Fix error codes.
[oweals/openssl.git] / crypto / evp / e_aes.c
1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer. 
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50
51 #define OPENSSL_FIPSAPI
52
53 #include <openssl/opensslconf.h>
54 #ifndef OPENSSL_NO_AES
55 #include <openssl/evp.h>
56 #include <openssl/err.h>
57 #include <string.h>
58 #include <assert.h>
59 #include <openssl/aes.h>
60 #include "evp_locl.h"
61 #include "modes_lcl.h"
62 #include <openssl/rand.h>
63
64 typedef struct
65         {
66         AES_KEY ks;
67         } EVP_AES_KEY;
68
69 typedef struct
70         {
71         AES_KEY ks;             /* AES key schedule to use */
72         int key_set;            /* Set if key initialised */
73         int iv_set;             /* Set if an iv is set */
74         GCM128_CONTEXT gcm;
75         unsigned char *iv;      /* Temporary IV store */
76         int ivlen;              /* IV length */
77         int taglen;
78         int iv_gen;             /* It is OK to generate IVs */
79         int tls_aad_len;        /* TLS AAD length */
80         } EVP_AES_GCM_CTX;
81
82 typedef struct
83         {
84         AES_KEY ks1, ks2;       /* AES key schedules to use */
85         XTS128_CONTEXT xts;
86         } EVP_AES_XTS_CTX;
87
88 typedef struct
89         {
90         AES_KEY ks;             /* AES key schedule to use */
91         int key_set;            /* Set if key initialised */
92         int iv_set;             /* Set if an iv is set */
93         int tag_set;            /* Set if tag is valid */
94         int len_set;            /* Set if message length set */
95         int L, M;               /* L and M parameters from RFC3610 */
96         CCM128_CONTEXT ccm;
97         } EVP_AES_CCM_CTX;
98
99 #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
100
101 #if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
102         ((defined(__i386)       || defined(__i386__)    || \
103           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
104         defined(__x86_64)       || defined(__x86_64__)  || \
105         defined(_M_AMD64)       || defined(_M_X64)      || \
106         defined(__INTEL__)                              )
107 /*
108  * AES-NI section
109  */
110 extern unsigned int OPENSSL_ia32cap_P[2];
111 #define AESNI_CAPABLE   (1<<(57-32))
112
113 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
114                         AES_KEY *key);
115 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
116                         AES_KEY *key);
117
118 void aesni_encrypt(const unsigned char *in, unsigned char *out,
119                         const AES_KEY *key);
120 void aesni_decrypt(const unsigned char *in, unsigned char *out,
121                         const AES_KEY *key);
122
123 void aesni_ecb_encrypt(const unsigned char *in,
124                         unsigned char *out,
125                         size_t length,
126                         const AES_KEY *key,
127                         int enc);
128 void aesni_cbc_encrypt(const unsigned char *in,
129                         unsigned char *out,
130                         size_t length,
131                         const AES_KEY *key,
132                         unsigned char *ivec, int enc);
133
134 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
135                         unsigned char *out,
136                         size_t blocks,
137                         const void *key,
138                         const unsigned char *ivec);
139
140 void aesni_xts_encrypt(const unsigned char *in,
141                         unsigned char *out,
142                         size_t length,
143                         const AES_KEY *key1, const AES_KEY *key2,
144                         const unsigned char iv[16]);
145
146 void aesni_xts_decrypt(const unsigned char *in,
147                         unsigned char *out,
148                         size_t length,
149                         const AES_KEY *key1, const AES_KEY *key2,
150                         const unsigned char iv[16]);
151
152 void aesni_ccm64_encrypt_blocks (const unsigned char *in,
153                         unsigned char *out,
154                         size_t blocks,
155                         const void *key,
156                         const unsigned char ivec[16],
157                         unsigned char cmac[16]);
158
159 void aesni_ccm64_decrypt_blocks (const unsigned char *in,
160                         unsigned char *out,
161                         size_t blocks,
162                         const void *key,
163                         const unsigned char ivec[16],
164                         unsigned char cmac[16]);
165
166 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
167                    const unsigned char *iv, int enc)
168         {
169         int ret;
170
171         if (((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_ECB_MODE
172             || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CBC_MODE)
173             && !enc) 
174                 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
175         else
176                 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
177
178         if(ret < 0)
179                 {
