GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c Lines: 183 222 82.4 %
Date: 2017-11-13 Branches: 50 69 72.5 %

Line Branch Exec Source
1
/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.14 2016/11/05 10:47:57 miod Exp $ */
2
/* ====================================================================
3
 * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that the following conditions
7
 * are met:
8
 *
9
 * 1. Redistributions of source code must retain the above copyright
10
 *    notice, this list of conditions and the following disclaimer.
11
 *
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in
14
 *    the documentation and/or other materials provided with the
15
 *    distribution.
16
 *
17
 * 3. All advertising materials mentioning features or use of this
18
 *    software must display the following acknowledgment:
19
 *    "This product includes software developed by the OpenSSL Project
20
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21
 *
22
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23
 *    endorse or promote products derived from this software without
24
 *    prior written permission. For written permission, please contact
25
 *    licensing@OpenSSL.org.
26
 *
27
 * 5. Products derived from this software may not be called "OpenSSL"
28
 *    nor may "OpenSSL" appear in their names without prior written
29
 *    permission of the OpenSSL Project.
30
 *
31
 * 6. Redistributions of any form whatsoever must retain the following
32
 *    acknowledgment:
33
 *    "This product includes software developed by the OpenSSL Project
34
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35
 *
36
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
40
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47
 * OF THE POSSIBILITY OF SUCH DAMAGE.
48
 * ====================================================================
49
 */
50
51
#include <stdio.h>
52
#include <string.h>
53
54
#include <openssl/opensslconf.h>
55
56
#if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1)
57
58
#include <openssl/evp.h>
59
#include <openssl/objects.h>
60
#include <openssl/aes.h>
61
#include <openssl/sha.h>
62
#include "evp_locl.h"
63
#include "constant_time_locl.h"
64
65
#define TLS1_1_VERSION 0x0302
66
67
typedef struct {
68
	AES_KEY		ks;
69
	SHA_CTX		head, tail, md;
70
	size_t		payload_length;	/* AAD length in decrypt case */
71
	union {
72
		unsigned int	tls_ver;
73
		unsigned char	tls_aad[16];	/* 13 used */
74
	} aux;
75
} EVP_AES_HMAC_SHA1;
76
77
#define NO_PAYLOAD_LENGTH	((size_t)-1)
78
79
#if	defined(AES_ASM) &&	( \
80
	defined(__x86_64)	|| defined(__x86_64__)	|| \
81
	defined(_M_AMD64)	|| defined(_M_X64)	|| \
82
	defined(__INTEL__)	)
83
84
#include "x86_arch.h"
85
86
#if defined(__GNUC__) && __GNUC__>=2
87
# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
88
#endif
89
90
int aesni_set_encrypt_key(const unsigned char *userKey, int bits, AES_KEY *key);
91
int aesni_set_decrypt_key(const unsigned char *userKey, int bits, AES_KEY *key);
92
93
void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
