crypto/evp/e_aes_cbc_hmac_sha1.c

   1 /* ====================================================================
   2  * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  *
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  *
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in
  13  *    the documentation and/or other materials provided with the
  14  *    distribution.
  15  *
  16  * 3. All advertising materials mentioning features or use of this
  17  *    software must display the following acknowledgment:
  18  *    "This product includes software developed by the OpenSSL Project
  19  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  20  *
  21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22  *    endorse or promote products derived from this software without
  23  *    prior written permission. For written permission, please contact
  24  *    licensing@OpenSSL.org.
  25  *
  26  * 5. Products derived from this software may not be called "OpenSSL"
  27  *    nor may "OpenSSL" appear in their names without prior written
  28  *    permission of the OpenSSL Project.
  29  *
  30  * 6. Redistributions of any form whatsoever must retain the following
  31  *    acknowledgment:
  32  *    "This product includes software developed by the OpenSSL Project
  33  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  34  *
  35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46  * OF THE POSSIBILITY OF SUCH DAMAGE.
  47  * ====================================================================
  48  */
  49
  50 #include <openssl/opensslconf.h>
  51
  52 #include <stdio.h>
  53 #include <string.h>
  54
  55 #if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1)
  56
  57 #include <openssl/evp.h>
  58 #include <openssl/objects.h>
  59 #include <openssl/aes.h>
  60 #include <openssl/sha.h>
  61
  62 #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
  63 #define EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
  64 #define EVP_CTRL_AEAD_TLS1_AAD          0x16
  65 #define EVP_CTRL_AEAD_SET_MAC_KEY       0x17
  66 #endif
  67
  68 #if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1)
  69 #define EVP_CIPH_FLAG_DEFAULT_ASN1 0
  70 #endif
  71
  72 #define TLS1_1_VERSION 0x0302
  73
  74 typedef struct
  75     {
  76     AES_KEY             ks;
  77     SHA_CTX             head,tail,md;
  78     size_t              payload_length; /* AAD length in decrypt case */
  79     union {
  80         unsigned int    tls_ver;
  81         unsigned char   tls_aad[16];    /* 13 used */
  82     } aux;
  83     } EVP_AES_HMAC_SHA1;
  84
  85 #define NO_PAYLOAD_LENGTH       ((size_t)-1)
  86
  87 #if     defined(AES_ASM) &&     ( \
  88         defined(__x86_64)       || defined(__x86_64__)  || \
  89         defined(_M_AMD64)       || defined(_M_X64)      || \
  90         defined(__INTEL__)      )
  91
  92 #if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
  93 # define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
  94 #endif
  95
  96 extern unsigned int OPENSSL_ia32cap_P[2];
  97 #define AESNI_CAPABLE   (1<<(57-32))
  98
  99 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
 100                               AES_KEY *key);
 101 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
 102                               AES_KEY *key);
 103
 104 void aesni_cbc_encrypt(const unsigned char *in,
 105                            unsigned char *out,
 106                            size_t length,
 107                            const AES_KEY *key,
 108                            unsigned char *ivec, int enc);
 109
 110 void aesni_cbc_sha1_enc (const void *inp, void *out, size_t blocks,
 111                 const AES_KEY *key, unsigned char iv[16],
 112                 SHA_CTX *ctx,const void *in0);
 113
 114 #define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)
 115
 116 static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
 117                         const unsigned char *inkey,
 118                         const unsigned char *iv, int enc)
 119         {
 120         EVP_AES_HMAC_SHA1 *key = data(ctx);
 121         int ret;
 122
 123         if (enc)
 124                 ret=aesni_set_encrypt_key(inkey,ctx->key_len*8,&key->ks);
 125         else
 126                 ret=aesni_set_decrypt_key(inkey,ctx->key_len*8,&key->ks);
 127
 128         SHA1_Init(&key->head);  /* handy when benchmarking */
 129         key->tail = key->head;
 130         key->md   = key->head;
 131
 132         key->payload_length = NO_PAYLOAD_LENGTH;
 133
 134         return ret<0?0:1;
 135         }
 136
 137 #define STITCHED_CALL
 138
 139 #if !defined(STITCHED_CALL)
 140 #define aes_off 0
 141 #endif
 142
 143 void sha1_block_data_order (void *c,const void *p,size_t len);
 144