180                 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
181                 return 0;
182                 }
183
184         return 1;
185         }
186
187 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
188         const unsigned char *in, size_t len)
189 {
190         aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
191
192         return 1;
193 }
194
195 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
196         const unsigned char *in, size_t len)
197 {
198         size_t  bl = ctx->cipher->block_size;
199
200         if (len<bl)     return 1;
201
202         aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
203
204         return 1;
205 }
206
207 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
208         const unsigned char *in,size_t len)
209 {
210         CRYPTO_ofb128_encrypt(in,out,len,ctx->cipher_data,
211                         ctx->iv,&ctx->num,
212                         (block128_f)aesni_encrypt);
213         return 1;
214 }
215
216 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
217         const unsigned char *in,size_t len)
218 {
219         CRYPTO_cfb128_encrypt(in,out,len,ctx->cipher_data,
220                         ctx->iv,&ctx->num,ctx->encrypt,
221                         (block128_f)aesni_encrypt);
222         return 1;
223 }
224
225 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
226         const unsigned char *in,size_t len)
227 {
228         CRYPTO_cfb128_8_encrypt(in,out,len,ctx->cipher_data,
229                         ctx->iv,&ctx->num,ctx->encrypt,
230                         (block128_f)aesni_encrypt);
231         return 1;
232 }
233
234 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
235         const unsigned char *in,size_t len)
236 {
237         if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
238                 CRYPTO_cfb128_1_encrypt(in,out,len,ctx->cipher_data,
239                         ctx->iv,&ctx->num,ctx->encrypt,
240                         (block128_f)aesni_encrypt);
241                 return 1;
242         }
243
244         while (len>=MAXBITCHUNK) {
245                 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,ctx->cipher_data,
246                         ctx->iv,&ctx->num,ctx->encrypt,
247                         (block128_f)aesni_encrypt);
248                 len-=MAXBITCHUNK;
249         }
250         if (len)
251                 CRYPTO_cfb128_1_encrypt(in,out,len*8,ctx->cipher_data,
252                         ctx->iv,&ctx->num,ctx->encrypt,
253                         (block128_f)aesni_encrypt);
254         
255         return 1;
256 }
257
258 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
259                 const unsigned char *in, size_t len)
260 {
261         unsigned int num;
262         num = ctx->num;
263
264         CRYPTO_ctr128_encrypt_ctr32(in,out,len,
265                         ctx->cipher_data,ctx->iv,ctx->buf,&num,
266                         (ctr128_f)aesni_ctr32_encrypt_blocks);
267
268         ctx->num = (size_t)num;
269         return 1;
270 }
271
272 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
273                         const unsigned char *iv, int enc)
274         {
275         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
276         if (!iv && !key)
277                 return 1;
278         if (key)
279                 {
280                 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
281                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
282                                 (block128_f)aesni_encrypt);
283                 /* If we have an iv can set it directly, otherwise use
284                  * saved IV.
285                  */
286                 if (iv == NULL && gctx->iv_set)
287                         iv = gctx->iv;
288                 if (iv)
289                         {
290                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
291                         gctx->iv_set = 1;
292                         }
293                 gctx->key_set = 1;
294                 }
295         else
296                 {
297                 /* If key set use IV, otherwise copy */
298                 if (gctx->key_set)
299                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
300                 else
301                         memcpy(gctx->iv, iv, gctx->ivlen);
302                 gctx->iv_set = 1;
303                 gctx->iv_gen = 0;
304                 }
305         return 1;
306         }
307
308 /* Handle TLS GCM packet format. This consists of the last portion of the IV
309  * followed by the payload and finally the tag. On encrypt generate IV,
310  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
311  * and verify tag.
312  */
313
314 static int aesni_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
315                 const unsigned char *in, size_t len)
316         {
317         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
318         int rv = -1;
319         /* Encrypt/decrypt must be performed in place */
320         if (out != in)
321                 return -1;
322         /* Set IV from start of buffer or generate IV and write to start
323          * of buffer.
