e_aes.c: uninitialized variable in aes_ccm_init_key [from HEAD].
[openssl.git] / crypto / evp / e_aes.c
1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer. 
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50
51 #include <openssl/opensslconf.h>
52 #ifndef OPENSSL_NO_AES
53 #include <openssl/evp.h>
54 #include <openssl/err.h>
55 #include <string.h>
56 #include <assert.h>
57 #include <openssl/aes.h>
58 #include "evp_locl.h"
59 #include "modes_lcl.h"
60 #include <openssl/rand.h>
61
62 #ifndef OPENSSL_FIPSCANISTER
63 #undef EVP_CIPH_FLAG_FIPS
64 #define EVP_CIPH_FLAG_FIPS 0
65 #endif
66
67 typedef struct
68         {
69         AES_KEY ks;
70         block128_f block;
71         union {
72                 cbc128_f cbc;
73                 ctr128_f ctr;
74         } stream;
75         } EVP_AES_KEY;
76
77 typedef struct
78         {
79         AES_KEY ks;             /* AES key schedule to use */
80         int key_set;            /* Set if key initialised */
81         int iv_set;             /* Set if an iv is set */
82         GCM128_CONTEXT gcm;
83         unsigned char *iv;      /* Temporary IV store */
84         int ivlen;              /* IV length */
85         int taglen;
86         int iv_gen;             /* It is OK to generate IVs */
87         int tls_aad_len;        /* TLS AAD length */
88         ctr128_f ctr;
89         } EVP_AES_GCM_CTX;
90
91 typedef struct
92         {
93         AES_KEY ks1, ks2;       /* AES key schedules to use */
94         XTS128_CONTEXT xts;
95         void     (*stream)(const unsigned char *in,
96                         unsigned char *out, size_t length,
97                         const AES_KEY *key1, const AES_KEY *key2,
98                         const unsigned char iv[16]);
99         } EVP_AES_XTS_CTX;
100
101 typedef struct
102         {
103         AES_KEY ks;             /* AES key schedule to use */
104         int key_set;            /* Set if key initialised */
105         int iv_set;             /* Set if an iv is set */
106         int tag_set;            /* Set if tag is valid */
107         int len_set;            /* Set if message length set */
108         int L, M;               /* L and M parameters from RFC3610 */
109         CCM128_CONTEXT ccm;
110         ccm128_f str;
111         } EVP_AES_CCM_CTX;
112
113 #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
114
115 #ifdef VPAES_ASM
116 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
117                         AES_KEY *key);
118 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
119                         AES_KEY *key);
120
121 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
122                         const AES_KEY *key);
123 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
124                         const AES_KEY *key);
125
126 void vpaes_cbc_encrypt(const unsigned char *in,
127                         unsigned char *out,
128                         size_t length,
129                         const AES_KEY *key,
130                         unsigned char *ivec, int enc);
131 #endif
132 #ifdef BSAES_ASM
133 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
134                         size_t length, const AES_KEY *key,
135                         unsigned char ivec[16], int enc);
136 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
137                         size_t len, const AES_KEY *key,
138                         const unsigned char ivec[16]);
139 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
140                         size_t len, const AES_KEY *key1,
141                         const AES_KEY *key2, const unsigned char iv[16]);
142 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
143                         size_t len, const AES_KEY *key1,
144                         const AES_KEY *key2, const unsigned char iv[16]);
145 #endif
146 #ifdef AES_CTR_ASM
147 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
148                         size_t blocks, const AES_KEY *key,
149                         const unsigned char ivec[AES_BLOCK_SIZE]);
150 #endif
151 #ifdef AES_XTS_ASM
152 void AES_xts_encrypt(const char *inp,char *out,size_t len,
153                         const AES_KEY *key1, const AES_KEY *key2,
154                         const unsigned char iv[16]);
155 void AES_xts_decrypt(const char *inp,char *out,size_t len,
156                         const AES_KEY *key1, const AES_KEY *key2,
157                         const unsigned char iv[16]);
158 #endif
159
160 #if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
161         ((defined(__i386)       || defined(__i386__)    || \
162           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
163         defined(__x86_64)       || defined(__x86_64__)  || \
164         defined(_M_AMD64)       || defined(_M_X64)      || \
165         defined(__INTEL__)                              )
166
167 extern unsigned int OPENSSL_ia32cap_P[2];
168
169 #ifdef VPAES_ASM
170 #define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
171 #endif
172 #ifdef BSAES_ASM
173 #define BSAES_CAPABLE   VPAES_CAPABLE
174 #endif
175 /*
176  * AES-NI section
177  */
178 #define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
179
180 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
181                         AES_KEY *key);
182 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
183                         AES_KEY *key);
184
185 void aesni_encrypt(const unsigned char *in, unsigned char *out,
186                         const AES_KEY *key);
