grpc 1.9.1 → 1.10.0.pre1

data/third_party/boringssl/crypto/bytestring/internal.h

@@ -22,54 +22,54 @@ extern "C" {
 #endif
 
 
-/* CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
- * indefinite-length elements or constructed strings then it converts the BER
- * data to DER and sets |*out| and |*out_length| to describe a malloced buffer
- * containing the DER data. Additionally, |*in| will be advanced over the BER
- * element.
- *
- * If it doesn't find any indefinite-length elements or constructed strings then
- * it sets |*out| to NULL and |*in| is unmodified.
- *
- * This function should successfully process any valid BER input, however it
- * will not convert all of BER's deviations from DER. BER is ambiguous between
- * implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
- * strings. Implicitly-tagged strings must be parsed with
- * |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
- * must also account for BER variations in the contents of a primitive.
- *
- * It returns one on success and zero otherwise. */
+// CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
+// indefinite-length elements or constructed strings then it converts the BER
+// data to DER and sets |*out| and |*out_length| to describe a malloced buffer
+// containing the DER data. Additionally, |*in| will be advanced over the BER
+// element.
+//
+// If it doesn't find any indefinite-length elements or constructed strings then
+// it sets |*out| to NULL and |*in| is unmodified.
+//
+// This function should successfully process any valid BER input, however it
+// will not convert all of BER's deviations from DER. BER is ambiguous between
+// implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
+// strings. Implicitly-tagged strings must be parsed with
+// |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
+// must also account for BER variations in the contents of a primitive.
+//
+// It returns one on success and zero otherwise.
 OPENSSL_EXPORT int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len);
 
-/* CBS_get_asn1_implicit_string parses a BER string of primitive type
- * |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
- * contents. If concatenation was needed, it sets |*out_storage| to a buffer
- * which the caller must release with |OPENSSL_free|. Otherwise, it sets
- * |*out_storage| to NULL.
- *
- * This function does not parse all of BER. It requires the string be
- * definite-length. Constructed strings are allowed, but all children of the
- * outermost element must be primitive. The caller should use
- * |CBS_asn1_ber_to_der| before running this function.
- *
- * It returns one on success and zero otherwise. */
+// CBS_get_asn1_implicit_string parses a BER string of primitive type
+// |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
+// contents. If concatenation was needed, it sets |*out_storage| to a buffer
+// which the caller must release with |OPENSSL_free|. Otherwise, it sets
+// |*out_storage| to NULL.
+//
+// This function does not parse all of BER. It requires the string be
+// definite-length. Constructed strings are allowed, but all children of the
+// outermost element must be primitive. The caller should use
+// |CBS_asn1_ber_to_der| before running this function.
+//
+// It returns one on success and zero otherwise.
 OPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out,
                                                 uint8_t **out_storage,
                                                 unsigned outer_tag,
                                                 unsigned inner_tag);
 
-/* CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
- * with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
- * and |*outp| is advanced just past the output. It returns the number of bytes
- * in the result, whether written or not, or a negative value on error. On
- * error, it calls |CBB_cleanup| on |cbb|.
- *
- * This function may be used to help implement legacy i2d ASN.1 functions. */
+// CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
+// with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
+// and |*outp| is advanced just past the output. It returns the number of bytes
+// in the result, whether written or not, or a negative value on error. On
+// error, it calls |CBB_cleanup| on |cbb|.
+//
+// This function may be used to help implement legacy i2d ASN.1 functions.
 int CBB_finish_i2d(CBB *cbb, uint8_t **outp);
 
 
 #if defined(__cplusplus)
-}  /* extern C */
+}  // extern C
 #endif
 
-#endif  /* OPENSSL_HEADER_BYTESTRING_INTERNAL_H */
+#endif  // OPENSSL_HEADER_BYTESTRING_INTERNAL_H

data/third_party/boringssl/crypto/chacha/chacha.c

@@ -12,7 +12,7 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
-/* Adapted from the public domain, estream code by D. Bernstein. */
+// Adapted from the public domain, estream code by D. Bernstein.
 
