Add basic aria and camellia ciphers modes to default provider
authorShane Lontis <shane.lontis@oracle.com>
Thu, 22 Aug 2019 01:42:54 +0000 (11:42 +1000)
committerShane Lontis <shane.lontis@oracle.com>
Thu, 22 Aug 2019 01:42:54 +0000 (11:42 +1000)
The aes code has been refactored into generic and algorithn specific parts,
so that most of the code can be shared.
The cipher related files have been broken up into smaller parts.
Add chunked variant of mode ciphers - aria uses this (many other ciphers will use this new code instead of the
generic code used by aes).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9451)

57 files changed:
crypto/evp/e_aes.c
crypto/evp/e_camellia.c
crypto/evp/evp_enc.c
crypto/include/internal/aes_platform.h [deleted file]
crypto/include/internal/ciphermode_platform.h [new file with mode: 0644]
providers/common/ciphers/aes.c [deleted file]
providers/common/ciphers/aes_basic.c [deleted file]
providers/common/ciphers/aes_ccm_s390x.c [deleted file]
providers/common/ciphers/block.c
providers/common/ciphers/build.info
providers/common/ciphers/ccm.c [deleted file]
providers/common/ciphers/ccm_hw.c [deleted file]
providers/common/ciphers/cipher_aes.c [new file with mode: 0644]
providers/common/ciphers/cipher_aes.h [new file with mode: 0644]
providers/common/ciphers/cipher_aes_ccm.c [new file with mode: 0644]
providers/common/ciphers/cipher_aes_ccm_hw_aesni.inc [new file with mode: 0644]
providers/common/ciphers/cipher_aes_ccm_hw_s390x.inc [new file with mode: 0644]
providers/common/ciphers/cipher_aes_ccm_hw_t4.inc [new file with mode: 0644]
providers/common/ciphers/cipher_aes_gcm.c [new file with mode: 0644]
providers/common/ciphers/cipher_aes_gcm_hw_aesni.inc [new file with mode: 0644]
providers/common/ciphers/cipher_aes_gcm_hw_s390x.inc [new file with mode: 0644]
providers/common/ciphers/cipher_aes_gcm_hw_t4.inc [new file with mode: 0644]
providers/common/ciphers/cipher_aes_hw.c [new file with mode: 0644]
providers/common/ciphers/cipher_aes_hw_aesni.inc [new file with mode: 0644]
providers/common/ciphers/cipher_aes_hw_s390x.inc [new file with mode: 0644]
providers/common/ciphers/cipher_aes_hw_t4.inc [new file with mode: 0644]
providers/common/ciphers/cipher_aria.c [new file with mode: 0644]
providers/common/ciphers/cipher_aria.h [new file with mode: 0644]
providers/common/ciphers/cipher_aria_ccm.c [new file with mode: 0644]
providers/common/ciphers/cipher_aria_ccm_hw.inc [new file with mode: 0644]
providers/common/ciphers/cipher_aria_gcm.c [new file with mode: 0644]
providers/common/ciphers/cipher_aria_gcm_hw.inc [new file with mode: 0644]
providers/common/ciphers/cipher_aria_hw.c [new file with mode: 0644]
providers/common/ciphers/cipher_camellia.c [new file with mode: 0644]
providers/common/ciphers/cipher_camellia.h [new file with mode: 0644]
providers/common/ciphers/cipher_camellia_hw.c [new file with mode: 0644]
providers/common/ciphers/cipher_camellia_hw_t4.inc [new file with mode: 0644]
providers/common/ciphers/cipher_ccm.c [new file with mode: 0644]
providers/common/ciphers/cipher_ccm.h [new file with mode: 0644]
providers/common/ciphers/cipher_ccm_hw.c [new file with mode: 0644]
providers/common/ciphers/cipher_common.c [new file with mode: 0644]
providers/common/ciphers/cipher_common_hw.c [new file with mode: 0644]
providers/common/ciphers/cipher_gcm.c [new file with mode: 0644]
providers/common/ciphers/cipher_gcm.h [new file with mode: 0644]
providers/common/ciphers/cipher_gcm_hw.c [new file with mode: 0644]
providers/common/ciphers/cipher_locl.h [new file with mode: 0644]
providers/common/ciphers/ciphers_ccm.h [deleted file]
providers/common/ciphers/ciphers_common.c [deleted file]
providers/common/ciphers/ciphers_gcm.h [deleted file]
providers/common/ciphers/ciphers_locl.h [deleted file]
providers/common/ciphers/gcm.c [deleted file]
providers/common/ciphers/gcm_hw.c [deleted file]
providers/common/ciphers/gcm_s390x.c [deleted file]
providers/common/include/internal/provider_algs.h
providers/common/include/internal/providercommonerr.h
providers/default/defltprov.c
test/recipes/30-test_evp_data/evpciph.txt

index a46ac8f92f68d52add9943ff7ef888b5f485f124..39ed5280602cc683716295bc97503f199202b454 100644 (file)
@@ -20,7 +20,7 @@
 #include "internal/cryptlib.h"
 #include "internal/modes_int.h"
 #include "internal/siv_int.h"
-#include "internal/aes_platform.h"
+#include "internal/ciphermode_platform.h"
 #include "evp_locl.h"
 
 typedef struct {
index 9def167bfa25461e3b7035db1432392b2a98b4a9..5e66101422f5d44945af5907fc100b3ca167e0df 100644 (file)
@@ -19,6 +19,7 @@ NON_EMPTY_TRANSLATION_UNIT
 # include <openssl/camellia.h>
 # include "internal/evp_int.h"
 # include "internal/modes_int.h"
+# include "internal/ciphermode_platform.h"
 
 static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                              const unsigned char *iv, int enc);
@@ -43,34 +44,6 @@ typedef struct {
  * assembler support was in general requested... */
 #  include "sparc_arch.h"
 
-extern unsigned int OPENSSL_sparcv9cap_P[];
-
-#  define SPARC_CMLL_CAPABLE      (OPENSSL_sparcv9cap_P[1] & CFR_CAMELLIA)
-
-void cmll_t4_set_key(const unsigned char *key, int bits, CAMELLIA_KEY *ks);
-void cmll_t4_encrypt(const unsigned char *in, unsigned char *out,
-                     const CAMELLIA_KEY *key);
-void cmll_t4_decrypt(const unsigned char *in, unsigned char *out,
-                     const CAMELLIA_KEY *key);
-
-void cmll128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
-                            size_t len, const CAMELLIA_KEY *key,
-                            unsigned char *ivec);
-void cmll128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
-                            size_t len, const CAMELLIA_KEY *key,
-                            unsigned char *ivec);
-void cmll256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
-                            size_t len, const CAMELLIA_KEY *key,
-                            unsigned char *ivec);
-void cmll256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
-                            size_t len, const CAMELLIA_KEY *key,
-                            unsigned char *ivec);
-void cmll128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
-                              size_t blocks, const CAMELLIA_KEY *key,
-                              unsigned char *ivec);
-void cmll256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
-                              size_t blocks, const CAMELLIA_KEY *key,
-                              unsigned char *ivec);
 