187 void aesni_decrypt(const unsigned char *in, unsigned char *out,
188                         const AES_KEY *key);
189
190 void aesni_ecb_encrypt(const unsigned char *in,
191                         unsigned char *out,
192                         size_t length,
193                         const AES_KEY *key,
194                         int enc);
195 void aesni_cbc_encrypt(const unsigned char *in,
196                         unsigned char *out,
197                         size_t length,
198                         const AES_KEY *key,
199                         unsigned char *ivec, int enc);
200
201 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
202                         unsigned char *out,
203                         size_t blocks,
204                         const void *key,
205                         const unsigned char *ivec);
206
207 void aesni_xts_encrypt(const unsigned char *in,
208                         unsigned char *out,
209                         size_t length,
210                         const AES_KEY *key1, const AES_KEY *key2,
211                         const unsigned char iv[16]);
212
213 void aesni_xts_decrypt(const unsigned char *in,
214                         unsigned char *out,
215                         size_t length,
216                         const AES_KEY *key1, const AES_KEY *key2,
217                         const unsigned char iv[16]);
218
219 void aesni_ccm64_encrypt_blocks (const unsigned char *in,
220                         unsigned char *out,
221                         size_t blocks,
222                         const void *key,
223                         const unsigned char ivec[16],
224                         unsigned char cmac[16]);
225
226 void aesni_ccm64_decrypt_blocks (const unsigned char *in,
227                         unsigned char *out,
228                         size_t blocks,
229                         const void *key,
230                         const unsigned char ivec[16],
231                         unsigned char cmac[16]);
232
233 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
234                    const unsigned char *iv, int enc)
235         {
236         int ret, mode;
237         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
238
239         mode = ctx->cipher->flags & EVP_CIPH_MODE;
240         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
241             && !enc)
242                 { 
243                 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
244                 dat->block      = (block128_f)aesni_decrypt;
245                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
246                                         (cbc128_f)aesni_cbc_encrypt :
247                                         NULL;
248                 }
249         else    {
250                 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
251                 dat->block      = (block128_f)aesni_encrypt;
252                 if (mode==EVP_CIPH_CBC_MODE)
253                         dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
254                 else if (mode==EVP_CIPH_CTR_MODE)
255                         dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
256                 else
257                         dat->stream.cbc = NULL;
258                 }
259
260         if(ret < 0)
261                 {
262                 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
263                 return 0;
264                 }
265
266         return 1;
267         }
268
269 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
270         const unsigned char *in, size_t len)
271 {
272         aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
273
274         return 1;
275 }
276
277 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
278         const unsigned char *in, size_t len)
279 {
280         size_t  bl = ctx->cipher->block_size;
281
282         if (len<bl)     return 1;
283
284         aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
285
286         return 1;
287 }
288
289 #define aesni_ofb_cipher aes_ofb_cipher
290 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
291         const unsigned char *in,size_t len);
292
293 #define aesni_cfb_cipher aes_cfb_cipher
294 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
295         const unsigned char *in,size_t len);
296
297 #define aesni_cfb8_cipher aes_cfb8_cipher
298 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
299         const unsigned char *in,size_t len);
300
301 #define aesni_cfb1_cipher aes_cfb1_cipher
302 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
303         const unsigned char *in,size_t len);
304
305 #define aesni_ctr_cipher aes_ctr_cipher
306 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
307                 const unsigned char *in, size_t len);
308
309 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
310                         const unsigned char *iv, int enc)
311         {
312         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
313         if (!iv && !key)
314                 return 1;
315         if (key)
316                 {
317                 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
318                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
319                                 (block128_f)aesni_encrypt);
320                 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
321                 /* If we have an iv can set it directly, otherwise use
322                  * saved IV.
