From aab26e6f7b437f7d4bace03cd855a33d7a34d927 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 3 Apr 2019 15:34:08 +0100
Subject: [PATCH] Implement support for AES-256-ECB in the default provider

We also lay the ground work for various of other the basic AES ciphers.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
---
 crypto/evp/evp_enc.c                    |   2 +
 providers/common/build.info             |   2 +-
 providers/common/ciphers/aes.c          | 211 ++++++
 providers/common/ciphers/aes_basic.c    | 960 ++++++++++++++++++++++++
 providers/common/ciphers/block.c        | 113 +++
 providers/common/ciphers/build.info     |   4 +
 providers/common/ciphers/ciphers_locl.h |  76 ++
 providers/default/defltprov.c           |   9 +
 8 files changed, 1376 insertions(+), 1 deletion(-)
 create mode 100644 providers/common/ciphers/aes.c
 create mode 100644 providers/common/ciphers/aes_basic.c
 create mode 100644 providers/common/ciphers/block.c
 create mode 100644 providers/common/ciphers/build.info
 create mode 100644 providers/common/ciphers/ciphers_locl.h

diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 09d51731a3..7b9fae39b8 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -139,6 +139,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
 
     if (tmpcipher->prov == NULL) {
         switch(tmpcipher->nid) {
+        case NID_aes_256_ecb:
+            break;
         default:
             goto legacy;
         }
diff --git a/providers/common/build.info b/providers/common/build.info
index 5cb7e43830..2b6c16e103 100644
--- a/providers/common/build.info
+++ b/providers/common/build.info
@@ -1 +1 @@
-SUBDIRS=digests
+SUBDIRS=digests ciphers
diff --git a/providers/common/ciphers/aes.c b/providers/common/ciphers/aes.c
new file mode 100644
index 0000000000..8559d26238
--- /dev/null
+++ b/providers/common/ciphers/aes.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/core_numbers.h>
+#include <openssl/core_names.h>
+#include <openssl/evp.h>
+#include <openssl/params.h>
+#include "internal/cryptlib.h"
+#include "ciphers_locl.h"
+
+static void PROV_AES_KEY_generic_init(PROV_AES_KEY *ctx,
+                                      const unsigned char *iv,
+                                      int enc)
+{
+    if (iv != NULL)
+        memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
+    ctx->enc = enc;
+}
+
+static int aes_einit(void *vctx, const unsigned char *key,
+                           const unsigned char *iv)
+{
+    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
+
+    PROV_AES_KEY_generic_init(ctx, iv, 1);
+    if (key != NULL)
+        return ctx->ciph->init(ctx, key, ctx->keylen);
+
+    return 1;
+}
+
+static int aes_dinit(void *vctx, const unsigned char *key,
+                     const unsigned char *iv)
+{
+    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
+
+    PROV_AES_KEY_generic_init(ctx, iv, 0);
+    if (key != NULL)
+        return ctx->ciph->init(ctx, key, ctx->keylen);
+
+    return 1;
+}
+
+static int aes_update(void *vctx, unsigned char *out, size_t *outl,
+                      const unsigned char *in, size_t inl)
+{
+    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
+    size_t nextblocks = fillblock(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE, &in,
+                                  &inl);
+    size_t outlint = 0;
+
+    /*
+     * If we're decrypting and we end an update on a block boundary we hold
+     * the last block back in case this is the last update call and the last
+     * block is padded.
+     */
+    if (ctx->bufsz == AES_BLOCK_SIZE
+            && (ctx->enc || inl > 0 || !ctx->pad)) {
+        if (!ctx->ciph->cipher(ctx, out, ctx->buf, AES_BLOCK_SIZE))
+            return 0;
+        ctx->bufsz = 0;
+        outlint = AES_BLOCK_SIZE;
+        out += AES_BLOCK_SIZE;
+    }
+    if (nextblocks > 0) {
+        if (!ctx->enc && ctx->pad && nextblocks == inl) {
+            if (!ossl_assert(inl >= AES_BLOCK_SIZE))
+                return 0;
+            nextblocks -= AES_BLOCK_SIZE;
+        }
+        if (!ctx->ciph->cipher(ctx, out, in, nextblocks))
+            return 0;
+        in += nextblocks;
+        inl -= nextblocks;
+        outlint += nextblocks;
+    }
+    if (!trailingdata(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE, &in, &inl))
+        return 0;
+
+    *outl = outlint;
+    return inl == 0;
+}
+
+static int aes_final(void *vctx, unsigned char *out, size_t *outl)
+{
+    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
+
+    if (ctx->enc) {
+        if (ctx->pad) {
+            padblock(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE);
+        } else if (ctx->bufsz == 0) {
+            *outl = 0;
+            return 1;
+        } else if (ctx->bufsz != AES_BLOCK_SIZE) {
+            /* TODO(3.0): What is the correct error code here? */
+            return 0;
+        }
+
+        if (!ctx->ciph->cipher(ctx, out, ctx->buf, AES_BLOCK_SIZE))
+            return 0;
+        ctx->bufsz = 0;
+        *outl = AES_BLOCK_SIZE;
+        return 1;
+    }
+
+    /* Decrypting */
+    /* TODO(3.0): What's the correct error here */
+    if (ctx->bufsz != AES_BLOCK_SIZE) {
+        if (ctx->bufsz == 0 && !ctx->pad) {
+            *outl = 0;
+            return 1;
+        }
+        return 0;
+    }
+
+    if (!ctx->ciph->cipher(ctx, ctx->buf, ctx->buf, AES_BLOCK_SIZE))
+        return 0;
+
+    /* TODO(3.0): What is the correct error here */
+    if (ctx->pad && !unpadblock(ctx->buf, &ctx->bufsz, AES_BLOCK_SIZE))
+        return 0;
+
+    memcpy(out, ctx->buf, ctx->bufsz);
+    *outl = ctx->bufsz;
+    ctx->bufsz = 0;
+    return 1;
+}
+
+static void *aes_256_ecb_newctx(void)
+{
+    PROV_AES_KEY *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+    ctx->pad = 1;
+    ctx->keylen = 256 / 8;
