crypto/evp/e_aes_cbc_hmac_sha1.c

   1 /* ====================================================================
   2  * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  *
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  *
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in
  13  *    the documentation and/or other materials provided with the
  14  *    distribution.
  15  *
  16  * 3. All advertising materials mentioning features or use of this
  17  *    software must display the following acknowledgment:
  18  *    "This product includes software developed by the OpenSSL Project
  19  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  20  *
  21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22  *    endorse or promote products derived from this software without
  23  *    prior written permission. For written permission, please contact
  24  *    licensing@OpenSSL.org.
  25  *
  26  * 5. Products derived from this software may not be called "OpenSSL"
  27  *    nor may "OpenSSL" appear in their names without prior written
  28  *    permission of the OpenSSL Project.
  29  *
  30  * 6. Redistributions of any form whatsoever must retain the following
  31  *    acknowledgment:
  32  *    "This product includes software developed by the OpenSSL Project
  33  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  34  *
  35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46  * OF THE POSSIBILITY OF SUCH DAMAGE.
  47  * ====================================================================
  48  */
  49
  50 #include <openssl/opensslconf.h>
  51
  52 #include <stdio.h>
  53 #include <string.h>
  54
  55 #if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1)
  56
  57 #include <openssl/evp.h>
  58 #include <openssl/objects.h>
  59 #include <openssl/aes.h>
  60 #include <openssl/sha.h>
  61 #include "evp_locl.h"
  62
  63 #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
  64 #define EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
  65 #define EVP_CTRL_AEAD_TLS1_AAD          0x16
  66 #define EVP_CTRL_AEAD_SET_MAC_KEY       0x17
  67 #endif
  68
  69 #if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1)
  70 #define EVP_CIPH_FLAG_DEFAULT_ASN1 0
  71 #endif
  72
  73 #define TLS1_1_VERSION 0x0302
  74
  75 typedef struct
  76     {
  77     AES_KEY             ks;
  78     SHA_CTX             head,tail,md;
  79     size_t              payload_length; /* AAD length in decrypt case */
  80     union {
  81         unsigned int    tls_ver;
  82         unsigned char   tls_aad[16];    /* 13 used */
  83     } aux;
  84     } EVP_AES_HMAC_SHA1;
  85
  86 #define NO_PAYLOAD_LENGTH       ((size_t)-1)
  87
  88 #if     defined(AES_ASM) &&     ( \
  89         defined(__x86_64)       || defined(__x86_64__)  || \
  90         defined(_M_AMD64)       || defined(_M_X64)      || \
  91         defined(__INTEL__)      )
  92
  93 #if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
  94 # define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
  95 #endif
  96
  97 extern unsigned int OPENSSL_ia32cap_P[2];
  98 #define AESNI_CAPABLE   (1<<(57-32))
  99
 100 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
 101                               AES_KEY *key);
 102 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
 103                               AES_KEY *key);
 104
 105 void aesni_cbc_encrypt(const unsigned char *in,
 106                            unsigned char *out,
 107                            size_t length,
 108                            const AES_KEY *key,
 109                            unsigned char *ivec, int enc);
 110
 111 void aesni_cbc_sha1_enc (const void *inp, void *out, size_t blocks,
 112                 const AES_KEY *key, unsigned char iv[16],
 113                 SHA_CTX *ctx,const void *in0);
 114
 115 #define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)
 116
 117 static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
 118                         const unsigned char *inkey,
 119                         const unsigned char *iv, int enc)
 120         {
 121         EVP_AES_HMAC_SHA1 *key = data(ctx);
 122         int ret;
 123
 124         if (enc)
 125                 ret=aesni_set_encrypt_key(inkey,ctx->key_len*8,&key->ks);
 126         else
 127                 ret=aesni_set_decrypt_key(inkey,ctx->key_len*8,&key->ks);
 128
 129         SHA1_Init(&key->head);  /* handy when benchmarking */
 130         key->tail = key->head;
 131         key->md   = key->head;
 132
 133         key->payload_length = NO_PAYLOAD_LENGTH;
 134
 135         return ret<0?0:1;
 136         }
 137
 138 #define STITCHED_CALL
 139
 140 #if !defined(STITCHED_CALL)
 141 #define aes_off 0
 142 #endif
 143
 144 void sha1_block_data_order (void *c,const void *p,size_t len);
