diff -burN android-openssl-lhash2/openssl.config android-openssl/openssl.config
--- android-openssl-lhash2/openssl.config 2013-11-05 14:38:31.187575574 -0500
+++ android-openssl/openssl.config 2013-11-05 15:03:54.661551145 -0500
@@ -432,6 +432,7 @@
crypto/buffer/buf_err.c \
crypto/buffer/buf_str.c \
crypto/buffer/buffer.c \
+crypto/chacha/chacha_enc.c \
crypto/cmac/cm_ameth.c \
crypto/cmac/cm_pmeth.c \
crypto/cmac/cmac.c \
@@ -565,6 +566,7 @@
crypto/evp/e_aes.c \
crypto/evp/e_aes_cbc_hmac_sha1.c \
crypto/evp/e_bf.c \
+crypto/evp/e_chacha20poly1305.c \
crypto/evp/e_des.c \
crypto/evp/e_des3.c \
crypto/evp/e_null.c \
@@ -576,6 +578,7 @@
crypto/evp/e_xcbc_d.c \
crypto/evp/encode.c \
crypto/evp/evp_acnf.c \
+crypto/evp/evp_aead.c \
crypto/evp/evp_cnf.c \
crypto/evp/evp_enc.c \
crypto/evp/evp_err.c \
@@ -674,6 +677,7 @@
crypto/pkcs7/pk7_smime.c \
crypto/pkcs7/pkcs7err.c \
crypto/pqueue/pqueue.c \
+crypto/poly1305/poly1305.c \
crypto/rand/md_rand.c \
crypto/rand/rand_egd.c \
crypto/rand/rand_err.c \
@@ -789,7 +793,10 @@
crypto/aes/asm/aes-armv4.S \
crypto/bn/asm/armv4-gf2m.S \
crypto/bn/asm/armv4-mont.S \
+crypto/chacha/chacha_vec_arm.S \
crypto/modes/asm/ghash-armv4.S \
+crypto/poly1305/poly1305_arm.c \
+crypto/poly1305/poly1305_arm_asm.S \
crypto/sha/asm/sha1-armv4-large.S \
crypto/sha/asm/sha256-armv4.S \
crypto/sha/asm/sha512-armv4.S \
@@ -852,6 +863,7 @@
crypto/bn/asm/x86_64-gf2m.S \
crypto/bn/asm/x86_64-mont.S \
crypto/bn/asm/x86_64-mont5.S \
+crypto/chacha/chacha_vec.c \
crypto/md5/asm/md5-x86_64.S \
crypto/modes/asm/ghash-x86_64.S \
crypto/rc4/asm/rc4-md5-x86_64.S \
@@ -859,6 +871,7 @@
crypto/sha/asm/sha1-x86_64.S \
crypto/sha/asm/sha256-x86_64.S \
crypto/sha/asm/sha512-x86_64.S \
+crypto/poly1305/poly1305_vec.c \
crypto/x86_64cpuid.S \
"
@@ -866,7 +879,9 @@
crypto/aes/aes_cbc.c \
crypto/aes/aes_core.c \
crypto/bn/bn_asm.c \
+crypto/chacha/chacha_enc.c \
crypto/mem_clr.c \
+crypto/poly1305/poly1305.c \
crypto/rc4/rc4_enc.c \
crypto/rc4/rc4_skey.c \
"
@@ -998,6 +1013,12 @@
x509_hash_name_algorithm_change.patch \
reduce_client_hello_size.patch \
fix_lhash_iteration.patch \
+tls1_change_cipher_state_rewrite.patch \
+aead_support.patch \
+aead_ssl_support.patch \
+use_aead_for_aes_gcm.patch \
+chacha20poly1305.patch \
+neon_runtime.patch \
"
OPENSSL_PATCHES_progs_SOURCES="\
diff -burN android-openssl-lhash2/patches/aead_ssl_support.patch android-openssl/patches/aead_ssl_support.patch
--- android-openssl-lhash2/patches/aead_ssl_support.patch 1969-12-31 19:00:00.000000000 -0500
+++ android-openssl/patches/aead_ssl_support.patch 2013-11-05 14:14:34.631283497 -0500
@@ -0,0 +1,690 @@
+From dc8386dbb390f4b867019873cd072a5fe01ba4e9 Mon Sep 17 00:00:00 2001
+From: Adam Langley <agl@chromium.org>
+Date: Thu, 25 Jul 2013 17:35:23 -0400
+Subject: [PATCH 41/50] aead_ssl_support.
+
+This change allows AEADs to be used in ssl/ to implement SSL/TLS
+ciphersuites.
+---
+ ssl/s2_clnt.c | 2 +-
+ ssl/s2_enc.c | 2 +-
+ ssl/s2_srvr.c | 2 +-
+ ssl/s3_enc.c | 8 +-
+ ssl/s3_pkt.c | 4 +-
+ ssl/ssl.h | 15 +++-
+ ssl/ssl3.h | 1 +
+ ssl/ssl_ciph.c | 70 +++++++++++----
+ ssl/ssl_err.c | 3 +
+ ssl/ssl_lib.c | 12 +++
+ ssl/ssl_locl.h | 23 ++++-
+ ssl/ssl_txt.c | 2 +-
+ ssl/t1_enc.c | 262 +++++++++++++++++++++++++++++++++++++++++++++++++++------
+ 13 files changed, 356 insertions(+), 50 deletions(-)
+
+diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
+index 03b6cf9..32adaf5 100644
+--- a/ssl/s2_clnt.c
++++ b/ssl/s2_clnt.c
+@@ -623,7 +623,7 @@ static int client_master_key(SSL *s)
+ if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A)
+ {
+
+- if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
++ if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL))
+ {
+ ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+diff --git a/ssl/s2_enc.c b/ssl/s2_enc.c
+index ff3395f..087c4a2 100644
+--- a/ssl/s2_enc.c
++++ b/ssl/s2_enc.c
+@@ -68,7 +68,7 @@ int ssl2_enc_init(SSL *s, int client)
+ const EVP_MD *md;
+ int num;
+
+- if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
++ if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL))
+ {
+ ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
+index 9b1a6ac..9392921 100644
+--- a/ssl/s2_srvr.c
++++ b/ssl/s2_srvr.c
+@@ -452,7 +452,7 @@ static int get_client_master_key(SSL *s)
+
+ is_export=SSL_C_IS_EXPORT(s->session->cipher);
+
+- if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
++ if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL))
+ {
+ ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
+index e3cd4f0..191b86b 100644
+--- a/ssl/s3_enc.c
++++ b/ssl/s3_enc.c
+@@ -397,7 +397,13 @@ int ssl3_setup_key_block(SSL *s)
+ if (s->s3->tmp.key_block_length != 0)
+ return(1);
+
+- if (!ssl_cipher_get_evp(s->session,&c,&hash,NULL,NULL,&comp))
++ if (!ssl_cipher_get_comp(s->session, &comp))
++ {
++ SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
++ return(0);
++ }
++
++ if (!ssl_cipher_get_evp(s->session,&c,&hash,NULL,NULL))
+ {
+ SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+ return(0);
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index 33bb78a..5038f6c 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -790,7 +790,9 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
+ else
+ eivlen = 0;
+ }
+- else
++ else if (s->aead_write_ctx != NULL)
++ eivlen = s->aead_write_ctx->variable_nonce_len;
++ else
+ eivlen = 0;
+
+ /* lets setup the record stuff. */
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index 672f3eb..0644cbf 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -406,7 +406,9 @@ struct ssl_cipher_st
+ unsigned long algorithm_ssl; /* (major) protocol version */
+
+ unsigned long algo_strength; /* strength and export flags */
+- unsigned long algorithm2; /* Extra flags */
++ unsigned long algorithm2; /* Extra flags. See SSL2_CF_* in ssl2.h
++ and algorithm2 section in
++ ssl_locl.h */
+ int strength_bits; /* Number of bits really used */
+ int alg_bits; /* Number of bits for algorithm */
+ };
+@@ -748,6 +750,9 @@ int SRP_generate_client_master_secret(SSL *s,unsigned char *master_key);
+
+ #endif
+
++struct ssl_aead_ctx_st;
++typedef struct ssl_aead_ctx_st SSL_AEAD_CTX;
++
+ #if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
+ #define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */
+ #else
+@@ -1294,6 +1299,9 @@ struct ssl_st
+ /* These are the ones being used, the ones in SSL_SESSION are
+ * the ones to be 'copied' into these ones */
+ int mac_flags;
++ SSL_AEAD_CTX *aead_read_ctx; /* AEAD context. If non-NULL, then
++ |enc_read_ctx| and |read_hash| are
++ ignored. */
+ EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
+ EVP_MD_CTX *read_hash; /* used for mac generation */
+ #ifndef OPENSSL_NO_COMP
+@@ -1302,6 +1310,9 @@ struct ssl_st
+ char *expand;
+ #endif
+
++ SSL_AEAD_CTX *aead_write_ctx; /* AEAD context. If non-NULL, then
++ |enc_write_ctx| and |write_hash| are
++ ignored. */
+ EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
+ EVP_MD_CTX *write_hash; /* used for mac generation */
+ #ifndef OPENSSL_NO_COMP
+@@ -2437,8 +2448,10 @@ void ERR_load_SSL_strings(void);
+ #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206
+ #define SSL_F_SSL_VERIFY_CERT_CHAIN 207
+ #define SSL_F_SSL_WRITE 208
++#define SSL_F_TLS1_AEAD_CTX_INIT 339
+ #define SSL_F_TLS1_CERT_VERIFY_MAC 286
+ #define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
++#define SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD 340
+ #define SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER 338
+ #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274
+ #define SSL_F_TLS1_ENC 210
+diff --git a/ssl/ssl3.h b/ssl/ssl3.h
+index a4f6d4a..6a5cdbe 100644
+--- a/ssl/ssl3.h
++++ b/ssl/ssl3.h
+@@ -517,6 +517,7 @@ typedef struct ssl3_state_st
+ unsigned char *key_block;
+
+ const EVP_CIPHER *new_sym_enc;
++ const EVP_AEAD *new_aead;
+ const EVP_MD *new_hash;
+ int new_mac_pkey_type;
+ int new_mac_secret_size;
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 2966ddf..7e780cd 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -484,32 +484,66 @@ static void load_builtin_compressions(void)
+ }
+ #endif
+
++/* ssl_cipher_get_comp sets |comp| to the correct SSL_COMP for the given
++ * session and returns 1. On error it returns 0. */
++int ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp)
++ {
++ int i;
++
++ SSL_COMP ctmp;
++#ifndef OPENSSL_NO_COMP
++ load_builtin_compressions();
++#endif
++
++ *comp=NULL;
++ ctmp.id=s->compress_meth;
++ if (ssl_comp_methods != NULL)
++ {
++ i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
++ if (i >= 0)
++ *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
++ else
++ *comp=NULL;
++ }
++
++ return 1;
++ }
++
++/* ssl_cipher_get_evp_aead sets |*aead| to point to the correct EVP_AEAD object
++ * for |s->cipher|. It returns 1 on success and 0 on error. */
++int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
++ {
++ const SSL_CIPHER *c = s->cipher;
++
++ *aead = NULL;
++
++ if (c == NULL)
++ return 0;
++ if ((c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) == 0)
++ return 0;
++
++#ifndef OPENSSL_NO_AES
++ /* There is only one AEAD for now. */
++ *aead = EVP_aead_aes_128_gcm();
++ return 1;
++#endif
++
++ return 0;
++ }
++
+ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+- const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp)
++ const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
+ {
+ int i;
+ const SSL_CIPHER *c;
+
+ c=s->cipher;
+ if (c == NULL) return(0);
+- if (comp != NULL)
+- {
+- SSL_COMP ctmp;
+-#ifndef OPENSSL_NO_COMP
+- load_builtin_compressions();
+-#endif
+
+- *comp=NULL;
+- ctmp.id=s->compress_meth;
+- if (ssl_comp_methods != NULL)
+- {
+- i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
+- if (i >= 0)
+- *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
+- else
+- *comp=NULL;
+- }
+- }
++ /* This function doesn't deal with EVP_AEAD. See
++ * |ssl_cipher_get_aead_evp|. */
++ if (c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)
++ return(0);
+
+ if ((enc == NULL) || (md == NULL)) return(0);
+
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
+index 97b2a0d..ad3a7b9 100644
+--- a/ssl/ssl_err.c
++++ b/ssl/ssl_err.c
+@@ -280,6 +280,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
+ {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"},
+ {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
+ {ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC), "tls1_cert_verify_mac"},
++{ERR_FUNC(SSL_F_TLS1_AEAD_CTX_INIT), "TLS1_AEAD_CTX_INIT"},
++{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "tls1_change_cipher_state"},
++{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD), "TLS1_CHANGE_CIPHER_STATE_AEAD"},
+ {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER), "TLS1_CHANGE_CIPHER_STATE_CIPHER"},
+ {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 3b264b6..8a0150c 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2881,6 +2881,18 @@ void ssl_clear_cipher_ctx(SSL *s)
+ OPENSSL_free(s->enc_write_ctx);
+ s->enc_write_ctx=NULL;
+ }
++ if (s->aead_read_ctx != NULL)
++ {
++ EVP_AEAD_CTX_cleanup(&s->aead_read_ctx->ctx);
++ OPENSSL_free(s->aead_read_ctx);
++ s->aead_read_ctx = NULL;
++ }
++ if (s->aead_write_ctx != NULL)
++ {
++ EVP_AEAD_CTX_cleanup(&s->aead_write_ctx->ctx);
++ OPENSSL_free(s->aead_write_ctx);
++ s->aead_write_ctx = NULL;
++ }
+ #ifndef OPENSSL_NO_COMP
+ if (s->expand != NULL)
+ {
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index 3d800af..63bc28b 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -380,6 +380,14 @@
+
+ #define TLSEXT_CHANNEL_ID_SIZE 128
+
++/* SSL_CIPHER_ALGORITHM2_AEAD is a flag in SSL_CIPHER.algorithm2 which
++ * indicates that the cipher is implemented via an EVP_AEAD. */
++#define SSL_CIPHER_ALGORITHM2_AEAD (1<<23)
++
++/* SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce
++ * for an SSL_CIPHER* with the SSL_CIPHER_ALGORITHM2_AEAD flag. */
++#define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \
++ (((ssl_cipher->algorithm2 >> 24) & 0xf)*2)
+
+ /*
+ * Export and cipher strength information. For each cipher we have to decide
+@@ -588,6 +596,17 @@ typedef struct ssl3_enc_method
+ int use_context);
+ } SSL3_ENC_METHOD;
+
++/* ssl_aead_ctx_st contains information about an AEAD that is being used to
++ * encrypt an SSL connection. */
++struct ssl_aead_ctx_st
++ {
++ EVP_AEAD_CTX ctx;
++ /* fixed_nonce contains any bytes of the nonce that are fixed for all
++ * records. */
++ unsigned char fixed_nonce[8];
++ unsigned char fixed_nonce_len, variable_nonce_len, tag_len;
++ };
++
+ #ifndef OPENSSL_NO_COMP
+ /* Used for holding the relevant compression methods loaded into SSL_CTX */
+ typedef struct ssl3_comp_st
+@@ -834,8 +853,10 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
+ STACK_OF(SSL_CIPHER) **sorted,
+ const char *rule_str);
+ void ssl_update_cache(SSL *s, int mode);
++int ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp);
++int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead);
+ int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
+- const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp);
++ const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size);
+ int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);
+ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
+ int ssl_undefined_function(SSL *s);
+diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
+index 6479d52..07826d5 100644
+--- a/ssl/ssl_txt.c
++++ b/ssl/ssl_txt.c
+@@ -216,7 +216,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
+ {
+ SSL_COMP *comp = NULL;
+
+- ssl_cipher_get_evp(x,NULL,NULL,NULL,NULL,&comp);
++ ssl_cipher_get_comp(x, &comp);
+ if (comp == NULL)
+ {
+ if (BIO_printf(bp,"\n Compression: %d",x->compress_meth) <= 0) goto err;
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index e1f91ba..7af1a32 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -316,6 +316,66 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km,
+ return ret;
+ }
+
++/* tls1_aead_ctx_init allocates |*aead_ctx|, if needed and returns 1. It
++ * returns 0 on malloc error. */
++static int tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx)
++ {
++ if (*aead_ctx != NULL)
++ EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx);
++ else
++ {
++ *aead_ctx = (SSL_AEAD_CTX*) OPENSSL_malloc(sizeof(SSL_AEAD_CTX));
++ if (*aead_ctx == NULL)
++ {
++ SSLerr(SSL_F_TLS1_AEAD_CTX_INIT, ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++ }
++
++ return 1;
++ }
++
++static int tls1_change_cipher_state_aead(SSL *s, char is_read,
++ const unsigned char *key, unsigned key_len,
++ const unsigned char *iv, unsigned iv_len)
++ {
++ const EVP_AEAD *aead = s->s3->tmp.new_aead;
++ SSL_AEAD_CTX *aead_ctx;
++
++ if (is_read)
++ {
++ if (!tls1_aead_ctx_init(&s->aead_read_ctx))
++ return 0;
++ aead_ctx = s->aead_read_ctx;
++ }
++ else
++ {
++ if (!tls1_aead_ctx_init(&s->aead_write_ctx))
++ return 0;
++ aead_ctx = s->aead_write_ctx;
++ }
++
++ if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len,
++ EVP_AEAD_DEFAULT_TAG_LENGTH, NULL /* engine */))
++ return 0;
++ if (iv_len > sizeof(aead_ctx->fixed_nonce))
++ {
++ SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ memcpy(aead_ctx->fixed_nonce, iv, iv_len);
++ aead_ctx->fixed_nonce_len = iv_len;
++ aead_ctx->variable_nonce_len = 8; /* always the case, currently. */
++ if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead))
++ {
++ SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ aead_ctx->tag_len = EVP_AEAD_max_overhead(aead);
++
++ return 1;
++ }
++
+ /* tls1_change_cipher_state_cipher performs the work needed to switch cipher
+ * states when using EVP_CIPHER. The argument |is_read| is true iff this
+ * function is being called due to reading, as opposed to writing, a
+@@ -494,6 +554,7 @@ int tls1_change_cipher_state(SSL *s, int which)
+ const unsigned char *client_write_key, *server_write_key, *key;
+ const unsigned char *client_write_iv, *server_write_iv, *iv;
+ const EVP_CIPHER *cipher = s->s3->tmp.new_sym_enc;
++ const EVP_AEAD *aead = s->s3->tmp.new_aead;
+ unsigned key_len, iv_len, mac_secret_len;
+ const unsigned char *key_data;
+ const char is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) != 0;
+@@ -551,14 +612,22 @@ int tls1_change_cipher_state(SSL *s, int which)
+
+ mac_secret_len = s->s3->tmp.new_mac_secret_size;
+
+- key_len = EVP_CIPHER_key_length(cipher);
+- if (is_export && key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher))
+- key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher);
+-
+- if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
+- iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
++ if (aead != NULL)
++ {
++ key_len = EVP_AEAD_key_length(aead);
++ iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->s3->tmp.new_cipher);
++ }
+ else
+- iv_len = EVP_CIPHER_iv_length(cipher);
++ {
++ key_len = EVP_CIPHER_key_length(cipher);
++ if (is_export && key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher))
++ key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher);
++
++ if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
++ iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
++ else
++ iv_len = EVP_CIPHER_iv_length(cipher);
++ }
+
+ key_data = s->s3->tmp.key_block;
+ client_write_mac_secret = key_data; key_data += mac_secret_len;
+@@ -587,12 +656,20 @@ int tls1_change_cipher_state(SSL *s, int which)
+ return 0;
+ }
+
+- if (!tls1_change_cipher_state_cipher(s, is_read, use_client_keys,
+- mac_secret, mac_secret_len,
+- key, key_len,
+- iv, iv_len)) {
+- return 0;
+- }
++ if (aead != NULL)
++ {
++ if (!tls1_change_cipher_state_aead(s, is_read,
++ key, key_len, iv, iv_len))
++ return 0;
++ }
++ else
++ {
++ if (!tls1_change_cipher_state_cipher(s, is_read, use_client_keys,
++ mac_secret, mac_secret_len,
++ key, key_len,
++ iv, iv_len))
++ return 0;
++ }
+
+ return 1;
+ err:
+@@ -603,13 +680,14 @@ err:
+ int tls1_setup_key_block(SSL *s)
+ {
+ unsigned char *p1,*p2=NULL;
+- const EVP_CIPHER *c;
+- const EVP_MD *hash;
++ const EVP_CIPHER *c = NULL;
++ const EVP_MD *hash = NULL;
++ const EVP_AEAD *aead = NULL;
+ int num;
+ SSL_COMP *comp;
+ int mac_type= NID_undef,mac_secret_size=0;
+ int ret=0;
+- int iv_len;
++ unsigned key_len, iv_len;
+
+ #ifdef KSSL_DEBUG
+ printf ("tls1_setup_key_block()\n");
+@@ -618,22 +696,36 @@ int tls1_setup_key_block(SSL *s)
+ if (s->s3->tmp.key_block_length != 0)
+ return(1);
+
+- if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,&comp))
++ if (!ssl_cipher_get_comp(s->session, &comp))
++ goto cipher_unavailable_err;
++
++ if (s->session->cipher &&
++ (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD))
+ {
+- SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+- return(0);
++ if (!ssl_cipher_get_evp_aead(s->session, &aead))
++ goto cipher_unavailable_err;
++ key_len = EVP_AEAD_key_length(aead);
++ iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher);
+ }
+-
+- if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
+- iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
+ else
+- iv_len = EVP_CIPHER_iv_length(c);
++ {
++ if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size))
++ goto cipher_unavailable_err;
++ key_len = EVP_CIPHER_key_length(c);
+
++ if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
++ iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
++ else
++ iv_len = EVP_CIPHER_iv_length(c);
++ }
++
++ s->s3->tmp.new_aead=aead;
+ s->s3->tmp.new_sym_enc=c;
+ s->s3->tmp.new_hash=hash;
+ s->s3->tmp.new_mac_pkey_type = mac_type;
+ s->s3->tmp.new_mac_secret_size = mac_secret_size;
+- num=EVP_CIPHER_key_length(c)+mac_secret_size+iv_len;
++
++ num=key_len+mac_secret_size+iv_len;
+ num*=2;
+
+ ssl3_cleanup_key_block(s);
+@@ -696,6 +788,10 @@ err:
+ OPENSSL_free(p2);
+ }
+ return(ret);
++
++cipher_unavailable_err:
++ SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
++ return 0;
+ }
+
+ /* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
+@@ -714,6 +810,124 @@ int tls1_enc(SSL *s, int send)
+ unsigned long l;
+ int bs,i,j,k,pad=0,ret,mac_size=0;
+ const EVP_CIPHER *enc;
++ const SSL_AEAD_CTX *aead;
++
++ if (send)
++ rec = &s->s3->wrec;
++ else
++ rec = &s->s3->rrec;
++
++ if (send)
++ aead = s->aead_write_ctx;
++ else
++ aead = s->aead_read_ctx;
++
++ if (aead)
++ {
++ unsigned char ad[13], *seq, *in, *out, nonce[16];
++ unsigned nonce_used;
++ ssize_t n;
++
++ seq = send ? s->s3->write_sequence : s->s3->read_sequence;
++
++ if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
++ {
++ unsigned char dtlsseq[9], *p = dtlsseq;
++
++ s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p);
++ memcpy(p, &seq[2], 6);
++ memcpy(ad, dtlsseq, 8);
++ }
++ else
++ {
++ memcpy(ad, seq, 8);
++ for (i=7; i>=0; i--) /* increment */
++ {
++ ++seq[i];
++ if (seq[i] != 0)
++ break;
++ }
++ }
++
++ ad[8] = rec->type;
++ ad[9] = (unsigned char)(s->version>>8);
++ ad[10] = (unsigned char)(s->version);
++
++ if (aead->fixed_nonce_len + aead->variable_nonce_len > sizeof(nonce) ||
++ aead->variable_nonce_len > 8)
++ return -1; /* internal error - should never happen. */
++
++ memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len);
++ nonce_used = aead->fixed_nonce_len;
++
++ if (send)
++ {
++ size_t len = rec->length;
++ in = rec->input;
++ out = rec->data;
++
++ /* When sending we use the sequence number as the
++ * variable part of the nonce. */
++ if (aead->variable_nonce_len > 8)
++ return -1;
++ memcpy(nonce + nonce_used, ad, aead->variable_nonce_len);
++ nonce_used += aead->variable_nonce_len;
++
++ /* in do_ssl3_write, rec->input is moved forward by
++ * variable_nonce_len in order to leave space for the
++ * variable nonce. Thus we can copy the sequence number
++ * bytes into place without overwriting any of the
++ * plaintext. */
++ memcpy(out, ad, aead->variable_nonce_len);
++ len -= aead->variable_nonce_len;
++
++ ad[11] = len >> 8;
++ ad[12] = len & 0xff;
++
++ n = EVP_AEAD_CTX_seal(&aead->ctx,
++ out + aead->variable_nonce_len, len + aead->tag_len,
++ nonce, nonce_used,
++ in + aead->variable_nonce_len, len,
++ ad, sizeof(ad));
++ if (n >= 0)
++ n += aead->variable_nonce_len;
++ }
++ else
++ {
++ /* receive */
++ size_t len = rec->length;
++
++ if (rec->data != rec->input)
++ return -1; /* internal error - should never happen. */
++ out = in = rec->input;
++
++ if (len < aead->variable_nonce_len)
++ return 0;
++ memcpy(nonce + nonce_used, in, aead->variable_nonce_len);
++ nonce_used += aead->variable_nonce_len;
++
++ in += aead->variable_nonce_len;
++ len -= aead->variable_nonce_len;
++ out += aead->variable_nonce_len;
++
++ if (len < aead->tag_len)
++ return 0;
++ len -= aead->tag_len;
++
++ ad[11] = len >> 8;
++ ad[12] = len & 0xff;
++
++ n = EVP_AEAD_CTX_open(&aead->ctx, out, len, nonce, nonce_used,
++ in, len + aead->tag_len, ad, sizeof(ad));
++
++ rec->data = rec->input = out;
++ }
++
++ if (n == -1)
++ return -1;
++ rec->length = n;
++ return 1;
++ }
+
+ if (send)
+ {
+--
+1.8.4.1
+
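Review bot: In the `tls1_change_cipher_state` hunk (`if (aead != NULL) ... else ...`), taking the non-AEAD branch leaves any existing `s->aead_read_ctx` / `s->aead_write_ctx` untouched, and because the new `tls1_enc` code and the `ssl_st` comments give a non-NULL AEAD context precedence over `enc_*_ctx` / `*_hash`, a renegotiation from an AEAD suite to a CBC or stream suite would keep sealing and opening records with the stale AEAD state. `tls1_change_cipher_state_cipher` is outside this hunk and may already reset those pointers; if it does not, release the AEAD context before calling it, as below. The mirror case (an AEAD suite negotiated after a non-AEAD one) likewise leaves `enc_read_ctx` / `read_hash` allocated, and the record layer's existing `enc_read_ctx != NULL` tests presumably still treat that as an active MAC configuration — worth confirming in s3_pkt.c and freeing them in `tls1_change_cipher_state_aead` if so. Both outcomes are fail-closed (decryption error rather than plaintext exposure), but they break renegotiation across cipher kinds.
```c
	/* … unchanged: AEAD branch … */
	else
		{
		/* tls1_enc prefers a non-NULL aead_*_ctx, so a context left over from
		 * an earlier AEAD suite would keep being used; release it first. */
		SSL_AEAD_CTX **stale = is_read ? &s->aead_read_ctx : &s->aead_write_ctx;
		if (*stale != NULL)
			{
			EVP_AEAD_CTX_cleanup(&(*stale)->ctx);
			OPENSSL_free(*stale);
			*stale = NULL;
			}
		if (!tls1_change_cipher_state_cipher(s, is_read, use_client_keys,
						     mac_secret, mac_secret_len,
						     key, key_len,
						     iv, iv_len))
			return 0;
		}
```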
diff -burN android-openssl-lhash2/patches/aead_support.patch android-openssl/patches/aead_support.patch
--- android-openssl-lhash2/patches/aead_support.patch 1969-12-31 19:00:00.000000000 -0500
+++ android-openssl/patches/aead_support.patch 2013-11-05 14:14:34.631283497 -0500
@@ -0,0 +1,811 @@
+From 98f0c6e114f55b4451bea824b05ab29db3351f12 Mon Sep 17 00:00:00 2001
+From: Adam Langley <agl@chromium.org>
+Date: Thu, 25 Jul 2013 16:52:35 -0400
+Subject: [PATCH 40/50] aead_support
+
+This change adds an AEAD interface to EVP and an AES-GCM implementation
+suitable for use in TLS.
+---
+ crypto/evp/Makefile | 4 +-
+ crypto/evp/e_aes.c | 214 +++++++++++++++++++++++++++++++++++----
+ crypto/evp/evp.h | 111 ++++++++++++++++++++
+ crypto/evp/evp_aead.c | 192 +++++++++++++++++++++++++++++++++++
+ crypto/evp/evp_err.c | 8 ++
+ crypto/evp/evp_locl.h | 24 +++++
+ doc/crypto/EVP_AEAD_CTX_init.pod | 96 ++++++++++++++++++
+ 7 files changed, 626 insertions(+), 23 deletions(-)
+ create mode 100644 crypto/evp/evp_aead.c
+ create mode 100644 doc/crypto/EVP_AEAD_CTX_init.pod
+
+diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile
+index 1e46ceb..b73038d 100644
+--- a/crypto/evp/Makefile
++++ b/crypto/evp/Makefile
+@@ -29,7 +29,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c evp_cnf.c \
+ c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
+ evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
+ e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \
+- e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
++ e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c evp_aead.c
+
+ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
+ e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\
+@@ -42,7 +42,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
+ c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
+ evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
+ e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \
+- e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o
++ e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o evp_aead.o
+
+ SRC= $(LIBSRC)
+
+diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
+index ef44f63..e4485e4 100644
+--- a/crypto/evp/e_aes.c
++++ b/crypto/evp/e_aes.c
+@@ -814,44 +814,45 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
+ }
+ }
+
+-static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+- const unsigned char *iv, int enc)
++static ctr128_f aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
++ const unsigned char *key, size_t key_len)
+ {
+- EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
+- if (!iv && !key)
+- return 1;
+- if (key)
+- { do {
+ #ifdef BSAES_CAPABLE
+ if (BSAES_CAPABLE)
+ {
+- AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
+- CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
++ AES_set_encrypt_key(key,key_len*8,aes_key);
++ CRYPTO_gcm128_init(gcm_ctx,aes_key,
+ (block128_f)AES_encrypt);
+- gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
+- break;
++ return (ctr128_f)bsaes_ctr32_encrypt_blocks;
+ }
+- else
+ #endif
+ #ifdef VPAES_CAPABLE
+ if (VPAES_CAPABLE)
+ {
+- vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
+- CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
++ vpaes_set_encrypt_key(key,key_len*8,aes_key);
++ CRYPTO_gcm128_init(gcm_ctx,aes_key,
+ (block128_f)vpaes_encrypt);
+- gctx->ctr = NULL;
+- break;
++ return NULL;
+ }
+ #endif
+- AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
+- CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
++ AES_set_encrypt_key(key, key_len*8, aes_key);
++ CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+ #ifdef AES_CTR_ASM
+- gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
++ return (ctr128_f)AES_ctr32_encrypt;
+ #else
+- gctx->ctr = NULL;
++ return NULL;
+ #endif
+- } while (0);
++ }
+
++static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
++ const unsigned char *iv, int enc)
++ {
++ EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
++ if (!iv && !key)
++ return 1;
++ if (key)
++ {
++ gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, key, ctx->key_len);
+ /* If we have an iv can set it directly, otherwise use
+ * saved IV.
+ */
+@@ -1310,5 +1311,176 @@ BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
+ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
+ BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
+
++#define EVP_AEAD_AES_128_GCM_TAG_LEN 16
++
++struct aead_aes_128_gcm_ctx {
++ union { double align; AES_KEY ks; } ks;
++ GCM128_CONTEXT gcm;
++ ctr128_f ctr;
++ unsigned char tag_len;
++};
++
++static int aead_aes_128_gcm_init(EVP_AEAD_CTX *ctx,
++ const unsigned char *key, size_t key_len, size_t tag_len)
++ {
++ struct aead_aes_128_gcm_ctx *gcm_ctx;
++
++ if (key_len*8 != 128)
++ {
++ EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_BAD_KEY_LENGTH);
++ return 0; /* EVP_AEAD_CTX_init should catch this. */
++ }
++
++ if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH)
++ tag_len = EVP_AEAD_AES_128_GCM_TAG_LEN;
++
++ if (tag_len > EVP_AEAD_AES_128_GCM_TAG_LEN)
++ {
++ EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_TAG_TOO_LARGE);
++ return 0;
++ }
++
++ gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_128_gcm_ctx));
++ if (gcm_ctx == NULL)
++ return 0;
++
++#ifdef AESNI_CAPABLE
++ if (AESNI_CAPABLE)
++ {
++ aesni_set_encrypt_key(key, key_len * 8, &gcm_ctx->ks.ks);
++ CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
++ (block128_f)aesni_encrypt);
++ gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
++ }
++ else
++#endif
++ {
++ gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
++ key, key_len);
++ }
++ gcm_ctx->tag_len = tag_len;
++ ctx->aead_state = gcm_ctx;
++
++ return 1;
++ }
++
++static void aead_aes_128_gcm_cleanup(EVP_AEAD_CTX *ctx)
++ {
++ struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state;
++ OPENSSL_free(gcm_ctx);
++ }
++
++static ssize_t aead_aes_128_gcm_seal(const EVP_AEAD_CTX *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len)
++ {
++ size_t bulk = 0;
++ const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state;
++ GCM128_CONTEXT gcm;
++
++ if (max_out_len < in_len + gcm_ctx->tag_len)
++ {
++ EVPerr(EVP_F_AEAD_AES_128_GCM_SEAL, EVP_R_BUFFER_TOO_SMALL);
++ return -1;
++ }
++
++ memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
++ CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
++
++ if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
++ return -1;
++
++ if (gcm_ctx->ctr)
++ {
++ if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
++ in_len - bulk, gcm_ctx->ctr))
++ return -1;
++ }
++ else
++ {
++ if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
++ in_len - bulk))
++ return -1;
++ }
++
++ CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
++ return in_len + gcm_ctx->tag_len;
++ }
++
++static ssize_t aead_aes_128_gcm_open(const EVP_AEAD_CTX *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len)
++ {
++ size_t bulk = 0;
++ const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state;
++ unsigned char tag[EVP_AEAD_AES_128_GCM_TAG_LEN];
++ size_t out_len;
++ GCM128_CONTEXT gcm;
++
++ if (in_len < gcm_ctx->tag_len)
++ {
++ EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT);
++ return -1;
++ }
++
++ out_len = in_len - gcm_ctx->tag_len;
++
++ if (max_out_len < out_len)
++ {
++ EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BUFFER_TOO_SMALL);
++ return -1;
++ }
++
++ memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
++ CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
++
++ if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
++ return -1;
++
++ if (gcm_ctx->ctr)
++ {
++ if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
++ in_len-bulk-gcm_ctx->tag_len,
++ gcm_ctx->ctr))
++ return -1;
++ }
++ else
++ {
++ if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
++ in_len - bulk - gcm_ctx->tag_len))
++ return -1;
++ }
++
++ CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
++ if (CRYPTO_memcmp(tag, in + out_len, gcm_ctx->tag_len) != 0)
++ {
++ EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT);
++ return -1;
++ }
++
++ return out_len;
++ }
++
++static const EVP_AEAD aead_aes_128_gcm = {
++ 16, /* key len */
++ 12, /* nonce len */
++ EVP_AEAD_AES_128_GCM_TAG_LEN, /* overhead */
++ EVP_AEAD_AES_128_GCM_TAG_LEN, /* max tag length */
++
++ aead_aes_128_gcm_init,
++ aead_aes_128_gcm_cleanup,
++ aead_aes_128_gcm_seal,
++ aead_aes_128_gcm_open,
++};
++
++const EVP_AEAD *EVP_aead_aes_128_gcm()
++ {
++ return &aead_aes_128_gcm;
++ }
++
+ #endif
+ #endif
+diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
+index 5f18d4b..bd10642 100644
+--- a/crypto/evp/evp.h
++++ b/crypto/evp/evp.h
+@@ -1243,6 +1243,109 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
+ int (*ctrl_str)(EVP_PKEY_CTX *ctx,
+ const char *type, const char *value));
+
++/* Authenticated Encryption with Additional Data.
++ *
++ * AEAD couples confidentiality and integrity in a single primtive. AEAD
++ * algorithms take a key and then can seal and open individual messages. Each
++ * message has a unique, per-message nonce and, optionally, additional data
++ * which is authenticated but not included in the output. */
++
++struct evp_aead_st;
++typedef struct evp_aead_st EVP_AEAD;
++
++#ifndef OPENSSL_NO_AES
++/* EVP_aes_128_gcm is AES-128 in Galois Counter Mode. */
++const EVP_AEAD *EVP_aead_aes_128_gcm(void);
++#endif
++
++/* EVP_AEAD_key_length returns the length, in bytes, of the keys used by
++ * |aead|. */
++size_t EVP_AEAD_key_length(const EVP_AEAD *aead);
++
++/* EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce
++ * for |aead|. */
++size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead);
++
++/* EVP_AEAD_max_overhead returns the maximum number of additional bytes added
++ * by the act of sealing data with |aead|. */
++size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead);
++
++/* EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This
++ * is the largest value that can be passed as |tag_len| to
++ * |EVP_AEAD_CTX_init|. */
++size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);
++
++/* An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key
++ * and message-independent IV. */
++typedef struct evp_aead_ctx_st {
++ const EVP_AEAD *aead;
++ /* aead_state is an opaque pointer to whatever state the AEAD needs to
++ * maintain. */
++ void *aead_state;
++} EVP_AEAD_CTX;
++
++#define EVP_AEAD_DEFAULT_TAG_LENGTH 0
++
++/* EVP_AEAD_init initializes |ctx| for the given AEAD algorithm from |impl|.
++ * The |impl| argument may be NULL to choose the default implementation.
++ * Authentication tags may be truncated by passing a size as |tag_len|. A
++ * |tag_len| of zero indicates the default tag length and this is defined as
++ * EVP_AEAD_DEFAULT_TAG_LENGTH for readability.
++ * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. */
++int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
++ const unsigned char *key, size_t key_len,
++ size_t tag_len, ENGINE *impl);
++
++/* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. */
++void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);
++
++/* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and
++ * authenticates |ad_len| bytes from |ad| and writes the result to |out|,
++ * returning the number of bytes written, or -1 on error.
++ *
++ * This function may be called (with the same EVP_AEAD_CTX) concurrently with
++ * itself or EVP_AEAD_CTX_open.
++ *
++ * At most |max_out_len| bytes are written to |out| and, in order to ensure
++ * success, |max_out_len| should be |in_len| plus the result of
++ * EVP_AEAD_overhead.
++ *
++ * The length of |nonce|, |nonce_len|, must be equal to the result of
++ * EVP_AEAD_nonce_length for this AEAD.
++ *
++ * EVP_AEAD_CTX_seal never results in a partial output. If |max_out_len| is
++ * insufficient, -1 will be returned.
++ *
++ * If |in| and |out| alias then |out| must be <= |in|. */
++ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len);
++
++/* EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes
++ * from |ad| and decrypts at most |in_len| bytes into |out|. It returns the
++ * number of bytes written, or -1 on error.
++ *
++ * This function may be called (with the same EVP_AEAD_CTX) concurrently with
++ * itself or EVP_AEAD_CTX_seal.
++ *
++ * At most |in_len| bytes are written to |out|. In order to ensure success,
++ * |max_out_len| should be at least |in_len|.
++ *
++ * The length of |nonce|, |nonce_len|, must be equal to the result of
++ * EVP_AEAD_nonce_length for this AEAD.
++ *
++ * EVP_AEAD_CTX_open never results in a partial output. If |max_out_len| is
++ * insufficient, -1 will be returned.
++ *
++ * If |in| and |out| alias then |out| must be <= |in|. */
++ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len);
++
+ void EVP_add_alg_module(void);
+
+ /* BEGIN ERROR CODES */
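Review bot: Several of the new doc comments in this hunk name functions that the header does not declare: the comment above `EVP_aead_aes_128_gcm` calls it `EVP_aes_128_gcm`, the comment above `EVP_AEAD_CTX_init` calls it `EVP_AEAD_init`, and the `EVP_AEAD_CTX_seal` comment tells callers to size `max_out_len` from `EVP_AEAD_overhead` where the declared accessor is `EVP_AEAD_max_overhead`. These comments are the public contract for the new API, so each should be corrected to the declared name, e.g. `/* EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode. */`. The `EVP_AEAD_CTX_init` comment also does not say what happens when `tag_len` exceeds `EVP_AEAD_max_tag_len`; since this patch adds `EVP_R_TAG_TOO_LARGE` (presumably raised by the backend's init), one sentence such as `/* A |tag_len| larger than EVP_AEAD_max_tag_len fails with EVP_R_TAG_TOO_LARGE. */` would tie the reason code to the documented limit.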
+@@ -1254,6 +1357,11 @@ void ERR_load_EVP_strings(void);
+ /* Error codes for the EVP functions. */
+
+ /* Function codes. */
++#define EVP_F_AEAD_AES_128_GCM_INIT 183
++#define EVP_F_AEAD_AES_128_GCM_OPEN 181
++#define EVP_F_AEAD_AES_128_GCM_SEAL 182
++#define EVP_F_AEAD_CTX_OPEN 185
++#define EVP_F_AEAD_CTX_SEAL 186
+ #define EVP_F_AESNI_INIT_KEY 165
+ #define EVP_F_AESNI_XTS_CIPHER 176
+ #define EVP_F_AES_INIT_KEY 133
+@@ -1268,6 +1376,7 @@ void ERR_load_EVP_strings(void);
+ #define EVP_F_DSA_PKEY2PKCS8 135
+ #define EVP_F_ECDSA_PKEY2PKCS8 129
+ #define EVP_F_ECKEY_PKEY2PKCS8 132
++#define EVP_F_EVP_AEAD_CTX_INIT 180
+ #define EVP_F_EVP_CIPHERINIT_EX 123
+ #define EVP_F_EVP_CIPHER_CTX_COPY 163
+ #define EVP_F_EVP_CIPHER_CTX_CTRL 124
+@@ -1383,10 +1492,12 @@ void ERR_load_EVP_strings(void);
+ #define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED 105
+ #define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
+ #define EVP_R_OPERATON_NOT_INITIALIZED 151
++#define EVP_R_OUTPUT_ALIASES_INPUT 170
+ #define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE 117
+ #define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
+ #define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
+ #define EVP_R_PUBLIC_KEY_NOT_RSA 106
++#define EVP_R_TAG_TOO_LARGE 171
+ #define EVP_R_TOO_LARGE 164
+ #define EVP_R_UNKNOWN_CIPHER 160
+ #define EVP_R_UNKNOWN_DIGEST 161
+diff --git a/crypto/evp/evp_aead.c b/crypto/evp/evp_aead.c
+new file mode 100644
+index 0000000..91da561
+--- /dev/null
++++ b/crypto/evp/evp_aead.c
+@@ -0,0 +1,192 @@
++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay@cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay@cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include <limits.h>
++#include <string.h>
++
++#include <openssl/evp.h>
++#include <openssl/err.h>
++
++#include "evp_locl.h"
++
++size_t EVP_AEAD_key_length(const EVP_AEAD *aead)
++ {
++ return aead->key_len;
++ }
++
++size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead)
++ {
++ return aead->nonce_len;
++ }
++
++size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead)
++ {
++ return aead->overhead;
++ }
++
++size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead)
++ {
++ return aead->max_tag_len;
++ }
++
++int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
++ const unsigned char *key, size_t key_len,
++ size_t tag_len, ENGINE *impl)
++ {
++ ctx->aead = aead;
++ if (key_len != aead->key_len)
++ {
++ EVPerr(EVP_F_EVP_AEAD_CTX_INIT,EVP_R_UNSUPPORTED_KEY_SIZE);
++ return 0;
++ }
++ return aead->init(ctx, key, key_len, tag_len);
++ }
++
++void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx)
++ {
++ if (ctx->aead == NULL)
++ return;
++ ctx->aead->cleanup(ctx);
++ ctx->aead = NULL;
++ }
++
++/* check_alias returns 0 if |out| points within the buffer determined by |in|
++ * and |in_len| and 1 otherwise.
++ *
++ * When processing, there's only an issue if |out| points within in[:in_len]
++ * and isn't equal to |in|. If that's the case then writing the output will
++ * stomp input that hasn't been read yet.
++ *
++ * This function checks for that case. */
++static int check_alias(const unsigned char *in, size_t in_len,
++ const unsigned char *out)
++ {
++ if (out <= in)
++ return 1;
++ if (in + in_len <= out)
++ return 1;
++ return 0;
++ }
++
++ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len)
++ {
++ size_t possible_out_len = in_len + ctx->aead->overhead;
++ ssize_t r;
++
++ if (possible_out_len < in_len /* overflow */ ||
++ possible_out_len > SSIZE_MAX /* return value cannot be
++ represented */)
++ {
++ EVPerr(EVP_F_AEAD_CTX_SEAL, EVP_R_TOO_LARGE);
++ goto error;
++ }
++
++ if (!check_alias(in, in_len, out))
++ {
++ EVPerr(EVP_F_AEAD_CTX_SEAL, EVP_R_OUTPUT_ALIASES_INPUT);
++ goto error;
++ }
++
++ r = ctx->aead->seal(ctx, out, max_out_len, nonce, nonce_len,
++ in, in_len, ad, ad_len);
++ if (r >= 0)
++ return r;
++
++error:
++ /* In the event of an error, clear the output buffer so that a caller
++ * that doesn't check the return value doesn't send raw data. */
++ memset(out, 0, max_out_len);
++ return -1;
++ }
++
++ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len)
++ {
++ ssize_t r;
++
++ if (in_len > SSIZE_MAX)
++ {
++ EVPerr(EVP_F_AEAD_CTX_OPEN, EVP_R_TOO_LARGE);
++ goto error; /* may not be able to represent return value. */
++ }
++
++ if (!check_alias(in, in_len, out))
++ {
++ EVPerr(EVP_F_AEAD_CTX_OPEN, EVP_R_OUTPUT_ALIASES_INPUT);
++ goto error;
++ }
++
++ r = ctx->aead->open(ctx, out, max_out_len, nonce, nonce_len,
++ in, in_len, ad, ad_len);
++
++ if (r >= 0)
++ return r;
++
++error:
++ /* In the event of an error, clear the output buffer so that a caller
++ * that doesn't check the return value doesn't try and process bad
++ * data. */
++ memset(out, 0, max_out_len);
++ return -1;
++ }
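Review bot: `EVP_AEAD_CTX_init` stores `ctx->aead = aead` before the key-length check and before `aead->init`, so on either failure path `ctx->aead` stays non-NULL while `aead_state` was never set; `EVP_AEAD_CTX_cleanup` only tests `ctx->aead == NULL` and would then invoke `cleanup` on an indeterminate `aead_state`. Move the assignment below the key-length check and replace the final return with `if (!aead->init(ctx, key, key_len, tag_len)) { ctx->aead = NULL; return 0; }` followed by `return 1;`, so a failed init leaves the context in the same state cleanup already tolerates. The `impl` ENGINE parameter is accepted but never read; a comment such as `/* |impl| is currently ignored: only the built-in implementation exists. */` would stop callers from expecting engine dispatch. Neither `EVP_AEAD_CTX_seal` nor `EVP_AEAD_CTX_open` compares `nonce_len` against `ctx->aead->nonce_len` even though evp.h states the two must be equal, so enforcing the documented contract is left to each backend (the GCM open above passes `nonce_len` straight to `CRYPTO_gcm128_setiv`); checking it once in these wrappers would make the guarantee hold for every implementation.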
+diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
+index 08eab98..c47969c 100644
+--- a/crypto/evp/evp_err.c
++++ b/crypto/evp/evp_err.c
+@@ -70,6 +70,11 @@
+
+ static ERR_STRING_DATA EVP_str_functs[]=
+ {
++{ERR_FUNC(EVP_F_AEAD_AES_128_GCM_INIT), "AEAD_AES_128_GCM_INIT"},
++{ERR_FUNC(EVP_F_AEAD_AES_128_GCM_OPEN), "AEAD_AES_128_GCM_OPEN"},
++{ERR_FUNC(EVP_F_AEAD_AES_128_GCM_SEAL), "AEAD_AES_128_GCM_SEAL"},
++{ERR_FUNC(EVP_F_AEAD_CTX_OPEN), "AEAD_CTX_OPEN"},
++{ERR_FUNC(EVP_F_AEAD_CTX_SEAL), "AEAD_CTX_SEAL"},
+ {ERR_FUNC(EVP_F_AESNI_INIT_KEY), "AESNI_INIT_KEY"},
+ {ERR_FUNC(EVP_F_AESNI_XTS_CIPHER), "AESNI_XTS_CIPHER"},
+ {ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"},
+@@ -84,6 +89,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
+ {ERR_FUNC(EVP_F_DSA_PKEY2PKCS8), "DSA_PKEY2PKCS8"},
+ {ERR_FUNC(EVP_F_ECDSA_PKEY2PKCS8), "ECDSA_PKEY2PKCS8"},
+ {ERR_FUNC(EVP_F_ECKEY_PKEY2PKCS8), "ECKEY_PKEY2PKCS8"},
++{ERR_FUNC(EVP_F_EVP_AEAD_CTX_INIT), "EVP_AEAD_CTX_init"},
+ {ERR_FUNC(EVP_F_EVP_CIPHERINIT_EX), "EVP_CipherInit_ex"},
+ {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_COPY), "EVP_CIPHER_CTX_copy"},
+ {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_CTRL), "EVP_CIPHER_CTX_ctrl"},
+@@ -202,10 +208,12 @@ static ERR_STRING_DATA EVP_str_reasons[]=
+ {ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED),"no verify function configured"},
+ {ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"},
+ {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED),"operaton not initialized"},
++{ERR_REASON(EVP_R_OUTPUT_ALIASES_INPUT) ,"output aliases input"},
+ {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),"pkcs8 unknown broken type"},
+ {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR),"private key decode error"},
+ {ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR),"private key encode error"},
+ {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"},
++{ERR_REASON(EVP_R_TAG_TOO_LARGE) ,"tag too large"},
+ {ERR_REASON(EVP_R_TOO_LARGE) ,"too large"},
+ {ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"},
+ {ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"},
+diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h
+index 08c0a66..c0f9fdf 100644
+--- a/crypto/evp/evp_locl.h
++++ b/crypto/evp/evp_locl.h
+@@ -348,6 +348,30 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+ ASN1_TYPE *param,
+ const EVP_CIPHER *c, const EVP_MD *md, int en_de);
+
++/* EVP_AEAD represents a specific AEAD algorithm. */
++struct evp_aead_st {
++ unsigned char key_len;
++ unsigned char nonce_len;
++ unsigned char overhead;
++ unsigned char max_tag_len;
++
++ int (*init) (struct evp_aead_ctx_st*, const unsigned char *key,
++ size_t key_len, size_t tag_len);
++ void (*cleanup) (struct evp_aead_ctx_st*);
++
++ ssize_t (*seal) (const struct evp_aead_ctx_st *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len);
++
++ ssize_t (*open) (const struct evp_aead_ctx_st *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len);
++};
++
+ #ifdef OPENSSL_FIPS
+
+ #ifdef OPENSSL_DOING_MAKEDEPEND
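Review bot: The function-pointer fields of `struct evp_aead_st` carry no contract, yet `EVP_AEAD_CTX_init` returns `init`'s result directly as its documented 1/0 status and `EVP_AEAD_CTX_seal`/`EVP_AEAD_CTX_open` return `seal`/`open` results as byte counts or -1. Each pointer should state this so backend authors match the wrappers, e.g. `/* init returns 1 on success, 0 (with an error pushed) on failure; it must not assume ctx->aead_state is initialised. */` on `init` and `/* seal and open return the number of bytes written or -1; they are only called after the wrapper has rejected |out| aliasing in[:in_len] (other than out <= in). */` on the two operation pointers. It would also help to note that `key_len`, `nonce_len`, `overhead` and `max_tag_len` are deliberately `unsigned char`, which caps every AEAD parameter at 255 bytes.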
+diff --git a/doc/crypto/EVP_AEAD_CTX_init.pod b/doc/crypto/EVP_AEAD_CTX_init.pod
+new file mode 100644
+index 0000000..20e455d
+--- /dev/null
++++ b/doc/crypto/EVP_AEAD_CTX_init.pod
+@@ -0,0 +1,96 @@
++=pod
++
++=head1 NAME
++
++EVP_AEAD_CTX_init, EVP_AEAD_CTX_cleanup, EVP_AEAD_CTX_seal, EVP_AEAD_CTX_open - authenticated encryption functions.
++
++=head1 SYNOPSIS
++
++ #include <openssl/evp.h>
++
++ int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
++ const unsigned char *key, size_t key_len,
++ size_t tag_len, ENGINE *impl);
++ void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);
++ ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len);
++ ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len);
++
++=head1 DESCRIPTION
++
++The EVP_AEAD_CTX_init() function initialises an B<EVP_AEAD_CTX> structure and
++performs any precomputation needed to use B<aead> with B<key>. The length of
++the key, B<key_len>, is given in bytes.
++
++The B<tag_len> argument contains the length of the tags, in bytes, and allows
++for the processing of truncated authenticators. A zero value indicates that the
++default tag length should be used and this is defined as
++C<EVP_AEAD_DEFAULT_TAG_LENGTH> in order to make the code clear. Using truncated
++tags increases an attacker's chance of creating a valid forgery. Be aware that
++the attacker's chance may increase more than exponentially as would naively be
++expected.
++
++When no longer needed, the initialised B<EVP_AEAD_CTX> structure must be passed
++to EVP_AEAD_CTX_cleanup(), which will deallocate any memory used.
++
++With an B<EVP_AEAD_CTX> in hand, one can seal and open messages. These
++operations are intended to meet the standard notions of privacy and
++authenticity for authenticated encryption. For formal definitions see I<Bellare
++and Namprempre>, "Authenticated encryption: relations among notions and
++analysis of the generic composition paradigm," Lecture Notes in Computer
++Science B<1976> (2000), 531–545,
++L<http://www-cse.ucsd.edu/~mihir/papers/oem.html>.
++
++When sealing messages, a nonce must be given. The length of the nonce is fixed
++by the AEAD in use and is returned by EVP_AEAD_nonce_length(). I<The nonce must
++be unique for all messages with the same key>. This is critically important -
++nonce reuse may completely undermine the security of the AEAD. Nonces may be
++predictable and public, so long as they are unique. Uniqueness may be achieved
++with a simple counter or, if long enough, may be generated randomly. The nonce
++must be passed into the "open" operation by the receiver so must either be
++implicit (e.g. a counter), or must be transmitted along with the sealed message.
++
++The "seal" and "open" operations are atomic - an entire message must be
++encrypted or decrypted in a single call. Large messages may have to be split up
++in order to accomodate this. When doing so, be mindful of the need not to
++repeat nonces and the possibility that an attacker could duplicate, reorder or
++drop message chunks. For example, using a single key for a given (large)
++message and sealing chunks with nonces counting from zero would be secure as
++long as the number of chunks was securely transmitted. (Otherwise an attacker
++could truncate the message by dropping chunks from the end.)
++
++The number of chunks could be transmitted by prefixing it to the plaintext, for
++example. This also assumes that no other message would ever use the same key
++otherwise the rule that nonces must be unique for a given key would be
++violated.
++
++The "seal" and "open" operations also permit additional data to be
++authenticated via the B<ad> parameter. This data is not included in the
++ciphertext and must be identical for both the "seal" and "open" call. This
++permits implicit context to be authenticated but may be C<NULL> if not needed.
++
++The "seal" and "open" operations may work inplace if the B<out> and B<in>
++arguments are equal. They may also be used to shift the data left inside the
++same buffer if B<out> is less than B<in>. However, B<out> may not point inside
++the input data otherwise the input may be overwritten before it has been read.
++This case will cause an error.
++
++=head1 RETURN VALUES
++
++The "seal" and "open" operations return an C<ssize_t> with value -1 on error,
++otherwise they return the number of output bytes written. An error will be
++returned if the input length is large enough that the output size exceeds the
++range of a C<ssize_t>.
++
++=head1 HISTORY
++
++These functions were first added to OpenSSL 1.0.2.
++
++=cut
+--
+1.8.4.1
+
diff -burN android-openssl-lhash2/patches/chacha20poly1305.patch android-openssl/patches/chacha20poly1305.patch
--- android-openssl-lhash2/patches/chacha20poly1305.patch 1969-12-31 19:00:00.000000000 -0500
+++ android-openssl/patches/chacha20poly1305.patch 2013-11-05 15:15:28.454480948 -0500
@@ -0,0 +1,5740 @@
+From 2688f00904e4ffd647afcff69bb8fe6df8c5902b Mon Sep 17 00:00:00 2001
+From: Adam Langley <agl@chromium.org>
+Date: Mon, 9 Sep 2013 12:13:24 -0400
+Subject: [PATCH 43/52] chacha20poly1305
+
+Add support for Chacha20 + Poly1305.
+---
+ .gitignore | 1 +
+ Configure | 56 +-
+ Makefile.org | 6 +-
+ apps/speed.c | 64 +-
+ crypto/chacha/Makefile | 80 ++
+ crypto/chacha/chacha.h | 85 ++
+ crypto/chacha/chacha_enc.c | 167 +++
+ crypto/chacha/chacha_vec.c | 345 +++++++
+ crypto/chacha/chachatest.c | 211 ++++
+ crypto/evp/Makefile | 35 +-
+ crypto/evp/e_chacha20poly1305.c | 261 +++++
+ crypto/evp/evp.h | 8 +
+ crypto/evp/evp_err.c | 3 +
+ crypto/poly1305/Makefile | 81 ++
+ crypto/poly1305/poly1305.c | 320 ++++++
+ crypto/poly1305/poly1305.h | 88 ++
+ crypto/poly1305/poly1305_arm.c | 335 ++++++
+ crypto/poly1305/poly1305_arm_asm.s | 2009 ++++++++++++++++++++++++++++++++++++
+ crypto/poly1305/poly1305_vec.c | 733 +++++++++++++
+ crypto/poly1305/poly1305test.c | 166 +++
+ ssl/s3_lib.c | 75 +-
+ ssl/s3_pkt.c | 5 +-
+ ssl/ssl.h | 1 +
+ ssl/ssl_ciph.c | 16 +-
+ ssl/ssl_locl.h | 10 +
+ ssl/t1_enc.c | 30 +-
+ ssl/tls1.h | 8 +
+ test/Makefile | 23 +-
+ 28 files changed, 5166 insertions(+), 56 deletions(-)
+ create mode 100644 crypto/chacha/Makefile
+ create mode 100644 crypto/chacha/chacha.h
+ create mode 100644 crypto/chacha/chacha_enc.c
+ create mode 100644 crypto/chacha/chacha_vec.c
+ create mode 100644 crypto/chacha/chachatest.c
+ create mode 100644 crypto/evp/e_chacha20poly1305.c
+ create mode 100644 crypto/poly1305/Makefile
+ create mode 100644 crypto/poly1305/poly1305.c
+ create mode 100644 crypto/poly1305/poly1305.h
+ create mode 100644 crypto/poly1305/poly1305_arm.c
+ create mode 100644 crypto/poly1305/poly1305_arm_asm.s
+ create mode 100644 crypto/poly1305/poly1305_vec.c
+ create mode 100644 crypto/poly1305/poly1305test.c
+
+diff --git a/openssl/ssl/ssl_ciph.c b/openssl/ssl/ssl_ciph.c
+index db85b29..cebb18a 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -1442,7 +1442,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
+ ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+ ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
+
+- /* AES is our preferred symmetric cipher */
++ /* CHACHA20 is fast and safe on all hardware and is thus our preferred
++ * symmetric cipher, with AES second. */
++ ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+ ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+
+ /* Temporarily enable everything else for sorting */
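Review bot: The new `ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, …)` puts ChaCha20-Poly1305 ahead of AES unconditionally, while the comment justifies the ordering with "fast and safe on all hardware"; on CPUs with AES hardware acceleration the AES suites are generally the faster choice, so this is a fixed policy preference rather than a universal performance fact. The comment should say so, e.g. `/* Prefer CHACHA20-POLY1305 by default: it has no timing-variable table lookups in software and is fast on hardware without AES acceleration; AES comes second. */`. If a hardware-dependent preference is intended, that would need a runtime capability check rather than a static rule. `ssl_create_cipher_list` continues outside the hunk.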
+diff --git a/Configure b/Configure
+index 9c803dc..1b95384 100755
+--- a/Configure
++++ b/Configure
+@@ -124,24 +124,24 @@ my $tlib="-lnsl -lsocket";
+ my $bits1="THIRTY_TWO_BIT ";
+ my $bits2="SIXTY_FOUR_BIT ";
+
+-my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o:des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:";
++my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o:des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:::";
+
+ my $x86_elf_asm="$x86_asm:elf";
+
+-my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o:";
+-my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
+-my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::ghash-sparcv9.o::void";
+-my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::::void";
+-my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o:::::sha1-alpha.o:::::::ghash-alpha.o::void";
+-my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::";
+-my $mips64_asm=":bn-mips.o mips-mont.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
+-my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
+-my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::void";
+-my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
+-my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
+-my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::";
+-my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o::::::::";
+-my $no_asm=":::::::::::::::void";
++my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o::chacha_vec.o:poly1305_vec.o";
++my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::::void";
++my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::ghash-sparcv9.o::::void";
++my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::::::void";
++my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o:::::sha1-alpha.o:::::::ghash-alpha.o::::void";
++my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::::";
++my $mips64_asm=":bn-mips.o mips-mont.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::::";
++my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::::ghash-s390x.o:";
++my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::chacha_vec.o:poly1305_arm.o poly1305_arm_asm.o:void";
++my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::::32";
++my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::::64";
++my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::::";
++my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o::::::::::";
++my $no_asm=":::::::::::::::::void";
+
+ # As for $BSDthreads. Idea is to maintain "collective" set of flags,
+ # which would cover all BSD flavors. -pthread applies to them all,
+@@ -152,7 +152,7 @@ my $no_asm=":::::::::::::::void";
+ # seems to be sufficient?
+ my $BSDthreads="-pthread -D_THREAD_SAFE -D_REENTRANT";
+
+-#config-string $cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $engines_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib
++#config-string $cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $engines_obj : $chacha_obj : $poly1305_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib :
+
+ my %table=(
+ # File 'TABLE' (created by 'make TABLE') contains the data from this list,
+@@ -647,6 +647,8 @@ my $idx_wp_obj = $idx++;
+ my $idx_cmll_obj = $idx++;
+ my $idx_modes_obj = $idx++;
+ my $idx_engines_obj = $idx++;
++my $idx_chacha_obj = $idx++;
++my $idx_poly1305_obj = $idx++;
+ my $idx_perlasm_scheme = $idx++;
+ my $idx_dso_scheme = $idx++;
+ my $idx_shared_target = $idx++;
+@@ -692,6 +694,8 @@ my $aes_enc="aes_core.o aes_cbc.o";
+ my $bf_enc ="bf_enc.o";
+ my $cast_enc="c_enc.o";
+ my $rc4_enc="rc4_enc.o rc4_skey.o";
++my $chacha_enc="chacha_enc.o";
++my $poly1305 ="poly1305.o";
+ my $rc5_enc="rc5_enc.o";
+ my $md5_obj="";
+ my $sha1_obj="";
+@@ -1144,7 +1148,7 @@ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/]
+
+ print "IsMK1MF=$IsMK1MF\n";
+
+-my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
++my @fields = split(/\s*:\s*/,$table{$target} . ":" x 31 , -1);
+ my $cc = $fields[$idx_cc];
+ # Allow environment CC to override compiler...
+ if($ENV{CC}) {
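Review bot: The padding in `split(/\s*:\s*/,$table{$target} . ":" x 31 , -1)` grows by one while two fields (`$idx_chacha_obj`, `$idx_poly1305_obj`) were added to the layout, so for short table entries the last index, `$idx_multilib`, may now fall past the end of `@fields` and `$multilib` come back undefined; if the original 30 was sized to the field count, 32 is the matching value. The same `":" x 31` appears in the `print_table_entry` and `test_sanity` hunks below and would need the same adjustment.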
+@@ -1181,6 +1185,8 @@ my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib];
+ my $ar = $ENV{'AR'} || "ar";
+ my $arflags = $fields[$idx_arflags];
+ my $multilib = $fields[$idx_multilib];
++my $chacha_obj = $fields[$idx_chacha_obj];
++my $poly1305_obj = $fields[$idx_poly1305_obj];
+
+ # if $prefix/lib$multilib is not an existing directory, then
+ # assume that it's not searched by linker automatically, in
+@@ -1477,6 +1483,8 @@ $des_obj=$des_enc unless ($des_obj =~ /\.o$/);
+ $bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/);
+ $cast_obj=$cast_enc unless ($cast_obj =~ /\.o$/);
+ $rc4_obj=$rc4_enc unless ($rc4_obj =~ /\.o$/);
++$chacha_obj=$chacha_enc unless ($chacha_obj =~ /\.o$/);
++$poly1305_obj=$poly1305 unless ($poly1305_obj =~ /\.o$/);
+ $rc5_obj=$rc5_enc unless ($rc5_obj =~ /\.o$/);
+ if ($sha1_obj =~ /\.o$/)
+ {
+@@ -1637,6 +1645,8 @@ while (<IN>)
+ s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
+ s/^CAST_ENC=.*$/CAST_ENC= $cast_obj/;
+ s/^RC4_ENC=.*$/RC4_ENC= $rc4_obj/;
++ s/^CHACHA_ENC=.*$/CHACHA_ENC= $chacha_obj/;
++ s/^POLY1305=.*$/POLY1305= $poly1305_obj/;
+ s/^RC5_ENC=.*$/RC5_ENC= $rc5_obj/;
+ s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/;
+ s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/;
+@@ -1698,6 +1708,8 @@ print "AES_ENC =$aes_obj\n";
+ print "BF_ENC =$bf_obj\n";
+ print "CAST_ENC =$cast_obj\n";
+ print "RC4_ENC =$rc4_obj\n";
++print "CHACHA_ENC =$chacha_obj\n";
++print "POLY1305 =$poly1305_obj\n";
+ print "RC5_ENC =$rc5_obj\n";
+ print "MD5_OBJ_ASM =$md5_obj\n";
+ print "SHA1_OBJ_ASM =$sha1_obj\n";
+@@ -2096,11 +2108,11 @@ sub print_table_entry
+
+ (my $cc,my $cflags,my $unistd,my $thread_cflag,my $sys_id,my $lflags,
+ my $bn_ops,my $cpuid_obj,my $bn_obj,my $des_obj,my $aes_obj, my $bf_obj,
+- my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
+- my $rc5_obj,my $wp_obj,my $cmll_obj,my $modes_obj, my $engines_obj,
++ my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $chacha_obj,my $poly1305_obj,
++ my $rmd160_obj, my $rc5_obj,my $wp_obj,my $cmll_obj,my $modes_obj, my $engines_obj,
+ my $perlasm_scheme,my $dso_scheme,my $shared_target,my $shared_cflag,
+ my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags,my $multilib)=
+- split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
++ split(/\s*:\s*/,$table{$target} . ":" x 31 , -1);
+
+ print <<EOF
+
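Review bot: The positional `my (...)` list in `print_table_entry` reads `$chacha_obj` and `$poly1305_obj` from the two slots right after `$rc4_obj`, but `$idx_chacha_obj` and `$idx_poly1305_obj` are allocated after `$idx_engines_obj` and the table strings place `chacha_vec.o:poly1305_vec.o` after the modes/engines fields, so here `$chacha_obj` receives the rmd160 value, `$poly1305_obj` the rc5 value, and everything from `$rmd160_obj` through `$engines_obj` is shifted by two. Move the two new names to follow `$engines_obj`: `my $rmd160_obj,my $rc5_obj,my $wp_obj,my $cmll_obj,my $modes_obj, my $engines_obj,` then `my $chacha_obj,my $poly1305_obj,` immediately before `my $perlasm_scheme,`. `print_table_entry` continues outside the hunk.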
+@@ -2121,6 +2133,8 @@ sub print_table_entry
+ \$sha1_obj = $sha1_obj
+ \$cast_obj = $cast_obj
+ \$rc4_obj = $rc4_obj
++\$chacha_obj = $chacha_obj
++\$poly1305_obj = $poly1305_obj
+ \$rmd160_obj = $rmd160_obj
+ \$rc5_obj = $rc5_obj
+ \$wp_obj = $wp_obj
+@@ -2150,7 +2164,7 @@ sub test_sanity
+
+ foreach $target (sort keys %table)
+ {
+- @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
++ @fields = split(/\s*:\s*/,$table{$target} . ":" x 31 , -1);
+
+ if ($fields[$idx_dso_scheme-1] =~ /^(beos|dl|dlfcn|win32|vms)$/)
+ {
+diff --git a/Makefile.org b/Makefile.org
+index 2db31ea..919466d 100644
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -94,6 +94,8 @@ BF_ENC= bf_enc.o
+ CAST_ENC= c_enc.o
+ RC4_ENC= rc4_enc.o
+ RC5_ENC= rc5_enc.o
++CHACHA_ENC= chacha_enc.o
++POLY1305= poly1305.o
+ MD5_ASM_OBJ=
+ SHA1_ASM_OBJ=
+ RMD160_ASM_OBJ=
+@@ -147,7 +149,7 @@ SDIRS= \
+ bn ec rsa dsa ecdsa dh ecdh dso engine \
+ buffer bio stack lhash rand err \
+ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
+- cms pqueue ts jpake srp store cmac
++ cms pqueue ts jpake srp store cmac poly1305 chacha
+ # keep in mind that the above list is adjusted by ./Configure
+ # according to no-xxx arguments...
+
+@@ -232,6 +234,8 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
+ WP_ASM_OBJ='$(WP_ASM_OBJ)' \
+ MODES_ASM_OBJ='$(MODES_ASM_OBJ)' \
+ ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)' \
++ CHACHA_ENC='$(CHACHA_ENC)' \
++ POLY1305='$(POLY1305)' \
+ PERLASM_SCHEME='$(PERLASM_SCHEME)' \
+ FIPSLIBDIR='${FIPSLIBDIR}' \
+ FIPSDIR='${FIPSDIR}' \
+diff --git a/crypto/chacha/Makefile b/crypto/chacha/Makefile
+new file mode 100644
+index 0000000..289933b
+--- /dev/null
++++ b/crypto/chacha/Makefile
+@@ -0,0 +1,80 @@
++#
++# OpenSSL/crypto/chacha/Makefile
++#
++
++DIR= chacha
++TOP= ../..
++CC= cc
++CPP= $(CC) -E
++INCLUDES=
++CFLAG=-g
++AR= ar r
++
++CFLAGS= $(INCLUDES) $(CFLAG)
++ASFLAGS= $(INCLUDES) $(ASFLAG)
++AFLAGS= $(ASFLAGS)
++
++CHACHA_ENC=chacha_enc.o
++
++GENERAL=Makefile
++TEST=chachatest.o
++APPS=
++
++LIB=$(TOP)/libcrypto.a
++LIBSRC=
++LIBOBJ=$(CHACHA_ENC)
++
++SRC= $(LIBSRC)
++
++EXHEADER=chacha.h
++HEADER= $(EXHEADER)
++
++ALL= $(GENERAL) $(SRC) $(HEADER)
++
++top:
++ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
++
++all: lib
++
++lib: $(LIBOBJ)
++ $(AR) $(LIB) $(LIBOBJ)
++ $(RANLIB) $(LIB) || echo Never mind.
++ @touch lib
++
++files:
++ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
++
++links:
++ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
++ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
++ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
++
++install:
++ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
++ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
++ do \
++ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
++ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
++ done;
++
++tags:
++ ctags $(SRC)
++
++tests:
++
++lint:
++ lint -DLINT $(INCLUDES) $(SRC)>fluff
++
++depend:
++ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
++ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
++
++dclean:
++ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
++ mv -f Makefile.new $(MAKEFILE)
++
++clean:
++ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
++
++# DO NOT DELETE THIS LINE -- make depend depends on it.
++
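Review bot: `LIBSRC=` is left empty while `LIBOBJ=$(CHACHA_ENC)` names an object, so the `depend`, `tags`, `lint` and `files` targets (all driven by `$(SRC)`/`$(LIBSRC)`) see no sources and `make depend` will not generate dependencies for this directory. The sibling objects suggest `LIBSRC=chacha_enc.c chacha_vec.c`, matching what `CHACHA_ENC` can be set to by `Configure`. The `tests:` target is also empty even though `TEST=chachatest.o` is declared; presumably the top-level test Makefile runs it, but a comment saying so would avoid the question.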
+diff --git a/crypto/chacha/chacha.h b/crypto/chacha/chacha.h
+new file mode 100644
+index 0000000..d56519d
+--- /dev/null
++++ b/crypto/chacha/chacha.h
+@@ -0,0 +1,85 @@
++/*
++ * Chacha stream algorithm.
++ *
++ * Created on: Jun, 2013
++ * Author: Elie Bursztein (elieb@google.com)
++ *
++ * Adapted from the estream code by D. Bernstein.
++ */
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++#ifndef HEADER_CHACHA_H
++#define HEADER_CHACHA_H
++
++#include <openssl/opensslconf.h>
++
++#if defined(OPENSSL_NO_CHACHA)
++#error ChaCha support is disabled.
++#endif
++
++#include <stddef.h>
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++/* CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and
++ * nonce and writes the result to |out|, which may be equal to |in|. The
++ * initial block counter is specified by |counter|. */
++void CRYPTO_chacha_20(unsigned char *out,
++ const unsigned char *in, size_t in_len,
++ const unsigned char key[32],
++ const unsigned char nonce[8],
++ size_t counter);
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif
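Review bot: The `CRYPTO_chacha_20` comment should state the contract a caller must keep to stay secure, which the rest of this patch relies on but the header does not say: that a `(key, nonce)` pair must never be reused for different data, that `nonce` is 8 bytes (the original 64-bit ChaCha nonce, not the 96-bit variant), and that `counter` is a 64-bit block index that advances once per 64 output bytes. Something like `/* |nonce| is 8 bytes and must never repeat under the same |key|; |counter| is the index of the first 64-byte block and is incremented per block. */` after the existing sentence would do. Since `counter` is a `size_t`, the upper 32 bits are only meaningful on 64-bit targets; worth saying explicitly.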
+diff --git a/crypto/chacha/chacha_enc.c b/crypto/chacha/chacha_enc.c
+new file mode 100644
+index 0000000..54d1ca3
+--- /dev/null
++++ b/crypto/chacha/chacha_enc.c
+@@ -0,0 +1,167 @@
++/*
++ * Chacha stream algorithm.
++ *
++ * Created on: Jun, 2013
++ * Author: Elie Bursztein (elieb@google.com)
++ *
++ * Adapted from the estream code by D. Bernstein.
++ */
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdint.h>
++#include <string.h>
++#include <openssl/opensslconf.h>
++
++#if !defined(OPENSSL_NO_CHACHA)
++
++#include <openssl/chacha.h>
++
++/* sigma contains the ChaCha constants, which happen to be an ASCII string. */
++static const char sigma[16] = "expand 32-byte k";
++
++#define ROTATE(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
++#define XOR(v, w) ((v) ^ (w))
++#define PLUS(x, y) ((x) + (y))
++#define PLUSONE(v) (PLUS((v), 1))
++
++#define U32TO8_LITTLE(p, v) \
++ { (p)[0] = (v >> 0) & 0xff; (p)[1] = (v >> 8) & 0xff; \
++ (p)[2] = (v >> 16) & 0xff; (p)[3] = (v >> 24) & 0xff; }
++#define U8TO32_LITTLE(p) \
++ (((uint32_t)((p)[0]) ) | ((uint32_t)((p)[1]) << 8) | \
++ ((uint32_t)((p)[2]) << 16) | ((uint32_t)((p)[3]) << 24) )
++
++/* QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. */
++#define QUARTERROUND(a,b,c,d) \
++ x[a] = PLUS(x[a],x[b]); x[d] = ROTATE(XOR(x[d],x[a]),16); \
++ x[c] = PLUS(x[c],x[d]); x[b] = ROTATE(XOR(x[b],x[c]),12); \
++ x[a] = PLUS(x[a],x[b]); x[d] = ROTATE(XOR(x[d],x[a]), 8); \
++ x[c] = PLUS(x[c],x[d]); x[b] = ROTATE(XOR(x[b],x[c]), 7);
++
++typedef unsigned int uint32_t;
++
++/* chacha_core performs |num_rounds| rounds of ChaCha20 on the input words in
++ * |input| and writes the 64 output bytes to |output|. */
++static void chacha_core(unsigned char output[64], const uint32_t input[16],
++ int num_rounds)
++ {
++ uint32_t x[16];
++ int i;
++
++ memcpy(x, input, sizeof(uint32_t) * 16);
++ for (i = 20; i > 0; i -= 2)
++ {
++ QUARTERROUND( 0, 4, 8,12)
++ QUARTERROUND( 1, 5, 9,13)
++ QUARTERROUND( 2, 6,10,14)
++ QUARTERROUND( 3, 7,11,15)
++ QUARTERROUND( 0, 5,10,15)
++ QUARTERROUND( 1, 6,11,12)
++ QUARTERROUND( 2, 7, 8,13)
++ QUARTERROUND( 3, 4, 9,14)
++ }
++
++ for (i = 0; i < 16; ++i)
++ x[i] = PLUS(x[i], input[i]);
++ for (i = 0; i < 16; ++i)
++ U32TO8_LITTLE(output + 4 * i, x[i]);
++ }
++
++void CRYPTO_chacha_20(unsigned char *out,
++ const unsigned char *in, size_t in_len,
++ const unsigned char key[32],
++ const unsigned char nonce[8],
++ size_t counter)
++ {
++ uint32_t input[16];
++ unsigned char buf[64];
++ size_t todo, i;
++
++ input[0] = U8TO32_LITTLE(sigma + 0);
++ input[1] = U8TO32_LITTLE(sigma + 4);
++ input[2] = U8TO32_LITTLE(sigma + 8);
++ input[3] = U8TO32_LITTLE(sigma + 12);
++
++ input[4] = U8TO32_LITTLE(key + 0);
++ input[5] = U8TO32_LITTLE(key + 4);
++ input[6] = U8TO32_LITTLE(key + 8);
++ input[7] = U8TO32_LITTLE(key + 12);
++
++ input[8] = U8TO32_LITTLE(key + 16);
++ input[9] = U8TO32_LITTLE(key + 20);
++ input[10] = U8TO32_LITTLE(key + 24);
++ input[11] = U8TO32_LITTLE(key + 28);
++
++ input[12] = counter;
++ input[13] = ((uint64_t) counter) >> 32;
++ input[14] = U8TO32_LITTLE(nonce + 0);
++ input[15] = U8TO32_LITTLE(nonce + 4);
++
++ while (in_len > 0)
++ {
++ todo = sizeof(buf);
++ if (in_len < todo)
++ todo = in_len;
++
++ chacha_core(buf, input, 20);
++ for (i = 0; i < todo; i++)
++ out[i] = in[i] ^ buf[i];
++
++ out += todo;
++ in += todo;
++ in_len -= todo;
++
++ input[12]++;
++ if (input[12] == 0)
++ input[13]++;
++ }
++ }
++
++#endif /* !OPENSSL_NO_CHACHA */
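Review bot: `chacha_core` ignores its `num_rounds` parameter — the loop `for (i = 20; i > 0; i -= 2)` hard-codes 20, so the `20` passed from `CRYPTO_chacha_20` is dead and any other value would silently still run 20 rounds; change it to `for (i = num_rounds; i > 0; i -= 2)` or drop the parameter. The `typedef unsigned int uint32_t;` following `#include <stdint.h>` redeclares a standard typedef (an error under C99 and redundant under C11, and the file already relies on `<stdint.h>` for `uint64_t`), so it should be removed. `U32TO8_LITTLE` leaves `v` unparenthesised and expands to a bare brace block rather than `do { ... } while (0)`; harmless at the single call site but fragile. The expanded key state in `input` and the keystream block in `buf` stay on the stack after return; an `OPENSSL_cleanse` of both before returning would match how the library treats other key material.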
+diff --git a/crypto/chacha/chacha_vec.c b/crypto/chacha/chacha_vec.c
+new file mode 100644
+index 0000000..33b2238
+--- /dev/null
++++ b/crypto/chacha/chacha_vec.c
+@@ -0,0 +1,345 @@
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++/* This implementation is by Ted Krovetz and was submitted to SUPERCOP and
++ * marked as public domain. It was been altered to allow for non-aligned inputs
++ * and to allow the block counter to be passed in specifically. */
++
++#include <string.h>
++#include <stdint.h>
++#include <openssl/opensslconf.h>
++
++#if !defined(OPENSSL_NO_CHACHA)
++
++#include <openssl/chacha.h>
++
++#ifndef CHACHA_RNDS
++#define CHACHA_RNDS 20 /* 8 (high speed), 20 (conservative), 12 (middle) */
++#endif
++
++/* Architecture-neutral way to specify 16-byte vector of ints */
++typedef unsigned vec __attribute__ ((vector_size (16)));
++
++/* This implementation is designed for Neon, SSE and AltiVec machines. The
++ * following specify how to do certain vector operations efficiently on
++ * each architecture, using intrinsics.
++ * This implementation supports parallel processing of multiple blocks,
++ * including potentially using general-purpose registers.
++ */
++#if __ARM_NEON__
++#include <arm_neon.h>
++#define GPR_TOO 1
++#define VBPI 2
++#define ONE (vec)vsetq_lane_u32(1,vdupq_n_u32(0),0)
++#define LOAD(m) (vec)(*((vec*)(m)))
++#define STORE(m,r) (*((vec*)(m))) = (r)
++#define ROTV1(x) (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,1)
++#define ROTV2(x) (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,2)
++#define ROTV3(x) (vec)vextq_u32((uint32x4_t)x,(uint32x4_t)x,3)
++#define ROTW16(x) (vec)vrev32q_u16((uint16x8_t)x)
++#if __clang__
++#define ROTW7(x) (x << ((vec){ 7, 7, 7, 7})) ^ (x >> ((vec){25,25,25,25}))
++#define ROTW8(x) (x << ((vec){ 8, 8, 8, 8})) ^ (x >> ((vec){24,24,24,24}))
++#define ROTW12(x) (x << ((vec){12,12,12,12})) ^ (x >> ((vec){20,20,20,20}))
++#else
++#define ROTW7(x) (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,7),(uint32x4_t)x,25)
++#define ROTW8(x) (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,8),(uint32x4_t)x,24)
++#define ROTW12(x) (vec)vsriq_n_u32(vshlq_n_u32((uint32x4_t)x,12),(uint32x4_t)x,20)
++#endif
++#elif __SSE2__
++#include <emmintrin.h>
++#define GPR_TOO 0
++#if __clang__
++#define VBPI 4
++#else
++#define VBPI 3
++#endif
++#define ONE (vec)_mm_set_epi32(0,0,0,1)
++#define LOAD(m) (vec)_mm_loadu_si128((__m128i*)(m))
++#define STORE(m,r) _mm_storeu_si128((__m128i*)(m), (__m128i) (r))
++#define ROTV1(x) (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(0,3,2,1))
++#define ROTV2(x) (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(1,0,3,2))
++#define ROTV3(x) (vec)_mm_shuffle_epi32((__m128i)x,_MM_SHUFFLE(2,1,0,3))
++#define ROTW7(x) (vec)(_mm_slli_epi32((__m128i)x, 7) ^ _mm_srli_epi32((__m128i)x,25))
++#define ROTW12(x) (vec)(_mm_slli_epi32((__m128i)x,12) ^ _mm_srli_epi32((__m128i)x,20))
++#if __SSSE3__
++#include <tmmintrin.h>
++#define ROTW8(x) (vec)_mm_shuffle_epi8((__m128i)x,_mm_set_epi8(14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3))
++#define ROTW16(x) (vec)_mm_shuffle_epi8((__m128i)x,_mm_set_epi8(13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2))
++#else
++#define ROTW8(x) (vec)(_mm_slli_epi32((__m128i)x, 8) ^ _mm_srli_epi32((__m128i)x,24))
++#define ROTW16(x) (vec)(_mm_slli_epi32((__m128i)x,16) ^ _mm_srli_epi32((__m128i)x,16))
++#endif
++#else
++#error -- Implementation supports only machines with neon or SSE2
++#endif
++
++#ifndef REVV_BE
++#define REVV_BE(x) (x)
++#endif
++
++#ifndef REVW_BE
++#define REVW_BE(x) (x)
++#endif
++
++#define BPI (VBPI + GPR_TOO) /* Blocks computed per loop iteration */
++
++#define DQROUND_VECTORS(a,b,c,d) \
++ a += b; d ^= a; d = ROTW16(d); \
++ c += d; b ^= c; b = ROTW12(b); \
++ a += b; d ^= a; d = ROTW8(d); \
++ c += d; b ^= c; b = ROTW7(b); \
++ b = ROTV1(b); c = ROTV2(c); d = ROTV3(d); \
++ a += b; d ^= a; d = ROTW16(d); \
++ c += d; b ^= c; b = ROTW12(b); \
++ a += b; d ^= a; d = ROTW8(d); \
++ c += d; b ^= c; b = ROTW7(b); \
++ b = ROTV3(b); c = ROTV2(c); d = ROTV1(d);
++
++#define QROUND_WORDS(a,b,c,d) \
++ a = a+b; d ^= a; d = d<<16 | d>>16; \
++ c = c+d; b ^= c; b = b<<12 | b>>20; \
++ a = a+b; d ^= a; d = d<< 8 | d>>24; \
++ c = c+d; b ^= c; b = b<< 7 | b>>25;
++
++#define WRITE_XOR(in, op, d, v0, v1, v2, v3) \
++ STORE(op + d + 0, LOAD(in + d + 0) ^ REVV_BE(v0)); \
++ STORE(op + d + 4, LOAD(in + d + 4) ^ REVV_BE(v1)); \
++ STORE(op + d + 8, LOAD(in + d + 8) ^ REVV_BE(v2)); \
++ STORE(op + d +12, LOAD(in + d +12) ^ REVV_BE(v3));
++
++void CRYPTO_chacha_20(
++ unsigned char *out,
++ const unsigned char *in,
++ size_t inlen,
++ const unsigned char key[32],
++ const unsigned char nonce[8],
++ size_t counter)
++ {
++ unsigned iters, i, *op=(unsigned *)out, *ip=(unsigned *)in, *kp;
++#if defined(__ARM_NEON__)
++ unsigned *np;
++#endif
++ vec s0, s1, s2, s3;
++#if !defined(__ARM_NEON__) && !defined(__SSE2__)
++ __attribute__ ((aligned (16))) unsigned key[8], nonce[4];
++#endif
++ __attribute__ ((aligned (16))) unsigned chacha_const[] =
++ {0x61707865,0x3320646E,0x79622D32,0x6B206574};
++#if defined(__ARM_NEON__) || defined(__SSE2__)
++ kp = (unsigned *)key;
++#else
++ ((vec *)key)[0] = REVV_BE(((vec *)key)[0]);
++ ((vec *)key)[1] = REVV_BE(((vec *)key)[1]);
++ nonce[0] = REVW_BE(((unsigned *)nonce)[0]);
++ nonce[1] = REVW_BE(((unsigned *)nonce)[1]);
++ nonce[2] = REVW_BE(((unsigned *)nonce)[2]);
++ nonce[3] = REVW_BE(((unsigned *)nonce)[3]);
++ kp = (unsigned *)key;
++ np = (unsigned *)nonce;
++#endif
++#if defined(__ARM_NEON__)
++ np = (unsigned*) nonce;
++#endif
++ s0 = LOAD(chacha_const);
++ s1 = LOAD(&((vec*)kp)[0]);
++ s2 = LOAD(&((vec*)kp)[1]);
++ s3 = (vec){
++ counter & 0xffffffff,
++#if __ARM_NEON__
++ 0, /* can't right-shift 32 bits on a 32-bit system. */
++#else
++ counter >> 32,
++#endif
++ ((uint32_t*)nonce)[0],
++ ((uint32_t*)nonce)[1]
++ };
++
++ for (iters = 0; iters < inlen/(BPI*64); iters++)
++ {
++#if GPR_TOO
++ register unsigned x0, x1, x2, x3, x4, x5, x6, x7, x8,
++ x9, x10, x11, x12, x13, x14, x15;
++#endif
++#if VBPI > 2
++ vec v8,v9,v10,v11;
++#endif
++#if VBPI > 3
++ vec v12,v13,v14,v15;
++#endif
++
++ vec v0,v1,v2,v3,v4,v5,v6,v7;
++ v4 = v0 = s0; v5 = v1 = s1; v6 = v2 = s2; v3 = s3;
++ v7 = v3 + ONE;
++#if VBPI > 2
++ v8 = v4; v9 = v5; v10 = v6;
++ v11 = v7 + ONE;
++#endif
++#if VBPI > 3
++ v12 = v8; v13 = v9; v14 = v10;
++ v15 = v11 + ONE;
++#endif
++#if GPR_TOO
++ x0 = chacha_const[0]; x1 = chacha_const[1];
++ x2 = chacha_const[2]; x3 = chacha_const[3];
++ x4 = kp[0]; x5 = kp[1]; x6 = kp[2]; x7 = kp[3];
++ x8 = kp[4]; x9 = kp[5]; x10 = kp[6]; x11 = kp[7];
++ x12 = counter+BPI*iters+(BPI-1); x13 = 0;
++ x14 = np[0]; x15 = np[1];
++#endif
++ for (i = CHACHA_RNDS/2; i; i--)
++ {
++ DQROUND_VECTORS(v0,v1,v2,v3)
++ DQROUND_VECTORS(v4,v5,v6,v7)
++#if VBPI > 2
++ DQROUND_VECTORS(v8,v9,v10,v11)
++#endif
++#if VBPI > 3
++ DQROUND_VECTORS(v12,v13,v14,v15)
++#endif
++#if GPR_TOO
++ QROUND_WORDS( x0, x4, x8,x12)
++ QROUND_WORDS( x1, x5, x9,x13)
++ QROUND_WORDS( x2, x6,x10,x14)
++ QROUND_WORDS( x3, x7,x11,x15)
++ QROUND_WORDS( x0, x5,x10,x15)
++ QROUND_WORDS( x1, x6,x11,x12)
++ QROUND_WORDS( x2, x7, x8,x13)
++ QROUND_WORDS( x3, x4, x9,x14)
++#endif
++ }
++
++ WRITE_XOR(ip, op, 0, v0+s0, v1+s1, v2+s2, v3+s3)
++ s3 += ONE;
++ WRITE_XOR(ip, op, 16, v4+s0, v5+s1, v6+s2, v7+s3)
++ s3 += ONE;
++#if VBPI > 2
++ WRITE_XOR(ip, op, 32, v8+s0, v9+s1, v10+s2, v11+s3)
++ s3 += ONE;
++#endif
++#if VBPI > 3
++ WRITE_XOR(ip, op, 48, v12+s0, v13+s1, v14+s2, v15+s3)
++ s3 += ONE;
++#endif
++ ip += VBPI*16;
++ op += VBPI*16;
++#if GPR_TOO
++ op[0] = REVW_BE(REVW_BE(ip[0]) ^ (x0 + chacha_const[0]));
++ op[1] = REVW_BE(REVW_BE(ip[1]) ^ (x1 + chacha_const[1]));
++ op[2] = REVW_BE(REVW_BE(ip[2]) ^ (x2 + chacha_const[2]));
++ op[3] = REVW_BE(REVW_BE(ip[3]) ^ (x3 + chacha_const[3]));
++ op[4] = REVW_BE(REVW_BE(ip[4]) ^ (x4 + kp[0]));
++ op[5] = REVW_BE(REVW_BE(ip[5]) ^ (x5 + kp[1]));
++ op[6] = REVW_BE(REVW_BE(ip[6]) ^ (x6 + kp[2]));
++ op[7] = REVW_BE(REVW_BE(ip[7]) ^ (x7 + kp[3]));
++ op[8] = REVW_BE(REVW_BE(ip[8]) ^ (x8 + kp[4]));
++ op[9] = REVW_BE(REVW_BE(ip[9]) ^ (x9 + kp[5]));
++ op[10] = REVW_BE(REVW_BE(ip[10]) ^ (x10 + kp[6]));
++ op[11] = REVW_BE(REVW_BE(ip[11]) ^ (x11 + kp[7]));
++ op[12] = REVW_BE(REVW_BE(ip[12]) ^ (x12 + counter+BPI*iters+(BPI-1)));
++ op[13] = REVW_BE(REVW_BE(ip[13]) ^ (x13));
++ op[14] = REVW_BE(REVW_BE(ip[14]) ^ (x14 + np[0]));
++ op[15] = REVW_BE(REVW_BE(ip[15]) ^ (x15 + np[1]));
++ s3 += ONE;
++ ip += 16;
++ op += 16;
++#endif
++ }
++
++ for (iters = inlen%(BPI*64)/64; iters != 0; iters--)
++ {
++ vec v0 = s0, v1 = s1, v2 = s2, v3 = s3;
++ for (i = CHACHA_RNDS/2; i; i--)
++ {
++ DQROUND_VECTORS(v0,v1,v2,v3);
++ }
++ WRITE_XOR(ip, op, 0, v0+s0, v1+s1, v2+s2, v3+s3)
++ s3 += ONE;
++ ip += 16;
++ op += 16;
++ }
++
++ inlen = inlen % 64;
++ if (inlen)
++ {
++ __attribute__ ((aligned (16))) vec buf[4];
++ vec v0,v1,v2,v3;
++ v0 = s0; v1 = s1; v2 = s2; v3 = s3;
++ for (i = CHACHA_RNDS/2; i; i--)
++ {
++ DQROUND_VECTORS(v0,v1,v2,v3);
++ }
++
++ if (inlen >= 16)
++ {
++ STORE(op + 0, LOAD(ip + 0) ^ REVV_BE(v0 + s0));
++ if (inlen >= 32)
++ {
++ STORE(op + 4, LOAD(ip + 4) ^ REVV_BE(v1 + s1));
++ if (inlen >= 48)
++ {
++ STORE(op + 8, LOAD(ip + 8) ^
++ REVV_BE(v2 + s2));
++ buf[3] = REVV_BE(v3 + s3);
++ }
++ else
++ buf[2] = REVV_BE(v2 + s2);
++ }
++ else
++ buf[1] = REVV_BE(v1 + s1);
++ }
++ else
++ buf[0] = REVV_BE(v0 + s0);
++
++ for (i=inlen & ~15; i<inlen; i++)
++ ((char *)op)[i] = ((char *)ip)[i] ^ ((char *)buf)[i];
++ }
++ }
++
++#endif /* !OPENSSL_NO_CHACHA */
+diff --git a/crypto/chacha/chachatest.c b/crypto/chacha/chachatest.c
+new file mode 100644
+index 0000000..b2a9389
+--- /dev/null
++++ b/crypto/chacha/chachatest.c
+@@ -0,0 +1,211 @@
++/*
++ * Chacha stream algorithm.
++ *
++ * Created on: Jun, 2013
++ * Author: Elie Bursztein (elieb@google.com)
++ *
++ * Adapted from the estream code by D. Bernstein.
++ */
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <stdint.h>
++
++#include <openssl/chacha.h>
++
++struct chacha_test {
++ const char *keyhex;
++ const char *noncehex;
++ const char *outhex;
++};
++
++static const struct chacha_test chacha_tests[] = {
++ {
++ "0000000000000000000000000000000000000000000000000000000000000000",
++ "0000000000000000",
++ "76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586",
++ },
++ {
++ "0000000000000000000000000000000000000000000000000000000000000001",
++ "0000000000000000",
++ "4540f05a9f1fb296d7736e7b208e3c96eb4fe1834688d2604f450952ed432d41bbe2a0b6ea7566d2a5d1e7e20d42af2c53d792b1c43fea817e9ad275ae546963",
++ },
++ {
++ "0000000000000000000000000000000000000000000000000000000000000000",
++ "0000000000000001",
++ "de9cba7bf3d69ef5e786dc63973f653a0b49e015adbff7134fcb7df137821031e85a050278a7084527214f73efc7fa5b5277062eb7a0433e445f41e31afab757",
++ },
++ {
++ "0000000000000000000000000000000000000000000000000000000000000000",
++ "0100000000000000",
++ "ef3fdfd6c61578fbf5cf35bd3dd33b8009631634d21e42ac33960bd138e50d32111e4caf237ee53ca8ad6426194a88545ddc497a0b466e7d6bbdb0041b2f586b",
++ },
++ {
++ "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
++ "0001020304050607",
++ "f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb",
++ },
++};
++
++static unsigned char hex_digit(char h)
++ {
++ if (h >= '0' && h <= '9')
++ return h - '0';
++ else if (h >= 'a' && h <= 'f')
++ return h - 'a' + 10;
++ else if (h >= 'A' && h <= 'F')
++ return h - 'A' + 10;
++ else
++ abort();
++ }
++
++static void hex_decode(unsigned char *out, const char* hex)
++ {
++ size_t j = 0;
++
++ while (*hex != 0)
++ {
++ unsigned char v = hex_digit(*hex++);
++ v <<= 4;
++ v |= hex_digit(*hex++);
++ out[j++] = v;
++ }
++ }
++
++static void hexdump(unsigned char *a, size_t len)
++ {
++ size_t i;
++
++ for (i = 0; i < len; i++)
++ printf("%02x", a[i]);
++ }
++
++/* misalign returns a pointer that points 0 to 15 bytes into |in| such that the
++ * returned pointer has alignment 1 mod 16. */
++static void* misalign(void* in)
++ {
++ intptr_t x = (intptr_t) in;
++ x += (17 - (x % 16)) % 16;
++ return (void*) x;
++ }
++
++int main()
++ {
++ static const unsigned num_tests =
++ sizeof(chacha_tests) / sizeof(struct chacha_test);
++ unsigned i;
++ unsigned char key_bytes[32 + 16];
++ unsigned char nonce_bytes[8 + 16] = {0};
++
++ unsigned char *key = misalign(key_bytes);
++ unsigned char *nonce = misalign(nonce_bytes);
++
++ for (i = 0; i < num_tests; i++)
++ {
++ const struct chacha_test *test = &chacha_tests[i];
++ unsigned char *expected, *out_bytes, *zero_bytes, *out, *zeros;
++ size_t len = strlen(test->outhex);
++
++ if (strlen(test->keyhex) != 32*2 ||
++ strlen(test->noncehex) != 8*2 ||
++ (len & 1) == 1)
++ return 1;
++
++ len /= 2;
++
++ hex_decode(key, test->keyhex);
++ hex_decode(nonce, test->noncehex);
++
++ expected = malloc(len);
++ out_bytes = malloc(len+16);
++ zero_bytes = malloc(len+16);
++ /* Attempt to test unaligned inputs. */
++ out = misalign(out_bytes);
++ zeros = misalign(zero_bytes);
++ memset(zeros, 0, len);
++
++ hex_decode(expected, test->outhex);
++ CRYPTO_chacha_20(out, zeros, len, key, nonce, 0);
++
++ if (memcmp(out, expected, len) != 0)
++ {
++ printf("ChaCha20 test #%d failed.\n", i);
++ printf("got: ");
++ hexdump(out, len);
++ printf("\nexpected: ");
++ hexdump(expected, len);
++ printf("\n");
++ return 1;
++ }
++
++ /* The last test has a large output. We test whether the
++ * counter works as expected by skipping the first 64 bytes of
++ * it. */
++ if (i == num_tests - 1)
++ {
++ CRYPTO_chacha_20(out, zeros, len - 64, key, nonce, 1);
++ if (memcmp(out, expected + 64, len - 64) != 0)
++ {
++ printf("ChaCha20 skip test failed.\n");
++ return 1;
++ }
++ }
++
++ free(expected);
++ free(zero_bytes);
++ free(out_bytes);
++ }
++
++
++ printf("PASS\n");
++ return 0;
++ }
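Review bot: The three `malloc` results at the top of the per-test loop (`expected`, `out_bytes`, `zero_bytes`) are handed to `misalign`, `memset` and `hex_decode` without a NULL check, so an allocation failure becomes a crash instead of a reported test failure; add `if (expected == NULL || out_bytes == NULL || zero_bytes == NULL) return 1;` directly after the allocations. The failure message `printf("ChaCha20 test #%d failed.\n", i)` passes the `unsigned` loop counter to `%d`; use `%u`. `int main()` is the only unprototyped declaration in the file — write it as `int main(void)`, and `hexdump` could take `const unsigned char *a` since it only reads the buffer.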
+diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile
+index b73038d..86b0504 100644
+--- a/crypto/evp/Makefile
++++ b/crypto/evp/Makefile
+@@ -29,7 +29,8 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c evp_cnf.c \
+ c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
+ evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
+ e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \
+- e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c evp_aead.c
++ e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c evp_aead.c \
++ e_chacha20poly1305.c
+
+ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
+ e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\
+@@ -42,7 +43,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
+ c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
+ evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
+ e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \
+- e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o evp_aead.o
++ e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o evp_aead.o e_chacha20poly1305.o
+
+ SRC= $(LIBSRC)
+
+@@ -239,6 +240,21 @@ e_cast.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+ e_cast.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ e_cast.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ e_cast.o: ../../include/openssl/symhacks.h ../cryptlib.h e_cast.c evp_locl.h
++e_chacha20poly1305.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++e_chacha20poly1305.o: ../../include/openssl/chacha.h
++e_chacha20poly1305.o: ../../include/openssl/crypto.h
++e_chacha20poly1305.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++e_chacha20poly1305.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
++e_chacha20poly1305.o: ../../include/openssl/obj_mac.h
++e_chacha20poly1305.o: ../../include/openssl/objects.h
++e_chacha20poly1305.o: ../../include/openssl/opensslconf.h
++e_chacha20poly1305.o: ../../include/openssl/opensslv.h
++e_chacha20poly1305.o: ../../include/openssl/ossl_typ.h
++e_chacha20poly1305.o: ../../include/openssl/poly1305.h
++e_chacha20poly1305.o: ../../include/openssl/safestack.h
++e_chacha20poly1305.o: ../../include/openssl/stack.h
++e_chacha20poly1305.o: ../../include/openssl/symhacks.h e_chacha20poly1305.c
++e_chacha20poly1305.o: evp_locl.h
+ e_des.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ e_des.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ e_des.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+@@ -258,9 +274,10 @@ e_des3.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+ e_des3.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ e_des3.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ e_des3.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+-e_des3.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+-e_des3.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+-e_des3.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des3.c evp_locl.h
++e_des3.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
++e_des3.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++e_des3.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
++e_des3.o: ../cryptlib.h e_des3.c evp_locl.h
+ e_idea.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ e_idea.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ e_idea.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+@@ -356,6 +373,14 @@ evp_acnf.o: ../../include/openssl/opensslconf.h
+ evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ evp_acnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ evp_acnf.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_acnf.c
++evp_aead.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++evp_aead.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++evp_aead.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++evp_aead.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
++evp_aead.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
++evp_aead.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++evp_aead.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
++evp_aead.o: ../../include/openssl/symhacks.h evp_aead.c
+ evp_cnf.o: ../../e_os.h ../../include/openssl/asn1.h
+ evp_cnf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+ evp_cnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+diff --git a/crypto/evp/e_chacha20poly1305.c b/crypto/evp/e_chacha20poly1305.c
+new file mode 100644
+index 0000000..1c0c0fb
+--- /dev/null
++++ b/crypto/evp/e_chacha20poly1305.c
+@@ -0,0 +1,267 @@
++/* ====================================================================
++ * Copyright (c) 2013 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#include <stdint.h>
++#include <string.h>
++#include <openssl/opensslconf.h>
++
++#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
++
++#include <openssl/chacha.h>
++#include <openssl/poly1305.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include "evp_locl.h"
++
++#define POLY1305_TAG_LEN 16
++#define CHACHA20_NONCE_LEN 8
++
++struct aead_chacha20_poly1305_ctx
++ {
++ unsigned char key[32];
++ unsigned char tag_len;
++ };
++
++static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len, size_t tag_len)
++ {
++ struct aead_chacha20_poly1305_ctx *c20_ctx;
++
++ if (tag_len == 0)
++ tag_len = POLY1305_TAG_LEN;
++
++ if (tag_len > POLY1305_TAG_LEN)
++ {
++ EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_INIT, EVP_R_TOO_LARGE);
++ return 0;
++ }
++
++ if (key_len != sizeof(c20_ctx->key))
++ return 0; /* internal error - EVP_AEAD_CTX_init should catch this. */
++
++ c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));
++ if (c20_ctx == NULL)
++ return 0;
++
++ memcpy(&c20_ctx->key[0], key, key_len);
++ c20_ctx->tag_len = tag_len;
++ ctx->aead_state = c20_ctx;
++
++ return 1;
++ }
++
++static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx)
++ {
++ struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
++ OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));
++ OPENSSL_free(c20_ctx);
++ }
++
++static void poly1305_update_with_length(poly1305_state *poly1305,
++ const unsigned char *data, size_t data_len)
++ {
++ size_t j = data_len;
++ unsigned char length_bytes[8];
++ unsigned i;
++
++ for (i = 0; i < sizeof(length_bytes); i++)
++ {
++ length_bytes[i] = j;
++ j >>= 8;
++ }
++
++ CRYPTO_poly1305_update(poly1305, data, data_len);
++ CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
++}
++
++#if __arm__
++#define ALIGNED __attribute__((aligned(16)))
++#else
++#define ALIGNED
++#endif
++
++static ssize_t aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len)
++ {
++ const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
++ unsigned char poly1305_key[32] ALIGNED;
++ poly1305_state poly1305;
++ const uint64_t in_len_64 = in_len;
++
++ /* The underlying ChaCha implementation may not overflow the block
++ * counter into the second counter word. Therefore we disallow
++ * individual operations that work on more than 2TB at a time.
++ * |in_len_64| is needed because, on 32-bit platforms, size_t is only
++ * 32-bits and this produces a warning because it's always false.
++ * Casting to uint64_t inside the conditional is not sufficient to stop
++ * the warning. */
++ if (in_len_64 >= (1ull << 32)*64-64)
++ {
++ EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_TOO_LARGE);
++ return -1;
++ }
++
++ if (max_out_len < in_len + c20_ctx->tag_len)
++ {
++ EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_BUFFER_TOO_SMALL);
++ return -1;
++ }
++
++ if (nonce_len != CHACHA20_NONCE_LEN)
++ {
++ EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_IV_TOO_LARGE);
++ return -1;
++ }
++
++ memset(poly1305_key, 0, sizeof(poly1305_key));
++ CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), c20_ctx->key, nonce, 0);
++
++ CRYPTO_poly1305_init(&poly1305, poly1305_key);
++ poly1305_update_with_length(&poly1305, ad, ad_len);
++ CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
++ poly1305_update_with_length(&poly1305, out, in_len);
++
++ if (c20_ctx->tag_len != POLY1305_TAG_LEN)
++ {
++ unsigned char tag[POLY1305_TAG_LEN];
++ CRYPTO_poly1305_finish(&poly1305, tag);
++ memcpy(out + in_len, tag, c20_ctx->tag_len);
++ return in_len + c20_ctx->tag_len;
++ }
++
++ CRYPTO_poly1305_finish(&poly1305, out + in_len);
++ return in_len + POLY1305_TAG_LEN;
++ }
++
++static ssize_t aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx,
++ unsigned char *out, size_t max_out_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *in, size_t in_len,
++ const unsigned char *ad, size_t ad_len)
++ {
++ const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
++ unsigned char mac[POLY1305_TAG_LEN];
++ unsigned char poly1305_key[32] ALIGNED;
++ size_t out_len;
++ poly1305_state poly1305;
++ const uint64_t in_len_64 = in_len;
++
++ if (in_len < c20_ctx->tag_len)
++ {
++ EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_BAD_DECRYPT);
++ return -1;
++ }
++
++ /* The underlying ChaCha implementation may not overflow the block
++ * counter into the second counter word. Therefore we disallow
++ * individual operations that work on more than 2TB at a time.
++ * |in_len_64| is needed because, on 32-bit platforms, size_t is only
++ * 32-bits and this produces a warning because it's always false.
++ * Casting to uint64_t inside the conditional is not sufficient to stop
++ * the warning. */
++ if (in_len_64 >= (1ull << 32)*64-64)
++ {
++ EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_TOO_LARGE);
++ return -1;
++ }
++
++ if (nonce_len != CHACHA20_NONCE_LEN)
++ {
++ EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_IV_TOO_LARGE);
++ return -1;
++ }
++
++ out_len = in_len - c20_ctx->tag_len;
++
++ if (max_out_len < out_len)
++ {
++ EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_BUFFER_TOO_SMALL);
++ return -1;
++ }
++
++ memset(poly1305_key, 0, sizeof(poly1305_key));
++ CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), c20_ctx->key, nonce, 0);
++
++ CRYPTO_poly1305_init(&poly1305, poly1305_key);
++ poly1305_update_with_length(&poly1305, ad, ad_len);
++ poly1305_update_with_length(&poly1305, in, out_len);
++ CRYPTO_poly1305_finish(&poly1305, mac);
++
++ if (CRYPTO_memcmp(mac, in + out_len, c20_ctx->tag_len) != 0)
++ {
++ EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_BAD_DECRYPT);
++ return -1;
++ }
++
++ CRYPTO_chacha_20(out, in, out_len, c20_ctx->key, nonce, 1);
++ return out_len;
++ }
++
++static const EVP_AEAD aead_chacha20_poly1305 =
++ {
++ 32, /* key len */
++ CHACHA20_NONCE_LEN, /* nonce len */
++ POLY1305_TAG_LEN, /* overhead */
++ POLY1305_TAG_LEN, /* max tag length */
++
++ aead_chacha20_poly1305_init,
++ aead_chacha20_poly1305_cleanup,
++ aead_chacha20_poly1305_seal,
++ aead_chacha20_poly1305_open,
++ };
++
++const EVP_AEAD *EVP_aead_chacha20_poly1305()
++ {
++ return &aead_chacha20_poly1305;
++ }
++
++#endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
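Review bot: In `aead_chacha20_poly1305_open`, the oversize-input check that follows the tag-length check raises `EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_TOO_LARGE)`, so a too-large ciphertext is attributed to the seal function in the error queue; it should be `EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_TOO_LARGE);`. Both `seal` and `open` derive the one-time Poly1305 key into the stack buffer `poly1305_key` and leave it there after `CRYPTO_poly1305_init`, whereas `aead_chacha20_poly1305_cleanup` takes care to `OPENSSL_cleanse` the long-term key; adding `OPENSSL_cleanse(poly1305_key, sizeof(poly1305_key));` after the init call in both functions would be consistent with that. The closing brace of `poly1305_update_with_length` is at column 0 while every other function body in the file is indented OpenSSL-style. The header hunk declares `EVP_aead_chacha20_poly1305(void)`, so the definition here should also read `const EVP_AEAD *EVP_aead_chacha20_poly1305(void)` rather than the unprototyped `()`.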
+diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
+index bd10642..7dc1656 100644
+--- a/crypto/evp/evp.h
++++ b/crypto/evp/evp.h
+@@ -1258,6 +1258,11 @@ typedef struct evp_aead_st EVP_AEAD;
+ const EVP_AEAD *EVP_aead_aes_128_gcm(void);
+ #endif
+
++#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
++/* EVP_aead_chacha20_poly1305 is ChaCha20 with a Poly1305 authenticator. */
++const EVP_AEAD *EVP_aead_chacha20_poly1305(void);
++#endif
++
+ /* EVP_AEAD_key_length returns the length, in bytes, of the keys used by
+ * |aead|. */
+ size_t EVP_AEAD_key_length(const EVP_AEAD *aead);
+@@ -1360,6 +1365,9 @@ void ERR_load_EVP_strings(void);
+ #define EVP_F_AEAD_AES_128_GCM_INIT 183
+ #define EVP_F_AEAD_AES_128_GCM_OPEN 181
+ #define EVP_F_AEAD_AES_128_GCM_SEAL 182
++#define EVP_F_AEAD_CHACHA20_POLY1305_INIT 187
++#define EVP_F_AEAD_CHACHA20_POLY1305_OPEN 184
++#define EVP_F_AEAD_CHACHA20_POLY1305_SEAL 183
+ #define EVP_F_AEAD_CTX_OPEN 185
+ #define EVP_F_AEAD_CTX_SEAL 186
+ #define EVP_F_AESNI_INIT_KEY 165
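Review bot: `EVP_F_AEAD_CHACHA20_POLY1305_SEAL` is given the value 183, which `EVP_F_AEAD_AES_128_GCM_INIT` already holds three lines above, so the two function codes are indistinguishable in the error queue and the table added in the crypto/evp/evp_err.c hunk ends up with two `ERR_FUNC(183)` entries, with whichever is found first winning the string lookup. The highest code visible in this block is 187 (the new `_INIT`), so the minimal fix is `#define EVP_F_AEAD_CHACHA20_POLY1305_SEAL 188`. These codes are normally produced by `util/mkerr.pl`; regenerating evp.h and evp_err.c with it rather than hand-assigning is preferable if the script is part of this tree.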
+diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
+index c47969c..fb747e5 100644
+--- a/crypto/evp/evp_err.c
++++ b/crypto/evp/evp_err.c
+@@ -73,6 +73,9 @@ static ERR_STRING_DATA EVP_str_functs[]=
+ {ERR_FUNC(EVP_F_AEAD_AES_128_GCM_INIT), "AEAD_AES_128_GCM_INIT"},
+ {ERR_FUNC(EVP_F_AEAD_AES_128_GCM_OPEN), "AEAD_AES_128_GCM_OPEN"},
+ {ERR_FUNC(EVP_F_AEAD_AES_128_GCM_SEAL), "AEAD_AES_128_GCM_SEAL"},
++{ERR_FUNC(EVP_F_AEAD_CHACHA20_POLY1305_INIT), "AEAD_CHACHA20_POLY1305_INIT"},
++{ERR_FUNC(EVP_F_AEAD_CHACHA20_POLY1305_OPEN), "AEAD_CHACHA20_POLY1305_OPEN"},
++{ERR_FUNC(EVP_F_AEAD_CHACHA20_POLY1305_SEAL), "AEAD_CHACHA20_POLY1305_SEAL"},
+ {ERR_FUNC(EVP_F_AEAD_CTX_OPEN), "AEAD_CTX_OPEN"},
+ {ERR_FUNC(EVP_F_AEAD_CTX_SEAL), "AEAD_CTX_SEAL"},
+ {ERR_FUNC(EVP_F_AESNI_INIT_KEY), "AESNI_INIT_KEY"},
+diff --git a/crypto/poly1305/Makefile b/crypto/poly1305/Makefile
+new file mode 100644
+index 0000000..397d7cd
+--- /dev/null
++++ b/crypto/poly1305/Makefile
+@@ -0,0 +1,81 @@
++#
++# OpenSSL/crypto/poly1305/Makefile
++#
++
++DIR= poly1305
++TOP= ../..
++CC= cc
++CPP= $(CC) -E
++INCLUDES=
++CFLAG=-g
++AR= ar r
++
++POLY1305=poly1305_vec.o
++
++CFLAGS= $(INCLUDES) $(CFLAG)
++ASFLAGS= $(INCLUDES) $(ASFLAG)
++AFLAGS= $(ASFLAGS)
++
++GENERAL=Makefile
++TEST=
++APPS=
++
++LIB=$(TOP)/libcrypto.a
++LIBSRC=poly1305_vec.c
++LIBOBJ=$(POLY1305)
++
++SRC= $(LIBSRC)
++
++EXHEADER=poly1305.h
++HEADER= $(EXHEADER)
++
++ALL= $(GENERAL) $(SRC) $(HEADER)
++
++top:
++ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
++
++all: lib
++
++lib: $(LIBOBJ)
++ $(AR) $(LIB) $(LIBOBJ)
++ $(RANLIB) $(LIB) || echo Never mind.
++ @touch lib
++
++files:
++ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
++
++links:
++ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
++ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
++ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
++
++install:
++ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
++ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
++ do \
++ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
++ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
++ done;
++
++tags:
++ ctags $(SRC)
++
++tests:
++
++lint:
++ lint -DLINT $(INCLUDES) $(SRC)>fluff
++
++depend:
++ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
++ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
++
++dclean:
++ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
++ mv -f Makefile.new $(MAKEFILE)
++
++clean:
++ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
++
++# DO NOT DELETE THIS LINE -- make depend depends on it.
++
++poly1305_vec.o: ../../include/openssl/poly1305.h poly1305_vec.c
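Review bot: `LIBSRC` and `POLY1305` name only `poly1305_vec.c`, while the portable `crypto/poly1305/poly1305.c` added in this same commit is not referenced anywhere in this Makefile; if `poly1305_vec.c` is, as its name suggests, the SIMD build, targets compiled through this Makefile on other architectures get either the wrong implementation or a build failure. Either list `poly1305.c` in `LIBSRC` with the per-platform object chosen by the top-level configuration (presumably how the neighbouring asm-enabled directories are handled — worth confirming), or state the restriction in the header comment. `TEST=` and the `tests:` target are empty, so the new primitive has no self-test wired into `make test` from this directory.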
+diff --git a/crypto/poly1305/poly1305.c b/crypto/poly1305/poly1305.c
+new file mode 100644
+index 0000000..2e5621d
+--- /dev/null
++++ b/crypto/poly1305/poly1305.c
+@@ -0,0 +1,321 @@
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++/* This implementation of poly1305 is by Andrew Moon
++ * (https://github.com/floodyberry/poly1305-donna) and released as public
++ * domain. */
++
++#include <string.h>
++#include <stdint.h>
++#include <openssl/opensslconf.h>
++
++#if !defined(OPENSSL_NO_POLY1305)
++
++#include <openssl/poly1305.h>
++#include <openssl/crypto.h>
++
++#if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
++/* We can assume little-endian. */
++static uint32_t U8TO32_LE(const unsigned char *m)
++ {
++ uint32_t r;
++ memcpy(&r, m, sizeof(r));
++ return r;
++ }
++
++static void U32TO8_LE(unsigned char *m, uint32_t v)
++ {
++ memcpy(m, &v, sizeof(v));
++ }
++#else
++static uint32_t U8TO32_LE(const unsigned char *m)
++ {
++ return (uint32_t)m[0] |
++ (uint32_t)m[1] << 8 |
++ (uint32_t)m[2] << 16 |
++ (uint32_t)m[3] << 24;
++ }
++
++static void U32TO8_LE(unsigned char *m, uint32_t v)
++ {
++ m[0] = v;
++ m[1] = v >> 8;
++ m[2] = v >> 16;
++ m[3] = v >> 24;
++ }
++#endif
++
++static uint64_t
++mul32x32_64(uint32_t a, uint32_t b)
++ {
++ return (uint64_t)a * b;
++ }
++
++
++struct poly1305_state_st
++ {
++ uint32_t r0,r1,r2,r3,r4;
++ uint32_t s1,s2,s3,s4;
++ uint32_t h0,h1,h2,h3,h4;
++ unsigned char buf[16];
++ unsigned int buf_used;
++ unsigned char key[16];
++ };
++
++/* poly1305_blocks updates |state| given some amount of input data. This
++ * function may only be called with a |len| that is not a multiple of 16 at the
++ * end of the data. Otherwise the input must be buffered into 16 byte blocks.
++ * */
++static void poly1305_update(struct poly1305_state_st *state,
++ const unsigned char *in, size_t len)
++ {
++ uint32_t t0,t1,t2,t3;
++ uint64_t t[5];
++ uint32_t b;
++ uint64_t c;
++ size_t j;
++ unsigned char mp[16];
++
++ if (len < 16)
++ goto poly1305_donna_atmost15bytes;
++
++poly1305_donna_16bytes:
++ t0 = U8TO32_LE(in);
++ t1 = U8TO32_LE(in+4);
++ t2 = U8TO32_LE(in+8);
++ t3 = U8TO32_LE(in+12);
++
++ in += 16;
++ len -= 16;
++
++ state->h0 += t0 & 0x3ffffff;
++ state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
++ state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
++ state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
++ state->h4 += (t3 >> 8) | (1 << 24);
++
++poly1305_donna_mul:
++ t[0] = mul32x32_64(state->h0,state->r0) +
++ mul32x32_64(state->h1,state->s4) +
++ mul32x32_64(state->h2,state->s3) +
++ mul32x32_64(state->h3,state->s2) +
++ mul32x32_64(state->h4,state->s1);
++ t[1] = mul32x32_64(state->h0,state->r1) +
++ mul32x32_64(state->h1,state->r0) +
++ mul32x32_64(state->h2,state->s4) +
++ mul32x32_64(state->h3,state->s3) +
++ mul32x32_64(state->h4,state->s2);
++ t[2] = mul32x32_64(state->h0,state->r2) +
++ mul32x32_64(state->h1,state->r1) +
++ mul32x32_64(state->h2,state->r0) +
++ mul32x32_64(state->h3,state->s4) +
++ mul32x32_64(state->h4,state->s3);
++ t[3] = mul32x32_64(state->h0,state->r3) +
++ mul32x32_64(state->h1,state->r2) +
++ mul32x32_64(state->h2,state->r1) +
++ mul32x32_64(state->h3,state->r0) +
++ mul32x32_64(state->h4,state->s4);
++ t[4] = mul32x32_64(state->h0,state->r4) +
++ mul32x32_64(state->h1,state->r3) +
++ mul32x32_64(state->h2,state->r2) +
++ mul32x32_64(state->h3,state->r1) +
++ mul32x32_64(state->h4,state->r0);
++
++ state->h0 = (uint32_t)t[0] & 0x3ffffff; c = (t[0] >> 26);
++ t[1] += c; state->h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26);
++ t[2] += b; state->h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26);
++ t[3] += b; state->h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26);
++ t[4] += b; state->h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26);
++ state->h0 += b * 5;
++
++ if (len >= 16)
++ goto poly1305_donna_16bytes;
++
++ /* final bytes */
++poly1305_donna_atmost15bytes:
++ if (!len)
++ return;
++
++ for (j = 0; j < len; j++)
++ mp[j] = in[j];
++ mp[j++] = 1;
++ for (; j < 16; j++)
++ mp[j] = 0;
++ len = 0;
++
++ t0 = U8TO32_LE(mp+0);
++ t1 = U8TO32_LE(mp+4);
++ t2 = U8TO32_LE(mp+8);
++ t3 = U8TO32_LE(mp+12);
++
++ state->h0 += t0 & 0x3ffffff;
++ state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
++ state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
++ state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
++ state->h4 += (t3 >> 8);
++
++ goto poly1305_donna_mul;
++ }
++
++void CRYPTO_poly1305_init(poly1305_state *statep, const unsigned char key[32])
++ {
++ struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
++ uint32_t t0,t1,t2,t3;
++
++ t0 = U8TO32_LE(key+0);
++ t1 = U8TO32_LE(key+4);
++ t2 = U8TO32_LE(key+8);
++ t3 = U8TO32_LE(key+12);
++
++ /* precompute multipliers */
++ state->r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6;
++ state->r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12;
++ state->r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18;
++ state->r3 = t2 & 0x3f03fff; t3 >>= 8;
++ state->r4 = t3 & 0x00fffff;
++
++ state->s1 = state->r1 * 5;
++ state->s2 = state->r2 * 5;
++ state->s3 = state->r3 * 5;
++ state->s4 = state->r4 * 5;
++
++ /* init state */
++ state->h0 = 0;
++ state->h1 = 0;
++ state->h2 = 0;
++ state->h3 = 0;
++ state->h4 = 0;
++
++ state->buf_used = 0;
++ memcpy(state->key, key + 16, sizeof(state->key));
++ }
++
++void CRYPTO_poly1305_update(poly1305_state *statep, const unsigned char *in,
++ size_t in_len)
++ {
++ unsigned int i;
++ struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
++
++ if (state->buf_used)
++ {
++ unsigned int todo = 16 - state->buf_used;
++ if (todo > in_len)
++ todo = in_len;
++ for (i = 0; i < todo; i++)
++ state->buf[state->buf_used + i] = in[i];
++ state->buf_used += todo;
++ in_len -= todo;
++ in += todo;
++
++ if (state->buf_used == 16)
++ {
++ poly1305_update(state, state->buf, 16);
++ state->buf_used = 0;
++ }
++ }
++
++ if (in_len >= 16)
++ {
++ size_t todo = in_len & ~0xf;
++ poly1305_update(state, in, todo);
++ in += todo;
++ in_len &= 0xf;
++ }
++
++ if (in_len)
++ {
++ for (i = 0; i < in_len; i++)
++ state->buf[i] = in[i];
++ state->buf_used = in_len;
++ }
++ }
++
++void CRYPTO_poly1305_finish(poly1305_state *statep, unsigned char mac[16])
++ {
++ struct poly1305_state_st *state = (struct poly1305_state_st*) statep;
++ uint64_t f0,f1,f2,f3;
++ uint32_t g0,g1,g2,g3,g4;
++ uint32_t b, nb;
++
++ if (state->buf_used)
++ poly1305_update(state, state->buf, state->buf_used);
++
++ b = state->h0 >> 26; state->h0 = state->h0 & 0x3ffffff;
++ state->h1 += b; b = state->h1 >> 26; state->h1 = state->h1 & 0x3ffffff;
++ state->h2 += b; b = state->h2 >> 26; state->h2 = state->h2 & 0x3ffffff;
++ state->h3 += b; b = state->h3 >> 26; state->h3 = state->h3 & 0x3ffffff;
++ state->h4 += b; b = state->h4 >> 26; state->h4 = state->h4 & 0x3ffffff;
++ state->h0 += b * 5;
++
++ g0 = state->h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff;
++ g1 = state->h1 + b; b = g1 >> 26; g1 &= 0x3ffffff;
++ g2 = state->h2 + b; b = g2 >> 26; g2 &= 0x3ffffff;
++ g3 = state->h3 + b; b = g3 >> 26; g3 &= 0x3ffffff;
++ g4 = state->h4 + b - (1 << 26);
++
++ b = (g4 >> 31) - 1;
++ nb = ~b;
++ state->h0 = (state->h0 & nb) | (g0 & b);
++ state->h1 = (state->h1 & nb) | (g1 & b);
++ state->h2 = (state->h2 & nb) | (g2 & b);
++ state->h3 = (state->h3 & nb) | (g3 & b);
++ state->h4 = (state->h4 & nb) | (g4 & b);
++
++ f0 = ((state->h0 ) | (state->h1 << 26)) + (uint64_t)U8TO32_LE(&state->key[0]);
++ f1 = ((state->h1 >> 6) | (state->h2 << 20)) + (uint64_t)U8TO32_LE(&state->key[4]);
++ f2 = ((state->h2 >> 12) | (state->h3 << 14)) + (uint64_t)U8TO32_LE(&state->key[8]);
++ f3 = ((state->h3 >> 18) | (state->h4 << 8)) + (uint64_t)U8TO32_LE(&state->key[12]);
++
++ U32TO8_LE(&mac[ 0], f0); f1 += (f0 >> 32);
++ U32TO8_LE(&mac[ 4], f1); f2 += (f1 >> 32);
++ U32TO8_LE(&mac[ 8], f2); f3 += (f2 >> 32);
++ U32TO8_LE(&mac[12], f3);
++ }
++
++#endif /* !OPENSSL_NO_POLY1305 */
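Review bot: `CRYPTO_poly1305_finish` leaves the one-time key material (`r0..r4`, `s1..s4` and the 16-byte `key` copied in `CRYPTO_poly1305_init`) sitting in `*state` after the tag has been written to `mac`; since `<openssl/crypto.h>` is already included and nothing in this hunk uses it, ending the function with `OPENSSL_cleanse(state, sizeof(*state));` would wipe it at no cost, unless callers are documented as responsible for wiping the opaque `poly1305_state` themselves. Separately, the comment above the static `poly1305_update` calls it `poly1305_blocks` and its sentence about a non-multiple-of-16 `len` is hard to parse; I would replace it with `/* poly1305_update absorbs |len| bytes of |in| into |state|. |len| may be a non-multiple of 16 only on the final call; all earlier calls must pass whole 16-byte blocks. */`. The casts of `statep` to `struct poly1305_state_st *` in init/update/finish also assume the opaque `poly1305_state` (defined in poly1305.h, whose body is not visible here) is at least `sizeof(struct poly1305_state_st)` bytes and suitably aligned for its `uint32_t` members — worth confirming against the header, since the ARM path is built from a separate file and may have its own alignment handling.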
+diff --git a/crypto/poly1305/poly1305.h b/crypto/poly1305/poly1305.h
+new file mode 100644
+index 0000000..28f85ed
+--- /dev/null
++++ b/crypto/poly1305/poly1305.h
+@@ -0,0 +1,88 @@
++/*
++ * Poly1305
++ *
++ * Created on: Jun, 2013
++ * Author: Elie Bursztein (elieb@google.com)
++ *
++ * Adapted from the estream code by D. Bernstein.
++ */
++/* ====================================================================
++ * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;