autobuild_mac80211_release/openwrt_patches-21.02/mtk_soc/0907-fsek-build-host-tool-aesgcm.patch - openwrt/feeds/mtk-openwrt-feeds - Gitiles

 diff --git a/tools/Makefile b/tools/Makefile
 index ccd60a5..e487530 100644
 --- a/tools/Makefile
 +++ b/tools/Makefile
 @@ -38,6 +38,7 @@ tools-$(CONFIG_TARGET_tegra) += cbootimage cbootimage-configs
  tools-$(CONFIG_USES_MINOR) += kernel2minor
  tools-$(CONFIG_USE_SPARSE) += sparse
  tools-y += openssl
 +tools-y += aesgcm

  # builddir dependencies
  $(curdir)/autoconf/compile := $(curdir)/m4/compile
 @@ -76,6 +77,7 @@ $(curdir)/squashfs/compile := $(curdir)/lzma-old/compile
  $(curdir)/squashfskit4/compile := $(curdir)/xz/compile $(curdir)/zlib/compile
  $(curdir)/zlib/compile := $(curdir)/cmake/compile
  $(curdir)/zstd/compile := $(curdir)/cmake/compile
 +$(curdir)/aesgcm/compile := $(curdir)/openssl/compile

  ifneq ($(HOST_OS),Linux)
    $(curdir)/squashfskit4/compile += $(curdir)/coreutils/compile
 diff --git a/tools/aesgcm/Makefile b/tools/aesgcm/Makefile
 new file mode 100644
 index 0000000..f7ffc53
 --- /dev/null
 +++ b/tools/aesgcm/Makefile
 @@ -0,0 +1,29 @@
 +#
 +# Copyright (C) 2022 MediaTek Inc. All rights reserved.
 +#
 +# This is free software, licensed under the GNU General Public License v2.
 +# See /LICENSE for more information.
 +#
 +include $(TOPDIR)/rules.mk
 +
 +PKG_NAME:=aesgcm
 +PKG_VERSION:=1.0
 +
 +include $(INCLUDE_DIR)/host-build.mk
 +
 +define Host/Compile
 +	$(MAKE) -C $(HOST_BUILD_DIR) \
 +	OPENSSL_INCS_LOCATION=-I$(STAGING_DIR_HOST)/include/openssl-3 \
 +	OPENSSL_LIBS_LOCATION=-L$(STAGING_DIR_HOST)/lib/openssl-3
 +endef
 +
 +define Host/Prepare
 +	mkdir -p $(HOST_BUILD_DIR)
 +	$(CP) -a ./src/* $(HOST_BUILD_DIR)/
 +endef
 +
 +define Host/Install
 +	$(CP) $(HOST_BUILD_DIR)/aesgcm $(STAGING_DIR_HOST)/bin/
 +endef
 +
 +$(eval $(call HostBuild))
 diff --git a/tools/aesgcm/src/Makefile b/tools/aesgcm/src/Makefile
 new file mode 100644
 index 0000000..18d2e7b
 --- /dev/null
 +++ b/tools/aesgcm/src/Makefile
 @@ -0,0 +1,12 @@
 +CFLAGS = $(OPENSSL_INCS_LOCATION)
 +LDFLAGS = $(OPENSSL_LIBS_LOCATION) -lssl -lcrypto -ldl -lpthread
 +
 +all: aesgcm
 +
 +aesgcm: aesgcm.o
 +
 +aesgcm:
 +	$(CC) $(CFLAGS) -o $@ $< $(LDFLAGS)
 +
 +clean:
 +	$(RM) aesgcm
 diff --git a/tools/aesgcm/src/aesgcm.c b/tools/aesgcm/src/aesgcm.c
 new file mode 100644
 index 0000000..05aa373
 --- /dev/null
 +++ b/tools/aesgcm/src/aesgcm.c
 @@ -0,0 +1,364 @@
 +/*
 + * Copyright 2022 Mediatek Inc. All Rights Reserved.
