Reorganize private crypto header files

Currently, there are two different directories which contain internal
header files of libcrypto which are meant to be shared internally:

While header files in 'include/internal' are intended to be shared
between libcrypto and libssl, the files in 'crypto/include/internal'
are intended to be shared inside libcrypto only.

To make things complicated, the include search path is set up in such
a way that the directive #include "internal/file.h" could refer to
a file in either of these two directoroes. This makes it necessary
in some cases to add a '_int.h' suffix to some files to resolve this
ambiguity:

  #include "internal/file.h"      # located in 'include/internal'
  #include "internal/file_int.h"  # located in 'crypto/include/internal'

This commit moves the private crypto headers from

  'crypto/include/internal'  to  'include/crypto'

As a result, the include directives become unambiguous

  #include "internal/file.h"       # located in 'include/internal'
  #include "crypto/file.h"         # located in 'include/crypto'

hence the superfluous '_int.h' suffixes can be stripped.

The files 'store_int.h' and 'store.h' need to be treated specially;
they are joined into a single file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)

36 files changed, 3224 insertions, 0 deletions

diff --git a/include/crypto/__DECC_INCLUDE_EPILOGUE.H b/include/crypto/__DECC_INCLUDE_EPILOGUE.H
new file mode 100644
index 0000000000..e57c0eab3e
--- /dev/null
+++ b/include/crypto/__DECC_INCLUDE_EPILOGUE.H
@@ -0,0 +1,16 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is only used by HP C on VMS, and is included automatically
+ * after each header file from this directory
+ */
+
+/* restore state.  Must correspond to the save in __decc_include_prologue.h */
+#pragma names restore
diff --git a/include/crypto/__DECC_INCLUDE_PROLOGUE.H b/include/crypto/__DECC_INCLUDE_PROLOGUE.H
new file mode 100644
index 0000000000..a013957557
--- /dev/null
+++ b/include/crypto/__DECC_INCLUDE_PROLOGUE.H
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is only used by HP C on VMS, and is included automatically
+ * after each header file from this directory
+ */
+
+/* save state */
+#pragma names save
+/* have the compiler shorten symbols larger than 31 chars to 23 chars
+ * followed by a 8 hex char CRC
+ */
+#pragma names as_is,shortened
diff --git a/include/crypto/aria.h b/include/crypto/aria.h
new file mode 100644
index 0000000000..4bfbd5a74a
--- /dev/null
+++ b/include/crypto/aria.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2017, Oracle and/or its affiliates.  All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+ /* Copyright (c) 2017 National Security Research Institute.  All rights reserved. */
+
+#ifndef HEADER_ARIA_H
+# define HEADER_ARIA_H
+
+# include <openssl/opensslconf.h>
+
+# ifdef OPENSSL_NO_ARIA
+#  error ARIA is disabled.
+# endif
+
+# define ARIA_ENCRYPT     1
+# define ARIA_DECRYPT     0
+
+# define ARIA_BLOCK_SIZE    16  /* Size of each encryption/decryption block */
+# define ARIA_MAX_KEYS      17  /* Number of keys needed in the worst case  */
+
+typedef union {
+    unsigned char c[ARIA_BLOCK_SIZE];
+    unsigned int u[ARIA_BLOCK_SIZE / sizeof(unsigned int)];
+} ARIA_u128;
+
+typedef unsigned char ARIA_c128[ARIA_BLOCK_SIZE];
+
+struct aria_key_st {
+    ARIA_u128 rd_key[ARIA_MAX_KEYS];
+    unsigned int rounds;
+};
+typedef struct aria_key_st ARIA_KEY;
+
+
+int aria_set_encrypt_key(const unsigned char *userKey, const int bits,
+                         ARIA_KEY *key);
+int aria_set_decrypt_key(const unsigned char *userKey, const int bits,
+                         ARIA_KEY *key);
+
+void aria_encrypt(const unsigned char *in, unsigned char *out,
+                  const ARIA_KEY *key);
+
+#endif
diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h
new file mode 100644
index 0000000000..674fa704a1
--- /dev/null
+++ b/include/crypto/asn1.h
@@ -0,0 +1,121 @@
+/*
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Internal ASN1 structures and functions: not for application use */
+
+/* ASN1 public key method structure */
+
+struct evp_pkey_asn1_method_st {
+    int pkey_id;
+    int pkey_base_id;
+    unsigned long pkey_flags;
+    char *pem_str;
+    char *info;
+    int (*pub_decode) (EVP_PKEY *pk, X509_PUBKEY *pub);
+    int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk);