324          */
325         if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
326                                 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
327                                 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
328                 goto err;
329         /* Use saved AAD */
330         if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
331                 goto err;
332         /* Fix buffer and length to point to payload */
333         in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
334         out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
335         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
336         if (ctx->encrypt)
337                 {
338                 /* Encrypt payload */
339                 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, len,
340                                                 aesni_ctr32_encrypt_blocks))
341                 out += len;
342                 /* Finally write tag */
343                 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
344                 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
345                 }
346         else
347                 {
348                 /* Decrypt */
349                 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, len,
350                                                 aesni_ctr32_encrypt_blocks))
351                         goto err;
352                 /* Retrieve tag */
353                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
354                                         EVP_GCM_TLS_TAG_LEN);
355                 /* If tag mismatch wipe buffer */
356                 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
357                         {
358                         OPENSSL_cleanse(out, len);
359                         goto err;
360                         }
361                 rv = len;
362                 }
363
364         err:
365         gctx->iv_set = 0;
366         gctx->tls_aad_len = -1;
367         return rv;
368         }
369
370 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
371                 const unsigned char *in, size_t len)
372         {
373         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
374         /* If not set up, return error */
375         if (!gctx->key_set)
376                 return -1;
377
378         if (gctx->tls_aad_len >= 0)
379                 return aesni_gcm_tls_cipher(ctx, out, in, len);
380
381         if (!gctx->iv_set)
382                 return -1;
383         if (!ctx->encrypt && gctx->taglen < 0)
384                 return -1;
385         if (in)
386                 {
387                 if (out == NULL)
388                         {
389                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
390                                 return -1;
391                         }
392                 else if (ctx->encrypt)
393                         {
394                         if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
395                                         in, out, len,
396                                         aesni_ctr32_encrypt_blocks))
397                                 return -1;
398                         }
399                 else
400                         {
401                         if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
402                                         in, out, len,
403                                         aesni_ctr32_encrypt_blocks))
404                                 return -1;
405                         }
406                 return len;
407                 }
408         else
409                 {
410                 if (!ctx->encrypt)
411                         {
412                         if (CRYPTO_gcm128_finish(&gctx->gcm,
413                                         ctx->buf, gctx->taglen) != 0)
414                                 return -1;
415                         gctx->iv_set = 0;
416                         return 0;
417                         }
418                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
419                 gctx->taglen = 16;
420                 /* Don't reuse the IV */
421                 gctx->iv_set = 0;
422                 return 0;
423                 }
424
425         }
426
427 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
428                         const unsigned char *iv, int enc)
429         {
430         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
431         if (!iv && !key)
432                 return 1;
433
434         if (key)
435                 {
436                 /* key_len is two AES keys */
437                 if (enc)
438                         {
439                         aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
440                         xctx->xts.block1 = (block128_f)aesni_encrypt;
441                         }
442                 else
443                         {
444                         aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
445                         xctx->xts.block1 = (block128_f)aesni_decrypt;
446                         }
447
448                 aesni_set_encrypt_key(key + ctx->key_len/2,
449                                                 ctx->key_len * 4, &xctx->ks2);
450                 xctx->xts.block2 = (block128_f)aesni_encrypt;
451
452                 xctx->xts.key1 = &xctx->ks1;
453                 }
454
455         if (iv)
456                 {
457                 xctx->xts.key2 = &xctx->ks2;
458                 memcpy(ctx->iv, iv, 16);
459                 }
460
461         return 1;
462         }
463
464 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
465                 const unsigned char *in, size_t len)
466         {
467         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
468         if (!xctx->xts.key1 || !xctx->xts.key2)
469                 return -1;
470         if (!out || !in)
471                 return -1;
472 #ifdef OPENSSL_FIPS
473         /* Requirement of SP800-38E */
474         if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
475                         (len > (1L<<20)*16))
476                 {
477                 EVPerr(EVP_F_AESNI_XTS_CIPHER, EVP_R_TOO_LARGE);
478                 return -1;
479                 }
480 #endif
481         if (ctx->encrypt)