323                  */
324                 if (iv == NULL && gctx->iv_set)
325                         iv = gctx->iv;
326                 if (iv)
327                         {
328                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
329                         gctx->iv_set = 1;
330                         }
331                 gctx->key_set = 1;
332                 }
333         else
334                 {
335                 /* If key set use IV, otherwise copy */
336                 if (gctx->key_set)
337                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
338                 else
339                         memcpy(gctx->iv, iv, gctx->ivlen);
340                 gctx->iv_set = 1;
341                 gctx->iv_gen = 0;
342                 }
343         return 1;
344         }
345
346 #define aesni_gcm_cipher aes_gcm_cipher
347 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
348                 const unsigned char *in, size_t len);
349
350 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
351                         const unsigned char *iv, int enc)
352         {
353         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
354         if (!iv && !key)
355                 return 1;
356
357         if (key)
358                 {
359                 /* key_len is two AES keys */
360                 if (enc)
361                         {
362                         aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
363                         xctx->xts.block1 = (block128_f)aesni_encrypt;
364                         xctx->stream = aesni_xts_encrypt;
365                         }
366                 else
367                         {
368                         aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
369                         xctx->xts.block1 = (block128_f)aesni_decrypt;
370                         xctx->stream = aesni_xts_decrypt;
371                         }
372
373                 aesni_set_encrypt_key(key + ctx->key_len/2,
374                                                 ctx->key_len * 4, &xctx->ks2);
375                 xctx->xts.block2 = (block128_f)aesni_encrypt;
376
377                 xctx->xts.key1 = &xctx->ks1;
378                 }
379
380         if (iv)
381                 {
382                 xctx->xts.key2 = &xctx->ks2;
383                 memcpy(ctx->iv, iv, 16);
384                 }
385
386         return 1;
387         }
388
389 #define aesni_xts_cipher aes_xts_cipher
390 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
391                 const unsigned char *in, size_t len);
392
393 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
394                         const unsigned char *iv, int enc)
395         {
396         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
397         if (!iv && !key)
398                 return 1;
399         if (key)
400                 {
401                 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
402                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
403                                         &cctx->ks, (block128_f)aesni_encrypt);
404                 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks :
405                                 (ccm128_f)aesni_ccm64_decrypt_blocks;
406                 cctx->key_set = 1;
407                 }
408         if (iv)
409                 {
410                 memcpy(ctx->iv, iv, 15 - cctx->L);
411                 cctx->iv_set = 1;
412                 }
413         return 1;
414         }
415
416 #define aesni_ccm_cipher aes_ccm_cipher
417 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
418                 const unsigned char *in, size_t len);
419
420 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
421 static const EVP_CIPHER aesni_##keylen##_##mode = { \
422         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
423         flags|EVP_CIPH_##MODE##_MODE,   \
424         aesni_init_key,                 \
425         aesni_##mode##_cipher,          \
426         NULL,                           \
427         sizeof(EVP_AES_KEY),            \
428         NULL,NULL,NULL,NULL }; \
429 static const EVP_CIPHER aes_##keylen##_##mode = { \
430         nid##_##keylen##_##nmode,blocksize,     \
431         keylen/8,ivlen, \
432         flags|EVP_CIPH_##MODE##_MODE,   \
433         aes_init_key,                   \
434         aes_##mode##_cipher,            \
435         NULL,                           \
436         sizeof(EVP_AES_KEY),            \
437         NULL,NULL,NULL,NULL }; \
438 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
439 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
440
441 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
442 static const EVP_CIPHER aesni_##keylen##_##mode = { \
443         nid##_##keylen##_##mode,blocksize, \
444         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
445         flags|EVP_CIPH_##MODE##_MODE,   \
446         aesni_##mode##_init_key,        \
447         aesni_##mode##_cipher,          \
448         aes_##mode##_cleanup,           \
449         sizeof(EVP_AES_##MODE##_CTX),   \
450         NULL,NULL,aes_##mode##_ctrl,NULL }; \
451 static const EVP_CIPHER aes_##keylen##_##mode = { \
452         nid##_##keylen##_##mode,blocksize, \
453         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
454         flags|EVP_CIPH_##MODE##_MODE,   \
455         aes_##mode##_init_key,          \
456         aes_##mode##_cipher,            \
457         aes_##mode##_cleanup,           \
458         sizeof(EVP_AES_##MODE##_CTX),   \
459         NULL,NULL,aes_##mode##_ctrl,NULL }; \
460 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
461 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
462
463 #else
464
465 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
466 static const EVP_CIPHER aes_##keylen##_##mode = { \
467         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
468         flags|EVP_CIPH_##MODE##_MODE,   \
469         aes_init_key,                   \
470         aes_##mode##_cipher,            \
471         NULL,                           \
472         sizeof(EVP_AES_KEY),            \
473         NULL,NULL,NULL,NULL }; \
474 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
475 { return &aes_##keylen##_##mode; }
476
477 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
478 static const EVP_CIPHER aes_##keylen##_##mode = { \
479         nid##_##keylen##_##mode,blocksize, \
480         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
481         flags|EVP_CIPH_##MODE##_MODE,   \
482         aes_##mode##_init_key,          \
483         aes_##mode##_cipher,            \
484         aes_##mode##_cleanup,           \
485         sizeof(EVP_AES_##MODE##_CTX),   \
486         NULL,NULL,aes_##mode##_ctrl,NULL }; \
487 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
488 { return &aes_##keylen##_##mode; }
489 #endif
490
491 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
492         BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
493         BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
494         BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