 #include <openssl/chacha.h>
 
@@ -32,7 +32,7 @@
     (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
      defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
 
-/* ChaCha20_ctr32 is defined in asm/chacha-*.pl. */
+// ChaCha20_ctr32 is defined in asm/chacha-*.pl.
 void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
                     const uint32_t key[8], const uint32_t counter[4]);
 
@@ -48,7 +48,7 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
 
   const uint32_t *key_ptr = (const uint32_t *)key;
 #if !defined(OPENSSL_X86) && !defined(OPENSSL_X86_64)
-  /* The assembly expects the key to be four-byte aligned. */
+  // The assembly expects the key to be four-byte aligned.
   uint32_t key_u32[8];
   if ((((uintptr_t)key) & 3) != 0) {
     key_u32[0] = U8TO32_LITTLE(key + 0);
@@ -69,7 +69,7 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
 
 #else
 
-/* sigma contains the ChaCha constants, which happen to be an ASCII string. */
+// sigma contains the ChaCha constants, which happen to be an ASCII string.
 static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
                                    '2', '-', 'b', 'y', 't', 'e', ' ', 'k' };
 
@@ -83,15 +83,15 @@ static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
     (p)[3] = (v >> 24) & 0xff; \
   }
 
-/* QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. */
+// QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round.
 #define QUARTERROUND(a, b, c, d)                \
   x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 16); \
   x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 12); \
   x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a],  8); \
   x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c],  7);
 
-/* chacha_core performs 20 rounds of ChaCha on the input words in
- * |input| and writes the 64 output bytes to |output|. */
+// chacha_core performs 20 rounds of ChaCha on the input words in
+// |input| and writes the 64 output bytes to |output|.
 static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
   uint32_t x[16];
   int i;

data/third_party/boringssl/crypto/{asn1/t_bitst.c → cipher_extra/cipher_extra.c}

@@ -54,50 +54,61 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
-#include <openssl/asn1.h>
+#include <openssl/cipher.h>
 
+#include <assert.h>
 #include <string.h>
 
+#include <openssl/err.h>
 #include <openssl/mem.h>
+#include <openssl/nid.h>
+
+#include "internal.h"
+#include "../internal.h"
 
-int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
-                               BIT_STRING_BITNAME *tbl, int indent)
-{
-    BIT_STRING_BITNAME *bnam;
-    char first = 1;
-    BIO_printf(out, "%*s", indent, "");
-    for (bnam = tbl; bnam->lname; bnam++) {
-        if (ASN1_BIT_STRING_get_bit(bs, bnam->bitnum)) {
-            if (!first)
-                BIO_puts(out, ", ");
-            BIO_puts(out, bnam->lname);
-            first = 0;
-        }
-    }
-    BIO_puts(out, "\n");
-    return 1;
-}
 
-int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
-                            BIT_STRING_BITNAME *tbl)
-{
-    int bitnum;
-    bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
-    if (bitnum < 0)
-        return 0;
-    if (bs) {
-        if (!ASN1_BIT_STRING_set_bit(bs, bitnum, value))
-            return 0;
-    }
-    return 1;
+const EVP_CIPHER *EVP_get_cipherbynid(int nid) {
+  switch (nid) {
+    case NID_rc2_cbc:
+      return EVP_rc2_cbc();
+    case NID_rc2_40_cbc:
+      return EVP_rc2_40_cbc();
+    case NID_des_ede3_cbc:
+      return EVP_des_ede3_cbc();
+    case NID_des_ede_cbc:
+      return EVP_des_cbc();
+    case NID_aes_128_cbc:
+      return EVP_aes_128_cbc();
+    case NID_aes_192_cbc:
+      return EVP_aes_192_cbc();
+    case NID_aes_256_cbc:
+      return EVP_aes_256_cbc();
+    default:
+      return NULL;
+  }
 }
 