 static int cmll_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                             const unsigned char *iv, int enc)
index 51a6423c825dc886ce841d9eb9f9b62b6b8a61aa..e67e20c7bae69e50e279773d1e1ac8c91d706b01 100644 (file)
@@ -175,6 +175,48 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
         case NID_aria_256_ccm:
         case NID_aria_192_ccm:
         case NID_aria_128_ccm:
+        case NID_aria_256_ecb:
+        case NID_aria_192_ecb:
+        case NID_aria_128_ecb:
+        case NID_aria_256_cbc:
+        case NID_aria_192_cbc:
+        case NID_aria_128_cbc:
+        case NID_aria_256_ofb128:
+        case NID_aria_192_ofb128:
+        case NID_aria_128_ofb128:
+        case NID_aria_256_cfb128:
+        case NID_aria_192_cfb128:
+        case NID_aria_128_cfb128:
+        case NID_aria_256_cfb1:
+        case NID_aria_192_cfb1:
+        case NID_aria_128_cfb1:
+        case NID_aria_256_cfb8:
+        case NID_aria_192_cfb8:
+        case NID_aria_128_cfb8:
+        case NID_aria_256_ctr:
+        case NID_aria_192_ctr:
+        case NID_aria_128_ctr:
+        case NID_camellia_256_ecb:
+        case NID_camellia_192_ecb:
+        case NID_camellia_128_ecb:
+        case NID_camellia_256_cbc:
+        case NID_camellia_192_cbc:
+        case NID_camellia_128_cbc:
+        case NID_camellia_256_ofb128:
+        case NID_camellia_192_ofb128:
+        case NID_camellia_128_ofb128:
+        case NID_camellia_256_cfb128:
+        case NID_camellia_192_cfb128:
+        case NID_camellia_128_cfb128:
+        case NID_camellia_256_cfb1:
+        case NID_camellia_192_cfb1:
+        case NID_camellia_128_cfb1:
+        case NID_camellia_256_cfb8:
+        case NID_camellia_192_cfb8:
+        case NID_camellia_128_cfb8:
+        case NID_camellia_256_ctr:
+        case NID_camellia_192_ctr:
+        case NID_camellia_128_ctr:
             break;
         default:
             goto legacy;
diff --git a/crypto/include/internal/aes_platform.h b/crypto/include/internal/aes_platform.h
deleted file mode 100644 (file)
index 26d9fdd..0000000
+++ /dev/null
@@ -1,401 +0,0 @@
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef HEADER_INTERNAL_AES_PLATFORM_H
-# define HEADER_INTERNAL_AES_PLATFORM_H
-
-# ifdef VPAES_ASM
-int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
-                          AES_KEY *key);
-int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
-                          AES_KEY *key);
-void vpaes_encrypt(const unsigned char *in, unsigned char *out,
-                   const AES_KEY *key);
-void vpaes_decrypt(const unsigned char *in, unsigned char *out,
-                   const AES_KEY *key);
-void vpaes_cbc_encrypt(const unsigned char *in,
-                       unsigned char *out,
-                       size_t length,
-                       const AES_KEY *key, unsigned char *ivec, int enc);
-# endif /* VPAES_ASM */
-
-# ifdef BSAES_ASM
-void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
-                       size_t length, const AES_KEY *key,
-                       unsigned char ivec[16], int enc);
-void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
-                                size_t len, const AES_KEY *key,
-                                const unsigned char ivec[16]);
-void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
-                       size_t len, const AES_KEY *key1,
-                       const AES_KEY *key2, const unsigned char iv[16]);
-void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
-                       size_t len, const AES_KEY *key1,
-                       const AES_KEY *key2, const unsigned char iv[16]);
-# endif /* BSAES_ASM */
-
-# ifdef AES_CTR_ASM
-void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
-                       size_t blocks, const AES_KEY *key,
-                       const unsigned char ivec[AES_BLOCK_SIZE]);
-# endif /*  AES_CTR_ASM */
-
-# ifdef AES_XTS_ASM
-void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
-                     const AES_KEY *key1, const AES_KEY *key2,
-                     const unsigned char iv[16]);
-void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
-                     const AES_KEY *key1, const AES_KEY *key2,
-                     const unsigned char iv[16]);
-# endif /* AES_XTS_ASM */
-
-# if defined(OPENSSL_CPUID_OBJ)
-#  if (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
-#   include "ppc_arch.h"
-#   ifdef VPAES_ASM
-#    define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
-#   endif
-#   define HWAES_CAPABLE  (OPENSSL_ppccap_P & PPC_CRYPTO207)
-#   define HWAES_set_encrypt_key aes_p8_set_encrypt_key
-#   define HWAES_set_decrypt_key aes_p8_set_decrypt_key
-#   define HWAES_encrypt aes_p8_encrypt
-#   define HWAES_decrypt aes_p8_decrypt
-#   define HWAES_cbc_encrypt aes_p8_cbc_encrypt
-#   define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
-#   define HWAES_xts_encrypt aes_p8_xts_encrypt
-#   define HWAES_xts_decrypt aes_p8_xts_decrypt
-#  endif /* PPC */
-
-#  if (defined(__arm__) || defined(__arm) || defined(__aarch64__))
-#   include "arm_arch.h"
-#   if __ARM_MAX_ARCH__>=7
-#    if defined(BSAES_ASM)
-#     define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
-#    endif
-#    if defined(VPAES_ASM)
-#     define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
-#    endif
-#    define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
-#    define HWAES_set_encrypt_key aes_v8_set_encrypt_key
-#    define HWAES_set_decrypt_key aes_v8_set_decrypt_key
-#    define HWAES_encrypt aes_v8_encrypt
-#    define HWAES_decrypt aes_v8_decrypt
-#    define HWAES_cbc_encrypt aes_v8_cbc_encrypt
-#    define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
-#   endif
-#  endif
-# endif /* OPENSSL_CPUID_OBJ */
-
-# if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
-         ((defined(__i386)       || defined(__i386__)    || \
-           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
-         defined(__x86_64)       || defined(__x86_64__)  || \
-         defined(_M_AMD64)       || defined(_M_X64)      )
-
-/* AES-NI section */
-extern unsigned int OPENSSL_ia32cap_P[];
-
-#  define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
-#  ifdef VPAES_ASM
-#   define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
-#  endif
-#  ifdef BSAES_ASM
-#   define BSAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
-#  endif
-
-int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
-                          AES_KEY *key);
-int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
-                          AES_KEY *key);
-
-void aesni_encrypt(const unsigned char *in, unsigned char *out,
-                   const AES_KEY *key);
-void aesni_decrypt(const unsigned char *in, unsigned char *out,
-                   const AES_KEY *key);
-
-void aesni_ecb_encrypt(const unsigned char *in,
-                       unsigned char *out,
-                       size_t length, const AES_KEY *key, int enc);
-void aesni_cbc_encrypt(const unsigned char *in,
-                       unsigned char *out,
-                       size_t length,
-                       const AES_KEY *key, unsigned char *ivec, int enc);
-#  ifndef OPENSSL_NO_OCB
-void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out,
-                       size_t blocks, const void *key,
-                       size_t start_block_num,
-                       unsigned char offset_i[16],
-                       const unsigned char L_[][16],
-                       unsigned char checksum[16]);
-void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out,
-                       size_t blocks, const void *key,
-                       size_t start_block_num,
-                       unsigned char offset_i[16],
-                       const unsigned char L_[][16],
-                       unsigned char checksum[16]);
-#  endif /* OPENSSL_NO_OCB */
-
-void aesni_ctr32_encrypt_blocks(const unsigned char *in,
-                                unsigned char *out,
-                                size_t blocks,
-                                const void *key, const unsigned char *ivec);
-
-void aesni_xts_encrypt(const unsigned char *in,
-                       unsigned char *out,
-                       size_t length,
-                       const AES_KEY *key1, const AES_KEY *key2,
-                       const unsigned char iv[16]);
-
-void aesni_xts_decrypt(const unsigned char *in,
-                       unsigned char *out,
-                       size_t length,
-                       const AES_KEY *key1, const AES_KEY *key2,
-                       const unsigned char iv[16]);
-
-void aesni_ccm64_encrypt_blocks(const unsigned char *in,
-                                unsigned char *out,
-                                size_t blocks,
-                                const void *key,
-                                const unsigned char ivec[16],
-                                unsigned char cmac[16]);
-
-void aesni_ccm64_decrypt_blocks(const unsigned char *in,
-                                unsigned char *out,
-                                size_t blocks,
-                                const void *key,
-                                const unsigned char ivec[16],
-                                unsigned char cmac[16]);
-
-#  if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
-size_t aesni_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len,
-                         const void *key, unsigned char ivec[16], u64 *Xi);
-size_t aesni_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len,
-                         const void *key, unsigned char ivec[16], u64 *Xi);
-void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in, size_t len);
-
-#   define AES_GCM_ASM(ctx)    (ctx->ctr == aesni_ctr32_encrypt_blocks && \
-                                ctx->gcm.ghash == gcm_ghash_avx)
-#  endif
-
-
-# elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
-
-/* Fujitsu SPARC64 X support */
-extern unsigned int OPENSSL_sparcv9cap_P[];
-#  include "sparc_arch.h"
-#  define SPARC_AES_CAPABLE       (OPENSSL_sparcv9cap_P[1] & CFR_AES)
-#  define HWAES_CAPABLE           (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
-#  define HWAES_set_encrypt_key aes_fx_set_encrypt_key
-#  define HWAES_set_decrypt_key aes_fx_set_decrypt_key
-#  define HWAES_encrypt aes_fx_encrypt
-#  define HWAES_decrypt aes_fx_decrypt
-#  define HWAES_cbc_encrypt aes_fx_cbc_encrypt
-#  define HWAES_ctr32_encrypt_blocks aes_fx_ctr32_encrypt_blocks
-
-void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
-void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
-void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
-                    const AES_KEY *key);
-void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
-                    const AES_KEY *key);
-/*
- * Key-length specific subroutines were chosen for following reason.
- * Each SPARC T4 core can execute up to 8 threads which share core's
- * resources. Loading as much key material to registers allows to
- * minimize references to shared memory interface, as well as amount
- * of instructions in inner loops [much needed on T4]. But then having
- * non-key-length specific routines would require conditional branches
- * either in inner loops or on subroutines' entries. Former is hardly
- * acceptable, while latter means code size increase to size occupied
- * by multiple key-length specific subroutines, so why fight?
- */
-void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
-                           size_t len, const AES_KEY *key,
-                           unsigned char *ivec);
-void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
-                           size_t len, const AES_KEY *key,
-                           unsigned char *ivec);
-void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
-                           size_t len, const AES_KEY *key,
-                           unsigned char *ivec);
-void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
-                           size_t len, const AES_KEY *key,
-                           unsigned char *ivec);
-void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
-                           size_t len, const AES_KEY *key,
-                           unsigned char *ivec);
-void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
-                           size_t len, const AES_KEY *key,
-                           unsigned char *ivec);
-void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
-                             size_t blocks, const AES_KEY *key,
-                             unsigned char *ivec);
-void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
-                             size_t blocks, const AES_KEY *key,
-                             unsigned char *ivec);
-void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
-                             size_t blocks, const AES_KEY *key,
-                             unsigned char *ivec);
-void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
-                           size_t blocks, const AES_KEY *key1,
-                           const AES_KEY *key2, const unsigned char *ivec);
-void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
-                           size_t blocks, const AES_KEY *key1,
-                           const AES_KEY *key2, const unsigned char *ivec);
-void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
-                           size_t blocks, const AES_KEY *key1,
-                           const AES_KEY *key2, const unsigned char *ivec);
-void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
-                           size_t blocks, const AES_KEY *key1,
-                           const AES_KEY *key2, const unsigned char *ivec);
-
-# elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-/* IBM S390X support */
-#  include "s390x_arch.h"
-
-
-/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
-#  define S390X_AES_FC(keylen)  (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
-
-/* Most modes of operation need km for partial block processing. */
-#  define S390X_aes_128_CAPABLE (OPENSSL_s390xcap_P.km[0] &  \
-                                S390X_CAPBIT(S390X_AES_128))
-#  define S390X_aes_192_CAPABLE (OPENSSL_s390xcap_P.km[0] &  \
-                                S390X_CAPBIT(S390X_AES_192))
-#  define S390X_aes_256_CAPABLE (OPENSSL_s390xcap_P.km[0] &  \
-                                S390X_CAPBIT(S390X_AES_256))
-
-#  define S390X_aes_128_cbc_CAPABLE     1       /* checked by callee */
-#  define S390X_aes_192_cbc_CAPABLE     1
-#  define S390X_aes_256_cbc_CAPABLE     1
-
-#  define S390X_aes_128_ecb_CAPABLE     S390X_aes_128_CAPABLE
-#  define S390X_aes_192_ecb_CAPABLE     S390X_aes_192_CAPABLE
-#  define S390X_aes_256_ecb_CAPABLE     S390X_aes_256_CAPABLE
-
-#  define S390X_aes_128_ofb_CAPABLE (S390X_aes_128_CAPABLE &&           \
-                                    (OPENSSL_s390xcap_P.kmo[0] &        \
-                                     S390X_CAPBIT(S390X_AES_128)))
-#  define S390X_aes_192_ofb_CAPABLE (S390X_aes_192_CAPABLE &&           \
-                                    (OPENSSL_s390xcap_P.kmo[0] &        \
-                                     S390X_CAPBIT(S390X_AES_192)))
-#  define S390X_aes_256_ofb_CAPABLE (S390X_aes_256_CAPABLE &&           \
-                                    (OPENSSL_s390xcap_P.kmo[0] &        \
-                                     S390X_CAPBIT(S390X_AES_256)))
-
-#  define S390X_aes_128_cfb_CAPABLE (S390X_aes_128_CAPABLE &&           \
-                                    (OPENSSL_s390xcap_P.kmf[0] &        \
-                                     S390X_CAPBIT(S390X_AES_128)))
-#  define S390X_aes_192_cfb_CAPABLE (S390X_aes_192_CAPABLE &&           \
-                                    (OPENSSL_s390xcap_P.kmf[0] &        \
-                                     S390X_CAPBIT(S390X_AES_192)))
-#  define S390X_aes_256_cfb_CAPABLE (S390X_aes_256_CAPABLE &&           \
-                                    (OPENSSL_s390xcap_P.kmf[0] &        \
-                                     S390X_CAPBIT(S390X_AES_256)))
-#  define S390X_aes_128_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] &       \
-                                     S390X_CAPBIT(S390X_AES_128))
-#  define S390X_aes_192_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] &       \
-                                     S390X_CAPBIT(S390X_AES_192))
-#  define S390X_aes_256_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] &       \
-                                     S390X_CAPBIT(S390X_AES_256))
-#  define S390X_aes_128_cfb1_CAPABLE    0
-#  define S390X_aes_192_cfb1_CAPABLE    0
-#  define S390X_aes_256_cfb1_CAPABLE    0
-
-#  define S390X_aes_128_ctr_CAPABLE     1       /* checked by callee */
-#  define S390X_aes_192_ctr_CAPABLE     1
-#  define S390X_aes_256_ctr_CAPABLE     1
-
-#  define S390X_aes_128_xts_CAPABLE     1       /* checked by callee */
-#  define S390X_aes_256_xts_CAPABLE     1
-
-# define S390X_aes_128_gcm_CAPABLE (S390X_aes_128_CAPABLE &&        \
-                                    (OPENSSL_s390xcap_P.kma[0] &    \
-                                     S390X_CAPBIT(S390X_AES_128)))
-# define S390X_aes_192_gcm_CAPABLE (S390X_aes_192_CAPABLE &&        \
-                                    (OPENSSL_s390xcap_P.kma[0] &    \
-                                     S390X_CAPBIT(S390X_AES_192)))
-# define S390X_aes_256_gcm_CAPABLE (S390X_aes_256_CAPABLE &&        \
-                                    (OPENSSL_s390xcap_P.kma[0] &    \
-                                     S390X_CAPBIT(S390X_AES_256)))
-
-#  define S390X_aes_128_ccm_CAPABLE (S390X_aes_128_CAPABLE &&       \
-                                    (OPENSSL_s390xcap_P.kmac[0] &   \
-                                     S390X_CAPBIT(S390X_AES_128)))
-#  define S390X_aes_192_ccm_CAPABLE (S390X_aes_192_CAPABLE &&       \
-                                    (OPENSSL_s390xcap_P.kmac[0] &   \
-                                     S390X_CAPBIT(S390X_AES_192)))
-#  define S390X_aes_256_ccm_CAPABLE (S390X_aes_256_CAPABLE &&       \
-                                    (OPENSSL_s390xcap_P.kmac[0] &   \
-                                     S390X_CAPBIT(S390X_AES_256)))
-#  define S390X_CCM_AAD_FLAG    0x40
-
-#  ifndef OPENSSL_NO_OCB
-#   define S390X_aes_128_ocb_CAPABLE    0
-#   define S390X_aes_192_ocb_CAPABLE    0
-#   define S390X_aes_256_ocb_CAPABLE    0
-#  endif /* OPENSSL_NO_OCB */
-
-#  ifndef OPENSSL_NO_SIV
-#   define S390X_aes_128_siv_CAPABLE    0
-#   define S390X_aes_192_siv_CAPABLE    0
-#   define S390X_aes_256_siv_CAPABLE    0
-#  endif /* OPENSSL_NO_SIV */
-
-/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
-#  define S390X_AES_FC(keylen)  (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
-# endif
-
-# if defined(HWAES_CAPABLE)
-int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
-                          AES_KEY *key);
-int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
-                          AES_KEY *key);
-void HWAES_encrypt(const unsigned char *in, unsigned char *out,
-                   const AES_KEY *key);
-void HWAES_decrypt(const unsigned char *in, unsigned char *out,
-                   const AES_KEY *key);
-void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
-                       size_t length, const AES_KEY *key,
-                       unsigned char *ivec, const int enc);
-void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
-                                size_t len, const AES_KEY *key,
-                                const unsigned char ivec[16]);
-void HWAES_xts_encrypt(const unsigned char *inp, unsigned char *out,
-                       size_t len, const AES_KEY *key1,
-                       const AES_KEY *key2, const unsigned char iv[16]);
-void HWAES_xts_decrypt(const unsigned char *inp, unsigned char *out,
-                       size_t len, const AES_KEY *key1,
-                       const AES_KEY *key2, const unsigned char iv[16]);
-#  ifndef OPENSSL_NO_OCB
-#   ifdef HWAES_ocb_encrypt
-void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out,
-                       size_t blocks, const void *key,
-                       size_t start_block_num,
-                       unsigned char offset_i[16],
-                       const unsigned char L_[][16],
-                       unsigned char checksum[16]);
-#   else
-#     define HWAES_ocb_encrypt ((ocb128_f)NULL)
-#   endif
-#   ifdef HWAES_ocb_decrypt
-void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out,
-                       size_t blocks, const void *key,
-                       size_t start_block_num,
-                       unsigned char offset_i[16],
-                       const unsigned char L_[][16],
-                       unsigned char checksum[16]);
-#   else
-#     define HWAES_ocb_decrypt ((ocb128_f)NULL)
-#   endif
-#  endif /* OPENSSL_NO_OCB */
-
-# endif /* HWAES_CAPABLE */
-
-#endif /* HEADER_INTERNAL_AES_PLATFORM_H */
diff --git a/crypto/include/internal/ciphermode_platform.h b/crypto/include/internal/ciphermode_platform.h
new file mode 100644 (file)
index 0000000..934d813
--- /dev/null
@@ -0,0 +1,434 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_INTERNAL_CIPHERMODE_PLATFORM_H
+# define HEADER_INTERNAL_CIPHERMODE_PLATFORM_H
+
+# include "openssl/aes.h"
+
+# ifdef VPAES_ASM
+int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+void vpaes_encrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+void vpaes_decrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+void vpaes_cbc_encrypt(const unsigned char *in,
+                       unsigned char *out,
+                       size_t length,
+                       const AES_KEY *key, unsigned char *ivec, int enc);
+# endif /* VPAES_ASM */
+
+# ifdef BSAES_ASM
+void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t length, const AES_KEY *key,
+                       unsigned char ivec[16], int enc);
+void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+                                size_t len, const AES_KEY *key,
+                                const unsigned char ivec[16]);
+void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
+                       size_t len, const AES_KEY *key1,
+                       const AES_KEY *key2, const unsigned char iv[16]);
+void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
+                       size_t len, const AES_KEY *key1,
+                       const AES_KEY *key2, const unsigned char iv[16]);
+# endif /* BSAES_ASM */
+
+# ifdef AES_CTR_ASM
+void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t blocks, const AES_KEY *key,
+                       const unsigned char ivec[AES_BLOCK_SIZE]);
+# endif /*  AES_CTR_ASM */
+
+# ifdef AES_XTS_ASM
+void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
+                     const AES_KEY *key1, const AES_KEY *key2,
+                     const unsigned char iv[16]);
+void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
+                     const AES_KEY *key1, const AES_KEY *key2,
+                     const unsigned char iv[16]);
+# endif /* AES_XTS_ASM */
+
+# if defined(OPENSSL_CPUID_OBJ)
+#  if (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
+#   include "ppc_arch.h"
+#   ifdef VPAES_ASM
+#    define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
+#   endif
+#   define HWAES_CAPABLE  (OPENSSL_ppccap_P & PPC_CRYPTO207)
+#   define HWAES_set_encrypt_key aes_p8_set_encrypt_key
+#   define HWAES_set_decrypt_key aes_p8_set_decrypt_key
+#   define HWAES_encrypt aes_p8_encrypt
+#   define HWAES_decrypt aes_p8_decrypt
+#   define HWAES_cbc_encrypt aes_p8_cbc_encrypt
+#   define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
+#   define HWAES_xts_encrypt aes_p8_xts_encrypt
+#   define HWAES_xts_decrypt aes_p8_xts_decrypt
+#  endif /* PPC */
+
+#  if (defined(__arm__) || defined(__arm) || defined(__aarch64__))
+#   include "arm_arch.h"
+#   if __ARM_MAX_ARCH__>=7
+#    if defined(BSAES_ASM)
+#     define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
+#    endif
+#    if defined(VPAES_ASM)
+#     define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
+#    endif
+#    define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
+#    define HWAES_set_encrypt_key aes_v8_set_encrypt_key
+#    define HWAES_set_decrypt_key aes_v8_set_decrypt_key
+#    define HWAES_encrypt aes_v8_encrypt
+#    define HWAES_decrypt aes_v8_decrypt
+#    define HWAES_cbc_encrypt aes_v8_cbc_encrypt
+#    define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
+#   endif
+#  endif
+# endif /* OPENSSL_CPUID_OBJ */
+
+# if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
+         ((defined(__i386)       || defined(__i386__)    || \
+           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
+         defined(__x86_64)       || defined(__x86_64__)  || \
+         defined(_M_AMD64)       || defined(_M_X64)      )
+
+/* AES-NI section */
+extern unsigned int OPENSSL_ia32cap_P[];
+
+#  define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
+#  ifdef VPAES_ASM
+#   define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
+#  endif
+#  ifdef BSAES_ASM
+#   define BSAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
+#  endif
+
+int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+
+void aesni_encrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+void aesni_decrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+
+void aesni_ecb_encrypt(const unsigned char *in,
+                       unsigned char *out,
+                       size_t length, const AES_KEY *key, int enc);
+void aesni_cbc_encrypt(const unsigned char *in,
+                       unsigned char *out,
+                       size_t length,
+                       const AES_KEY *key, unsigned char *ivec, int enc);
+#  ifndef OPENSSL_NO_OCB
+void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t blocks, const void *key,
+                       size_t start_block_num,
+                       unsigned char offset_i[16],
+                       const unsigned char L_[][16],
+                       unsigned char checksum[16]);
+void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out,
+                       size_t blocks, const void *key,
+                       size_t start_block_num,
+                       unsigned char offset_i[16],
+                       const unsigned char L_[][16],
+                       unsigned char checksum[16]);
+#  endif /* OPENSSL_NO_OCB */
+
+void aesni_ctr32_encrypt_blocks(const unsigned char *in,
+                                unsigned char *out,
+                                size_t blocks,
+                                const void *key, const unsigned char *ivec);
+
+void aesni_xts_encrypt(const unsigned char *in,
+                       unsigned char *out,
+                       size_t length,
+                       const AES_KEY *key1, const AES_KEY *key2,
+                       const unsigned char iv[16]);
+
+void aesni_xts_decrypt(const unsigned char *in,
+                       unsigned char *out,
+                       size_t length,
+                       const AES_KEY *key1, const AES_KEY *key2,
+                       const unsigned char iv[16]);
+
+void aesni_ccm64_encrypt_blocks(const unsigned char *in,
+                                unsigned char *out,
+                                size_t blocks,
+                                const void *key,
+                                const unsigned char ivec[16],
+                                unsigned char cmac[16]);
+
+void aesni_ccm64_decrypt_blocks(const unsigned char *in,
+                                unsigned char *out,
+                                size_t blocks,
+                                const void *key,
+                                const unsigned char ivec[16],
+                                unsigned char cmac[16]);
+
+#  if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
+size_t aesni_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len,
+                         const void *key, unsigned char ivec[16], u64 *Xi);
+size_t aesni_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len,
+                         const void *key, unsigned char ivec[16], u64 *Xi);
+void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in, size_t len);
+
+#   define AES_GCM_ASM(ctx)    (ctx->ctr == aesni_ctr32_encrypt_blocks && \
+                                ctx->gcm.ghash == gcm_ghash_avx)
+#  endif
+
+
+# elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
+
+/* Fujitsu SPARC64 X support */
+extern unsigned int OPENSSL_sparcv9cap_P[];
+#  include "sparc_arch.h"
+
+#  ifndef OPENSSL_NO_CAMELLIA
+#   define SPARC_CMLL_CAPABLE      (OPENSSL_sparcv9cap_P[1] & CFR_CAMELLIA)
+
+void cmll_t4_set_key(const unsigned char *key, int bits, CAMELLIA_KEY *ks);
+void cmll_t4_encrypt(const unsigned char *in, unsigned char *out,
+                     const CAMELLIA_KEY *key);
+void cmll_t4_decrypt(const unsigned char *in, unsigned char *out,
+                     const CAMELLIA_KEY *key);
+
+void cmll128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                            size_t len, const CAMELLIA_KEY *key,
+                            unsigned char *ivec);
+void cmll128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+                            size_t len, const CAMELLIA_KEY *key,
+                            unsigned char *ivec);
+void cmll256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                            size_t len, const CAMELLIA_KEY *key,
+                            unsigned char *ivec);
+void cmll256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+                            size_t len, const CAMELLIA_KEY *key,
+                            unsigned char *ivec);
+void cmll128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+                              size_t blocks, const CAMELLIA_KEY *key,
+                              unsigned char *ivec);
+void cmll256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+                              size_t blocks, const CAMELLIA_KEY *key,
+                              unsigned char *ivec);
+#  endif /* OPENSSL_NO_CAMELLIA */
+
+
+#  define SPARC_AES_CAPABLE       (OPENSSL_sparcv9cap_P[1] & CFR_AES)
+#  define HWAES_CAPABLE           (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
+#  define HWAES_set_encrypt_key aes_fx_set_encrypt_key
+#  define HWAES_set_decrypt_key aes_fx_set_decrypt_key
+#  define HWAES_encrypt aes_fx_encrypt
+#  define HWAES_decrypt aes_fx_decrypt
+#  define HWAES_cbc_encrypt aes_fx_cbc_encrypt
+#  define HWAES_ctr32_encrypt_blocks aes_fx_ctr32_encrypt_blocks
+
+void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
+void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
+void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
+                    const AES_KEY *key);
+void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
+                    const AES_KEY *key);
+/*
+ * Key-length specific subroutines were chosen for following reason.
+ * Each SPARC T4 core can execute up to 8 threads which share core's
+ * resources. Loading as much key material to registers allows to
+ * minimize references to shared memory interface, as well as amount
+ * of instructions in inner loops [much needed on T4]. But then having
+ * non-key-length specific routines would require conditional branches
+ * either in inner loops or on subroutines' entries. Former is hardly
+ * acceptable, while latter means code size increase to size occupied
+ * by multiple key-length specific subroutines, so why fight?
+ */
+void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+                             size_t blocks, const AES_KEY *key,
+                             unsigned char *ivec);
+void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+                             size_t blocks, const AES_KEY *key,
+                             unsigned char *ivec);
+void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+                             size_t blocks, const AES_KEY *key,
+                             unsigned char *ivec);
+void aes128_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
+                           size_t blocks, const AES_KEY *key1,
+                           const AES_KEY *key2, const unsigned char *ivec);
+void aes128_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
+                           size_t blocks, const AES_KEY *key1,
+                           const AES_KEY *key2, const unsigned char *ivec);
+void aes256_t4_xts_encrypt(const unsigned char *in, unsigned char *out,
+                           size_t blocks, const AES_KEY *key1,
+                           const AES_KEY *key2, const unsigned char *ivec);
+void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
+                           size_t blocks, const AES_KEY *key1,
+                           const AES_KEY *key2, const unsigned char *ivec);
+
+# elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+/* IBM S390X support */
+#  include "s390x_arch.h"
+
+
+/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
+#  define S390X_AES_FC(keylen)  (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
+
+/* Most modes of operation need km for partial block processing. */
+#  define S390X_aes_128_CAPABLE (OPENSSL_s390xcap_P.km[0] &  \
+                                S390X_CAPBIT(S390X_AES_128))
+#  define S390X_aes_192_CAPABLE (OPENSSL_s390xcap_P.km[0] &  \
+                                S390X_CAPBIT(S390X_AES_192))
+#  define S390X_aes_256_CAPABLE (OPENSSL_s390xcap_P.km[0] &  \
+                                S390X_CAPBIT(S390X_AES_256))
+
+#  define S390X_aes_128_cbc_CAPABLE     1       /* checked by callee */
+#  define S390X_aes_192_cbc_CAPABLE     1
+#  define S390X_aes_256_cbc_CAPABLE     1
+
+#  define S390X_aes_128_ecb_CAPABLE     S390X_aes_128_CAPABLE
+#  define S390X_aes_192_ecb_CAPABLE     S390X_aes_192_CAPABLE
+#  define S390X_aes_256_ecb_CAPABLE     S390X_aes_256_CAPABLE
+
+#  define S390X_aes_128_ofb_CAPABLE (S390X_aes_128_CAPABLE &&           \
+                                    (OPENSSL_s390xcap_P.kmo[0] &        \
+                                     S390X_CAPBIT(S390X_AES_128)))
+#  define S390X_aes_192_ofb_CAPABLE (S390X_aes_192_CAPABLE &&           \
+                                    (OPENSSL_s390xcap_P.kmo[0] &        \
+                                     S390X_CAPBIT(S390X_AES_192)))
+#  define S390X_aes_256_ofb_CAPABLE (S390X_aes_256_CAPABLE &&           \
+                                    (OPENSSL_s390xcap_P.kmo[0] &        \
+                                     S390X_CAPBIT(S390X_AES_256)))
+
+#  define S390X_aes_128_cfb_CAPABLE (S390X_aes_128_CAPABLE &&           \
+                                    (OPENSSL_s390xcap_P.kmf[0] &        \
+                                     S390X_CAPBIT(S390X_AES_128)))
+#  define S390X_aes_192_cfb_CAPABLE (S390X_aes_192_CAPABLE &&           \
+                                    (OPENSSL_s390xcap_P.kmf[0] &        \
+                                     S390X_CAPBIT(S390X_AES_192)))
+#  define S390X_aes_256_cfb_CAPABLE (S390X_aes_256_CAPABLE &&           \
+                                    (OPENSSL_s390xcap_P.kmf[0] &        \
+                                     S390X_CAPBIT(S390X_AES_256)))
+#  define S390X_aes_128_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] &       \
+                                     S390X_CAPBIT(S390X_AES_128))
+#  define S390X_aes_192_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] &       \
+                                     S390X_CAPBIT(S390X_AES_192))
+#  define S390X_aes_256_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] &       \
+                                     S390X_CAPBIT(S390X_AES_256))
+#  define S390X_aes_128_cfb1_CAPABLE    0
+#  define S390X_aes_192_cfb1_CAPABLE    0
+#  define S390X_aes_256_cfb1_CAPABLE    0
+
+#  define S390X_aes_128_ctr_CAPABLE     1       /* checked by callee */
+#  define S390X_aes_192_ctr_CAPABLE     1
+#  define S390X_aes_256_ctr_CAPABLE     1
+
+#  define S390X_aes_128_xts_CAPABLE     1       /* checked by callee */
+#  define S390X_aes_256_xts_CAPABLE     1
+
+# define S390X_aes_128_gcm_CAPABLE (S390X_aes_128_CAPABLE &&        \
+                                    (OPENSSL_s390xcap_P.kma[0] &    \
+                                     S390X_CAPBIT(S390X_AES_128)))
+# define S390X_aes_192_gcm_CAPABLE (S390X_aes_192_CAPABLE &&        \
+                                    (OPENSSL_s390xcap_P.kma[0] &    \
+                                     S390X_CAPBIT(S390X_AES_192)))
+# define S390X_aes_256_gcm_CAPABLE (S390X_aes_256_CAPABLE &&        \
+                                    (OPENSSL_s390xcap_P.kma[0] &    \
+                                     S390X_CAPBIT(S390X_AES_256)))
+
+#  define S390X_aes_128_ccm_CAPABLE (S390X_aes_128_CAPABLE &&       \
+                                    (OPENSSL_s390xcap_P.kmac[0] &   \
+                                     S390X_CAPBIT(S390X_AES_128)))
+#  define S390X_aes_192_ccm_CAPABLE (S390X_aes_192_CAPABLE &&       \
+                                    (OPENSSL_s390xcap_P.kmac[0] &   \
+                                     S390X_CAPBIT(S390X_AES_192)))
+#  define S390X_aes_256_ccm_CAPABLE (S390X_aes_256_CAPABLE &&       \
+                                    (OPENSSL_s390xcap_P.kmac[0] &   \
+                                     S390X_CAPBIT(S390X_AES_256)))
+#  define S390X_CCM_AAD_FLAG    0x40
+
+#  ifndef OPENSSL_NO_OCB
+#   define S390X_aes_128_ocb_CAPABLE    0
+#   define S390X_aes_192_ocb_CAPABLE    0
+#   define S390X_aes_256_ocb_CAPABLE    0
+#  endif /* OPENSSL_NO_OCB */
+
+#  ifndef OPENSSL_NO_SIV
+#   define S390X_aes_128_siv_CAPABLE    0
+#   define S390X_aes_192_siv_CAPABLE    0
+#   define S390X_aes_256_siv_CAPABLE    0
+#  endif /* OPENSSL_NO_SIV */
+
+/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
+#  define S390X_AES_FC(keylen)  (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
+# endif
+
+# if defined(HWAES_CAPABLE)
+int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                          AES_KEY *key);
+int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                          AES_KEY *key);
+void HWAES_encrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+void HWAES_decrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t length, const AES_KEY *key,
+                       unsigned char *ivec, const int enc);
+void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+                                size_t len, const AES_KEY *key,
+                                const unsigned char ivec[16]);
+void HWAES_xts_encrypt(const unsigned char *inp, unsigned char *out,
+                       size_t len, const AES_KEY *key1,
+                       const AES_KEY *key2, const unsigned char iv[16]);
+void HWAES_xts_decrypt(const unsigned char *inp, unsigned char *out,
+                       size_t len, const AES_KEY *key1,
+                       const AES_KEY *key2, const unsigned char iv[16]);
+#  ifndef OPENSSL_NO_OCB
+#   ifdef HWAES_ocb_encrypt
+void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t blocks, const void *key,
+                       size_t start_block_num,
+                       unsigned char offset_i[16],
+                       const unsigned char L_[][16],
+                       unsigned char checksum[16]);
+#   else
+#     define HWAES_ocb_encrypt ((ocb128_f)NULL)
+#   endif
+#   ifdef HWAES_ocb_decrypt
+void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out,
+                       size_t blocks, const void *key,
+                       size_t start_block_num,
+                       unsigned char offset_i[16],
+                       const unsigned char L_[][16],
+                       unsigned char checksum[16]);
+#   else
+#     define HWAES_ocb_decrypt ((ocb128_f)NULL)
+#   endif
+#  endif /* OPENSSL_NO_OCB */
+
+# endif /* HWAES_CAPABLE */
+
+#endif /* HEADER_INTERNAL_CIPHERMODE_PLATFORM_H */
diff --git a/providers/common/ciphers/aes.c b/providers/common/ciphers/aes.c
deleted file mode 100644 (file)
index 1b1074a..0000000
+++ /dev/null
@@ -1,458 +0,0 @@
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <string.h>
-#include <openssl/crypto.h>
-#include <openssl/core_numbers.h>
-#include <openssl/core_names.h>
-#include <openssl/evp.h>
-#include <openssl/params.h>
-#include <openssl/rand.h>
-#include "internal/cryptlib.h"
-#include "internal/provider_algs.h"
-#include "ciphers_locl.h"
-#include "internal/providercommonerr.h"
-
-static OSSL_OP_cipher_encrypt_init_fn aes_einit;
-static OSSL_OP_cipher_decrypt_init_fn aes_dinit;
-static OSSL_OP_cipher_update_fn aes_block_update;
-static OSSL_OP_cipher_final_fn aes_block_final;
-static OSSL_OP_cipher_update_fn aes_stream_update;
-static OSSL_OP_cipher_final_fn aes_stream_final;
-static OSSL_OP_cipher_cipher_fn aes_cipher;
-static OSSL_OP_cipher_freectx_fn aes_freectx;
-static OSSL_OP_cipher_dupctx_fn aes_dupctx;
-static OSSL_OP_cipher_get_ctx_params_fn aes_get_ctx_params;
-static OSSL_OP_cipher_set_ctx_params_fn aes_set_ctx_params;
-
-static int PROV_AES_KEY_generic_init(PROV_AES_KEY *ctx,
-                                      const unsigned char *iv,
-                                      size_t ivlen,
-                                      int enc)
-{
-    if (iv != NULL && ctx->mode != EVP_CIPH_ECB_MODE) {
-        if (ivlen != AES_BLOCK_SIZE) {
-            ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
-            return 0;
-        }
-        memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
-    }
-    ctx->enc = enc;
-
-    return 1;
-}
-
-static int aes_einit(void *vctx, const unsigned char *key, size_t keylen,
-                           const unsigned char *iv, size_t ivlen)
-{
-    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
-    if (!PROV_AES_KEY_generic_init(ctx, iv, ivlen, 1)) {
-        /* ERR_raise already called */
-        return 0;
-    }
-    if (key != NULL) {
-        if (keylen != ctx->keylen) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
-            return 0;
-        }
-        return ctx->ciph->init(ctx, key, ctx->keylen);
-    }
-
-    return 1;
-}
-
-static int aes_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                     const unsigned char *iv, size_t ivlen)
-{
-    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
-    if (!PROV_AES_KEY_generic_init(ctx, iv, ivlen, 0)) {
-        /* ERR_raise already called */
-        return 0;
-    }
-    if (key != NULL) {
-        if (keylen != ctx->keylen) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
-            return 0;
-        }
-        return ctx->ciph->init(ctx, key, ctx->keylen);
-    }
-
-    return 1;
-}
-
-static int aes_block_update(void *vctx, unsigned char *out, size_t *outl,
-                            size_t outsize, const unsigned char *in, size_t inl)
-{
-    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-    size_t nextblocks = fillblock(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE, &in,
-                                  &inl);
-    size_t outlint = 0;
-
-    /*
-     * If we're decrypting and we end an update on a block boundary we hold
-     * the last block back in case this is the last update call and the last
-     * block is padded.
-     */
-    if (ctx->bufsz == AES_BLOCK_SIZE
-            && (ctx->enc || inl > 0 || !ctx->pad)) {
-        if (outsize < AES_BLOCK_SIZE) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-            return 0;
-        }
-        if (!ctx->ciph->cipher(ctx, out, ctx->buf, AES_BLOCK_SIZE)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
-            return 0;
-        }
-        ctx->bufsz = 0;
-        outlint = AES_BLOCK_SIZE;
-        out += AES_BLOCK_SIZE;
-    }
-    if (nextblocks > 0) {
-        if (!ctx->enc && ctx->pad && nextblocks == inl) {
-            if (!ossl_assert(inl >= AES_BLOCK_SIZE)) {
-                ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-                return 0;
-            }
-            nextblocks -= AES_BLOCK_SIZE;
-        }
-        outlint += nextblocks;
-        if (outsize < outlint) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-            return 0;
-        }
-        if (!ctx->ciph->cipher(ctx, out, in, nextblocks)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
-            return 0;
-        }
-        in += nextblocks;
-        inl -= nextblocks;
-    }
-    if (!trailingdata(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE, &in, &inl)) {
-        /* ERR_raise already called */
-        return 0;
-    }
-
-    *outl = outlint;
-    return inl == 0;
-}
-
-static int aes_block_final(void *vctx, unsigned char *out, size_t *outl,
-                           size_t outsize)
-{
-    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
-    if (ctx->enc) {
-        if (ctx->pad) {
-            padblock(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE);
-        } else if (ctx->bufsz == 0) {
-            *outl = 0;
-            return 1;
-        } else if (ctx->bufsz != AES_BLOCK_SIZE) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
-            return 0;
-        }
-
-        if (outsize < AES_BLOCK_SIZE) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-            return 0;
-        }
-        if (!ctx->ciph->cipher(ctx, out, ctx->buf, AES_BLOCK_SIZE)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
-            return 0;
-        }
-        ctx->bufsz = 0;
-        *outl = AES_BLOCK_SIZE;
-        return 1;
-    }
-
-    /* Decrypting */
-    if (ctx->bufsz != AES_BLOCK_SIZE) {
-        if (ctx->bufsz == 0 && !ctx->pad) {
-            *outl = 0;
-            return 1;
-        }
-        ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
-        return 0;
-    }
-
-    if (!ctx->ciph->cipher(ctx, ctx->buf, ctx->buf, AES_BLOCK_SIZE)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
-        return 0;
-    }
-
-    if (ctx->pad && !unpadblock(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE)) {
-        /* ERR_raise already called */
-        return 0;
-    }
-
-    if (outsize < ctx->bufsz) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-        return 0;
-    }
-    memcpy(out, ctx->buf, ctx->bufsz);
-    *outl = ctx->bufsz;
-    ctx->bufsz = 0;
-    return 1;
-}
-
-static int aes_stream_update(void *vctx, unsigned char *out, size_t *outl,
-                             size_t outsize, const unsigned char *in,
-                             size_t inl)
-{
-    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
-    if (outsize < inl) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-        return 0;
-    }
-
-    if (!ctx->ciph->cipher(ctx, out, in, inl)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
-        return 0;
-    }
-
-    *outl = inl;
-    return 1;
-}
-static int aes_stream_final(void *vctx, unsigned char *out, size_t *outl,
-                            size_t outsize)
-{
-    *outl = 0;
-    return 1;
-}
-
-static int aes_cipher(void *vctx,
-                      unsigned char *out, size_t *outl, size_t outsize,
-                      const unsigned char *in, size_t inl)
-{
-    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
-    if (outsize < inl) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-        return 0;
-    }
-
-    if (!ctx->ciph->cipher(ctx, out, in, inl)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
-        return 0;
-    }
-
-    *outl = inl;
-    return 1;
-}
-
-static void *aes_new_ctx(void *provctx, size_t mode, size_t kbits,
-                         const PROV_AES_CIPHER *ciph)
-{
-    PROV_AES_KEY *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
-    ctx->pad = 1;
-    ctx->keylen = kbits / 8;
-    ctx->ciph = ciph;
-    ctx->mode = mode;
-    return ctx;
-}
-
-static void aes_freectx(void *vctx)
-{
-    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-
-    OPENSSL_clear_free(ctx,  sizeof(*ctx));
-}
-
-static void *aes_dupctx(void *ctx)
-{
-    PROV_AES_KEY *in = (PROV_AES_KEY *)ctx;
-    PROV_AES_KEY *ret = OPENSSL_malloc(sizeof(*ret));
-
-    if (ret == NULL) {
-        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-    *ret = *in;
-
-    return ret;
-}
-
-static int aes_get_ctx_params(void *vctx, OSSL_PARAM params[])
-{
-    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-    OSSL_PARAM *p;
-
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
-    if (p != NULL && !OSSL_PARAM_set_int(p, AES_BLOCK_SIZE)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_PADDING);
-    if (p != NULL && !OSSL_PARAM_set_int(p, ctx->pad)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
-    if (p != NULL
-        && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, AES_BLOCK_SIZE)
-        && !OSSL_PARAM_set_octet_string(p, &ctx->iv, AES_BLOCK_SIZE)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_NUM);
-    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->num)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
-    if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-
-    return 1;
-}
-
-static int aes_set_ctx_params(void *vctx, const OSSL_PARAM params[])
-{
-    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
-    const OSSL_PARAM *p;
-
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_PADDING);
-    if (p != NULL) {
-        int pad;
-
-        if (!OSSL_PARAM_get_int(p, &pad)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        ctx->pad = pad ? 1 : 0;
-    }
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_NUM);
-    if (p != NULL) {
-        int num;
-
-        if (!OSSL_PARAM_get_int(p, &num)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        ctx->num = num;
-    }
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
-    if (p != NULL) {
-        int keylen;
-
-        if (!OSSL_PARAM_get_int(p, &keylen)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        ctx->keylen = keylen;
-    }
-    return 1;
-}
-
-#define IMPLEMENT_cipher(lcmode, UCMODE, flags, kbits, blkbits, ivbits)        \
-    static OSSL_OP_cipher_get_params_fn aes_##kbits##_##lcmode##_get_params;   \
-    static int aes_##kbits##_##lcmode##_get_params(OSSL_PARAM params[])        \
-    {                                                                          \
-        return cipher_default_get_params(params, EVP_CIPH_##UCMODE##_MODE,     \
-                                         flags, kbits, blkbits, ivbits);       \
-    }                                                                          \
-    static OSSL_OP_cipher_newctx_fn aes_##kbits##_##lcmode##_newctx;           \
-    static void *aes_##kbits##_##lcmode##_newctx(void *provctx)                \
-    {                                                                          \
-        return aes_new_ctx(provctx, EVP_CIPH_##UCMODE##_MODE, kbits,           \
-                           PROV_AES_CIPHER_##lcmode(kbits / 8));               \
-    }
-
-/* ECB */
-IMPLEMENT_cipher(ecb, ECB, 0, 256, 128, 0)
-IMPLEMENT_cipher(ecb, ECB, 0, 192, 128, 0)
-IMPLEMENT_cipher(ecb, ECB, 0, 128, 128, 0)
-
-/* CBC */
-IMPLEMENT_cipher(cbc, CBC, 0, 256, 128, 128)
-IMPLEMENT_cipher(cbc, CBC, 0, 192, 128, 128)
-IMPLEMENT_cipher(cbc, CBC, 0, 128, 128, 128)
-
-/* OFB */
-IMPLEMENT_cipher(ofb, OFB, 0, 256, 8, 128)
-IMPLEMENT_cipher(ofb, OFB, 0, 192, 8, 128)
-IMPLEMENT_cipher(ofb, OFB, 0, 128, 8, 128)
-
-/* CFB */
-IMPLEMENT_cipher(cfb, CFB, 0, 256, 8, 128)
-IMPLEMENT_cipher(cfb, CFB, 0, 192, 8, 128)
-IMPLEMENT_cipher(cfb, CFB, 0, 128, 8, 128)
-IMPLEMENT_cipher(cfb1, CFB, 0, 256, 8, 128)
-IMPLEMENT_cipher(cfb1, CFB, 0, 192, 8, 128)
-IMPLEMENT_cipher(cfb1, CFB, 0, 128, 8, 128)
-IMPLEMENT_cipher(cfb8, CFB, 0, 256, 8, 128)
-IMPLEMENT_cipher(cfb8, CFB, 0, 192, 8, 128)
-IMPLEMENT_cipher(cfb8, CFB, 0, 128, 8, 128)
-
-/* CTR */
-IMPLEMENT_cipher(ctr, CTR, 0, 256, 8, 128)
-IMPLEMENT_cipher(ctr, CTR, 0, 192, 8, 128)
-IMPLEMENT_cipher(ctr, CTR, 0, 128, 8, 128)
-
-#define IMPLEMENT_funcs(mode, kbits, type)                                     \
-const OSSL_DISPATCH aes##kbits##mode##_functions[] = {                         \
-    { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))aes_##kbits##_##mode##_newctx },\
-    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_einit },              \
-    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_dinit },              \
-    { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##type##_update },          \
-    { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##type##_final },            \
-    { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_cipher },                   \
-    { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_freectx },                 \
-    { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_dupctx },                   \
-    { OSSL_FUNC_CIPHER_GET_PARAMS,                                             \
-      (void (*)(void))aes_##kbits##_##mode##_get_params },                     \
-    { OSSL_FUNC_CIPHER_GET_CTX_PARAMS,                                         \
-      (void (*)(void))aes_get_ctx_params },                                    \
-    { OSSL_FUNC_CIPHER_SET_CTX_PARAMS,                                         \
-      (void (*)(void))aes_set_ctx_params },                                    \
-    { OSSL_FUNC_CIPHER_GETTABLE_PARAMS,                                        \
-      (void (*)(void))cipher_default_gettable_params },                        \
-    { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS,                                    \
-      (void (*)(void))cipher_default_gettable_ctx_params },                    \
-    { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS,                                    \
-      (void (*)(void))cipher_default_settable_ctx_params },                    \
-    { 0, NULL }                                                                \
-};
-
-/* ECB */
-IMPLEMENT_funcs(ecb, 256, block)
-IMPLEMENT_funcs(ecb, 192, block)
-IMPLEMENT_funcs(ecb, 128, block)
-
-/* CBC */
-IMPLEMENT_funcs(cbc, 256, block)
-IMPLEMENT_funcs(cbc, 192, block)
-IMPLEMENT_funcs(cbc, 128, block)
-
-/* OFB */
-IMPLEMENT_funcs(ofb, 256, stream)
-IMPLEMENT_funcs(ofb, 192, stream)
-IMPLEMENT_funcs(ofb, 128, stream)
-
-/* CFB */
-IMPLEMENT_funcs(cfb, 256, stream)
-IMPLEMENT_funcs(cfb, 192, stream)
-IMPLEMENT_funcs(cfb, 128, stream)
-IMPLEMENT_funcs(cfb1, 256, stream)
-IMPLEMENT_funcs(cfb1, 192, stream)
-IMPLEMENT_funcs(cfb1, 128, stream)
-IMPLEMENT_funcs(cfb8, 256, stream)
-IMPLEMENT_funcs(cfb8, 192, stream)
-IMPLEMENT_funcs(cfb8, 128, stream)
-
-/* CTR */
-IMPLEMENT_funcs(ctr, 256, stream)
-IMPLEMENT_funcs(ctr, 192, stream)
-IMPLEMENT_funcs(ctr, 128, stream)
diff --git a/providers/common/ciphers/aes_basic.c b/providers/common/ciphers/aes_basic.c
deleted file mode 100644 (file)
index f43b8fc..0000000
+++ /dev/null
@@ -1,629 +0,0 @@
-/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-#include <string.h>
-#include <assert.h>
-#include <openssl/opensslconf.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/aes.h>
-#include <openssl/rand.h>
-#include <openssl/cmac.h>
-#include "ciphers_locl.h"
-#include "internal/evp_int.h"
-#include "internal/providercommonerr.h"
-#include "internal/aes_platform.h"
-
-#define MAXBITCHUNK     ((size_t)1 << (sizeof(size_t) * 8 - 4))
-
-#if defined(AESNI_CAPABLE)
-
-/* AES-NI section. */
-
-static int aesni_init_key(PROV_AES_KEY *dat, const unsigned char *key,
-                          size_t keylen)
-{
-    int ret;
-
-    if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
-        && !dat->enc) {
-        ret = aesni_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
-        dat->block = (block128_f) aesni_decrypt;
-        dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
-            (cbc128_f) aesni_cbc_encrypt : NULL;
-    } else {
-        ret = aesni_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
-        dat->block = (block128_f) aesni_encrypt;
-        if (dat->mode == EVP_CIPH_CBC_MODE)
-            dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
-        else if (dat->mode == EVP_CIPH_CTR_MODE)
-            dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
-        else
-            dat->stream.cbc = NULL;
-    }
-
-    if (ret < 0) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
-        return 0;
-    }
-
-    return 1;
-}
-
-static int aesni_cbc_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                            const unsigned char *in, size_t len)
-{
-    aesni_cbc_encrypt(in, out, len, &ctx->ks.ks, ctx->iv, ctx->enc);
-
-    return 1;
-}
-
-static int aesni_ecb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                            const unsigned char *in, size_t len)
-{
-    if (len < AES_BLOCK_SIZE)
-        return 1;
-
-    aesni_ecb_encrypt(in, out, len, &ctx->ks.ks, ctx->enc);
-
-    return 1;
-}
-
-# define aesni_ofb_cipher aes_ofb_cipher
-static int aesni_ofb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                            const unsigned char *in, size_t len);
-
-# define aesni_cfb_cipher aes_cfb_cipher
-static int aesni_cfb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                            const unsigned char *in, size_t len);
-
-# define aesni_cfb8_cipher aes_cfb8_cipher
-static int aesni_cfb8_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                             const unsigned char *in, size_t len);
-
-# define aesni_cfb1_cipher aes_cfb1_cipher
-static int aesni_cfb1_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                             const unsigned char *in, size_t len);
-
-# define aesni_ctr_cipher aes_ctr_cipher
-static int aesni_ctr_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                            const unsigned char *in, size_t len);
-
-# define BLOCK_CIPHER_generic_prov(mode) \
-static const PROV_AES_CIPHER aesni_##mode = { \
-        aesni_init_key,                 \
-        aesni_##mode##_cipher};         \
-static const PROV_AES_CIPHER aes_##mode = { \
-        aes_init_key,                   \
-        aes_##mode##_cipher}; \
-const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
-{ return AESNI_CAPABLE?&aesni_##mode:&aes_##mode; }
-
-
-#elif defined(SPARC_AES_CAPABLE)
-
-static int aes_t4_init_key(PROV_AES_KEY *dat, const unsigned char *key,
-                           size_t keylen)
-{
-    int ret, bits;
-
-    bits = keylen * 8;
-    if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
-        && !dat->enc) {
-        ret = 0;
-        aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
-        dat->block = (block128_f) aes_t4_decrypt;
-        switch (bits) {
-        case 128:
-            dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
-                (cbc128_f) aes128_t4_cbc_decrypt : NULL;
-            break;
-        case 192:
-            dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
-                (cbc128_f) aes192_t4_cbc_decrypt : NULL;
-            break;
-        case 256:
-            dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
-                (cbc128_f) aes256_t4_cbc_decrypt : NULL;
-            break;
-        default:
-            ret = -1;
-        }
-    } else {
-        ret = 0;
-        aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
-        dat->block = (block128_f)aes_t4_encrypt;
-        switch (bits) {
-        case 128:
-            if (dat->mode == EVP_CIPH_CBC_MODE)
-                dat->stream.cbc = (cbc128_f)aes128_t4_cbc_encrypt;
-            else if (dat->mode == EVP_CIPH_CTR_MODE)
-                dat->stream.ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
-            else
-                dat->stream.cbc = NULL;
-            break;
-        case 192:
-            if (dat->mode == EVP_CIPH_CBC_MODE)
-                dat->stream.cbc = (cbc128_f)aes192_t4_cbc_encrypt;
-            else if (dat->mode == EVP_CIPH_CTR_MODE)
-                dat->stream.ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
-            else
-                dat->stream.cbc = NULL;
-            break;
-        case 256:
-            if (dat->mode == EVP_CIPH_CBC_MODE)
-                dat->stream.cbc = (cbc128_f)aes256_t4_cbc_encrypt;
-            else if (dat->mode == EVP_CIPH_CTR_MODE)
-                dat->stream.ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
-            else
-                dat->stream.cbc = NULL;
-            break;
-        default:
-            ret = -1;
-        }
-    }
-
-    if (ret < 0) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
-        return 0;
-    }
-
-    return 1;
-}
-
-# define aes_t4_cbc_cipher aes_cbc_cipher
-static int aes_t4_cbc_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                             const unsigned char *in, size_t len);
-
-# define aes_t4_ecb_cipher aes_ecb_cipher
-static int aes_t4_ecb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                             const unsigned char *in, size_t len);
-
-# define aes_t4_ofb_cipher aes_ofb_cipher
-static int aes_t4_ofb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                             const unsigned char *in, size_t len);
-
-# define aes_t4_cfb_cipher aes_cfb_cipher
-static int aes_t4_cfb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                             const unsigned char *in, size_t len);
-
-# define aes_t4_cfb8_cipher aes_cfb8_cipher
-static int aes_t4_cfb8_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                              const unsigned char *in, size_t len);
-
-# define aes_t4_cfb1_cipher aes_cfb1_cipher
-static int aes_t4_cfb1_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                              const unsigned char *in, size_t len);
-
-# define aes_t4_ctr_cipher aes_ctr_cipher
-static int aes_t4_ctr_cipher(PROV_AES_KEY *ctx, unsigned char *out,
-                             const unsigned char *in, size_t len);
-
-# define BLOCK_CIPHER_generic_prov(mode) \
-static const PROV_AES_CIPHER aes_t4_##mode = { \
-        aes_t4_init_key,                 \
-        aes_t4_##mode##_cipher};         \
-static const PROV_AES_CIPHER aes_##mode = { \
-        aes_init_key,                   \
-        aes_##mode##_cipher}; \
-const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
-{ return SPARC_AES_CAPABLE?&aes_t4_##mode:&aes_##mode; }
-
-
-#elif defined(S390X_aes_128_CAPABLE)
-/*
- * IBM S390X support
- */
-# include "s390x_arch.h"
-
-# define s390x_aes_init_key aes_init_key
-static int s390x_aes_init_key(PROV_AES_KEY *dat, const unsigned char *key,
-                              size_t keylen);
-# define S390X_AES_CBC_CTX          PROV_AES_KEY
-
-# define s390x_aes_cbc_init_key aes_init_key
-
-# define s390x_aes_cbc_cipher aes_cbc_cipher
-static int s390x_aes_cbc_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                                const unsigned char *in, size_t len);
-
-static int s390x_aes_ecb_init_key(PROV_AES_KEY *dat, const unsigned char *key,
-                                  size_t keylen)
-{
-    dat->plat.s390x.fc = S390X_AES_FC(keylen);
-    if (!dat->enc)
-        dat->plat.s390x.fc |= S390X_DECRYPT;
-
-    memcpy(dat->plat.s390x.param.km.k, key, keylen);
-    return 1;
-}
-
-static int s390x_aes_ecb_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                                const unsigned char *in, size_t len)
-{
-    s390x_km(in, len, out, dat->plat.s390x.fc,
-             &dat->plat.s390x.param.km);
-    return 1;
-}
-
-static int s390x_aes_ofb_init_key(PROV_AES_KEY *dat, const unsigned char *key,
-                                  size_t keylen)
-{
-    memcpy(dat->plat.s390x.param.kmo_kmf.cv, dat->iv, AES_BLOCK_SIZE);
-    memcpy(dat->plat.s390x.param.kmo_kmf.k, key, keylen);
-    dat->plat.s390x.fc = S390X_AES_FC(keylen);
-    dat->plat.s390x.res = 0;
-    return 1;
-}
-
-static int s390x_aes_ofb_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                                const unsigned char *in, size_t len)
-{
-    int n = dat->plat.s390x.res;
-    int rem;
-
-    while (n && len) {
-        *out = *in ^ dat->plat.s390x.param.kmo_kmf.cv[n];
-        n = (n + 1) & 0xf;
-        --len;
-        ++in;
-        ++out;
-    }
-
-    rem = len & 0xf;
-
-    len &= ~(size_t)0xf;
-    if (len) {
-        s390x_kmo(in, len, out, dat->plat.s390x.fc,
-                  &dat->plat.s390x.param.kmo_kmf);
-
-        out += len;
-        in += len;
-    }
-
-    if (rem) {
-        s390x_km(dat->plat.s390x.param.kmo_kmf.cv, 16,
-                 dat->plat.s390x.param.kmo_kmf.cv, dat->plat.s390x.fc,
-                 dat->plat.s390x.param.kmo_kmf.k);
-
-        while (rem--) {
-            out[n] = in[n] ^ dat->plat.s390x.param.kmo_kmf.cv[n];
-            ++n;
-        }
-    }
-
-    dat->plat.s390x.res = n;
-    return 1;
-}
-
-static int s390x_aes_cfb_init_key(PROV_AES_KEY *dat, const unsigned char *key,
-                                  size_t keylen)
-{
-    dat->plat.s390x.fc = S390X_AES_FC(keylen);
-    dat->plat.s390x.fc |= 16 << 24;   /* 16 bytes cipher feedback */
-    if (!dat->enc)
-        dat->plat.s390x.fc |= S390X_DECRYPT;
-
-    dat->plat.s390x.res = 0;
-    memcpy(dat->plat.s390x.param.kmo_kmf.cv, dat->iv, AES_BLOCK_SIZE);
-    memcpy(dat->plat.s390x.param.kmo_kmf.k, key, keylen);
-    return 1;
-}
-
-static int s390x_aes_cfb_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                                const unsigned char *in, size_t len)
-{
-    int n = dat->plat.s390x.res;
-    int rem;
-    unsigned char tmp;
-
-    while (n && len) {
-        tmp = *in;
-        *out = dat->plat.s390x.param.kmo_kmf.cv[n] ^ tmp;
-        dat->plat.s390x.param.kmo_kmf.cv[n] = dat->enc ? *out : tmp;
-        n = (n + 1) & 0xf;
-        --len;
-        ++in;
-        ++out;
-    }
-
-    rem = len & 0xf;
-
-    len &= ~(size_t)0xf;
-    if (len) {
-        s390x_kmf(in, len, out, dat->plat.s390x.fc,
-                  &dat->plat.s390x.param.kmo_kmf);
-
-        out += len;
-        in += len;
-    }
-
-    if (rem) {
-        s390x_km(dat->plat.s390x.param.kmo_kmf.cv, 16,
-                 dat->plat.s390x.param.kmo_kmf.cv,
-                 S390X_AES_FC(dat->keylen), dat->plat.s390x.param.kmo_kmf.k);
-
-        while (rem--) {
-            tmp = in[n];
-            out[n] = dat->plat.s390x.param.kmo_kmf.cv[n] ^ tmp;
-            dat->plat.s390x.param.kmo_kmf.cv[n] = dat->enc ? out[n] : tmp;
-            ++n;
-        }
-    }
-
-    dat->plat.s390x.res = n;
-    return 1;
-}
-
-static int s390x_aes_cfb8_init_key(PROV_AES_KEY *dat, const unsigned char *key,
-                                  size_t keylen)
-{
-    dat->plat.s390x.fc = S390X_AES_FC(keylen);
-    dat->plat.s390x.fc |= 1 << 24;   /* 1 byte cipher feedback */
-    if (!dat->enc)
-        dat->plat.s390x.fc |= S390X_DECRYPT;
-
-    memcpy(dat->plat.s390x.param.kmo_kmf.cv, dat->iv, AES_BLOCK_SIZE);
-    memcpy(dat->plat.s390x.param.kmo_kmf.k, key, keylen);
-    return 1;
-}
-
-static int s390x_aes_cfb8_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                                 const unsigned char *in, size_t len)
-{
-    s390x_kmf(in, len, out, dat->plat.s390x.fc,
-              &dat->plat.s390x.param.kmo_kmf);
-    return 1;
-}
-
-# define s390x_aes_cfb1_init_key aes_init_key
-
-# define s390x_aes_cfb1_cipher aes_cfb1_cipher
-static int s390x_aes_cfb1_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                                 const unsigned char *in, size_t len);
-# define S390X_AES_CTR_CTX          PROV_AES_KEY
-
-# define s390x_aes_ctr_init_key aes_init_key
-
-# define s390x_aes_ctr_cipher aes_ctr_cipher
-static int s390x_aes_ctr_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                                const unsigned char *in, size_t len);
-
-# define BLOCK_CIPHER_generic_prov(mode) \
-static const PROV_AES_CIPHER s390x_aes_##mode = { \
-        s390x_aes_##mode##_init_key,    \
-        s390x_aes_##mode##_cipher       \
-};  \
-static const PROV_AES_CIPHER aes_##mode = { \
-        aes_init_key,           \
-        aes_##mode##_cipher     \
-}; \
-const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
-{   \
-    if ((keylen == 16 && S390X_aes_128_##mode##_CAPABLE)           \
-            || (keylen == 24 && S390X_aes_192_##mode##_CAPABLE)    \
-            || (keylen == 32 && S390X_aes_256_##mode##_CAPABLE))   \
-        return &s390x_aes_##mode;   \
-    \
-    return &aes_##mode; \
-}
-
-#else
-/* The generic case */
-# define BLOCK_CIPHER_generic_prov(mode) \
-static const PROV_AES_CIPHER aes_##mode = { \
-        aes_init_key,                   \
-        aes_##mode##_cipher}; \
-const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(size_t keylen) \
-{ return &aes_##mode; }
-
-#endif
-
-static int aes_init_key(PROV_AES_KEY *dat, const unsigned char *key,
-                        size_t keylen)
-{
-    int ret;
-
-    if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
-        && !dat->enc) {
-#ifdef HWAES_CAPABLE
-        if (HWAES_CAPABLE) {
-            ret = HWAES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
-            dat->block = (block128_f)HWAES_decrypt;
-            dat->stream.cbc = NULL;
-# ifdef HWAES_cbc_encrypt
-            if (dat->mode == EVP_CIPH_CBC_MODE)
-                dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
-# endif
-        } else
-#endif
-#ifdef BSAES_CAPABLE
-        if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CBC_MODE) {
-            ret = AES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
-            dat->block = (block128_f)AES_decrypt;
-            dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
-        } else
-#endif
-#ifdef VPAES_CAPABLE
-        if (VPAES_CAPABLE) {
-            ret = vpaes_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
-            dat->block = (block128_f)vpaes_decrypt;
-            dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
-                              ?(cbc128_f)vpaes_cbc_encrypt : NULL;
-        } else
-#endif
-        {
-            ret = AES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
-            dat->block = (block128_f)AES_decrypt;
-            dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
-                              ? (cbc128_f)AES_cbc_encrypt : NULL;
-        }
-    } else
-#ifdef HWAES_CAPABLE
-    if (HWAES_CAPABLE) {
-        ret = HWAES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
-        dat->block = (block128_f)HWAES_encrypt;
-        dat->stream.cbc = NULL;
-# ifdef HWAES_cbc_encrypt
-        if (dat->mode == EVP_CIPH_CBC_MODE)
-            dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
-        else
-# endif
-# ifdef HWAES_ctr32_encrypt_blocks
-        if (dat->mode == EVP_CIPH_CTR_MODE)
-            dat->stream.ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks;
-        else
-# endif
-            (void)0;            /* terminate potentially open 'else' */
-    } else
-#endif
-#ifdef BSAES_CAPABLE
-    if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CTR_MODE) {
-        ret = AES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
-        dat->block = (block128_f)AES_encrypt;
-        dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
-    } else
-#endif
-#ifdef VPAES_CAPABLE
-    if (VPAES_CAPABLE) {
-        ret = vpaes_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
-        dat->block = (block128_f)vpaes_encrypt;
-        dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
-                          ? (cbc128_f)vpaes_cbc_encrypt : NULL;
-    } else
-#endif
-    {
-        ret = AES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
-        dat->block = (block128_f)AES_encrypt;
-        dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
-                          ? (cbc128_f)AES_cbc_encrypt : NULL;
-#ifdef AES_CTR_ASM
-        if (dat->mode == EVP_CIPH_CTR_MODE)
-            dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
-#endif
-    }
-
-    if (ret < 0) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
-        return 0;
-    }
-
-    return 1;
-}
-
-static int aes_cbc_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                          const unsigned char *in, size_t len)
-{
-    if (dat->stream.cbc)
-        (*dat->stream.cbc) (in, out, len, &dat->ks, dat->iv, dat->enc);
-    else if (dat->enc)
-        CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, dat->iv, dat->block);
-    else
-        CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, dat->iv, dat->block);
-
-    return 1;
-}
-
-static int aes_ecb_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                          const unsigned char *in, size_t len)
-{
-    size_t i;
-
-    if (len < AES_BLOCK_SIZE)
-        return 1;
-
-    for (i = 0, len -= AES_BLOCK_SIZE; i <= len; i += AES_BLOCK_SIZE)
-        (*dat->block) (in + i, out + i, &dat->ks);
-
-    return 1;
-}
-
-static int aes_ofb_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                          const unsigned char *in, size_t len)
-{
-    int num = dat->num;
-    CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->block);
-    dat->num = num;
-
-    return 1;
-}
-
-static int aes_cfb_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                          const unsigned char *in, size_t len)
-{
-    int num = dat->num;
-    CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->enc,
-                          dat->block);
-    dat->num = num;
-
-    return 1;
-}
-
-static int aes_cfb8_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                           const unsigned char *in, size_t len)
-{
-    int num = dat->num;
-    CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->enc,
-                            dat->block);
-    dat->num = num;
-
-    return 1;
-}
-
-static int aes_cfb1_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                           const unsigned char *in, size_t len)
-{
-    int num = dat->num;
-
-    if ((dat->flags & EVP_CIPH_FLAG_LENGTH_BITS) != 0) {
-        CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, dat->iv, &num,
-                                dat->enc, dat->block);
-        dat->num = num;
-        return 1;
-    }
-
-    while (len >= MAXBITCHUNK) {
-        CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
-                                dat->iv, &num, dat->enc, dat->block);
-        len -= MAXBITCHUNK;
-        out += MAXBITCHUNK;
-        in  += MAXBITCHUNK;
-    }
-    if (len)
-        CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks, dat->iv, &num,
-                                dat->enc, dat->block);
-
-    dat->num = num;
-
-    return 1;
-}
-
-static int aes_ctr_cipher(PROV_AES_KEY *dat, unsigned char *out,
-                          const unsigned char *in, size_t len)
-{
-    unsigned int num = dat->num;
-
-    if (dat->stream.ctr)
-        CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, dat->iv, dat->buf,
-                                    &num, dat->stream.ctr);
-    else
-        CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, dat->iv, dat->buf,
-                              &num, dat->block);
-    dat->num = num;
-
-    return 1;
-}
-
-BLOCK_CIPHER_generic_prov(cbc)
-BLOCK_CIPHER_generic_prov(ecb)
-BLOCK_CIPHER_generic_prov(ofb)
-BLOCK_CIPHER_generic_prov(cfb)
-BLOCK_CIPHER_generic_prov(cfb1)
-BLOCK_CIPHER_generic_prov(cfb8)
-BLOCK_CIPHER_generic_prov(ctr)
-
diff --git a/providers/common/ciphers/aes_ccm_s390x.c b/providers/common/ciphers/aes_ccm_s390x.c
deleted file mode 100644 (file)
index c5aa6bc..0000000
+++ /dev/null
@@ -1,263 +0,0 @@
-/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#define S390X_CCM_AAD_FLAG 0x40
-
-static int s390x_aes_ccm_init_key(PROV_CCM_CTX *ctx,
-                                  const unsigned char *key, size_t keylen)
-{
-    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
-
-    sctx->ccm.s390x.fc = S390X_AES_FC(keylen);
-    memcpy(&sctx->ccm.s390x.kmac.k, key, keylen);
-    /* Store encoded m and l. */
-    sctx->ccm.s390x.nonce.b[0] = ((ctx->l - 1) & 0x7)
-                                | (((ctx->m - 2) >> 1) & 0x7) << 3;
-    memset(sctx->ccm.s390x.nonce.b + 1, 0, sizeof(sctx->ccm.s390x.nonce.b));
-    sctx->ccm.s390x.blocks = 0;
-    ctx->key_set = 1;
-    return 1;
-}
-
-static int s390x_aes_ccm_setiv(PROV_CCM_CTX *ctx,
-                               const unsigned char *nonce, size_t noncelen,
-                               size_t mlen)
-{
-    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
-
-    sctx->ccm.s390x.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
-    sctx->ccm.s390x.nonce.g[1] = mlen;
-    memcpy(sctx->ccm.s390x.nonce.b + 1, nonce, 15 - ctx->l);
-    return 1;
-}
-
-/*-
- * Process additional authenticated data. Code is big-endian.
- */
-static int s390x_aes_ccm_setaad(PROV_CCM_CTX *ctx,
-                                const unsigned char *aad, size_t alen)
-{
-    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
-    unsigned char *ptr;
-    int i, rem;
-
-    if (!alen)
-        return 1;
-
-    sctx->ccm.s390x.nonce.b[0] |= S390X_CCM_AAD_FLAG;
-
-    /* Suppress 'type-punned pointer dereference' warning. */
-    ptr = sctx->ccm.s390x.buf.b;
-
-    if (alen < ((1 << 16) - (1 << 8))) {
-        *(uint16_t *)ptr = alen;
-        i = 2;
-    } else if (sizeof(alen) == 8
-               && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
-        *(uint16_t *)ptr = 0xffff;
-        *(uint64_t *)(ptr + 2) = alen;
-        i = 10;
-    } else {
-        *(uint16_t *)ptr = 0xfffe;
-        *(uint32_t *)(ptr + 2) = alen;
-        i = 6;
-    }
-
-    while (i < 16 && alen) {
-        sctx->ccm.s390x.buf.b[i] = *aad;
-        ++aad;
-        --alen;
-        ++i;
-    }
-    while (i < 16) {
-        sctx->ccm.s390x.buf.b[i] = 0;
-        ++i;
-    }
-
-    sctx->ccm.s390x.kmac.icv.g[0] = 0;
-    sctx->ccm.s390x.kmac.icv.g[1] = 0;
-    s390x_kmac(sctx->ccm.s390x.nonce.b, 32, sctx->ccm.s390x.fc,
-               &sctx->ccm.s390x.kmac);
-    sctx->ccm.s390x.blocks += 2;
-
-    rem = alen & 0xf;
-    alen &= ~(size_t)0xf;
-    if (alen) {
-        s390x_kmac(aad, alen, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
-        sctx->ccm.s390x.blocks += alen >> 4;
-        aad += alen;
-    }
-    if (rem) {
-        for (i = 0; i < rem; i++)
-            sctx->ccm.s390x.kmac.icv.b[i] ^= aad[i];
-
-        s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
-                 sctx->ccm.s390x.kmac.icv.b, sctx->ccm.s390x.fc,
-                 sctx->ccm.s390x.kmac.k);
-        sctx->ccm.s390x.blocks++;
-    }
-    return 1;
-}
-
-/*-
- * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 1 for
- * success.
- */
-static int s390x_aes_ccm_auth_encdec(PROV_CCM_CTX *ctx,
-                                     const unsigned char *in,
-                                     unsigned char *out, size_t len, int enc)
-{
-    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
-    size_t n, rem;
-    unsigned int i, l, num;
-    unsigned char flags;
-
-    flags = sctx->ccm.s390x.nonce.b[0];
-    if (!(flags & S390X_CCM_AAD_FLAG)) {
-        s390x_km(sctx->ccm.s390x.nonce.b, 16, sctx->ccm.s390x.kmac.icv.b,
-                 sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
-        sctx->ccm.s390x.blocks++;
-    }
-    l = flags & 0x7;
-    sctx->ccm.s390x.nonce.b[0] = l;
-
-    /*-
-     * Reconstruct length from encoded length field
-     * and initialize it with counter value.
-     */
-    n = 0;
-    for (i = 15 - l; i < 15; i++) {
-        n |= sctx->ccm.s390x.nonce.b[i];
-        sctx->ccm.s390x.nonce.b[i] = 0;
-        n <<= 8;
-    }
-    n |= sctx->ccm.s390x.nonce.b[15];
-    sctx->ccm.s390x.nonce.b[15] = 1;
-
-    if (n != len)
-        return 0;      /* length mismatch */
-
-    if (enc) {
-        /* Two operations per block plus one for tag encryption */
-        sctx->ccm.s390x.blocks += (((len + 15) >> 4) << 1) + 1;
-        if (sctx->ccm.s390x.blocks > (1ULL << 61))
-            return 0;      /* too much data */
-    }
-
-    num = 0;
-    rem = len & 0xf;
-    len &= ~(size_t)0xf;
-
-    if (enc) {
-        /* mac-then-encrypt */
-        if (len)
-            s390x_kmac(in, len, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
-        if (rem) {
-            for (i = 0; i < rem; i++)
-                sctx->ccm.s390x.kmac.icv.b[i] ^= in[len + i];
-
-            s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
-                     sctx->ccm.s390x.kmac.icv.b,
-                     sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
-        }
-
-        CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &sctx->ccm.ks.ks,
-                                    sctx->ccm.s390x.nonce.b, sctx->ccm.s390x.buf.b,
-                                    &num, (ctr128_f)AES_ctr32_encrypt);
-    } else {
-        /* decrypt-then-mac */
-        CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &sctx->ccm.ks.ks,
-                                    sctx->ccm.s390x.nonce.b, sctx->ccm.s390x.buf.b,
-                                    &num, (ctr128_f)AES_ctr32_encrypt);
-
-        if (len)
-            s390x_kmac(out, len, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
-        if (rem) {
-            for (i = 0; i < rem; i++)
-                sctx->ccm.s390x.kmac.icv.b[i] ^= out[len + i];
-
-            s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
-                     sctx->ccm.s390x.kmac.icv.b,
-                     sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
-        }
-    }
-    /* encrypt tag */
-    for (i = 15 - l; i < 16; i++)
-        sctx->ccm.s390x.nonce.b[i] = 0;
-
-    s390x_km(sctx->ccm.s390x.nonce.b, 16, sctx->ccm.s390x.buf.b,
-             sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
-    sctx->ccm.s390x.kmac.icv.g[0] ^= sctx->ccm.s390x.buf.g[0];
-    sctx->ccm.s390x.kmac.icv.g[1] ^= sctx->ccm.s390x.buf.g[1];
-
-    sctx->ccm.s390x.nonce.b[0] = flags;    /* restore flags field */
-    return 1;
-}
-
-
-static int s390x_aes_ccm_gettag(PROV_CCM_CTX *ctx,
-                                unsigned char *tag, size_t tlen)
-{
-    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
-
-    if (tlen > ctx->m)
-        return 0;
-    memcpy(tag, sctx->ccm.s390x.kmac.icv.b, tlen);
-    return 1;
-}
-
-static int s390x_aes_ccm_auth_encrypt(PROV_CCM_CTX *ctx,
-                                      const unsigned char *in,
-                                      unsigned char *out, size_t len,
-                                      unsigned char *tag, size_t taglen)
-{
-    int rv;
-
-    rv = s390x_aes_ccm_auth_encdec(ctx, in, out, len, 1);
-    if (rv && tag != NULL)
-        rv = s390x_aes_ccm_gettag(ctx, tag, taglen);
-    return rv;
-}
-
-static int s390x_aes_ccm_auth_decrypt(PROV_CCM_CTX *ctx,
-                                      const unsigned char *in,
-                                      unsigned char *out, size_t len,
-                                      unsigned char *expected_tag,
-                                      size_t taglen)
-{
-    int rv = 0;
-    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
-
-    rv = s390x_aes_ccm_auth_encdec(ctx, in, out, len, 0);
-    if (rv) {
-        if (CRYPTO_memcmp(sctx->ccm.s390x.kmac.icv.b, expected_tag, ctx->m) != 0)
-            rv = 0;
-    }
-    if (rv == 0)
-        OPENSSL_cleanse(out, len);
-    return rv;
-}
-
-static const PROV_CCM_HW s390x_aes_ccm = {
-    s390x_aes_ccm_init_key,
-    s390x_aes_ccm_setiv,
-    s390x_aes_ccm_setaad,
-    s390x_aes_ccm_auth_encrypt,
-    s390x_aes_ccm_auth_decrypt,
-    s390x_aes_ccm_gettag
-};
-
-const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
-{
-    if ((keybits == 128 && S390X_aes_128_ccm_CAPABLE)
-         || (keybits == 192 && S390X_aes_192_ccm_CAPABLE)
-         || (keybits == 256 && S390X_aes_256_ccm_CAPABLE))
-        return &s390x_aes_ccm;
-    return &aes_ccm;
-}
index 7014b9d99797633e56403927378aa9d26ed566c0..73e17e1a11cc486b56ae45058e869c7156fa8a40 100644 (file)
@@ -7,12 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
-#include <string.h>
-#include <openssl/evp.h>
-#include <openssl/err.h>
-#include "ciphers_locl.h"
 #include <assert.h>
-#include "internal/providercommonerr.h"
+#include "cipher_locl.h"
 