 145 static void sha1_update(SHA_CTX *c,const void *data,size_t len)
 146 {       const unsigned char *ptr = data;
 147         size_t res;
 148
 149         if ((res = c->num)) {
 150                 res = SHA_CBLOCK-res;
 151                 if (len<res) res=len;
 152                 SHA1_Update (c,ptr,res);
 153                 ptr += res;
 154                 len -= res;
 155         }
 156
 157         res = len % SHA_CBLOCK;
 158         len -= res;
 159
 160         if (len) {
 161                 sha1_block_data_order(c,ptr,len/SHA_CBLOCK);
 162
 163                 ptr += len;
 164                 c->Nh += len>>29;
 165                 c->Nl += len<<=3;
 166                 if (c->Nl<(unsigned int)len) c->Nh++;
 167         }
 168
 169         if (res)
 170                 SHA1_Update(c,ptr,res);
 171 }
 172
 173 #ifdef SHA1_Update
 174 #undef SHA1_Update
 175 #endif
 176 #define SHA1_Update sha1_update
 177
 178 static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 179                       const unsigned char *in, size_t len)
 180         {
 181         EVP_AES_HMAC_SHA1 *key = data(ctx);
 182         unsigned int l;
 183         size_t  plen = key->payload_length,
 184                 iv = 0,         /* explicit IV in TLS 1.1 and later */
 185                 sha_off = 0;
 186 #if defined(STITCHED_CALL)
 187         size_t  aes_off = 0,
 188                 blocks;
 189
 190         sha_off = SHA_CBLOCK-key->md.num;
 191 #endif
 192
 193         key->payload_length = NO_PAYLOAD_LENGTH;
 194
 195         if (len%AES_BLOCK_SIZE) return 0;
 196
 197         if (ctx->encrypt) {
 198                 if (plen==NO_PAYLOAD_LENGTH)
 199                         plen = len;
 200                 else if (len!=((plen+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE))
 201                         return 0;
 202                 else if (key->aux.tls_ver >= TLS1_1_VERSION)
 203                         iv = AES_BLOCK_SIZE;
 204
 205 #if defined(STITCHED_CALL)
 206                 if (plen>(sha_off+iv) && (blocks=(plen-(sha_off+iv))/SHA_CBLOCK)) {
 207                         SHA1_Update(&key->md,in+iv,sha_off);
 208
 209                         aesni_cbc_sha1_enc(in,out,blocks,&key->ks,
 210                                 ctx->iv,&key->md,in+iv+sha_off);
 211                         blocks *= SHA_CBLOCK;
 212                         aes_off += blocks;
 213                         sha_off += blocks;
 214                         key->md.Nh += blocks>>29;
 215                         key->md.Nl += blocks<<=3;
 216                         if (key->md.Nl<(unsigned int)blocks) key->md.Nh++;
 217                 } else {
 218                         sha_off = 0;
 219                 }
 220 #endif
 221                 sha_off += iv;
 222                 SHA1_Update(&key->md,in+sha_off,plen-sha_off);
 223
 224                 if (plen!=len)  {       /* "TLS" mode of operation */
 225                         if (in!=out)
 226                                 memcpy(out+aes_off,in+aes_off,plen-aes_off);
 227
 228                         /* calculate HMAC and append it to payload */
 229                         SHA1_Final(out+plen,&key->md);
 230                         key->md = key->tail;
 231                         SHA1_Update(&key->md,out+plen,SHA_DIGEST_LENGTH);
 232                         SHA1_Final(out+plen,&key->md);
 233
 234                         /* pad the payload|hmac */
 235                         plen += SHA_DIGEST_LENGTH;
 236                         for (l=len-plen-1;plen<len;plen++) out[plen]=l;
 237                         /* encrypt HMAC|padding at once */
 238                         aesni_cbc_encrypt(out+aes_off,out+aes_off,len-aes_off,
 239                                         &key->ks,ctx->iv,1);
 240                 } else {
 241                         aesni_cbc_encrypt(in+aes_off,out+aes_off,len-aes_off,
 242                                         &key->ks,ctx->iv,1);
 243                 }
 244         } else {
 245                 union { unsigned int  u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
 246                         unsigned char c[32+SHA_DIGEST_LENGTH]; } mac, *pmac;
 247
 248                 /* arrange cache line alignment */
 249                 pmac = (void *)(((size_t)mac.c+31)&((size_t)0-32));
 250
 251                 /* decrypt HMAC|padding at once */
 252                 aesni_cbc_encrypt(in,out,len,
 253                                 &key->ks,ctx->iv,0);
 254
 255                 if (plen) {     /* "TLS" mode of operation */
 256                         size_t inp_len, mask, j, i;
 257                         unsigned int res, maxpad, pad, bitlen;
 258                         int ret = 1;
 259                         union { unsigned int  u[SHA_LBLOCK];