-int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl)
-{
-    BIT_STRING_BITNAME *bnam;
-    for (bnam = tbl; bnam->lname; bnam++) {
-        if (!strcmp(bnam->sname, name) || !strcmp(bnam->lname, name))
-            return bnam->bitnum;
-    }
-    return -1;
+const EVP_CIPHER *EVP_get_cipherbyname(const char *name) {
+  if (OPENSSL_strcasecmp(name, "rc4") == 0) {
+    return EVP_rc4();
+  } else if (OPENSSL_strcasecmp(name, "des-cbc") == 0) {
+    return EVP_des_cbc();
+  } else if (OPENSSL_strcasecmp(name, "des-ede3-cbc") == 0 ||
+             OPENSSL_strcasecmp(name, "3des") == 0) {
+    return EVP_des_ede3_cbc();
+  } else if (OPENSSL_strcasecmp(name, "aes-128-cbc") == 0) {
+    return EVP_aes_128_cbc();
+  } else if (OPENSSL_strcasecmp(name, "aes-256-cbc") == 0) {
+    return EVP_aes_256_cbc();
+  } else if (OPENSSL_strcasecmp(name, "aes-128-ctr") == 0) {
+    return EVP_aes_128_ctr();
+  } else if (OPENSSL_strcasecmp(name, "aes-256-ctr") == 0) {
+    return EVP_aes_256_ctr();
+  } else if (OPENSSL_strcasecmp(name, "aes-128-ecb") == 0) {
+    return EVP_aes_128_ecb();
+  } else if (OPENSSL_strcasecmp(name, "aes-256-ecb") == 0) {
+    return EVP_aes_256_ecb();
+  }
+
+  return NULL;
 }