 /*
  * Fills a single block of buffered data from the input, and returns the amount
index 6702d701ff2fd5ae2a2f2971eed2d3df0c858c14..4a816d0f4d9d001ca8a260a835b3acff5ce2f013 100644 (file)
@@ -1,10 +1,22 @@
 LIBS=../../../libcrypto
 
-$COMMON=block.c aes.c aes_basic.c gcm.c gcm_hw.c ciphers_common.c \
-        ccm.c ccm_hw.c
+$COMMON=cipher_common.c cipher_common_hw.c block.c \
+        cipher_aes.c cipher_aes_hw.c \
+        cipher_gcm.c cipher_aes_gcm.c cipher_gcm_hw.c \
+        cipher_ccm.c cipher_aes_ccm.c cipher_ccm_hw.c
 
 SOURCE[../../../libcrypto]=$COMMON
+IF[{- !$disabled{aria} -}]
+  SOURCE[../../../libcrypto]=\
+      cipher_aria.c cipher_aria_hw.c \
+      cipher_aria_gcm.c cipher_aria_ccm.c 
+ENDIF
+
+IF[{- !$disabled{camellia} -}]
+  SOURCE[../../../libcrypto]=\
+      cipher_camellia.c cipher_camellia_hw.c
+ENDIF
 INCLUDE[../../../libcrypto]=. ../../../crypto
 