+    ctx->ciph = PROV_AES_CIPHER_ecb();
+    ctx->mode = EVP_CIPH_ECB_MODE;
+    return ctx;
+}
+
+static void aes_freectx(void *vctx)
+{
+    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
+
+    OPENSSL_clear_free(ctx,  sizeof(*ctx));
+}
+
+static void *aes_dupctx(void *ctx)
+{
+    PROV_AES_KEY *in = (PROV_AES_KEY *)ctx;
+    PROV_AES_KEY *ret = OPENSSL_malloc(sizeof(*ret));
+
+    *ret = *in;
+
+    return ret;
+}
+
+static size_t key_length_256(void)
+{
+    return 256 / 8;
+}
+
+static int aes_get_params(void *vctx, const OSSL_PARAM params[])
+{
+    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
+    const OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_PADDING);
+    if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->pad))
+        return 0;
+
+    return 1;
+}
+
+static int aes_set_params(void *vctx, const OSSL_PARAM params[])
+{
+    PROV_AES_KEY *ctx = (PROV_AES_KEY *)vctx;
+    const OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_PADDING);
+    if (p != NULL) {
+        int pad;
+
+        if (!OSSL_PARAM_get_int(p, &pad))
+            return 0;
+        ctx->pad = pad ? 1 : 0;
+    }
+    return 1;
+}
+
+extern const OSSL_DISPATCH aes256ecb_functions[];
+const OSSL_DISPATCH aes256ecb_functions[] = {
+    { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))aes_256_ecb_newctx },
+    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_einit },
+    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_dinit },
+    { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_update },
+    { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_final },
+    { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_freectx },
+    { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_dupctx },
+    { OSSL_FUNC_CIPHER_KEY_LENGTH, (void (*)(void))key_length_256 },
+    { OSSL_FUNC_CIPHER_GET_PARAMS, (void (*)(void))aes_get_params },
+    { OSSL_FUNC_CIPHER_SET_PARAMS, (void (*)(void))aes_set_params },
+    { 0, NULL }
+};
diff --git a/providers/common/ciphers/aes_basic.c b/providers/common/ciphers/aes_basic.c
new file mode 100644
index 0000000000..edc6d38d42
--- /dev/null
+++ b/providers/common/ciphers/aes_basic.c
@@ -0,0 +1,960 @@
+/*
+ * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/opensslconf.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <string.h>
+#include <assert.h>
+#include <openssl/aes.h>
+#include "internal/evp_int.h"
+#include <openssl/rand.h>
+#include <openssl/cmac.h>
+#include "ciphers_locl.h"
+
+#define MAXBITCHUNK     ((size_t)1 << (sizeof(size_t) * 8 - 4))
+
+#ifdef VPAES_ASM
+int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+
+void vpaes_encrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+void vpaes_decrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+
+void vpaes_cbc_encrypt(const unsigned char *in,
+                       unsigned char *out,
+                       size_t length,
+                       const AES_KEY *key, unsigned char *ivec, int enc);
+#endif
+#ifdef BSAES_ASM
+void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t length, const AES_KEY *key,
+                       unsigned char ivec[16], int enc);
+void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+                                size_t len, const AES_KEY *key,
+                                const unsigned char ivec[16]);
+#endif
+#ifdef AES_CTR_ASM
+void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t blocks, const AES_KEY *key,
+                       const unsigned char ivec[AES_BLOCK_SIZE]);
+#endif
+
+
+#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
+# include "ppc_arch.h"
+# ifdef VPAES_ASM
+#  define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
+# endif
+# define HWAES_CAPABLE  (OPENSSL_ppccap_P & PPC_CRYPTO207)
+# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
+# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
+# define HWAES_encrypt aes_p8_encrypt
+# define HWAES_decrypt aes_p8_decrypt
+# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
+# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
+# define HWAES_xts_encrypt aes_p8_xts_encrypt
+# define HWAES_xts_decrypt aes_p8_xts_decrypt
+#endif
+
+#if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
+        ((defined(__i386)       || defined(__i386__)    || \
+          defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
+        defined(__x86_64)       || defined(__x86_64__)  || \
+        defined(_M_AMD64)       || defined(_M_X64)      )
+
+extern unsigned int OPENSSL_ia32cap_P[];
+
+# ifdef VPAES_ASM
+#  define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
+# endif
+# ifdef BSAES_ASM
+#  define BSAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
+# endif
+/*
+ * AES-NI section
+ */
+# define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
+
+int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+
+void aesni_encrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+void aesni_decrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+
+void aesni_ecb_encrypt(const unsigned char *in,
+                       unsigned char *out,
+                       size_t length, const AES_KEY *key, int enc);
+void aesni_cbc_encrypt(const unsigned char *in,
+                       unsigned char *out,
+                       size_t length,
+                       const AES_KEY *key, unsigned char *ivec, int enc);
+
+void aesni_ctr32_encrypt_blocks(const unsigned char *in,
+                                unsigned char *out,
+                                size_t blocks,
+                                const void *key, const unsigned char *ivec);
+
+static int aesni_init_key(PROV_AES_KEY *dat, const unsigned char *key,
+                          size_t keylen)
+{
+    int ret;
+
+    if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+        && !dat->enc) {