 145
 146 static void sha1_update(SHA_CTX *c,const void *data,size_t len)
 147 {       const unsigned char *ptr = data;
 148         size_t res;
 149
 150         if ((res = c->num)) {
 151                 res = SHA_CBLOCK-res;
 152                 if (len<res) res=len;
 153                 SHA1_Update (c,ptr,res);
 154                 ptr += res;
 155                 len -= res;
 156         }
 157
 158         res = len % SHA_CBLOCK;
 159         len -= res;
 160
 161         if (len) {
 162                 sha1_block_data_order(c,ptr,len/SHA_CBLOCK);
 163
 164                 ptr += len;
 165                 c->Nh += len>>29;
 166                 c->Nl += len<<=3;
 167                 if (c->Nl<(unsigned int)len) c->Nh++;
 168         }
 169
 170         if (res)
 171                 SHA1_Update(c,ptr,res);
 172 }
 173
 174 #ifdef SHA1_Update
 175 #undef SHA1_Update
 176 #endif
 177 #define SHA1_Update sha1_update
 178
 179 static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 180                       const unsigned char *in, size_t len)
 181         {
 182         EVP_AES_HMAC_SHA1 *key = data(ctx);
 183         unsigned int l;
 184         size_t  plen = key->payload_length,
 185                 iv = 0,         /* explicit IV in TLS 1.1 and later */
 186                 sha_off = 0;
 187 #if defined(STITCHED_CALL)
 188         size_t  aes_off = 0,
 189                 blocks;
 190
 191         sha_off = SHA_CBLOCK-key->md.num;
 192 #endif
 193
 194         key->payload_length = NO_PAYLOAD_LENGTH;
 195
 196         if (len%AES_BLOCK_SIZE) return 0;
 197
 198         if (ctx->encrypt) {
 199                 if (plen==NO_PAYLOAD_LENGTH)
 200                         plen = len;
 201                 else if (len!=((plen+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE))
 202                         return 0;
 203                 else if (key->aux.tls_ver >= TLS1_1_VERSION)
 204                         iv = AES_BLOCK_SIZE;
 205
 206 #if defined(STITCHED_CALL)
 207                 if (plen>(sha_off+iv) && (blocks=(plen-(sha_off+iv))/SHA_CBLOCK)) {
 208                         SHA1_Update(&key->md,in+iv,sha_off);
 209
 210                         aesni_cbc_sha1_enc(in,out,blocks,&key->ks,
 211                                 ctx->iv,&key->md,in+iv+sha_off);
 212                         blocks *= SHA_CBLOCK;
 213                         aes_off += blocks;
 214                         sha_off += blocks;
 215                         key->md.Nh += blocks>>29;
 216                         key->md.Nl += blocks<<=3;
 217                         if (key->md.Nl<(unsigned int)blocks) key->md.Nh++;
 218                 } else {
 219                         sha_off = 0;
 220                 }
 221 #endif
 222                 sha_off += iv;
 223                 SHA1_Update(&key->md,in+sha_off,plen-sha_off);
 224
 225                 if (plen!=len)  {       /* "TLS" mode of operation */
 226                         if (in!=out)
 227                                 memcpy(out+aes_off,in+aes_off,plen-aes_off);
 228
 229                         /* calculate HMAC and append it to payload */
 230                         SHA1_Final(out+plen,&key->md);
 231                         key->md = key->tail;
 232                         SHA1_Update(&key->md,out+plen,SHA_DIGEST_LENGTH);
 233                         SHA1_Final(out+plen,&key->md);
 234
 235                         /* pad the payload|hmac */
 236                         plen += SHA_DIGEST_LENGTH;
 237                         for (l=len-plen-1;plen<len;plen++) out[plen]=l;
 238                         /* encrypt HMAC|padding at once */
 239                         aesni_cbc_encrypt(out+aes_off,out+aes_off,len-aes_off,
 240                                         &key->ks,ctx->iv,1);
 241                 } else {
 242                         aesni_cbc_encrypt(in+aes_off,out+aes_off,len-aes_off,
 243                                         &key->ks,ctx->iv,1);
 244                 }
 245         } else {
 246                 union { unsigned int  u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
 247                         unsigned char c[32+SHA_DIGEST_LENGTH]; } mac, *pmac;
 248
 249                 /* arrange cache line alignment */
 250                 pmac = (void *)(((size_t)mac.c+31)&((size_t)0-32));
 251
 252                 /* decrypt HMAC|padding at once */
 253                 aesni_cbc_encrypt(in,out,len,
 254                                 &key->ks,ctx->iv,0);
 255
 256                 if (plen) {     /* "TLS" mode of operation */
 257                         size_t inp_len, mask, j, i;
 258                         unsigned int res, maxpad, pad, bitlen;
 259                         int ret = 1;
 260                         union { unsigned int  u[SHA_LBLOCK];