 + *
 + * Licensed under the Apache License 2.0 (the "License").  You may not use
 + * this file except in compliance with the License.  You can obtain a copy
 + * in the file LICENSE in the source distribution or at
 + * https://www.openssl.org/source/license.html
 + */
 +
 +/*
 + * Simple AES GCM authenticated encryption with additional data (AEAD)
 + * demonstration program.
 + */
 +
 +#include <stdlib.h>
 +#include <stddef.h>
 +#include <string.h>
 +#include <unistd.h>
 +#include <openssl/err.h>
 +#include <openssl/bio.h>
 +#include <openssl/evp.h>
 +#include <openssl/core_names.h>
 +
 +#define MAX_TEXT_LENGTH		4096
 +#define MAX_AAD_LENGTH		256
 +#define MAX_TAG_LENGTH		32
 +
 +#define ERR_ENC			1
 +#define ERR_DEC			2
 +#define ERR_UNK_MOD		3
 +
 +typedef enum {
 +	UNK,
 +	ENCRYPT,
 +	DECRYPT
 +} OPERATION;
 +
 +/*
 + * A library context and property query can be used to select & filter
 + * algorithm implementations. If they are NULL then the default library
 + * context and properties are used.
 + */
 +OSSL_LIB_CTX *libctx = NULL;
 +const char *propq = NULL;
 +
 +int aes_gcm_encrypt(uint8_t *key, uint8_t *iv, long iv_len, uint8_t *aad,
 +		    long aad_len, uint8_t *pt, long pt_len, BIO *out)
 +{
 +	int ret = 0;
 +	EVP_CIPHER_CTX *ctx;
 +	EVP_CIPHER *cipher = NULL;
 +	int outlen, tmplen;
 +	uint8_t *outbuf;
 +	uint8_t *outtag[16];
 +	OSSL_PARAM params[2] = {
 +		OSSL_PARAM_END, OSSL_PARAM_END
 +	};
 +
 +	outbuf = calloc(MAX_TEXT_LENGTH, sizeof(uint8_t));
 +	if (!outbuf)
 +		return 0;
 +
 +	/* Create a context for the encrypt operation */
 +	if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
 +		goto err;
 +
 +	/* Fetch the cipher implementation */
 +	if ((cipher = EVP_CIPHER_fetch(libctx, "AES-256-GCM", propq)) == NULL)
 +		goto err;
 +
 +	/* Set IV length if default 96 bits is not appropriate */
 +	params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
 +						&iv_len);
 +	/*
 +	 * Initialise an encrypt operation with the cipher/mode, key, IV and
 +	 * IV length parameter.
 +	 * For demonstration purposes the IV is being set here. In a compliant
 +	 * application the IV would be generated internally so the iv passed in
 +	 * would be NULL.
 +	 */
 +	if (!EVP_EncryptInit_ex2(ctx, cipher, key, iv, params))
 +		goto err;
 +
 +	/* Zero or more calls to specify any AAD */
 +	if (!EVP_EncryptUpdate(ctx, NULL, &outlen, aad, aad_len))
 +		goto err;
 +
 +	/* Encrypt plaintext */
 +	if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, pt, pt_len))
 +		goto err;
 +
 +	/* Finalise: note get no output for GCM */
 +	if (!EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))
 +		goto err;
 +
 +	/* Get tag */
 +	params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
 +						      outtag, 16);
 +
 +	if (!EVP_CIPHER_CTX_get_params(ctx, params))
 +		goto err;
 +
 +	/* Output IV */
 +	if (BIO_write(out, iv, iv_len) <= 0)
 +		goto err;
 +
 +	/* Output tag */
 +	if (BIO_write(out, outtag, 16) <= 0)
 +		goto err;
 +
 +	/* Output encrypted block */
 +	if (BIO_write(out, outbuf, outlen) <= 0)
 +		goto err;
 +
 +	ret = 1;
 +err:
 +	if (!ret)
 +		ERR_print_errors_fp(stderr);
 +
 +	free(outbuf);
 +	EVP_CIPHER_free(cipher);
 +	EVP_CIPHER_CTX_free(ctx);
 +
 +	return ret;
 +}
 +
 +int aes_gcm_decrypt(uint8_t *key, uint8_t *iv, long iv_len,
 +		    uint8_t *aad, long aad_len, uint8_t *ct, long ct_len,
 +		    uint8_t *tag, long tag_len, BIO *out)
 +{
 +	int ret = 0;
 +	EVP_CIPHER_CTX *ctx;
 +	EVP_CIPHER *cipher = NULL;
 +	int outlen, rv;
 +	uint8_t *outbuf;
 +	OSSL_PARAM params[2] = {
 +		OSSL_PARAM_END, OSSL_PARAM_END
 +	};
 +
 +	outbuf = calloc(MAX_TEXT_LENGTH, sizeof(uint8_t));
 +	if (!outbuf)
 +		return 0;
 +
 +	if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
 +		goto err;
 +
 +	/* Fetch the cipher implementation */
 +	if ((cipher = EVP_CIPHER_fetch(libctx, "AES-256-GCM", propq)) == NULL)
 +		goto err;
 +
 +	/* Set IV length if default 96 bits is not appropriate */
 +	params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
 +						&iv_len);
 +
 +	/*
 +	 * Initialise an encrypt operation with the cipher/mode, key, IV and
 +	 * IV length parameter.