482                 aesni_xts_encrypt(in, out, len,
483                         xctx->xts.key1, xctx->xts.key2, ctx->iv);
484         else
485                 aesni_xts_decrypt(in, out, len,
486                         xctx->xts.key1, xctx->xts.key2, ctx->iv);
487
488         return len;
489         }
490
491 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
492                         const unsigned char *iv, int enc)
493         {
494         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
495         if (!iv && !key)
496                 return 1;
497         if (key)
498                 {
499                 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
500                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
501                                         &cctx->ks, (block128_f)aesni_encrypt);
502                 cctx->key_set = 1;
503                 }
504         if (iv)
505                 {
506                 memcpy(ctx->iv, iv, 15 - cctx->L);
507                 cctx->iv_set = 1;
508                 }
509         return 1;
510         }
511
512 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
513                 const unsigned char *in, size_t len)
514         {
515         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
516         CCM128_CONTEXT *ccm = &cctx->ccm;
517         /* If not set up, return error */
518         if (!cctx->iv_set && !cctx->key_set)
519                 return -1;
520         if (!ctx->encrypt && !cctx->tag_set)
521                 return -1;
522         if (!out)
523                 {
524                 if (!in)
525                         {
526                         if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
527                                 return -1;
528                         cctx->len_set = 1;
529                         return len;
530                         }
531                 /* If have AAD need message length */
532                 if (!cctx->len_set && len)
533                         return -1;
534                 CRYPTO_ccm128_aad(ccm, in, len);
535                 return len;
536                 }
537         /* EVP_*Final() doesn't return any data */
538         if (!in)
539                 return 0;
540         /* If not set length yet do it */
541         if (!cctx->len_set)
542                 {
543                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
544                         return -1;
545                 cctx->len_set = 1;
546                 }
547         if (ctx->encrypt)
548                 {
549                 if (CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
550                                 aesni_ccm64_encrypt_blocks))
551                         return -1;
552                 cctx->tag_set = 1;
553                 return len;
554                 }
555         else
556                 {
557                 int rv = -1;
558                 if (!CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
559                                 aesni_ccm64_decrypt_blocks))
560                         {
561                         unsigned char tag[16];
562                         if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
563                                 {
564                                 if (!memcmp(tag, ctx->buf, cctx->M))
565                                         rv = len;
566                                 }
567                         }
568                 if (rv == -1)
569                         OPENSSL_cleanse(out, len);
570                 cctx->iv_set = 0;
571                 cctx->tag_set = 0;
572                 cctx->len_set = 0;
573                 return rv;
574                 }
575
576         }
577
578 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
579 static const EVP_CIPHER aesni_##keylen##_##mode = { \
580         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
581         flags|EVP_CIPH_##MODE##_MODE,   \
582         aesni_init_key,                 \
583         aesni_##mode##_cipher,          \
584         NULL,                           \
585         sizeof(EVP_AES_KEY),            \
586         NULL,NULL,NULL,NULL }; \
587 static const EVP_CIPHER aes_##keylen##_##mode = { \
588         nid##_##keylen##_##nmode,blocksize,     \
589         keylen/8,ivlen, \
590         flags|EVP_CIPH_##MODE##_MODE,   \
591         aes_init_key,                   \
592         aes_##mode##_cipher,            \
593         NULL,                           \
594         sizeof(EVP_AES_KEY),            \
595         NULL,NULL,NULL,NULL }; \
596 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
597 { return (OPENSSL_ia32cap_P[1]&AESNI_CAPABLE)? \
598   &aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
599
600 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
601 static const EVP_CIPHER aesni_##keylen##_##mode = { \
602         nid##_##keylen##_##mode,blocksize, \
603         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
604         flags|EVP_CIPH_##MODE##_MODE,   \
605         aesni_##mode##_init_key,        \
606         aesni_##mode##_cipher,          \
607         aes_##mode##_cleanup,           \
608         sizeof(EVP_AES_##MODE##_CTX),   \
609         NULL,NULL,aes_##mode##_ctrl,NULL }; \
610 static const EVP_CIPHER aes_##keylen##_##mode = { \
611         nid##_##keylen##_##mode,blocksize, \
612         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
613         flags|EVP_CIPH_##MODE##_MODE,   \
614         aes_##mode##_init_key,          \
615         aes_##mode##_cipher,            \
616         aes_##mode##_cleanup,           \
617         sizeof(EVP_AES_##MODE##_CTX),   \
618         NULL,NULL,aes_##mode##_ctrl,NULL }; \
619 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
620 { return (OPENSSL_ia32cap_P[1]&AESNI_CAPABLE)? \
621   &aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
622
623 #else
624
625 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
626 static const EVP_CIPHER aes_##keylen##_##mode = { \
627         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
628         flags|EVP_CIPH_##MODE##_MODE,   \
629         aes_init_key,                   \
630         aes_##mode##_cipher,            \
631         NULL,                           \
632         sizeof(EVP_AES_KEY),            \
633         NULL,NULL,NULL,NULL }; \
634 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
635 { return &aes_##keylen##_##mode; }