495         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
496         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
497         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
498         BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
499
500 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
501                    const unsigned char *iv, int enc)
502         {
503         int ret, mode;
504         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
505
506         mode = ctx->cipher->flags & EVP_CIPH_MODE;
507         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
508             && !enc)
509 #ifdef BSAES_CAPABLE
510             if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE)
511                 {
512                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
513                 dat->block      = (block128_f)AES_decrypt;
514                 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
515                 }
516             else
517 #endif
518 #ifdef VPAES_CAPABLE
519             if (VPAES_CAPABLE)
520                 {
521                 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
522                 dat->block      = (block128_f)vpaes_decrypt;
523                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
524                                         (cbc128_f)vpaes_cbc_encrypt :
525                                         NULL;
526                 }
527             else
528 #endif
529                 {
530                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
531                 dat->block      = (block128_f)AES_decrypt;
532                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
533                                         (cbc128_f)AES_cbc_encrypt :
534                                         NULL;
535                 }
536         else
537 #ifdef BSAES_CAPABLE
538             if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE)
539                 {
540                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
541                 dat->block      = (block128_f)AES_encrypt;
542                 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
543                 }
544             else
545 #endif
546 #ifdef VPAES_CAPABLE
547             if (VPAES_CAPABLE)
548                 {
549                 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
550                 dat->block      = (block128_f)vpaes_encrypt;
551                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
552                                         (cbc128_f)vpaes_cbc_encrypt :
553                                         NULL;
554                 }
555             else
556 #endif
557                 {
558                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
559                 dat->block      = (block128_f)AES_encrypt;
560                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
561                                         (cbc128_f)AES_cbc_encrypt :
562                                         NULL;
563 #ifdef AES_CTR_ASM
564                 if (mode==EVP_CIPH_CTR_MODE)
565                         dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
566 #endif
567                 }
568
569         if(ret < 0)
570                 {
571                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
572                 return 0;
573                 }
574
575         return 1;
576         }
577
578 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
579         const unsigned char *in, size_t len)
580 {
581         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
582
583         if (dat->stream.cbc)
584                 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
585         else if (ctx->encrypt)
586                 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
587         else
588                 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
589
590         return 1;
591 }
592
593 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
594         const unsigned char *in, size_t len)
595 {
596         size_t  bl = ctx->cipher->block_size;
597         size_t  i;
598         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
599
600         if (len<bl)     return 1;
601
602         for (i=0,len-=bl;i<=len;i+=bl)
603                 (*dat->block)(in+i,out+i,&dat->ks);
604
605         return 1;
606 }
607
608 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
609         const unsigned char *in,size_t len)
610 {
611         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
612
613         CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
614                         ctx->iv,&ctx->num,dat->block);
615         return 1;
616 }
617
618 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
619         const unsigned char *in,size_t len)
620 {
621         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
622
623         CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
624                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
625         return 1;
626 }
627
628 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
629         const unsigned char *in,size_t len)
630 {
631         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
632
633         CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
634                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
635         return 1;
636 }
637
638 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
639         const unsigned char *in,size_t len)
640 {
641         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
642
643         if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
644                 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
645                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
646                 return 1;
647         }
648
649         while (len>=MAXBITCHUNK) {
650                 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
651                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
652                 len-=MAXBITCHUNK;
653         }
654         if (len)
655                 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
656                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
657         
658         return 1;
659 }
660
661 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
662                 const unsigned char *in, size_t len)
663 {
664         unsigned int num = ctx->num;
665         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
666
667         if (dat->stream.ctr)
668                 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
669                         ctx->iv,ctx->buf,&num,dat->stream.ctr);
670         else
671                 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
672                         ctx->iv,ctx->buf,&num,dat->block);
673         ctx->num = (size_t)num;
674         return 1;
675 }
676
677 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
678 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
679 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
680
681 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