+    int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
+    int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                      ASN1_PCTX *pctx);
+    int (*priv_decode) (EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf);
+    int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk);
+    int (*priv_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                       ASN1_PCTX *pctx);
+    int (*pkey_size) (const EVP_PKEY *pk);
+    int (*pkey_bits) (const EVP_PKEY *pk);
+    int (*pkey_security_bits) (const EVP_PKEY *pk);
+    int (*param_decode) (EVP_PKEY *pkey,
+                         const unsigned char **pder, int derlen);
+    int (*param_encode) (const EVP_PKEY *pkey, unsigned char **pder);
+    int (*param_missing) (const EVP_PKEY *pk);
+    int (*param_copy) (EVP_PKEY *to, const EVP_PKEY *from);
+    int (*param_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
+    int (*param_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                        ASN1_PCTX *pctx);
+    int (*sig_print) (BIO *out,
+                      const X509_ALGOR *sigalg, const ASN1_STRING *sig,
+                      int indent, ASN1_PCTX *pctx);
+    void (*pkey_free) (EVP_PKEY *pkey);
+    int (*pkey_ctrl) (EVP_PKEY *pkey, int op, long arg1, void *arg2);
+    /* Legacy functions for old PEM */
+    int (*old_priv_decode) (EVP_PKEY *pkey,
+                            const unsigned char **pder, int derlen);
+    int (*old_priv_encode) (const EVP_PKEY *pkey, unsigned char **pder);
+    /* Custom ASN1 signature verification */
+    int (*item_verify) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+                        X509_ALGOR *a, ASN1_BIT_STRING *sig, EVP_PKEY *pkey);
+    int (*item_sign) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+                      X509_ALGOR *alg1, X509_ALGOR *alg2,
+                      ASN1_BIT_STRING *sig);
+    int (*siginf_set) (X509_SIG_INFO *siginf, const X509_ALGOR *alg,
+                       const ASN1_STRING *sig);
+    /* Check */
+    int (*pkey_check) (const EVP_PKEY *pk);
+    int (*pkey_public_check) (const EVP_PKEY *pk);
+    int (*pkey_param_check) (const EVP_PKEY *pk);
+    /* Get/set raw private/public key data */
+    int (*set_priv_key) (EVP_PKEY *pk, const unsigned char *priv, size_t len);
+    int (*set_pub_key) (EVP_PKEY *pk, const unsigned char *pub, size_t len);
+    int (*get_priv_key) (const EVP_PKEY *pk, unsigned char *priv, size_t *len);
+    int (*get_pub_key) (const EVP_PKEY *pk, unsigned char *pub, size_t *len);
+
+    /*
+     * TODO: Make sure these functions are defined for key types that are
+     * implemented in providers.
+     */
+    /* Exports to providers */
+    size_t (*dirty_cnt) (const EVP_PKEY *pk);
+    void *(*export_to) (const EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
+} /* EVP_PKEY_ASN1_METHOD */ ;
+
+DEFINE_STACK_OF_CONST(EVP_PKEY_ASN1_METHOD)
+
+extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[5];
+extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ed448_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD sm2_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD poly1305_asn1_meth;
+
+extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2];
+extern const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD siphash_asn1_meth;
+
+/*
+ * These are used internally in the ASN1_OBJECT to keep track of whether the
+ * names and data need to be free()ed
+ */
+# define ASN1_OBJECT_FLAG_DYNAMIC         0x01/* internal use */
+# define ASN1_OBJECT_FLAG_CRITICAL        0x02/* critical x509v3 object id */
+# define ASN1_OBJECT_FLAG_DYNAMIC_STRINGS 0x04/* internal use */
+# define ASN1_OBJECT_FLAG_DYNAMIC_DATA    0x08/* internal use */
+struct asn1_object_st {
+    const char *sn, *ln;
+    int nid;
+    int length;
+    const unsigned char *data;  /* data remains const after init */
+    int flags;                  /* Should we free this one */
+};
+
+/* ASN1 print context structure */
+
+struct asn1_pctx_st {
+    unsigned long flags;
+    unsigned long nm_flags;
+    unsigned long cert_flags;
+    unsigned long oid_flags;
+    unsigned long str_flags;
+} /* ASN1_PCTX */ ;
+
+int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb);
diff --git a/include/crypto/asn1_dsa.h b/include/crypto/asn1_dsa.h
new file mode 100644
index 0000000000..d2570516a1