94
    size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
95
96
void aesni_cbc_sha1_enc (const void *inp, void *out, size_t blocks,
97
    const AES_KEY *key, unsigned char iv[16], SHA_CTX *ctx, const void *in0);
98
99
#define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)
100
101
static int
102
aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *inkey,
103
    const unsigned char *iv, int enc)
104
{
105
432
	EVP_AES_HMAC_SHA1 *key = data(ctx);
106
	int ret;
107
108
216
	if (enc)
109
108
		ret = aesni_set_encrypt_key(inkey, ctx->key_len * 8, &key->ks);
110
	else
111
108
		ret = aesni_set_decrypt_key(inkey, ctx->key_len * 8, &key->ks);
112
113
216
	SHA1_Init(&key->head);	/* handy when benchmarking */
114
216
	key->tail = key->head;
115
216
	key->md = key->head;
116
117
216
	key->payload_length = NO_PAYLOAD_LENGTH;
118
119
216
	return ret < 0 ? 0 : 1;
120
}
121
122
#define	STITCHED_CALL
123
124
#if !defined(STITCHED_CALL)
125
#define	aes_off 0
126
#endif
127
128
void sha1_block_data_order (void *c, const void *p, size_t len);
129
130
static void
131
sha1_update(SHA_CTX *c, const void *data, size_t len)
132
{
133
	const unsigned char *ptr = data;
134
	size_t res;
135
136
4968
	if ((res = c->num)) {
137
432
		res = SHA_CBLOCK - res;
138
432
		if (len < res)
139
324
			res = len;
140
432
		SHA1_Update(c, ptr, res);
141
432
		ptr += res;
142
432
		len -= res;
143
432
	}
144
145
2484
	res = len % SHA_CBLOCK;
146
2484
	len -= res;
147
148
2484
	if (len) {
149
432
		sha1_block_data_order(c, ptr, len / SHA_CBLOCK);
150
151
432
		ptr += len;
152
432
		c->Nh += len >> 29;
153
432
		c->Nl += len <<= 3;
154
432
		if (c->Nl < (unsigned int)len)
155
			c->Nh++;
156
	}
157
158
2484
	if (res)
159
1620
		SHA1_Update(c, ptr, res);
160
2484
}
161
162
#ifdef SHA1_Update
163
#undef SHA1_Update
164
#endif
165
#define SHA1_Update sha1_update
166
167
static int
168
aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
169
    const unsigned char *in, size_t len)
170
{
171
1512
	EVP_AES_HMAC_SHA1 *key = data(ctx);
172
	unsigned int l;
173
756
	size_t plen = key->payload_length,
174
	    iv = 0,		/* explicit IV in TLS 1.1 and later */
175
	    sha_off = 0;
176
#if defined(STITCHED_CALL)
177
	size_t aes_off = 0, blocks;
178
179
756
	sha_off = SHA_CBLOCK - key->md.num;
180
#endif
181
182
756
	key->payload_length = NO_PAYLOAD_LENGTH;
183
184
756
	if (len % AES_BLOCK_SIZE)
185
		return 0;
186
187
756
	if (ctx->encrypt) {
188
432
		if (plen == NO_PAYLOAD_LENGTH)
189
			plen = len;
190
432
		else if (len != ((plen + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) &
191
		    -AES_BLOCK_SIZE))
192
			return 0;
193
432
		else if (key->aux.tls_ver >= TLS1_1_VERSION)
194
			iv = AES_BLOCK_SIZE;
195
196
#if defined(STITCHED_CALL)
197

540
		if (plen > (sha_off + iv) &&
198
108
		    (blocks = (plen - (sha_off + iv)) / SHA_CBLOCK)) {
199
108
			SHA1_Update(&key->md, in + iv, sha_off);
200
201
216
			aesni_cbc_sha1_enc(in, out, blocks, &key->ks,
202
108
			    ctx->iv, &key->md, in + iv + sha_off);
203