 260                                 unsigned char c[SHA_CBLOCK]; }
 261                                 *data = (void *)key->md.data;
 262
 263                         if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3])
 264                             >= TLS1_1_VERSION)
 265                                 iv = AES_BLOCK_SIZE;
 266
 267                         if (len<(iv+SHA_DIGEST_LENGTH+1))
 268                                 return 0;
 269
 270                         /* omit explicit iv */
 271                         out += iv;
 272                         len -= iv;
 273
 274                         /* figure out payload length */
 275                         pad = out[len-1];
 276                         maxpad = len-(SHA_DIGEST_LENGTH+1);
 277                         maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
 278                         maxpad &= 255;
 279
 280                         inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
 281                         mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
 282                         inp_len &= mask;
 283                         ret &= (int)mask;
 284
 285                         key->aux.tls_aad[plen-2] = inp_len>>8;
 286                         key->aux.tls_aad[plen-1] = inp_len;
 287
 288                         /* calculate HMAC */
 289                         key->md = key->head;
 290                         SHA1_Update(&key->md,key->aux.tls_aad,plen);
 291
 292 #if 1
 293                         len -= SHA_DIGEST_LENGTH;               /* amend mac */
 294                         if (len>=(256+SHA_CBLOCK)) {
 295                                 j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK);
 296                                 j += SHA_CBLOCK-key->md.num;
 297                                 SHA1_Update(&key->md,out,j);
 298                                 out += j;
 299                                 len -= j;
 300                                 inp_len -= j;
 301                         }
 302
 303                         /* but pretend as if we hashed padded payload */
 304                         bitlen = key->md.Nl+(inp_len<<3);       /* at most 18 bits */
 305 #ifdef BSWAP
 306                         bitlen = BSWAP(bitlen);
 307 #else
 308                         mac.c[0] = 0;
 309                         mac.c[1] = (unsigned char)(bitlen>>16);
 310                         mac.c[2] = (unsigned char)(bitlen>>8);
 311                         mac.c[3] = (unsigned char)bitlen;
 312                         bitlen = mac.u[0];
 313 #endif
 314
 315                         pmac->u[0]=0;
 316                         pmac->u[1]=0;
 317                         pmac->u[2]=0;
 318                         pmac->u[3]=0;
 319                         pmac->u[4]=0;
 320
 321                         for (res=key->md.num, j=0;j<len;j++) {
 322                                 size_t c = out[j];
 323                                 mask = (j-inp_len)>>(sizeof(j)*8-8);
 324                                 c &= mask;
 325                                 c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8));
 326                                 data->c[res++]=(unsigned char)c;
 327
 328                                 if (res!=SHA_CBLOCK) continue;
 329
 330                                 /* j is not incremented yet */
 331                                 mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
 332                                 data->u[SHA_LBLOCK-1] |= bitlen&mask;
 333                                 sha1_block_data_order(&key->md,data,1);
 334                                 mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
 335                                 pmac->u[0] |= key->md.h0 & mask;
 336                                 pmac->u[1] |= key->md.h1 & mask;
 337                                 pmac->u[2] |= key->md.h2 & mask;
 338                                 pmac->u[3] |= key->md.h3 & mask;
 339                                 pmac->u[4] |= key->md.h4 & mask;
 340                                 res=0;
 341                         }
 342
 343                         for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0;
 344
 345                         if (res>SHA_CBLOCK-8) {
 346                                 mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
 347                                 data->u[SHA_LBLOCK-1] |= bitlen&mask;
 348                                 sha1_block_data_order(&key->md,data,1);
 349                                 mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
 350                                 pmac->u[0] |= key->md.h0 & mask;
 351                                 pmac->u[1] |= key->md.h1 & mask;