 SOURCE[../../fips]=$COMMON
-INCLUDE[../../fips]=. ../../../crypto
+INCLUDE[../../fips]=. ../../../crypto
\ No newline at end of file
diff --git a/providers/common/ciphers/ccm.c b/providers/common/ciphers/ccm.c
deleted file mode 100644 (file)
index 67a127a..0000000
+++ /dev/null
@@ -1,486 +0,0 @@
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/core_numbers.h>
-#include <openssl/core_names.h>
-#include <openssl/evp.h>
-#include <openssl/params.h>
-#include "internal/provider_algs.h"
-#include "internal/providercommonerr.h"
-#include "ciphers_locl.h"
-
-/* TODO(3.0) Figure out what flags are really needed here */
-#define CCM_FLAGS (EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1      \
-                   | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER          \
-                   | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT            \
-                   | EVP_CIPH_CUSTOM_COPY)
-
-static OSSL_OP_cipher_encrypt_init_fn ccm_einit;
-static OSSL_OP_cipher_decrypt_init_fn ccm_dinit;
-static OSSL_OP_cipher_get_ctx_params_fn ccm_get_ctx_params;
-static OSSL_OP_cipher_set_ctx_params_fn ccm_set_ctx_params;
-static OSSL_OP_cipher_update_fn ccm_stream_update;
-static OSSL_OP_cipher_final_fn ccm_stream_final;
-static OSSL_OP_cipher_cipher_fn ccm_cipher;
-
-static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
-                               size_t *padlen, const unsigned char *in,
-                               size_t len);
-
-static int ccm_tls_init(PROV_CCM_CTX *ctx, unsigned char *aad, size_t alen)
-{
-    size_t len;
-
-    if (alen != EVP_AEAD_TLS1_AAD_LEN)
-        return 0;
-
-    /* Save the aad for later use. */
-    memcpy(ctx->buf, aad, alen);
-    ctx->tls_aad_len = alen;
-
-    len = ctx->buf[alen - 2] << 8 | ctx->buf[alen - 1];
-    if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
-        return 0;
-
-    /* Correct length for explicit iv. */
-    len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
-
-    if (!ctx->enc) {
-        if (len < ctx->m)
-            return 0;
-        /* Correct length for tag. */
-        len -= ctx->m;
-    }
-    ctx->buf[alen - 2] = (unsigned char)(len >> 8);
-    ctx->buf[alen - 1] = (unsigned char)(len & 0xff);
-
-    /* Extra padding: tag appended to record. */
-    return ctx->m;
-}
-
-static int ccm_tls_iv_set_fixed(PROV_CCM_CTX *ctx, unsigned char *fixed,
-                                size_t flen)
-{
-    if (flen != EVP_CCM_TLS_FIXED_IV_LEN)
-        return 0;
-
-    /* Copy to first part of the iv. */
-    memcpy(ctx->iv, fixed, flen);
-    return 1;
-}
-
-static size_t ccm_get_ivlen(PROV_CCM_CTX *ctx)
-{
-    return 15 - ctx->l;
-}
-
-static int ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
-{
-    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
-    const OSSL_PARAM *p;
-    size_t sz;
-
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
-    if (p != NULL) {
-        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        if ((p->data_size & 1) || (p->data_size < 4) || p->data_size > 16) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
-            return 0;
-        }
-
-        if (p->data != NULL) {
-            if (ctx->enc) {
-                ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOT_NEEDED);
-                return 0;
-            }
-            memcpy(ctx->buf, p->data, p->data_size);
-            ctx->tag_set = 1;
-        }
-        ctx->m = p->data_size;
-    }
-
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
-    if (p != NULL) {
-        size_t ivlen;
-
-        if (!OSSL_PARAM_get_size_t(p, &sz)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        ivlen = 15 - sz;
-        if (ivlen < 2 || ivlen > 8) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
-            return 0;
-        }
-        ctx->l = ivlen;
-    }
-
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
-    if (p != NULL) {
-        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        sz = ccm_tls_init(ctx, p->data, p->data_size);
-        if (sz == 0) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA);
-            return 0;
-        }
-        ctx->tls_aad_pad_sz = sz;
-    }
-
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
-    if (p != NULL) {
-        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        if (ccm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
-            return 0;
-        }
-    }
-
-    return 1;
-}
-
-static int ccm_get_ctx_params(void *vctx, OSSL_PARAM params[])
-{
-    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
-    OSSL_PARAM *p;
-
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
-    if (p != NULL && !OSSL_PARAM_set_int(p, ccm_get_ivlen(ctx))) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
-    if (p != NULL) {
-        if (ccm_get_ivlen(ctx) != p->data_size) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
-            return 0;
-        }
-        if (!OSSL_PARAM_set_octet_string(p, ctx->iv, p->data_size)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-            return 0;
-        }
-    }
-
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
-    if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
-    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
-    if (p != NULL) {
-        if (!ctx->enc || !ctx->tag_set) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOTSET);
-            return 0;
-        }
-        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-            return 0;
-        }
-        if (!ctx->hw->gettag(ctx, p->data, p->data_size))
-            return 0;
-        ctx->tag_set = 0;
-        ctx->iv_set = 0;
-        ctx->len_set = 0;
-    }
-    return 1;
-}
-
-static int ccm_init(void *vctx, const unsigned char *key, size_t keylen,
-                    const unsigned char *iv, size_t ivlen, int enc)
-{
-    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
-
-    ctx->enc = enc;
-
-    if (iv != NULL) {
-        if (ivlen != ccm_get_ivlen(ctx)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
-            return 0;
-        }
-
-        memcpy(ctx->iv, iv, ivlen);
-        ctx->iv_set = 1;
-    }
-    if (key != NULL) {
-        if (keylen != ctx->keylen) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN);
-            return 0;
-        }
-        return ctx->hw->setkey(ctx, key, keylen);
-    }
-    return 1;
-}
-
-static int ccm_einit(void *vctx, const unsigned char *key, size_t keylen,
-                     const unsigned char *iv, size_t ivlen)
-{
-    return ccm_init(vctx, key, keylen, iv, ivlen, 1);
-}
-
-static int ccm_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                     const unsigned char *iv, size_t ivlen)
-{
-    return ccm_init(vctx, key, keylen, iv, ivlen, 0);
-}
-
-static int ccm_stream_update(void *vctx, unsigned char *out, size_t *outl,
-                             size_t outsize, const unsigned char *in,
-                             size_t inl)
-{
-    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
-
-    if (outsize < inl) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-        return 0;
-    }
-
-    if (!ccm_cipher_internal(ctx, out, outl, in, inl)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
-        return 0;
-    }
-    return 1;
-}
-
-static int ccm_stream_final(void *vctx, unsigned char *out, size_t *outl,
-                            size_t outsize)
-{
-    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
-    int i;
-
-    i = ccm_cipher_internal(ctx, out, outl, NULL, 0);
-    if (i <= 0)
-        return 0;
-
-    *outl = 0;
-    return 1;
-}
-
-static int ccm_cipher(void *vctx,
-                      unsigned char *out, size_t *outl, size_t outsize,
-                      const unsigned char *in, size_t inl)
-{
-    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
-
-    if (outsize < inl) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-        return -1;
-    }
-
-    if (ccm_cipher_internal(ctx, out, outl, in, inl) <= 0)
-        return -1;
-
-    *outl = inl;
-    return 1;
-}
-
-/* Copy the buffered iv */
-static int ccm_set_iv(PROV_CCM_CTX *ctx, size_t mlen)
-{
-    const PROV_CCM_HW *hw = ctx->hw;
-
-    if (!hw->setiv(ctx, ctx->iv, ccm_get_ivlen(ctx), mlen))
-        return 0;
-    ctx->len_set = 1;
-    return 1;
-}
-
-static int ccm_tls_cipher(PROV_CCM_CTX *ctx,
-                          unsigned char *out, size_t *padlen,
-                          const unsigned char *in, size_t len)
-{
-    int rv = 0;
-    size_t olen = 0;
-
-    /* Encrypt/decrypt must be performed in place */
-    if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)ctx->m))
-        goto err;
-
-    /* If encrypting set explicit IV from sequence number (start of AAD) */
-    if (ctx->enc)
-        memcpy(out, ctx->buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
-    /* Get rest of IV from explicit IV */
-    memcpy(ctx->iv + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
-    /* Correct length value */
-    len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m;
-    if (!ccm_set_iv(ctx, len))
-        goto err;
-
-    /* Use saved AAD */
-    if (!ctx->hw->setaad(ctx, ctx->buf, ctx->tls_aad_len))
-        goto err;
-
-    /* Fix buffer to point to payload */
-    in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
-    out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
-    if (ctx->enc) {
-        if (!ctx->hw->auth_encrypt(ctx, in, out, len,  out + len, ctx->m))
-            goto err;
-        olen = len + EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m;
-    } else {
-        if (!ctx->hw->auth_decrypt(ctx, in, out, len,
-                                   (unsigned char *)in + len, ctx->m))
-            goto err;
-        olen = len;
-    }
-    rv = 1;
-err:
-    *padlen = olen;
-    return rv;
-}
-
-static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
-                               size_t *padlen, const unsigned char *in,
-                               size_t len)
-{
-    int rv = 0;
-    size_t olen = 0;
-    const PROV_CCM_HW *hw = ctx->hw;
-
-    /* If no key set, return error */
-    if (!ctx->key_set)
-        return 0;
-
-    if (ctx->tls_aad_len >= 0)
-        return ccm_tls_cipher(ctx, out, padlen, in, len);
-
-    /* EVP_*Final() doesn't return any data */
-    if (in == NULL && out != NULL)
-        return 1;
-
-    if (!ctx->iv_set)
-        goto err;
-
-    if (out == NULL) {
-        if (in == NULL) {
-            if (!ccm_set_iv(ctx, len))
-                goto err;
-        } else {
-            /* If we have AAD, we need a message length */
-            if (!ctx->len_set && len)
-                goto err;
-            if (!hw->setaad(ctx, in, len))
-                goto err;
-        }
-    } else {
-        /* If not set length yet do it */
-        if (!ctx->len_set && !ccm_set_iv(ctx, len))
-            goto err;
-
-        if (ctx->enc) {
-            if (!hw->auth_encrypt(ctx, in, out, len, NULL, 0))
-                goto err;
-            ctx->tag_set = 1;
-        } else {
-            /* The tag must be set before actually decrypting data */
-            if (!ctx->tag_set)
-                goto err;
-
-            if (!hw->auth_decrypt(ctx, in, out, len, ctx->buf, ctx->m))
-                goto err;
-            /* Finished - reset flags so calling this method again will fail */
-            ctx->iv_set = 0;
-            ctx->tag_set = 0;
-            ctx->len_set = 0;
-        }
-    }
-    olen = len;
-    rv = 1;
-err:
-    *padlen = olen;
-    return rv;
-}
-
-static void ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits,
-                        const PROV_CCM_HW *hw)
-{
-    ctx->keylen = keybits / 8;
-    ctx->key_set = 0;
-    ctx->iv_set = 0;
-    ctx->tag_set = 0;
-    ctx->len_set = 0;
-    ctx->l = 8;
-    ctx->m = 12;
-    ctx->tls_aad_len = -1;
-    ctx->hw = hw;
-}
-
-static void ccm_finalctx(PROV_CCM_CTX *ctx)
-{
-    OPENSSL_cleanse(ctx->iv, sizeof(ctx->iv));
-}
-
-/*- Algorithm specific methods for CCM mode */
-
-static void *aes_ccm_newctx(void *provctx, size_t keybits)
-{
-    PROV_AES_CCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
-    ccm_initctx(&ctx->base, keybits, PROV_AES_HW_ccm(keybits));
-    return ctx;
-}
-
-static OSSL_OP_cipher_freectx_fn aes_ccm_freectx;
-static void aes_ccm_freectx(void *vctx)
-{
-    PROV_AES_CCM_CTX *ctx = (PROV_AES_CCM_CTX *)vctx;
-
-    ccm_finalctx((PROV_CCM_CTX *)ctx);
-    OPENSSL_clear_free(ctx,  sizeof(*ctx));
-}
-
-/*- CCM Dispatch macros */
-
-/* aes128ccm_functions */
-IMPLEMENT_aead_cipher(aes, ccm, CCM, CCM_FLAGS, 128, 8, 96);
-/* aes192ccm_functions */
-IMPLEMENT_aead_cipher(aes, ccm, CCM, CCM_FLAGS, 192, 8, 96);
-/* aes256ccm_functions */
-IMPLEMENT_aead_cipher(aes, ccm, CCM, CCM_FLAGS, 256, 8, 96);
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-static void *aria_ccm_newctx(void *provctx, size_t keybits)
-{
-    PROV_ARIA_CCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
-    ccm_initctx(&ctx->base, keybits, PROV_ARIA_HW_ccm(keybits));
-    return ctx;
-}
-
-static OSSL_OP_cipher_freectx_fn aria_ccm_freectx;
-static void aria_ccm_freectx(void *vctx)
-{
-    PROV_ARIA_CCM_CTX *ctx = (PROV_ARIA_CCM_CTX *)vctx;
-
-    ccm_finalctx((PROV_CCM_CTX *)ctx);
-    OPENSSL_clear_free(ctx,  sizeof(*ctx));
-}
-
-/* aria128ccm functions */
-IMPLEMENT_aead_cipher(aria, ccm, CCM, CCM_FLAGS, 128, 8, 96);
-/* aria192ccm functions */
-IMPLEMENT_aead_cipher(aria, ccm, CCM, CCM_FLAGS, 192, 8, 96);
-/* aria256ccm functions */
-IMPLEMENT_aead_cipher(aria, ccm, CCM, CCM_FLAGS, 256, 8, 96);
-#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
diff --git a/providers/common/ciphers/ccm_hw.c b/providers/common/ciphers/ccm_hw.c
deleted file mode 100644 (file)
index c59d88d..0000000
+++ /dev/null
@@ -1,199 +0,0 @@
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/opensslconf.h>
-#include "ciphers_locl.h"
-#include "internal/aes_platform.h"
-
-#define AES_CCM_SET_KEY_FN(fn_set_enc_key, fn_blk, fn_ccm_enc, fn_ccm_dec)     \
-    fn_set_enc_key(key, keylen * 8, &actx->ccm.ks.ks);                         \
-    CRYPTO_ccm128_init(&ctx->ccm_ctx, ctx->m, ctx->l, &actx->ccm.ks.ks,        \
-                       (block128_f)fn_blk);                                    \
-    ctx->str = ctx->enc ? (ccm128_f)fn_ccm_enc : (ccm128_f)fn_ccm_dec;         \
-    ctx->key_set = 1;
-
-static int ccm_generic_aes_init_key(PROV_CCM_CTX *ctx,
-                                    const unsigned char *key, size_t keylen)
-{
-    PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
-
-#ifdef HWAES_CAPABLE
-    if (HWAES_CAPABLE) {
-        AES_CCM_SET_KEY_FN(HWAES_set_encrypt_key, HWAES_encrypt, NULL, NULL);
-    } else
-#endif /* HWAES_CAPABLE */
-#ifdef VPAES_CAPABLE
-    if (VPAES_CAPABLE) {
-        AES_CCM_SET_KEY_FN(vpaes_set_encrypt_key, vpaes_encrypt, NULL, NULL);
-    } else
-#endif
-    {
-        AES_CCM_SET_KEY_FN(AES_set_encrypt_key, AES_encrypt, NULL, NULL)
-    }
-    return 1;
-}
-
-static int ccm_generic_setiv(PROV_CCM_CTX *ctx, const unsigned char *nonce,
-                             size_t nlen, size_t mlen)
-{
-    return CRYPTO_ccm128_setiv(&ctx->ccm_ctx, nonce, nlen, mlen) == 0;
-}
-
-static int ccm_generic_setaad(PROV_CCM_CTX *ctx, const unsigned char *aad,
-                              size_t alen)
-{
-    CRYPTO_ccm128_aad(&ctx->ccm_ctx, aad, alen);
-    return 1;
-}
-
-static int ccm_generic_gettag(PROV_CCM_CTX *ctx, unsigned char *tag,
-                              size_t tlen)
-{
-    return CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, tlen) > 0;
-}
-
-static int ccm_generic_auth_encrypt(PROV_CCM_CTX *ctx, const unsigned char *in,
-                                    unsigned char *out, size_t len,
-                                    unsigned char *tag, size_t taglen)
-{
-    int rv;
-
-    if (ctx->str != NULL)
-        rv = CRYPTO_ccm128_encrypt_ccm64(&ctx->ccm_ctx, in,
-                                         out, len, ctx->str) == 0;
-    else
-        rv = CRYPTO_ccm128_encrypt(&ctx->ccm_ctx, in, out, len) == 0;
-
-    if (rv == 1 && tag != NULL)
-        rv = (CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, taglen) > 0);
-    return rv;
-}
-
-static int ccm_generic_auth_decrypt(PROV_CCM_CTX *ctx, const unsigned char *in,
-                                    unsigned char *out, size_t len,
-                                    unsigned char *expected_tag,
-                                    size_t taglen)
-{
-    int rv = 0;
-
-    if (ctx->str != NULL)
-        rv = CRYPTO_ccm128_decrypt_ccm64(&ctx->ccm_ctx, in, out, len,
-                                         ctx->str) == 0;
-    else
-        rv = CRYPTO_ccm128_decrypt(&ctx->ccm_ctx, in, out, len) == 0;
-    if (rv) {
-        unsigned char tag[16];
-
-        if (!CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, taglen)
-            || CRYPTO_memcmp(tag, expected_tag, taglen) != 0)
-            rv = 0;
-    }
-    if (rv == 0)
-        OPENSSL_cleanse(out, len);
-    return rv;
-}
-
-static const PROV_CCM_HW aes_ccm = {
-    ccm_generic_aes_init_key,
-    ccm_generic_setiv,
-    ccm_generic_setaad,
-    ccm_generic_auth_encrypt,
-    ccm_generic_auth_decrypt,
-    ccm_generic_gettag
-};
-
-#if defined(S390X_aes_128_CAPABLE)
-# include "aes_ccm_s390x.c"
-#elif defined(AESNI_CAPABLE)
-
-/* AES-NI section */
-static int ccm_aesni_init_key(PROV_CCM_CTX *ctx,
-                              const unsigned char *key, size_t keylen)
-{
-    PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
-
-    AES_CCM_SET_KEY_FN(aesni_set_encrypt_key, aesni_encrypt,
-                       aesni_ccm64_encrypt_blocks, aesni_ccm64_decrypt_blocks);
-    return 1;
-}
-
-static const PROV_CCM_HW aesni_ccm = {
-    ccm_aesni_init_key,
-    ccm_generic_setiv,
-    ccm_generic_setaad,
-    ccm_generic_auth_encrypt,
-    ccm_generic_auth_decrypt,
-    ccm_generic_gettag
-};
-
-const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
-{
-    return AESNI_CAPABLE ? &aesni_ccm : &aes_ccm;
-}
-
-#elif defined(SPARC_AES_CAPABLE)
-/* Fujitsu SPARC64 X support */
-static int ccm_t4_aes_init_key(PROV_CCM_CTX *ctx,
-                               const unsigned char *key, size_t keylen)
-{
-    PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
-
-    AES_CCM_SET_KEY_FN(aes_t4_set_encrypt_key, aes_t4_encrypt, NULL, NULL);
-    return 1;
-}
-
-static const PROV_CCM_HW t4_aes_ccm = {
-    ccm_t4_aes_init_key,
-    ccm_generic_setiv,
-    ccm_generic_setaad,
-    ccm_generic_auth_encrypt,
-    ccm_generic_auth_decrypt,
-    ccm_generic_gettag
-};
-
-const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
-{
-    return SPARC_AES_CAPABLE ? &t4_aes_ccm : &aes_ccm;
-}
-
-#else
-const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
-{
-    return &aes_ccm;
-}
-#endif
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-/* ARIA CCM Algorithm specific methods */
-static int ccm_aria_init_key(PROV_CCM_CTX *ctx,
-                             const unsigned char *key, size_t keylen)
-{
-    PROV_ARIA_CCM_CTX *actx = (PROV_ARIA_CCM_CTX *)ctx;
-
-    aria_set_encrypt_key(key, keylen * 8, &actx->ks.ks);
-    CRYPTO_ccm128_init(&ctx->ccm_ctx, ctx->m, ctx->l, &actx->ks.ks,
-                       (block128_f)aria_encrypt);
-    ctx->str = NULL;
-    ctx->key_set = 1;
-    return 1;
-}
-
-static const PROV_CCM_HW ccm_aria = {
-    ccm_aria_init_key,
-    ccm_generic_setiv,
-    ccm_generic_setaad,
-    ccm_generic_auth_encrypt,
-    ccm_generic_auth_decrypt,
-    ccm_generic_gettag
-};
-const PROV_CCM_HW *PROV_ARIA_HW_ccm(size_t keybits)
-{
-    return &ccm_aria;
-}
-#endif /* OPENSSL_NO_ARIA */
diff --git a/providers/common/ciphers/cipher_aes.c b/providers/common/ciphers/cipher_aes.c
new file mode 100644 (file)
index 0000000..15433bf
--- /dev/null
@@ -0,0 +1,79 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for AES cipher modes ecb, cbc, ofb, cfb, ctr */
+
+#include "cipher_locl.h"
+
+static OSSL_OP_cipher_freectx_fn aes_freectx;
+static OSSL_OP_cipher_dupctx_fn aes_dupctx;
+
+static void aes_freectx(void *vctx)
+{
+    PROV_AES_CTX *ctx = (PROV_AES_CTX *)vctx;
+
+    OPENSSL_clear_free(ctx,  sizeof(*ctx));
+}
+
+static void *aes_dupctx(void *ctx)
+{
+    PROV_AES_CTX *in = (PROV_AES_CTX *)ctx;
+    PROV_AES_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+
+    if (ret == NULL) {
+        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    *ret = *in;
+
+    return ret;
+}
+
+/* aes256ecb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 256, 128, 0, block)
+/* aes192ecb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 192, 128, 0, block)
+/* aes128ecb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 128, 128, 0, block)
+/* aes256cbc_functions */
+IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 256, 128, 128, block)
+/* aes192cbc_functions */
+IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 192, 128, 128, block)
+/* aes128cbc_functions */
+IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 128, 128, 128, block)
+/* aes256ofb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 256, 8, 128, stream)
+/* aes192ofb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 192, 8, 128, stream)
+/* aes128ofb_functions */
+IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 128, 8, 128, stream)
+/* aes256cfb_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb,  CFB, 0, 256, 8, 128, stream)
+/* aes192cfb_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb,  CFB, 0, 192, 8, 128, stream)
+/* aes128cfb_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb,  CFB, 0, 128, 8, 128, stream)
+/* aes256cfb1_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 256, 8, 128, stream)
+/* aes192cfb1_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 192, 8, 128, stream)
+/* aes128cfb1_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 128, 8, 128, stream)
+/* aes256cfb8_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 256, 8, 128, stream)
+/* aes192cfb8_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 192, 8, 128, stream)
+/* aes128cfb8_functions */
+IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 128, 8, 128, stream)
+/* aes256ctr_functions */
+IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 256, 8, 128, stream)
+/* aes192ctr_functions */
+IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 192, 8, 128, stream)
+/* aes128ctr_functions */
+IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 128, 8, 128, stream)
diff --git a/providers/common/ciphers/cipher_aes.h b/providers/common/ciphers/cipher_aes.h
new file mode 100644 (file)
index 0000000..6c4a623
--- /dev/null
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/aes.h>
+
+typedef struct prov_aes_ctx_st {
+    PROV_CIPHER_CTX base;      /* Must be first */
+    union {
+        OSSL_UNION_ALIGN;
+        AES_KEY ks;
+    } ks;
+
+    /* Platform specific data */
+    union {
+        int dummy;
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+        struct {
+            union {
+                OSSL_UNION_ALIGN;
+                /*-
+                 * KM-AES parameter block - begin
+                 * (see z/Architecture Principles of Operation >= SA22-7832-06)
+                 */
+                struct {
+                    unsigned char k[32];
+                } km;
+                /* KM-AES parameter block - end */
+                /*-
+                 * KMO-AES/KMF-AES parameter block - begin
+                 * (see z/Architecture Principles of Operation >= SA22-7832-08)
+                 */
+                struct {
+                    unsigned char cv[16];
+                    unsigned char k[32];
+                } kmo_kmf;
+                /* KMO-AES/KMF-AES parameter block - end */
+            } param;
+            unsigned int fc;
+            int res;
+        } s390x;
+#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
+    } plat;
+
+} PROV_AES_CTX;
+
+#define PROV_CIPHER_HW_aes_ofb PROV_CIPHER_HW_aes_ofb128
+#define PROV_CIPHER_HW_aes_cfb PROV_CIPHER_HW_aes_cfb128
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_ecb(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_cbc(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_ofb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_cfb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_cfb1(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_cfb8(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_ctr(size_t keybits);
+
diff --git a/providers/common/ciphers/cipher_aes_ccm.c b/providers/common/ciphers/cipher_aes_ccm.c
new file mode 100644 (file)
index 0000000..26b508d
--- /dev/null
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for AES CCM mode */
+
+#include "cipher_locl.h"
+
+static void *aes_ccm_newctx(void *provctx, size_t keybits)
+{
+    PROV_AES_CCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+    if (ctx != NULL)
+        ccm_initctx(&ctx->base, keybits, PROV_AES_HW_ccm(keybits));
+    return ctx;
+}
+
+static OSSL_OP_cipher_freectx_fn aes_ccm_freectx;
+static void aes_ccm_freectx(void *vctx)
+{
+    PROV_AES_CCM_CTX *ctx = (PROV_AES_CCM_CTX *)vctx;
+
+    ccm_finalctx((PROV_CCM_CTX *)ctx);
+    OPENSSL_clear_free(ctx,  sizeof(*ctx));
+}
+
+/* aes128ccm_functions */
+IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 128, 8, 96);
+/* aes192ccm_functions */
+IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 192, 8, 96);
+/* aes256ccm_functions */
+IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 256, 8, 96);
diff --git a/providers/common/ciphers/cipher_aes_ccm_hw_aesni.inc b/providers/common/ciphers/cipher_aes_ccm_hw_aesni.inc
new file mode 100644 (file)
index 0000000..0ace026
--- /dev/null
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * AES-NI support for AES CCM.
+ * This file is included by cipher_ccm_hw.c
+ */
+
+static int ccm_aesni_initkey(PROV_CCM_CTX *ctx, const unsigned char *key,
+                             size_t keylen)
+{
+    PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
+
+    AES_CCM_SET_KEY_FN(aesni_set_encrypt_key, aesni_encrypt,
+                       aesni_ccm64_encrypt_blocks, aesni_ccm64_decrypt_blocks);
+    return 1;
+}
+
+static const PROV_CCM_HW aesni_ccm = {
+    ccm_aesni_initkey,
+    ccm_generic_setiv,
+    ccm_generic_setaad,
+    ccm_generic_auth_encrypt,
+    ccm_generic_auth_decrypt,
+    ccm_generic_gettag
+};
+
+const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
+{
+    return AESNI_CAPABLE ? &aesni_ccm : &aes_ccm;
+}
diff --git a/providers/common/ciphers/cipher_aes_ccm_hw_s390x.inc b/providers/common/ciphers/cipher_aes_ccm_hw_s390x.inc
new file mode 100644 (file)
index 0000000..a5025e5
--- /dev/null
@@ -0,0 +1,268 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * S390X support for AES CCM.
+ * This file is included by cipher_ccm_hw.c
+ */
+
+#define S390X_CCM_AAD_FLAG 0x40
+
+static int s390x_aes_ccm_initkey(PROV_CCM_CTX *ctx,
+                                 const unsigned char *key, size_t keylen)
+{
+    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+
+    sctx->ccm.s390x.fc = S390X_AES_FC(keylen);
+    memcpy(&sctx->ccm.s390x.kmac.k, key, keylen);
+    /* Store encoded m and l. */
+    sctx->ccm.s390x.nonce.b[0] = ((ctx->l - 1) & 0x7)
+                                | (((ctx->m - 2) >> 1) & 0x7) << 3;
+    memset(sctx->ccm.s390x.nonce.b + 1, 0, sizeof(sctx->ccm.s390x.nonce.b));
+    sctx->ccm.s390x.blocks = 0;
+    ctx->key_set = 1;
+    return 1;
+}
+
+static int s390x_aes_ccm_setiv(PROV_CCM_CTX *ctx,
+                               const unsigned char *nonce, size_t noncelen,
+                               size_t mlen)
+{
+    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+
+    sctx->ccm.s390x.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
+    sctx->ccm.s390x.nonce.g[1] = mlen;
+    memcpy(sctx->ccm.s390x.nonce.b + 1, nonce, 15 - ctx->l);
+    return 1;
+}
+
+/*-
+ * Process additional authenticated data. Code is big-endian.
+ */
+static int s390x_aes_ccm_setaad(PROV_CCM_CTX *ctx,
+                                const unsigned char *aad, size_t alen)
+{
+    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+    unsigned char *ptr;
+    int i, rem;
+
+    if (!alen)
+        return 1;
+
+    sctx->ccm.s390x.nonce.b[0] |= S390X_CCM_AAD_FLAG;
+
+    /* Suppress 'type-punned pointer dereference' warning. */
+    ptr = sctx->ccm.s390x.buf.b;
+
+    if (alen < ((1 << 16) - (1 << 8))) {
+        *(uint16_t *)ptr = alen;
+        i = 2;
+    } else if (sizeof(alen) == 8
+               && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
+        *(uint16_t *)ptr = 0xffff;
+        *(uint64_t *)(ptr + 2) = alen;
+        i = 10;
+    } else {
+        *(uint16_t *)ptr = 0xfffe;
+        *(uint32_t *)(ptr + 2) = alen;
+        i = 6;
+    }
+
+    while (i < 16 && alen) {
+        sctx->ccm.s390x.buf.b[i] = *aad;
+        ++aad;
+        --alen;
+        ++i;
+    }
+    while (i < 16) {
+        sctx->ccm.s390x.buf.b[i] = 0;
+        ++i;
+    }
+
+    sctx->ccm.s390x.kmac.icv.g[0] = 0;
+    sctx->ccm.s390x.kmac.icv.g[1] = 0;
+    s390x_kmac(sctx->ccm.s390x.nonce.b, 32, sctx->ccm.s390x.fc,
+               &sctx->ccm.s390x.kmac);
+    sctx->ccm.s390x.blocks += 2;
+
+    rem = alen & 0xf;
+    alen &= ~(size_t)0xf;
+    if (alen) {
+        s390x_kmac(aad, alen, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
+        sctx->ccm.s390x.blocks += alen >> 4;
+        aad += alen;
+    }
+    if (rem) {
+        for (i = 0; i < rem; i++)
+            sctx->ccm.s390x.kmac.icv.b[i] ^= aad[i];
+
+        s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
+                 sctx->ccm.s390x.kmac.icv.b, sctx->ccm.s390x.fc,
+                 sctx->ccm.s390x.kmac.k);
+        sctx->ccm.s390x.blocks++;
+    }
+    return 1;
+}
+
+/*-
+ * En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 1 for
+ * success.
+ */
+static int s390x_aes_ccm_auth_encdec(PROV_CCM_CTX *ctx,
+                                     const unsigned char *in,
+                                     unsigned char *out, size_t len, int enc)
+{
+    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+    size_t n, rem;
+    unsigned int i, l, num;
+    unsigned char flags;
+
+    flags = sctx->ccm.s390x.nonce.b[0];
+    if (!(flags & S390X_CCM_AAD_FLAG)) {
+        s390x_km(sctx->ccm.s390x.nonce.b, 16, sctx->ccm.s390x.kmac.icv.b,
+                 sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
+        sctx->ccm.s390x.blocks++;
+    }
+    l = flags & 0x7;
+    sctx->ccm.s390x.nonce.b[0] = l;
+
+    /*-
+     * Reconstruct length from encoded length field
+     * and initialize it with counter value.
+     */
+    n = 0;
+    for (i = 15 - l; i < 15; i++) {
+        n |= sctx->ccm.s390x.nonce.b[i];
+        sctx->ccm.s390x.nonce.b[i] = 0;
+        n <<= 8;
+    }
+    n |= sctx->ccm.s390x.nonce.b[15];
+    sctx->ccm.s390x.nonce.b[15] = 1;
+
+    if (n != len)
+        return 0;      /* length mismatch */
+
+    if (enc) {
+        /* Two operations per block plus one for tag encryption */
+        sctx->ccm.s390x.blocks += (((len + 15) >> 4) << 1) + 1;
+        if (sctx->ccm.s390x.blocks > (1ULL << 61))
+            return 0;      /* too much data */
+    }
+
+    num = 0;
+    rem = len & 0xf;
+    len &= ~(size_t)0xf;
+
+    if (enc) {
+        /* mac-then-encrypt */
+        if (len)
+            s390x_kmac(in, len, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
+        if (rem) {
+            for (i = 0; i < rem; i++)
+                sctx->ccm.s390x.kmac.icv.b[i] ^= in[len + i];
+
+            s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
+                     sctx->ccm.s390x.kmac.icv.b,
+                     sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
+        }
+
+        CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &sctx->ccm.ks.ks,
+                                    sctx->ccm.s390x.nonce.b, sctx->ccm.s390x.buf.b,
+                                    &num, (ctr128_f)AES_ctr32_encrypt);
+    } else {
+        /* decrypt-then-mac */
+        CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &sctx->ccm.ks.ks,
+                                    sctx->ccm.s390x.nonce.b, sctx->ccm.s390x.buf.b,
+                                    &num, (ctr128_f)AES_ctr32_encrypt);
+
+        if (len)
+            s390x_kmac(out, len, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
+        if (rem) {
+            for (i = 0; i < rem; i++)
+                sctx->ccm.s390x.kmac.icv.b[i] ^= out[len + i];
+
+            s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
+                     sctx->ccm.s390x.kmac.icv.b,
+                     sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
+        }
+    }
+    /* encrypt tag */
+    for (i = 15 - l; i < 16; i++)
+        sctx->ccm.s390x.nonce.b[i] = 0;
+
+    s390x_km(sctx->ccm.s390x.nonce.b, 16, sctx->ccm.s390x.buf.b,
+             sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
+    sctx->ccm.s390x.kmac.icv.g[0] ^= sctx->ccm.s390x.buf.g[0];
+    sctx->ccm.s390x.kmac.icv.g[1] ^= sctx->ccm.s390x.buf.g[1];
+
+    sctx->ccm.s390x.nonce.b[0] = flags;    /* restore flags field */
+    return 1;
+}
+
+
+static int s390x_aes_ccm_gettag(PROV_CCM_CTX *ctx,
+                                unsigned char *tag, size_t tlen)
+{
+    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+
+    if (tlen > ctx->m)
+        return 0;
+    memcpy(tag, sctx->ccm.s390x.kmac.icv.b, tlen);
+    return 1;
+}
+
+static int s390x_aes_ccm_auth_encrypt(PROV_CCM_CTX *ctx,
+                                      const unsigned char *in,
+                                      unsigned char *out, size_t len,
+                                      unsigned char *tag, size_t taglen)
+{
+    int rv;
+
+    rv = s390x_aes_ccm_auth_encdec(ctx, in, out, len, 1);
+    if (rv && tag != NULL)
+        rv = s390x_aes_ccm_gettag(ctx, tag, taglen);
+    return rv;
+}
+
+static int s390x_aes_ccm_auth_decrypt(PROV_CCM_CTX *ctx,
+                                      const unsigned char *in,
+                                      unsigned char *out, size_t len,
+                                      unsigned char *expected_tag,
+                                      size_t taglen)
+{
+    int rv = 0;
+    PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
+
+    rv = s390x_aes_ccm_auth_encdec(ctx, in, out, len, 0);
+    if (rv) {
+        if (CRYPTO_memcmp(sctx->ccm.s390x.kmac.icv.b, expected_tag, ctx->m) != 0)
+            rv = 0;
+    }
+    if (rv == 0)
+        OPENSSL_cleanse(out, len);
+    return rv;
+}
+
+static const PROV_CCM_HW s390x_aes_ccm = {
+    s390x_aes_ccm_initkey,
+    s390x_aes_ccm_setiv,
+    s390x_aes_ccm_setaad,
+    s390x_aes_ccm_auth_encrypt,
+    s390x_aes_ccm_auth_decrypt,
+    s390x_aes_ccm_gettag
+};
+
+const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
+{
+    if ((keybits == 128 && S390X_aes_128_ccm_CAPABLE)
+         || (keybits == 192 && S390X_aes_192_ccm_CAPABLE)
+         || (keybits == 256 && S390X_aes_256_ccm_CAPABLE))
+        return &s390x_aes_ccm;
+    return &aes_ccm;
+}
diff --git a/providers/common/ciphers/cipher_aes_ccm_hw_t4.inc b/providers/common/ciphers/cipher_aes_ccm_hw_t4.inc
new file mode 100644 (file)
index 0000000..0dc6efc
--- /dev/null
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Fujitsu SPARC64 X support for AES CCM.
+ * This file is included by cipher_ccm_hw.c
+ */
+
+static int ccm_t4_aes_initkey(PROV_CCM_CTX *ctx, const unsigned char *key,
+                              size_t keylen)
+{
+    PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
+
+    AES_CCM_SET_KEY_FN(aes_t4_set_encrypt_key, aes_t4_encrypt, NULL, NULL);
+    return 1;
+}
+
+static const PROV_CCM_HW t4_aes_ccm = {
+    ccm_t4_aes_initkey,
+    ccm_generic_setiv,
+    ccm_generic_setaad,
+    ccm_generic_auth_encrypt,
+    ccm_generic_auth_decrypt,
+    ccm_generic_gettag
+};
+
+const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
+{
+    return SPARC_AES_CAPABLE ? &t4_aes_ccm : &aes_ccm;
+}
diff --git a/providers/common/ciphers/cipher_aes_gcm.c b/providers/common/ciphers/cipher_aes_gcm.c
new file mode 100644 (file)
index 0000000..60df025
--- /dev/null
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for AES GCM mode */
+
+#include "cipher_locl.h"
+
+static void *aes_gcm_newctx(void *provctx, size_t keybits)
+{
+    PROV_AES_GCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+    if (ctx != NULL)
+        gcm_initctx(provctx, &ctx->base, keybits, PROV_AES_HW_gcm(keybits), 8);
+    return ctx;
+}
+
+static OSSL_OP_cipher_freectx_fn aes_gcm_freectx;
+static void aes_gcm_freectx(void *vctx)
+{
+    PROV_AES_GCM_CTX *ctx = (PROV_AES_GCM_CTX *)vctx;
+
+    gcm_deinitctx((PROV_GCM_CTX *)ctx);
+    OPENSSL_clear_free(ctx,  sizeof(*ctx));
+}
+
+/* aes128gcm_functions */
+IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 128, 8, 96);
+/* aes192gcm_functions */
+IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 192, 8, 96);
+/* aes256gcm_functions */
+IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 256, 8, 96);
diff --git a/providers/common/ciphers/cipher_aes_gcm_hw_aesni.inc b/providers/common/ciphers/cipher_aes_gcm_hw_aesni.inc
new file mode 100644 (file)
index 0000000..c0cb231
--- /dev/null
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * AES-NI support for AES GCM.
+ * This file is included by cipher_gcm_hw.c
+ */
+
+static int aesni_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+                             size_t keylen)
+{
+    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+    AES_KEY *ks = &actx->ks.ks;
+
+    SET_KEY_CTR_FN(ks, aesni_set_encrypt_key, aesni_encrypt,
+                   aesni_ctr32_encrypt_blocks);
+    return 1;
+}
+
+static const PROV_GCM_HW aesni_gcm = {
+    aesni_gcm_initkey,
+    gcm_setiv,
+    gcm_aad_update,
+    gcm_cipher_update,
+    gcm_cipher_final,
+    gcm_one_shot
+};
+
+const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
+{
+    return AESNI_CAPABLE ? &aesni_gcm : &aes_gcm;
+}
+
diff --git a/providers/common/ciphers/cipher_aes_gcm_hw_s390x.inc b/providers/common/ciphers/cipher_aes_gcm_hw_s390x.inc
new file mode 100644 (file)
index 0000000..ceb733d
--- /dev/null
@@ -0,0 +1,303 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * IBM S390X support for AES GCM.
+ * This file is included by cipher_gcm_hw.c
+ */
+
+/* iv + padding length for iv lengths != 12 */
+#define S390X_gcm_ivpadlen(i)  ((((i) + 15) >> 4 << 4) + 16)
+
+static int s390x_aes_gcm_initkey(PROV_GCM_CTX *ctx,
+                                 const unsigned char *key, size_t keylen)
+{
+    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+
+    ctx->key_set = 1;
+    memcpy(&actx->plat.s390x.param.kma.k, key, keylen);
+    actx->plat.s390x.fc = S390X_AES_FC(keylen);
+    if (!ctx->enc)
+        actx->plat.s390x.fc |= S390X_DECRYPT;
+    return 1;
+}
+
+static int s390x_aes_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv,
+                               size_t ivlen)
+{
+    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
+
+    kma->t.g[0] = 0;
+    kma->t.g[1] = 0;
+    kma->tpcl = 0;
+    kma->taadl = 0;
+    actx->plat.s390x.mreslen = 0;
+    actx->plat.s390x.areslen = 0;
+    actx->plat.s390x.kreslen = 0;
+
+    if (ivlen == GCM_IV_DEFAULT_SIZE) {
+        memcpy(&kma->j0, iv, ivlen);
+        kma->j0.w[3] = 1;
+        kma->cv.w = 1;
+    } else {
+        unsigned long long ivbits = ivlen << 3;
+        size_t len = S390X_gcm_ivpadlen(ivlen);
+        unsigned char iv_zero_pad[S390X_gcm_ivpadlen(GCM_IV_MAX_SIZE)];
+        /*
+         * The IV length needs to be zero padded to be a multiple of 16 bytes
+         * followed by 8 bytes of zeros and 8 bytes for the IV length.
+         * The GHASH of this value can then be calculated.
+         */
+        memcpy(iv_zero_pad, iv, ivlen);
+        memset(iv_zero_pad + ivlen, 0, len - ivlen);
+        memcpy(iv_zero_pad + len - sizeof(ivbits), &ivbits, sizeof(ivbits));
+        /*
+         * Calculate the ghash of the iv - the result is stored into the tag
+         * param.
+         */
+        s390x_kma(iv_zero_pad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
+        actx->plat.s390x.fc |= S390X_KMA_HS; /* The hash subkey is set */
+
+        /* Copy the 128 bit GHASH result into J0 and clear the tag */
+        kma->j0.g[0] = kma->t.g[0];
+        kma->j0.g[1] = kma->t.g[1];
+        kma->t.g[0] = 0;
+        kma->t.g[1] = 0;
+        /* Set the 32 bit counter */
+        kma->cv.w = kma->j0.w[3];
+    }
+    return 1;
+}
+
+static int s390x_aes_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag)
+{
+    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
+    unsigned char out[AES_BLOCK_SIZE];
+    int rc;
+
+    kma->taadl <<= 3;
+    kma->tpcl <<= 3;
+    s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
+              actx->plat.s390x.mres, actx->plat.s390x.mreslen, out,
+              actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma);
+
+    /* gctx->mres already returned to the caller */
+    OPENSSL_cleanse(out, actx->plat.s390x.mreslen);
+
+    if (ctx->enc) {
+        ctx->taglen = GCM_TAG_MAX_SIZE;
+        memcpy(tag, kma->t.b, ctx->taglen);
+        rc = 1;
+    } else {
+        if (ctx->taglen < 0)
+            rc = 0;
+        else
+            rc = (CRYPTO_memcmp(tag, kma->t.b, ctx->taglen) == 0);
+    }
+    return rc;
+}
+
+static int s390x_aes_gcm_one_shot(PROV_GCM_CTX *ctx,
+                                  unsigned char *aad, size_t aad_len,
+                                  const unsigned char *in, size_t in_len,
+                                  unsigned char *out,
+                                  unsigned char *tag, size_t taglen)
+{
+    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
+    int rc;
+
+    kma->taadl = aad_len << 3;
+    kma->tpcl = in_len << 3;
+    s390x_kma(aad, aad_len, in, in_len, out,
+              actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma);
+
+    if (ctx->enc) {
+        memcpy(tag, kma->t.b, taglen);
+        rc = 1;
+    } else {
+        rc = (CRYPTO_memcmp(tag, kma->t.b, taglen) == 0);
+    }
+    return rc;
+}
+
+/*
+ * Process additional authenticated data. Returns 1 on success. Code is
+ * big-endian.
+ */
+static int s390x_aes_gcm_aad_update(PROV_GCM_CTX *ctx,
+                                    const unsigned char *aad, size_t len)
+{
+    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
+    unsigned long long alen;
+    int n, rem;
+
+    /* If already processed pt/ct then error */
+    if (kma->tpcl != 0)
+        return 0;
+
+    /* update the total aad length */
+    alen = kma->taadl + len;
+    if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
+        return 0;
+    kma->taadl = alen;
+
+    /* check if there is any existing aad data from a previous add */
+    n = actx->plat.s390x.areslen;
+    if (n) {
+        /* add additional data to a buffer until it has 16 bytes */
+        while (n && len) {
+            actx->plat.s390x.ares[n] = *aad;
+            ++aad;
+            --len;
+            n = (n + 1) & 0xf;
+        }
+        /* ctx->ares contains a complete block if offset has wrapped around */
+        if (!n) {
+            s390x_kma(actx->plat.s390x.ares, 16, NULL, 0, NULL,
+                      actx->plat.s390x.fc, kma);
+            actx->plat.s390x.fc |= S390X_KMA_HS;
+        }
+        actx->plat.s390x.areslen = n;
+    }
+
+    /* If there are leftover bytes (< 128 bits) save them for next time */
+    rem = len & 0xf;
+    /* Add any remaining 16 byte blocks (128 bit each) */
+    len &= ~(size_t)0xf;
+    if (len) {
+        s390x_kma(aad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
+        actx->plat.s390x.fc |= S390X_KMA_HS;
+        aad += len;
+    }
+
+    if (rem) {
+        actx->plat.s390x.areslen = rem;
+
+        do {
+            --rem;
+            actx->plat.s390x.ares[rem] = aad[rem];
+        } while (rem);
+    }
+    return 1;
+}
+
+/*-
+ * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 1 for
+ * success. Code is big-endian.
+ */
+static int s390x_aes_gcm_cipher_update(PROV_GCM_CTX *ctx,
+                                       const unsigned char *in, size_t len,
+                                       unsigned char *out)
+{
+    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
+    const unsigned char *inptr;
+    unsigned long long mlen;
+    union {
+        unsigned int w[4];
+        unsigned char b[16];
+    } buf;
+    size_t inlen;
+    int n, rem, i;
+
+    mlen = kma->tpcl + len;
+    if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
+        return 0;
+    kma->tpcl = mlen;
+
+    n = actx->plat.s390x.mreslen;
+    if (n) {
+        inptr = in;
+        inlen = len;
+        while (n && inlen) {
+            actx->plat.s390x.mres[n] = *inptr;
+            n = (n + 1) & 0xf;
+            ++inptr;
+            --inlen;
+        }
+        /* ctx->mres contains a complete block if offset has wrapped around */
+        if (!n) {
+            s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
+                      actx->plat.s390x.mres, 16, buf.b,
+                      actx->plat.s390x.fc | S390X_KMA_LAAD, kma);
+            actx->plat.s390x.fc |= S390X_KMA_HS;
+            actx->plat.s390x.areslen = 0;
+
+            /* previous call already encrypted/decrypted its remainder,
+             * see comment below */
+            n = actx->plat.s390x.mreslen;
+            while (n) {
+                *out = buf.b[n];
+                n = (n + 1) & 0xf;
+                ++out;
+                ++in;
+                --len;
+            }
+            actx->plat.s390x.mreslen = 0;
+        }
+    }
+
+    rem = len & 0xf;
+
+    len &= ~(size_t)0xf;
+    if (len) {
+        s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen, in, len, out,
+                  actx->plat.s390x.fc | S390X_KMA_LAAD, kma);
+        in += len;
+        out += len;
+        actx->plat.s390x.fc |= S390X_KMA_HS;
+        actx->plat.s390x.areslen = 0;
+    }
+
+    /*-
+     * If there is a remainder, it has to be saved such that it can be
+     * processed by kma later. However, we also have to do the for-now
+     * unauthenticated encryption/decryption part here and now...
+     */
+    if (rem) {
+        if (!actx->plat.s390x.mreslen) {
+            buf.w[0] = kma->j0.w[0];
+            buf.w[1] = kma->j0.w[1];
+            buf.w[2] = kma->j0.w[2];
+            buf.w[3] = kma->cv.w + 1;
+            s390x_km(buf.b, 16, actx->plat.s390x.kres,
+                     actx->plat.s390x.fc & 0x1f, &kma->k);
+        }
+
+        n = actx->plat.s390x.mreslen;
+        for (i = 0; i < rem; i++) {
+            actx->plat.s390x.mres[n + i] = in[i];
+            out[i] = in[i] ^ actx->plat.s390x.kres[n + i];
+        }
+        actx->plat.s390x.mreslen += rem;
+    }
+    return 1;
+}
+
+static const PROV_GCM_HW s390x_aes_gcm = {
+    s390x_aes_gcm_initkey,
+    s390x_aes_gcm_setiv,
+    s390x_aes_gcm_aad_update,
+    s390x_aes_gcm_cipher_update,
+    s390x_aes_gcm_cipher_final,
+    s390x_aes_gcm_one_shot
+};
+
+const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
+{
+    if ((keybits == 128 && S390X_aes_128_gcm_CAPABLE)
+         || (keybits == 192 && S390X_aes_192_gcm_CAPABLE)
+         || (keybits == 256 && S390X_aes_256_gcm_CAPABLE))
+        return &s390x_aes_gcm;
+    return &aes_gcm;
+}
diff --git a/providers/common/ciphers/cipher_aes_gcm_hw_t4.inc b/providers/common/ciphers/cipher_aes_gcm_hw_t4.inc
new file mode 100644 (file)
index 0000000..0cb3f81
--- /dev/null
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Fujitsu SPARC64 X support for AES GCM.
+ * This file is included by cipher_gcm_hw.c
+ */
+
+static int t4_aes_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+                              size_t keylen)
+{
+    ctr128_f ctr;
+    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+    AES_KEY *ks = &actx->ks.ks;
+
+
+    switch (keylen) {
+    case 16:
+        ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
+        break;
+    case 24:
+        ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
+        break;
+    case 32:
+        ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
+        break;
+    default:
+        return 0;
+    }
+
+    SET_KEY_CTR_FN(ks, aes_t4_set_encrypt_key, aes_t4_encrypt, ctr);
+    return 1;
+}
+
+static const PROV_GCM_HW t4_aes_gcm = {
+    t4_aes_gcm_initkey,
+    gcm_setiv,
+    gcm_aad_update,
+    gcm_cipher_update,
+    gcm_cipher_final,
+    gcm_one_shot
+};
+const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
+{
+    return SPARC_AES_CAPABLE ? &t4_aes_gcm : &aes_gcm;
+}
diff --git a/providers/common/ciphers/cipher_aes_hw.c b/providers/common/ciphers/cipher_aes_hw.c
new file mode 100644 (file)
index 0000000..d80c63e
--- /dev/null
@@ -0,0 +1,138 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+static int cipher_hw_aes_initkey(PROV_CIPHER_CTX *dat,
+                                 const unsigned char *key, size_t keylen)
+{
+    int ret;
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+    AES_KEY *ks = &adat->ks.ks;
+
+    dat->ks = ks;
+
+    if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+        && !dat->enc) {
+#ifdef HWAES_CAPABLE
+        if (HWAES_CAPABLE) {
+            ret = HWAES_set_decrypt_key(key, keylen * 8, ks);
+            dat->block = (block128_f)HWAES_decrypt;
+            dat->stream.cbc = NULL;
+# ifdef HWAES_cbc_encrypt
+            if (dat->mode == EVP_CIPH_CBC_MODE)
+                dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
+# endif
+        } else
+#endif
+#ifdef BSAES_CAPABLE
+        if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CBC_MODE) {
+            ret = AES_set_decrypt_key(key, keylen * 8, ks);
+            dat->block = (block128_f)AES_decrypt;
+            dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
+        } else
+#endif
+#ifdef VPAES_CAPABLE
+        if (VPAES_CAPABLE) {
+            ret = vpaes_set_decrypt_key(key, keylen * 8, ks);
+            dat->block = (block128_f)vpaes_decrypt;
+            dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+                              ?(cbc128_f)vpaes_cbc_encrypt : NULL;
+        } else
+#endif
+        {
+            ret = AES_set_decrypt_key(key, keylen * 8, ks);
+            dat->block = (block128_f)AES_decrypt;
+            dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+                              ? (cbc128_f)AES_cbc_encrypt : NULL;
+        }
+    } else
+#ifdef HWAES_CAPABLE
+    if (HWAES_CAPABLE) {
+        ret = HWAES_set_encrypt_key(key, keylen * 8, ks);
+        dat->block = (block128_f)HWAES_encrypt;
+        dat->stream.cbc = NULL;
+# ifdef HWAES_cbc_encrypt
+        if (dat->mode == EVP_CIPH_CBC_MODE)
+            dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
+        else
+# endif
+# ifdef HWAES_ctr32_encrypt_blocks
+        if (dat->mode == EVP_CIPH_CTR_MODE)
+            dat->stream.ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks;
+        else
+# endif
+            (void)0;            /* terminate potentially open 'else' */
+    } else
+#endif
+#ifdef BSAES_CAPABLE
+    if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CTR_MODE) {
+        ret = AES_set_encrypt_key(key, keylen * 8, ks);
+        dat->block = (block128_f)AES_encrypt;
+        dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
+    } else
+#endif
+#ifdef VPAES_CAPABLE
+    if (VPAES_CAPABLE) {
+        ret = vpaes_set_encrypt_key(key, keylen * 8, ks);
+        dat->block = (block128_f)vpaes_encrypt;
+        dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+                          ? (cbc128_f)vpaes_cbc_encrypt : NULL;
+    } else
+#endif
+    {
+        ret = AES_set_encrypt_key(key, keylen * 8, ks);
+        dat->block = (block128_f)AES_encrypt;
+        dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+                          ? (cbc128_f)AES_cbc_encrypt : NULL;
+#ifdef AES_CTR_ASM
+        if (dat->mode == EVP_CIPH_CTR_MODE)
+            dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
+#endif
+    }
+
+    if (ret < 0) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
+        return 0;
+    }
+
+    return 1;
+}
+
+#define PROV_CIPHER_HW_aes_mode(mode)                                          \
+static const PROV_CIPHER_HW aes_##mode = {                                     \
+    cipher_hw_aes_initkey,                                                     \
+    cipher_hw_generic_##mode                                                   \
+};                                                                             \
+PROV_CIPHER_HW_declare(mode)                                                   \
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_##mode(size_t keybits)                \
+{                                                                              \
+    PROV_CIPHER_HW_select(mode)                                                \
+    return &aes_##mode;                                                        \
+}
+
+#if defined(AESNI_CAPABLE)
+# include "cipher_aes_hw_aesni.inc"
+#elif defined(SPARC_AES_CAPABLE)
+# include "cipher_aes_hw_t4.inc"
+#elif defined(S390X_aes_128_CAPABLE)
+# include "cipher_aes_hw_s390x.inc"
+#else
+/* The generic case */
+# define PROV_CIPHER_HW_declare(mode)
+# define PROV_CIPHER_HW_select(mode)
+#endif
+
+PROV_CIPHER_HW_aes_mode(cbc)
+PROV_CIPHER_HW_aes_mode(ecb)
+PROV_CIPHER_HW_aes_mode(ofb128)
+PROV_CIPHER_HW_aes_mode(cfb128)
+PROV_CIPHER_HW_aes_mode(cfb1)
+PROV_CIPHER_HW_aes_mode(cfb8)
+PROV_CIPHER_HW_aes_mode(ctr)
diff --git a/providers/common/ciphers/cipher_aes_hw_aesni.inc b/providers/common/ciphers/cipher_aes_hw_aesni.inc
new file mode 100644 (file)
index 0000000..6070939
--- /dev/null
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * AES-NI support for AES modes ecb, cbc, ofb, cfb, ctr.
+ * This file is included by cipher_aes_hw.c
+ */
+
+#define cipher_hw_aesni_ofb128 cipher_hw_generic_ofb128
+#define cipher_hw_aesni_cfb128 cipher_hw_generic_cfb128
+#define cipher_hw_aesni_cfb8   cipher_hw_generic_cfb8
+#define cipher_hw_aesni_cfb1   cipher_hw_generic_cfb1
+#define cipher_hw_aesni_ctr    cipher_hw_generic_ctr
+
+static int cipher_hw_aesni_initkey(PROV_CIPHER_CTX *dat,
+                                   const unsigned char *key, size_t keylen)
+{
+    int ret;
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+    AES_KEY *ks = &adat->ks.ks;
+
+    dat->ks = ks;
+
+    if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+        && !dat->enc) {
+        ret = aesni_set_decrypt_key(key, keylen * 8, ks);
+        dat->block = (block128_f) aesni_decrypt;
+        dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+            (cbc128_f) aesni_cbc_encrypt : NULL;
+    } else {
+        ret = aesni_set_encrypt_key(key, keylen * 8, ks);
+        dat->block = (block128_f) aesni_encrypt;
+        if (dat->mode == EVP_CIPH_CBC_MODE)
+            dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
+        else if (dat->mode == EVP_CIPH_CTR_MODE)
+            dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
+        else
+            dat->stream.cbc = NULL;
+    }
+
+    if (ret < 0) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
+        return 0;
+    }
+
+    return 1;
+}
+
+static int cipher_hw_aesni_cbc(PROV_CIPHER_CTX *ctx, unsigned char *out,
+                               const unsigned char *in, size_t len)
+{
+    const AES_KEY *ks = ctx->ks;
+
+    aesni_cbc_encrypt(in, out, len, ks, ctx->iv, ctx->enc);
+
+    return 1;
+}
+
+static int cipher_hw_aesni_ecb(PROV_CIPHER_CTX *ctx, unsigned char *out,
+                               const unsigned char *in, size_t len)
+{
+    if (len < ctx->blocksize)
+        return 1;
+
+    aesni_ecb_encrypt(in, out, len, ctx->ks, ctx->enc);
+
+    return 1;
+}
+
+#define PROV_CIPHER_HW_declare(mode)                                           \
+static const PROV_CIPHER_HW aesni_##mode = {                                   \
+    cipher_hw_aesni_initkey,                                                   \
+    cipher_hw_aesni_##mode                                                     \
+};
+#define PROV_CIPHER_HW_select(mode)                                            \
+if (AESNI_CAPABLE)                                                             \
+    return &aesni_##mode;
diff --git a/providers/common/ciphers/cipher_aes_hw_s390x.inc b/providers/common/ciphers/cipher_aes_hw_s390x.inc
new file mode 100644 (file)
index 0000000..1a8ee07
--- /dev/null
@@ -0,0 +1,196 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * IBM S390X support for AES modes ecb, cbc, ofb, cfb, ctr.
+ * This file is included by cipher_aes_hw.c
+ */
+
+#include "s390x_arch.h"
+
+#define s390x_aes_cbc_initkey    cipher_hw_aes_initkey
+#define s390x_aes_cfb1_initkey   cipher_hw_aes_initkey
+#define s390x_aes_ctr_initkey    cipher_hw_aes_initkey
+#define s390x_aes_cbc_cipher_hw  cipher_hw_generic_cbc
+#define s390x_aes_cfb1_cipher_hw cipher_hw_generic_cfb1
+#define s390x_aes_ctr_cipher_hw  cipher_hw_generic_ctr
+
+static int s390x_aes_ecb_initkey(PROV_CIPHER_CTX *dat,
+                                 const unsigned char *key, size_t keylen)
+{
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+    adat->plat.s390x.fc = S390X_AES_FC(keylen);
+    if (!dat->enc)
+        adat->plat.s390x.fc |= S390X_DECRYPT;
+
+    memcpy(adat->plat.s390x.param.km.k, key, keylen);
+    return 1;
+}
+
+static int s390x_aes_ecb_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
+                                   const unsigned char *in, size_t len)
+{
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+    s390x_km(in, len, out, adat->plat.s390x.fc, &adat->plat.s390x.param.km);
+    return 1;
+}
+
+static int s390x_aes_ofb_initkey(PROV_CIPHER_CTX *dat,
+                                 const unsigned char *key, size_t keylen)
+{
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+    memcpy(adat->plat.s390x.param.kmo_kmf.cv, dat->iv, dat->blocksize);
+    memcpy(adat->plat.s390x.param.kmo_kmf.k, key, keylen);
+    adat->plat.s390x.fc = S390X_AES_FC(keylen);
+    adat->plat.s390x.res = 0;
+    return 1;
+}
+
+static int s390x_aes_ofb_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
+                                   const unsigned char *in, size_t len)
+{
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+    int n = adat->plat.s390x.res;
+    int rem;
+
+    while (n && len) {
+        *out = *in ^ adat->plat.s390x.param.kmo_kmf.cv[n];
+        n = (n + 1) & 0xf;
+        --len;
+        ++in;
+        ++out;
+    }
+
+    rem = len & 0xf;
+
+    len &= ~(size_t)0xf;
+    if (len) {
+        s390x_kmo(in, len, out, adat->plat.s390x.fc,
+                  &adat->plat.s390x.param.kmo_kmf);
+
+        out += len;
+        in += len;
+    }
+
+    if (rem) {
+        s390x_km(adat->plat.s390x.param.kmo_kmf.cv, 16,
+                 adat->plat.s390x.param.kmo_kmf.cv, adat->plat.s390x.fc,
+                 adat->plat.s390x.param.kmo_kmf.k);
+
+        while (rem--) {
+            out[n] = in[n] ^ adat->plat.s390x.param.kmo_kmf.cv[n];
+            ++n;
+        }
+    }
+
+    adat->plat.s390x.res = n;
+    return 1;
+}
+
+static int s390x_aes_cfb_initkey(PROV_CIPHER_CTX *dat,
+                                 const unsigned char *key, size_t keylen)
+{
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+    adat->plat.s390x.fc = S390X_AES_FC(keylen);
+    adat->plat.s390x.fc |= 16 << 24;   /* 16 bytes cipher feedback */
+    if (!dat->enc)
+        adat->plat.s390x.fc |= S390X_DECRYPT;
+
+    adat->plat.s390x.res = 0;
+    memcpy(adat->plat.s390x.param.kmo_kmf.cv, dat->iv, dat->blocksize);
+    memcpy(adat->plat.s390x.param.kmo_kmf.k, key, keylen);
+    return 1;
+}
+
+static int s390x_aes_cfb_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
+                                   const unsigned char *in, size_t len)
+{
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+    int n = adat->plat.s390x.res;
+    int rem;
+    unsigned char tmp;
+
+    while (n && len) {
+        tmp = *in;
+        *out = adat->plat.s390x.param.kmo_kmf.cv[n] ^ tmp;
+        adat->plat.s390x.param.kmo_kmf.cv[n] = dat->enc ? *out : tmp;
+        n = (n + 1) & 0xf;
+        --len;
+        ++in;
+        ++out;
+    }
+
+    rem = len & 0xf;
+
+    len &= ~(size_t)0xf;
+    if (len) {
+        s390x_kmf(in, len, out, adat->plat.s390x.fc,
+                  &adat->plat.s390x.param.kmo_kmf);
+
+        out += len;
+        in += len;
+    }
+
+    if (rem) {
+        s390x_km(adat->plat.s390x.param.kmo_kmf.cv, 16,
+                 adat->plat.s390x.param.kmo_kmf.cv,
+                 S390X_AES_FC(dat->keylen), adat->plat.s390x.param.kmo_kmf.k);
+
+        while (rem--) {
+            tmp = in[n];
+            out[n] = adat->plat.s390x.param.kmo_kmf.cv[n] ^ tmp;
+            adat->plat.s390x.param.kmo_kmf.cv[n] = dat->enc ? out[n] : tmp;
+            ++n;
+        }
+    }
+
+    adat->plat.s390x.res = n;
+    return 1;
+}
+
+static int s390x_aes_cfb8_initkey(PROV_CIPHER_CTX *dat,
+                                  const unsigned char *key, size_t keylen)
+{
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+    adat->plat.s390x.fc = S390X_AES_FC(keylen);
+    adat->plat.s390x.fc |= 1 << 24;   /* 1 byte cipher feedback */
+    if (!dat->enc)
+        adat->plat.s390x.fc |= S390X_DECRYPT;
+
+    memcpy(adat->plat.s390x.param.kmo_kmf.cv, dat->iv, dat->blocksize);
+    memcpy(adat->plat.s390x.param.kmo_kmf.k, key, keylen);
+    return 1;
+}
+
+static int s390x_aes_cfb8_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
+                                    const unsigned char *in, size_t len)
+{
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+    s390x_kmf(in, len, out, adat->plat.s390x.fc,
+              &adat->plat.s390x.param.kmo_kmf);
+    return 1;
+}
+
+#define PROV_CIPHER_HW_declare(mode)                                           \
+static const PROV_CIPHER_HW s390x_aes_##mode = {                               \
+    s390x_aes_##mode##_initkey,                                                \
+    s390x_aes_##mode##_cipher_hw                                               \
+};
+#define PROV_CIPHER_HW_select(mode)                                            \
+if ((keybits == 128 && S390X_aes_128_##mode##_CAPABLE)                         \
+     || (keybits == 192 && S390X_aes_192_##mode##_CAPABLE)                     \
+     || (keybits == 256 && S390X_aes_256_##mode##_CAPABLE))                    \
+    return &s390x_aes_##mode;
+
diff --git a/providers/common/ciphers/cipher_aes_hw_t4.inc b/providers/common/ciphers/cipher_aes_hw_t4.inc
new file mode 100644 (file)
index 0000000..f7e363e
--- /dev/null
@@ -0,0 +1,94 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Sparc t4 support for AES modes ecb, cbc, ofb, cfb, ctr.
+ * This file is included by cipher_aes_hw.c
+ */
+
+static int cipher_hw_aes_t4_initkey(PROV_CIPHER_CTX *dat,
+                                    const unsigned char *key, size_t keylen)
+{
+    int ret, bits;
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+
+    dat->ks = &adat->ks.ks;
+
+    bits = keylen * 8;
+    if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+        && !dat->enc) {
+        ret = 0;
+        aes_t4_set_decrypt_key(key, bits, dat->ks);
+        dat->block = (block128_f) aes_t4_decrypt;
+        switch (bits) {
+        case 128:
+            dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+                (cbc128_f) aes128_t4_cbc_decrypt : NULL;
+            break;
+        case 192:
+            dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+                (cbc128_f) aes192_t4_cbc_decrypt : NULL;
+            break;
+        case 256:
+            dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+                (cbc128_f) aes256_t4_cbc_decrypt : NULL;
+            break;
+        default:
+            ret = -1;
+        }
+    } else {
+        ret = 0;
+        aes_t4_set_encrypt_key(key, bits, dat->ks);
+        dat->block = (block128_f)aes_t4_encrypt;
+        switch (bits) {
+        case 128:
+            if (dat->mode == EVP_CIPH_CBC_MODE)
+                dat->stream.cbc = (cbc128_f)aes128_t4_cbc_encrypt;
+            else if (dat->mode == EVP_CIPH_CTR_MODE)
+                dat->stream.ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
+            else
+                dat->stream.cbc = NULL;
+            break;
+        case 192:
+            if (dat->mode == EVP_CIPH_CBC_MODE)
+                dat->stream.cbc = (cbc128_f)aes192_t4_cbc_encrypt;
+            else if (dat->mode == EVP_CIPH_CTR_MODE)
+                dat->stream.ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
+            else
+                dat->stream.cbc = NULL;
+            break;
+        case 256:
+            if (dat->mode == EVP_CIPH_CBC_MODE)
+                dat->stream.cbc = (cbc128_f)aes256_t4_cbc_encrypt;
+            else if (dat->mode == EVP_CIPH_CTR_MODE)
+                dat->stream.ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
+            else
+                dat->stream.cbc = NULL;
+            break;
+        default:
+            ret = -1;
+        }
+    }
+
+    if (ret < 0) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_AES_KEY_SETUP_FAILED);
+        return 0;
+    }
+
+    return 1;
+}
+
+#define PROV_CIPHER_HW_declare(mode)                                           \
+static const PROV_CIPHER_HW aes_t4_##mode = {                                  \
+    cipher_hw_aes_t4_initkey,                                                  \
+    cipher_hw_generic_##mode                                                   \
+};
+#define PROV_CIPHER_HW_select(mode)                                            \
+    if (SPARC_AES_CAPABLE)                                                     \
+        return aes_t4_##mode;
diff --git a/providers/common/ciphers/cipher_aria.c b/providers/common/ciphers/cipher_aria.c
new file mode 100644 (file)
index 0000000..5b7e839
--- /dev/null
@@ -0,0 +1,79 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for ARIA cipher modes ecb, cbc, ofb, cfb, ctr */
+
+#include "cipher_locl.h"
+
+static OSSL_OP_cipher_freectx_fn aria_freectx;
+static OSSL_OP_cipher_dupctx_fn aria_dupctx;
+
+static void aria_freectx(void *vctx)
+{
+    PROV_ARIA_CTX *ctx = (PROV_ARIA_CTX *)vctx;
+
+    OPENSSL_clear_free(ctx,  sizeof(*ctx));
+}
+
+static void *aria_dupctx(void *ctx)
+{
+    PROV_ARIA_CTX *in = (PROV_ARIA_CTX *)ctx;
+    PROV_ARIA_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+
+    if (ret == NULL) {
+        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    *ret = *in;
+
+    return ret;
+}
+
+/* aria256ecb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 256, 128, 0, block)
+/* aria192ecb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 192, 128, 0, block)
+/* aria128ecb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 128, 128, 0, block)
+/* aria256cbc_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 256, 128, 128, block)
+/* aria192cbc_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 192, 128, 128, block)
+/* aria128cbc_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 128, 128, 128, block)
+/* aria256ofb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 256, 8, 128, stream)
+/* aria192ofb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 192, 8, 128, stream)
+/* aria128ofb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 128, 8, 128, stream)
+/* aria256cfb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb,  CFB, 0, 256, 8, 128, stream)
+/* aria192cfb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb,  CFB, 0, 192, 8, 128, stream)
+/* aria128cfb_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb,  CFB, 0, 128, 8, 128, stream)
+/* aria256cfb1_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 256, 8, 128, stream)
+/* aria192cfb1_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 192, 8, 128, stream)
+/* aria128cfb1_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 128, 8, 128, stream)
+/* aria256cfb8_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 256, 8, 128, stream)
+/* aria192cfb8_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 192, 8, 128, stream)
+/* aria128cfb8_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 128, 8, 128, stream)
+/* aria256ctr_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 256, 8, 128, stream)
+/* aria192ctr_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 192, 8, 128, stream)
+/* aria128ctr_functions */
+IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 128, 8, 128, stream)
diff --git a/providers/common/ciphers/cipher_aria.h b/providers/common/ciphers/cipher_aria.h
new file mode 100644 (file)
index 0000000..2b8015f
--- /dev/null
@@ -0,0 +1,31 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#if !defined(OPENSSL_NO_ARIA)
+# include "internal/aria.h"
+
+typedef struct prov_aria_ctx_st {
+    PROV_CIPHER_CTX base;      /* Must be first */
+    union {
+        OSSL_UNION_ALIGN;
+        ARIA_KEY ks;
+    } ks;
+} PROV_ARIA_CTX;
+
+# define PROV_CIPHER_HW_aria_ofb PROV_CIPHER_HW_aria_ofb128
+# define PROV_CIPHER_HW_aria_cfb PROV_CIPHER_HW_aria_cfb128
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_ecb(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_cbc(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_ofb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_cfb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_cfb1(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_cfb8(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_ctr(size_t keybits);
+
+#endif /* OPENSSL_NO_ARIA */
diff --git a/providers/common/ciphers/cipher_aria_ccm.c b/providers/common/ciphers/cipher_aria_ccm.c
new file mode 100644 (file)
index 0000000..061ce53
--- /dev/null
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for ARIA CCM mode */
+
+#include "cipher_locl.h"
+
+static void *aria_ccm_newctx(void *provctx, size_t keybits)
+{
+    PROV_ARIA_CCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+    if (ctx != NULL)
+        ccm_initctx(&ctx->base, keybits, PROV_ARIA_HW_ccm(keybits));
+    return ctx;
+}
+
+static OSSL_OP_cipher_freectx_fn aria_ccm_freectx;
+static void aria_ccm_freectx(void *vctx)
+{
+    PROV_ARIA_CCM_CTX *ctx = (PROV_ARIA_CCM_CTX *)vctx;
+
+    ccm_finalctx((PROV_CCM_CTX *)ctx);
+    OPENSSL_clear_free(ctx,  sizeof(*ctx));
+}
+
+/* aria128ccm functions */
+IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 128, 8, 96);
+/* aria192ccm functions */
+IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 192, 8, 96);
+/* aria256ccm functions */
+IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 256, 8, 96);
+
diff --git a/providers/common/ciphers/cipher_aria_ccm_hw.inc b/providers/common/ciphers/cipher_aria_ccm_hw.inc
new file mode 100644 (file)
index 0000000..d980fa9
--- /dev/null
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Generic support for ARIA CCM.
+ * This file is included by cipher_ccm_hw.c
+ */
+
+#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
+
+static int ccm_aria_initkey(PROV_CCM_CTX *ctx,
+                            const unsigned char *key, size_t keylen)
+{
+    PROV_ARIA_CCM_CTX *actx = (PROV_ARIA_CCM_CTX *)ctx;
+
+    aria_set_encrypt_key(key, keylen * 8, &actx->ks.ks);
+    CRYPTO_ccm128_init(&ctx->ccm_ctx, ctx->m, ctx->l, &actx->ks.ks,
+                       (block128_f)aria_encrypt);
+    ctx->str = NULL;
+    ctx->key_set = 1;
+    return 1;
+}
+
+static const PROV_CCM_HW ccm_aria = {
+    ccm_aria_initkey,
+    ccm_generic_setiv,
+    ccm_generic_setaad,
+    ccm_generic_auth_encrypt,
+    ccm_generic_auth_decrypt,
+    ccm_generic_gettag
+};
+const PROV_CCM_HW *PROV_ARIA_HW_ccm(size_t keybits)
+{
+    return &ccm_aria;
+}
+#endif /* OPENSSL_NO_ARIA */
diff --git a/providers/common/ciphers/cipher_aria_gcm.c b/providers/common/ciphers/cipher_aria_gcm.c
new file mode 100644 (file)
index 0000000..c68ad2c
--- /dev/null
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for ARIA GCM mode */
+
+#include "cipher_locl.h"
+
+static void *aria_gcm_newctx(void *provctx, size_t keybits)
+{
+    PROV_ARIA_GCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+    if (ctx != NULL)
+        gcm_initctx(provctx, &ctx->base, keybits, PROV_ARIA_HW_gcm(keybits), 4);
+    return ctx;
+}
+
+static OSSL_OP_cipher_freectx_fn aria_gcm_freectx;
+static void aria_gcm_freectx(void *vctx)
+{
+    PROV_ARIA_GCM_CTX *ctx = (PROV_ARIA_GCM_CTX *)vctx;
+
+    gcm_deinitctx((PROV_GCM_CTX *)ctx);
+    OPENSSL_clear_free(ctx,  sizeof(*ctx));
+}
+