108
			blocks *= SHA_CBLOCK;
204
			aes_off += blocks;
205
108
			sha_off += blocks;
206
108
			key->md.Nh += blocks >> 29;
207
108
			key->md.Nl += blocks <<= 3;
208
108
			if (key->md.Nl < (unsigned int)blocks)
209
				key->md.Nh++;
210
		} else {
211
			sha_off = 0;
212
		}
213
#endif
214
432
		sha_off += iv;
215
432
		SHA1_Update(&key->md, in + sha_off, plen - sha_off);
216
217
432
		if (plen != len) {	/* "TLS" mode of operation */
218
432
			if (in != out)
219
				memcpy(out + aes_off, in + aes_off,
220
				    plen - aes_off);
221
222
			/* calculate HMAC and append it to payload */
223
432
			SHA1_Final(out + plen, &key->md);
224
432
			key->md = key->tail;
225
432
			SHA1_Update(&key->md, out + plen, SHA_DIGEST_LENGTH);
226
432
			SHA1_Final(out + plen, &key->md);
227
228
			/* pad the payload|hmac */
229
432
			plen += SHA_DIGEST_LENGTH;
230
10800
			for (l = len - plen - 1; plen < len; plen++)
231
4968
				out[plen] = l;
232
233
			/* encrypt HMAC|padding at once */
234
864
			aesni_cbc_encrypt(out + aes_off, out + aes_off,
235
432
			    len - aes_off, &key->ks, ctx->iv, 1);
236
432
		} else {
237
			aesni_cbc_encrypt(in + aes_off, out + aes_off,
238
			    len - aes_off, &key->ks, ctx->iv, 1);
239
		}
240
	} else {
241
324
		union {
242
			unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
243
			unsigned char c[32 + SHA_DIGEST_LENGTH];
244
		} mac, *pmac;
245
246
		/* arrange cache line alignment */
247
324
		pmac = (void *)(((size_t)mac.c + 31) & ((size_t)0 - 32));
248
249
		/* decrypt HMAC|padding at once */
250
324
		aesni_cbc_encrypt(in, out, len, &key->ks, ctx->iv, 0);
251
252
324
		if (plen) {	/* "TLS" mode of operation */
253
			size_t inp_len, mask, j, i;
254
			unsigned int res, maxpad, pad, bitlen;
255
			int ret = 1;
256
			union {
257
				unsigned int u[SHA_LBLOCK];
258
				unsigned char c[SHA_CBLOCK];
259
			}
260
324
			*data = (void *)key->md.data;
261
262
972
			if ((key->aux.tls_aad[plen - 4] << 8 |
263
648
			    key->aux.tls_aad[plen - 3]) >= TLS1_1_VERSION)
264
				iv = AES_BLOCK_SIZE;
265
266
324
			if (len < (iv + SHA_DIGEST_LENGTH + 1))
267
				return 0;
268
269
			/* omit explicit iv */
270
324
			out += iv;
271
324
			len -= iv;
272
273
			/* figure out payload length */
274
324
			pad = out[len - 1];
275
324
			maxpad = len - (SHA_DIGEST_LENGTH + 1);
276
324
			maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
277
324
			maxpad &= 255;
278
279
324
			ret &= constant_time_ge(maxpad, pad);
280
281
324
			inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
282
324
			mask = (0 - ((inp_len - len) >>
283
			    (sizeof(inp_len) * 8 - 1)));
284
324
			inp_len &= mask;
285
324
			ret &= (int)mask;
286
287
324
			key->aux.tls_aad[plen - 2] = inp_len >> 8;
288
324
			key->aux.tls_aad[plen - 1] = inp_len;
289
290
			/* calculate HMAC */
291
324
			key->md = key->head;
292
324
			SHA1_Update(&key->md, key->aux.tls_aad, plen);
293
294
#if 1
295
324
			len -= SHA_DIGEST_LENGTH;		/* amend mac */
296
324
			if (len >= (256 + SHA_CBLOCK)) {
297
				j = (len - (256 + SHA_CBLOCK)) &