+        ret = aesni_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
+        dat->block = (block128_f) aesni_decrypt;
+        dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+            (cbc128_f) aesni_cbc_encrypt : NULL;
+    } else {
+        ret = aesni_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
+        dat->block = (block128_f) aesni_encrypt;
+        if (dat->mode == EVP_CIPH_CBC_MODE)
+            dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
+        else if (dat->mode == EVP_CIPH_CTR_MODE)
+            dat->stream.ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
+        else
+            dat->stream.cbc = NULL;
+    }
+
+    if (ret < 0) {
+        EVPerr(EVP_F_AESNI_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
+        return 0;
+    }
+
+    return 1;
+}
+
+static int aesni_cbc_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                            const unsigned char *in, size_t len)
+{
+    aesni_cbc_encrypt(in, out, len, &ctx->ks.ks, ctx->iv, ctx->enc);
+
+    return 1;
+}
+
+static int aesni_ecb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                            const unsigned char *in, size_t len)
+{
+    if (len < AES_BLOCK_SIZE)
+        return 1;
+
+    aesni_ecb_encrypt(in, out, len, &ctx->ks.ks, ctx->enc);
+
+    return 1;
+}
+
+# define aesni_ofb_cipher aes_ofb_cipher
+static int aesni_ofb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                            const unsigned char *in, size_t len);
+
+# define aesni_cfb_cipher aes_cfb_cipher
+static int aesni_cfb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                            const unsigned char *in, size_t len);
+
+# define aesni_cfb8_cipher aes_cfb8_cipher
+static int aesni_cfb8_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                             const unsigned char *in, size_t len);
+
+# define aesni_cfb1_cipher aes_cfb1_cipher
+static int aesni_cfb1_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                             const unsigned char *in, size_t len);
+
+# define aesni_ctr_cipher aes_ctr_cipher
+static int aesni_ctr_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                            const unsigned char *in, size_t len);
+
+# define BLOCK_CIPHER_generic_prov(mode) \
+static const PROV_AES_CIPHER aesni_##mode = { \
+        aesni_init_key,                 \
+        aesni_##mode##_cipher};         \
+static const PROV_AES_CIPHER aes_##mode = { \
+        aes_init_key,                   \
+        aes_##mode##_cipher}; \
+const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(void) \
+{ return AESNI_CAPABLE?&aesni_##mode:&aes_##mode; }
+
+
+#elif   defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
+
+# include "sparc_arch.h"
+
+extern unsigned int OPENSSL_sparcv9cap_P[];
+
+/*
+ * Fujitsu SPARC64 X support
+ */
+# define HWAES_CAPABLE           (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
+# define HWAES_set_encrypt_key aes_fx_set_encrypt_key
+# define HWAES_set_decrypt_key aes_fx_set_decrypt_key
+# define HWAES_encrypt aes_fx_encrypt
+# define HWAES_decrypt aes_fx_decrypt
+# define HWAES_cbc_encrypt aes_fx_cbc_encrypt
+# define HWAES_ctr32_encrypt_blocks aes_fx_ctr32_encrypt_blocks
+
+# define SPARC_AES_CAPABLE       (OPENSSL_sparcv9cap_P[1] & CFR_AES)
+
+void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
+void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
+void aes_t4_encrypt(const unsigned char *in, unsigned char *out,
+                    const AES_KEY *key);
+void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
+                    const AES_KEY *key);
+/*
+ * Key-length specific subroutines were chosen for following reason.
+ * Each SPARC T4 core can execute up to 8 threads which share core's
+ * resources. Loading as much key material to registers allows to
+ * minimize references to shared memory interface, as well as amount
+ * of instructions in inner loops [much needed on T4]. But then having
+ * non-key-length specific routines would require conditional branches
+ * either in inner loops or on subroutines' entries. Former is hardly
+ * acceptable, while latter means code size increase to size occupied
+ * by multiple key-length specific subroutines, so why fight?
+ */
+void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
+                           size_t len, const AES_KEY *key,
+                           unsigned char *ivec);
+void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+                             size_t blocks, const AES_KEY *key,
+                             unsigned char *ivec);
+void aes192_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+                             size_t blocks, const AES_KEY *key,
+                             unsigned char *ivec);
+void aes256_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+                             size_t blocks, const AES_KEY *key,
+                             unsigned char *ivec);
+
+static int aes_t4_init_key(PROV_AES_KEY *dat, const unsigned char *key,
+                           size_t keylen)
+{
+    int ret, bits;
+
+    bits = keylen * 8;
+    if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+        && !dat->enc) {
+        ret = 0;
+        aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
+        dat->block = (block128_f) aes_t4_decrypt;
+        switch (bits) {
+        case 128:
+            dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+                (cbc128_f) aes128_t4_cbc_decrypt : NULL;
+            break;
+        case 192:
+            dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+                (cbc128_f) aes192_t4_cbc_decrypt : NULL;
+            break;
+        case 256:
+            dat->stream.cbc = dat->mode == EVP_CIPH_CBC_MODE ?