636
637 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
638 static const EVP_CIPHER aes_##keylen##_##mode = { \
639         nid##_##keylen##_##mode,blocksize, \
640         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
641         flags|EVP_CIPH_##MODE##_MODE,   \
642         aes_##mode##_init_key,          \
643         aes_##mode##_cipher,            \
644         aes_##mode##_cleanup,           \
645         sizeof(EVP_AES_##MODE##_CTX),   \
646         NULL,NULL,aes_##mode##_ctrl,NULL }; \
647 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
648 { return &aes_##keylen##_##mode; }
649 #endif
650
651 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
652         BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
653         BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
654         BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
655         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
656         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
657         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
658         BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
659
660 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
661                    const unsigned char *iv, int enc)
662         {
663         int ret;
664
665         if (((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_ECB_MODE
666             || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CBC_MODE)
667             && !enc) 
668                 ret = AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
669         else
670                 ret = AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
671
672         if(ret < 0)
673                 {
674                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
675                 return 0;
676                 }
677
678         return 1;
679         }
680
681 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
682         const unsigned char *in, size_t len)
683 {
684         AES_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
685
686         return 1;
687 }
688
689 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
690         const unsigned char *in, size_t len)
691 {
692         size_t  bl = ctx->cipher->block_size;
693         size_t  i;
694
695         if (len<bl)     return 1;
696
697         if (ctx->encrypt) {
698                 for (i=0,len-=bl;i<=len;i+=bl)
699                         AES_encrypt(in+i,out+i,ctx->cipher_data);
700         } else {
701                 for (i=0,len-=bl;i<=len;i+=bl)
702                         AES_decrypt(in+i,out+i,ctx->cipher_data);
703         }
704
705         return 1;
706 }
707
708 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
709         const unsigned char *in,size_t len)
710 {
711         CRYPTO_ofb128_encrypt(in,out,len,ctx->cipher_data,
712                         ctx->iv,&ctx->num,
713                         (block128_f)AES_encrypt);
714         return 1;
715 }
716
717 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
718         const unsigned char *in,size_t len)
719 {
720         CRYPTO_cfb128_encrypt(in,out,len,ctx->cipher_data,
721                         ctx->iv,&ctx->num,ctx->encrypt,
722                         (block128_f)AES_encrypt);
723         return 1;
724 }
725
726 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
727         const unsigned char *in,size_t len)
728 {
729         CRYPTO_cfb128_8_encrypt(in,out,len,ctx->cipher_data,
730                         ctx->iv,&ctx->num,ctx->encrypt,
731                         (block128_f)AES_encrypt);
732         return 1;
733 }
734
735 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
736         const unsigned char *in,size_t len)
737 {
738         if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
739                 CRYPTO_cfb128_1_encrypt(in,out,len,ctx->cipher_data,
740                         ctx->iv,&ctx->num,ctx->encrypt,
741                         (block128_f)AES_encrypt);
742                 return 1;
743         }
744
745         while (len>=MAXBITCHUNK) {
746                 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,ctx->cipher_data,
747                         ctx->iv,&ctx->num,ctx->encrypt,
748                         (block128_f)AES_encrypt);
749                 len-=MAXBITCHUNK;
750         }
751         if (len)
752                 CRYPTO_cfb128_1_encrypt(in,out,len*8,ctx->cipher_data,
753                         ctx->iv,&ctx->num,ctx->encrypt,
754                         (block128_f)AES_encrypt);
755         
756         return 1;
757 }
758
759 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
760                 const unsigned char *in, size_t len)
761 {
762         unsigned int num;
763         num = ctx->num;
764 #ifdef AES_CTR_ASM
765         void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
766                         size_t blocks, const AES_KEY *key,
767                         const unsigned char ivec[AES_BLOCK_SIZE]);
768
769         CRYPTO_ctr128_encrypt_ctr32(in,out,len,
770                 &((EVP_AES_KEY *)ctx->cipher_data)->ks,
771                 ctx->iv,ctx->buf,&num,(ctr128_f)AES_ctr32_encrypt);
772 #else
773         CRYPTO_ctr128_encrypt(in,out,len,
774                 &((EVP_AES_KEY *)ctx->cipher_data)->ks,
775                 ctx->iv,ctx->buf,&num,(block128_f)AES_encrypt);
776 #endif
777         ctx->num = (size_t)num;
778         return 1;
779 }
780
781 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
782 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
783 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
784
785 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
786         {
787         EVP_AES_GCM_CTX *gctx = c->cipher_data;
788         OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
789         if (gctx->iv != c->iv)
790                 OPENSSL_free(gctx->iv);
791         return 1;
792         }
793
794 /* increment counter (64-bit int) by 1 */
795 static void ctr64_inc(unsigned char *counter) {
796         int n=8;
797         unsigned char  c;
798
799         do {
800                 --n;
801                 c = counter[n];
802                 ++c;
803                 counter[n] = c;
804                 if (c) return;
805         } while (n);
806 }
807
808 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
809         {
810         EVP_AES_GCM_CTX *gctx = c->cipher_data;