 +	 */
 +	if (!EVP_DecryptInit_ex2(ctx, cipher, key, iv, params))
 +		goto err;
 +
 +	/* Zero or more calls to specify any AAD */
 +	if (!EVP_DecryptUpdate(ctx, NULL, &outlen, aad, aad_len))
 +		goto err;
 +
 +	/* Decrypt plaintext */
 +	if (!EVP_DecryptUpdate(ctx, outbuf, &outlen, ct, ct_len))
 +		goto err;
 +
 +	/* Output decrypted block */
 +	if (BIO_write(out, outbuf, outlen) <= 0)
 +		goto err;
 +
 +	/* Set expected tag value. */
 +	params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
 +						      (void *)tag, tag_len);
 +
 +	if (!EVP_CIPHER_CTX_set_params(ctx, params))
 +		goto err;
 +
 +	/* Finalise: note get no output for GCM */
 +	rv = EVP_DecryptFinal_ex(ctx, outbuf, &outlen);
 +	/*
 +	 * Print out return value. If this is not successful authentication
 +	 * failed and plaintext is not trustworthy.
 +	 */
 +	printf("Tag Verify %s\n", rv > 0 ? "Successful!" : "Failed!");
 +
 +	ret = rv > 0 ? 1 : 0;
 +err:
 +	if (!ret)
 +		ERR_print_errors_fp(stderr);
 +
 +	free(outbuf);
 +	EVP_CIPHER_free(cipher);
 +	EVP_CIPHER_CTX_free(ctx);
 +
 +	return ret;
 +}
 +
 +void usage(void)
 +{
 +	printf(
 +		"simple aes-256-gcm tool: \n"
 +		"Operations:\n"
 +		"-e 		- encrypt\n"
 +		"-d 		- decrypt\n"
 +		"Common requirement parameters:\n"
 +		"-i infile	- input file\n"
 +		"-o outfile	- out file\n"
 +		"-k key(hex) 	- key in hex\n"
 +		"-n iv(hex)	- initial vector in hex\n"
 +		"-a aad(hex)	- additional authentication data in hex\n"
 +		"Decryption requirement paremters:\n"
 +		"-t intagfile 	- tag file as input\n");
 +}
 +
 +int main(int argc, char **argv)
 +{
 +	int ret = 0, opt, oper = UNK;
 +	long key_len = 0, iv_len = 0, aad_len = 0, tag_len = 0, in_len = 0;
 +	BIO *in = NULL, *out = NULL, *in_tag = NULL;
 +	uint8_t *in_buf;
 +	uint8_t key[EVP_MAX_KEY_LENGTH] = {0};
 +	uint8_t iv[EVP_MAX_IV_LENGTH] = {0};
 +	uint8_t aad[MAX_AAD_LENGTH] = {0};
 +	uint8_t tag[MAX_TAG_LENGTH] = {0};
 +
 +	in_buf = calloc(MAX_TEXT_LENGTH, sizeof(uint8_t));
 +	if (!in_buf)
 +		return -ENOMEM;
 +
 +	while ((opt = getopt(argc, argv, "a:dei:g:k:n:o:t:")) > 0) {
 +		switch(opt) {
 +		case 'a':
 +			ret = OPENSSL_hexstr2buf_ex(aad, MAX_AAD_LENGTH,
 +						    &aad_len, optarg, '\0');
 +			if (!ret) {
 +				ret = -EINVAL;
 +				fprintf(stderr, "Failed to read aad\n");
 +				goto end;
 +			}
 +			break;
 +		case 'd':
 +			if (oper) {
 +				ret = -EINVAL;
 +				fprintf(stderr, "Duplicate operations\n");
 +				goto end;
 +			}
 +			oper = DECRYPT;
 +			break;
 +		case 'e':
 +			if (oper) {