682         {
683         EVP_AES_GCM_CTX *gctx = c->cipher_data;
684         OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
685         if (gctx->iv != c->iv)
686                 OPENSSL_free(gctx->iv);
687         return 1;
688         }
689
690 /* increment counter (64-bit int) by 1 */
691 static void ctr64_inc(unsigned char *counter) {
692         int n=8;
693         unsigned char  c;
694
695         do {
696                 --n;
697                 c = counter[n];
698                 ++c;
699                 counter[n] = c;
700                 if (c) return;
701         } while (n);
702 }
703
704 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
705         {
706         EVP_AES_GCM_CTX *gctx = c->cipher_data;
707         switch (type)
708                 {
709         case EVP_CTRL_INIT:
710                 gctx->key_set = 0;
711                 gctx->iv_set = 0;
712                 gctx->ivlen = c->cipher->iv_len;
713                 gctx->iv = c->iv;
714                 gctx->taglen = -1;
715                 gctx->iv_gen = 0;
716                 gctx->tls_aad_len = -1;
717                 return 1;
718
719         case EVP_CTRL_GCM_SET_IVLEN:
720                 if (arg <= 0)
721                         return 0;
722 #ifdef OPENSSL_FIPSCANISTER
723                 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
724                                                  && arg < 12)
725                         return 0;
726 #endif
727                 /* Allocate memory for IV if needed */
728                 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
729                         {
730                         if (gctx->iv != c->iv)
731                                 OPENSSL_free(gctx->iv);
732                         gctx->iv = OPENSSL_malloc(arg);
733                         if (!gctx->iv)
734                                 return 0;
735                         }
736                 gctx->ivlen = arg;
737                 return 1;
738
739         case EVP_CTRL_GCM_SET_TAG:
740                 if (arg <= 0 || arg > 16 || c->encrypt)
741                         return 0;
742                 memcpy(c->buf, ptr, arg);
743                 gctx->taglen = arg;
744                 return 1;
745
746         case EVP_CTRL_GCM_GET_TAG:
747                 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
748                         return 0;
749                 memcpy(ptr, c->buf, arg);
750                 return 1;
751
752         case EVP_CTRL_GCM_SET_IV_FIXED:
753                 /* Special case: -1 length restores whole IV */
754                 if (arg == -1)
755                         {
756                         memcpy(gctx->iv, ptr, gctx->ivlen);
757                         gctx->iv_gen = 1;
758                         return 1;
759                         }
760                 /* Fixed field must be at least 4 bytes and invocation field
761                  * at least 8.
762                  */
763                 if ((arg < 4) || (gctx->ivlen - arg) < 8)
764                         return 0;
765                 if (arg)
766                         memcpy(gctx->iv, ptr, arg);
767                 if (c->encrypt &&
768                         RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
769                         return 0;
770                 gctx->iv_gen = 1;
771                 return 1;
772
773         case EVP_CTRL_GCM_IV_GEN:
774                 if (gctx->iv_gen == 0 || gctx->key_set == 0)
775                         return 0;
776                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
777                 if (arg <= 0 || arg > gctx->ivlen)
778                         arg = gctx->ivlen;
779                 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
780                 /* Invocation field will be at least 8 bytes in size and
781                  * so no need to check wrap around or increment more than
782                  * last 8 bytes.
783                  */
784                 ctr64_inc(gctx->iv + gctx->ivlen - 8);
785                 gctx->iv_set = 1;
786                 return 1;
787
788         case EVP_CTRL_GCM_SET_IV_INV:
789                 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
790                         return 0;
791                 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
792                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
793                 gctx->iv_set = 1;
794                 return 1;
795
796         case EVP_CTRL_AEAD_TLS1_AAD:
797                 /* Save the AAD for later use */
798                 if (arg != 13)
799                         return 0;
800                 memcpy(c->buf, ptr, arg);
801                 gctx->tls_aad_len = arg;
802                         {
803                         unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
804                         /* Correct length for explicit IV */
805                         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
806                         /* If decrypting correct for tag too */
807                         if (!c->encrypt)
808                                 len -= EVP_GCM_TLS_TAG_LEN;
809                         c->buf[arg-2] = len>>8;
810                         c->buf[arg-1] = len & 0xff;
811                         }
812                 /* Extra padding: tag appended to record */
813                 return EVP_GCM_TLS_TAG_LEN;
814
815         default:
816                 return -1;
817
818                 }
819         }
820
821 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
822                         const unsigned char *iv, int enc)
823         {
824         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
825         if (!iv && !key)
826                 return 1;
827         if (key)
828                 { do {
829 #ifdef BSAES_CAPABLE
830                 if (BSAES_CAPABLE)
831                         {
832                         AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
833                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
834                                         (block128_f)AES_encrypt);
835                         gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
836                         break;
837                         }
838                 else
839 #endif
840 #ifdef VPAES_CAPABLE
841                 if (VPAES_CAPABLE)
842                         {
843                         vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
844                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
845                                         (block128_f)vpaes_encrypt);
846                         gctx->ctr = NULL;
847                         break;
848                         }
849 #endif
850                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
851                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
852 #ifdef AES_CTR_ASM
853                 gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
854 #else
855                 gctx->ctr = NULL;
856 #endif
857                 } while (0);
858
859                 /* If we have an iv can set it directly, otherwise use
860                  * saved IV.