+                (cbc128_f) aes256_t4_cbc_decrypt : NULL;
+            break;
+        default:
+            ret = -1;
+        }
+    } else {
+        ret = 0;
+        aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
+        dat->block = (block128_f)aes_t4_encrypt;
+        switch (bits) {
+        case 128:
+            if (dat->mode == EVP_CIPH_CBC_MODE)
+                dat->stream.cbc = (cbc128_f)aes128_t4_cbc_encrypt;
+            else if (dat->mode == EVP_CIPH_CTR_MODE)
+                dat->stream.ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
+            else
+                dat->stream.cbc = NULL;
+            break;
+        case 192:
+            if (dat->mode == EVP_CIPH_CBC_MODE)
+                dat->stream.cbc = (cbc128_f)aes192_t4_cbc_encrypt;
+            else if (dat->mode == EVP_CIPH_CTR_MODE)
+                dat->stream.ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
+            else
+                dat->stream.cbc = NULL;
+            break;
+        case 256:
+            if (dat->mode == EVP_CIPH_CBC_MODE)
+                dat->stream.cbc = (cbc128_f)aes256_t4_cbc_encrypt;
+            else if (dat->mode == EVP_CIPH_CTR_MODE)
+                dat->stream.ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
+            else
+                dat->stream.cbc = NULL;
+            break;
+        default:
+            ret = -1;
+        }
+    }
+
+    if (ret < 0) {
+        EVPerr(EVP_F_AES_T4_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
+        return 0;
+    }
+
+    return 1;
+}
+
+# define aes_t4_cbc_cipher aes_cbc_cipher
+static int aes_t4_cbc_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                             const unsigned char *in, size_t len);
+
+# define aes_t4_ecb_cipher aes_ecb_cipher
+static int aes_t4_ecb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                             const unsigned char *in, size_t len);
+
+# define aes_t4_ofb_cipher aes_ofb_cipher
+static int aes_t4_ofb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                             const unsigned char *in, size_t len);
+
+# define aes_t4_cfb_cipher aes_cfb_cipher
+static int aes_t4_cfb_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                             const unsigned char *in, size_t len);
+
+# define aes_t4_cfb8_cipher aes_cfb8_cipher
+static int aes_t4_cfb8_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                              const unsigned char *in, size_t len);
+
+# define aes_t4_cfb1_cipher aes_cfb1_cipher
+static int aes_t4_cfb1_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                              const unsigned char *in, size_t len);
+
+# define aes_t4_ctr_cipher aes_ctr_cipher
+static int aes_t4_ctr_cipher(PROV_AES_KEY *ctx, unsigned char *out,
+                             const unsigned char *in, size_t len);
+
+# define BLOCK_CIPHER_generic_prov(mode) \
+static const PROV_AES_CIPHER aes_t4_##mode = { \
+        aes_t4_init_key,                 \
+        aes_t4_##mode##_cipher};         \
+static const PROV_AES_CIPHER aes_##mode = { \
+        aes_init_key,                   \
+        aes_##mode##_cipher}; \
+const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(void) \
+{ return SPARC_AES_CAPABLE?&aes_t4_##mode:&aes_##mode; }
+
+
+#elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+/*
+ * IBM S390X support
+ */
+# include "s390x_arch.h"
+
+typedef struct {
+    union {
+        double align;
+        /*-
+         * KM-AES parameter block - begin
+         * (see z/Architecture Principles of Operation >= SA22-7832-06)
+         */
+        struct {
+            unsigned char k[32];
+        } param;
+        /* KM-AES parameter block - end */
+    } km;
+    unsigned int fc;
+} S390X_AES_ECB_CTX;
+
+typedef struct {
+    union {
+        double align;
+        /*-
+         * KMO-AES parameter block - begin
+         * (see z/Architecture Principles of Operation >= SA22-7832-08)
+         */
+        struct {
+            unsigned char cv[16];
+            unsigned char k[32];
+        } param;
+        /* KMO-AES parameter block - end */
+    } kmo;
+    unsigned int fc;
+
+    int res;
+} S390X_AES_OFB_CTX;
+
+typedef struct {
+    union {
+        double align;
+        /*-
+         * KMF-AES parameter block - begin
+         * (see z/Architecture Principles of Operation >= SA22-7832-08)
+         */
+        struct {
+            unsigned char cv[16];
+            unsigned char k[32];
+        } param;
+        /* KMF-AES parameter block - end */
+    } kmf;
+    unsigned int fc;
+
+    int res;
+} S390X_AES_CFB_CTX;
+
+/* Convert key size to function code: [16,24,32] -> [18,19,20]. */
+# define S390X_AES_FC(keylen)  (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
+
+/* Most modes of operation need km for partial block processing. */
+# define S390X_aes_128_CAPABLE (OPENSSL_s390xcap_P.km[0] &	\
+                                S390X_CAPBIT(S390X_AES_128))
+# define S390X_aes_192_CAPABLE (OPENSSL_s390xcap_P.km[0] &	\
+                                S390X_CAPBIT(S390X_AES_192))
+# define S390X_aes_256_CAPABLE (OPENSSL_s390xcap_P.km[0] &	\
+                                S390X_CAPBIT(S390X_AES_256))
+
+# define s390x_aes_init_key aes_init_key
+static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                              const unsigned char *iv, int enc);
+
+# define S390X_aes_128_cbc_CAPABLE	1	/* checked by callee */
+# define S390X_aes_192_cbc_CAPABLE	1
+# define S390X_aes_256_cbc_CAPABLE	1
+# define S390X_AES_CBC_CTX		PROV_AES_KEY
+
+# define s390x_aes_cbc_init_key aes_init_key
+
+# define s390x_aes_cbc_cipher aes_cbc_cipher
+static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                const unsigned char *in, size_t len);
+
+# define S390X_aes_128_ecb_CAPABLE	S390X_aes_128_CAPABLE
+# define S390X_aes_192_ecb_CAPABLE	S390X_aes_192_CAPABLE
+# define S390X_aes_256_ecb_CAPABLE	S390X_aes_256_CAPABLE
+
+static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx,
+                                  const unsigned char *key,
+                                  const unsigned char *iv, int enc)
+{
+    S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