298
				    (0 - SHA_CBLOCK);
299
				j += SHA_CBLOCK - key->md.num;
300
				SHA1_Update(&key->md, out, j);
301
				out += j;
302
				len -= j;
303
				inp_len -= j;
304
			}
305
306
			/* but pretend as if we hashed padded payload */
307
324
			bitlen = key->md.Nl + (inp_len << 3);	/* at most 18 bits */
308
#ifdef BSWAP
309
324
			bitlen = BSWAP(bitlen);
310
#else
311
			mac.c[0] = 0;
312
			mac.c[1] = (unsigned char)(bitlen >> 16);
313
			mac.c[2] = (unsigned char)(bitlen >> 8);
314
			mac.c[3] = (unsigned char)bitlen;
315
			bitlen = mac.u[0];
316
#endif
317
318
324
			pmac->u[0] = 0;
319
324
			pmac->u[1] = 0;
320
324
			pmac->u[2] = 0;
321
324
			pmac->u[3] = 0;
322
324
			pmac->u[4] = 0;
323
324
67176
			for (res = key->md.num, j = 0; j < len; j++) {
325
33264
				size_t c = out[j];
326
33264
				mask = (j - inp_len) >> (sizeof(j) * 8 - 8);
327
33264
				c &= mask;
328
66528
				c |= 0x80 & ~mask &
329
33264
				    ~((inp_len - j) >> (sizeof(j) * 8 - 8));
330
33264
				data->c[res++] = (unsigned char)c;
331
332
33264
				if (res != SHA_CBLOCK)
333
32832
					continue;
334
335
				/* j is not incremented yet */
336
432
				mask = 0 - ((inp_len + 7 - j) >>
337
				    (sizeof(j) * 8 - 1));
338
432
				data->u[SHA_LBLOCK - 1] |= bitlen&mask;
339
432
				sha1_block_data_order(&key->md, data, 1);
340
432
				mask &= 0 - ((j - inp_len - 72) >>
341
				    (sizeof(j) * 8 - 1));
342
432
				pmac->u[0] |= key->md.h0 & mask;
343
432
				pmac->u[1] |= key->md.h1 & mask;
344
432
				pmac->u[2] |= key->md.h2 & mask;
345
432
				pmac->u[3] |= key->md.h3 & mask;
346
432
				pmac->u[4] |= key->md.h4 & mask;
347
				res = 0;
348
432
			}
349
350
22464
			for (i = res; i < SHA_CBLOCK; i++, j++)
351
10908
				data->c[i] = 0;
352
353
324
			if (res > SHA_CBLOCK - 8) {
354
				mask = 0 - ((inp_len + 8 - j) >>
355
				    (sizeof(j) * 8 - 1));
356
				data->u[SHA_LBLOCK - 1] |= bitlen & mask;
357
				sha1_block_data_order(&key->md, data, 1);
358
				mask &= 0 - ((j - inp_len - 73) >>
359
				    (sizeof(j) * 8 - 1));
360
				pmac->u[0] |= key->md.h0 & mask;
361
				pmac->u[1] |= key->md.h1 & mask;
362
				pmac->u[2] |= key->md.h2 & mask;
363
				pmac->u[3] |= key->md.h3 & mask;
364
				pmac->u[4] |= key->md.h4 & mask;
365
366
				memset(data, 0, SHA_CBLOCK);
367
				j += 64;
368
			}
369
324
			data->u[SHA_LBLOCK - 1] = bitlen;
370
324
			sha1_block_data_order(&key->md, data, 1);
371
324
			mask = 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1));
372
324
			pmac->u[0] |= key->md.h0 & mask;
373
324
			pmac->u[1] |= key->md.h1 & mask;
374
324
			pmac->u[2] |= key->md.h2 & mask;
375
324
			pmac->u[3] |= key->md.h3 & mask;
376
324
			pmac->u[4] |= key->md.h4 & mask;
377
378
#ifdef BSWAP
379
324
			pmac->u[0] = BSWAP(pmac->u[0]);
380
324
			pmac->u[1] = BSWAP(pmac->u[1]);
381
324
			pmac->u[2] = BSWAP(pmac->u[2]);
382
324
			pmac->u[3] = BSWAP(pmac->u[3]);
383
324
			pmac->u[4] = BSWAP(pmac->u[4]);
384
#else
385
			for (i = 0; i < 5; i++) {
386
				res = pmac->u[i];
387
				pmac->c[4 * i + 0] = (unsigned char)(res >> 24);