+/* aria128gcm_functions */
+IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 128, 8, 96);
+/* aria192gcm_functions */
+IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 192, 8, 96);
+/* aria256gcm_functions */
+IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 256, 8, 96);
+
diff --git a/providers/common/ciphers/cipher_aria_gcm_hw.inc b/providers/common/ciphers/cipher_aria_gcm_hw.inc
new file mode 100644 (file)
index 0000000..fcb9bfc
--- /dev/null
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Generic support for ARIA GCM.
+ * This file is included by cipher_gcm_hw.c
+ */
+
+#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
+
+static int aria_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+                            size_t keylen)
+{
+    PROV_ARIA_GCM_CTX *actx = (PROV_ARIA_GCM_CTX *)ctx;
+    ARIA_KEY *ks = &actx->ks.ks;
+
+    SET_KEY_CTR_FN(ks, aria_set_encrypt_key, aria_encrypt, NULL);
+    return 1;
+}
+
+static int aria_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
+                              size_t len, unsigned char *out)
+{
+    if (ctx->enc) {
+        if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len))
+            return 0;
+    } else {
+        if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, len))
+            return 0;
+    }
+    return 1;
+}
+
+static const PROV_GCM_HW aria_gcm = {
+    aria_gcm_initkey,
+    gcm_setiv,
+    gcm_aad_update,
+    aria_cipher_update,
+    gcm_cipher_final,
+    gcm_one_shot
+};
+const PROV_GCM_HW *PROV_ARIA_HW_gcm(size_t keybits)
+{
+    return &aria_gcm;
+}
+
+#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
diff --git a/providers/common/ciphers/cipher_aria_hw.c b/providers/common/ciphers/cipher_aria_hw.c
new file mode 100644 (file)
index 0000000..2a89573
--- /dev/null
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+static int cipher_hw_aria_initkey(PROV_CIPHER_CTX *dat,
+                                  const unsigned char *key, size_t keylen)
+{
+    int ret, mode = dat->mode;
+    PROV_ARIA_CTX *adat = (PROV_ARIA_CTX *)dat;
+    ARIA_KEY *ks = &adat->ks.ks;
+
+    if (dat->enc || (mode != EVP_CIPH_ECB_MODE && mode != EVP_CIPH_CBC_MODE))
+        ret = aria_set_encrypt_key(key, keylen * 8, ks);
+    else
+        ret = aria_set_decrypt_key(key, keylen * 8, ks);
+    if (ret < 0) {
+        ERR_raise(ERR_LIB_PROV, EVP_R_ARIA_KEY_SETUP_FAILED);
+        return 0;
+    }
+    dat->ks = ks;
+    dat->block = (block128_f)aria_encrypt;
+    return 1;
+}
+
+# define PROV_CIPHER_HW_aria_mode(mode)                                        \
+static const PROV_CIPHER_HW aria_##mode = {                                    \
+    cipher_hw_aria_initkey,                                                    \
+    cipher_hw_chunked_##mode                                                   \
+};                                                                             \
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aria_##mode(size_t keybits)               \
+{                                                                              \
+    return &aria_##mode;                                                       \
+}
+
+PROV_CIPHER_HW_aria_mode(cbc)
+PROV_CIPHER_HW_aria_mode(ecb)
+PROV_CIPHER_HW_aria_mode(ofb128)
+PROV_CIPHER_HW_aria_mode(cfb128)
+PROV_CIPHER_HW_aria_mode(cfb1)
+PROV_CIPHER_HW_aria_mode(cfb8)
+PROV_CIPHER_HW_aria_mode(ctr)
diff --git a/providers/common/ciphers/cipher_camellia.c b/providers/common/ciphers/cipher_camellia.c
new file mode 100644 (file)
index 0000000..9215346
--- /dev/null
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for CAMELLIA cipher modes ecb, cbc, ofb, cfb, ctr */
+
+#include "cipher_locl.h"
+
+#if !defined(OPENSSL_NO_CAMELLIA)
+static OSSL_OP_cipher_freectx_fn camellia_freectx;
+static OSSL_OP_cipher_dupctx_fn camellia_dupctx;
+
+static void camellia_freectx(void *vctx)
+{
+    PROV_CAMELLIA_CTX *ctx = (PROV_CAMELLIA_CTX *)vctx;
+
+    OPENSSL_clear_free(ctx,  sizeof(*ctx));
+}
+
+static void *camellia_dupctx(void *ctx)
+{
+    PROV_CAMELLIA_CTX *in = (PROV_CAMELLIA_CTX *)ctx;
+    PROV_CAMELLIA_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+
+    if (ret == NULL) {
+        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    *ret = *in;
+
+    return ret;
+}
+
+/* camellia256ecb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 256, 128, 0, block)
+/* camellia192ecb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 192, 128, 0, block)
+/* camellia128ecb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 128, 128, 0, block)
+/* camellia256cbc_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 256, 128, 128, block)
+/* camellia192cbc_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 192, 128, 128, block)
+/* camellia128cbc_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 128, 128, 128, block)
+/* camellia256ofb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 256, 8, 128, stream)
+/* camellia192ofb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 192, 8, 128, stream)
+/* camellia128ofb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 128, 8, 128, stream)
+/* camellia256cfb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb,  CFB, 0, 256, 8, 128, stream)
+/* camellia192cfb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb,  CFB, 0, 192, 8, 128, stream)
+/* camellia128cfb_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb,  CFB, 0, 128, 8, 128, stream)
+/* camellia256cfb1_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 256, 8, 128, stream)
+/* camellia192cfb1_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 192, 8, 128, stream)
+/* camellia128cfb1_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 128, 8, 128, stream)
+/* camellia256cfb8_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 256, 8, 128, stream)
+/* camellia192cfb8_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 192, 8, 128, stream)
+/* camellia128cfb8_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 128, 8, 128, stream)
+/* camellia256ctr_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 256, 8, 128, stream)
+/* camellia192ctr_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 192, 8, 128, stream)
+/* camellia128ctr_functions */
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 128, 8, 128, stream)
+
+#endif /* OPENSSL_NO_CAMELLIA */
diff --git a/providers/common/ciphers/cipher_camellia.h b/providers/common/ciphers/cipher_camellia.h
new file mode 100644 (file)
index 0000000..e8e96ba
--- /dev/null
@@ -0,0 +1,32 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_NO_CAMELLIA
+
+# include <openssl/camellia.h>
+
+typedef struct prov_camellia_ctx_st {
+    PROV_CIPHER_CTX base;      /* Must be first */
+    union {
+        OSSL_UNION_ALIGN;
+        CAMELLIA_KEY ks;
+    } ks;
+} PROV_CAMELLIA_CTX;
+
+# define PROV_CIPHER_HW_camellia_ofb PROV_CIPHER_HW_camellia_ofb128
+# define PROV_CIPHER_HW_camellia_cfb PROV_CIPHER_HW_camellia_cfb128
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_ecb(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_cbc(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_ofb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_cfb128(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_cfb1(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_cfb8(size_t keybits);
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_ctr(size_t keybits);
+
+#endif /* OPENSSL_NO_CAMELLIA */
diff --git a/providers/common/ciphers/cipher_camellia_hw.c b/providers/common/ciphers/cipher_camellia_hw.c
new file mode 100644 (file)
index 0000000..dd65b31
--- /dev/null
@@ -0,0 +1,65 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+#if !defined(OPENSSL_NO_CAMELLIA)
+static int cipher_hw_camellia_initkey(PROV_CIPHER_CTX *dat,
+                                      const unsigned char *key, size_t keylen)
+{
+    int ret, mode = dat->mode;
+    PROV_CAMELLIA_CTX *adat = (PROV_CAMELLIA_CTX *)dat;
+    CAMELLIA_KEY *ks = &adat->ks.ks;
+
+    dat->ks = ks;
+    ret = Camellia_set_key(key, keylen * 8, ks);
+    if (ret < 0) {
+        ERR_raise(ERR_LIB_PROV, EVP_R_ARIA_KEY_SETUP_FAILED);
+        return 0;
+    }
+    if (dat->enc || (mode != EVP_CIPH_ECB_MODE && mode != EVP_CIPH_CBC_MODE)) {
+        dat->block = (block128_f) Camellia_encrypt;
+        dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
+            (cbc128_f) Camellia_cbc_encrypt : NULL;
+    } else {
+        dat->block = (block128_f) Camellia_decrypt;
+        dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
+            (cbc128_f) Camellia_cbc_encrypt : NULL;
+    }
+    return 1;
+}
+
+# if defined(SPARC_CMLL_CAPABLE)
+#  include "cipher_camellia_hw_t4.inc"
+# else
+/* The generic case */
+#  define PROV_CIPHER_HW_declare(mode)
+#  define PROV_CIPHER_HW_select(mode)
+# endif /* SPARC_CMLL_CAPABLE */
+
+#define PROV_CIPHER_HW_camellia_mode(mode)                                     \
+static const PROV_CIPHER_HW camellia_##mode = {                                \
+    cipher_hw_camellia_initkey,                                                \
+    cipher_hw_generic_##mode                                                   \
+};                                                                             \
+PROV_CIPHER_HW_declare(mode)                                                   \
+const PROV_CIPHER_HW *PROV_CIPHER_HW_camellia_##mode(size_t keybits)           \
+{                                                                              \
+    PROV_CIPHER_HW_select(mode)                                                \
+    return &camellia_##mode;                                                   \
+}
+
+PROV_CIPHER_HW_camellia_mode(cbc)
+PROV_CIPHER_HW_camellia_mode(ecb)
+PROV_CIPHER_HW_camellia_mode(ofb128)
+PROV_CIPHER_HW_camellia_mode(cfb128)
+PROV_CIPHER_HW_camellia_mode(cfb1)
+PROV_CIPHER_HW_camellia_mode(cfb8)
+PROV_CIPHER_HW_camellia_mode(ctr)
+#endif /* OPENSSL_NO_CAMELLIA */
diff --git a/providers/common/ciphers/cipher_camellia_hw_t4.inc b/providers/common/ciphers/cipher_camellia_hw_t4.inc
new file mode 100644 (file)
index 0000000..24e1046
--- /dev/null
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Fujitsu SPARC64 X support for camellia modes.
+ * This file is included by cipher_camellia_hw.c
+ */
+
+static int cipher_hw_camellia_t4_initkey(PROV_CIPHER_CTX *dat,
+                                         const unsigned char *key,
+                                         size_t keylen)
+{
+    int ret = 0, bits, mode = dat->mode;
+    PROV_CAMELLIA_CTX *adat = (PROV_CAMELLIA_CTX *)dat;
+    CAMELLIA_KEY *ks = &adat->ks.ks;
+
+    dat->ks = ks;
+    bits = keylen * 8;
+
+    cmll_t4_set_key(key, bits, ks);
+
+    if (dat->enc || (mode != EVP_CIPH_ECB_MODE && mode != EVP_CIPH_CBC_MODE)) {
+        dat->block = (block128_f) cmll_t4_encrypt;
+        switch (bits) {
+        case 128:
+            if (mode == EVP_CIPH_CBC_MODE)
+                dat->stream.cbc = (cbc128_f) cmll128_t4_cbc_encrypt;
+            else if (mode == EVP_CIPH_CTR_MODE)
+                dat->stream.ctr = (ctr128_f) cmll128_t4_ctr32_encrypt;
+            else
+                dat->stream.cbc = NULL;
+            break;
+        case 192:
+        case 256:
+            if (mode == EVP_CIPH_CBC_MODE)
+                dat->stream.cbc = (cbc128_f) cmll256_t4_cbc_encrypt;
+            else if (mode == EVP_CIPH_CTR_MODE)
+                dat->stream.ctr = (ctr128_f) cmll256_t4_ctr32_encrypt;
+            else
+                dat->stream.cbc = NULL;
+            break;
+        default:
+            ret = -1;
+            break;
+        }
+    } else {
+        dat->block = (block128_f) cmll_t4_decrypt;
+        switch (bits) {
+        case 128:
+            dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
+                (cbc128_f) cmll128_t4_cbc_decrypt : NULL;
+            break;
+        case 192:
+        case 256:
+            dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
+                (cbc128_f) cmll256_t4_cbc_decrypt : NULL;
+            break;
+        default:
+            ret = -1;
+            break;
+        }
+    }
+    if (ret < 0) {
+        ERR_raise(ERR_LIB_PROV, EVP_R_CAMELLIA_KEY_SETUP_FAILED);
+        return 0;
+    }
+    return 1;
+}
+
+#define PROV_CIPHER_HW_declare(mode)                                           \
+static const PROV_CIPHER_HW t4_camellia_##mode = {                             \
+    cipher_hw_camellia_t4_initkey,                                             \
+    cipher_hw_generic_##mode                                                   \
+};
+#define PROV_CIPHER_HW_select(mode)                                            \
+if (SPARC_CMLL_CAPABLE)                                                        \
+    return &t4_camellia_##mode;
diff --git a/providers/common/ciphers/cipher_ccm.c b/providers/common/ciphers/cipher_ccm.c
new file mode 100644 (file)
index 0000000..980c815
--- /dev/null
@@ -0,0 +1,413 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for ccm mode */
+
+#include "cipher_locl.h"
+
+static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
+                               size_t *padlen, const unsigned char *in,
+                               size_t len);
+
+static int ccm_tls_init(PROV_CCM_CTX *ctx, unsigned char *aad, size_t alen)
+{
+    size_t len;
+
+    if (alen != EVP_AEAD_TLS1_AAD_LEN)
+        return 0;
+
+    /* Save the aad for later use. */
+    memcpy(ctx->buf, aad, alen);
+    ctx->tls_aad_len = alen;
+
+    len = ctx->buf[alen - 2] << 8 | ctx->buf[alen - 1];
+    if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
+        return 0;
+
+    /* Correct length for explicit iv. */
+    len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
+
+    if (!ctx->enc) {
+        if (len < ctx->m)
+            return 0;
+        /* Correct length for tag. */
+        len -= ctx->m;
+    }
+    ctx->buf[alen - 2] = (unsigned char)(len >> 8);
+    ctx->buf[alen - 1] = (unsigned char)(len & 0xff);
+
+    /* Extra padding: tag appended to record. */
+    return ctx->m;
+}
+
+static int ccm_tls_iv_set_fixed(PROV_CCM_CTX *ctx, unsigned char *fixed,
+                                size_t flen)
+{
+    if (flen != EVP_CCM_TLS_FIXED_IV_LEN)
+        return 0;
+
+    /* Copy to first part of the iv. */
+    memcpy(ctx->iv, fixed, flen);
+    return 1;
+}
+
+static size_t ccm_get_ivlen(PROV_CCM_CTX *ctx)
+{
+    return 15 - ctx->l;
+}
+
+int ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+    const OSSL_PARAM *p;
+    size_t sz;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
+    if (p != NULL) {
+        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        if ((p->data_size & 1) || (p->data_size < 4) || p->data_size > 16) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
+            return 0;
+        }
+
+        if (p->data != NULL) {
+            if (ctx->enc) {
+                ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOT_NEEDED);
+                return 0;
+            }
+            memcpy(ctx->buf, p->data, p->data_size);
+            ctx->tag_set = 1;
+        }
+        ctx->m = p->data_size;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
+    if (p != NULL) {
+        size_t ivlen;
+
+        if (!OSSL_PARAM_get_size_t(p, &sz)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        ivlen = 15 - sz;
+        if (ivlen < 2 || ivlen > 8) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
+            return 0;
+        }
+        ctx->l = ivlen;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
+    if (p != NULL) {
+        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        sz = ccm_tls_init(ctx, p->data, p->data_size);
+        if (sz == 0) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA);
+            return 0;
+        }
+        ctx->tls_aad_pad_sz = sz;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
+    if (p != NULL) {
+        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        if (ccm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
+            return 0;
+        }
+    }
+
+    return 1;
+}
+
+int ccm_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+    OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
+    if (p != NULL && !OSSL_PARAM_set_int(p, ccm_get_ivlen(ctx))) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
+    if (p != NULL) {
+        if (ccm_get_ivlen(ctx) != p->data_size) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
+            return 0;
+        }
+        if (!OSSL_PARAM_set_octet_string(p, ctx->iv, p->data_size)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+            return 0;
+        }
+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
+    if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
+    if (p != NULL) {
+        if (!ctx->enc || !ctx->tag_set) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOTSET);
+            return 0;
+        }
+        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+            return 0;
+        }
+        if (!ctx->hw->gettag(ctx, p->data, p->data_size))
+            return 0;
+        ctx->tag_set = 0;
+        ctx->iv_set = 0;
+        ctx->len_set = 0;
+    }
+    return 1;
+}
+
+static int ccm_init(void *vctx, const unsigned char *key, size_t keylen,
+                    const unsigned char *iv, size_t ivlen, int enc)
+{
+    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+
+    ctx->enc = enc;
+
+    if (iv != NULL) {
+        if (ivlen != ccm_get_ivlen(ctx)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
+            return 0;
+        }
+
+        memcpy(ctx->iv, iv, ivlen);
+        ctx->iv_set = 1;
+    }
+    if (key != NULL) {
+        if (keylen != ctx->keylen) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN);
+            return 0;
+        }
+        return ctx->hw->setkey(ctx, key, keylen);
+    }
+    return 1;
+}
+
+int ccm_einit(void *vctx, const unsigned char *key, size_t keylen,
+                     const unsigned char *iv, size_t ivlen)
+{
+    return ccm_init(vctx, key, keylen, iv, ivlen, 1);
+}
+
+int ccm_dinit(void *vctx, const unsigned char *key, size_t keylen,
+                     const unsigned char *iv, size_t ivlen)
+{
+    return ccm_init(vctx, key, keylen, iv, ivlen, 0);
+}
+
+int ccm_stream_update(void *vctx, unsigned char *out, size_t *outl,
+                             size_t outsize, const unsigned char *in,
+                             size_t inl)
+{
+    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+
+    if (outsize < inl) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+        return 0;
+    }
+
+    if (!ccm_cipher_internal(ctx, out, outl, in, inl)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+        return 0;
+    }
+    return 1;
+}
+
+int ccm_stream_final(void *vctx, unsigned char *out, size_t *outl,
+                            size_t outsize)
+{
+    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+    int i;
+
+    i = ccm_cipher_internal(ctx, out, outl, NULL, 0);
+    if (i <= 0)
+        return 0;
+
+    *outl = 0;
+    return 1;
+}
+
+int ccm_cipher(void *vctx,
+                      unsigned char *out, size_t *outl, size_t outsize,
+                      const unsigned char *in, size_t inl)
+{
+    PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+
+    if (outsize < inl) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+        return -1;
+    }
+
+    if (ccm_cipher_internal(ctx, out, outl, in, inl) <= 0)
+        return -1;
+
+    *outl = inl;
+    return 1;
+}
+
+/* Copy the buffered iv */
+static int ccm_set_iv(PROV_CCM_CTX *ctx, size_t mlen)
+{
+    const PROV_CCM_HW *hw = ctx->hw;
+
+    if (!hw->setiv(ctx, ctx->iv, ccm_get_ivlen(ctx), mlen))
+        return 0;
+    ctx->len_set = 1;
+    return 1;
+}
+
+static int ccm_tls_cipher(PROV_CCM_CTX *ctx,
+                          unsigned char *out, size_t *padlen,
+                          const unsigned char *in, size_t len)
+{
+    int rv = 0;
+    size_t olen = 0;
+
+    /* Encrypt/decrypt must be performed in place */
+    if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)ctx->m))
+        goto err;
+
+    /* If encrypting set explicit IV from sequence number (start of AAD) */
+    if (ctx->enc)
+        memcpy(out, ctx->buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
+    /* Get rest of IV from explicit IV */
+    memcpy(ctx->iv + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
+    /* Correct length value */
+    len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m;
+    if (!ccm_set_iv(ctx, len))
+        goto err;
+
+    /* Use saved AAD */
+    if (!ctx->hw->setaad(ctx, ctx->buf, ctx->tls_aad_len))
+        goto err;
+
+    /* Fix buffer to point to payload */
+    in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
+    out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
+    if (ctx->enc) {
+        if (!ctx->hw->auth_encrypt(ctx, in, out, len,  out + len, ctx->m))
+            goto err;
+        olen = len + EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m;
+    } else {
+        if (!ctx->hw->auth_decrypt(ctx, in, out, len,
+                                   (unsigned char *)in + len, ctx->m))
+            goto err;
+        olen = len;
+    }
+    rv = 1;
+err:
+    *padlen = olen;
+    return rv;
+}
+
+static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
+                               size_t *padlen, const unsigned char *in,
+                               size_t len)
+{
+    int rv = 0;
+    size_t olen = 0;
+    const PROV_CCM_HW *hw = ctx->hw;
+
+    /* If no key set, return error */
+    if (!ctx->key_set)
+        return 0;
+
+    if (ctx->tls_aad_len >= 0)
+        return ccm_tls_cipher(ctx, out, padlen, in, len);
+
+    /* EVP_*Final() doesn't return any data */
+    if (in == NULL && out != NULL)
+        return 1;
+
+    if (!ctx->iv_set)
+        goto err;
+
+    if (out == NULL) {
+        if (in == NULL) {
+            if (!ccm_set_iv(ctx, len))
+                goto err;
+        } else {
+            /* If we have AAD, we need a message length */
+            if (!ctx->len_set && len)
+                goto err;
+            if (!hw->setaad(ctx, in, len))
+                goto err;
+        }
+    } else {
+        /* If not set length yet do it */
+        if (!ctx->len_set && !ccm_set_iv(ctx, len))
+            goto err;
+
+        if (ctx->enc) {
+            if (!hw->auth_encrypt(ctx, in, out, len, NULL, 0))
+                goto err;
+            ctx->tag_set = 1;
+        } else {
+            /* The tag must be set before actually decrypting data */
+            if (!ctx->tag_set)
+                goto err;
+
+            if (!hw->auth_decrypt(ctx, in, out, len, ctx->buf, ctx->m))
+                goto err;
+            /* Finished - reset flags so calling this method again will fail */
+            ctx->iv_set = 0;
+            ctx->tag_set = 0;
+            ctx->len_set = 0;
+        }
+    }
+    olen = len;
+    rv = 1;
+err:
+    *padlen = olen;
+    return rv;
+}
+
+void ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits, const PROV_CCM_HW *hw)
+{
+    ctx->keylen = keybits / 8;
+    ctx->key_set = 0;
+    ctx->iv_set = 0;
+    ctx->tag_set = 0;
+    ctx->len_set = 0;
+    ctx->l = 8;
+    ctx->m = 12;
+    ctx->tls_aad_len = -1;
+    ctx->hw = hw;
+}
+
+void ccm_finalctx(PROV_CCM_CTX *ctx)
+{
+    OPENSSL_cleanse(ctx->iv, sizeof(ctx->iv));
+}
diff --git a/providers/common/ciphers/cipher_ccm.h b/providers/common/ciphers/cipher_ccm.h
new file mode 100644 (file)
index 0000000..d91ad00
--- /dev/null
@@ -0,0 +1,136 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+typedef struct prov_ccm_hw_st PROV_CCM_HW;
+
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+/*-
+ * KMAC-AES parameter block - begin
+ * (see z/Architecture Principles of Operation >= SA22-7832-08)
+ */
+typedef struct S390X_kmac_params_st {
+    union {
+        unsigned long long g[2];
+        unsigned char b[16];
+    } icv;
+    unsigned char k[32];
+} S390X_KMAC_PARAMS;
+/* KMAC-AES parameter block - end */
+#endif
+
+/* Base structure that is shared by AES & ARIA for CCM MODE */
+typedef struct prov_ccm_st {
+    int enc;
+    int key_set;                /* Set if key initialised */
+    int iv_set;                 /* Set if an iv is set */
+    int tag_set;                /* Set if tag is valid */
+    int len_set;                /* Set if message length set */
+    size_t l, m;                /* L and M parameters from RFC3610 */
+    size_t keylen;
+    int tls_aad_len;            /* TLS AAD length */
+    int tls_aad_pad_sz;
+    unsigned char iv[AES_BLOCK_SIZE];
+    unsigned char buf[AES_BLOCK_SIZE];
+    CCM128_CONTEXT ccm_ctx;
+    ccm128_f str;
+    const PROV_CCM_HW *hw;      /* hardware specific methods  */
+} PROV_CCM_CTX;
+
+typedef struct prov_aes_ccm_ctx_st {
+    PROV_CCM_CTX base;          /* Must be first */
+    union {
+        OSSL_UNION_ALIGN;
+        /*-
+         * Padding is chosen so that s390x.kmac.k overlaps with ks.ks and
+         * fc with ks.ks.rounds. Remember that on s390x, an AES_KEY's
+         * rounds field is used to store the function code and that the key
+         * schedule is not stored (if aes hardware support is detected).
+         */
+        struct {
+            unsigned char pad[16];
+            AES_KEY ks;
+        } ks;
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+        struct {
+            S390X_KMAC_PARAMS kmac;
+            unsigned long long blocks;
+            union {
+                unsigned long long g[2];
+                unsigned char b[AES_BLOCK_SIZE];
+            } nonce;
+            union {
+                unsigned long long g[2];
+                unsigned char b[AES_BLOCK_SIZE];
+            } buf;
+            unsigned char dummy_pad[168];
+            unsigned int fc;    /* fc has same offset as ks.ks.rounds */
+        } s390x;
+#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
+    } ccm;
+} PROV_AES_CCM_CTX;
+
+PROV_CIPHER_FUNC(int, CCM_cipher, (PROV_CCM_CTX *ctx, unsigned char *out,      \
+                                   size_t *padlen, const unsigned char *in,    \
+                                   size_t len));
+PROV_CIPHER_FUNC(int, CCM_setkey, (PROV_CCM_CTX *ctx,                          \
+                                   const unsigned char *key, size_t keylen));
+PROV_CIPHER_FUNC(int, CCM_setiv, (PROV_CCM_CTX *dat,                           \
+                                  const unsigned char *iv, size_t ivlen,       \
+                                  size_t mlen));
+PROV_CIPHER_FUNC(int, CCM_setaad, (PROV_CCM_CTX *ctx,                          \
+                                   const unsigned char *aad, size_t aadlen));
+PROV_CIPHER_FUNC(int, CCM_auth_encrypt, (PROV_CCM_CTX *ctx,                    \
+                                         const unsigned char *in,              \
+                                         unsigned char *out, size_t len,       \
+                                         unsigned char *tag, size_t taglen));
+PROV_CIPHER_FUNC(int, CCM_auth_decrypt, (PROV_CCM_CTX *ctx,                    \
+                                         const unsigned char *in,              \
+                                         unsigned char *out, size_t len,       \
+                                         unsigned char *tag, size_t taglen));
+PROV_CIPHER_FUNC(int, CCM_gettag, (PROV_CCM_CTX *ctx,                          \
+                                   unsigned char *tag,  size_t taglen));
+
+/*
+ * CCM Mode internal method table used to handle hardware specific differences,
+ * (and different algorithms).
+ */
+struct prov_ccm_hw_st {
+    OSSL_CCM_setkey_fn setkey;
+    OSSL_CCM_setiv_fn setiv;
+    OSSL_CCM_setaad_fn setaad;
+    OSSL_CCM_auth_encrypt_fn auth_encrypt;
+    OSSL_CCM_auth_decrypt_fn auth_decrypt;
+    OSSL_CCM_gettag_fn gettag;
+};
+
+const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keylen);
+
+#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
+# include "internal/aria.h"
+typedef struct prov_aria_ccm_ctx_st {
+    PROV_CCM_CTX base; /* Must be first */
+    union {
+        OSSL_UNION_ALIGN;
+        ARIA_KEY ks;
+    } ks;                       /* ARIA key schedule to use */
+} PROV_ARIA_CCM_CTX;
+
+const PROV_CCM_HW *PROV_ARIA_HW_ccm(size_t keylen);
+
+#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
+
+OSSL_OP_cipher_encrypt_init_fn ccm_einit;
+OSSL_OP_cipher_decrypt_init_fn ccm_dinit;
+OSSL_OP_cipher_get_ctx_params_fn ccm_get_ctx_params;
+OSSL_OP_cipher_set_ctx_params_fn ccm_set_ctx_params;
+OSSL_OP_cipher_update_fn ccm_stream_update;
+OSSL_OP_cipher_final_fn ccm_stream_final;
+OSSL_OP_cipher_cipher_fn ccm_cipher;
+void ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits, const PROV_CCM_HW *hw);
+void ccm_finalctx(PROV_CCM_CTX *ctx);
diff --git a/providers/common/ciphers/cipher_ccm_hw.c b/providers/common/ciphers/cipher_ccm_hw.c
new file mode 100644 (file)
index 0000000..3036bfa
--- /dev/null
@@ -0,0 +1,121 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+#define AES_CCM_SET_KEY_FN(fn_set_enc_key, fn_blk, fn_ccm_enc, fn_ccm_dec)     \
+    fn_set_enc_key(key, keylen * 8, &actx->ccm.ks.ks);                         \
+    CRYPTO_ccm128_init(&ctx->ccm_ctx, ctx->m, ctx->l, &actx->ccm.ks.ks,        \
+                       (block128_f)fn_blk);                                    \
+    ctx->str = ctx->enc ? (ccm128_f)fn_ccm_enc : (ccm128_f)fn_ccm_dec;         \
+    ctx->key_set = 1;
+
+static int ccm_generic_aes_initkey(PROV_CCM_CTX *ctx, const unsigned char *key,
+                                   size_t keylen)
+{
+    PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
+
+#ifdef HWAES_CAPABLE
+    if (HWAES_CAPABLE) {
+        AES_CCM_SET_KEY_FN(HWAES_set_encrypt_key, HWAES_encrypt, NULL, NULL);
+    } else
+#endif /* HWAES_CAPABLE */
+#ifdef VPAES_CAPABLE
+    if (VPAES_CAPABLE) {
+        AES_CCM_SET_KEY_FN(vpaes_set_encrypt_key, vpaes_encrypt, NULL, NULL);
+    } else
+#endif
+    {
+        AES_CCM_SET_KEY_FN(AES_set_encrypt_key, AES_encrypt, NULL, NULL)
+    }
+    return 1;
+}
+
+static int ccm_generic_setiv(PROV_CCM_CTX *ctx, const unsigned char *nonce,
+                             size_t nlen, size_t mlen)
+{
+    return CRYPTO_ccm128_setiv(&ctx->ccm_ctx, nonce, nlen, mlen) == 0;
+}
+
+static int ccm_generic_setaad(PROV_CCM_CTX *ctx, const unsigned char *aad,
+                              size_t alen)
+{
+    CRYPTO_ccm128_aad(&ctx->ccm_ctx, aad, alen);
+    return 1;
+}
+
+static int ccm_generic_gettag(PROV_CCM_CTX *ctx, unsigned char *tag,
+                              size_t tlen)
+{
+    return CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, tlen) > 0;
+}
+
+static int ccm_generic_auth_encrypt(PROV_CCM_CTX *ctx, const unsigned char *in,
+                                    unsigned char *out, size_t len,
+                                    unsigned char *tag, size_t taglen)
+{
+    int rv;
+
+    if (ctx->str != NULL)
+        rv = CRYPTO_ccm128_encrypt_ccm64(&ctx->ccm_ctx, in,
+                                         out, len, ctx->str) == 0;
+    else
+        rv = CRYPTO_ccm128_encrypt(&ctx->ccm_ctx, in, out, len) == 0;
+
+    if (rv == 1 && tag != NULL)
+        rv = (CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, taglen) > 0);
+    return rv;
+}
+
+static int ccm_generic_auth_decrypt(PROV_CCM_CTX *ctx, const unsigned char *in,
+                                    unsigned char *out, size_t len,
+                                    unsigned char *expected_tag,
+                                    size_t taglen)
+{
+    int rv = 0;
+
+    if (ctx->str != NULL)
+        rv = CRYPTO_ccm128_decrypt_ccm64(&ctx->ccm_ctx, in, out, len,
+                                         ctx->str) == 0;
+    else
+        rv = CRYPTO_ccm128_decrypt(&ctx->ccm_ctx, in, out, len) == 0;
+    if (rv) {
+        unsigned char tag[16];
+
+        if (!CRYPTO_ccm128_tag(&ctx->ccm_ctx, tag, taglen)
+            || CRYPTO_memcmp(tag, expected_tag, taglen) != 0)
+            rv = 0;
+    }
+    if (rv == 0)
+        OPENSSL_cleanse(out, len);
+    return rv;
+}
+
+static const PROV_CCM_HW aes_ccm = {
+    ccm_generic_aes_initkey,
+    ccm_generic_setiv,
+    ccm_generic_setaad,
+    ccm_generic_auth_encrypt,
+    ccm_generic_auth_decrypt,
+    ccm_generic_gettag
+};
+#if defined(S390X_aes_128_CAPABLE)
+# include "cipher_aes_ccm_hw_s390x.inc"
+#elif defined(AESNI_CAPABLE)
+# include "cipher_aes_ccm_hw_aesni.inc"
+#elif defined(SPARC_AES_CAPABLE)
+# include "cipher_aes_ccm_hw_t4.inc"
+#else
+const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keybits)
+{
+    return &aes_ccm;
+}
+#endif
+
+#include "cipher_aria_ccm_hw.inc"
diff --git a/providers/common/ciphers/cipher_common.c b/providers/common/ciphers/cipher_common.c
new file mode 100644 (file)
index 0000000..9c9047c
--- /dev/null
@@ -0,0 +1,403 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Generic dispatch table functions for ciphers.
+ */
+
+#include "cipher_locl.h"
+
+#define MAXCHUNK    ((size_t)1 << (sizeof(long) * 8 - 2))
+#define MAXBITCHUNK ((size_t)1 << (sizeof(size_t) * 8 - 4))
+
+/*-
+ * Default cipher functions for OSSL_PARAM gettables and settables
+ */
+static const OSSL_PARAM cipher_known_gettable_params[] = {
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_MODE, NULL),
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_BLOCK_SIZE, NULL),
+    OSSL_PARAM_END
+};
+const OSSL_PARAM *cipher_default_gettable_params(void)
+{
+    return cipher_known_gettable_params;
+}
+
+int cipher_default_get_params(OSSL_PARAM params[], int md, unsigned long flags,
+                              int kbits, int blkbits, int ivbits)
+{
+    OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_MODE);
+    if (p != NULL && !OSSL_PARAM_set_int(p, md)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_FLAGS);
+    if (p != NULL && !OSSL_PARAM_set_ulong(p, flags)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
+    if (p != NULL && !OSSL_PARAM_set_int(p, kbits / 8)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_BLOCK_SIZE);
+    if (p != NULL && !OSSL_PARAM_set_int(p, blkbits / 8)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
+    if (p != NULL && !OSSL_PARAM_set_int(p, ivbits / 8)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    return 1;
+}
+
+static const OSSL_PARAM cipher_known_gettable_ctx_params[] = {
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_PADDING, NULL),
+    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_NUM, NULL),
+    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
+    OSSL_PARAM_END
+};
+const OSSL_PARAM *cipher_default_gettable_ctx_params(void)
+{
+    return cipher_known_gettable_ctx_params;
+}
+
+static const OSSL_PARAM cipher_known_settable_ctx_params[] = {
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_PADDING, NULL),
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_NUM, NULL),
+    OSSL_PARAM_END
+};
+const OSSL_PARAM *cipher_default_settable_ctx_params(void)
+{
+    return cipher_known_settable_ctx_params;
+}
+
+/*-
+ * AEAD cipher functions for OSSL_PARAM gettables and settables
+ */
+static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
+    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
+    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
+    OSSL_PARAM_END
+};
+const OSSL_PARAM *cipher_aead_gettable_ctx_params(void)
+{
+    return cipher_aead_known_gettable_ctx_params;
+}
+
+static const OSSL_PARAM cipher_aead_known_settable_ctx_params[] = {
+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
+    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, NULL, 0),
+    OSSL_PARAM_END
+};
+const OSSL_PARAM *cipher_aead_settable_ctx_params(void)
+{
+    return cipher_aead_known_settable_ctx_params;
+}
+
+static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx,
+                                        const unsigned char *key, size_t keylen,
+                                        const unsigned char *iv, size_t ivlen,
+                                        int enc)
+{
+    ctx->enc = enc;
+
+    if (iv != NULL && ctx->mode != EVP_CIPH_ECB_MODE) {
+        if (ivlen != GENERIC_BLOCK_SIZE) {
+            ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
+        memcpy(ctx->iv, iv, GENERIC_BLOCK_SIZE);
+    }
+    if (key != NULL) {
+        if (keylen != ctx->keylen) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN);
+            return 0;
+        }
+        return ctx->hw->init(ctx, key, ctx->keylen);
+    }
+    return 1;
+}
+
+int cipher_generic_einit(void *vctx, const unsigned char *key, size_t keylen,
+                         const unsigned char *iv, size_t ivlen)
+{
+    return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
+                                        iv, ivlen, 1);
+}
+
+int cipher_generic_dinit(void *vctx, const unsigned char *key, size_t keylen,
+                         const unsigned char *iv, size_t ivlen)
+{
+    return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
+                                        iv, ivlen, 0);
+}
+
+int cipher_generic_block_update(void *vctx, unsigned char *out, size_t *outl,
+                                size_t outsize, const unsigned char *in,
+                                size_t inl)
+{
+    size_t outlint = 0;
+    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+    size_t nextblocks = fillblock(ctx->buf, &ctx->bufsz, GENERIC_BLOCK_SIZE, &in,
+                                  &inl);
+
+    /*
+     * If we're decrypting and we end an update on a block boundary we hold
+     * the last block back in case this is the last update call and the last
+     * block is padded.
+     */
+    if (ctx->bufsz == GENERIC_BLOCK_SIZE && (ctx->enc || inl > 0 || !ctx->pad)) {
+        if (outsize < GENERIC_BLOCK_SIZE) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+            return 0;
+        }
+        if (!ctx->hw->cipher(ctx, out, ctx->buf, GENERIC_BLOCK_SIZE)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+            return 0;
+        }
+        ctx->bufsz = 0;
+        outlint = GENERIC_BLOCK_SIZE;
+        out += GENERIC_BLOCK_SIZE;
+    }
+    if (nextblocks > 0) {
+        if (!ctx->enc && ctx->pad && nextblocks == inl) {
+            if (!ossl_assert(inl >= GENERIC_BLOCK_SIZE)) {
+                ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+                return 0;
+            }
+            nextblocks -= GENERIC_BLOCK_SIZE;
+        }
+        outlint += nextblocks;
+        if (outsize < outlint) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+            return 0;
+        }
+        if (!ctx->hw->cipher(ctx, out, in, nextblocks)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+            return 0;
+        }
+        in += nextblocks;
+        inl -= nextblocks;
+    }
+    if (!trailingdata(ctx->buf, &ctx->bufsz, GENERIC_BLOCK_SIZE, &in, &inl)) {
+        /* ERR_raise already called */
+        return 0;
+    }
+
+    *outl = outlint;
+    return inl == 0;
+}
+
+int cipher_generic_block_final(void *vctx, unsigned char *out, size_t *outl,
+                               size_t outsize)
+{
+    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+
+    if (ctx->enc) {
+        if (ctx->pad) {
+            padblock(ctx->buf, &ctx->bufsz, GENERIC_BLOCK_SIZE);
+        } else if (ctx->bufsz == 0) {
+            *outl = 0;
+            return 1;
+        } else if (ctx->bufsz != GENERIC_BLOCK_SIZE) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
+            return 0;
+        }
+
+        if (outsize < GENERIC_BLOCK_SIZE) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+            return 0;
+        }
+        if (!ctx->hw->cipher(ctx, out, ctx->buf, GENERIC_BLOCK_SIZE)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+            return 0;
+        }
+        ctx->bufsz = 0;
+        *outl = GENERIC_BLOCK_SIZE;
+        return 1;
+    }
+
+    /* Decrypting */
+    if (ctx->bufsz != GENERIC_BLOCK_SIZE) {
+        if (ctx->bufsz == 0 && !ctx->pad) {
+            *outl = 0;
+            return 1;
+        }
+        ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
+        return 0;
+    }
+
+    if (!ctx->hw->cipher(ctx, ctx->buf, ctx->buf, GENERIC_BLOCK_SIZE)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+        return 0;
+    }
+
+    if (ctx->pad && !unpadblock(ctx->buf, &ctx->bufsz, GENERIC_BLOCK_SIZE)) {
+        /* ERR_raise already called */
+        return 0;
+    }
+
+    if (outsize < ctx->bufsz) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+        return 0;
+    }
+    memcpy(out, ctx->buf, ctx->bufsz);
+    *outl = ctx->bufsz;
+    ctx->bufsz = 0;
+    return 1;
+}
+
+int cipher_generic_stream_update(void *vctx, unsigned char *out, size_t *outl,
+                                 size_t outsize, const unsigned char *in,
+                                 size_t inl)
+{
+    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+
+    if (outsize < inl) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+        return 0;
+    }
+
+    if (!ctx->hw->cipher(ctx, out, in, inl)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+        return 0;
+    }
+
+    *outl = inl;
+    return 1;
+}
+int cipher_generic_stream_final(void *vctx, unsigned char *out, size_t *outl,
+                                size_t outsize)
+{
+    *outl = 0;
+    return 1;
+}
+
+int cipher_generic_cipher(void *vctx,
+                          unsigned char *out, size_t *outl, size_t outsize,
+                          const unsigned char *in, size_t inl)
+{
+    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+
+    if (outsize < inl) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+        return 0;
+    }
+
+    if (!ctx->hw->cipher(ctx, out, in, inl)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+        return 0;
+    }
+
+    *outl = inl;
+    return 1;
+}
+
+int cipher_generic_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+    OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
+    if (p != NULL && !OSSL_PARAM_set_int(p, GENERIC_BLOCK_SIZE)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_PADDING);
+    if (p != NULL && !OSSL_PARAM_set_int(p, ctx->pad)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
+    if (p != NULL
+        && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, GENERIC_BLOCK_SIZE)
+        && !OSSL_PARAM_set_octet_string(p, &ctx->iv, GENERIC_BLOCK_SIZE)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_NUM);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->num)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
+    if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+
+    return 1;
+}
+
+int cipher_generic_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+    const OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_PADDING);
+    if (p != NULL) {
+        int pad;
+
+        if (!OSSL_PARAM_get_int(p, &pad)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        ctx->pad = pad ? 1 : 0;
+    }
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_NUM);
+    if (p != NULL) {
+        int num;
+
+        if (!OSSL_PARAM_get_int(p, &num)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        ctx->num = num;
+    }
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
+    if (p != NULL) {
+        int keylen;
+
+        if (!OSSL_PARAM_get_int(p, &keylen)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        ctx->keylen = keylen;
+    }
+    return 1;
+}
+
+void cipher_generic_initkey(void *vctx, int kbits, int blkbits, int mode,
+                            const PROV_CIPHER_HW *hw)
+{
+    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+
+    ctx->pad = 1;
+    ctx->keylen = ((kbits) / 8);
+    ctx->hw = hw;
+    ctx->mode = mode;
+    ctx->blocksize = blkbits/8;
+}
diff --git a/providers/common/ciphers/cipher_common_hw.c b/providers/common/ciphers/cipher_common_hw.c
new file mode 100644 (file)
index 0000000..47e14af
--- /dev/null
@@ -0,0 +1,192 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+#define MAXCHUNK    ((size_t)1 << (sizeof(long) * 8 - 2))
+#define MAXBITCHUNK ((size_t)1 << (sizeof(size_t) * 8 - 4))
+
+/*-
+ * The generic cipher functions for cipher modes cbc, ecb, ofb, cfb and ctr.
+ * Used if there is no special hardware implementations.
+ */
+int cipher_hw_generic_cbc(PROV_CIPHER_CTX *dat, unsigned char *out,
+                          const unsigned char *in, size_t len)
+{
+    if (dat->stream.cbc)
+        (*dat->stream.cbc) (in, out, len, dat->ks, dat->iv, dat->enc);
+    else if (dat->enc)
+        CRYPTO_cbc128_encrypt(in, out, len, dat->ks, dat->iv, dat->block);
+    else
+        CRYPTO_cbc128_decrypt(in, out, len, dat->ks, dat->iv, dat->block);
+
+    return 1;
+}
+
+int cipher_hw_generic_ecb(PROV_CIPHER_CTX *dat, unsigned char *out,
+                          const unsigned char *in, size_t len)
+{
+    size_t i, bl = dat->blocksize;
+
+    if (len < bl)
+        return 1;
+
+    for (i = 0, len -= bl; i <= len; i += bl)
+        (*dat->block) (in + i, out + i, dat->ks);
+
+    return 1;
+}
+
+int cipher_hw_generic_ofb128(PROV_CIPHER_CTX *dat, unsigned char *out,
+                             const unsigned char *in, size_t len)
+{
+    int num = dat->num;
+
+    CRYPTO_ofb128_encrypt(in, out, len, dat->ks, dat->iv, &num, dat->block);
+    dat->num = num;
+
+    return 1;
+}
+
+int cipher_hw_generic_cfb128(PROV_CIPHER_CTX *dat, unsigned char *out,
+                             const unsigned char *in, size_t len)
+{
+    int num = dat->num;
+
+    CRYPTO_cfb128_encrypt(in, out, len, dat->ks, dat->iv, &num, dat->enc,
+                          dat->block);
+    dat->num = num;
+
+    return 1;
+}
+
+int cipher_hw_generic_cfb8(PROV_CIPHER_CTX *dat, unsigned char *out,
+                           const unsigned char *in, size_t len)
+{
+    int num = dat->num;
+
+    CRYPTO_cfb128_8_encrypt(in, out, len, dat->ks, dat->iv, &num, dat->enc,
+                            dat->block);
+    dat->num = num;
+
+    return 1;
+}
+
+int cipher_hw_generic_cfb1(PROV_CIPHER_CTX *dat, unsigned char *out,
+                           const unsigned char *in, size_t len)
+{
+    int num = dat->num;
+
+    if ((dat->flags & EVP_CIPH_FLAG_LENGTH_BITS) != 0) {
+        CRYPTO_cfb128_1_encrypt(in, out, len, dat->ks, dat->iv, &num,
+                                dat->enc, dat->block);
+        dat->num = num;
+        return 1;
+    }
+
+    while (len >= MAXBITCHUNK) {
+        CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, dat->ks,
+                                dat->iv, &num, dat->enc, dat->block);
+        len -= MAXBITCHUNK;
+        out += MAXBITCHUNK;
+        in  += MAXBITCHUNK;
+    }
+    if (len)
+        CRYPTO_cfb128_1_encrypt(in, out, len * 8, dat->ks, dat->iv, &num,
+                                dat->enc, dat->block);
+
+    dat->num = num;
+
+    return 1;
+}
+
+int cipher_hw_generic_ctr(PROV_CIPHER_CTX *dat, unsigned char *out,
+                          const unsigned char *in, size_t len)
+{
+    unsigned int num = dat->num;
+
+    if (dat->stream.ctr)
+        CRYPTO_ctr128_encrypt_ctr32(in, out, len, dat->ks, dat->iv, dat->buf,
+                                    &num, dat->stream.ctr);
+    else
+        CRYPTO_ctr128_encrypt(in, out, len, dat->ks, dat->iv, dat->buf,
+                              &num, dat->block);
+    dat->num = num;
+
+    return 1;
+}
+
+/*-
+ * The chunked cipher functions for cipher modes cbc, ecb, ofb, cfb and ctr.
+ * Used if there is no special hardware implementations.
+ */
+
+int cipher_hw_chunked_cbc(PROV_CIPHER_CTX *ctx, unsigned char *out,
+                          const unsigned char *in, size_t inl)
+{
+    while (inl >= MAXCHUNK) {
+        cipher_hw_generic_cbc(ctx, out, in, MAXCHUNK);
+        inl -= MAXCHUNK;
+        in  += MAXCHUNK;
+        out += MAXCHUNK;
+    }
+    if (inl > 0)
+        cipher_hw_generic_cbc(ctx, out, in, inl);
+    return 1;
+}
+
+int cipher_hw_chunked_cfb8(PROV_CIPHER_CTX *ctx, unsigned char *out,
+                           const unsigned char *in, size_t inl)
+{
+    size_t chunk = MAXCHUNK;
+
+    if (inl < chunk)
+        chunk = inl;
+    while (inl > 0 && inl >= chunk) {
+        cipher_hw_generic_cfb8(ctx, out, in, inl);
+        inl -= chunk;
+        in += chunk;
+        out += chunk;
+        if (inl < chunk)
+            chunk = inl;
+    }
+    return 1;
+}
+
+int cipher_hw_chunked_cfb128(PROV_CIPHER_CTX *ctx, unsigned char *out,
+                             const unsigned char *in, size_t inl)
+{
+    size_t chunk = MAXCHUNK;
+
+    if (inl < chunk)
+        chunk = inl;
+    while (inl > 0 && inl >= chunk) {
+        cipher_hw_generic_cfb128(ctx, out, in, inl);
+        inl -= chunk;
+        in += chunk;
+        out += chunk;
+        if (inl < chunk)
+            chunk = inl;
+    }
+    return 1;
+}
+
+int cipher_hw_chunked_ofb128(PROV_CIPHER_CTX *ctx, unsigned char *out,
+                             const unsigned char *in, size_t inl)
+{
+    while (inl >= MAXCHUNK) {
+        cipher_hw_generic_ofb128(ctx, out, in, MAXCHUNK);
+        inl -= MAXCHUNK;
+        in  += MAXCHUNK;
+        out += MAXCHUNK;
+    }
+    if (inl > 0)
+        cipher_hw_generic_ofb128(ctx, out, in, inl);
+    return 1;
+}
diff --git a/providers/common/ciphers/cipher_gcm.c b/providers/common/ciphers/cipher_gcm.c
new file mode 100644 (file)
index 0000000..40c8845
--- /dev/null
@@ -0,0 +1,495 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for gcm mode */
+
+#include "cipher_locl.h"
+#include "internal/rand_int.h"
+#include "internal/provider_ctx.h"
+
+static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
+static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
+                                size_t len);
+static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
+                          const unsigned char *in, size_t len);
+static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
+                               size_t *padlen, const unsigned char *in,
+                               size_t len);
+
+void gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
+                 const PROV_GCM_HW *hw, size_t ivlen_min)
+{
+    ctx->pad = 1;
+    ctx->mode = EVP_CIPH_GCM_MODE;
+    ctx->taglen = -1;
+    ctx->tls_aad_len = -1;
+    ctx->ivlen_min = ivlen_min;
+    ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
+    ctx->keylen = keybits / 8;
+    ctx->hw = hw;
+    ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
+}
+
+void gcm_deinitctx(PROV_GCM_CTX *ctx)
+{
+    OPENSSL_cleanse(ctx->iv, sizeof(ctx->iv));
+}
+
+static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
+                    const unsigned char *iv, size_t ivlen, int enc)
+{
+    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+
+    ctx->enc = enc;
+
+    if (iv != NULL) {
+        if (ivlen < ctx->ivlen_min || ivlen > sizeof(ctx->iv)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
+            return 0;
+        }
+        ctx->ivlen = ivlen;
+        memcpy(ctx->iv, iv, ctx->ivlen);
+        ctx->iv_state = IV_STATE_BUFFERED;
+    }
+
+    if (key != NULL) {
+        if (keylen != ctx->keylen) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+            return 0;
+        }
+        return ctx->hw->setkey(ctx, key, ctx->keylen);
+    }
+    return 1;
+}
+
+int gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
+              const unsigned char *iv, size_t ivlen)
+{
+    return gcm_init(vctx, key, keylen, iv, ivlen, 1);
+}
+
+int gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
+              const unsigned char *iv, size_t ivlen)
+{
+    return gcm_init(vctx, key, keylen, iv, ivlen, 0);
+}
+
+int gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+    OSSL_PARAM *p;
+    size_t sz;
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
+    if (p != NULL && !OSSL_PARAM_set_int(p, ctx->ivlen)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
+    if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
+    if (p != NULL) {
+        if (ctx->iv_gen != 1 && ctx->iv_gen_rand != 1)
+            return 0;
+        if (ctx->ivlen != (int)p->data_size) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
+            return 0;
+        }
+        if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+            return 0;
+        }
+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
+    if (p != NULL) {
+        sz = p->data_size;
+        if (sz == 0 || sz > EVP_GCM_TLS_TAG_LEN || !ctx->enc || ctx->taglen < 0) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
+            return 0;
+        }
+        if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+            return 0;
+        }
+    }
+    return 1;
+}
+
+int gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+    const OSSL_PARAM *p;
+    size_t sz;
+    void *vp;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
+    if (p != NULL) {
+        vp = ctx->buf;
+        if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        if (sz == 0 || ctx->enc) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
+            return 0;
+        }
+        ctx->taglen = sz;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
+    if (p != NULL) {
+        if (!OSSL_PARAM_get_size_t(p, &sz)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        if (sz == 0 || sz > sizeof(ctx->iv)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
+            return 0;
+        }
+        ctx->ivlen = sz;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
+    if (p != NULL) {
+        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        sz = gcm_tls_init(ctx, p->data, p->data_size);
+        if (sz == 0) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
+            return 0;
+        }
+        ctx->tls_aad_pad_sz = sz;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
+    if (p != NULL) {
+        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+    }
+
+    /*
+     * TODO(3.0) Temporary solution to address fuzz test crash, which will be
+     * reworked once the discussion in PR #9510 is resolved. i.e- We need a
+     * general solution for handling missing parameters inside set_params and
+     * get_params methods.
+     */
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
+    if (p != NULL) {
+        int keylen;
+
+        if (!OSSL_PARAM_get_int(p, &keylen)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        /* The key length can not be modified for gcm mode */
+        if (keylen != (int)ctx->keylen)
+            return 0;
+    }
+
+    return 1;
+}
+
+int gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
+                      size_t outsize, const unsigned char *in, size_t inl)
+{
+    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+
+    if (outsize < inl) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+        return -1;
+    }
+
+    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+        return -1;
+    }
+    return 1;
+}
+
+int gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
+                     size_t outsize)
+{
+    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+    int i;
+
+    i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
+    if (i <= 0)
+        return 0;
+
+    *outl = 0;
+    return 1;
+}
+
+int gcm_cipher(void *vctx,
+               unsigned char *out, size_t *outl, size_t outsize,
+               const unsigned char *in, size_t inl)
+{
+    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+
+    if (outsize < inl) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+        return -1;
+    }
+
+    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
+        return -1;
+
+    *outl = inl;
+    return 1;
+}
+
+/*
+ * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
+ *
+ * See also 8.2.2 RBG-based construction.
+ * Random construction consists of a free field (which can be NULL) and a
+ * random field which will use a DRBG that can return at least 96 bits of
+ * entropy strength. (The DRBG must be seeded by the FIPS module).
+ */
+static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
+{
+    int sz = ctx->ivlen - offset;
+
+    /* Must be at least 96 bits */
+    if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
+        return 0;
+
+    /* Use DRBG to generate random iv */
+    if (rand_bytes_ex(ctx->libctx, ctx->iv + offset, sz) <= 0)
+        return 0;
+    ctx->iv_state = IV_STATE_BUFFERED;
+    ctx->iv_gen_rand = 1;
+    return 1;
+}
+
+static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
+                               size_t *padlen, const unsigned char *in,
+                               size_t len)
+{
+    size_t olen = 0;
+    int rv = 0;
+    const PROV_GCM_HW *hw = ctx->hw;
+
+    if (ctx->tls_aad_len >= 0)
+        return gcm_tls_cipher(ctx, out, padlen, in, len);
+
+    if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
+        goto err;
+
+    /*
+     * FIPS requires generation of AES-GCM IV's inside the FIPS module.
+     * The IV can still be set externally (the security policy will state that
+     * this is not FIPS compliant). There are some applications
+     * where setting the IV externally is the only option available.
+     */
+    if (ctx->iv_state == IV_STATE_UNINITIALISED) {
+        if (!ctx->enc || !gcm_iv_generate(ctx, 0))
+            goto err;
+    }
+
+    if (ctx->iv_state == IV_STATE_BUFFERED) {
+        if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
+            goto err;
+        ctx->iv_state = IV_STATE_COPIED;
+    }
+
+    if (in != NULL) {
+        /*  The input is AAD if out is NULL */
+        if (out == NULL) {
+            if (!hw->aadupdate(ctx, in, len))
+                goto err;
+        } else {
+            /* The input is ciphertext OR plaintext */
+            if (!hw->cipherupdate(ctx, in, len, out))
+                goto err;
+        }
+    } else {
+        /* Finished when in == NULL */
+        if (!hw->cipherfinal(ctx, ctx->buf))
+            goto err;
+        ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
+        goto finish;
+    }
+    olen = len;
+finish:
+    rv = 1;
+err:
+    *padlen = olen;
+    return rv;
+}
+
+static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
+{
+    unsigned char *buf;
+    size_t len;
+
+    if (aad_len != EVP_AEAD_TLS1_AAD_LEN)
+       return 0;
+
+    /* Save the aad for later use. */
+    buf = dat->buf;
+    memcpy(buf, aad, aad_len);
+    dat->tls_aad_len = aad_len;
+    dat->tls_enc_records = 0;
+
+    len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
+    /* Correct length for explicit iv. */
+    if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
+        return 0;
+    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+
+    /* If decrypting correct for tag too. */
+    if (!dat->enc) {
+        if (len < EVP_GCM_TLS_TAG_LEN)
+            return 0;
+        len -= EVP_GCM_TLS_TAG_LEN;
+    }
+    buf[aad_len - 2] = (unsigned char)(len >> 8);
+    buf[aad_len - 1] = (unsigned char)(len & 0xff);
+    /* Extra padding: tag appended to record. */
+    return EVP_GCM_TLS_TAG_LEN;
+}
+
+static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
+                                size_t len)
+{
+    /* Special case: -1 length restores whole IV */
+    if (len == (size_t)-1) {
+        memcpy(ctx->iv, iv, ctx->ivlen);
+        ctx->iv_gen = 1;
+        ctx->iv_state = IV_STATE_BUFFERED;
+        return 1;
+    }
+    /* Fixed field must be at least 4 bytes and invocation field at least 8 */
+    if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
+        || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
+            return 0;
+    if (len > 0)
+        memcpy(ctx->iv, iv, len);
+    if (ctx->enc
+        && rand_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len) <= 0)
+            return 0;
+    ctx->iv_gen = 1;
+    ctx->iv_state = IV_STATE_BUFFERED;
+    return 1;
+}
+
+/* increment counter (64-bit int) by 1 */
+static void ctr64_inc(unsigned char *counter)
+{
+    int n = 8;
+    unsigned char c;
+
+    do {
+        --n;
+        c = counter[n];
+        ++c;
+        counter[n] = c;
+        if (c > 0)
+            return;
+    } while (n > 0);
+}
+
+/*
+ * Handle TLS GCM packet format. This consists of the last portion of the IV
+ * followed by the payload and finally the tag. On encrypt generate IV,
+ * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
+ * and verify tag.
+ */
+static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
+                          const unsigned char *in, size_t len)
+{
+    int rv = 0, arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
+    size_t plen = 0;
+    unsigned char *tag = NULL;
+
+    if (!ctx->key_set)
+        goto err;
+
+    /* Encrypt/decrypt must be performed in place */
+    if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
+        goto err;
+
+    /*
+     * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
+     * Requirements from SP 800-38D".  The requirements is for one party to the
+     * communication to fail after 2^64 - 1 keys.  We do this on the encrypting
+     * side only.
+     */
+    if (ctx->enc && ++ctx->tls_enc_records == 0) {
+        ERR_raise(ERR_LIB_PROV, EVP_R_TOO_MANY_RECORDS);
+        goto err;
+    }
+
+    if (ctx->iv_gen == 0)
+        goto err;
+    /*
+     * Set IV from start of buffer or generate IV and write to start of
+     * buffer.
+     */
+    if (ctx->enc) {
+        if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
+            goto err;
+        if (arg > ctx->ivlen)
+            arg = ctx->ivlen;
+        memcpy(out, ctx->iv + ctx->ivlen - arg, arg);
+        /*
+         * Invocation field will be at least 8 bytes in size and so no need
+         * to check wrap around or increment more than last 8 bytes.
+         */
+        ctr64_inc(ctx->iv + ctx->ivlen - 8);
+    } else {
+        memcpy(ctx->iv + ctx->ivlen - arg, out, arg);
+        if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
+            goto err;
+    }
+    ctx->iv_state = IV_STATE_COPIED;
+
+    /* Fix buffer and length to point to payload */
+    in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
+    out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
+    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
+
+    tag = ctx->enc ? out + len : (unsigned char *)in + len;
+    if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
+                          EVP_GCM_TLS_TAG_LEN)) {
+        if (!ctx->enc)
+            OPENSSL_cleanse(out, len);
+        goto err;
+    }
+    if (ctx->enc)
+        plen =  len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
+    else
+        plen = len;
+
+    rv = 1;
+err:
+    ctx->iv_state = IV_STATE_FINISHED;
+    ctx->tls_aad_len = -1;
+    *padlen = plen;
+    return rv;
+}
diff --git a/providers/common/ciphers/cipher_gcm.h b/providers/common/ciphers/cipher_gcm.h
new file mode 100644 (file)
index 0000000..59bbeee
--- /dev/null
@@ -0,0 +1,165 @@
+
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/aes.h>
+
+typedef struct prov_gcm_hw_st PROV_GCM_HW;
+
+#define GCM_IV_DEFAULT_SIZE 12/* IV's for AES_GCM should normally be 12 bytes */
+#define GCM_IV_MAX_SIZE     64
+#define GCM_TAG_MAX_SIZE    16
+
+/* TODO(3.0) Figure out what flags are really needed */
+#define AEAD_FLAGS (EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1     \
+                       | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER      \
+                       | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT        \
+                       | EVP_CIPH_CUSTOM_COPY)
+
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+/*-
+ * KMA-GCM-AES parameter block - begin
+ * (see z/Architecture Principles of Operation >= SA22-7832-11)
+ */
+typedef struct S390X_kma_params_st {
+    unsigned char reserved[12];
+    union {
+        unsigned int w;
+        unsigned char b[4];
+    } cv; /* 32 bit counter value */
+    union {
+        unsigned long long g[2];
+        unsigned char b[16];
+    } t; /* tag */
+    unsigned char h[16]; /* hash subkey */
+    unsigned long long taadl; /* total AAD length */
+    unsigned long long tpcl; /* total plaintxt/ciphertxt len */
+    union {
+        unsigned long long g[2];
+        unsigned int w[4];
+    } j0;                   /* initial counter value */
+    unsigned char k[32];    /* key */
+} S390X_KMA_PARAMS;
+
+#endif
+
+typedef struct prov_gcm_ctx_st {
+    int enc;                /* Set to 1 if we are encrypting or 0 otherwise */
+    int mode;               /* The mode that we are using */
+    size_t keylen;
+    int ivlen;
+    size_t ivlen_min;
+    int taglen;
+    int key_set;            /* Set if key initialised */
+    int iv_state;           /* set to one of IV_STATE_XXX */
+    int iv_gen_rand;        /* No IV was specified, so generate a rand IV */
+    int iv_gen;             /* It is OK to generate IVs */
+    int tls_aad_pad_sz;
+    int tls_aad_len;        /* TLS AAD length */
+    uint64_t tls_enc_records;   /* Number of TLS records encrypted */
+
+    /*
+     * num contains the number of bytes of |iv| which are valid for modes that
+     * manage partial blocks themselves.
+     */
+    size_t num;
+    size_t bufsz;           /* Number of bytes in buf */
+    uint64_t flags;
+
+    unsigned int pad : 1;   /* Whether padding should be used or not */
+
+    unsigned char iv[GCM_IV_MAX_SIZE]; /* Buffer to use for IV's */
+    unsigned char buf[AES_BLOCK_SIZE];     /* Buffer of partial blocks processed via update calls */
+
+    OPENSSL_CTX *libctx;    /* needed for rand calls */
+    const PROV_GCM_HW *hw;  /* hardware specific methods */
+    GCM128_CONTEXT gcm;
+    ctr128_f ctr;
+    const void *ks;
+} PROV_GCM_CTX;
+
+typedef struct prov_aes_gcm_ctx_st {
+    PROV_GCM_CTX base;          /* must be first entry in struct */
+    union {
+        OSSL_UNION_ALIGN;
+        AES_KEY ks;
+    } ks;                       /* AES key schedule to use */
+
+    /* Platform specific data */
+    union {
+        int dummy;
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+        struct {
+            union {
+                OSSL_UNION_ALIGN;
+                S390X_KMA_PARAMS kma;
+            } param;
+            unsigned int fc;
+            unsigned char ares[16];
+            unsigned char mres[16];
+            unsigned char kres[16];
+            int areslen;
+            int mreslen;
+            int kreslen;
+            int res;
+        } s390x;
+#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
+    } plat;
+} PROV_AES_GCM_CTX;
+
+PROV_CIPHER_FUNC(int, GCM_setkey, (PROV_GCM_CTX *ctx, const unsigned char *key,
+                                   size_t keylen));
+PROV_CIPHER_FUNC(int, GCM_setiv, (PROV_GCM_CTX *dat, const unsigned char *iv,
+                                  size_t ivlen));
+PROV_CIPHER_FUNC(int, GCM_aadupdate, (PROV_GCM_CTX *ctx,
+                                      const unsigned char *aad, size_t aadlen));
+PROV_CIPHER_FUNC(int, GCM_cipherupdate, (PROV_GCM_CTX *ctx,
+                                         const unsigned char *in, size_t len,
+                                         unsigned char *out));
+PROV_CIPHER_FUNC(int, GCM_cipherfinal, (PROV_GCM_CTX *ctx, unsigned char *tag));
+PROV_CIPHER_FUNC(int, GCM_oneshot, (PROV_GCM_CTX *ctx, unsigned char *aad,
+                                    size_t aad_len, const unsigned char *in,
+                                    size_t in_len, unsigned char *out,
+                                    unsigned char *tag, size_t taglen));
+struct prov_gcm_hw_st {
+  OSSL_GCM_setkey_fn setkey;
+  OSSL_GCM_setiv_fn setiv;
+  OSSL_GCM_aadupdate_fn aadupdate;
+  OSSL_GCM_cipherupdate_fn cipherupdate;
+  OSSL_GCM_cipherfinal_fn cipherfinal;
+  OSSL_GCM_oneshot_fn oneshot;
+};
+const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits);
+
+#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
+
+#include "internal/aria.h"
+
+typedef struct prov_aria_gcm_ctx_st {
+    PROV_GCM_CTX base;              /* must be first entry in struct */
+    union {
+        OSSL_UNION_ALIGN;
+        ARIA_KEY ks;
+    } ks;
+} PROV_ARIA_GCM_CTX;
+const PROV_GCM_HW *PROV_ARIA_HW_gcm(size_t keybits);
+
+#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
+
+OSSL_OP_cipher_encrypt_init_fn gcm_einit;
+OSSL_OP_cipher_decrypt_init_fn gcm_dinit;
+OSSL_OP_cipher_get_ctx_params_fn gcm_get_ctx_params;
+OSSL_OP_cipher_set_ctx_params_fn gcm_set_ctx_params;
+OSSL_OP_cipher_cipher_fn gcm_cipher;
+OSSL_OP_cipher_update_fn gcm_stream_update;
+OSSL_OP_cipher_final_fn gcm_stream_final;
+void gcm_deinitctx(PROV_GCM_CTX *ctx);
+void gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
+                 const PROV_GCM_HW *hw, size_t ivlen_min);
+
diff --git a/providers/common/ciphers/cipher_gcm_hw.c b/providers/common/ciphers/cipher_gcm_hw.c
new file mode 100644 (file)
index 0000000..f9ddc4d
--- /dev/null
@@ -0,0 +1,201 @@
+/*
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_locl.h"
+
+static const PROV_GCM_HW aes_gcm;
+
+static int gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen);
+static int gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad,
+                          size_t aad_len);
+static int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag);
+static int gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len,
+                        const unsigned char *in, size_t in_len,
+                        unsigned char *out, unsigned char *tag, size_t tag_len);
+static int gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
+                             size_t len, unsigned char *out);
+
+#define SET_KEY_CTR_FN(ks, fn_set_enc_key, fn_block, fn_ctr)                   \
+    ctx->ks = ks;                                                              \
+    fn_set_enc_key(key, keylen * 8, ks);                                       \
+    CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)fn_block);                   \
+    ctx->ctr = (ctr128_f)fn_ctr;                                               \
+    ctx->key_set = 1;
+
+#if defined(AESNI_CAPABLE)
+# include "cipher_aes_gcm_hw_aesni.inc"
+#elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
+# include "cipher_aes_gcm_hw_t4.inc"
+#elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+# include "cipher_aes_gcm_hw_s390x.inc"
+#else
+const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
+{
+    return &aes_gcm;
+}
+#endif
+
+static int generic_aes_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+                                   size_t keylen)
+{
+    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+    AES_KEY *ks = &actx->ks.ks;
+
+# ifdef HWAES_CAPABLE
+    if (HWAES_CAPABLE) {
+#  ifdef HWAES_ctr32_encrypt_blocks
+        SET_KEY_CTR_FN(ks, HWAES_set_encrypt_key, HWAES_encrypt,
+                       HWAES_ctr32_encrypt_blocks);
+#  else
+        SET_KEY_CTR_FN(ks, HWAES_set_encrypt_key, HWAES_encrypt, NULL);
+#  endif /* HWAES_ctr32_encrypt_blocks */
+    } else
+# endif /* HWAES_CAPABLE */
+
+# ifdef BSAES_CAPABLE
+    if (BSAES_CAPABLE) {
+        SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt,
+                       bsaes_ctr32_encrypt_blocks);
+    } else
+# endif /* BSAES_CAPABLE */
+
+# ifdef VPAES_CAPABLE
+    if (VPAES_CAPABLE) {
+        SET_KEY_CTR_FN(ks, vpaes_set_encrypt_key, vpaes_encrypt, NULL);
+    } else
+# endif /* VPAES_CAPABLE */
+
+    {
+# ifdef AES_CTR_ASM
+        SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt, AES_ctr32_encrypt);
+# else
+        SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt, NULL);
+# endif /* AES_CTR_ASM */
+    }
+    ctx->key_set = 1;
+    return 1;
+}
+
+static int gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen)
+{
+    CRYPTO_gcm128_setiv(&ctx->gcm, iv, ivlen);
+    return 1;
+}
+
+static int gcm_aad_update(PROV_GCM_CTX *ctx,
+                          const unsigned char *aad, size_t aad_len)
+{
+    return CRYPTO_gcm128_aad(&ctx->gcm, aad, aad_len) == 0;
+}
+
+static int gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
+                             size_t len, unsigned char *out)
+{
+    if (ctx->enc) {
+        if (ctx->ctr != NULL) {
+#if defined(AES_GCM_ASM)
+            size_t bulk = 0;
+
+            if (len >= 32 && AES_GCM_ASM(ctx)) {
+                size_t res = (16 - ctx->gcm.mres) % 16;
+
+                if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, res))
+                    return 0;
+                bulk = aesni_gcm_encrypt(in + res, out + res, len - res,
+                                         ctx->gcm.key,