+    const int keylen = EVP_CIPHER_CTX_key_length(ctx);
+
+    cctx->fc = S390X_AES_FC(keylen);
+    if (!enc)
+        cctx->fc |= S390X_DECRYPT;
+
+    memcpy(cctx->km.param.k, key, keylen);
+    return 1;
+}
+
+static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                const unsigned char *in, size_t len)
+{
+    S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
+
+    s390x_km(in, len, out, cctx->fc, &cctx->km.param);
+    return 1;
+}
+
+# define S390X_aes_128_ofb_CAPABLE (S390X_aes_128_CAPABLE &&		\
+                                    (OPENSSL_s390xcap_P.kmo[0] &	\
+                                     S390X_CAPBIT(S390X_AES_128)))
+# define S390X_aes_192_ofb_CAPABLE (S390X_aes_192_CAPABLE &&		\
+                                    (OPENSSL_s390xcap_P.kmo[0] &	\
+                                     S390X_CAPBIT(S390X_AES_192)))
+# define S390X_aes_256_ofb_CAPABLE (S390X_aes_256_CAPABLE &&		\
+                                    (OPENSSL_s390xcap_P.kmo[0] &	\
+                                     S390X_CAPBIT(S390X_AES_256)))
+
+static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx,
+                                  const unsigned char *key,
+                                  const unsigned char *ivec, int enc)
+{
+    S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
+    const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
+    const int keylen = EVP_CIPHER_CTX_key_length(ctx);
+    const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
+
+    memcpy(cctx->kmo.param.cv, iv, ivlen);
+    memcpy(cctx->kmo.param.k, key, keylen);
+    cctx->fc = S390X_AES_FC(keylen);
+    cctx->res = 0;
+    return 1;
+}
+
+static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                const unsigned char *in, size_t len)
+{
+    S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
+    int n = cctx->res;
+    int rem;
+
+    while (n && len) {
+        *out = *in ^ cctx->kmo.param.cv[n];
+        n = (n + 1) & 0xf;
+        --len;
+        ++in;
+        ++out;
+    }
+
+    rem = len & 0xf;
+
+    len &= ~(size_t)0xf;
+    if (len) {
+        s390x_kmo(in, len, out, cctx->fc, &cctx->kmo.param);
+
+        out += len;
+        in += len;
+    }
+
+    if (rem) {
+        s390x_km(cctx->kmo.param.cv, 16, cctx->kmo.param.cv, cctx->fc,
+                 cctx->kmo.param.k);
+
+        while (rem--) {
+            out[n] = in[n] ^ cctx->kmo.param.cv[n];
+            ++n;
+        }
+    }
+
+    cctx->res = n;
+    return 1;
+}
+
+# define S390X_aes_128_cfb_CAPABLE (S390X_aes_128_CAPABLE &&		\
+                                    (OPENSSL_s390xcap_P.kmf[0] &	\
+                                     S390X_CAPBIT(S390X_AES_128)))
+# define S390X_aes_192_cfb_CAPABLE (S390X_aes_192_CAPABLE &&		\
+                                    (OPENSSL_s390xcap_P.kmf[0] &	\
+                                     S390X_CAPBIT(S390X_AES_192)))
+# define S390X_aes_256_cfb_CAPABLE (S390X_aes_256_CAPABLE &&		\
+                                    (OPENSSL_s390xcap_P.kmf[0] &	\
+                                     S390X_CAPBIT(S390X_AES_256)))
+
+static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx,
+                                  const unsigned char *key,
+                                  const unsigned char *ivec, int enc)
+{
+    S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
+    const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
+    const int keylen = EVP_CIPHER_CTX_key_length(ctx);
+    const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
+
+    cctx->fc = S390X_AES_FC(keylen);
+    cctx->fc |= 16 << 24;   /* 16 bytes cipher feedback */
+    if (!enc)
+        cctx->fc |= S390X_DECRYPT;
+
+    cctx->res = 0;
+    memcpy(cctx->kmf.param.cv, iv, ivlen);
+    memcpy(cctx->kmf.param.k, key, keylen);
+    return 1;
+}
+
+static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                const unsigned char *in, size_t len)
+{
+    S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
+    const int keylen = EVP_CIPHER_CTX_key_length(ctx);
+    const int enc = EVP_CIPHER_CTX_encrypting(ctx);
+    int n = cctx->res;
+    int rem;
+    unsigned char tmp;
+
+    while (n && len) {
+        tmp = *in;
+        *out = cctx->kmf.param.cv[n] ^ tmp;
+        cctx->kmf.param.cv[n] = enc ? *out : tmp;
+        n = (n + 1) & 0xf;
+        --len;
+        ++in;
+        ++out;
+    }
+
+    rem = len & 0xf;
+
+    len &= ~(size_t)0xf;
+    if (len) {
+        s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
+
+        out += len;
+        in += len;
+    }
+
+    if (rem) {
+        s390x_km(cctx->kmf.param.cv, 16, cctx->kmf.param.cv,
+                 S390X_AES_FC(keylen), cctx->kmf.param.k);
+
+        while (rem--) {
+            tmp = in[n];
+            out[n] = cctx->kmf.param.cv[n] ^ tmp;
+            cctx->kmf.param.cv[n] = enc ? out[n] : tmp;
+            ++n;
+        }
+    }
+
+    cctx->res = n;
+    return 1;
+}
+
+# define S390X_aes_128_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] &	\
+                                     S390X_CAPBIT(S390X_AES_128))
+# define S390X_aes_192_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] &	\
+                                     S390X_CAPBIT(S390X_AES_192))
+# define S390X_aes_256_cfb8_CAPABLE (OPENSSL_s390xcap_P.kmf[0] &	\
+                                     S390X_CAPBIT(S390X_AES_256))
+
+static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX *ctx,
+                                   const unsigned char *key,
+                                   const unsigned char *ivec, int enc)
+{
+    S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
+    const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
+    const int keylen = EVP_CIPHER_CTX_key_length(ctx);
+    const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
+
+    cctx->fc = S390X_AES_FC(keylen);
+    cctx->fc |= 1 << 24;   /* 1 byte cipher feedback */
+    if (!enc)
+        cctx->fc |= S390X_DECRYPT;
+
+    memcpy(cctx->kmf.param.cv, iv, ivlen);
+    memcpy(cctx->kmf.param.k, key, keylen);
+    return 1;
+}
+
+static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                 const unsigned char *in, size_t len)