388
				pmac->c[4 * i + 1] = (unsigned char)(res >> 16);
389
				pmac->c[4 * i + 2] = (unsigned char)(res >> 8);
390
				pmac->c[4 * i + 3] = (unsigned char)res;
391
			}
392
#endif
393
324
			len += SHA_DIGEST_LENGTH;
394
#else
395
			SHA1_Update(&key->md, out, inp_len);
396
			res = key->md.num;
397
			SHA1_Final(pmac->c, &key->md);
398
399
			{
400
				unsigned int inp_blocks, pad_blocks;
401
402
				/* but pretend as if we hashed padded payload */
403
				inp_blocks = 1 + ((SHA_CBLOCK - 9 - res) >>
404
				    (sizeof(res) * 8 - 1));
405
				res += (unsigned int)(len - inp_len);
406
				pad_blocks = res / SHA_CBLOCK;
407
				res %= SHA_CBLOCK;
408
				pad_blocks += 1 + ((SHA_CBLOCK - 9 - res) >>
409
				    (sizeof(res) * 8 - 1));
410
				for (; inp_blocks < pad_blocks; inp_blocks++)
411
					sha1_block_data_order(&key->md,
412
					    data, 1);
413
			}
414
#endif
415
324
			key->md = key->tail;
416
324
			SHA1_Update(&key->md, pmac->c, SHA_DIGEST_LENGTH);
417
324
			SHA1_Final(pmac->c, &key->md);
418
419
			/* verify HMAC */
420
324
			out += inp_len;
421
324
			len -= inp_len;
422
#if 1
423
			{
424
				unsigned char *p =
425
324
				    out + len - 1 - maxpad - SHA_DIGEST_LENGTH;
426
324
				size_t off = out - p;
427
				unsigned int c, cmask;
428
429
324
				maxpad += SHA_DIGEST_LENGTH;
430
76896
				for (res = 0, i = 0, j = 0; j < maxpad; j++) {
431
38124
					c = p[j];
432
38124
					cmask = ((int)(j - off -
433
38124
					    SHA_DIGEST_LENGTH)) >>
434
					    (sizeof(int) * 8 - 1);
435
38124
					res |= (c ^ pad) & ~cmask;	/* ... and padding */
436
38124
					cmask &= ((int)(off - 1 - j)) >>
437
					    (sizeof(int) * 8 - 1);
438
38124
					res |= (c ^ pmac->c[i]) & cmask;
439
38124
					i += 1 & cmask;
440
				}
441
				maxpad -= SHA_DIGEST_LENGTH;
442
443
324
				res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1));
444
324
				ret &= (int)~res;
445
			}
446
#else
447
			for (res = 0, i = 0; i < SHA_DIGEST_LENGTH; i++)
448
				res |= out[i] ^ pmac->c[i];
449
			res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1));
450
			ret &= (int)~res;
451
452
			/* verify padding */
453
			pad = (pad & ~res) | (maxpad & res);
454
			out = out + len - 1 - pad;
455
			for (res = 0, i = 0; i < pad; i++)
456
				res |= out[i] ^ pad;
457
458
			res = (0 - res) >> (sizeof(res) * 8 - 1);
459
			ret &= (int)~res;
460
#endif
461
324
			return ret;
462
		} else {
463
			SHA1_Update(&key->md, out, len);
464
		}
465
324
	}
466
467
432
	return 1;
468
756
}
469
470
static int
471
aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
472
{
473
1944
	EVP_AES_HMAC_SHA1 *key = data(ctx);
474
475
972
	switch (type) {
476
	case EVP_CTRL_AEAD_SET_MAC_KEY:
477
		{
478
			unsigned int  i;
479
216
			unsigned char hmac_key[64];
480
481
216
			memset(hmac_key, 0, sizeof(hmac_key));
482
483
216
			if (arg > (int)sizeof(hmac_key)) {
484
				SHA1_Init(&key->head);
485
				SHA1_Update(&key->head, ptr, arg);
486
				SHA1_Final(hmac_key, &key->head);
487
			} else {
488
216
				memcpy(hmac_key, ptr, arg);