--- /dev/null
+++ b/include/crypto/asn1_dsa.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_ASN1_DSA_H
+# define HEADER_ASN1_DSA_H
+
+#include "internal/packet.h"
+
+int encode_der_length(WPACKET *pkt, size_t cont_len);
+int encode_der_integer(WPACKET *pkt, const BIGNUM *n);
+int encode_der_dsa_sig(WPACKET *pkt, const BIGNUM *r, const BIGNUM *s);
+int decode_der_length(PACKET *pkt, PACKET *subpkt);
+int decode_der_integer(PACKET *pkt, BIGNUM *n);
+size_t decode_der_dsa_sig(BIGNUM *r, BIGNUM *s, const unsigned char **ppin,
+                          size_t len);
+
+#endif
diff --git a/include/crypto/async.h b/include/crypto/async.h
new file mode 100644
index 0000000000..e9a89da314
--- /dev/null
+++ b/include/crypto/async.h
@@ -0,0 +1,14 @@
+/*
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/async.h>
+
+int async_init(void);
+void async_deinit(void);
+
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
new file mode 100644
index 0000000000..cb8b17662a
--- /dev/null
+++ b/include/crypto/bn.h
@@ -0,0 +1,114 @@
+/*
+ * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_BN_INT_H
+# define HEADER_BN_INT_H
+
+# include <openssl/bn.h>
+# include <limits.h>
+
+BIGNUM *bn_wexpand(BIGNUM *a, int words);
+BIGNUM *bn_expand2(BIGNUM *a, int words);
+
+void bn_correct_top(BIGNUM *a);
+
+/*
+ * Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
+ * This is an array r[] of values that are either zero or odd with an
+ * absolute value less than 2^w satisfying scalar = \sum_j r[j]*2^j where at
+ * most one of any w+1 consecutive digits is non-zero with the exception that
+ * the most significant digit may be only w-1 zeros away from that next
+ * non-zero digit.
+ */
+signed char *bn_compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len);
+
+int bn_get_top(const BIGNUM *a);
+
+int bn_get_dmax(const BIGNUM *a);
+
+/* Set all words to zero */
+void bn_set_all_zero(BIGNUM *a);
+
+/*
+ * Copy the internal BIGNUM words into out which holds size elements (and size
+ * must be bigger than top)
+ */
+int bn_copy_words(BN_ULONG *out, const BIGNUM *in, int size);
+
+BN_ULONG *bn_get_words(const BIGNUM *a);
+
+/*
+ * Set the internal data words in a to point to words which contains size
+ * elements. The BN_FLG_STATIC_DATA flag is set
+ */
+void bn_set_static_words(BIGNUM *a, const BN_ULONG *words, int size);
+
+/*
+ * Copy words into the BIGNUM |a|, reallocating space as necessary.
+ * The negative flag of |a| is not modified.
+ * Returns 1 on success and 0 on failure.
+ */
+/*
+ * |num_words| is int because bn_expand2 takes an int. This is an internal
+ * function so we simply trust callers not to pass negative values.
+ */
+int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
+
+/*
+ * Some BIGNUM functions assume most significant limb to be non-zero, which
+ * is customarily arranged by bn_correct_top. Output from below functions
+ * is not processed with bn_correct_top, and for this reason it may not be
+ * returned out of public API. It may only be passed internally into other
+ * functions known to support non-minimal or zero-padded BIGNUMs. Even
+ * though the goal is to facilitate constant-time-ness, not each subroutine
+ * is constant-time by itself. They all have pre-conditions, consult source
+ * code...
+ */
+int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                          BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+                         BN_CTX *ctx);
+int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+                           BN_CTX *ctx);
+int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                         const BIGNUM *m);
+int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                         const BIGNUM *m);
+int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
+int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
+                     const BIGNUM *d, BN_CTX *ctx);
+
+#define BN_PRIMETEST_COMPOSITE                    0
+#define BN_PRIMETEST_COMPOSITE_WITH_FACTOR        1
+#define BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME 2
+#define BN_PRIMETEST_PROBABLY_PRIME               3
+
+int bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx,
+                             BN_GENCB *cb, int enhanced, int *status);
+
+const BIGNUM *bn_get0_small_factors(void);
+
+int bn_rsa_fips186_4_prime_MR_min_checks(int nbits);