+{
+    S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
+
+    s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param);
+    return 1;
+}
+
+# define S390X_aes_128_cfb1_CAPABLE	0
+# define S390X_aes_192_cfb1_CAPABLE	0
+# define S390X_aes_256_cfb1_CAPABLE	0
+
+# define s390x_aes_cfb1_init_key aes_init_key
+
+# define s390x_aes_cfb1_cipher aes_cfb1_cipher
+static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                 const unsigned char *in, size_t len);
+
+# define S390X_aes_128_ctr_CAPABLE	1	/* checked by callee */
+# define S390X_aes_192_ctr_CAPABLE	1
+# define S390X_aes_256_ctr_CAPABLE	1
+# define S390X_AES_CTR_CTX		PROV_AES_KEY
+
+# define s390x_aes_ctr_init_key aes_init_key
+
+# define s390x_aes_ctr_cipher aes_ctr_cipher
+static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                const unsigned char *in, size_t len);
+
+
+# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,	\
+                              MODE,flags)				\
+static const EVP_CIPHER s390x_aes_##keylen##_##mode = {			\
+    nid##_##keylen##_##nmode,blocksize,					\
+    keylen / 8,								\
+    ivlen,								\
+    flags | EVP_CIPH_##MODE##_MODE,					\
+    s390x_aes_##mode##_init_key,					\
+    s390x_aes_##mode##_cipher,						\
+    NULL,								\
+    sizeof(S390X_AES_##MODE##_CTX),					\
+    NULL,								\
+    NULL,								\
+    NULL,								\
+    NULL								\
+};									\
+static const EVP_CIPHER aes_##keylen##_##mode = {			\
+    nid##_##keylen##_##nmode,						\
+    blocksize,								\
+    keylen / 8,								\
+    ivlen,								\
+    flags | EVP_CIPH_##MODE##_MODE,					\
+    aes_init_key,							\
+    aes_##mode##_cipher,						\
+    NULL,								\
+    sizeof(PROV_AES_KEY),						\
+    NULL,								\
+    NULL,								\
+    NULL,								\
+    NULL								\
+};									\
+const EVP_CIPHER *EVP_aes_##keylen##_##mode(void)			\
+{									\
+    return S390X_aes_##keylen##_##mode##_CAPABLE ?			\
+           &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode;	\
+}
+
+#else
+
+# define BLOCK_CIPHER_generic_prov(mode) \
+static const PROV_AES_CIPHER aes_##mode = { \
+        aes_init_key,                   \
+        aes_##mode##_cipher}; \
+const PROV_AES_CIPHER *PROV_AES_CIPHER_##mode(void) \
+{ return &aes_##mode; }
+
+#endif
+
+#if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
+# include "arm_arch.h"
+# if __ARM_MAX_ARCH__>=7
+#  if defined(BSAES_ASM)
+#   define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
+#  endif
+#  if defined(VPAES_ASM)
+#   define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
+#  endif
+#  define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
+#  define HWAES_set_encrypt_key aes_v8_set_encrypt_key
+#  define HWAES_set_decrypt_key aes_v8_set_decrypt_key
+#  define HWAES_encrypt aes_v8_encrypt
+#  define HWAES_decrypt aes_v8_decrypt
+#  define HWAES_cbc_encrypt aes_v8_cbc_encrypt
+#  define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
+# endif
+#endif
+
+#if defined(HWAES_CAPABLE)
+int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                          AES_KEY *key);
+int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                          AES_KEY *key);
+void HWAES_encrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+void HWAES_decrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t length, const AES_KEY *key,
+                       unsigned char *ivec, const int enc);
+void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+                                size_t len, const AES_KEY *key,
+                                const unsigned char ivec[16]);
+#endif
+
+static int aes_init_key(PROV_AES_KEY *dat, const unsigned char *key,
+                        size_t keylen)
+{
+    int ret;
+
+    if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+        && !dat->enc) {
+#ifdef HWAES_CAPABLE
+        if (HWAES_CAPABLE) {
+            ret = HWAES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
+            dat->block = (block128_f)HWAES_decrypt;
+            dat->stream.cbc = NULL;
+# ifdef HWAES_cbc_encrypt
+            if (dat->mode == EVP_CIPH_CBC_MODE)
+                dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
+# endif
+        } else
+#endif
+#ifdef BSAES_CAPABLE
+        if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CBC_MODE) {
+            ret = AES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
+            dat->block = (block128_f)AES_decrypt;
+            dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
+        } else
+#endif
+#ifdef VPAES_CAPABLE
+        if (VPAES_CAPABLE) {
+            ret = vpaes_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
+            dat->block = (block128_f)vpaes_decrypt;
+            dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+                              ?(cbc128_f)vpaes_cbc_encrypt : NULL;
+        } else
+#endif
+        {
+            ret = AES_set_decrypt_key(key, keylen * 8, &dat->ks.ks);
+            dat->block = (block128_f)AES_decrypt;
+            dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+                              ? (cbc128_f)AES_cbc_encrypt : NULL;
+        }
+    } else
+#ifdef HWAES_CAPABLE
+    if (HWAES_CAPABLE) {
+        ret = HWAES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
+        dat->block = (block128_f)HWAES_encrypt;
+        dat->stream.cbc = NULL;
+# ifdef HWAES_cbc_encrypt
+        if (dat->mode == EVP_CIPH_CBC_MODE)
+            dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
+        else
+# endif
+# ifdef HWAES_ctr32_encrypt_blocks
+        if (dat->mode == EVP_CIPH_CTR_MODE)
+            dat->stream.ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks;
+        else
+# endif
+            (void)0;            /* terminate potentially open 'else' */
+    } else
+#endif
+#ifdef BSAES_CAPABLE
+    if (BSAES_CAPABLE && dat->mode == EVP_CIPH_CTR_MODE) {
+        ret = AES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
+        dat->block = (block128_f)AES_encrypt;
+        dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
+    } else
+#endif
+#ifdef VPAES_CAPABLE
+    if (VPAES_CAPABLE) {