 261                                 unsigned char c[SHA_CBLOCK]; }
 262                                 *data = (void *)key->md.data;
 263
 264                         if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3])
 265                             >= TLS1_1_VERSION)
 266                                 iv = AES_BLOCK_SIZE;
 267
 268                         if (len<(iv+SHA_DIGEST_LENGTH+1))
 269                                 return 0;
 270
 271                         /* omit explicit iv */
 272                         out += iv;
 273                         len -= iv;
 274
 275                         /* figure out payload length */
 276                         pad = out[len-1];
 277                         maxpad = len-(SHA_DIGEST_LENGTH+1);
 278                         maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
 279                         maxpad &= 255;
 280
 281                         inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
 282                         mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
 283                         inp_len &= mask;
 284                         ret &= (int)mask;
 285
 286                         key->aux.tls_aad[plen-2] = inp_len>>8;
 287                         key->aux.tls_aad[plen-1] = inp_len;
 288
 289                         /* calculate HMAC */
 290                         key->md = key->head;
 291                         SHA1_Update(&key->md,key->aux.tls_aad,plen);
 292
 293 #if 1
 294                         len -= SHA_DIGEST_LENGTH;               /* amend mac */
 295                         if (len>=(256+SHA_CBLOCK)) {
 296                                 j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK);
 297                                 j += SHA_CBLOCK-key->md.num;
 298                                 SHA1_Update(&key->md,out,j);
 299                                 out += j;
 300                                 len -= j;
 301                                 inp_len -= j;
 302                         }
 303
 304                         /* but pretend as if we hashed padded payload */
 305                         bitlen = key->md.Nl+(inp_len<<3);       /* at most 18 bits */
 306 #ifdef BSWAP
 307                         bitlen = BSWAP(bitlen);
 308 #else
 309                         mac.c[0] = 0;
 310                         mac.c[1] = (unsigned char)(bitlen>>16);
 311                         mac.c[2] = (unsigned char)(bitlen>>8);
 312                         mac.c[3] = (unsigned char)bitlen;
 313                         bitlen = mac.u[0];
 314 #endif
 315
 316                         pmac->u[0]=0;
 317                         pmac->u[1]=0;
 318                         pmac->u[2]=0;
 319                         pmac->u[3]=0;
 320                         pmac->u[4]=0;
 321
 322                         for (res=key->md.num, j=0;j<len;j++) {
 323                                 size_t c = out[j];
 324                                 mask = (j-inp_len)>>(sizeof(j)*8-8);
 325                                 c &= mask;
 326                                 c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8));
 327                                 data->c[res++]=(unsigned char)c;
 328
 329                                 if (res!=SHA_CBLOCK) continue;
 330
 331                                 /* j is not incremented yet */
 332                                 mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
 333                                 data->u[SHA_LBLOCK-1] |= bitlen&mask;
 334                                 sha1_block_data_order(&key->md,data,1);
 335                                 mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
 336                                 pmac->u[0] |= key->md.h0 & mask;
 337                                 pmac->u[1] |= key->md.h1 & mask;
 338                                 pmac->u[2] |= key->md.h2 & mask;
 339                                 pmac->u[3] |= key->md.h3 & mask;
 340                                 pmac->u[4] |= key->md.h4 & mask;
 341                                 res=0;
 342                         }
 343
 344                         for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0;
 345
 346                         if (res>SHA_CBLOCK-8) {
 347                                 mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
 348                                 data->u[SHA_LBLOCK-1] |= bitlen&mask;
 349                                 sha1_block_data_order(&key->md,data,1);
 350                                 mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
 351                                 pmac->u[0] |= key->md.h0 & mask;
 352                                 pmac->u[1] |= key->md.h1 & mask;
