPABLE)
1790                         {
1791                         vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks.ks);
1792                         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1793                                         &cctx->ks, (block128_f)vpaes_encrypt);
1794                         cctx->str = NULL;
1795                         cctx->key_set = 1;
1796                         break;
1797                         }
1798 #endif
1799                 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
1800                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1801                                         &cctx->ks, (block128_f)AES_encrypt);
1802                 cctx->str = NULL;
1803                 cctx->key_set = 1;
1804                 } while (0);
1805         if (iv)
1806                 {
1807                 memcpy(ctx->iv, iv, 15 - cctx->L);
1808                 cctx->iv_set = 1;
1809                 }
1810         return 1;
1811         }
1812
1813 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1814                 const unsigned char *in, size_t len)
1815         {
1816         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1817         CCM128_CONTEXT *ccm = &cctx->ccm;
1818         /* If not set up, return error */
1819         if (!cctx->iv_set && !cctx->key_set)
1820                 return -1;
1821         if (!ctx->encrypt && !cctx->tag_set)
1822                 return -1;
1823         if (!out)
1824                 {
1825                 if (!in)
1826                         {
1827                         if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
1828                                 return -1;
1829                         cctx->len_set = 1;
1830                         return len;
1831                         }
1832                 /* If have AAD need message length */
1833                 if (!cctx->len_set && len)
1834                         return -1;
1835                 CRYPTO_ccm128_aad(ccm, in, len);
1836                 return len;
1837                 }
1838         /* EVP_*Final() doesn't return any data */
1839         if (!in)
1840                 return 0;
1841         /* If not set length yet do it */
1842         if (!cctx->len_set)
1843                 {
1844                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1845                         return -1;
1846                 cctx->len_set = 1;
1847                 }
1848         if (ctx->encrypt)
1849                 {
1850                 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
1851                                                 cctx->str) :
1852                                 CRYPTO_ccm128_encrypt(ccm, in, out, len))
1853                         return -1;
1854                 cctx->tag_set = 1;
1855                 return len;
1856                 }
1857         else
1858                 {
1859                 int rv = -1;
1860                 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
1861                                                 cctx->str) :
1862                                 !CRYPTO_ccm128_decrypt(ccm, in, out, len))
1863                         {
1864                         unsigned char tag[16];
1865                         if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
1866                                 {
1867                                 if (!memcmp(tag, ctx->buf, cctx->M))
1868                                         rv = len;
1869                                 }
1870                         }
1871                 if (rv == -1)
1872                         OPENSSL_cleanse(out, len);
1873                 cctx->iv_set = 0;
1874                 cctx->tag_set = 0;
1875                 cctx->len_set = 0;
1876                 return rv;
1877                 }
1878
1879         }
1880
1881 #define aes_ccm_cleanup NULL
1882
1883 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1884 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1885 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1886
1887 typedef struct
1888         {
1889         union { double align; AES_KEY ks; } ks;
1890         /* Indicates if IV has been set */
1891         unsigned char *iv;
1892         } EVP_AES_WRAP_CTX;
1893
1894 static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1895                         const unsigned char *iv, int enc)
1896         {
1897         EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
1898         if (!iv && !key)
1899                 return 1;
1900         if (key)
1901                 {
1902                 if (ctx->encrypt)
1903                         AES_set_encrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
1904                 else
1905                         AES_set_decrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
1906                 if (!iv)
1907                         wctx->iv = NULL;
1908                 }
1909         if (iv)
1910                 {
1911                 memcpy(ctx->iv, iv, 8);
1912                 wctx->iv = ctx->iv;
1913                 }
1914         return 1;
1915         }
1916
1917 static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1918                 const unsigned char *in, size_t inlen)
1919         {
1920         EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
1921         size_t rv;
1922         if (inlen % 8)
1923                 return 0;
1924         if (!out)
1925                 {
1926                 if (ctx->encrypt)
1927                         return inlen + 8;
1928                 else
1929                         return inlen - 8;
1930                 }
1931         if (!in)
1932                 return 0;
1933         if (ctx->encrypt)
1934                 rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
1935                                                 (block128_f)AES_encrypt);
1936         else
1937                 rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
1938                                                 (block128_f)AES_decrypt);
1939         return rv ? (int)rv : -1;
1940         }
1941
1942 #define WRAP_FLAGS      (EVP_CIPH_WRAP_MODE \
1943                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1944                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
1945
1946 static const EVP_CIPHER aes_128_wrap = {
1947         NID_id_aes128_wrap,
1948         8, 16, 8, WRAP_FLAGS,
1949         aes_wrap_init_key, aes_wrap_cipher,
1950         NULL,   
1951         sizeof(EVP_AES_WRAP_CTX),
1952         NULL,NULL,NULL,NULL };
1953
1954 const EVP_CIPHER *EVP_aes_128_wrap(void)
1955         {
1956         return &aes_128_wrap;
1957         }
1958
1959 static const EVP_CIPHER aes_192_wrap = {
1960         NID_id_aes192_wrap,
1961         8, 24, 8, WRAP_FLAGS,
1962         aes_wrap_init_key, aes_wrap_cipher,
1963         NULL,   
1964         sizeof(EVP_AES_WRAP_CTX),
1965         NULL,NULL,NULL,NULL };
1966
1967 const EVP_CIPHER *EVP_aes_192_wrap(void)
1968         {
1969         return &aes_192_wrap;
1970         }
1971
1972 static const EVP_CIPHER aes_256_wrap = {
1973         NID_id_aes256_wrap,
1974         8, 32, 8, WRAP_FLAGS,
1975         aes_wrap_init_key, aes_wrap_cipher,
1976         NULL,   
1977         sizeof(EVP_AES_WRAP_CTX),
1978         NULL,NULL,NULL,NULL };
1979
1980 const EVP_CIPHER *EVP_aes_256_wrap(void)
1981         {
1982         return &aes_256_wrap;
1983         }
1984
1985 #endif