+                                         ctx->gcm.Yi.c, ctx->gcm.Xi.u);
+                ctx->gcm.len.u[1] += bulk;
+                bulk += res;
+            }
+            if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in + bulk, out + bulk,
+                                            len - bulk, ctx->ctr))
+                return 0;
+#else
+            if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr))
+                return 0;
+#endif /* AES_GCM_ASM */
+        } else {
+            if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len))
+                return 0;
+        }
+    } else {
+        if (ctx->ctr != NULL) {
+#if defined(AES_GCM_ASM)
+            size_t bulk = 0;
+
+            if (len >= 16 && AES_GCM_ASM(ctx)) {
+                size_t res = (16 - ctx->gcm.mres) % 16;
+
+                if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, res))
+                    return -1;
+
+                bulk = aesni_gcm_decrypt(in + res, out + res, len - res,
+                                         ctx->gcm.key,
+                                         ctx->gcm.Yi.c, ctx->gcm.Xi.u);
+                ctx->gcm.len.u[1] += bulk;
+                bulk += res;
+            }
+            if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in + bulk, out + bulk,
+                                            len - bulk, ctx->ctr))
+                return 0;
+#else
+            if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr))
+                return 0;
+#endif /* AES_GCM_ASM */
+        } else {
+            if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, len))
+                return 0;
+        }
+    }
+    return 1;
+}
+
+static int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag)
+{
+    if (ctx->enc) {
+        CRYPTO_gcm128_tag(&ctx->gcm, tag, GCM_TAG_MAX_SIZE);
+        ctx->taglen = GCM_TAG_MAX_SIZE;
+    } else {
+        if (ctx->taglen < 0
+            || CRYPTO_gcm128_finish(&ctx->gcm, tag, ctx->taglen) != 0)
+            return 0;
+    }
+    return 1;
+}
+
+static int gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len,
+                        const unsigned char *in, size_t in_len,
+                        unsigned char *out, unsigned char *tag, size_t tag_len)
+{
+    int ret = 0;
+
+    /* Use saved AAD */
+    if (!ctx->hw->aadupdate(ctx, aad, aad_len))
+        goto err;
+    if (!ctx->hw->cipherupdate(ctx, in, in_len, out))
+        goto err;
+    ctx->taglen = GCM_TAG_MAX_SIZE;
+    if (!ctx->hw->cipherfinal(ctx, tag))
+        goto err;
+    ret = 1;
+
+err:
+    return ret;
+}
+
+static const PROV_GCM_HW aes_gcm = {
+    generic_aes_gcm_initkey,
+    gcm_setiv,
+    gcm_aad_update,
+    gcm_cipher_update,
+    gcm_cipher_final,
+    gcm_one_shot
+};
+
+#include "cipher_aria_gcm_hw.inc"
diff --git a/providers/common/ciphers/cipher_locl.h b/providers/common/ciphers/cipher_locl.h
new file mode 100644 (file)
index 0000000..9d95a7c
--- /dev/null
@@ -0,0 +1,193 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <openssl/opensslconf.h>
+#include <openssl/params.h>
+#include <openssl/core_numbers.h>
+#include <openssl/core_names.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include "internal/cryptlib.h"
+#include "internal/modes_int.h"
+#include "internal/provider_algs.h"
+#include "internal/providercommonerr.h"
+#include "internal/ciphermode_platform.h"
+
+#define GENERIC_BLOCK_SIZE 16
+#define IV_STATE_UNINITIALISED 0  /* initial state is not initialized */
+#define IV_STATE_BUFFERED      1  /* iv has been copied to the iv buffer */
+#define IV_STATE_COPIED        2  /* iv has been copied from the iv buffer */
+#define IV_STATE_FINISHED      3  /* the iv has been used - so don't reuse it */
+
+#define PROV_CIPHER_FUNC(type, name, args) typedef type (* OSSL_##name##_fn)args
+
+typedef struct prov_cipher_hw_st PROV_CIPHER_HW;
+typedef struct prov_cipher_ctx_st PROV_CIPHER_CTX;
+
+typedef int (PROV_CIPHER_HW_FN)(PROV_CIPHER_CTX *dat, unsigned char *out,
+                                const unsigned char *in, size_t len);
+
+struct prov_cipher_ctx_st {
+    block128_f block;
+    union {
+        cbc128_f cbc;
+        ctr128_f ctr;
+    } stream;
+
+    /*
+     * num contains the number of bytes of |iv| which are valid for modes that
+     * manage partial blocks themselves.
+     */
+    size_t num;
+
+    int mode;
+    int enc;              /* Set to 1 for encrypt, or 0 otherwise */
+    size_t bufsz;         /* Number of bytes in buf */
+    size_t keylen;        /* key size (in bytes) */
+    size_t blocksize;
+    uint64_t flags;
+    unsigned int pad : 1; /* Whether padding should be used or not */
+
+    /* Buffer of partial blocks processed via update calls */
+    unsigned char buf[GENERIC_BLOCK_SIZE];
+    unsigned char iv[GENERIC_BLOCK_SIZE];
+    const PROV_CIPHER_HW *hw; /* hardware specific functions */
+    const void *ks; /* Pointer to algorithm specific key data */
+};
+
+struct prov_cipher_hw_st {
+    int (*init)(PROV_CIPHER_CTX *dat, const uint8_t *key, size_t keylen);
+    PROV_CIPHER_HW_FN *cipher;
+};
+
+OSSL_OP_cipher_encrypt_init_fn cipher_generic_einit;
+OSSL_OP_cipher_decrypt_init_fn cipher_generic_dinit;
+OSSL_OP_cipher_update_fn cipher_generic_block_update;
+OSSL_OP_cipher_final_fn cipher_generic_block_final;
+OSSL_OP_cipher_update_fn cipher_generic_stream_update;
+OSSL_OP_cipher_final_fn cipher_generic_stream_final;
+OSSL_OP_cipher_cipher_fn cipher_generic_cipher;
+OSSL_OP_cipher_get_ctx_params_fn cipher_generic_get_ctx_params;
+OSSL_OP_cipher_set_ctx_params_fn cipher_generic_set_ctx_params;
+OSSL_OP_cipher_gettable_params_fn     cipher_default_gettable_params;
+OSSL_OP_cipher_gettable_ctx_params_fn cipher_default_gettable_ctx_params;
+OSSL_OP_cipher_settable_ctx_params_fn cipher_default_settable_ctx_params;
+OSSL_OP_cipher_gettable_ctx_params_fn cipher_aead_gettable_ctx_params;
+OSSL_OP_cipher_settable_ctx_params_fn cipher_aead_settable_ctx_params;
+int cipher_default_get_params(OSSL_PARAM params[], int md, unsigned long flags,
+                              int kbits, int blkbits, int ivbits);
+void cipher_generic_initkey(void *vctx, int kbits, int blkbits, int mode,
+                            const PROV_CIPHER_HW *ciph);
+
+size_t fillblock(unsigned char *buf, size_t *buflen, size_t blocksize,
+                 const unsigned char **in, size_t *inlen);
+int trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
+                 const unsigned char **in, size_t *inlen);
+void padblock(unsigned char *buf, size_t *buflen, size_t blocksize);
+int unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize);
+
+#include "cipher_aes.h"
+#include "cipher_aria.h"
+#include "cipher_camellia.h"
+#include "cipher_gcm.h"
+#include "cipher_ccm.h"
+
+#define IMPLEMENT_generic_cipher(alg, UCALG, lcmode, UCMODE, flags, kbits,     \
+                                 blkbits, ivbits, typ)                         \
+static OSSL_OP_cipher_get_params_fn alg##_##kbits##_##lcmode##_get_params;     \
+static int alg##_##kbits##_##lcmode##_get_params(OSSL_PARAM params[])          \
+{                                                                              \
+    return cipher_default_get_params(params, EVP_CIPH_##UCMODE##_MODE, flags,  \
+                                     kbits, blkbits, ivbits);                  \
+}                                                                              \
+static OSSL_OP_cipher_newctx_fn alg##_##kbits##_##lcmode##_newctx;             \
+static void * alg##_##kbits##_##lcmode##_newctx(void *provctx)                 \
+{                                                                              \
+     PROV_##UCALG##_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));                   \
+     if (ctx != NULL) {                                                        \
+         cipher_generic_initkey(ctx, kbits, blkbits, EVP_CIPH_##UCMODE##_MODE, \
+                                PROV_CIPHER_HW_##alg##_##lcmode(kbits));       \
+     }                                                                         \
+     return ctx;                                                               \
+}                                                                              \
+const OSSL_DISPATCH alg##kbits##lcmode##_functions[] = {                       \
+    { OSSL_FUNC_CIPHER_NEWCTX,                                                 \
+      (void (*)(void)) alg##_##kbits##_##lcmode##_newctx },                    \
+    { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx },              \
+    { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx },                \
+    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))cipher_generic_einit },   \
+    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))cipher_generic_dinit },   \
+    { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))cipher_generic_##typ##_update },\
+    { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))cipher_generic_##typ##_final },  \
+    { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))cipher_generic_cipher },        \
+    { OSSL_FUNC_CIPHER_GET_PARAMS,                                             \
+      (void (*)(void)) alg##_##kbits##_##lcmode##_get_params },                \
+    { OSSL_FUNC_CIPHER_GET_CTX_PARAMS,                                         \
+      (void (*)(void))cipher_generic_get_ctx_params },                         \
+    { OSSL_FUNC_CIPHER_SET_CTX_PARAMS,                                         \
+      (void (*)(void))cipher_generic_set_ctx_params },                         \
+    { OSSL_FUNC_CIPHER_GETTABLE_PARAMS,                                        \
+      (void (*)(void))cipher_default_gettable_params },                        \
+    { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS,                                    \
+      (void (*)(void))cipher_default_gettable_ctx_params },                    \
+    { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS,                                    \
+     (void (*)(void))cipher_default_settable_ctx_params },                     \
+    { 0, NULL }                                                                \
+};
+
+#define IMPLEMENT_aead_cipher(alg, lc, UCMODE, flags, kbits, blkbits, ivbits)  \
+static OSSL_OP_cipher_get_params_fn alg##_##kbits##_##lc##_get_params;         \
+static int alg##_##kbits##_##lc##_get_params(OSSL_PARAM params[])              \
+{                                                                              \
+    return cipher_default_get_params(params, EVP_CIPH_##UCMODE##_MODE,         \
+                                     flags, kbits, blkbits, ivbits);           \
+}                                                                              \
+static OSSL_OP_cipher_newctx_fn alg##kbits##lc##_newctx;                       \
+static void * alg##kbits##lc##_newctx(void *provctx)                           \
+{                                                                              \
+    return alg##_##lc##_newctx(provctx, kbits);                                \
+}                                                                              \
+const OSSL_DISPATCH alg##kbits##lc##_functions[] = {                           \
+    { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))alg##kbits##lc##_newctx },      \
+    { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))alg##_##lc##_freectx },        \
+    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) lc##_einit },            \
+    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) lc##_dinit },            \
+    { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void)) lc##_stream_update },          \
+    { OSSL_FUNC_CIPHER_FINAL, (void (*)(void)) lc##_stream_final },            \
+    { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void)) lc##_cipher },                 \
+    { OSSL_FUNC_CIPHER_GET_PARAMS,                                             \
+      (void (*)(void)) alg##_##kbits##_##lc##_get_params },                    \
+    { OSSL_FUNC_CIPHER_GET_CTX_PARAMS,                                         \
+      (void (*)(void)) lc##_get_ctx_params },                                  \
+    { OSSL_FUNC_CIPHER_SET_CTX_PARAMS,                                         \
+      (void (*)(void)) lc##_set_ctx_params },                                  \
+    { OSSL_FUNC_CIPHER_GETTABLE_PARAMS,                                        \
+      (void (*)(void))cipher_default_gettable_params },                        \
+    { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS,                                    \
+      (void (*)(void))cipher_aead_gettable_ctx_params },                       \
+    { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS,                                    \
+      (void (*)(void))cipher_aead_settable_ctx_params },                       \
+    { 0, NULL }                                                                \
+}
+
+PROV_CIPHER_HW_FN cipher_hw_generic_cbc;
+PROV_CIPHER_HW_FN cipher_hw_generic_ecb;
+PROV_CIPHER_HW_FN cipher_hw_generic_ofb128;
+PROV_CIPHER_HW_FN cipher_hw_generic_cfb128;
+PROV_CIPHER_HW_FN cipher_hw_generic_cfb8;
+PROV_CIPHER_HW_FN cipher_hw_generic_cfb1;
+PROV_CIPHER_HW_FN cipher_hw_generic_ctr;
+PROV_CIPHER_HW_FN cipher_hw_chunked_cbc;
+PROV_CIPHER_HW_FN cipher_hw_chunked_cfb8;
+PROV_CIPHER_HW_FN cipher_hw_chunked_cfb128;
+PROV_CIPHER_HW_FN cipher_hw_chunked_ofb128;
+#define cipher_hw_chunked_ecb  cipher_hw_generic_ecb
+#define cipher_hw_chunked_ctr  cipher_hw_generic_ctr
+#define cipher_hw_chunked_cfb1 cipher_hw_generic_cfb1
diff --git a/providers/common/ciphers/ciphers_ccm.h b/providers/common/ciphers/ciphers_ccm.h
deleted file mode 100644 (file)
index 1560d28..0000000
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-typedef struct prov_ccm_hw_st PROV_CCM_HW;
-
-#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-/*-
- * KMAC-AES parameter block - begin
- * (see z/Architecture Principles of Operation >= SA22-7832-08)
- */
-typedef struct S390X_kmac_params_st {
-    union {
-        unsigned long long g[2];
-        unsigned char b[16];
-    } icv;
-    unsigned char k[32];
-} S390X_KMAC_PARAMS;
-/* KMAC-AES parameter block - end */
-#endif
-
-/* Base structure that is shared by AES & ARIA for CCM MODE */
-typedef struct prov_ccm_st {
-    int enc;
-    int key_set;                /* Set if key initialised */
-    int iv_set;                 /* Set if an iv is set */
-    int tag_set;                /* Set if tag is valid */
-    int len_set;                /* Set if message length set */
-    size_t l, m;                /* L and M parameters from RFC3610 */
-    size_t keylen;
-    int tls_aad_len;            /* TLS AAD length */
-    int tls_aad_pad_sz;
-    unsigned char iv[AES_BLOCK_SIZE];
-    unsigned char buf[AES_BLOCK_SIZE];
-    CCM128_CONTEXT ccm_ctx;
-    ccm128_f str;
-    const PROV_CCM_HW *hw;      /* hardware specific methods  */
-} PROV_CCM_CTX;
-
-typedef struct prov_aes_ccm_ctx_st {
-    PROV_CCM_CTX base;          /* Must be first */
-    union {
-        OSSL_UNION_ALIGN;
-        /*-
-         * Padding is chosen so that s390x.kmac.k overlaps with ks.ks and
-         * fc with ks.ks.rounds. Remember that on s390x, an AES_KEY's
-         * rounds field is used to store the function code and that the key
-         * schedule is not stored (if aes hardware support is detected).
-         */
-        struct {
-            unsigned char pad[16];
-            AES_KEY ks;
-        } ks;
-#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-        struct {
-            S390X_KMAC_PARAMS kmac;
-            unsigned long long blocks;
-            union {
-                unsigned long long g[2];
-                unsigned char b[AES_BLOCK_SIZE];
-            } nonce;
-            union {
-                unsigned long long g[2];
-                unsigned char b[AES_BLOCK_SIZE];
-            } buf;
-            unsigned char dummy_pad[168];
-            unsigned int fc;    /* fc has same offset as ks.ks.rounds */
-        } s390x;
-#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
-    } ccm;
-} PROV_AES_CCM_CTX;
-
-PROV_CIPHER_FUNC(int, CCM_cipher, (PROV_CCM_CTX *ctx, unsigned char *out,      \
-                                   size_t *padlen, const unsigned char *in,    \
-                                   size_t len));
-PROV_CIPHER_FUNC(int, CCM_setkey, (PROV_CCM_CTX *ctx,                          \
-                                   const unsigned char *key, size_t keylen));
-PROV_CIPHER_FUNC(int, CCM_setiv, (PROV_CCM_CTX *dat,                           \
-                                  const unsigned char *iv, size_t ivlen,       \
-                                  size_t mlen));
-PROV_CIPHER_FUNC(int, CCM_setaad, (PROV_CCM_CTX *ctx,                          \
-                                   const unsigned char *aad, size_t aadlen));
-PROV_CIPHER_FUNC(int, CCM_auth_encrypt, (PROV_CCM_CTX *ctx,                    \
-                                         const unsigned char *in,              \
-                                         unsigned char *out, size_t len,       \
-                                         unsigned char *tag, size_t taglen));
-PROV_CIPHER_FUNC(int, CCM_auth_decrypt, (PROV_CCM_CTX *ctx,                    \
-                                         const unsigned char *in,              \
-                                         unsigned char *out, size_t len,       \
-                                         unsigned char *tag, size_t taglen));
-PROV_CIPHER_FUNC(int, CCM_gettag, (PROV_CCM_CTX *ctx,                          \
-                                   unsigned char *tag,  size_t taglen));
-
-/*
- * CCM Mode internal method table used to handle hardware specific differences,
- * (and different algorithms).
- */
-struct prov_ccm_hw_st {
-    OSSL_CCM_setkey_fn setkey;
-    OSSL_CCM_setiv_fn setiv;
-    OSSL_CCM_setaad_fn setaad;
-    OSSL_CCM_auth_encrypt_fn auth_encrypt;
-    OSSL_CCM_auth_decrypt_fn auth_decrypt;
-    OSSL_CCM_gettag_fn gettag;
-};
-
-const PROV_CCM_HW *PROV_AES_HW_ccm(size_t keylen);
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-# include "internal/aria.h"
-typedef struct prov_aria_ccm_ctx_st {
-    PROV_CCM_CTX base; /* Must be first */
-    union {
-        OSSL_UNION_ALIGN;
-        ARIA_KEY ks;
-    } ks;                       /* ARIA key schedule to use */
-} PROV_ARIA_CCM_CTX;
-
-const PROV_CCM_HW *PROV_ARIA_HW_ccm(size_t keylen);
-#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
diff --git a/providers/common/ciphers/ciphers_common.c b/providers/common/ciphers/ciphers_common.c
deleted file mode 100644 (file)
index 1423092..0000000
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/core_names.h>
-#include <openssl/params.h>
-#include "ciphers_locl.h"
-#include "internal/provider_algs.h"
-#include "internal/providercommonerr.h"
-
-/*-
- * Default cipher functions for OSSL_PARAM gettables and settables
- */
-static const OSSL_PARAM cipher_known_gettable_params[] = {
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_MODE, NULL),
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_BLOCK_SIZE, NULL),
-    OSSL_PARAM_END
-};
-const OSSL_PARAM *cipher_default_gettable_params(void)
-{
-    return cipher_known_gettable_params;
-}
-
-int cipher_default_get_params(OSSL_PARAM params[], int md, unsigned long flags,
-                              int kbits, int blkbits, int ivbits)
-{
-    OSSL_PARAM *p;
-
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_MODE);
-    if (p != NULL && !OSSL_PARAM_set_int(p, md)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_FLAGS);
-    if (p != NULL && !OSSL_PARAM_set_ulong(p, flags)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
-    if (p != NULL && !OSSL_PARAM_set_int(p, kbits / 8)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_BLOCK_SIZE);
-    if (p != NULL && !OSSL_PARAM_set_int(p, blkbits / 8)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
-    if (p != NULL && !OSSL_PARAM_set_int(p, ivbits / 8)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-    return 1;
-}
-
-static const OSSL_PARAM cipher_known_gettable_ctx_params[] = {
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_PADDING, NULL),
-    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_NUM, NULL),
-    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
-    OSSL_PARAM_END
-};
-const OSSL_PARAM *cipher_default_gettable_ctx_params(void)
-{
-    return cipher_known_gettable_ctx_params;
-}
-
-static const OSSL_PARAM cipher_known_settable_ctx_params[] = {
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_PADDING, NULL),
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_NUM, NULL),
-    OSSL_PARAM_END
-};
-const OSSL_PARAM *cipher_default_settable_ctx_params(void)
-{
-    return cipher_known_settable_ctx_params;
-}
-
-/*-
- * AEAD cipher functions for OSSL_PARAM gettables and settables
- */
-static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_IVLEN, NULL),
-    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
-    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
-    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
-    OSSL_PARAM_END
-};
-const OSSL_PARAM *cipher_aead_gettable_ctx_params(void)
-{
-    return cipher_aead_known_gettable_ctx_params;
-}
-
-static const OSSL_PARAM cipher_aead_known_settable_ctx_params[] = {
-    OSSL_PARAM_int(OSSL_CIPHER_PARAM_KEYLEN, NULL),
-    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
-    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
-    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0),
-    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, NULL, 0),
-    OSSL_PARAM_END
-};
-const OSSL_PARAM *cipher_aead_settable_ctx_params(void)
-{
-    return cipher_aead_known_settable_ctx_params;
-}
diff --git a/providers/common/ciphers/ciphers_gcm.h b/providers/common/ciphers/ciphers_gcm.h
deleted file mode 100644 (file)
index 8b4698f..0000000
+++ /dev/null
@@ -1,148 +0,0 @@
-
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/aes.h>
-
-typedef struct prov_gcm_hw_st PROV_GCM_HW;
-
-#define GCM_IV_DEFAULT_SIZE 12/* IV's for AES_GCM should normally be 12 bytes */
-#define GCM_IV_MAX_SIZE     64
-#define GCM_TAG_MAX_SIZE    16
-
-
-#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-/*-
- * KMA-GCM-AES parameter block - begin
- * (see z/Architecture Principles of Operation >= SA22-7832-11)
- */
-typedef struct S390X_kma_params_st {
-    unsigned char reserved[12];
-    union {
-        unsigned int w;
-        unsigned char b[4];
-    } cv; /* 32 bit counter value */
-    union {
-        unsigned long long g[2];
-        unsigned char b[16];
-    } t; /* tag */
-    unsigned char h[16]; /* hash subkey */
-    unsigned long long taadl; /* total AAD length */
-    unsigned long long tpcl; /* total plaintxt/ciphertxt len */
-    union {
-        unsigned long long g[2];
-        unsigned int w[4];
-    } j0;                   /* initial counter value */
-    unsigned char k[32];    /* key */
-} S390X_KMA_PARAMS;
-
-#endif
-
-typedef struct prov_gcm_ctx_st {
-    int enc;                /* Set to 1 if we are encrypting or 0 otherwise */
-    int mode;               /* The mode that we are using */
-    size_t keylen;
-    int ivlen;
-    size_t ivlen_min;
-    int taglen;
-    int key_set;            /* Set if key initialised */
-    int iv_state;           /* set to one of IV_STATE_XXX */
-    int iv_gen_rand;        /* No IV was specified, so generate a rand IV */
-    int iv_gen;             /* It is OK to generate IVs */
-    int tls_aad_pad_sz;
-    int tls_aad_len;        /* TLS AAD length */
-    uint64_t tls_enc_records;   /* Number of TLS records encrypted */
-
-    /*
-     * num contains the number of bytes of |iv| which are valid for modes that
-     * manage partial blocks themselves.
-     */
-    size_t num;
-    size_t bufsz;           /* Number of bytes in buf */
-    uint64_t flags;
-
-    unsigned int pad : 1;   /* Whether padding should be used or not */
-
-    unsigned char iv[GCM_IV_MAX_SIZE]; /* Buffer to use for IV's */
-    unsigned char buf[AES_BLOCK_SIZE];     /* Buffer of partial blocks processed via update calls */
-
-    OPENSSL_CTX *libctx;    /* needed for rand calls */
-    const PROV_GCM_HW *hw;  /* hardware specific methods */
-    GCM128_CONTEXT gcm;
-    ctr128_f ctr;
-    const void *ks;
-} PROV_GCM_CTX;
-
-typedef struct prov_aes_gcm_ctx_st {
-    PROV_GCM_CTX base;          /* must be first entry in struct */
-    union {
-        OSSL_UNION_ALIGN;
-        AES_KEY ks;
-    } ks;                       /* AES key schedule to use */
-
-    /* Platform specific data */
-    union {
-        int dummy;
-#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-        struct {
-            union {
-                OSSL_UNION_ALIGN;
-                S390X_KMA_PARAMS kma;
-            } param;
-            unsigned int fc;
-            unsigned char ares[16];
-            unsigned char mres[16];
-            unsigned char kres[16];
-            int areslen;
-            int mreslen;
-            int kreslen;
-            int res;
-        } s390x;
-#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
-    } plat;
-} PROV_AES_GCM_CTX;
-
-PROV_CIPHER_FUNC(int, GCM_setkey, (PROV_GCM_CTX *ctx, const unsigned char *key,
-                                   size_t keylen));
-PROV_CIPHER_FUNC(int, GCM_setiv, (PROV_GCM_CTX *dat, const unsigned char *iv,
-                                  size_t ivlen));
-PROV_CIPHER_FUNC(int, GCM_aadupdate, (PROV_GCM_CTX *ctx,
-                                      const unsigned char *aad, size_t aadlen));
-PROV_CIPHER_FUNC(int, GCM_cipherupdate, (PROV_GCM_CTX *ctx,
-                                         const unsigned char *in, size_t len,
-                                         unsigned char *out));
-PROV_CIPHER_FUNC(int, GCM_cipherfinal, (PROV_GCM_CTX *ctx, unsigned char *tag));
-PROV_CIPHER_FUNC(int, GCM_oneshot, (PROV_GCM_CTX *ctx, unsigned char *aad,
-                                    size_t aad_len, const unsigned char *in,
-                                    size_t in_len, unsigned char *out,
-                                    unsigned char *tag, size_t taglen));
-struct prov_gcm_hw_st {
-  OSSL_GCM_setkey_fn setkey;
-  OSSL_GCM_setiv_fn setiv;
-  OSSL_GCM_aadupdate_fn aadupdate;
-  OSSL_GCM_cipherupdate_fn cipherupdate;
-  OSSL_GCM_cipherfinal_fn cipherfinal;
-  OSSL_GCM_oneshot_fn oneshot;
-};
-const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits);
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-
-#include "internal/aria.h"
-
-typedef struct prov_aria_gcm_ctx_st {
-    PROV_GCM_CTX base;              /* must be first entry in struct */
-    union {
-        OSSL_UNION_ALIGN;
-        ARIA_KEY ks;
-    } ks;
-} PROV_ARIA_GCM_CTX;
-const PROV_GCM_HW *PROV_ARIA_HW_gcm(size_t keybits);
-
-#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
diff --git a/providers/common/ciphers/ciphers_locl.h b/providers/common/ciphers/ciphers_locl.h
deleted file mode 100644 (file)
index 13a2952..0000000
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/opensslconf.h>
-#include <openssl/aes.h>
-#include <openssl/params.h>
-#include <openssl/core_numbers.h>
-#include "internal/cryptlib.h"
-#include "internal/modes_int.h"
-
-#define IV_STATE_UNINITIALISED 0  /* initial state is not initialized */
-#define IV_STATE_BUFFERED      1  /* iv has been copied to the iv buffer */
-#define IV_STATE_COPIED        2  /* iv has been copied from the iv buffer */
-#define IV_STATE_FINISHED      3  /* the iv has been used - so don't reuse it */
-
-#define PROV_CIPHER_FUNC(type, name, args) typedef type (* OSSL_##name##_fn)args
-
-typedef struct prov_aes_cipher_st PROV_AES_CIPHER;
-
-typedef struct prov_aes_key_st {
-    union {
-        OSSL_UNION_ALIGN;
-        AES_KEY ks;
-    } ks;
-    block128_f block;
-    union {
-        cbc128_f cbc;
-        ctr128_f ctr;
-    } stream;
-
-    /* Platform specific data */
-    union {
-        int dummy;
-#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-        struct {
-            union {
-                OSSL_UNION_ALIGN;
-                /*-
-                 * KM-AES parameter block - begin
-                 * (see z/Architecture Principles of Operation >= SA22-7832-06)
-                 */
-                struct {
-                    unsigned char k[32];
-                } km;
-                /* KM-AES parameter block - end */
-                /*-
-                 * KMO-AES/KMF-AES parameter block - begin
-                 * (see z/Architecture Principles of Operation >= SA22-7832-08)
-                 */
-                struct {
-                    unsigned char cv[16];
-                    unsigned char k[32];
-                } kmo_kmf;
-                /* KMO-AES/KMF-AES parameter block - end */
-            } param;
-            unsigned int fc;
-            int res;
-        } s390x;
-#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
-    } plat;
-
-    /* The cipher functions we are going to use */
-    const PROV_AES_CIPHER *ciph;
-
-    /* The mode that we are using */
-    int mode;
-
-    /* Set to 1 if we are encrypting or 0 otherwise */
-    int enc;
-
-    unsigned char iv[AES_BLOCK_SIZE];
-
-    /*
-     * num contains the number of bytes of |iv| which are valid for modes that
-     * manage partial blocks themselves.
-     */
-    size_t num;
-
-    /* Buffer of partial blocks processed via update calls */
-    unsigned char buf[AES_BLOCK_SIZE];
-
-    /* Number of bytes in buf */
-    size_t bufsz;
-
-    uint64_t flags;
-
-    size_t keylen;
-
-    /* Whether padding should be used or not */
-    unsigned int pad : 1;
-} PROV_AES_KEY;
-
-struct prov_aes_cipher_st {
-    int (*init)(PROV_AES_KEY *dat, const uint8_t *key, size_t keylen);
-    int (*cipher)(PROV_AES_KEY *dat, uint8_t *out, const uint8_t *in,
-                size_t inl);
-};
-
-#include "ciphers_gcm.h"
-#include "ciphers_ccm.h"
-
-const PROV_AES_CIPHER *PROV_AES_CIPHER_ecb(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_cbc(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_ofb(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_cfb(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_cfb1(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_cfb8(size_t keylen);
-const PROV_AES_CIPHER *PROV_AES_CIPHER_ctr(size_t keylen);
-
-size_t fillblock(unsigned char *buf, size_t *buflen, size_t blocksize,
-                 const unsigned char **in, size_t *inlen);
-int trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
-                 const unsigned char **in, size_t *inlen);
-void padblock(unsigned char *buf, size_t *buflen, size_t blocksize);
-int unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize);
-
-OSSL_OP_cipher_gettable_params_fn     cipher_default_gettable_params;
-OSSL_OP_cipher_gettable_ctx_params_fn cipher_default_gettable_ctx_params;
-OSSL_OP_cipher_settable_ctx_params_fn cipher_default_settable_ctx_params;
-OSSL_OP_cipher_gettable_ctx_params_fn cipher_aead_gettable_ctx_params;
-OSSL_OP_cipher_settable_ctx_params_fn cipher_aead_settable_ctx_params;
-
-int cipher_default_get_params(OSSL_PARAM params[], int md, unsigned long flags,
-                              int kbits, int blkbits, int ivbits);
-
-#define IMPLEMENT_aead_cipher(alg, lc, UCMODE, flags, kbits, blkbits, ivbits)  \
-    static OSSL_OP_cipher_get_params_fn alg##_##kbits##_##lc##_get_params;     \
-    static int alg##_##kbits##_##lc##_get_params(OSSL_PARAM params[])          \
-    {                                                                          \
-        return cipher_default_get_params(params, EVP_CIPH_##UCMODE##_MODE,     \
-                                         flags, kbits, blkbits, ivbits);       \
-    }                                                                          \
-    static OSSL_OP_cipher_newctx_fn alg##kbits##lc##_newctx;                   \
-    static void * alg##kbits##lc##_newctx(void *provctx)                       \
-    {                                                                          \
-        return alg##_##lc##_newctx(provctx, kbits);                            \
-    }                                                                          \
-    const OSSL_DISPATCH alg##kbits##lc##_functions[] = {                       \
-        { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))alg##kbits##lc##_newctx },  \
-        { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))alg##_##lc##_freectx },    \
-        { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) lc##_einit },        \
-        { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) lc##_dinit },        \
-        { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void)) lc##_stream_update },      \
-        { OSSL_FUNC_CIPHER_FINAL, (void (*)(void)) lc##_stream_final },        \
-        { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void)) lc##_cipher },             \
-        { OSSL_FUNC_CIPHER_GET_PARAMS,                                         \
-            (void (*)(void)) alg##_##kbits##_##lc##_get_params },              \
-        { OSSL_FUNC_CIPHER_GET_CTX_PARAMS,                                     \
-            (void (*)(void)) lc##_get_ctx_params },                            \
-        { OSSL_FUNC_CIPHER_SET_CTX_PARAMS,                                     \
-            (void (*)(void)) lc##_set_ctx_params },                            \
-        { OSSL_FUNC_CIPHER_GETTABLE_PARAMS,                                    \
-                (void (*)(void))cipher_default_gettable_params },              \
-        { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS,                                \
-                (void (*)(void))cipher_aead_gettable_ctx_params },             \
-        { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS,                                \
-                (void (*)(void))cipher_aead_settable_ctx_params },             \
-        { 0, NULL }                                                            \
-    }
diff --git a/providers/common/ciphers/gcm.c b/providers/common/ciphers/gcm.c
deleted file mode 100644 (file)
index 50f79f6..0000000
+++ /dev/null
@@ -1,570 +0,0 @@
-/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/evp.h>
-#include <openssl/params.h>
-#include <openssl/core_numbers.h>
-#include <openssl/core_names.h>
-#include "internal/rand_int.h"
-#include "internal/provider_algs.h"
-#include "internal/provider_ctx.h"
-#include "internal/providercommonerr.h"
-#include "ciphers_locl.h"
-
-/* TODO(3.0) Figure out what flags are really needed */
-#define AEAD_GCM_FLAGS (EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1 \
-                       | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER      \
-                       | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT        \
-                       | EVP_CIPH_CUSTOM_COPY)
-
-static OSSL_OP_cipher_encrypt_init_fn gcm_einit;
-static OSSL_OP_cipher_decrypt_init_fn gcm_dinit;
-static OSSL_OP_cipher_get_ctx_params_fn gcm_get_ctx_params;
-static OSSL_OP_cipher_set_ctx_params_fn gcm_set_ctx_params;
-static OSSL_OP_cipher_cipher_fn gcm_cipher;
-static OSSL_OP_cipher_update_fn gcm_stream_update;
-static OSSL_OP_cipher_final_fn gcm_stream_final;
-
-static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
-static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
-                                size_t len);
-static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
-                          const unsigned char *in, size_t len);
-static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
-                               size_t *padlen, const unsigned char *in,
-                               size_t len);
-
-static void gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
-                        const PROV_GCM_HW *hw, size_t ivlen_min)
-{
-    ctx->pad = 1;
-    ctx->mode = EVP_CIPH_GCM_MODE;
-    ctx->taglen = -1;
-    ctx->tls_aad_len = -1;
-    ctx->ivlen_min = ivlen_min;
-    ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
-    ctx->keylen = keybits / 8;
-    ctx->hw = hw;
-    ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
-}
-
-static void gcm_deinitctx(PROV_GCM_CTX *ctx)
-{
-    OPENSSL_cleanse(ctx->iv, sizeof(ctx->iv));
-}
-
-static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
-                    const unsigned char *iv, size_t ivlen, int enc)
-{
-    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
-
-    ctx->enc = enc;
-
-    if (iv != NULL) {
-        if (ivlen < ctx->ivlen_min || ivlen > sizeof(ctx->iv)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
-            return 0;
-        }
-        ctx->ivlen = ivlen;
-        memcpy(ctx->iv, iv, ctx->ivlen);
-        ctx->iv_state = IV_STATE_BUFFERED;
-    }
-
-    if (key != NULL) {
-        if (keylen != ctx->keylen) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
-            return 0;
-        }
-        return ctx->hw->setkey(ctx, key, ctx->keylen);
-    }
-    return 1;
-}
-
-static int gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
-                     const unsigned char *iv, size_t ivlen)
-{
-    return gcm_init(vctx, key, keylen, iv, ivlen, 1);
-}
-
-static int gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                     const unsigned char *iv, size_t ivlen)
-{
-    return gcm_init(vctx, key, keylen, iv, ivlen, 0);
-}
-
-static int gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
-{
-    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
-    OSSL_PARAM *p;
-    size_t sz;
-
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
-    if (p != NULL && !OSSL_PARAM_set_int(p, ctx->ivlen)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
-    if (p != NULL && !OSSL_PARAM_set_int(p, ctx->keylen)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
-    if (p != NULL) {
-        if (ctx->iv_gen != 1 && ctx->iv_gen_rand != 1)
-            return 0;
-        if (ctx->ivlen != (int)p->data_size) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
-            return 0;
-        }
-        if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-            return 0;
-        }
-    }
-
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
-    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-        return 0;
-    }
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
-    if (p != NULL) {
-        sz = p->data_size;
-        if (sz == 0 || sz > EVP_GCM_TLS_TAG_LEN || !ctx->enc || ctx->taglen < 0) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
-            return 0;
-        }
-        if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-            return 0;
-        }
-    }
-    return 1;
-}
-
-static int gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
-{
-    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
-    const OSSL_PARAM *p;
-    size_t sz;
-    void *vp;
-
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
-    if (p != NULL) {
-        vp = ctx->buf;
-        if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        if (sz == 0 || ctx->enc) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
-            return 0;
-        }
-        ctx->taglen = sz;
-    }
-
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
-    if (p != NULL) {
-        if (!OSSL_PARAM_get_size_t(p, &sz)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        if (sz == 0 || sz > sizeof(ctx->iv)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
-            return 0;
-        }
-        ctx->ivlen = sz;
-    }
-
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
-    if (p != NULL) {
-        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        sz = gcm_tls_init(ctx, p->data, p->data_size);
-        if (sz == 0) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
-            return 0;
-        }
-        ctx->tls_aad_pad_sz = sz;
-    }
-
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
-    if (p != NULL) {
-        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-    }
-
-    /*
-     * TODO(3.0) Temporary solution to address fuzz test crash, which will be
-     * reworked once the discussion in PR #9510 is resolved. i.e- We need a
-     * general solution for handling missing parameters inside set_params and
-     * get_params methods.
-     */
-    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
-    if (p != NULL) {
-        int keylen;
-
-        if (!OSSL_PARAM_get_int(p, &keylen)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
-        /* The key length can not be modified for gcm mode */
-        if (keylen != (int)ctx->keylen)
-            return 0;
-    }
-
-    return 1;
-}
-
-static int gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
-                             size_t outsize, const unsigned char *in,
-                             size_t inl)
-{
-    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
-
-    if (outsize < inl) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-        return -1;
-    }
-
-    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
-        return -1;
-    }
-    return 1;
-}
-
-static int gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
-                            size_t outsize)
-{
-    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
-    int i;
-
-    i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
-    if (i <= 0)
-        return 0;
-
-    *outl = 0;
-    return 1;
-}
-
-static int gcm_cipher(void *vctx,
-                      unsigned char *out, size_t *outl, size_t outsize,
-                      const unsigned char *in, size_t inl)
-{
-    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
-
-    if (outsize < inl) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-        return -1;
-    }
-
-    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
-        return -1;
-
-    *outl = inl;
-    return 1;
-}
-
-/*
- * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
- *
- * See also 8.2.2 RBG-based construction.
- * Random construction consists of a free field (which can be NULL) and a
- * random field which will use a DRBG that can return at least 96 bits of
- * entropy strength. (The DRBG must be seeded by the FIPS module).
- */
-static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
-{
-    int sz = ctx->ivlen - offset;
-
-    /* Must be at least 96 bits */
-    if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
-        return 0;
-
-    /* Use DRBG to generate random iv */
-    if (rand_bytes_ex(ctx->libctx, ctx->iv + offset, sz) <= 0)
-        return 0;
-    ctx->iv_state = IV_STATE_BUFFERED;
-    ctx->iv_gen_rand = 1;
-    return 1;
-}
-
-static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
-                               size_t *padlen, const unsigned char *in,
-                               size_t len)
-{
-    size_t olen = 0;
-    int rv = 0;
-    const PROV_GCM_HW *hw = ctx->hw;
-
-    if (ctx->tls_aad_len >= 0)
-        return gcm_tls_cipher(ctx, out, padlen, in, len);
-
-    if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
-        goto err;
-
-    /*
-     * FIPS requires generation of AES-GCM IV's inside the FIPS module.
-     * The IV can still be set externally (the security policy will state that
-     * this is not FIPS compliant). There are some applications
-     * where setting the IV externally is the only option available.
-     */
-    if (ctx->iv_state == IV_STATE_UNINITIALISED) {
-        if (!ctx->enc || !gcm_iv_generate(ctx, 0))
-            goto err;
-    }
-
-    if (ctx->iv_state == IV_STATE_BUFFERED) {
-        if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
-            goto err;
-        ctx->iv_state = IV_STATE_COPIED;
-    }
-
-    if (in != NULL) {
-        /*  The input is AAD if out is NULL */
-        if (out == NULL) {
-            if (!hw->aadupdate(ctx, in, len))
-                goto err;
-        } else {
-            /* The input is ciphertext OR plaintext */
-            if (!hw->cipherupdate(ctx, in, len, out))
-                goto err;
-        }
-    } else {
-        /* Finished when in == NULL */
-        if (!hw->cipherfinal(ctx, ctx->buf))
-            goto err;
-        ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
-        goto finish;
-    }
-    olen = len;
-finish:
-    rv = 1;
-err:
-    *padlen = olen;
-    return rv;
-}
-
-static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
-{
-    unsigned char *buf;
-    size_t len;
-
-    if (aad_len != EVP_AEAD_TLS1_AAD_LEN)
-       return 0;
-
-    /* Save the aad for later use. */
-    buf = dat->buf;
-    memcpy(buf, aad, aad_len);
-    dat->tls_aad_len = aad_len;
-    dat->tls_enc_records = 0;
-
-    len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
-    /* Correct length for explicit iv. */
-    if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
-        return 0;
-    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
-
-    /* If decrypting correct for tag too. */
-    if (!dat->enc) {
-        if (len < EVP_GCM_TLS_TAG_LEN)
-            return 0;
-        len -= EVP_GCM_TLS_TAG_LEN;
-    }
-    buf[aad_len - 2] = (unsigned char)(len >> 8);
-    buf[aad_len - 1] = (unsigned char)(len & 0xff);
-    /* Extra padding: tag appended to record. */
-    return EVP_GCM_TLS_TAG_LEN;
-}
-
-static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
-                                size_t len)
-{
-    /* Special case: -1 length restores whole IV */
-    if (len == (size_t)-1) {
-        memcpy(ctx->iv, iv, ctx->ivlen);
-        ctx->iv_gen = 1;
-        ctx->iv_state = IV_STATE_BUFFERED;
-        return 1;
-    }
-    /* Fixed field must be at least 4 bytes and invocation field at least 8 */
-    if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
-        || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
-            return 0;
-    if (len > 0)
-        memcpy(ctx->iv, iv, len);
-    if (ctx->enc
-        && rand_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len) <= 0)
-            return 0;
-    ctx->iv_gen = 1;
-    ctx->iv_state = IV_STATE_BUFFERED;
-    return 1;
-}
-
-/* increment counter (64-bit int) by 1 */
-static void ctr64_inc(unsigned char *counter)
-{
-    int n = 8;
-    unsigned char c;
-
-    do {
-        --n;
-        c = counter[n];
-        ++c;
-        counter[n] = c;
-        if (c > 0)
-            return;
-    } while (n > 0);
-}
-
-/*
- * Handle TLS GCM packet format. This consists of the last portion of the IV
- * followed by the payload and finally the tag. On encrypt generate IV,
- * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
- * and verify tag.
- */
-static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
-                          const unsigned char *in, size_t len)
-{
-    int rv = 0, arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
-    size_t plen = 0;
-    unsigned char *tag = NULL;
-
-    if (!ctx->key_set)
-        goto err;
-
-    /* Encrypt/decrypt must be performed in place */
-    if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
-        goto err;
-
-    /*
-     * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
-     * Requirements from SP 800-38D".  The requirements is for one party to the
-     * communication to fail after 2^64 - 1 keys.  We do this on the encrypting
-     * side only.
-     */
-    if (ctx->enc && ++ctx->tls_enc_records == 0) {
-        ERR_raise(ERR_LIB_PROV, EVP_R_TOO_MANY_RECORDS);
-        goto err;
-    }
-
-    if (ctx->iv_gen == 0)
-        goto err;
-    /*
-     * Set IV from start of buffer or generate IV and write to start of
-     * buffer.
-     */
-    if (ctx->enc) {
-        if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
-            goto err;
-        if (arg > ctx->ivlen)
-            arg = ctx->ivlen;
-        memcpy(out, ctx->iv + ctx->ivlen - arg, arg);
-        /*
-         * Invocation field will be at least 8 bytes in size and so no need
-         * to check wrap around or increment more than last 8 bytes.
-         */
-        ctr64_inc(ctx->iv + ctx->ivlen - 8);
-    } else {
-        memcpy(ctx->iv + ctx->ivlen - arg, out, arg);
-        if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
-            goto err;
-    }
-    ctx->iv_state = IV_STATE_COPIED;
-
-    /* Fix buffer and length to point to payload */
-    in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
-    out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
-    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
-
-    tag = ctx->enc ? out + len : (unsigned char *)in + len;
-    if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
-                          EVP_GCM_TLS_TAG_LEN)) {
-        if (!ctx->enc)
-            OPENSSL_cleanse(out, len);
-        goto err;
-    }
-    if (ctx->enc)
-        plen =  len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
-    else
-        plen = len;
-
-    rv = 1;
-err:
-    ctx->iv_state = IV_STATE_FINISHED;
-    ctx->tls_aad_len = -1;
-    *padlen = plen;
-    return rv;
-}
-
-static void *aes_gcm_newctx(void *provctx, size_t keybits)
-{
-    PROV_AES_GCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
-    if (ctx != NULL)
-        gcm_initctx(provctx, (PROV_GCM_CTX *)ctx, keybits,
-                    PROV_AES_HW_gcm(keybits), 8);
-    return ctx;
-}
-
-static OSSL_OP_cipher_freectx_fn aes_gcm_freectx;
-static void aes_gcm_freectx(void *vctx)
-{
-    PROV_AES_GCM_CTX *ctx = (PROV_AES_GCM_CTX *)vctx;
-
-    gcm_deinitctx((PROV_GCM_CTX *)ctx);
-    OPENSSL_clear_free(ctx,  sizeof(*ctx));
-}
-
-/* aes128gcm_functions */
-IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_GCM_FLAGS, 128, 8, 96);
-/* aes192gcm_functions */
-IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_GCM_FLAGS, 192, 8, 96);
-/* aes256gcm_functions */
-IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_GCM_FLAGS, 256, 8, 96);
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-
-static void *aria_gcm_newctx(void *provctx, size_t keybits)
-{
-    PROV_ARIA_GCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
-    if (ctx != NULL)
-        gcm_initctx(provctx, (PROV_GCM_CTX *)ctx, keybits,
-                    PROV_ARIA_HW_gcm(keybits), 4);
-    return ctx;
-}
-
-static OSSL_OP_cipher_freectx_fn aria_gcm_freectx;
-static void aria_gcm_freectx(void *vctx)
-{
-    PROV_ARIA_GCM_CTX *ctx = (PROV_ARIA_GCM_CTX *)vctx;
-
-    gcm_deinitctx((PROV_GCM_CTX *)ctx);
-    OPENSSL_clear_free(ctx,  sizeof(*ctx));
-}
-
-/* aria128gcm_functions */
-IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_GCM_FLAGS, 128, 8, 96);
-/* aria192gcm_functions */
-IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_GCM_FLAGS, 192, 8, 96);
-/* aria256gcm_functions */
-IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_GCM_FLAGS, 256, 8, 96);
-
-#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
diff --git a/providers/common/ciphers/gcm_hw.c b/providers/common/ciphers/gcm_hw.c
deleted file mode 100644 (file)
index e8c5f66..0000000
+++ /dev/null
@@ -1,307 +0,0 @@
-/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "ciphers_locl.h"
-#include "internal/aes_platform.h"
-
-static const PROV_GCM_HW aes_gcm;
-
-static int gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen);
-static int gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad,
-                          size_t aad_len);
-static int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag);
-static int gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len,
-                        const unsigned char *in, size_t in_len,
-                        unsigned char *out, unsigned char *tag, size_t tag_len);
-static int gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
-                             size_t len, unsigned char *out);
-
-#define SET_KEY_CTR_FN(ks, fn_set_enc_key, fn_block, fn_ctr)                   \
-    ctx->ks = ks;                                                              \
-    fn_set_enc_key(key, keylen * 8, ks);                                       \
-    CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)fn_block);                   \
-    ctx->ctr = (ctr128_f)fn_ctr;                                               \
-    ctx->key_set = 1;
-
-#if defined(AESNI_CAPABLE)
-
-/* AES-NI section */
-static int aesni_gcm_init_key(PROV_GCM_CTX *ctx, const unsigned char *key,
-                              size_t keylen)
-{
-    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
-    AES_KEY *ks = &actx->ks.ks;
-
-    SET_KEY_CTR_FN(ks, aesni_set_encrypt_key, aesni_encrypt,
-                   aesni_ctr32_encrypt_blocks);
-    return 1;
-}
-
-static const PROV_GCM_HW aesni_gcm = {
-    aesni_gcm_init_key,
-    gcm_setiv,
-    gcm_aad_update,
-    gcm_cipher_update,
-    gcm_cipher_final,
-    gcm_one_shot
-};
-
-const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
-{
-    return AESNI_CAPABLE ? &aesni_gcm : &aes_gcm;
-}
-
-#elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
-
-/* Fujitsu SPARC64 X support */
-
-static int t4_aes_gcm_init_key(PROV_GCM_CTX *ctx, const unsigned char *key,
-                               size_t keylen)
-{
-    ctr128_f ctr;
-    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
-    AES_KEY *ks = &actx->ks.ks;
-
-
-    switch (keylen) {
-    case 16:
-        ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
-        break;
-    case 24:
-        ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
-        break;
-    case 32:
-        ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
-        break;
-    default:
-        return 0;
-    }
-
-    SET_KEY_CTR_FN(ks, aes_t4_set_encrypt_key, aes_t4_encrypt, ctr);
-    return 1;
-}
-
-static const PROV_GCM_HW t4_aes_gcm = {
-    t4_aes_gcm_init_key,
-    gcm_setiv,
-    gcm_aad_update,
-    gcm_cipher_update,
-    gcm_cipher_final,
-    gcm_one_shot
-};
-const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
-{
-    return SPARC_AES_CAPABLE ? &t4_aes_gcm : &aes_gcm;
-}
-
-#elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-# include "gcm_s390x.c"
-#else
-const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
-{
-    return &aes_gcm;
-}
-#endif
-
-static int generic_aes_gcm_init_key(PROV_GCM_CTX *ctx, const unsigned char *key,
-                                    size_t keylen)
-{
-    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
-    AES_KEY *ks = &actx->ks.ks;
-
-# ifdef HWAES_CAPABLE
-    if (HWAES_CAPABLE) {
-#  ifdef HWAES_ctr32_encrypt_blocks
-        SET_KEY_CTR_FN(ks, HWAES_set_encrypt_key, HWAES_encrypt,
-                       HWAES_ctr32_encrypt_blocks);
-#  else
-        SET_KEY_CTR_FN(ks, HWAES_set_encrypt_key, HWAES_encrypt, NULL);
-#  endif /* HWAES_ctr32_encrypt_blocks */
-    } else
-# endif /* HWAES_CAPABLE */
-
-# ifdef BSAES_CAPABLE
-    if (BSAES_CAPABLE) {
-        SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt,
-                       bsaes_ctr32_encrypt_blocks);
-    } else
-# endif /* BSAES_CAPABLE */
-
-# ifdef VPAES_CAPABLE
-    if (VPAES_CAPABLE) {
-        SET_KEY_CTR_FN(ks, vpaes_set_encrypt_key, vpaes_encrypt, NULL);
-    } else
-# endif /* VPAES_CAPABLE */
-
-    {
-# ifdef AES_CTR_ASM
-        SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt, AES_ctr32_encrypt);
-# else
-        SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt, NULL);
-# endif /* AES_CTR_ASM */
-    }
-    ctx->key_set = 1;
-    return 1;
-}
-
-static int gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen)
-{
-    CRYPTO_gcm128_setiv(&ctx->gcm, iv, ivlen);
-    return 1;
-}
-
-static int gcm_aad_update(PROV_GCM_CTX *ctx,
-                          const unsigned char *aad, size_t aad_len)
-{
-    return CRYPTO_gcm128_aad(&ctx->gcm, aad, aad_len) == 0;
-}
-
-static int gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
-                             size_t len, unsigned char *out)
-{
-    if (ctx->enc) {
-        if (ctx->ctr != NULL) {
-#if defined(AES_GCM_ASM)
-            size_t bulk = 0;
-
-            if (len >= 32 && AES_GCM_ASM(ctx)) {
-                size_t res = (16 - ctx->gcm.mres) % 16;
-
-                if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, res))
-                    return 0;
-                bulk = aesni_gcm_encrypt(in + res, out + res, len - res,
-                                         ctx->gcm.key,
-                                         ctx->gcm.Yi.c, ctx->gcm.Xi.u);
-                ctx->gcm.len.u[1] += bulk;
-                bulk += res;
-            }
-            if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in + bulk, out + bulk,
-                                            len - bulk, ctx->ctr))
-                return 0;
-#else
-            if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr))
-                return 0;
-#endif /* AES_GCM_ASM */
-        } else {
-            if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len))
-                return 0;
-        }
-    } else {
-        if (ctx->ctr != NULL) {
-#if defined(AES_GCM_ASM)
-            size_t bulk = 0;
-
-            if (len >= 16 && AES_GCM_ASM(ctx)) {
-                size_t res = (16 - ctx->gcm.mres) % 16;
-
-                if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, res))
-                    return -1;
-
-                bulk = aesni_gcm_decrypt(in + res, out + res, len - res,
-                                         ctx->gcm.key,
-                                         ctx->gcm.Yi.c, ctx->gcm.Xi.u);
-                ctx->gcm.len.u[1] += bulk;
-                bulk += res;
-            }
-            if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in + bulk, out + bulk,
-                                            len - bulk, ctx->ctr))
-                return 0;
-#else
-            if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr))
-                return 0;
-#endif /* AES_GCM_ASM */
-        } else {
-            if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, len))
-                return 0;
-        }
-    }
-    return 1;
-}
-
-static int gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag)
-{
-    if (ctx->enc) {
-        CRYPTO_gcm128_tag(&ctx->gcm, tag, GCM_TAG_MAX_SIZE);
-        ctx->taglen = GCM_TAG_MAX_SIZE;
-    } else {
-        if (ctx->taglen < 0
-            || CRYPTO_gcm128_finish(&ctx->gcm, tag, ctx->taglen) != 0)
-            return 0;
-    }
-    return 1;
-}
-
-static int gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len,
-                        const unsigned char *in, size_t in_len,
-                        unsigned char *out, unsigned char *tag, size_t tag_len)
-{
-    int ret = 0;
-
-    /* Use saved AAD */
-    if (!ctx->hw->aadupdate(ctx, aad, aad_len))
-        goto err;
-    if (!ctx->hw->cipherupdate(ctx, in, in_len, out))
-        goto err;
-    ctx->taglen = GCM_TAG_MAX_SIZE;
-    if (!ctx->hw->cipherfinal(ctx, tag))
-        goto err;
-    ret = 1;
-
-err:
-    return ret;
-}
-
-static const PROV_GCM_HW aes_gcm = {
-    generic_aes_gcm_init_key,
-    gcm_setiv,
-    gcm_aad_update,
-    gcm_cipher_update,
-    gcm_cipher_final,
-    gcm_one_shot
-};
-
-#if !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE)
-
-static int aria_gcm_init_key(PROV_GCM_CTX *ctx, const unsigned char *key,
-                             size_t keylen)
-{
-    PROV_ARIA_GCM_CTX *actx = (PROV_ARIA_GCM_CTX *)ctx;
-    ARIA_KEY *ks = &actx->ks.ks;
-
-    SET_KEY_CTR_FN(ks, aria_set_encrypt_key, aria_encrypt, NULL);
-    return 1;
-}
-
-static int aria_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
-                              size_t len, unsigned char *out)
-{
-    if (ctx->enc) {
-        if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len))
-            return 0;
-    } else {
-        if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, len))
-            return 0;
-    }
-    return 1;
-}
-
-static const PROV_GCM_HW aria_gcm = {
-    aria_gcm_init_key,
-    gcm_setiv,
-    gcm_aad_update,
-    aria_cipher_update,
-    gcm_cipher_final,
-    gcm_one_shot
-};
-const PROV_GCM_HW *PROV_ARIA_HW_gcm(size_t keybits)
-{
-    return &aria_gcm;
-}
-
-#endif /* !defined(OPENSSL_NO_ARIA) && !defined(FIPS_MODE) */
diff --git a/providers/common/ciphers/gcm_s390x.c b/providers/common/ciphers/gcm_s390x.c
deleted file mode 100644 (file)
index 68b06c8..0000000
+++ /dev/null
@@ -1,303 +0,0 @@
-/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * IBM S390X AES GCM support
- * Note this file is included by aes_gcm_hw.c
- */
-
-/* iv + padding length for iv lengths != 12 */
-#define S390X_gcm_ivpadlen(i)  ((((i) + 15) >> 4 << 4) + 16)
-
-static int s390x_aes_gcm_init_key(PROV_GCM_CTX *ctx,
-                                  const unsigned char *key, size_t keylen)
-{
-    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
-
-    ctx->key_set = 1;
-    memcpy(&actx->plat.s390x.param.kma.k, key, keylen);
-    actx->plat.s390x.fc = S390X_AES_FC(keylen);
-    if (!ctx->enc)
-        actx->plat.s390x.fc |= S390X_DECRYPT;
-    return 1;
-}
-
-static int s390x_aes_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv,
-                               size_t ivlen)
-{
-    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
-    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
-
-    kma->t.g[0] = 0;
-    kma->t.g[1] = 0;
-    kma->tpcl = 0;
-    kma->taadl = 0;
-    actx->plat.s390x.mreslen = 0;
-    actx->plat.s390x.areslen = 0;
-    actx->plat.s390x.kreslen = 0;
-
-    if (ivlen == GCM_IV_DEFAULT_SIZE) {
-        memcpy(&kma->j0, iv, ivlen);
-        kma->j0.w[3] = 1;
-        kma->cv.w = 1;
-    } else {
-        unsigned long long ivbits = ivlen << 3;
-        size_t len = S390X_gcm_ivpadlen(ivlen);
-        unsigned char iv_zero_pad[S390X_gcm_ivpadlen(GCM_IV_MAX_SIZE)];
-        /*
-         * The IV length needs to be zero padded to be a multiple of 16 bytes
-         * followed by 8 bytes of zeros and 8 bytes for the IV length.
-         * The GHASH of this value can then be calculated.
-         */
-        memcpy(iv_zero_pad, iv, ivlen);
-        memset(iv_zero_pad + ivlen, 0, len - ivlen);
-        memcpy(iv_zero_pad + len - sizeof(ivbits), &ivbits, sizeof(ivbits));
-        /*
-         * Calculate the ghash of the iv - the result is stored into the tag
-         * param.
-         */
-        s390x_kma(iv_zero_pad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
-        actx->plat.s390x.fc |= S390X_KMA_HS; /* The hash subkey is set */
-
-        /* Copy the 128 bit GHASH result into J0 and clear the tag */
-        kma->j0.g[0] = kma->t.g[0];
-        kma->j0.g[1] = kma->t.g[1];
-        kma->t.g[0] = 0;
-        kma->t.g[1] = 0;
-        /* Set the 32 bit counter */
-        kma->cv.w = kma->j0.w[3];
-    }
-    return 1;
-}
-
-static int s390x_aes_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag)
-{
-    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
-    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
-    unsigned char out[AES_BLOCK_SIZE];
-    int rc;
-
-    kma->taadl <<= 3;
-    kma->tpcl <<= 3;
-    s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
-              actx->plat.s390x.mres, actx->plat.s390x.mreslen, out,
-              actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma);
-
-    /* gctx->mres already returned to the caller */
-    OPENSSL_cleanse(out, actx->plat.s390x.mreslen);
-
-    if (ctx->enc) {
-        ctx->taglen = GCM_TAG_MAX_SIZE;
-        memcpy(tag, kma->t.b, ctx->taglen);
-        rc = 1;
-    } else {
-        if (ctx->taglen < 0)
-            rc = 0;
-        else
-            rc = (CRYPTO_memcmp(tag, kma->t.b, ctx->taglen) == 0);
-    }
-    return rc;
-}
-
-static int s390x_aes_gcm_one_shot(PROV_GCM_CTX *ctx,
-                                  unsigned char *aad, size_t aad_len,
-                                  const unsigned char *in, size_t in_len,
-                                  unsigned char *out,
-                                  unsigned char *tag, size_t taglen)
-{
-    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
-    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
-    int rc;
-
-    kma->taadl = aad_len << 3;
-    kma->tpcl = in_len << 3;
-    s390x_kma(aad, aad_len, in, in_len, out,
-              actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma);
-
-    if (ctx->enc) {
-        memcpy(tag, kma->t.b, taglen);
-        rc = 1;
-    } else {
-        rc = (CRYPTO_memcmp(tag, kma->t.b, taglen) == 0);
-    }
-    return rc;
-}
-
-/*
- * Process additional authenticated data. Returns 1 on success. Code is
- * big-endian.
- */
-static int s390x_aes_gcm_aad_update(PROV_GCM_CTX *ctx,
-                                    const unsigned char *aad, size_t len)
-{
-    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
-    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
-    unsigned long long alen;
-    int n, rem;
-
-    /* If already processed pt/ct then error */
-    if (kma->tpcl != 0)
-        return 0;
-
-    /* update the total aad length */
-    alen = kma->taadl + len;
-    if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
-        return 0;
-    kma->taadl = alen;
-
-    /* check if there is any existing aad data from a previous add */
-    n = actx->plat.s390x.areslen;
-    if (n) {
-        /* add additional data to a buffer until it has 16 bytes */
-        while (n && len) {
-            actx->plat.s390x.ares[n] = *aad;
-            ++aad;
-            --len;
-            n = (n + 1) & 0xf;
-        }
-        /* ctx->ares contains a complete block if offset has wrapped around */
-        if (!n) {
-            s390x_kma(actx->plat.s390x.ares, 16, NULL, 0, NULL,
-                      actx->plat.s390x.fc, kma);
-            actx->plat.s390x.fc |= S390X_KMA_HS;
-        }
-        actx->plat.s390x.areslen = n;
-    }
-
-    /* If there are leftover bytes (< 128 bits) save them for next time */
-    rem = len & 0xf;
-    /* Add any remaining 16 byte blocks (128 bit each) */
-    len &= ~(size_t)0xf;
-    if (len) {
-        s390x_kma(aad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
-        actx->plat.s390x.fc |= S390X_KMA_HS;
-        aad += len;
-    }
-
-    if (rem) {
-        actx->plat.s390x.areslen = rem;
-
-        do {
-            --rem;
-            actx->plat.s390x.ares[rem] = aad[rem];
-        } while (rem);
-    }
-    return 1;
-}
-
-/*-
- * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 1 for
- * success. Code is big-endian.
- */
-static int s390x_aes_gcm_cipher_update(PROV_GCM_CTX *ctx,
-                                       const unsigned char *in, size_t len,
-                                       unsigned char *out)
-{
-    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
-    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
-    const unsigned char *inptr;
-    unsigned long long mlen;
-    union {
-        unsigned int w[4];
-        unsigned char b[16];
-    } buf;
-    size_t inlen;
-    int n, rem, i;
-
-    mlen = kma->tpcl + len;
-    if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
-        return 0;
-    kma->tpcl = mlen;
-
-    n = actx->plat.s390x.mreslen;
-    if (n) {
-        inptr = in;
-        inlen = len;
-        while (n && inlen) {
-            actx->plat.s390x.mres[n] = *inptr;
-            n = (n + 1) & 0xf;
-            ++inptr;
-            --inlen;
-        }
-        /* ctx->mres contains a complete block if offset has wrapped around */
-        if (!n) {
-            s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
-                      actx->plat.s390x.mres, 16, buf.b,
-                      actx->plat.s390x.fc | S390X_KMA_LAAD, kma);
-            actx->plat.s390x.fc |= S390X_KMA_HS;
-            actx->plat.s390x.areslen = 0;
-
-            /* previous call already encrypted/decrypted its remainder,
-             * see comment below */
-            n = actx->plat.s390x.mreslen;
-            while (n) {
-                *out = buf.b[n];
-                n = (n + 1) & 0xf;
-                ++out;
-                ++in;
-                --len;
-            }
-            actx->plat.s390x.mreslen = 0;
-        }
-    }
-
-    rem = len & 0xf;
-
-    len &= ~(size_t)0xf;
-    if (len) {
-        s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen, in, len, out,
-                  actx->plat.s390x.fc | S390X_KMA_LAAD, kma);
-        in += len;
-        out += len;
-        actx->plat.s390x.fc |= S390X_KMA_HS;
-        actx->plat.s390x.areslen = 0;
-    }
-
-    /*-
-     * If there is a remainder, it has to be saved such that it can be
-     * processed by kma later. However, we also have to do the for-now
-     * unauthenticated encryption/decryption part here and now...
-     */
-    if (rem) {
-        if (!actx->plat.s390x.mreslen) {
-            buf.w[0] = kma->j0.w[0];
-            buf.w[1] = kma->j0.w[1];
-            buf.w[2] = kma->j0.w[2];
-            buf.w[3] = kma->cv.w + 1;
-            s390x_km(buf.b, 16, actx->plat.s390x.kres,
-                     actx->plat.s390x.fc & 0x1f, &kma->k);
-        }
-
-        n = actx->plat.s390x.mreslen;
-        for (i = 0; i < rem; i++) {
-            actx->plat.s390x.mres[n + i] = in[i];
-            out[i] = in[i] ^ actx->plat.s390x.kres[n + i];
-        }
-        actx->plat.s390x.mreslen += rem;
-    }
-    return 1;
-}
-
-static const PROV_GCM_HW s390x_aes_gcm = {
-    s390x_aes_gcm_init_key,
-    s390x_aes_gcm_setiv,
-    s390x_aes_gcm_aad_update,
-    s390x_aes_gcm_cipher_update,
-    s390x_aes_gcm_cipher_final,
-    s390x_aes_gcm_one_shot
-};
-
-const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
-{
-    if ((keybits == 128 && S390X_aes_128_gcm_CAPABLE)
-         || (keybits == 192 && S390X_aes_192_gcm_CAPABLE)
-         || (keybits == 256 && S390X_aes_256_gcm_CAPABLE))
-        return &s390x_aes_gcm;
-    return &aes_gcm;
-}
index c32fa3b82de26de815c8d379f2258d474387d1f7..cfa88dff421f1d72db4d55131716b767d08a64cd 100644 (file)
@@ -69,7 +69,51 @@ extern const OSSL_DISPATCH aria128gcm_functions[];
 extern const OSSL_DISPATCH aria256ccm_functions[];
 extern const OSSL_DISPATCH aria192ccm_functions[];
 extern const OSSL_DISPATCH aria128ccm_functions[];
+extern const OSSL_DISPATCH aria256ecb_functions[];
+extern const OSSL_DISPATCH aria192ecb_functions[];
+extern const OSSL_DISPATCH aria128ecb_functions[];
+extern const OSSL_DISPATCH aria256cbc_functions[];
+extern const OSSL_DISPATCH aria192cbc_functions[];
+extern const OSSL_DISPATCH aria128cbc_functions[];
+extern const OSSL_DISPATCH aria256ofb_functions[];
+extern const OSSL_DISPATCH aria192ofb_functions[];
+extern const OSSL_DISPATCH aria128ofb_functions[];
+extern const OSSL_DISPATCH aria256cfb_functions[];
+extern const OSSL_DISPATCH aria192cfb_functions[];
+extern const OSSL_DISPATCH aria128cfb_functions[];
+extern const OSSL_DISPATCH aria256cfb1_functions[];
+extern const OSSL_DISPATCH aria192cfb1_functions[];
+extern const OSSL_DISPATCH aria128cfb1_functions[];
+extern const OSSL_DISPATCH aria256cfb8_functions[];
+extern const OSSL_DISPATCH aria192cfb8_functions[];
+extern const OSSL_DISPATCH aria128cfb8_functions[];
+extern const OSSL_DISPATCH aria256ctr_functions[];
+extern const OSSL_DISPATCH aria192ctr_functions[];
+extern const OSSL_DISPATCH aria128ctr_functions[];
 #endif /* OPENSSL_NO_ARIA */
+#ifndef OPENSSL_NO_CAMELLIA
+extern const OSSL_DISPATCH camellia256ecb_functions[];
+extern const OSSL_DISPATCH camellia192ecb_functions[];
+extern const OSSL_DISPATCH camellia128ecb_functions[];
+extern const OSSL_DISPATCH camellia256cbc_functions[];
+extern const OSSL_DISPATCH camellia192cbc_functions[];
+extern const OSSL_DISPATCH camellia128cbc_functions[];
+extern const OSSL_DISPATCH camellia256ofb_functions[];
+extern const OSSL_DISPATCH camellia192ofb_functions[];
+extern const OSSL_DISPATCH camellia128ofb_functions[];
+extern const OSSL_DISPATCH camellia256cfb_functions[];
+extern const OSSL_DISPATCH camellia192cfb_functions[];
+extern const OSSL_DISPATCH camellia128cfb_functions[];
+extern const OSSL_DISPATCH camellia256cfb1_functions[];
+extern const OSSL_DISPATCH camellia192cfb1_functions[];
+extern const OSSL_DISPATCH camellia128cfb1_functions[];
+extern const OSSL_DISPATCH camellia256cfb8_functions[];
+extern const OSSL_DISPATCH camellia192cfb8_functions[];
+extern const OSSL_DISPATCH camellia128cfb8_functions[];
+extern const OSSL_DISPATCH camellia256ctr_functions[];
+extern const OSSL_DISPATCH camellia192ctr_functions[];
+extern const OSSL_DISPATCH camellia128ctr_functions[];
+#endif /* OPENSSL_NO_CAMELLIA */
 