 +				ret = -EINVAL;
 +				fprintf(stderr, "Duplicate operations\n");
 +				goto end;
 +			}
 +			oper = ENCRYPT;
 +			break;
 +		case 'i':
 +			in = BIO_new_file(optarg, "rb");
 +			if (!in) {
 +				ret = -EINVAL;
 +				fprintf(stderr, "Failed to open input file\n");
 +				goto end;
 +			}
 +
 +			in_len = BIO_read(in, in_buf, MAX_TEXT_LENGTH);
 +			if (in_len <= 0) {
 +				ret = -EINVAL;
 +				fprintf(stderr, "Failed to read input file\n");
 +				goto end;
 +			}
 +			break;
 +		case 'k':
 +			ret = OPENSSL_hexstr2buf_ex(key, EVP_MAX_KEY_LENGTH,
 +				    		    &key_len, optarg, '\0');
 +			if (!ret) {
 +				ret = -EINVAL;
 +				fprintf(stderr, "Failed to read key\n");
 +				goto end;
 +			}
 +			break;
 +			case 'n':
 +			ret = OPENSSL_hexstr2buf_ex(iv, EVP_MAX_IV_LENGTH,
 +				    		    &iv_len, optarg, '\0');
 +			if (!ret) {
 +				ret = -EINVAL;
 +				fprintf(stderr, "Failed to read iv\n");
 +				goto end;
 +			}
 +			break;
 +		case 'o':
 +			out = BIO_new_file(optarg, "w");
 +			if (!out) {
 +				ret = -EINVAL;
 +				fprintf(stderr, "Failed to open output file\n");
 +				goto end;
 +			}
 +			break;
 +		case 't':
 +			in_tag = BIO_new_file(optarg, "rb");
 +			if (!in_tag) {
 +				ret = -EINVAL;
 +				fprintf(stderr, "Failed to open tag file\n");
 +				goto end;
 +			}
 +
 +			tag_len = BIO_read(in_tag, tag, MAX_TAG_LENGTH);
 +			if (tag_len <= 0) {
 +				ret = -EINVAL;
 +				fprintf(stderr, "Failed to read tag file\n");
 +				goto end;
 +			}
 +			break;
 +		default:
 +			break;
 +		}
 +
 +	}
 +
 +	if (!key_len || !iv_len || !aad_len || !in_len || !out) {
 +		ret = -EINVAL;
 +		goto end;
 +	}
 +
 +	if (oper == ENCRYPT) {
 +		ret = aes_gcm_encrypt(key, iv, iv_len, aad, aad_len,
 +				      in_buf, in_len, out);
 +		if (!ret) {
 +			ret = -ERR_ENC;
 +			goto end;
 +		}
 +	} else if (oper == DECRYPT) {
 +		if (!tag_len) {
 +			ret = -EINVAL;
 +			goto end;
 +		}
 +
 +		ret = aes_gcm_decrypt(key, iv, iv_len, aad, aad_len,
 +				      in_buf, in_len, tag, tag_len, out);
 +		if (!ret) {
 +			ret = -ERR_DEC;
 +			goto end;
 +		}
 +	} else {
 +		ret = -ERR_UNK_MOD;
 +		goto end;
 +	}
 +
 +end:
 +	free(in_buf);
 +	if (in)
 +		BIO_free(in);
 +	if (out)
 +		BIO_free(out);
 +	if (in_tag)
 +		BIO_free(in_tag);
 +
 +	if (ret == -EINVAL)
 +		usage();
 +
 +	return ret;
 +}
	diff --git a/tools/Makefile b/tools/Makefile
	index ccd60a5..e487530 100644
	--- a/tools/Makefile
	+++ b/tools/Makefile
	@@ -38,6 +38,7 @@ tools-$(CONFIG_TARGET_tegra) += cbootimage cbootimage-configs