811         switch (type)
812                 {
813         case EVP_CTRL_INIT:
814                 gctx->key_set = 0;
815                 gctx->iv_set = 0;
816                 gctx->ivlen = c->cipher->iv_len;
817                 gctx->iv = c->iv;
818                 gctx->taglen = -1;
819                 gctx->iv_gen = 0;
820                 gctx->tls_aad_len = -1;
821                 return 1;
822
823         case EVP_CTRL_GCM_SET_IVLEN:
824                 if (arg <= 0)
825                         return 0;
826 #ifdef OPENSSL_FIPS
827                 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
828                                                  && arg < 12)
829                         return 0;
830 #endif
831                 /* Allocate memory for IV if needed */
832                 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
833                         {
834                         if (gctx->iv != c->iv)
835                                 OPENSSL_free(gctx->iv);
836                         gctx->iv = OPENSSL_malloc(arg);
837                         if (!gctx->iv)
838                                 return 0;
839                         }
840                 gctx->ivlen = arg;
841                 return 1;
842
843         case EVP_CTRL_GCM_SET_TAG:
844                 if (arg <= 0 || arg > 16 || c->encrypt)
845                         return 0;
846                 memcpy(c->buf, ptr, arg);
847                 gctx->taglen = arg;
848                 return 1;
849
850         case EVP_CTRL_GCM_GET_TAG:
851                 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
852                         return 0;
853                 memcpy(ptr, c->buf, arg);
854                 return 1;
855
856         case EVP_CTRL_GCM_SET_IV_FIXED:
857                 /* Special case: -1 length restores whole IV */
858                 if (arg == -1)
859                         {
860                         memcpy(gctx->iv, ptr, gctx->ivlen);
861                         gctx->iv_gen = 1;
862                         return 1;
863                         }
864                 /* Fixed field must be at least 4 bytes and invocation field
865                  * at least 8.
866                  */
867                 if ((arg < 4) || (gctx->ivlen - arg) < 8)
868                         return 0;
869                 if (arg)
870                         memcpy(gctx->iv, ptr, arg);
871                 if (c->encrypt &&
872                         RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
873                         return 0;
874                 gctx->iv_gen = 1;
875                 return 1;
876
877         case EVP_CTRL_GCM_IV_GEN:
878                 if (gctx->iv_gen == 0 || gctx->key_set == 0)
879                         return 0;
880                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
881                 if (arg <= 0 || arg > gctx->ivlen)
882                         arg = gctx->ivlen;
883                 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
884                 /* Invocation field will be at least 8 bytes in size and
885                  * so no need to check wrap around or increment more than
886                  * last 8 bytes.
887                  */
888                 ctr64_inc(gctx->iv + gctx->ivlen - 8);
889                 gctx->iv_set = 1;
890                 return 1;
891
892         case EVP_CTRL_GCM_SET_IV_INV:
893                 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
894                         return 0;
895                 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
896                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
897                 gctx->iv_set = 1;
898                 return 1;
899
900         case EVP_CTRL_AEAD_TLS1_AAD:
901                 /* Save the AAD for later use */
902                 if (arg != 13)
903                         return 0;
904                 memcpy(c->buf, ptr, arg);
905                 gctx->tls_aad_len = arg;
906                         {
907                         unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
908                         /* Correct length for explicit IV */
909                         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
910                         /* If decrypting correct for tag too */
911                         if (!c->encrypt)
912                                 len -= EVP_GCM_TLS_TAG_LEN;
913                         c->buf[arg-2] = len>>8;
914                         c->buf[arg-1] = len & 0xff;
915                         }
916                 /* Extra padding: tag appended to record */
917                 return EVP_GCM_TLS_TAG_LEN;
918
919         default:
920                 return -1;
921
922                 }
923         }
924
925 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
926                         const unsigned char *iv, int enc)
927         {
928         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
929         if (!iv && !key)
930                 return 1;
931         if (key)
932                 {
933                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
934                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
935                 /* If we have an iv can set it directly, otherwise use
936                  * saved IV.
937                  */
938                 if (iv == NULL && gctx->iv_set)
939                         iv = gctx->iv;
940                 if (iv)
941                         {
942                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
943                         gctx->iv_set = 1;
944                         }
945                 gctx->key_set = 1;
946                 }
947         else
948                 {
949                 /* If key set use IV, otherwise copy */
950                 if (gctx->key_set)
951                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
952                 else
953                         memcpy(gctx->iv, iv, gctx->ivlen);
954                 gctx->iv_set = 1;
955                 gctx->iv_gen = 0;
956                 }
957         return 1;
958         }
959
960 /* Handle TLS GCM packet format. This consists of the last portion of the IV
961  * followed by the payload and finally the tag. On encrypt generate IV,
962  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
963  * and verify tag.