861                  */
862                 if (iv == NULL && gctx->iv_set)
863                         iv = gctx->iv;
864                 if (iv)
865                         {
866                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
867                         gctx->iv_set = 1;
868                         }
869                 gctx->key_set = 1;
870                 }
871         else
872                 {
873                 /* If key set use IV, otherwise copy */
874                 if (gctx->key_set)
875                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
876                 else
877                         memcpy(gctx->iv, iv, gctx->ivlen);
878                 gctx->iv_set = 1;
879                 gctx->iv_gen = 0;
880                 }
881         return 1;
882         }
883
884 /* Handle TLS GCM packet format. This consists of the last portion of the IV
885  * followed by the payload and finally the tag. On encrypt generate IV,
886  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
887  * and verify tag.
888  */
889
890 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
891                 const unsigned char *in, size_t len)
892         {
893         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
894         int rv = -1;
895         /* Encrypt/decrypt must be performed in place */
896         if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN))
897                 return -1;
898         /* Set IV from start of buffer or generate IV and write to start
899          * of buffer.
900          */
901         if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
902                                 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
903                                 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
904                 goto err;
905         /* Use saved AAD */
906         if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
907                 goto err;
908         /* Fix buffer and length to point to payload */
909         in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
910         out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
911         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
912         if (ctx->encrypt)
913                 {
914                 /* Encrypt payload */
915                 if (gctx->ctr)
916                         {
917                         if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
918                                                         in, out, len,
919                                                         gctx->ctr))
920                                 goto err;
921                         }
922                 else    {
923                         if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
924                                 goto err;
925                         }
926                 out += len;
927                 /* Finally write tag */
928                 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
929                 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
930                 }
931         else
932                 {
933                 /* Decrypt */
934                 if (gctx->ctr)
935                         {
936                         if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
937                                                         in, out, len,
938                                                         gctx->ctr))
939                                 goto err;
940                         }
941                 else    {
942                         if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
943                                 goto err;
944                         }
945                 /* Retrieve tag */
946                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
947                                         EVP_GCM_TLS_TAG_LEN);
948                 /* If tag mismatch wipe buffer */
949                 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
950                         {
951                         OPENSSL_cleanse(out, len);
952                         goto err;
953                         }
954                 rv = len;
955                 }
956
957         err:
958         gctx->iv_set = 0;
959         gctx->tls_aad_len = -1;
960         return rv;
961         }
962
963 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
964                 const unsigned char *in, size_t len)
965         {
966         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
967         /* If not set up, return error */
968         if (!gctx->key_set)
969                 return -1;
970
971         if (gctx->tls_aad_len >= 0)
972                 return aes_gcm_tls_cipher(ctx, out, in, len);
973
974         if (!gctx->iv_set)
975                 return -1;
976         if (!ctx->encrypt && gctx->taglen < 0)
977                 return -1;
978         if (in)
979                 {
980                 if (out == NULL)
981                         {
982                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
983                                 return -1;
984                         }
985                 else if (ctx->encrypt)
986                         {
987                         if (gctx->ctr)
988                                 {
989                                 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
990                                                         in, out, len,
991                                                         gctx->ctr))
992                                         return -1;
993                                 }
994                         else    {
995                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
996                                         return -1;
997                                 }
998                         }
999                 else
1000                         {
1001                         if (gctx->ctr)
1002                                 {
1003                                 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1004                                                         in, out, len,