	tools-$(CONFIG_USES_MINOR) += kernel2minor
	tools-$(CONFIG_USE_SPARSE) += sparse
	tools-y += openssl
	+tools-y += aesgcm

	# builddir dependencies
	$(curdir)/autoconf/compile := $(curdir)/m4/compile
	@@ -76,6 +77,7 @@ $(curdir)/squashfs/compile := $(curdir)/lzma-old/compile
	$(curdir)/squashfskit4/compile := $(curdir)/xz/compile $(curdir)/zlib/compile
	$(curdir)/zlib/compile := $(curdir)/cmake/compile
	$(curdir)/zstd/compile := $(curdir)/cmake/compile
	+$(curdir)/aesgcm/compile := $(curdir)/openssl/compile

	ifneq ($(HOST_OS),Linux)
	$(curdir)/squashfskit4/compile += $(curdir)/coreutils/compile
	diff --git a/tools/aesgcm/Makefile b/tools/aesgcm/Makefile
	new file mode 100644
	index 0000000..f7ffc53
	--- /dev/null
	+++ b/tools/aesgcm/Makefile
	@@ -0,0 +1,29 @@
	+#
	+# Copyright (C) 2022 MediaTek Inc. All rights reserved.
	+#
	+# This is free software, licensed under the GNU General Public License v2.
	+# See /LICENSE for more information.
	+#
	+include $(TOPDIR)/rules.mk
	+
	+PKG_NAME:=aesgcm
	+PKG_VERSION:=1.0
	+
	+include $(INCLUDE_DIR)/host-build.mk
	+
	+define Host/Compile
	+ $(MAKE) -C $(HOST_BUILD_DIR) \
	+ OPENSSL_INCS_LOCATION=-I$(STAGING_DIR_HOST)/include/openssl-3 \
	+ OPENSSL_LIBS_LOCATION=-L$(STAGING_DIR_HOST)/lib/openssl-3
	+endef
	+
	+define Host/Prepare
	+ mkdir -p $(HOST_BUILD_DIR)
	+ $(CP) -a ./src/* $(HOST_BUILD_DIR)/
	+endef
	+
	+define Host/Install
	+ $(CP) $(HOST_BUILD_DIR)/aesgcm $(STAGING_DIR_HOST)/bin/
	+endef
	+
	+$(eval $(call HostBuild))
	diff --git a/tools/aesgcm/src/Makefile b/tools/aesgcm/src/Makefile
	new file mode 100644
	index 0000000..18d2e7b
	--- /dev/null
	+++ b/tools/aesgcm/src/Makefile
	@@ -0,0 +1,12 @@
	+CFLAGS = $(OPENSSL_INCS_LOCATION)
	+LDFLAGS = $(OPENSSL_LIBS_LOCATION) -lssl -lcrypto -ldl -lpthread
	+
	+all: aesgcm
	+
	+aesgcm: aesgcm.o
	+
	+aesgcm:
	+ $(CC) $(CFLAGS) -o $@ $< $(LDFLAGS)
	+
	+clean:
	+ $(RM) aesgcm
	diff --git a/tools/aesgcm/src/aesgcm.c b/tools/aesgcm/src/aesgcm.c
	new file mode 100644
	index 0000000..05aa373
	--- /dev/null
	+++ b/tools/aesgcm/src/aesgcm.c
	@@ -0,0 +1,364 @@
	+/*
	+ * Copyright 2022 Mediatek Inc. All Rights Reserved.
	+ *
	+ * Licensed under the Apache License 2.0 (the "License"). You may not use
	+ * this file except in compliance with the License. You can obtain a copy
	+ * in the file LICENSE in the source distribution or at
	+ * https://www.openssl.org/source/license.html
	+ */
	+
	+/*
	+ * Simple AES GCM authenticated encryption with additional data (AEAD)
	+ * demonstration program.