data/third_party/boringssl/crypto/{cipher → cipher_extra}/derive_key.c

@@ -61,8 +61,6 @@
 #include <openssl/digest.h>
 #include <openssl/mem.h>
 
-#include "internal.h"
-
 
 #define PKCS5_SALT_LEN 8
 

data/third_party/boringssl/crypto/cipher_extra/e_aesctrhmac.c

@@ -0,0 +1,281 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/aead.h>
+#include <openssl/cipher.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/sha.h>
+
+#include "../fipsmodule/cipher/internal.h"
+
+
+#define EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN SHA256_DIGEST_LENGTH
+#define EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN 12
+
+struct aead_aes_ctr_hmac_sha256_ctx {
+  union {
+    double align;
+    AES_KEY ks;
+  } ks;
+  ctr128_f ctr;
+  block128_f block;
+  SHA256_CTX inner_init_state;
+  SHA256_CTX outer_init_state;
+};
+
+static void hmac_init(SHA256_CTX *out_inner, SHA256_CTX *out_outer,
+                      const uint8_t hmac_key[32]) {
+  static const size_t hmac_key_len = 32;
+  uint8_t block[SHA256_CBLOCK];
+  OPENSSL_memcpy(block, hmac_key, hmac_key_len);
+  OPENSSL_memset(block + hmac_key_len, 0x36, sizeof(block) - hmac_key_len);
+
+  unsigned i;
+  for (i = 0; i < hmac_key_len; i++) {
+    block[i] ^= 0x36;
+  }
+
+  SHA256_Init(out_inner);
+  SHA256_Update(out_inner, block, sizeof(block));
+
+  OPENSSL_memset(block + hmac_key_len, 0x5c, sizeof(block) - hmac_key_len);
+  for (i = 0; i < hmac_key_len; i++) {
+    block[i] ^= (0x36 ^ 0x5c);
+  }
+
+  SHA256_Init(out_outer);
+  SHA256_Update(out_outer, block, sizeof(block));
+}
+
+static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
+                                         size_t key_len, size_t tag_len) {
+  struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx;
+  static const size_t hmac_key_len = 32;
+
+  if (key_len < hmac_key_len) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
+    return 0;  // EVP_AEAD_CTX_init should catch this.
+  }
+
+  const size_t aes_key_len = key_len - hmac_key_len;
+  if (aes_key_len != 16 && aes_key_len != 32) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
+    return 0;  // EVP_AEAD_CTX_init should catch this.
+  }
+
+  if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
+    tag_len = EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN;
+  }
+
+  if (tag_len > EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
+    return 0;
+  }
+
+  aes_ctx = OPENSSL_malloc(sizeof(struct aead_aes_ctr_hmac_sha256_ctx));
+  if (aes_ctx == NULL) {
+    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  aes_ctx->ctr =
+      aes_ctr_set_key(&aes_ctx->ks.ks, NULL, &aes_ctx->block, key, aes_key_len);
+  ctx->tag_len = tag_len;
+  hmac_init(&aes_ctx->inner_init_state, &aes_ctx->outer_init_state,
+            key + aes_key_len);
+
+  ctx->aead_state = aes_ctx;
+
+  return 1;
+}
+
+static void aead_aes_ctr_hmac_sha256_cleanup(EVP_AEAD_CTX *ctx) {
+  OPENSSL_free(ctx->aead_state);
+}
+
+static void hmac_update_uint64(SHA256_CTX *sha256, uint64_t value) {
+  unsigned i;
+  uint8_t bytes[8];
+
+  for (i = 0; i < sizeof(bytes); i++) {
+    bytes[i] = value & 0xff;
+    value >>= 8;
+  }
+  SHA256_Update(sha256, bytes, sizeof(bytes));
+}
+
+static void hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH],
+                           const SHA256_CTX *inner_init_state,
+                           const SHA256_CTX *outer_init_state,
+                           const uint8_t *ad, size_t ad_len,
+                           const uint8_t *nonce, const uint8_t *ciphertext,
+                           size_t ciphertext_len) {
+  SHA256_CTX sha256;
+  OPENSSL_memcpy(&sha256, inner_init_state, sizeof(sha256));
+  hmac_update_uint64(&sha256, ad_len);
+  hmac_update_uint64(&sha256, ciphertext_len);
+  SHA256_Update(&sha256, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
+  SHA256_Update(&sha256, ad, ad_len);
+
+  // Pad with zeros to the end of the SHA-256 block.
+  const unsigned num_padding =
+      (SHA256_CBLOCK - ((sizeof(uint64_t)*2 +
+                         EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN + ad_len) %
+                        SHA256_CBLOCK)) %
+      SHA256_CBLOCK;
+  uint8_t padding[SHA256_CBLOCK];
+  OPENSSL_memset(padding, 0, num_padding);
+  SHA256_Update(&sha256, padding, num_padding);
+
+  SHA256_Update(&sha256, ciphertext, ciphertext_len);
+
+  uint8_t inner_digest[SHA256_DIGEST_LENGTH];
+  SHA256_Final(inner_digest, &sha256);
+
+  OPENSSL_memcpy(&sha256, outer_init_state, sizeof(sha256));
+  SHA256_Update(&sha256, inner_digest, sizeof(inner_digest));
+  SHA256_Final(out, &sha256);
+}
+