 352                                 pmac->u[2] |= key->md.h2 & mask;
 353                                 pmac->u[3] |= key->md.h3 & mask;
 354                                 pmac->u[4] |= key->md.h4 & mask;
 355
 356                                 memset(data,0,SHA_CBLOCK);
 357                                 j+=64;
 358                         }
 359                         data->u[SHA_LBLOCK-1] = bitlen;
 360                         sha1_block_data_order(&key->md,data,1);
 361                         mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
 362                         pmac->u[0] |= key->md.h0 & mask;
 363                         pmac->u[1] |= key->md.h1 & mask;
 364                         pmac->u[2] |= key->md.h2 & mask;
 365                         pmac->u[3] |= key->md.h3 & mask;
 366                         pmac->u[4] |= key->md.h4 & mask;
 367
 368 #ifdef BSWAP
 369                         pmac->u[0] = BSWAP(pmac->u[0]);
 370                         pmac->u[1] = BSWAP(pmac->u[1]);
 371                         pmac->u[2] = BSWAP(pmac->u[2]);
 372                         pmac->u[3] = BSWAP(pmac->u[3]);
 373                         pmac->u[4] = BSWAP(pmac->u[4]);
 374 #else
 375                         for (i=0;i<5;i++) {
 376                                 res = pmac->u[i];
 377                                 pmac->c[4*i+0]=(unsigned char)(res>>24);
 378                                 pmac->c[4*i+1]=(unsigned char)(res>>16);
 379                                 pmac->c[4*i+2]=(unsigned char)(res>>8);
 380                                 pmac->c[4*i+3]=(unsigned char)res;
 381                         }
 382 #endif
 383                         len += SHA_DIGEST_LENGTH;
 384 #else
 385                         SHA1_Update(&key->md,out,inp_len);
 386                         res = key->md.num;
 387                         SHA1_Final(pmac->c,&key->md);
 388
 389                         {
 390                         unsigned int inp_blocks, pad_blocks;
 391
 392                         /* but pretend as if we hashed padded payload */
 393                         inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
 394                         res += (unsigned int)(len-inp_len);
 395                         pad_blocks = res / SHA_CBLOCK;
 396                         res %= SHA_CBLOCK;
 397                         pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
 398                         for (;inp_blocks<pad_blocks;inp_blocks++)
 399                                 sha1_block_data_order(&key->md,data,1);
 400                         }
 401 #endif
 402                         key->md = key->tail;
 403                         SHA1_Update(&key->md,pmac->c,SHA_DIGEST_LENGTH);
 404                         SHA1_Final(pmac->c,&key->md);
 405
 406                         /* verify HMAC */
 407                         out += inp_len;
 408                         len -= inp_len;
 409 #if 1
 410                         {
 411                         unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH;
 412                         size_t off = out-p;
 413                         unsigned int c, cmask;
 414
 415                         maxpad += SHA_DIGEST_LENGTH;
 416                         for (res=0,i=0,j=0;j<maxpad;j++) {
 417                                 c = p[j];
 418                                 cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
 419                                 res |= (c^pad)&~cmask;  /* ... and padding */
 420                                 cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
 421                                 res |= (c^pmac->c[i])&cmask;
 422                                 i += 1&cmask;
 423                         }
 424                         maxpad -= SHA_DIGEST_LENGTH;
 425
 426                         res = 0-((0-res)>>(sizeof(res)*8-1));
 427                         ret &= (int)~res;
 428                         }
 429 #else
 430                         for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
 431                                 res |= out[i]^pmac->c[i];
 432                         res = 0-((0-res)>>(sizeof(res)*8-1));
 433                         ret &= (int)~res;
 434
 435                         /* verify padding */
 436                         pad = (pad&~res) | (maxpad&res);
 437                         out = out+len-1-pad;
 438                         for (res=0,i=0;i<pad;i++)
 439                                 res |= out[i]^pad;
 440
 441                         res = (0-res)>>(sizeof(res)*8-1);
 442                         ret &= (int)~res;
 443 #endif
 444                         return ret;
 445                 } else {
 446                         SHA1_Update(&key->md,out,len);
 447                 }