 /* MACs */
 extern const OSSL_DISPATCH blake2bmac_functions[];
index bf8f451d32cfd399b351525925fb7d3eb50f99ce..da5644b50da6bcc143998d55094db83df684a7c5 100644 (file)
@@ -41,7 +41,7 @@ int ERR_load_PROV_strings(void);
 #  define PROV_F_GMAC_SET_PARAMS                           0
 #  define PROV_F_KMAC_SET_PARAMS                           0
 #  define PROV_F_POLY1305_SET_PARAMS                       0
-#  define PROV_F_PROV_AES_KEY_GENERIC_INIT                 0
+#  define PROV_F_PROV_AES_CTX_GENERIC_INIT                 0
 #  define PROV_F_TRAILINGDATA                              0
 #  define PROV_F_UNPADBLOCK                                0
 # endif
index a20e7ddb9bc5972b0c624e0c37ea0b90bac52a50..5664fbe3b2c3c50338ade5a4bda9c2ae7a3f95a8 100644 (file)
@@ -128,7 +128,51 @@ static const OSSL_ALGORITHM deflt_ciphers[] = {
     { "ARIA-256-CCM", "default=yes", aria256ccm_functions },
     { "ARIA-192-CCM", "default=yes", aria192ccm_functions },
     { "ARIA-128-CCM", "default=yes", aria128ccm_functions },
+    { "ARIA-256-ECB", "default=yes", aria256ecb_functions },
+    { "ARIA-192-ECB", "default=yes", aria192ecb_functions },
+    { "ARIA-128-ECB", "default=yes", aria128ecb_functions },
+    { "ARIA-256-CBC", "default=yes", aria256cbc_functions },
+    { "ARIA-192-CBC", "default=yes", aria192cbc_functions },
+    { "ARIA-128-CBC", "default=yes", aria128cbc_functions },
+    { "ARIA-256-OFB", "default=yes", aria256ofb_functions },
+    { "ARIA-192-OFB", "default=yes", aria192ofb_functions },
+    { "ARIA-128-OFB", "default=yes", aria128ofb_functions },
+    { "ARIA-256-CFB", "default=yes", aria256cfb_functions },
+    { "ARIA-192-CFB", "default=yes", aria192cfb_functions },
+    { "ARIA-128-CFB", "default=yes", aria128cfb_functions },
+    { "ARIA-256-CFB1", "default=yes", aria256cfb1_functions },
+    { "ARIA-192-CFB1", "default=yes", aria192cfb1_functions },
+    { "ARIA-128-CFB1", "default=yes", aria128cfb1_functions },
+    { "ARIA-256-CFB8", "default=yes", aria256cfb8_functions },
+    { "ARIA-192-CFB8", "default=yes", aria192cfb8_functions },
+    { "ARIA-128-CFB8", "default=yes", aria128cfb8_functions },
+    { "ARIA-256-CTR", "default=yes", aria256ctr_functions },
+    { "ARIA-192-CTR", "default=yes", aria192ctr_functions },
+    { "ARIA-128-CTR", "default=yes", aria128ctr_functions },
 #endif /* OPENSSL_NO_ARIA */
+#ifndef OPENSSL_NO_CAMELLIA
+    { "CAMELLIA-256-ECB", "default=yes", camellia256ecb_functions },
+    { "CAMELLIA-192-ECB", "default=yes", camellia192ecb_functions },
+    { "CAMELLIA-128-ECB", "default=yes", camellia128ecb_functions },
+    { "CAMELLIA-256-CBC", "default=yes", camellia256cbc_functions },
+    { "CAMELLIA-192-CBC", "default=yes", camellia192cbc_functions },
+    { "CAMELLIA-128-CBC", "default=yes", camellia128cbc_functions },
+    { "CAMELLIA-256-OFB", "default=yes", camellia256ofb_functions },
+    { "CAMELLIA-192-OFB", "default=yes", camellia192ofb_functions },
+    { "CAMELLIA-128-OFB", "default=yes", camellia128ofb_functions },
+    { "CAMELLIA-256-CFB", "default=yes", camellia256cfb_functions },
+    { "CAMELLIA-192-CFB", "default=yes", camellia192cfb_functions },
+    { "CAMELLIA-128-CFB", "default=yes", camellia128cfb_functions },
+    { "CAMELLIA-256-CFB1", "default=yes", camellia256cfb1_functions },
+    { "CAMELLIA-192-CFB1", "default=yes", camellia192cfb1_functions },
+    { "CAMELLIA-128-CFB1", "default=yes", camellia128cfb1_functions },
+    { "CAMELLIA-256-CFB8", "default=yes", camellia256cfb8_functions },
+    { "CAMELLIA-192-CFB8", "default=yes", camellia192cfb8_functions },
+    { "CAMELLIA-128-CFB8", "default=yes", camellia128cfb8_functions },
+    { "CAMELLIA-256-CTR", "default=yes", camellia256ctr_functions },
+    { "CAMELLIA-192-CTR", "default=yes", camellia192ctr_functions },
+    { "CAMELLIA-128-CTR", "default=yes", camellia128ctr_functions },
+#endif /* OPENSSL_NO_CAMELLIA */
     { NULL, NULL, NULL }
 };
 