+static void aead_aes_ctr_hmac_sha256_crypt(
+    const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx, uint8_t *out,
+    const uint8_t *in, size_t len, const uint8_t *nonce) {
+  // Since the AEAD operation is one-shot, keeping a buffer of unused keystream
+  // bytes is pointless. However, |CRYPTO_ctr128_encrypt| requires it.
+  uint8_t partial_block_buffer[AES_BLOCK_SIZE];
+  unsigned partial_block_offset = 0;
+  OPENSSL_memset(partial_block_buffer, 0, sizeof(partial_block_buffer));
+
+  uint8_t counter[AES_BLOCK_SIZE];
+  OPENSSL_memcpy(counter, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
+  OPENSSL_memset(counter + EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN, 0, 4);
+
+  if (aes_ctx->ctr) {
+    CRYPTO_ctr128_encrypt_ctr32(in, out, len, &aes_ctx->ks.ks, counter,
+                                partial_block_buffer, &partial_block_offset,
+                                aes_ctx->ctr);
+  } else {
+    CRYPTO_ctr128_encrypt(in, out, len, &aes_ctx->ks.ks, counter,
+                          partial_block_buffer, &partial_block_offset,
+                          aes_ctx->block);
+  }
+}
+
+static int aead_aes_ctr_hmac_sha256_seal_scatter(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
+    size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
+    size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
+  const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
+  const uint64_t in_len_64 = in_len;
+
+  if (in_len_64 >= (UINT64_C(1) << 32) * AES_BLOCK_SIZE) {
+     // This input is so large it would overflow the 32-bit block counter.
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
+    return 0;
+  }
+
+  if (max_out_tag_len < ctx->tag_len) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
+    return 0;
+  }
+
+  if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+    return 0;
+  }
+
+  aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, in_len, nonce);
+
+  uint8_t hmac_result[SHA256_DIGEST_LENGTH];
+  hmac_calculate(hmac_result, &aes_ctx->inner_init_state,
+                 &aes_ctx->outer_init_state, ad, ad_len, nonce, out, in_len);
+  OPENSSL_memcpy(out_tag, hmac_result, ctx->tag_len);
+  *out_tag_len = ctx->tag_len;
+
+  return 1;
+}
+
+static int aead_aes_ctr_hmac_sha256_open_gather(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
+    size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
+  const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
+
+  if (in_tag_len != ctx->tag_len) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
+    return 0;
+  }
+
+  if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+    return 0;
+  }
+
+  uint8_t hmac_result[SHA256_DIGEST_LENGTH];
+  hmac_calculate(hmac_result, &aes_ctx->inner_init_state,
+                 &aes_ctx->outer_init_state, ad, ad_len, nonce, in,
+                 in_len);
+  if (CRYPTO_memcmp(hmac_result, in_tag, ctx->tag_len) != 0) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
+    return 0;
+  }
+
+  aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, in_len, nonce);
+
+  return 1;
+}
+
+static const EVP_AEAD aead_aes_128_ctr_hmac_sha256 = {
+    16 /* AES key */ + 32 /* HMAC key */,
+    12,                                    // nonce length
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,  // overhead
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,  // max tag length
+    0,                                     // seal_scatter_supports_extra_in
+
+    aead_aes_ctr_hmac_sha256_init,
+    NULL /* init_with_direction */,
+    aead_aes_ctr_hmac_sha256_cleanup,
+    NULL /* open */,
+    aead_aes_ctr_hmac_sha256_seal_scatter,
+    aead_aes_ctr_hmac_sha256_open_gather,
+    NULL /* get_iv */,
+    NULL /* tag_len */,
+};
+
+static const EVP_AEAD aead_aes_256_ctr_hmac_sha256 = {
+    32 /* AES key */ + 32 /* HMAC key */,
+    12,                                    // nonce length
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,  // overhead
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,  // max tag length
+    0,                                     // seal_scatter_supports_extra_in
+
+    aead_aes_ctr_hmac_sha256_init,
+    NULL /* init_with_direction */,
+    aead_aes_ctr_hmac_sha256_cleanup,
+    NULL /* open */,
+    aead_aes_ctr_hmac_sha256_seal_scatter,
+    aead_aes_ctr_hmac_sha256_open_gather,
+    NULL /* get_iv */,
+    NULL /* tag_len */,
+};
+
+const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void) {
+  return &aead_aes_128_ctr_hmac_sha256;
+}
+
+const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void) {
+  return &aead_aes_256_ctr_hmac_sha256;
+}