+        ret = vpaes_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
+        dat->block = (block128_f)vpaes_encrypt;
+        dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+                          ? (cbc128_f)vpaes_cbc_encrypt : NULL;
+    } else
+#endif
+    {
+        ret = AES_set_encrypt_key(key, keylen * 8, &dat->ks.ks);
+        dat->block = (block128_f)AES_encrypt;
+        dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+                          ? (cbc128_f)AES_cbc_encrypt : NULL;
+#ifdef AES_CTR_ASM
+        if (dat->mode == EVP_CIPH_CTR_MODE)
+            dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
+#endif
+    }
+
+    if (ret < 0) {
+        EVPerr(EVP_F_AES_INIT_KEY, EVP_R_AES_KEY_SETUP_FAILED);
+        return 0;
+    }
+
+    return 1;
+}
+
+static int aes_cbc_cipher(PROV_AES_KEY *dat, unsigned char *out,
+                          const unsigned char *in, size_t len)
+{
+    if (dat->stream.cbc)
+        (*dat->stream.cbc) (in, out, len, &dat->ks, dat->iv, dat->enc);
+    else if (dat->enc)
+        CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, dat->iv, dat->block);
+    else
+        CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, dat->iv, dat->block);
+
+    return 1;
+}
+
+static int aes_ecb_cipher(PROV_AES_KEY *dat, unsigned char *out,
+                          const unsigned char *in, size_t len)
+{
+    size_t i;
+
+    if (len < AES_BLOCK_SIZE)
+        return 1;
+
+    for (i = 0, len -= AES_BLOCK_SIZE; i <= len; i += AES_BLOCK_SIZE)
+        (*dat->block) (in + i, out + i, &dat->ks);
+
+    return 1;
+}
+
+static int aes_ofb_cipher(PROV_AES_KEY *dat, unsigned char *out,
+                          const unsigned char *in, size_t len)
+{
+    int num = dat->num;
+    CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->block);
+    dat->num = num;
+
+    return 1;
+}
+
+static int aes_cfb_cipher(PROV_AES_KEY *dat, unsigned char *out,
+                          const unsigned char *in, size_t len)
+{
+    int num = dat->num;
+    CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->enc,
+                          dat->block);
+    dat->num = num;
+
+    return 1;
+}
+
+static int aes_cfb8_cipher(PROV_AES_KEY *dat, unsigned char *out,
+                           const unsigned char *in, size_t len)
+{
+    int num = dat->num;
+    CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, dat->iv, &num, dat->enc,
+                            dat->block);
+    dat->num = num;
+
+    return 1;
+}
+
+static int aes_cfb1_cipher(PROV_AES_KEY *dat, unsigned char *out,
+                           const unsigned char *in, size_t len)
+{
+    int num = dat->num;
+
+    if ((dat->flags & EVP_CIPH_FLAG_LENGTH_BITS) != 0) {
+        CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, dat->iv, &num,
+                                dat->enc, dat->block);
+        dat->num = num;
+        return 1;
+    }
+
+    while (len >= MAXBITCHUNK) {
+        CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
+                                dat->iv, &num, dat->enc, dat->block);
+        len -= MAXBITCHUNK;
+        out += MAXBITCHUNK;
+        in  += MAXBITCHUNK;
+    }
+    if (len)
+        CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks, dat->iv, &num,
+                                dat->enc, dat->block);
+
+    dat->num = num;
+
+    return 1;
+}
+
+static int aes_ctr_cipher(PROV_AES_KEY *dat, unsigned char *out,
+                          const unsigned char *in, size_t len)
+{
+    unsigned int num = dat->num;
+
+    if (dat->stream.ctr)
+        CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, dat->iv, dat->buf,
+                                    &num, dat->stream.ctr);
+    else
+        CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, dat->iv, dat->buf,
+                              &num, dat->block);
+    dat->num = num;
+
+    return 1;
+}
+
+BLOCK_CIPHER_generic_prov(cbc)
+BLOCK_CIPHER_generic_prov(ecb)
+BLOCK_CIPHER_generic_prov(ofb)
+BLOCK_CIPHER_generic_prov(cfb)
+BLOCK_CIPHER_generic_prov(cfb1)
+BLOCK_CIPHER_generic_prov(cfb8)
+BLOCK_CIPHER_generic_prov(ctr)
+
diff --git a/providers/common/ciphers/block.c b/providers/common/ciphers/block.c
new file mode 100644
index 0000000000..fc15c5e55a
--- /dev/null
+++ b/providers/common/ciphers/block.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include "ciphers_locl.h"
+#include <assert.h>
+
+/*
+ * Fills a single block of buffered data from the input, and returns the amount
+ * of data remaining in the input that is a multiple of the blocksize. The buffer
+ * is only filled if it already has some data in it, isn't full already or we
+ * don't have at least one block in the input.
+ *
+ * buf: a buffer of blocksize bytes
+ * buflen: contains the amount of data already in buf on entry. Updated with the
+ *         amount of data in buf at the end. On entry *buflen must always be
+ *         less than the blocksize
+ * blocksize: size of a block. Must be greater than 0 and a power of 2
+ * in: pointer to a pointer containing the input data
+ * inlen: amount of input data available
+ *
+ * On return buf is filled with as much data as possible up to a full block,
+ * *buflen is updated containing the amount of data in buf. *in is updated to
+ * the new location where input data should be read from, *inlen is updated with
+ * the remaining amount of data in *in. Returns the largest value <= *inlen
+ * which is a multiple of the blocksize.
+ */
+size_t fillblock(unsigned char *buf, size_t *buflen, size_t blocksize,
+                 const unsigned char **in, size_t *inlen)
+{
+    size_t blockmask = ~(blocksize - 1);
+
+    assert(*buflen <= blocksize);
+    assert(blocksize > 0 && (blocksize & (blocksize - 1)) == 0);
+
+    if (*buflen != blocksize && (*buflen != 0 || *inlen < blocksize)) {
+        size_t bufremain = blocksize - *buflen;
+
+        if (*inlen < bufremain)
+            bufremain = *inlen;
+        memcpy(buf + *buflen, *in, bufremain);
+        *in += bufremain;
+        *inlen -= bufremain;
+        *buflen += bufremain;
+    }
+
+    return *inlen & blockmask;
+}
+
+/*
+ * Fills the buffer with trailing data from an encryption/decryption that didn't
+ * fit into a full block.