 353                                 pmac->u[2] |= key->md.h2 & mask;
 354                                 pmac->u[3] |= key->md.h3 & mask;
 355                                 pmac->u[4] |= key->md.h4 & mask;
 356
 357                                 memset(data,0,SHA_CBLOCK);
 358                                 j+=64;
 359                         }
 360                         data->u[SHA_LBLOCK-1] = bitlen;
 361                         sha1_block_data_order(&key->md,data,1);
 362                         mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
 363                         pmac->u[0] |= key->md.h0 & mask;
 364                         pmac->u[1] |= key->md.h1 & mask;
 365                         pmac->u[2] |= key->md.h2 & mask;
 366                         pmac->u[3] |= key->md.h3 & mask;
 367                         pmac->u[4] |= key->md.h4 & mask;
 368
 369 #ifdef BSWAP
 370                         pmac->u[0] = BSWAP(pmac->u[0]);
 371                         pmac->u[1] = BSWAP(pmac->u[1]);
 372                         pmac->u[2] = BSWAP(pmac->u[2]);
 373                         pmac->u[3] = BSWAP(pmac->u[3]);
 374                         pmac->u[4] = BSWAP(pmac->u[4]);
 375 #else
 376                         for (i=0;i<5;i++) {
 377                                 res = pmac->u[i];
 378                                 pmac->c[4*i+0]=(unsigned char)(res>>24);
 379                                 pmac->c[4*i+1]=(unsigned char)(res>>16);
 380                                 pmac->c[4*i+2]=(unsigned char)(res>>8);
 381                                 pmac->c[4*i+3]=(unsigned char)res;
 382                         }
 383 #endif
 384                         len += SHA_DIGEST_LENGTH;
 385 #else
 386                         SHA1_Update(&key->md,out,inp_len);
 387                         res = key->md.num;
 388                         SHA1_Final(pmac->c,&key->md);
 389
 390                         {
 391                         unsigned int inp_blocks, pad_blocks;
 392
 393                         /* but pretend as if we hashed padded payload */
 394                         inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
 395                         res += (unsigned int)(len-inp_len);
 396                         pad_blocks = res / SHA_CBLOCK;
 397                         res %= SHA_CBLOCK;
 398                         pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
 399                         for (;inp_blocks<pad_blocks;inp_blocks++)
 400                                 sha1_block_data_order(&key->md,data,1);
 401                         }
 402 #endif
 403                         key->md = key->tail;
 404                         SHA1_Update(&key->md,pmac->c,SHA_DIGEST_LENGTH);
 405                         SHA1_Final(pmac->c,&key->md);
 406
 407                         /* verify HMAC */
 408                         out += inp_len;
 409                         len -= inp_len;
 410 #if 1
 411                         {
 412                         unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH;
 413                         size_t off = out-p;
 414                         unsigned int c, cmask;
 415
 416                         maxpad += SHA_DIGEST_LENGTH;
 417                         for (res=0,i=0,j=0;j<maxpad;j++) {
 418                                 c = p[j];
 419                                 cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
 420                                 res |= (c^pad)&~cmask;  /* ... and padding */
 421                                 cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
 422                                 res |= (c^pmac->c[i])&cmask;
 423                                 i += 1&cmask;
 424                         }
 425                         maxpad -= SHA_DIGEST_LENGTH;
 426
 427                         res = 0-((0-res)>>(sizeof(res)*8-1));
 428                         ret &= (int)~res;
 429                         }
 430 #else
 431                         for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
 432                                 res |= out[i]^pmac->c[i];
 433                         res = 0-((0-res)>>(sizeof(res)*8-1));
 434                         ret &= (int)~res;
 435
 436                         /* verify padding */
 437                         pad = (pad&~res) | (maxpad&res);
 438                         out = out+len-1-pad;
 439                         for (res=0,i=0;i<pad;i++)
 440                                 res |= out[i]^pad;
 441
 442                         res = (0-res)>>(sizeof(res)*8-1);
 443                         ret &= (int)~res;
 444 #endif
 445                         return ret;
 446                 } else {
 447                         SHA1_Update(&key->md,out,len);
 448                 }