	+ */
	+
	+#include <stdlib.h>
	+#include <stddef.h>
	+#include <string.h>
	+#include <unistd.h>
	+#include <openssl/err.h>
	+#include <openssl/bio.h>
	+#include <openssl/evp.h>
	+#include <openssl/core_names.h>
	+
	+#define MAX_TEXT_LENGTH 4096
	+#define MAX_AAD_LENGTH 256
	+#define MAX_TAG_LENGTH 32
	+
	+#define ERR_ENC 1
	+#define ERR_DEC 2
	+#define ERR_UNK_MOD 3
	+
	+typedef enum {
	+ UNK,
	+ ENCRYPT,
	+ DECRYPT
	+} OPERATION;
	+
	+/*
	+ * A library context and property query can be used to select & filter
	+ * algorithm implementations. If they are NULL then the default library
	+ * context and properties are used.
	+ */
	+OSSL_LIB_CTX *libctx = NULL;
	+const char *propq = NULL;
	+
	+int aes_gcm_encrypt(uint8_t key, uint8_t iv, long iv_len, uint8_t *aad,
	+ long aad_len, uint8_t pt, long pt_len, BIO out)
	+{
	+ int ret = 0;
	+ EVP_CIPHER_CTX *ctx;
	+ EVP_CIPHER *cipher = NULL;
	+ int outlen, tmplen;
	+ uint8_t *outbuf;
	+ uint8_t *outtag[16];
	+ OSSL_PARAM params[2] = {
	+ OSSL_PARAM_END, OSSL_PARAM_END
	+ };
	+
	+ outbuf = calloc(MAX_TEXT_LENGTH, sizeof(uint8_t));
	+ if (!outbuf)
	+ return 0;
	+
	+ /* Create a context for the encrypt operation */
	+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
	+ goto err;
	+
	+ /* Fetch the cipher implementation */
	+ if ((cipher = EVP_CIPHER_fetch(libctx, "AES-256-GCM", propq)) == NULL)
	+ goto err;
	+
	+ /* Set IV length if default 96 bits is not appropriate */
	+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
	+ &iv_len);
	+ /*
	+ * Initialise an encrypt operation with the cipher/mode, key, IV and
	+ * IV length parameter.
	+ * For demonstration purposes the IV is being set here. In a compliant
	+ * application the IV would be generated internally so the iv passed in
	+ * would be NULL.
	+ */
	+ if (!EVP_EncryptInit_ex2(ctx, cipher, key, iv, params))
	+ goto err;
	+
	+ /* Zero or more calls to specify any AAD */
	+ if (!EVP_EncryptUpdate(ctx, NULL, &outlen, aad, aad_len))
	+ goto err;
	+
	+ /* Encrypt plaintext */
	+ if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, pt, pt_len))
	+ goto err;
	+
	+ /* Finalise: note get no output for GCM */
	+ if (!EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))
	+ goto err;
	+
	+ /* Get tag */
	+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
	+ outtag, 16);
	+
	+ if (!EVP_CIPHER_CTX_get_params(ctx, params))
	+ goto err;
	+
	+ /* Output IV */
	+ if (BIO_write(out, iv, iv_len) <= 0)
	+ goto err;
	+
	+ /* Output tag */
	+ if (BIO_write(out, outtag, 16) <= 0)
	+ goto err;
	+
	+ /* Output encrypted block */
	+ if (BIO_write(out, outbuf, outlen) <= 0)
	+ goto err;
	+
	+ ret = 1;
	+err:
	+ if (!ret)
	+ ERR_print_errors_fp(stderr);
	+
	+ free(outbuf);
	+ EVP_CIPHER_free(cipher);
	+ EVP_CIPHER_CTX_free(ctx);
	+
	+ return ret;
	+}
	+
	+int aes_gcm_decrypt(uint8_t key, uint8_t iv, long iv_len,
	+ uint8_t aad, long aad_len, uint8_t ct, long ct_len,
	+ uint8_t tag, long tag_len, BIO out)
	+{
	+ int ret = 0;
	+ EVP_CIPHER_CTX *ctx;
	+ EVP_CIPHER *cipher = NULL;
	+ int outlen, rv;
	+ uint8_t *outbuf;
	+ OSSL_PARAM params[2] = {
	+ OSSL_PARAM_END, OSSL_PARAM_END
	+ };
	+
	+ outbuf = calloc(MAX_TEXT_LENGTH, sizeof(uint8_t));
	+ if (!outbuf)
	+ return 0;
	+
	+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
	+ goto err;
	+
	+ /* Fetch the cipher implementation */
	+ if ((cipher = EVP_CIPHER_fetch(libctx, "AES-256-GCM", propq)) == NULL)
	+ goto err;
	+
	+ /* Set IV length if default 96 bits is not appropriate */
	+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
	+ &iv_len);
	+
	+ /*
	+ * Initialise an encrypt operation with the cipher/mode, key, IV and
	+ * IV length parameter.