+ */
+int trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
+                 const unsigned char **in, size_t *inlen)
+{
+    if (*inlen == 0)
+        return 1;
+
+    if (*buflen + *inlen > blocksize)
+        return 0;
+
+    memcpy(buf + *buflen, *in, *inlen);
+    *buflen += *inlen;
+    *inlen = 0;
+
+    return 1;
+}
+
+/* Pad the final block for encryption */
+void padblock(unsigned char *buf, size_t *buflen, size_t blocksize)
+{
+    size_t i;
+    unsigned char pad = (unsigned char)(blocksize - *buflen);
+
+    for (i = *buflen; i < blocksize; i++)
+        buf[i] = pad;
+}
+
+int unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize)
+{
+    size_t pad, i;
+    size_t len = *buflen;
+
+    if(len != blocksize)
+        return 0;
+
+    /*
+     * The following assumes that the ciphertext has been authenticated.
+     * Otherwise it provides a padding oracle.
+     */
+    pad = buf[blocksize - 1];
+    if (pad == 0 || pad > blocksize) {
+        EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
+        return 0;
+    }
+    for (i = 0; i < pad; i++) {
+        if (buf[--len] != pad) {
+            EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
+            return 0;
+        }
+    }
+    *buflen = len;
+    return 1;
+}
diff --git a/providers/common/ciphers/build.info b/providers/common/ciphers/build.info
new file mode 100644
index 0000000000..f4ff2ce875
--- /dev/null
+++ b/providers/common/ciphers/build.info
@@ -0,0 +1,4 @@
+LIBS=../../../libcrypto
+SOURCE[../../../libcrypto]=\
+        block.c aes.c aes_basic.c
+INCLUDE[../../../libcrypto]=. ../../../crypto
diff --git a/providers/common/ciphers/ciphers_locl.h b/providers/common/ciphers/ciphers_locl.h
new file mode 100644
index 0000000000..3799b714d0
--- /dev/null
+++ b/providers/common/ciphers/ciphers_locl.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/aes.h>
+#include <openssl/modes.h>
+
+typedef struct prov_aes_cipher_st PROV_AES_CIPHER;
+
+typedef struct prov_aes_key_st {
+    union {
+        double align;
+        AES_KEY ks;
+    } ks;
+    block128_f block;
+    union {
+        cbc128_f cbc;
+        ctr128_f ctr;
+    } stream;
+
+    /* The cipher functions we are going to use */
+    const PROV_AES_CIPHER *ciph;
+
+    /* The mode that we are using */
+    int mode;
+
+    /* Set to 1 if we are encrypting or 0 otherwise */
+    int enc;
+
+    unsigned char iv[AES_BLOCK_SIZE];
+
+    /*
+     * num contains the number of bytes of |iv| which are valid for modes that
+     * manage partial blocks themselves.
+     */
+    size_t num;
+
+    /* Buffer of partial blocks processed via update calls */
+    unsigned char buf[AES_BLOCK_SIZE];
+
+    /* Number of bytes in buf */
+    size_t bufsz;
+
+    uint64_t flags;
+
+    size_t keylen;
+
+    /* Whether padding should be used or not */
+    unsigned int pad : 1;
+} PROV_AES_KEY;
+
+struct prov_aes_cipher_st {
+  int (*init)(PROV_AES_KEY *dat, const uint8_t *key, size_t keylen);
+  int (*cipher)(PROV_AES_KEY *dat, uint8_t *out, const uint8_t *in,
+                size_t inl);
+};
+
+const PROV_AES_CIPHER *PROV_AES_CIPHER_ecb(void);
+const PROV_AES_CIPHER *PROV_AES_CIPHER_cbc(void);
+const PROV_AES_CIPHER *PROV_AES_CIPHER_ofb(void);
+const PROV_AES_CIPHER *PROV_AES_CIPHER_cfb(void);
+const PROV_AES_CIPHER *PROV_AES_CIPHER_cfb1(void);
+const PROV_AES_CIPHER *PROV_AES_CIPHER_cfb8(void);
+const PROV_AES_CIPHER *PROV_AES_CIPHER_ctr(void);
+
+size_t fillblock(unsigned char *buf, size_t *buflen, size_t blocksize,
+                 const unsigned char **in, size_t *inlen);
+int trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
+                 const unsigned char **in, size_t *inlen);
+void padblock(unsigned char *buf, size_t *buflen, size_t blocksize);
+int unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize);
diff --git a/providers/default/defltprov.c b/providers/default/defltprov.c
index 9b52429b50..dcc70800db 100644
--- a/providers/default/defltprov.c
+++ b/providers/default/defltprov.c
@@ -56,6 +56,13 @@ static const OSSL_ALGORITHM deflt_digests[] = {
     { NULL, NULL, NULL }
 };
 
+extern const OSSL_DISPATCH aes256ecb_functions[];
+
+static const OSSL_ALGORITHM deflt_ciphers[] = {
+    { "AES-256-ECB", "default=yes", aes256ecb_functions },
+    { NULL, NULL, NULL }
+};
+
 static const OSSL_ALGORITHM *deflt_query(OSSL_PROVIDER *prov,
                                          int operation_id,
                                          int *no_cache)
@@ -64,6 +71,8 @@ static const OSSL_ALGORITHM *deflt_query(OSSL_PROVIDER *prov,
     switch (operation_id) {
     case OSSL_OP_DIGEST:
         return deflt_digests;
+    case OSSL_OP_CIPHER:
+        return deflt_ciphers;
     }
     return NULL;
 }
-- 
2.39.2