 449         }
 450
 451         return 1;
 452         }
 453
 454 static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 455         {
 456         EVP_AES_HMAC_SHA1 *key = data(ctx);
 457
 458         switch (type)
 459                 {
 460         case EVP_CTRL_AEAD_SET_MAC_KEY:
 461                 {
 462                 unsigned int  i;
 463                 unsigned char hmac_key[64];
 464
 465                 memset (hmac_key,0,sizeof(hmac_key));
 466
 467                 if (arg > (int)sizeof(hmac_key)) {
 468                         SHA1_Init(&key->head);
 469                         SHA1_Update(&key->head,ptr,arg);
 470                         SHA1_Final(hmac_key,&key->head);
 471                 } else {
 472                         memcpy(hmac_key,ptr,arg);
 473                 }
 474
 475                 for (i=0;i<sizeof(hmac_key);i++)
 476                         hmac_key[i] ^= 0x36;            /* ipad */
 477                 SHA1_Init(&key->head);
 478                 SHA1_Update(&key->head,hmac_key,sizeof(hmac_key));
 479
 480                 for (i=0;i<sizeof(hmac_key);i++)
 481                         hmac_key[i] ^= 0x36^0x5c;       /* opad */
 482                 SHA1_Init(&key->tail);
 483                 SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key));
 484
 485                 OPENSSL_cleanse(hmac_key,sizeof(hmac_key));
 486
 487                 return 1;
 488                 }
 489         case EVP_CTRL_AEAD_TLS1_AAD:
 490                 {
 491                 unsigned char *p=ptr;
 492                 unsigned int   len=p[arg-2]<<8|p[arg-1];
 493
 494                 if (ctx->encrypt)
 495                         {
 496                         key->payload_length = len;
 497                         if ((key->aux.tls_ver=p[arg-4]<<8|p[arg-3]) >= TLS1_1_VERSION) {
 498                                 len -= AES_BLOCK_SIZE;
 499                                 p[arg-2] = len>>8;
 500                                 p[arg-1] = len;
 501                         }
 502                         key->md = key->head;
 503                         SHA1_Update(&key->md,p,arg);
 504
 505                         return (int)(((len+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE)
 506                                 - len);
 507                         }
 508                 else
 509                         {
 510                         if (arg>13) arg = 13;
 511                         memcpy(key->aux.tls_aad,ptr,arg);
 512                         key->payload_length = arg;
 513
 514                         return SHA_DIGEST_LENGTH;
 515                         }
 516                 }
 517         default:
 518                 return -1;
 519                 }
 520         }
 521
 522 static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher =
 523         {
 524 #ifdef NID_aes_128_cbc_hmac_sha1
 525         NID_aes_128_cbc_hmac_sha1,
 526 #else
 527         NID_undef,
 528 #endif
 529         16,16,16,
 530         EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
 531         aesni_cbc_hmac_sha1_init_key,
 532         aesni_cbc_hmac_sha1_cipher,
 533         NULL,
 534         sizeof(EVP_AES_HMAC_SHA1),
 535         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
 536         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
 537         aesni_cbc_hmac_sha1_ctrl,
 538         NULL
 539         };
 540
 541 static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher =
 542         {
 543 #ifdef NID_aes_256_cbc_hmac_sha1
 544         NID_aes_256_cbc_hmac_sha1,
 545 #else
 546         NID_undef,
 547 #endif
 548         16,32,16,
 549         EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
 550         aesni_cbc_hmac_sha1_init_key,
 551         aesni_cbc_hmac_sha1_cipher,
 552         NULL,
 553         sizeof(EVP_AES_HMAC_SHA1),
 554         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
 555         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
 556         aesni_cbc_hmac_sha1_ctrl,
 557         NULL
 558         };
 559
 560 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
 561         {
 562         return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
 563                 &aesni_128_cbc_hmac_sha1_cipher:NULL);
 564         }
 565
 566 const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
 567         {
 568         return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
 569                 &aesni_256_cbc_hmac_sha1_cipher:NULL);
 570         }
 571 #else
 572 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
 573         {
 574         return NULL;
 575         }
 576 const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
 577         {
 578         return NULL;
 579         }
 580 #endif
 581 #endif