+
+int bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
+                                     BIGNUM *p1, BIGNUM *p2,
+                                     const BIGNUM *Xp, const BIGNUM *Xp1,
+                                     const BIGNUM *Xp2, int nlen,
+                                     const BIGNUM *e, BN_CTX *ctx,
+                                     BN_GENCB *cb);
+
+int bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
+                                  const BIGNUM *r1, const BIGNUM *r2, int nlen,
+                                  const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
+
+OPENSSL_CTX *bn_get_lib_ctx(BN_CTX *ctx);
+#endif
diff --git a/include/crypto/bn_conf.h.in b/include/crypto/bn_conf.h.in
new file mode 100644
index 0000000000..9061d20d82
--- /dev/null
+++ b/include/crypto/bn_conf.h.in
@@ -0,0 +1,27 @@
+{- join("\n",map { "/* $_ */" } @autowarntext) -}
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_BN_CONF_H
+# define HEADER_BN_CONF_H
+
+/*
+ * The contents of this file are not used in the UEFI build, as
+ * both 32-bit and 64-bit builds are supported from a single run
+ * of the Configure script.
+ */
+
+/* Should we define BN_DIV2W here? */
+
+/* Only one for the following should be defined */
+{- $config{b64l} ? "#define" : "#undef" -} SIXTY_FOUR_BIT_LONG
+{- $config{b64}  ? "#define" : "#undef" -} SIXTY_FOUR_BIT
+{- $config{b32}  ? "#define" : "#undef" -} THIRTY_TWO_BIT
+
+#endif
diff --git a/include/crypto/bn_dh.h b/include/crypto/bn_dh.h
new file mode 100644
index 0000000000..9077234250
--- /dev/null
+++ b/include/crypto/bn_dh.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#define declare_dh_bn(x) \
+    extern const BIGNUM _bignum_dh##x##_p;              \
+    extern const BIGNUM _bignum_dh##x##_g;              \
+    extern const BIGNUM _bignum_dh##x##_q;
+
+declare_dh_bn(1024_160)
+declare_dh_bn(2048_224)
+declare_dh_bn(2048_256)
+
+extern const BIGNUM _bignum_ffdhe2048_p;
+extern const BIGNUM _bignum_ffdhe3072_p;
+extern const BIGNUM _bignum_ffdhe4096_p;
+extern const BIGNUM _bignum_ffdhe6144_p;
+extern const BIGNUM _bignum_ffdhe8192_p;
+extern const BIGNUM _bignum_const_2;
diff --git a/include/crypto/bn_srp.h b/include/crypto/bn_srp.h
new file mode 100644
index 0000000000..897618cd9e
--- /dev/null
+++ b/include/crypto/bn_srp.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_NO_SRP
+
+extern const BIGNUM bn_group_1024;
+
+extern const BIGNUM bn_group_1536;
+
+extern const BIGNUM bn_group_2048;
+
+extern const BIGNUM bn_group_3072;
+
+extern const BIGNUM bn_group_4096;
+
+extern const BIGNUM bn_group_6144;
+
+extern const BIGNUM bn_group_8192;
+
+extern const BIGNUM bn_generator_19;
+
+extern const BIGNUM bn_generator_5;
+
+extern const BIGNUM bn_generator_2;
+
+#endif
diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h
new file mode 100644
index 0000000000..e095522c50
--- /dev/null
+++ b/include/crypto/chacha.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_CHACHA_H
+#define HEADER_CHACHA_H
+
+#include <stddef.h>
+
+/*
+ * ChaCha20_ctr32 encrypts |len| bytes from |inp| with the given key and
+ * nonce and writes the result to |out|, which may be equal to |inp|.
+ * The |key| is not 32 bytes of verbatim key material though, but the
+ * said material collected into 8 32-bit elements array in host byte
+ * order. Same approach applies to nonce: the |counter| argument is
+ * pointer to concatenated nonce and counter values collected into 4
+ * 32-bit elements. This, passing crypto material collected into 32-bit
+ * elements as opposite to passing verbatim byte vectors, is chosen for
+ * efficiency in multi-call scenarios.
+ */
+void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp,
+                    size_t len, const unsigned int key[8],
+                    const unsigned int counter[4]);
+/*
+ * You can notice that there is no key setup procedure. Because it's
+ * as trivial as collecting bytes into 32-bit elements, it's reckoned
+ * that below macro is sufficient.
+ */
+#define CHACHA_U8TOU32(p)  ( \
+                ((unsigned int)(p)[0])     | ((unsigned int)(p)[1]<<8) | \
+                ((unsigned int)(p)[2]<<16) | ((unsigned int)(p)[3]<<24)  )
+
+#define CHACHA_KEY_SIZE         32
+#define CHACHA_CTR_SIZE         16
+#define CHACHA_BLK_SIZE         64
+
+#endif