1005                                                         gctx->ctr))
1006                                         return -1;
1007                                 }
1008                         else    {
1009                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1010                                         return -1;
1011                                 }
1012                         }
1013                 return len;
1014                 }
1015         else
1016                 {
1017                 if (!ctx->encrypt)
1018                         {
1019                         if (CRYPTO_gcm128_finish(&gctx->gcm,
1020                                         ctx->buf, gctx->taglen) != 0)
1021                                 return -1;
1022                         gctx->iv_set = 0;
1023                         return 0;
1024                         }
1025                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1026                 gctx->taglen = 16;
1027                 /* Don't reuse the IV */
1028                 gctx->iv_set = 0;
1029                 return 0;
1030                 }
1031
1032         }
1033
1034 #define CUSTOM_FLAGS    (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1035                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1036                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1037
1038 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1039                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1040 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1041                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1042 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1043                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1044
1045 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1046         {
1047         EVP_AES_XTS_CTX *xctx = c->cipher_data;
1048         if (type != EVP_CTRL_INIT)
1049                 return -1;
1050         /* key1 and key2 are used as an indicator both key and IV are set */
1051         xctx->xts.key1 = NULL;
1052         xctx->xts.key2 = NULL;
1053         return 1;
1054         }
1055
1056 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1057                         const unsigned char *iv, int enc)
1058         {
1059         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1060         if (!iv && !key)
1061                 return 1;
1062
1063         if (key) do
1064                 {
1065 #ifdef AES_XTS_ASM
1066                 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1067 #else
1068                 xctx->stream = NULL;
1069 #endif
1070                 /* key_len is two AES keys */
1071 #ifdef BSAES_CAPABLE
1072                 if (BSAES_CAPABLE)
1073                         xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1074                 else
1075 #endif
1076 #ifdef VPAES_CAPABLE
1077                 if (VPAES_CAPABLE)
1078                     {
1079                     if (enc)
1080                         {
1081                         vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1082                         xctx->xts.block1 = (block128_f)vpaes_encrypt;
1083                         }
1084                     else
1085                         {
1086                         vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1087                         xctx->xts.block1 = (block128_f)vpaes_decrypt;
1088                         }
1089
1090                 vpaes_set_encrypt_key(key + ctx->key_len/2,
1091                                                 ctx->key_len * 4, &xctx->ks2);
1092                 xctx->xts.block2 = (block128_f)vpaes_encrypt;
1093
1094                 xctx->xts.key1 = &xctx->ks1;
1095                 break;
1096                 }
1097 #endif
1098                 if (enc)
1099                         {
1100                         AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1101                         xctx->xts.block1 = (block128_f)AES_encrypt;
1102                         }
1103                 else
1104                         {
1105                         AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1106                         xctx->xts.block1 = (block128_f)AES_decrypt;
1107                         }
1108
1109                 AES_set_encrypt_key(key + ctx->key_len/2,
1110                                                 ctx->key_len * 4, &xctx->ks2);
1111                 xctx->xts.block2 = (block128_f)AES_encrypt;
1112
1113                 xctx->xts.key1 = &xctx->ks1;
1114                 } while (0);
1115
1116         if (iv)
1117                 {
1118                 xctx->xts.key2 = &xctx->ks2;
1119                 memcpy(ctx->iv, iv, 16);
1120                 }
1121
1122         return 1;
1123         }
1124
1125 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1126                 const unsigned char *in, size_t len)
1127         {
1128         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1129         if (!xctx->xts.key1 || !xctx->xts.key2)
1130                 return 0;
1131         if (!out || !in || len<AES_BLOCK_SIZE)
1132                 return 0;
1133 #ifdef OPENSSL_FIPSCANISTER
1134         /* Requirement of SP800-38E */
1135         if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1136                         (len > (1UL<<20)*16))
1137                 {
1138                 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1139                 return 0;
1140                 }
1141 #endif
1142         if (xctx->stream)
1143                 (*xctx->stream)(in, out, len,
1144                                 xctx->xts.key1, xctx->xts.key2, ctx->iv);
1145         else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1146                                                                 ctx->encrypt))
1147                 return 0;
1148         return 1;
1149         }
1150
1151 #define aes_xts_cleanup NULL
1152
1153 #define XTS_FLAGS       (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1154                          | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1155
1156 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1157 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1158