964  */
965
966 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
967                 const unsigned char *in, size_t len)
968         {
969         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
970         int rv = -1;
971         /* Encrypt/decrypt must be performed in place */
972         if (out != in)
973                 return -1;
974         /* Set IV from start of buffer or generate IV and write to start
975          * of buffer.
976          */
977         if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
978                                 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
979                                 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
980                 goto err;
981         /* Use saved AAD */
982         if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
983                 goto err;
984         /* Fix buffer and length to point to payload */
985         in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
986         out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
987         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
988         if (ctx->encrypt)
989                 {
990                 /* Encrypt payload */
991                 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
992                         goto err;
993                 out += len;
994                 /* Finally write tag */
995                 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
996                 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
997                 }
998         else
999                 {
1000                 /* Decrypt */
1001                 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1002                         goto err;
1003                 /* Retrieve tag */
1004                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
1005                                         EVP_GCM_TLS_TAG_LEN);
1006                 /* If tag mismatch wipe buffer */
1007                 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
1008                         {
1009                         OPENSSL_cleanse(out, len);
1010                         goto err;
1011                         }
1012                 rv = len;
1013                 }
1014
1015         err:
1016         gctx->iv_set = 0;
1017         gctx->tls_aad_len = -1;
1018         return rv;
1019         }
1020
1021 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1022                 const unsigned char *in, size_t len)
1023         {
1024         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1025         /* If not set up, return error */
1026         if (!gctx->key_set)
1027                 return -1;
1028
1029         if (gctx->tls_aad_len >= 0)
1030                 return aes_gcm_tls_cipher(ctx, out, in, len);
1031
1032         if (!gctx->iv_set)
1033                 return -1;
1034         if (!ctx->encrypt && gctx->taglen < 0)
1035                 return -1;
1036         if (in)
1037                 {
1038                 if (out == NULL)
1039                         {
1040                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1041                                 return -1;
1042                         }
1043                 else if (ctx->encrypt)
1044                         {
1045                         if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
1046                                 return -1;
1047                         }
1048                 else
1049                         {
1050                         if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1051                                 return -1;
1052                         }
1053                 return len;
1054                 }
1055         else
1056                 {
1057                 if (!ctx->encrypt)
1058                         {
1059                         if (CRYPTO_gcm128_finish(&gctx->gcm,
1060                                         ctx->buf, gctx->taglen) != 0)
1061                                 return -1;
1062                         gctx->iv_set = 0;
1063                         return 0;
1064                         }
1065                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1066                 gctx->taglen = 16;
1067                 /* Don't reuse the IV */
1068                 gctx->iv_set = 0;
1069                 return 0;
1070                 }
1071
1072         }
1073
1074 #define CUSTOM_FLAGS    (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1075                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1076                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1077
1078 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1079                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1080 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1081                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1082 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1083                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1084
1085 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1086         {
1087         EVP_AES_XTS_CTX *xctx = c->cipher_data;
1088         if (type != EVP_CTRL_INIT)
1089                 return -1;
1090         /* key1 and key2 are used as an indicator both key and IV are set */
1091         xctx->xts.key1 = NULL;
1092         xctx->xts.key2 = NULL;
1093         return 1;
1094         }
1095
1096 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1097                         const unsigned char *iv, int enc)
1098         {
1099         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1100         if (!iv && !key)
1101                 return 1;
1102
1103         if (key)
1104                 {
1105                 /* key_len is two AES keys */
1106                 if (enc)
1107                         {
1108                         AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1109                         xctx->xts.block1 = (block128_f)AES_encrypt;
1110                         }
1111                 else
1112                         {
1113                         AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1114                         xctx->xts.block1 = (block128_f)AES_decrypt;
1115                         }
1116
1117                 AES_set_encrypt_key(key + ctx->key_len/2,
1118                                                 ctx->key_len * 4, &xctx->ks2);
1119                 xctx->xts.block2 = (block128_f)AES_encrypt;
1120
1121                 xctx->xts.key1 = &xctx->ks1;
1122                 }