diff --git a/include/crypto/ciphermode_platform.h b/include/crypto/ciphermode_platform.h
new file mode 100644
index 0000000000..b16062fa93
--- /dev/null
+++ b/include/crypto/ciphermode_platform.h
@@ -0,0 +1,448 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_INTERNAL_CIPHERMODE_PLATFORM_H
+# define HEADER_INTERNAL_CIPHERMODE_PLATFORM_H
+
+# include "openssl/aes.h"
+
+# ifdef VPAES_ASM
+int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+void vpaes_encrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+void vpaes_decrypt(const unsigned char *in, unsigned char *out,
+                   const AES_KEY *key);
+void vpaes_cbc_encrypt(const unsigned char *in,
+                       unsigned char *out,
+                       size_t length,
+                       const AES_KEY *key, unsigned char *ivec, int enc);
+# endif /* VPAES_ASM */
+
+# ifdef BSAES_ASM
+void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t length, const AES_KEY *key,
+                       unsigned char ivec[16], int enc);
+void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+                                size_t len, const AES_KEY *key,
+                                const unsigned char ivec[16]);
+void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
+                       size_t len, const AES_KEY *key1,
+                       const AES_KEY *key2, const unsigned char iv[16]);
+void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
+                       size_t len, const AES_KEY *key1,
+                       const AES_KEY *key2, const unsigned char iv[16]);
+# endif /* BSAES_ASM */
+
+# ifdef AES_CTR_ASM
+void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t blocks, const AES_KEY *key,
+                       const unsigned char ivec[AES_BLOCK_SIZE]);
+# endif /*  AES_CTR_ASM */
+
+# ifdef AES_XTS_ASM
+void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
+                     const AES_KEY *key1, const AES_KEY *key2,
+                     const unsigned char iv[16]);
+void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
+                     const AES_KEY *key1, const AES_KEY *key2,
+                     const unsigned char iv[16]);
+# endif /* AES_XTS_ASM */
+
+# if defined(OPENSSL_CPUID_OBJ)
+#  if (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
+#   include "ppc_arch.h"
+#   ifdef VPAES_ASM
+#    define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
+#   endif
+#   define HWAES_CAPABLE  (OPENSSL_ppccap_P & PPC_CRYPTO207)
+#   define HWAES_set_encrypt_key aes_p8_set_encrypt_key
+#   define HWAES_set_decrypt_key aes_p8_set_decrypt_key
+#   define HWAES_encrypt aes_p8_encrypt
+#   define HWAES_decrypt aes_p8_decrypt
+#   define HWAES_cbc_encrypt aes_p8_cbc_encrypt
+#   define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
+#   define HWAES_xts_encrypt aes_p8_xts_encrypt
+#   define HWAES_xts_decrypt aes_p8_xts_decrypt
+#  endif /* PPC */
+
+#  if (defined(__arm__) || defined(__arm) || defined(__aarch64__))
+#   include "arm_arch.h"
+#   if __ARM_MAX_ARCH__>=7
+#    if defined(BSAES_ASM)
+#     define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
+#    endif
+#    if defined(VPAES_ASM)
+#     define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
+#    endif
+#    define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
+#    define HWAES_set_encrypt_key aes_v8_set_encrypt_key
+#    define HWAES_set_decrypt_key aes_v8_set_decrypt_key
+#    define HWAES_encrypt aes_v8_encrypt
+#    define HWAES_decrypt aes_v8_decrypt
+#    define HWAES_cbc_encrypt aes_v8_cbc_encrypt
+#    define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
+#   endif
+#  endif
+# endif /* OPENSSL_CPUID_OBJ */
+
+# if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
+         ((defined(__i386)       || defined(__i386__)    || \
+           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
+         defined(__x86_64)       || defined(__x86_64__)  || \
+         defined(_M_AMD64)       || defined(_M_X64)      )
+
+/* AES-NI section */
+
+#  define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
+#  ifdef VPAES_ASM
+#   define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
+#  endif
+#  ifdef BSAES_ASM
+#   define BSAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
+#  endif
+
+int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
+                          AES_KEY *key);
+
+void aesni_encrypt(c