	+ */
	+ if (!EVP_DecryptInit_ex2(ctx, cipher, key, iv, params))
	+ goto err;
	+
	+ /* Zero or more calls to specify any AAD */
	+ if (!EVP_DecryptUpdate(ctx, NULL, &outlen, aad, aad_len))
	+ goto err;
	+
	+ /* Decrypt plaintext */
	+ if (!EVP_DecryptUpdate(ctx, outbuf, &outlen, ct, ct_len))
	+ goto err;
	+
	+ /* Output decrypted block */
	+ if (BIO_write(out, outbuf, outlen) <= 0)
	+ goto err;
	+
	+ /* Set expected tag value. */
	+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
	+ (void *)tag, tag_len);
	+
	+ if (!EVP_CIPHER_CTX_set_params(ctx, params))
	+ goto err;
	+
	+ /* Finalise: note get no output for GCM */
	+ rv = EVP_DecryptFinal_ex(ctx, outbuf, &outlen);
	+ /*
	+ * Print out return value. If this is not successful authentication
	+ * failed and plaintext is not trustworthy.
	+ */
	+ printf("Tag Verify %s\n", rv > 0 ? "Successful!" : "Failed!");
	+
	+ ret = rv > 0 ? 1 : 0;
	+err:
	+ if (!ret)
	+ ERR_print_errors_fp(stderr);
	+
	+ free(outbuf);
	+ EVP_CIPHER_free(cipher);
	+ EVP_CIPHER_CTX_free(ctx);
	+
	+ return ret;
	+}
	+
	+void usage(void)
	+{
	+ printf(
	+ "simple aes-256-gcm tool: \n"
	+ "Operations:\n"
	+ "-e - encrypt\n"
	+ "-d - decrypt\n"
	+ "Common requirement parameters:\n"
	+ "-i infile - input file\n"
	+ "-o outfile - out file\n"
	+ "-k key(hex) - key in hex\n"
	+ "-n iv(hex) - initial vector in hex\n"
	+ "-a aad(hex) - additional authentication data in hex\n"
	+ "Decryption requirement paremters:\n"
	+ "-t intagfile - tag file as input\n");
	+}
	+
	+int main(int argc, char **argv)
	+{
	+ int ret = 0, opt, oper = UNK;
	+ long key_len = 0, iv_len = 0, aad_len = 0, tag_len = 0, in_len = 0;
	+ BIO in = NULL, out = NULL, *in_tag = NULL;
	+ uint8_t *in_buf;
	+ uint8_t key[EVP_MAX_KEY_LENGTH] = {0};
	+ uint8_t iv[EVP_MAX_IV_LENGTH] = {0};
	+ uint8_t aad[MAX_AAD_LENGTH] = {0};
	+ uint8_t tag[MAX_TAG_LENGTH] = {0};
	+
	+ in_buf = calloc(MAX_TEXT_LENGTH, sizeof(uint8_t));
	+ if (!in_buf)
	+ return -ENOMEM;
	+
	+ while ((opt = getopt(argc, argv, "a:dei:g:k:n:o:t:")) > 0) {
	+ switch(opt) {
	+ case 'a':
	+ ret = OPENSSL_hexstr2buf_ex(aad, MAX_AAD_LENGTH,
	+ &aad_len, optarg, '\0');
	+ if (!ret) {
	+ ret = -EINVAL;
	+ fprintf(stderr, "Failed to read aad\n");
	+ goto end;
	+ }
	+ break;
	+ case 'd':