1123
1124         if (iv)
1125                 {
1126                 xctx->xts.key2 = &xctx->ks2;
1127                 memcpy(ctx->iv, iv, 16);
1128                 }
1129
1130         return 1;
1131         }
1132
1133 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1134                 const unsigned char *in, size_t len)
1135         {
1136         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1137         if (!xctx->xts.key1 || !xctx->xts.key2)
1138                 return -1;
1139         if (!out || !in)
1140                 return -1;
1141 #ifdef OPENSSL_FIPS
1142         /* Requirement of SP800-38E */
1143         if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1144                         (len > (1L<<20)*16))
1145                 {
1146                 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1147                 return -1;
1148                 }
1149 #endif
1150         if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1151                                                                 ctx->encrypt))
1152                 return -1;
1153         return len;
1154         }
1155
1156 #define aes_xts_cleanup NULL
1157
1158 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1159 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1160
1161 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1162         {
1163         EVP_AES_CCM_CTX *cctx = c->cipher_data;
1164         switch (type)
1165                 {
1166         case EVP_CTRL_INIT:
1167                 cctx->key_set = 0;
1168                 cctx->iv_set = 0;
1169                 cctx->L = 8;
1170                 cctx->M = 12;
1171                 cctx->tag_set = 0;
1172                 cctx->len_set = 0;
1173                 return 1;
1174
1175         case EVP_CTRL_CCM_SET_IVLEN:
1176                 arg = 15 - arg;
1177         case EVP_CTRL_CCM_SET_L:
1178                 if (arg < 2 || arg > 8)
1179                         return 0;
1180                 cctx->L = arg;
1181                 return 1;
1182
1183         case EVP_CTRL_CCM_SET_TAG:
1184                 if ((arg & 1) || arg < 4 || arg > 16)
1185                         return 0;
1186                 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1187                         return 0;
1188                 if (ptr)
1189                         {
1190                         cctx->tag_set = 1;
1191                         memcpy(c->buf, ptr, arg);
1192                         }
1193                 cctx->M = arg;
1194                 return 1;
1195
1196         case EVP_CTRL_CCM_GET_TAG:
1197                 if (!c->encrypt || !cctx->tag_set)
1198                         return 0;
1199                 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1200                         return 0;
1201                 cctx->tag_set = 0;
1202                 cctx->iv_set = 0;
1203                 cctx->len_set = 0;
1204                 return 1;
1205
1206         default:
1207                 return -1;
1208
1209                 }
1210         }
1211
1212 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1213                         const unsigned char *iv, int enc)
1214         {
1215         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1216         if (!iv && !key)
1217                 return 1;
1218         if (key)
1219                 {
1220                 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
1221                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1222                                         &cctx->ks, (block128_f)AES_encrypt);
1223                 cctx->key_set = 1;
1224                 }
1225         if (iv)
1226                 {
1227                 memcpy(ctx->iv, iv, 15 - cctx->L);
1228                 cctx->iv_set = 1;
1229                 }
1230         return 1;
1231         }
1232
1233 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1234                 const unsigned char *in, size_t len)
1235         {
1236         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1237         CCM128_CONTEXT *ccm = &cctx->ccm;
1238         /* If not set up, return error */
1239         if (!cctx->iv_set && !cctx->key_set)
1240                 return -1;
1241         if (!ctx->encrypt && !cctx->tag_set)
1242                 return -1;
1243         if (!out)
1244                 {
1245                 if (!in)
1246                         {
1247                         if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
1248                                 return -1;
1249                         cctx->len_set = 1;
1250                         return len;
1251                         }
1252                 /* If have AAD need message length */
1253                 if (!cctx->len_set && len)
1254                         return -1;
1255                 CRYPTO_ccm128_aad(ccm, in, len);
1256                 return len;
1257                 }
1258         /* EVP_*Final() doesn't return any data */
1259         if (!in)
1260                 return 0;
1261         /* If not set length yet do it */
1262         if (!cctx->len_set)
1263                 {
1264                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1265                         return -1;
1266                 cctx->len_set = 1;
1267                 }
1268         if (ctx->encrypt)
1269                 {
1270                 if (CRYPTO_ccm128_encrypt(ccm, in, out, len))
1271                         return -1;
1272                 cctx->tag_set = 1;
1273                 return len;
1274                 }
1275         else
1276                 {
1277                 int rv = -1;
1278                 if (!CRYPTO_ccm128_decrypt(ccm, in, out, len))
1279                         {
1280                         unsigned char tag[16];
1281                         if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
1282                                 {
1283                                 if (!memcmp(tag, ctx->buf, cctx->M))
1284                                         rv = len;
1285                                 }
1286                         }
1287                 if (rv == -1)
1288                         OPENSSL_cleanse(out, len);
1289                 cctx->iv_set = 0;
1290                 cctx->tag_set = 0;
1291                 cctx->len_set = 0;
1292                 return rv;
1293                 }
1294
1295         }
1296
1297 #define aes_ccm_cleanup NULL
1298
1299 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1300 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1301 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1302
1303 #endif