489
			}
490
491
28080
			for (i = 0; i < sizeof(hmac_key); i++)
492
13824
				hmac_key[i] ^= 0x36;		/* ipad */
493
216
			SHA1_Init(&key->head);
494
216
			SHA1_Update(&key->head, hmac_key, sizeof(hmac_key));
495
496
28080
			for (i = 0; i < sizeof(hmac_key); i++)
497
13824
				hmac_key[i] ^= 0x36 ^ 0x5c;	/* opad */
498
216
			SHA1_Init(&key->tail);
499
216
			SHA1_Update(&key->tail, hmac_key, sizeof(hmac_key));
500
501
216
			explicit_bzero(hmac_key, sizeof(hmac_key));
502
503
			return 1;
504
216
		}
505
	case EVP_CTRL_AEAD_TLS1_AAD:
506
		{
507
			unsigned char *p = ptr;
508
756
			unsigned int len = p[arg - 2] << 8 | p[arg - 1];
509
510
756
			if (ctx->encrypt) {
511
432
				key->payload_length = len;
512
1296
				if ((key->aux.tls_ver = p[arg - 4] << 8 |
513
864
				    p[arg - 3]) >= TLS1_1_VERSION) {
514
					len -= AES_BLOCK_SIZE;
515
					p[arg - 2] = len >> 8;
516
					p[arg - 1] = len;
517
				}
518
432
				key->md = key->head;
519
432
				SHA1_Update(&key->md, p, arg);
520
521
864
				return (int)(((len + SHA_DIGEST_LENGTH +
522
432
				    AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) - len);
523
			} else {
524
324
				if (arg > 13)
525
					arg = 13;
526
324
				memcpy(key->aux.tls_aad, ptr, arg);
527
324
				key->payload_length = arg;
528
529
324
				return SHA_DIGEST_LENGTH;
530
			}
531
		}
532
	default:
533
		return -1;
534
	}
535
972
}
536
537
static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = {
538
#ifdef NID_aes_128_cbc_hmac_sha1
539
	.nid = NID_aes_128_cbc_hmac_sha1,
540
#else
541
	.nid = NID_undef,
542
#endif
543
	.block_size = 16,
544
	.key_len = 16,
545
	.iv_len = 16,
546
	.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
547
	    EVP_CIPH_FLAG_AEAD_CIPHER,
548
	.init = aesni_cbc_hmac_sha1_init_key,
549
	.do_cipher = aesni_cbc_hmac_sha1_cipher,
550
	.ctx_size = sizeof(EVP_AES_HMAC_SHA1),
551
	.ctrl = aesni_cbc_hmac_sha1_ctrl
552
};
553
554
static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = {
555
#ifdef NID_aes_256_cbc_hmac_sha1
556
	.nid = NID_aes_256_cbc_hmac_sha1,
557
#else
558
	.nid = NID_undef,
559
#endif
560
	.block_size = 16,
561
	.key_len = 32,
562
	.iv_len = 16,
563
	.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
564
	    EVP_CIPH_FLAG_AEAD_CIPHER,
565
	.init = aesni_cbc_hmac_sha1_init_key,
566
	.do_cipher = aesni_cbc_hmac_sha1_cipher,
567
	.ctx_size = sizeof(EVP_AES_HMAC_SHA1),
568
	.ctrl = aesni_cbc_hmac_sha1_ctrl
569
};
570
571
const EVP_CIPHER *
572
EVP_aes_128_cbc_hmac_sha1(void)
573
{
574
8610
	return (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI) ?
575
	    &aesni_128_cbc_hmac_sha1_cipher : NULL;
576
}
577
578
const EVP_CIPHER *
579
EVP_aes_256_cbc_hmac_sha1(void)
580
{
581
8610
	return (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI) ?
582
	    &aesni_256_cbc_hmac_sha1_cipher : NULL;
583
}
584
#else
585
const EVP_CIPHER *
586
EVP_aes_128_cbc_hmac_sha1(void)
587
{
588
	return NULL;
589
}
590
591
const EVP_CIPHER *
592
EVP_aes_256_cbc_hmac_sha1(void)
593
{
594
	    return NULL;
595
}
596
#endif
597
#endif