1159 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1160         {
1161         EVP_AES_CCM_CTX *cctx = c->cipher_data;
1162         switch (type)
1163                 {
1164         case EVP_CTRL_INIT:
1165                 cctx->key_set = 0;
1166                 cctx->iv_set = 0;
1167                 cctx->L = 8;
1168                 cctx->M = 12;
1169                 cctx->tag_set = 0;
1170                 cctx->len_set = 0;
1171                 return 1;
1172
1173         case EVP_CTRL_CCM_SET_IVLEN:
1174                 arg = 15 - arg;
1175         case EVP_CTRL_CCM_SET_L:
1176                 if (arg < 2 || arg > 8)
1177                         return 0;
1178                 cctx->L = arg;
1179                 return 1;
1180
1181         case EVP_CTRL_CCM_SET_TAG:
1182                 if ((arg & 1) || arg < 4 || arg > 16)
1183                         return 0;
1184                 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1185                         return 0;
1186                 if (ptr)
1187                         {
1188                         cctx->tag_set = 1;
1189                         memcpy(c->buf, ptr, arg);
1190                         }
1191                 cctx->M = arg;
1192                 return 1;
1193
1194         case EVP_CTRL_CCM_GET_TAG:
1195                 if (!c->encrypt || !cctx->tag_set)
1196                         return 0;
1197                 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1198                         return 0;
1199                 cctx->tag_set = 0;
1200                 cctx->iv_set = 0;
1201                 cctx->len_set = 0;
1202                 return 1;
1203
1204         default:
1205                 return -1;
1206
1207                 }
1208         }
1209
1210 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1211                         const unsigned char *iv, int enc)
1212         {
1213         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1214         if (!iv && !key)
1215                 return 1;
1216         if (key) do
1217                 {
1218 #ifdef VPAES_CAPABLE
1219                 if (VPAES_CAPABLE)
1220                         {
1221                         vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
1222                         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1223                                         &cctx->ks, (block128_f)vpaes_encrypt);
1224                         cctx->str = NULL;
1225                         cctx->key_set = 1;
1226                         break;
1227                         }
1228 #endif
1229                 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
1230                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1231                                         &cctx->ks, (block128_f)AES_encrypt);
1232                 cctx->str = NULL;
1233                 cctx->key_set = 1;
1234                 } while (0);
1235         if (iv)
1236                 {
1237                 memcpy(ctx->iv, iv, 15 - cctx->L);
1238                 cctx->iv_set = 1;
1239                 }
1240         return 1;
1241         }
1242
1243 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1244                 const unsigned char *in, size_t len)
1245         {
1246         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1247         CCM128_CONTEXT *ccm = &cctx->ccm;
1248         /* If not set up, return error */
1249         if (!cctx->iv_set && !cctx->key_set)
1250                 return -1;
1251         if (!ctx->encrypt && !cctx->tag_set)
1252                 return -1;
1253         if (!out)
1254                 {
1255                 if (!in)
1256                         {
1257                         if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
1258                                 return -1;
1259                         cctx->len_set = 1;
1260                         return len;
1261                         }
1262                 /* If have AAD need message length */
1263                 if (!cctx->len_set && len)
1264                         return -1;
1265                 CRYPTO_ccm128_aad(ccm, in, len);
1266                 return len;
1267                 }
1268         /* EVP_*Final() doesn't return any data */
1269         if (!in)
1270                 return 0;
1271         /* If not set length yet do it */
1272         if (!cctx->len_set)
1273                 {
1274                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1275                         return -1;
1276                 cctx->len_set = 1;
1277                 }
1278         if (ctx->encrypt)
1279                 {
1280                 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
1281                                                 cctx->str) :
1282                                 CRYPTO_ccm128_encrypt(ccm, in, out, len))
1283                         return -1;
1284                 cctx->tag_set = 1;
1285                 return len;
1286                 }
1287         else
1288                 {
1289                 int rv = -1;
1290                 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
1291                                                 cctx->str) :
1292                                 !CRYPTO_ccm128_decrypt(ccm, in, out, len))
1293                         {
1294                         unsigned char tag[16];
1295                         if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
1296                                 {
1297                                 if (!memcmp(tag, ctx->buf, cctx->M))
1298                                         rv = len;
1299                                 }
1300                         }
1301                 if (rv == -1)
1302                         OPENSSL_cleanse(out, len);
1303                 cctx->iv_set = 0;
1304                 cctx->tag_set = 0;
1305                 cctx->len_set = 0;
1306                 return rv;
1307                 }
1308
1309         }
1310
1311 #define aes_ccm_cleanup NULL
1312
1313 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1314 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1315 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1316
1317 #endif