 448         }
 449
 450         return 1;
 451         }
 452
 453 static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 454         {
 455         EVP_AES_HMAC_SHA1 *key = data(ctx);
 456
 457         switch (type)
 458                 {
 459         case EVP_CTRL_AEAD_SET_MAC_KEY:
 460                 {
 461                 unsigned int  i;
 462                 unsigned char hmac_key[64];
 463
 464                 memset (hmac_key,0,sizeof(hmac_key));
 465
 466                 if (arg > (int)sizeof(hmac_key)) {
 467                         SHA1_Init(&key->head);
 468                         SHA1_Update(&key->head,ptr,arg);
 469                         SHA1_Final(hmac_key,&key->head);
 470                 } else {
 471                         memcpy(hmac_key,ptr,arg);
 472                 }
 473
 474                 for (i=0;i<sizeof(hmac_key);i++)
 475                         hmac_key[i] ^= 0x36;            /* ipad */
 476                 SHA1_Init(&key->head);
 477                 SHA1_Update(&key->head,hmac_key,sizeof(hmac_key));
 478
 479                 for (i=0;i<sizeof(hmac_key);i++)
 480                         hmac_key[i] ^= 0x36^0x5c;       /* opad */
 481                 SHA1_Init(&key->tail);
 482                 SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key));
 483
 484                 OPENSSL_cleanse(hmac_key,sizeof(hmac_key));
 485
 486                 return 1;
 487                 }
 488         case EVP_CTRL_AEAD_TLS1_AAD:
 489                 {
 490                 unsigned char *p=ptr;
 491                 unsigned int   len=p[arg-2]<<8|p[arg-1];
 492
 493                 if (ctx->encrypt)
 494                         {
 495                         key->payload_length = len;
 496                         if ((key->aux.tls_ver=p[arg-4]<<8|p[arg-3]) >= TLS1_1_VERSION) {
 497                                 len -= AES_BLOCK_SIZE;
 498                                 p[arg-2] = len>>8;
 499                                 p[arg-1] = len;
 500                         }
 501                         key->md = key->head;
 502                         SHA1_Update(&key->md,p,arg);
 503
 504                         return (int)(((len+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE)
 505                                 - len);
 506                         }
 507                 else
 508                         {
 509                         if (arg>13) arg = 13;
 510                         memcpy(key->aux.tls_aad,ptr,arg);
 511                         key->payload_length = arg;
 512
 513                         return SHA_DIGEST_LENGTH;
 514                         }
 515                 }
 516         default:
 517                 return -1;
 518                 }
 519         }
 520
 521 static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher =
 522         {
 523 #ifdef NID_aes_128_cbc_hmac_sha1
 524         NID_aes_128_cbc_hmac_sha1,
 525 #else
 526         NID_undef,
 527 #endif
 528         16,16,16,
 529         EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
 530         aesni_cbc_hmac_sha1_init_key,
 531         aesni_cbc_hmac_sha1_cipher,
 532         NULL,
 533         sizeof(EVP_AES_HMAC_SHA1),
 534         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
 535         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
 536         aesni_cbc_hmac_sha1_ctrl,
 537         NULL
 538         };
 539
 540 static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher =
 541         {
 542 #ifdef NID_aes_256_cbc_hmac_sha1
 543         NID_aes_256_cbc_hmac_sha1,
 544 #else
 545         NID_undef,
 546 #endif
 547         16,32,16,
 548         EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
 549         aesni_cbc_hmac_sha1_init_key,
 550         aesni_cbc_hmac_sha1_cipher,
 551         NULL,
 552         sizeof(EVP_AES_HMAC_SHA1),
 553         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
 554         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
 555         aesni_cbc_hmac_sha1_ctrl,
 556         NULL
 557         };
 558
 559 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
 560         {
 561         return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
 562                 &aesni_128_cbc_hmac_sha1_cipher:NULL);
 563         }
 564
 565 const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
 566         {
 567         return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
 568                 &aesni_256_cbc_hmac_sha1_cipher:NULL);
 569         }
 570 #else
 571 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
 572         {
 573         return NULL;
 574         }
 575 const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
 576         {
 577         return NULL;
 578         }
 579 #endif
 580 #endif