	+ if (oper) {
	+ ret = -EINVAL;
	+ fprintf(stderr, "Duplicate operations\n");
	+ goto end;
	+ }
	+ oper = DECRYPT;
	+ break;
	+ case 'e':
	+ if (oper) {
	+ ret = -EINVAL;
	+ fprintf(stderr, "Duplicate operations\n");
	+ goto end;
	+ }
	+ oper = ENCRYPT;
	+ break;
	+ case 'i':
	+ in = BIO_new_file(optarg, "rb");
	+ if (!in) {
	+ ret = -EINVAL;
	+ fprintf(stderr, "Failed to open input file\n");
	+ goto end;
	+ }
	+
	+ in_len = BIO_read(in, in_buf, MAX_TEXT_LENGTH);
	+ if (in_len <= 0) {
	+ ret = -EINVAL;
	+ fprintf(stderr, "Failed to read input file\n");
	+ goto end;
	+ }
	+ break;
	+ case 'k':
	+ ret = OPENSSL_hexstr2buf_ex(key, EVP_MAX_KEY_LENGTH,
	+ &key_len, optarg, '\0');
	+ if (!ret) {
	+ ret = -EINVAL;
	+ fprintf(stderr, "Failed to read key\n");
	+ goto end;
	+ }
	+ break;
	+ case 'n':
	+ ret = OPENSSL_hexstr2buf_ex(iv, EVP_MAX_IV_LENGTH,
	+ &iv_len, optarg, '\0');
	+ if (!ret) {
	+ ret = -EINVAL;
	+ fprintf(stderr, "Failed to read iv\n");
	+ goto end;
	+ }
	+ break;
	+ case 'o':
	+ out = BIO_new_file(optarg, "w");
	+ if (!out) {
	+ ret = -EINVAL;
	+ fprintf(stderr, "Failed to open output file\n");
	+ goto end;
	+ }
	+ break;
	+ case 't':
	+ in_tag = BIO_new_file(optarg, "rb");
	+ if (!in_tag) {
	+ ret = -EINVAL;
	+ fprintf(stderr, "Failed to open tag file\n");
	+ goto end;
	+ }
	+
	+ tag_len = BIO_read(in_tag, tag, MAX_TAG_LENGTH);
	+ if (tag_len <= 0) {
	+ ret = -EINVAL;
	+ fprintf(stderr, "Failed to read tag file\n");
	+ goto end;
	+ }
	+ break;
	+ default:
	+ break;
	+ }
	+
	+ }
	+
	+ if (!key_len \|\| !iv_len \|\| !aad_len \|\| !in_len \|\| !out) {
	+ ret = -EINVAL;
	+ goto end;
	+ }
	+
	+ if (oper == ENCRYPT) {
	+ ret = aes_gcm_encrypt(key, iv, iv_len, aad, aad_len,
	+ in_buf, in_len, out);
	+ if (!ret) {
	+ ret = -ERR_ENC;
	+ goto end;
	+ }
	+ } else if (oper == DECRYPT) {
	+ if (!tag_len) {
	+ ret = -EINVAL;
	+ goto end;
	+ }
	+
	+ ret = aes_gcm_decrypt(key, iv, iv_len, aad, aad_len,
	+ in_buf, in_len, tag, tag_len, out);
	+ if (!ret) {
	+ ret = -ERR_DEC;
	+ goto end;
	+ }
	+ } else {
	+ ret = -ERR_UNK_MOD;
	+ goto end;
	+ }
	+
	+end:
	+ free(in_buf);
	+ if (in)
	+ BIO_free(in);
	+ if (out)
	+ BIO_free(out);
	+ if (in_tag)
	+ BIO_free(in_tag);
	+
	+ if (ret == -EINVAL)
	+ usage();
	+
	+ return ret;
	+}