index 4bff1c2dbfb9f349c7b77c1403614702d82f8f65..bd2778e398f77b146621f8c8dbd308a045486541 100644 (file)
@@ -1550,34 +1550,40 @@ Title = Camellia tests from RFC3713
 # For all ECB encrypts and decrypts, the transformed sequence is
 #   CAMELLIA-bits-ECB:key::plaintext:ciphertext:encdec
 Cipher = CAMELLIA-128-ECB
+Availablein = default
 Key = 0123456789abcdeffedcba9876543210
 Plaintext = 0123456789abcdeffedcba9876543210
 Ciphertext = 67673138549669730857065648eabe43
 
 Cipher = CAMELLIA-192-ECB
+Availablein = default
 Key = 0123456789abcdeffedcba98765432100011223344556677
 Plaintext = 0123456789abcdeffedcba9876543210
 Ciphertext = b4993401b3e996f84ee5cee7d79b09b9
 
 Cipher = CAMELLIA-256-ECB
+Availablein = default
 Key = 0123456789abcdeffedcba987654321000112233445566778899aabbccddeeff
 Plaintext = 0123456789abcdeffedcba9876543210
 Ciphertext = 9acc237dff16d76c20ef7c919e3a7509
 
 # ECB-CAMELLIA128.Encrypt
 Cipher = CAMELLIA-128-ECB
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 Operation = ENCRYPT
 Plaintext = 00112233445566778899AABBCCDDEEFF
 Ciphertext = 77CF412067AF8270613529149919546F
 
 Cipher = CAMELLIA-192-ECB
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F1011121314151617
 Operation = ENCRYPT
 Plaintext = 00112233445566778899AABBCCDDEEFF
 Ciphertext = B22F3C36B72D31329EEE8ADDC2906C68
 
 Cipher = CAMELLIA-256-ECB
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
 Operation = ENCRYPT
 Plaintext = 00112233445566778899AABBCCDDEEFF
@@ -1586,21 +1592,25 @@ Ciphertext = 2EDF1F3418D53B88841FC8985FB1ECF2
 
 # ECB-CAMELLIA128.Encrypt and ECB-CAMELLIA128.Decrypt
 Cipher = CAMELLIA-128-ECB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = 432FC5DCD628115B7C388D770B270C96
 
 Cipher = CAMELLIA-128-ECB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 0BE1F14023782A22E8384C5ABB7FAB2B
 
 Cipher = CAMELLIA-128-ECB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = A0A1ABCD1893AB6FE0FE5B65DF5F8636
 
 Cipher = CAMELLIA-128-ECB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
 Ciphertext = E61925E0D5DFAA9BB29F815B3076E51A
@@ -1608,21 +1618,25 @@ Ciphertext = E61925E0D5DFAA9BB29F815B3076E51A
 
 # ECB-CAMELLIA192.Encrypt and ECB-CAMELLIA192.Decrypt
 Cipher = CAMELLIA-192-ECB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = CCCC6C4E138B45848514D48D0D3439D3
 
 Cipher = CAMELLIA-192-ECB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 5713C62C14B2EC0F8393B6AFD6F5785A
 
 Cipher = CAMELLIA-192-ECB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = B40ED2B60EB54D09D030CF511FEEF366
 
 Cipher = CAMELLIA-192-ECB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
 Ciphertext = 909DBD95799096748CB27357E73E1D26
@@ -1630,21 +1644,25 @@ Ciphertext = 909DBD95799096748CB27357E73E1D26
 
 # ECB-CAMELLIA256.Encrypt and ECB-CAMELLIA256.Decrypt
 Cipher = CAMELLIA-256-ECB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = BEFD219B112FA00098919CD101C9CCFA
 
 Cipher = CAMELLIA-256-ECB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = C91D3A8F1AEA08A9386CF4B66C0169EA
 
 Cipher = CAMELLIA-256-ECB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = A623D711DC5F25A51BB8A80D56397D28
 
 Cipher = CAMELLIA-256-ECB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
 Ciphertext = 7960109FB6DC42947FCFE59EA3C5EB6B
@@ -1654,24 +1672,28 @@ Ciphertext = 7960109FB6DC42947FCFE59EA3C5EB6B
 #   CAMELLIA-bits-CBC:key:IV/ciphertext':plaintext:ciphertext:encdec
 # CBC-CAMELLIA128.Encrypt and CBC-CAMELLIA128.Decrypt
 Cipher = CAMELLIA-128-CBC
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 000102030405060708090A0B0C0D0E0F
 Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = 1607CF494B36BBF00DAEB0B503C831AB
 
 Cipher = CAMELLIA-128-CBC
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 1607CF494B36BBF00DAEB0B503C831AB
 Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = A2F2CF671629EF7840C5A5DFB5074887
 
 Cipher = CAMELLIA-128-CBC
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = A2F2CF671629EF7840C5A5DFB5074887
 Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = 0F06165008CF8B8B5A63586362543E54
 
 Cipher = CAMELLIA-128-CBC
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 36A84CDAFD5F9A85ADA0F0A993D6D577
 Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
@@ -1680,24 +1702,28 @@ Ciphertext = 74C64268CDB8B8FAF5B34E8AF3732980
 
 # CBC-CAMELLIA192.Encrypt and CBC-CAMELLIA192.Decrypt
 Cipher = CAMELLIA-192-CBC
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 000102030405060708090A0B0C0D0E0F
 Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = 2A4830AB5AC4A1A2405955FD2195CF93
 
 Cipher = CAMELLIA-192-CBC
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 2A4830AB5AC4A1A2405955FD2195CF93
 Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 5D5A869BD14CE54264F892A6DD2EC3D5
 
 Cipher = CAMELLIA-192-CBC
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 5D5A869BD14CE54264F892A6DD2EC3D5
 Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = 37D359C3349836D884E310ADDF68C449
 
 Cipher = CAMELLIA-192-CBC
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 37D359C3349836D884E310ADDF68C449
 Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
@@ -1706,24 +1732,28 @@ Ciphertext = 01FAAA930B4AB9916E9668E1428C6B08
 
 # CBC-CAMELLIA256.Encrypt and CBC-CAMELLIA256.Decrypt
 Cipher = CAMELLIA-256-CBC
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 000102030405060708090A0B0C0D0E0F
 Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = E6CFA35FC02B134A4D2C0B6737AC3EDA
 
 Cipher = CAMELLIA-256-CBC
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = E6CFA35FC02B134A4D2C0B6737AC3EDA
 Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 36CBEB73BD504B4070B1B7DE2B21EB50
 
 Cipher = CAMELLIA-256-CBC
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 36CBEB73BD504B4070B1B7DE2B21EB50
 Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = E31A6055297D96CA3330CDF1B1860A83
 
 Cipher = CAMELLIA-256-CBC
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = E31A6055297D96CA3330CDF1B1860A83
 Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
@@ -1735,6 +1765,7 @@ Ciphertext = 5D563F6D1CCCF236051C0C5C1C58F28F
 #   CAMELLIA-bits-CFB:key:IV/ciphertext':plaintext:ciphertext:encdec
 # CFB128-CAMELLIA128.Encrypt
 Cipher = CAMELLIA-128-CFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = ENCRYPT
@@ -1742,6 +1773,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = 14F7646187817EB586599146B82BD719
 
 Cipher = CAMELLIA-128-CFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 14F7646187817EB586599146B82BD719
 Operation = ENCRYPT
@@ -1749,6 +1781,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = A53D28BB82DF741103EA4F921A44880B
 
 Cipher = CAMELLIA-128-CFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = A53D28BB82DF741103EA4F921A44880B
 Operation = ENCRYPT
@@ -1756,6 +1789,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = 9C2157A664626D1DEF9EA420FDE69B96
 
 Cipher = CAMELLIA-128-CFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 9C2157A664626D1DEF9EA420FDE69B96
 Operation = ENCRYPT
@@ -1765,6 +1799,7 @@ Ciphertext = 742A25F0542340C7BAEF24CA8482BB09
 
 # CFB128-CAMELLIA128.Decrypt
 Cipher = CAMELLIA-128-CFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = DECRYPT
@@ -1772,6 +1807,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = 14F7646187817EB586599146B82BD719
 
 Cipher = CAMELLIA-128-CFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 14F7646187817EB586599146B82BD719
 Operation = DECRYPT
@@ -1779,6 +1815,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = A53D28BB82DF741103EA4F921A44880B
 
 Cipher = CAMELLIA-128-CFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = A53D28BB82DF741103EA4F921A44880B
 Operation = DECRYPT
@@ -1786,6 +1823,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = 9C2157A664626D1DEF9EA420FDE69B96
 
 Cipher = CAMELLIA-128-CFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 9C2157A664626D1DEF9EA420FDE69B96
 Operation = DECRYPT
@@ -1795,6 +1833,7 @@ Ciphertext = 742A25F0542340C7BAEF24CA8482BB09
 
 # CFB128-CAMELLIA192.Encrypt
 Cipher = CAMELLIA-192-CFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = ENCRYPT
@@ -1802,6 +1841,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = C832BB9780677DAA82D9B6860DCD565E
 
 Cipher = CAMELLIA-192-CFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = C832BB9780677DAA82D9B6860DCD565E
 Operation = ENCRYPT
@@ -1809,6 +1849,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 86F8491627906D780C7A6D46EA331F98
 
 Cipher = CAMELLIA-192-CFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 86F8491627906D780C7A6D46EA331F98
 Operation = ENCRYPT
@@ -1816,6 +1857,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = 69511CCE594CF710CB98BB63D7221F01
 
 Cipher = CAMELLIA-192-CFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 69511CCE594CF710CB98BB63D7221F01
 Operation = ENCRYPT
@@ -1825,6 +1867,7 @@ Ciphertext = D5B5378A3ABED55803F25565D8907B84
 
 # CFB128-CAMELLIA192.Decrypt
 Cipher = CAMELLIA-192-CFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = DECRYPT
@@ -1832,6 +1875,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = C832BB9780677DAA82D9B6860DCD565E
 
 Cipher = CAMELLIA-192-CFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = C832BB9780677DAA82D9B6860DCD565E
 Operation = DECRYPT
@@ -1839,6 +1883,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 86F8491627906D780C7A6D46EA331F98
 
 Cipher = CAMELLIA-192-CFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 86F8491627906D780C7A6D46EA331F98
 Operation = DECRYPT
@@ -1846,6 +1891,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = 69511CCE594CF710CB98BB63D7221F01
 
 Cipher = CAMELLIA-192-CFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 69511CCE594CF710CB98BB63D7221F01
 Operation = DECRYPT
@@ -1855,6 +1901,7 @@ Ciphertext = D5B5378A3ABED55803F25565D8907B84
 
 # CFB128-CAMELLIA256.Encrypt
 Cipher = CAMELLIA-256-CFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = ENCRYPT
@@ -1862,6 +1909,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = CF6107BB0CEA7D7FB1BD31F5E7B06C93
 
 Cipher = CAMELLIA-256-CFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = CF6107BB0CEA7D7FB1BD31F5E7B06C93
 Operation = ENCRYPT
@@ -1869,6 +1917,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 89BEDB4CCDD864EA11BA4CBE849B5E2B
 
 Cipher = CAMELLIA-256-CFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 89BEDB4CCDD864EA11BA4CBE849B5E2B
 Operation = ENCRYPT
@@ -1876,6 +1925,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = 555FC3F34BDD2D54C62D9E3BF338C1C4
 
 Cipher = CAMELLIA-256-CFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 555FC3F34BDD2D54C62D9E3BF338C1C4
 Operation = ENCRYPT
@@ -1885,6 +1935,7 @@ Ciphertext = 5953ADCE14DB8C7F39F1BD39F359BFFA
 
 # CFB128-CAMELLIA256.Decrypt
 Cipher = CAMELLIA-256-CFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = DECRYPT
@@ -1892,6 +1943,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = CF6107BB0CEA7D7FB1BD31F5E7B06C93
 
 Cipher = CAMELLIA-256-CFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = CF6107BB0CEA7D7FB1BD31F5E7B06C93
 Operation = DECRYPT
@@ -1899,6 +1951,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 89BEDB4CCDD864EA11BA4CBE849B5E2B
 
 Cipher = CAMELLIA-256-CFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 89BEDB4CCDD864EA11BA4CBE849B5E2B
 Operation = DECRYPT
@@ -1906,6 +1959,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = 555FC3F34BDD2D54C62D9E3BF338C1C4
 
 Cipher = CAMELLIA-256-CFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 555FC3F34BDD2D54C62D9E3BF338C1C4
 Operation = DECRYPT
@@ -1917,6 +1971,7 @@ Ciphertext = 5953ADCE14DB8C7F39F1BD39F359BFFA
 #   CAMELLIA-bits-OFB:key:IV/output':plaintext:ciphertext:encdec
 # OFB-CAMELLIA128.Encrypt
 Cipher = CAMELLIA-128-OFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = ENCRYPT
@@ -1924,6 +1979,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = 14F7646187817EB586599146B82BD719
 
 Cipher = CAMELLIA-128-OFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 50FE67CC996D32B6DA0937E99BAFEC60
 Operation = ENCRYPT
@@ -1931,6 +1987,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 25623DB569CA51E01482649977E28D84
 
 Cipher = CAMELLIA-128-OFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = D9A4DADA0892239F6B8B3D7680E15674
 Operation = ENCRYPT
@@ -1938,6 +1995,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = C776634A60729DC657D12B9FCA801E98
 
 Cipher = CAMELLIA-128-OFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = A78819583F0308E7A6BF36B1386ABF23
 Operation = ENCRYPT
@@ -1947,6 +2005,7 @@ Ciphertext = D776379BE0E50825E681DA1A4C980E8E
 
 # OFB-CAMELLIA128.Decrypt
 Cipher = CAMELLIA-128-OFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = DECRYPT
@@ -1954,6 +2013,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = 14F7646187817EB586599146B82BD719
 
 Cipher = CAMELLIA-128-OFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = 50FE67CC996D32B6DA0937E99BAFEC60
 Operation = DECRYPT
@@ -1961,6 +2021,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 25623DB569CA51E01482649977E28D84
 
 Cipher = CAMELLIA-128-OFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = D9A4DADA0892239F6B8B3D7680E15674
 Operation = DECRYPT
@@ -1968,6 +2029,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = C776634A60729DC657D12B9FCA801E98
 
 Cipher = CAMELLIA-128-OFB
+Availablein = default
 Key = 2B7E151628AED2A6ABF7158809CF4F3C
 IV = A78819583F0308E7A6BF36B1386ABF23
 Operation = DECRYPT
@@ -1977,6 +2039,7 @@ Ciphertext = D776379BE0E50825E681DA1A4C980E8E
 
 # OFB-CAMELLIA192.Encrypt
 Cipher = CAMELLIA-192-OFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = ENCRYPT
@@ -1984,6 +2047,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = C832BB9780677DAA82D9B6860DCD565E
 
 Cipher = CAMELLIA-192-OFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = A609B38DF3B1133DDDFF2718BA09565E
 Operation = ENCRYPT
@@ -1991,6 +2055,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 8ECEB7D0350D72C7F78562AEBDF99339
 
 Cipher = CAMELLIA-192-OFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 52EF01DA52602FE0975F78AC84BF8A50
 Operation = ENCRYPT
@@ -1998,6 +2063,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = BDD62DBBB9700846C53B507F544696F0
 
 Cipher = CAMELLIA-192-OFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = BD5286AC63AABD7EB067AC54B553F71D
 Operation = ENCRYPT
@@ -2007,6 +2073,7 @@ Ciphertext = E28014E046B802F385C4C2E13EAD4A72
 
 # OFB-CAMELLIA192.Decrypt
 Cipher = CAMELLIA-192-OFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = DECRYPT
@@ -2014,6 +2081,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = C832BB9780677DAA82D9B6860DCD565E
 
 Cipher = CAMELLIA-192-OFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = A609B38DF3B1133DDDFF2718BA09565E
 Operation = DECRYPT
@@ -2021,6 +2089,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 8ECEB7D0350D72C7F78562AEBDF99339
 
 Cipher = CAMELLIA-192-OFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = 52EF01DA52602FE0975F78AC84BF8A50
 Operation = DECRYPT
@@ -2028,6 +2097,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = BDD62DBBB9700846C53B507F544696F0
 
 Cipher = CAMELLIA-192-OFB
+Availablein = default
 Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
 IV = BD5286AC63AABD7EB067AC54B553F71D
 Operation = DECRYPT
@@ -2037,6 +2107,7 @@ Ciphertext = E28014E046B802F385C4C2E13EAD4A72
 
 # OFB-CAMELLIA256.Encrypt
 Cipher = CAMELLIA-256-OFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = ENCRYPT
@@ -2044,6 +2115,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = CF6107BB0CEA7D7FB1BD31F5E7B06C93
 
 Cipher = CAMELLIA-256-OFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A
 Operation = ENCRYPT
@@ -2051,6 +2123,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 127AD97E8E3994E4820027D7BA109368
 
 Cipher = CAMELLIA-256-OFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = E1C656305ED1A7A6563805746FE03EDC
 Operation = ENCRYPT
@@ -2058,6 +2131,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = 6BFF6265A6A6B7A535BC65A80B17214E
 
 Cipher = CAMELLIA-256-OFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 41635BE625B48AFC1666DD42A09D96E7
 Operation = ENCRYPT
@@ -2067,6 +2141,7 @@ Ciphertext = 0A4A0404E26AA78A27CB271E8BF3CF20
 
 # OFB-CAMELLIA256.Decrypt
 Cipher = CAMELLIA-256-OFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 000102030405060708090A0B0C0D0E0F
 Operation = DECRYPT
@@ -2074,6 +2149,7 @@ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
 Ciphertext = CF6107BB0CEA7D7FB1BD31F5E7B06C93
 
 Cipher = CAMELLIA-256-OFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A
 Operation = DECRYPT
@@ -2081,6 +2157,7 @@ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
 Ciphertext = 127AD97E8E3994E4820027D7BA109368
 
 Cipher = CAMELLIA-256-OFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = E1C656305ED1A7A6563805746FE03EDC
 Operation = DECRYPT
@@ -2088,6 +2165,7 @@ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
 Ciphertext = 6BFF6265A6A6B7A535BC65A80B17214E
 
 Cipher = CAMELLIA-256-OFB
+Availablein = default
 Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
 IV = 41635BE625B48AFC1666DD42A09D96E7
 Operation = DECRYPT
@@ -2097,6 +2175,7 @@ Ciphertext = 0A4A0404E26AA78A27CB271E8BF3CF20
 
 # Camellia test vectors from RFC5528
 Cipher = CAMELLIA-128-CTR
+Availablein = default
 Key = AE6852F8121067CC4BF7A5765577F39E
 IV = 00000030000000000000000000000001
 Operation = ENCRYPT
@@ -2104,6 +2183,7 @@ Plaintext = 53696E676C6520626C6F636B206D7367
 Ciphertext = D09DC29A8214619A20877C76DB1F0B3F
 
 Cipher = CAMELLIA-128-CTR
+Availablein = default
 Key = 7E24067817FAE0D743D6CE1F32539163
 IV = 006CB6DBC0543B59DA48D90B00000001
 Operation = ENCRYPT
@@ -2111,6 +2191,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
 Ciphertext = DBF3C78DC08396D4DA7C907765BBCB442B8E8E0F31F0DCA72C7417E35360E048
 
 Cipher = CAMELLIA-128-CTR
+Availablein = default
 Key = 7691BE035E5020A8AC6E618529F9A0DC
 IV = 00E0017B27777F3F4A1786F000000001
 Operation = ENCRYPT
@@ -2118,6 +2199,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
 Ciphertext = B19D1FCDCB75EB882F849CE24D85CF739CE64B2B5C9D73F14F2D5D9DCE9889CDDF508696
 
 Cipher = CAMELLIA-192-CTR
+Availablein = default
 Key = 16AF5B145FC9F579C175F93E3BFB0EED863D06CCFDB78515
 IV = 0000004836733C147D6D93CB00000001
 Operation = ENCRYPT
@@ -2125,6 +2207,7 @@ Plaintext = 53696E676C6520626C6F636B206D7367
 Ciphertext = 2379399E8A8D2B2B16702FC78B9E9696
 
 Cipher = CAMELLIA-192-CTR
+Availablein = default
 Key = 7C5CB2401B3DC33C19E7340819E0F69C678C3DB8E6F6A91A
 IV = 0096B03B020C6EADC2CB500D00000001
 Operation = ENCRYPT
@@ -2132,6 +2215,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
 Ciphertext = 7DEF34F7A5D0E415674B7FFCAE67C75DD018B86FF23051E056392A99F35A4CED
 
 Cipher = CAMELLIA-192-CTR
+Availablein = default
 Key = 02BF391EE8ECB159B959617B0965279BF59B60A786D3E0FE
 IV = 0007BDFD5CBD60278DCC091200000001
 Operation = ENCRYPT
@@ -2139,6 +2223,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
 Ciphertext = 5710E556E1487A20B5AC0E73F19E4E7876F37FDC91B1EF4D4DADE8E666A64D0ED557AB57
 
 Cipher = CAMELLIA-256-CTR
+Availablein = default
 Key = 776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104
 IV = 00000060DB5672C97AA8F0B200000001
 Operation = ENCRYPT
@@ -2146,6 +2231,7 @@ Plaintext = 53696E676C6520626C6F636B206D7367
 Ciphertext = 3401F9C8247EFFCEBD6994714C1BBB11
 
 Cipher = CAMELLIA-256-CTR
+Availablein = default
 Key = F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884
 IV = 00FAAC24C1585EF15A43D87500000001
 Operation = ENCRYPT
@@ -2153,6 +2239,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
 Ciphertext = D6C30392246F7808A83C2B22A8839E45E51CD48A1CDF406EBC9CC2D3AB834108
 
 Cipher = CAMELLIA-256-CTR
+Availablein = default
 Key = FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D
 IV = 001CC5B751A51D70A1C1114800000001
 Operation = ENCRYPT
@@ -2193,121 +2280,142 @@ Ciphertext = C2B4759E78AC3CF43D0852F4E8D5F9FD7256E8A5FCB65A350EE00630912E44492A0
 Title = ARIA test vectors from RFC5794 (and others)
 
 Cipher = ARIA-128-ECB
+Availablein = default
 Key = 000102030405060708090a0b0c0d0e0f
 Plaintext = 00112233445566778899aabbccddeeff
 Ciphertext = d718fbd6ab644c739da95f3be6451778
 
 Cipher = ARIA-192-ECB
+Availablein = default
 Key = 000102030405060708090a0b0c0d0e0f1011121314151617
 Plaintext = 00112233445566778899aabbccddeeff
 Ciphertext = 26449c1805dbe7aa25a468ce263a9e79
 
 Cipher = ARIA-256-ECB
+Availablein = default
 Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
 Plaintext = 00112233445566778899aabbccddeeff
 Ciphertext = f92bd7c79fb72e2f2b8f80c1972d24fc
 
 # Additional ARIA mode vectors from http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
 Cipher = ARIA-128-ECB
+Availablein = default
 Key = 00112233445566778899aabbccddeeff
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = c6ecd08e22c30abdb215cf74e2075e6e29ccaac63448708d331b2f816c51b17d9e133d1528dbf0af5787c7f3a3f5c2bf6b6f345907a3055612ce072ff54de7d788424da6e8ccfe8172b391be499354165665ba7864917000a6eeb2ecb4a698edfc7887e7f556377614ab0a282293e6d884dbb84206cdb16ed1754e77a1f243fd086953f752cc1e46c7c794ae85537dcaec8dd721f55c93b6edfe2adea43873e8
 
 Cipher = ARIA-128-CBC
+Availablein = default
 Key = 00112233445566778899aabbccddeeff
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 49d61860b14909109cef0d22a9268134fadf9fb23151e9645fba75018bdb1538b53334634bbf7d4cd4b5377033060c155fe3948ca75de1031e1d85619e0ad61eb419a866b3c2dbfd10a4ed18b22149f75897f0b8668b0c1c542c687778835fb7cd46e45f85eaa7072437dd9fa6793d6f8d4ccefc4eb1ac641ac1bd30b18c6d64c49bca137eb21c2e04da62712ca2b4f540c57112c38791852cfac7a5d19ed83a
 
 Cipher = ARIA-128-CFB
+Availablein = default
 Key = 00112233445566778899aabbccddeeff
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 3720e53ba7d615383406b09f0a05a200c07c21e6370f413a5d132500a68285017c61b434c7b7ca9685a51071861e4d4bb873b599b479e2d573dddeafba89f812ac6a9e44d554078eb3be94839db4b33da3f59c063123a7ef6f20e10579fa4fd239100ca73b52d4fcafeadee73f139f78f9b7614c2b3b9dbe010f87db06a89a9435f79ce8121431371f4e87b984e0230c22a6dacb32fc42dcc6accef33285bf11
 
 Cipher = ARIA-128-CFB8
+Availablein = default
 Key = 00112233445566778899aabbccddeeff
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 373c8f6a965599ec785cc8f8149f6c81b632ccb8e0c6eb6a9707ae52c59257a41f94701c1096933127a90195ed0c8e98690547572423bb45c3d70e4a18ee56b967c10e000ba4df5fba7c404134a343d8375d04b151d161ef83417fe1748447d30a6723c406733df7d18aa39a20752d2381942e244811bb97f72eae446b1815aa690cd1b1adcbd007c0088ecdc91cb2e2caf0e11e72459878137eea64ac62a9a1
 
 Cipher = ARIA-128-OFB
+Availablein = default
 Key = 00112233445566778899aabbccddeeff
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 3720e53ba7d615383406b09f0a05a2000063063f0560083483faeb041c8adecef30cf80cefb002a0d280759168ec01db3d49f61aced260bd43eec0a2731730eec6fa4f2304319cf8ccac2d7be7833e4f8ae6ce967012c1c6badc5d28e7e4144f6bf5cebe01253ee202afce4bc61f28dec069a6f16f6c8a7dd2afae44148f6ff4d0029d5c607b5fa6b8c8a6301cde5c7033565cd0b8f0974ab490b236197ba04a
 
 Cipher = ARIA-128-CTR
+Availablein = default
 Key = 00112233445566778899aabbccddeeff
 IV = 00000000000000000000000000000000
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = ac5d7de805a0bf1c57c854501af60fa11497e2a34519dea1569e91e5b5ccae2ff3bfa1bf975f4571f48be191613546c3911163c085f871f0e7ae5f2a085b81851c2a3ddf20ecb8fa51901aec8ee4ba32a35dab67bb72cd9140ad188a967ac0fbbdfa94ea6cce47dcf8525ab5a814cfeb2bb60ee2b126e2d9d847c1a9e96f9019e3e6a7fe40d3829afb73db1cc245646addb62d9b907baaafbe46a73dbc131d3d
 
 Cipher = ARIA-192-ECB
+Availablein = default
 Key = 00112233445566778899aabbccddeeff0011223344556677
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 8d1470625f59ebacb0e55b534b3e462b5f23d33bff78f46c3c15911f4a21809aaccad80b4bda915aa9dae6bcebe06a6c83f77fd5391acfe61de2f646b5d447edbfd5bb49b12fbb9145b227895a757b2af1f7188734863d7b8b6ede5a5b2f06a0a233c8523d2db778fb31b0e311f32700152f33861e9d040c83b5eb40cd88ea49975709dc629365a189f78a3ec40345fc6a5a307a8f9a4413091e007eca5645a0
 
 Cipher = ARIA-192-CBC
+Availablein = default
 Key = 00112233445566778899aabbccddeeff0011223344556677
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = afe6cf23974b533c672a826264ea785f4e4f7f780dc7f3f1e0962b80902386d514e9c3e77259de92dd1102ffab086c1ea52a71260db5920a83295c25320e421147ca45d532f327b856ea947cd2196ae2e040826548b4c891b0ed0ca6e714dbc4631998d548110d666b3d54c2a091955c6f05beb4f62309368696c9791fc4c551564a2637f194346ec45fbca6c72a5b4612e208d531d6c34cc5c64eac6bd0cf8c
 
 Cipher = ARIA-192-CFB
+Availablein = default
 Key = 00112233445566778899aabbccddeeff0011223344556677
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 4171f7192bf4495494d2736129640f5c4d87a9a213664c9448477c6ecc2013598d9766952dd8c3868f17e36ef66fd84bfa45d1593d2d6ee3ea2115047d710d4fb66187caa3a315b3c8ea2d313962edcfe5a3e2028d5ba9a09fd5c65c19d3440e477f0cab0628ec6902c73ee02f1afee9f80115be7b9df82d1e28228e28581a20560e195cbb9e2b327bf56fd2d0ae5502e42c13e9b4015d4da42dc859252e7da4
 
 Cipher = ARIA-192-CFB8
+Availablein = default
 Key = 00112233445566778899aabbccddeeff0011223344556677
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 411d3b4f57f705aa4d13c46e2cf426af7c8c916ed7923d889f0047bbf11471b6d54f8757ef519339105be3cb69babb976a57d5631fc23cc3051fe9d36e8b8e27a2b2c0c4d31928ccbf30ea8239b46ba1b77f6198e7ecd2ce27b35958148e826f06aaf385bd30362ff141583e7c1d8924d44d36a1133094074631e18adafa9d2e55de98f6895c89d4266ebd33f3d4be5153a96fa12132ece2e81e66e55baa7ade
 
 Cipher = ARIA-192-OFB
+Availablein = default
 Key = 00112233445566778899aabbccddeeff0011223344556677
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 4171f7192bf4495494d2736129640f5cc224d26d364b5a06ddde13d0f1e74faa846de354c63cda77469d1a2d425c47ff41734c71b3fa1fcdc11e0b2de22bfeed54898e233df652c75ae136e61de6524e62b3f806fb2e8e616eb410a1b9500537e327ffb04f19f7f82fde2b122100261f81b82723bf936be7beaaf3067d1c036001f1ade71422268d274d7dc6c6ae1970b27a5f2c2f39c1d241fe8cac5ccd74e9
 
 Cipher = ARIA-192-CTR
+Availablein = default
 Key = 00112233445566778899aabbccddeeff0011223344556677
 IV = 00000000000000000000000000000000
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 08625ca8fe569c19ba7af3760a6ed1cef4d199263e999dde14082dbba7560b79a4c6b456b8707dce751f9854f18893dfdb3f4e5afa539733e6f1e70b98ba37891f8f81e95df8efc26c7ce043504cb18958b865e4e316cd2aa1c97f31bf23dc046ef326b95a692a191ba0f2a41c5fe9ae070f236ff7078e703b42666caafbdd20bad74ac4c20c0f46c7ca24c151716575c947da16c90cfe1bf217a41cfebe7531
 
 Cipher = ARIA-256-ECB
+Availablein = default
 Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 58a875e6044ad7fffa4f58420f7f442d8e191016f28e79aefc01e204773280d7018e5f7a938ec30711719953bae86542cd7ebc752474c1a5f6eaaace2a7e29462ee7dfa5afdb84177ead95ccd4b4bb6e1ed17b9534cff0a5fc2941429cfee2ee49c7adbeb7e9d1b0d2a8531d942079596a27ed79f5b1dd13ecd604b07a48885a3afa0627a0e4e60a3c703af292f1baa77b702f16c54aa74bc727ea95c7468b00
 
 Cipher = ARIA-256-CBC
+Availablein = default
 Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 523a8a806ae621f155fdd28dbc34e1ab7b9b42432ad8b2efb96e23b13f0a6e52f36185d50ad002c5f601bee5493f118b243ee2e313642bffc3902e7b2efd9a12fa682edd2d23c8b9c5f043c18b17c1ec4b5867918270fbec1027c19ed6af833da5d620994668ca22f599791d292dd6273b2959082aafb7a996167cce1eec5f0cfd15f610d87e2dda9ba68ce1260ca54b222491418374294e7909b1e8551cd8de
 
 Cipher = ARIA-256-CFB
+Availablein = default
 Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 26834705b0f2c0e2588d4a7f09009635f28bb93d8c31f870ec1e0bdb082b66fa402dd9c202be300c4517d196b14d4ce11dce97f7aaba54341b0d872cc9b63753a3e8556a14be6f7b3e27e3cfc39caf80f2a355aa50dc83c09c7b11828694f8e4aa726c528976b53f2c877f4991a3a8d28adb63bd751846ffb2350265e179d4990753ae8485ff9b4133ddad5875b84a90cbcfa62a045d726df71b6bda0eeca0be
 
 Cipher = ARIA-256-CFB8
+Availablein = default
 Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 26baa33651e1f66434fec88ef27fd2b9a79e246dd89a3ffa00e8bdb37155433e6c24bd0b87d9a85baa9f485ccb984f5ec24d6a3ef5e3c81396177f039cf580dfdb55d6e1c47a28921dfe369e12fd357b289ad3a5544e1c1bd616d454db9c5f91f603373f29d5b2ed1b4b51de80f28537bbd43d5e3b5dd071dc91153cbbe732dfc325821b06ed8acaae656dcf2da9f13e4f29db671476f1e644ff06d9b67d6bd4
 
 Cipher = ARIA-256-OFB
+Availablein = default
 Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
 IV = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 26834705b0f2c0e2588d4a7f0900963584c256815c4292b59f8d3f966a75b52345b4f5f98c785d3f368a8d5ff89b7f950ceab3cd63773c2621d652b8ef98b4196afb2c2b30496bc5b7d9e7f9084f9d855f63a511751c8909e7a6deadbe0a67a4fb89383ca5d209c6f66f793fc471195c476fb9c1eab2ac91e680e454b4f3ed9a67fb52f09c29b965b23cfa6f3f6bbb2a86c6cdbaa2857bf2486f543231892a52
 
 Cipher = ARIA-256-CTR
+Availablein = default
 Key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
 IV = 00000000000000000000000000000000
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd