crypto/evp/e_aes_cbc_hmac_sha1.c

   1 /* ====================================================================
   2  * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  *
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  *
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in
  13  *    the documentation and/or other materials provided with the
  14  *    distribution.
  15  *
  16  * 3. All advertising materials mentioning features or use of this
  17  *    software must display the following acknowledgment:
  18  *    "This product includes software developed by the OpenSSL Project
  19  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  20  *
  21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22  *    endorse or promote products derived from this software without
  23  *    prior written permission. For written permission, please contact
  24  *    licensing@OpenSSL.org.
  25  *
  26  * 5. Products derived from this software may not be called "OpenSSL"
  27  *    nor may "OpenSSL" appear in their names without prior written
  28  *    permission of the OpenSSL Project.
  29  *
  30  * 6. Redistributions of any form whatsoever must retain the following
  31  *    acknowledgment:
  32  *    "This product includes software developed by the OpenSSL Project
  33  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  34  *
  35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46  * OF THE POSSIBILITY OF SUCH DAMAGE.
  47  * ====================================================================
  48  */
  49
  50 #include <openssl/opensslconf.h>
  51
  52 #include <stdio.h>
  53 #include <string.h>
  54
  55 #if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1)
  56
  57 #include <openssl/evp.h>
  58 #include <openssl/objects.h>
  59 #include <openssl/aes.h>
  60 #include <openssl/sha.h>
  61
  62 #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
  63 #define EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
  64 #define EVP_CTRL_AEAD_TLS1_AAD          0x16
  65 #define EVP_CTRL_AEAD_SET_MAC_KEY       0x17
  66 #endif
  67
  68 #if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1)
  69 #define EVP_CIPH_FLAG_DEFAULT_ASN1 0
  70 #endif
  71
  72 #define TLS1_1_VERSION 0x0302
  73
  74 typedef struct
  75     {
  76     AES_KEY             ks;
  77     SHA_CTX             head,tail,md;
  78     size_t              payload_length; /* AAD length in decrypt case */
  79     union {
  80         unsigned int    tls_ver;
  81         unsigned char   tls_aad[16];    /* 13 used */
  82     } aux;
  83     } EVP_AES_HMAC_SHA1;
  84
  85 #define NO_PAYLOAD_LENGTH       ((size_t)-1)
  86
  87 #if     defined(AES_ASM) &&     ( \
  88         defined(__x86_64)       || defined(__x86_64__)  || \
  89         defined(_M_AMD64)       || defined(_M_X64)      || \
  90         defined(__INTEL__)      )
  91
  92 #if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
  93 # define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
  94 #endif
  95
  96 extern unsigned int OPENSSL_ia32cap_P[2];
  97 #define AESNI_CAPABLE   (1<<(57-32))
  98
  99 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
 100                               AES_KEY *key);
 101 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
 102                               AES_KEY *key);
 103
 104 void aesni_cbc_encrypt(const unsigned char *in,
 105                            unsigned char *out,
 106                            size_t length,
 107                            const AES_KEY *key,
 108                            unsigned char *ivec, int enc);
 109
 110 void aesni_cbc_sha1_enc (const void *inp, void *out, size_t blocks,
 111                 const AES_KEY *key, unsigned char iv[16],
 112                 SHA_CTX *ctx,const void *in0);
 113
 114 #define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)
 115
 116 static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
 117                         const unsigned char *inkey,
 118                         const unsigned char *iv, int enc)
 119         {
 120         EVP_AES_HMAC_SHA1 *key = data(ctx);
 121         int ret;
 122
 123         if (enc)
 124                 ret=aesni_set_encrypt_key(inkey,ctx->key_len*8,&key->ks);
 125         else
 126                 ret=aesni_set_decrypt_key(inkey,ctx->key_len*8,&key->ks);
 127
 128         SHA1_Init(&key->head);  /* handy when benchmarking */
 129         key->tail = key->head;
 130         key->md   = key->head;
 131
 132         key->payload_length = NO_PAYLOAD_LENGTH;
 133
 134         return ret<0?0:1;
 135         }
 136
 137 #define STITCHED_CALL
 138
 139 #if !defined(STITCHED_CALL)
 140 #define aes_off 0
 141 #endif
 142
 143 void sha1_block_data_order (void *c,const void *p,size_t len);
 144
 145 static void sha1_update(SHA_CTX *c,const void *data,size_t len)
 146 {       const unsigned char *ptr = data;
 147         size_t res;
 148
 149         if ((res = c->num)) {
 150                 res = SHA_CBLOCK-res;
 151                 if (len<res) res=len;
 152                 SHA1_Update (c,ptr,res);
 153                 ptr += res;
 154                 len -= res;
 155         }
 156
 157         res = len % SHA_CBLOCK;
 158         len -= res;
 159
 160         if (len) {
 161                 sha1_block_data_order(c,ptr,len/SHA_CBLOCK);
 162
 163                 ptr += len;
 164                 c->Nh += len>>29;
 165                 c->Nl += len<<=3;
 166                 if (c->Nl<(unsigned int)len) c->Nh++;
 167         }
 168
 169         if (res)
 170                 SHA1_Update(c,ptr,res);
 171 }
 172
 173 #ifdef SHA1_Update
 174 #undef SHA1_Update
 175 #endif
 176 #define SHA1_Update sha1_update
 177
 178 static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 179                       const unsigned char *in, size_t len)
 180         {
 181         EVP_AES_HMAC_SHA1 *key = data(ctx);
 182         unsigned int l;
 183         size_t  plen = key->payload_length,
 184                 iv = 0,         /* explicit IV in TLS 1.1 and later */
 185                 sha_off = 0;
 186 #if defined(STITCHED_CALL)
 187         size_t  aes_off = 0,
 188                 blocks;
 189
 190         sha_off = SHA_CBLOCK-key->md.num;
 191 #endif
 192
 193         key->payload_length = NO_PAYLOAD_LENGTH;
 194
 195         if (len%AES_BLOCK_SIZE) return 0;
 196
 197         if (ctx->encrypt) {
 198                 if (plen==NO_PAYLOAD_LENGTH)
 199                         plen = len;
 200                 else if (len!=((plen+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE))
 201                         return 0;
 202                 else if (key->aux.tls_ver >= TLS1_1_VERSION)
 203                         iv = AES_BLOCK_SIZE;
 204
 205 #if defined(STITCHED_CALL)
 206                 if (plen>(sha_off+iv) && (blocks=(plen-(sha_off+iv))/SHA_CBLOCK)) {
 207                         SHA1_Update(&key->md,in+iv,sha_off);
 208
 209                         aesni_cbc_sha1_enc(in,out,blocks,&key->ks,
 210                                 ctx->iv,&key->md,in+iv+sha_off);
 211                         blocks *= SHA_CBLOCK;
 212                         aes_off += blocks;
 213                         sha_off += blocks;
 214                         key->md.Nh += blocks>>29;
 215                         key->md.Nl += blocks<<=3;
 216                         if (key->md.Nl<(unsigned int)blocks) key->md.Nh++;
 217                 } else {
 218                         sha_off = 0;
 219                 }
 220 #endif
 221                 sha_off += iv;
 222                 SHA1_Update(&key->md,in+sha_off,plen-sha_off);
 223
 224                 if (plen!=len)  {       /* "TLS" mode of operation */
 225                         if (in!=out)
 226                                 memcpy(out+aes_off,in+aes_off,plen-aes_off);
 227
 228                         /* calculate HMAC and append it to payload */
 229                         SHA1_Final(out+plen,&key->md);
 230                         key->md = key->tail;
 231                         SHA1_Update(&key->md,out+plen,SHA_DIGEST_LENGTH);
 232                         SHA1_Final(out+plen,&key->md);
 233
 234                         /* pad the payload|hmac */
 235                         plen += SHA_DIGEST_LENGTH;
 236                         for (l=len-plen-1;plen<len;plen++) out[plen]=l;
 237                         /* encrypt HMAC|padding at once */
 238                         aesni_cbc_encrypt(out+aes_off,out+aes_off,len-aes_off,
 239                                         &key->ks,ctx->iv,1);
 240                 } else {
 241                         aesni_cbc_encrypt(in+aes_off,out+aes_off,len-aes_off,
 242                                         &key->ks,ctx->iv,1);
 243                 }
 244         } else {
 245                 union { unsigned int  u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
 246                         unsigned char c[SHA_DIGEST_LENGTH]; } mac;
 247
 248                 /* decrypt HMAC|padding at once */
 249                 aesni_cbc_encrypt(in,out,len,
 250                                 &key->ks,ctx->iv,0);
 251
 252                 if (plen) {     /* "TLS" mode of operation */
 253                         size_t inp_len, mask, j, i;
 254                         unsigned int res, maxpad, pad, bitlen;
 255                         int ret = 1;
 256                         union { unsigned int  u[SHA_LBLOCK];
 257                                 unsigned char c[SHA_CBLOCK]; }
 258                                 *data = (void *)key->md.data;
 259
 260                         if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3])
 261                             >= TLS1_1_VERSION)
 262                                 iv = AES_BLOCK_SIZE;
 263
 264                         if (len<(iv+SHA_DIGEST_LENGTH+1))
 265                                 return 0;
 266
 267                         /* omit explicit iv */
 268                         out += iv;
 269                         len -= iv;
 270
 271                         /* figure out payload length */
 272                         pad = out[len-1];
 273                         maxpad = len-(SHA_DIGEST_LENGTH+1);
 274                         maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
 275                         maxpad &= 255;
 276
 277                         inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
 278                         mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
 279                         inp_len &= mask;
 280                         ret &= (int)mask;
 281
 282                         key->aux.tls_aad[plen-2] = inp_len>>8;
 283                         key->aux.tls_aad[plen-1] = inp_len;
 284
 285                         /* calculate HMAC */
 286                         key->md = key->head;
 287                         SHA1_Update(&key->md,key->aux.tls_aad,plen);
 288
 289 #if 1
 290                         len -= SHA_DIGEST_LENGTH;               /* amend mac */
 291                         if (len>=(256+SHA_CBLOCK)) {
 292                                 j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK);
 293                                 j += SHA_CBLOCK-key->md.num;
 294                                 SHA1_Update(&key->md,out,j);
 295                                 out += j;
 296                                 len -= j;
 297                                 inp_len -= j;
 298                         }
 299
 300                         /* but pretend as if we hashed padded payload */
 301                         bitlen = key->md.Nl+(inp_len<<3);       /* at most 18 bits */
 302                         mac.c[0] = 0;
 303                         mac.c[1] = (unsigned char)(bitlen>>16);
 304                         mac.c[2] = (unsigned char)(bitlen>>8);
 305                         mac.c[3] = (unsigned char)bitlen;
 306                         bitlen = mac.u[0];
 307
 308                         mac.u[0]=0;
 309                         mac.u[1]=0;
 310                         mac.u[2]=0;
 311                         mac.u[3]=0;
 312                         mac.u[4]=0;
 313
 314                         for (res=key->md.num, j=0;j<len;j++) {
 315                                 size_t c = out[j];
 316                                 mask = (j-inp_len)>>(sizeof(j)*8-8);
 317                                 c &= mask;
 318                                 c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8));
 319                                 data->c[res++]=(unsigned char)c;
 320
 321                                 if (res!=SHA_CBLOCK) continue;
 322
 323                                 mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
 324                                 data->u[SHA_LBLOCK-1] |= bitlen&mask;
 325                                 sha1_block_data_order(&key->md,data,1);
 326                                 mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
 327                                 mac.u[0] |= key->md.h0 & mask;
 328                                 mac.u[1] |= key->md.h1 & mask;
 329                                 mac.u[2] |= key->md.h2 & mask;
 330                                 mac.u[3] |= key->md.h3 & mask;
 331                                 mac.u[4] |= key->md.h4 & mask;
 332                                 res=0;
 333                         }
 334
 335                         for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0;
 336
 337                         if (res>SHA_CBLOCK-8) {
 338                                 mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
 339                                 data->u[SHA_LBLOCK-1] |= bitlen&mask;
 340                                 sha1_block_data_order(&key->md,data,1);
 341                                 mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
 342                                 mac.u[0] |= key->md.h0 & mask;
 343                                 mac.u[1] |= key->md.h1 & mask;
 344                                 mac.u[2] |= key->md.h2 & mask;
 345                                 mac.u[3] |= key->md.h3 & mask;
 346                                 mac.u[4] |= key->md.h4 & mask;
 347
 348                                 memset(data,0,SHA_CBLOCK);
 349                                 j+=64;
 350                         }
 351                         data->u[SHA_LBLOCK-1] = bitlen;
 352                         sha1_block_data_order(&key->md,data,1);
 353                         mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
 354                         mac.u[0] |= key->md.h0 & mask;
 355                         mac.u[1] |= key->md.h1 & mask;
 356                         mac.u[2] |= key->md.h2 & mask;
 357                         mac.u[3] |= key->md.h3 & mask;
 358                         mac.u[4] |= key->md.h4 & mask;
 359
 360 #ifdef BSWAP
 361                         mac.u[0] = BSWAP(mac.u[0]);
 362                         mac.u[1] = BSWAP(mac.u[1]);
 363                         mac.u[2] = BSWAP(mac.u[2]);
 364                         mac.u[3] = BSWAP(mac.u[3]);
 365                         mac.u[4] = BSWAP(mac.u[4]);
 366 #else
 367                         for (i=0;i<5;i++) {
 368                                 res = mac.u[i];
 369                                 mac.c[4*i+0]=(unsigned char)(res>>24);
 370                                 mac.c[4*i+1]=(unsigned char)(res>>16);
 371                                 mac.c[4*i+2]=(unsigned char)(res>>8);
 372                                 mac.c[4*i+3]=(unsigned char)res;
 373                         }
 374 #endif
 375                         len += SHA_DIGEST_LENGTH;
 376 #else
 377                         SHA1_Update(&key->md,out,inp_len);
 378                         res = key->md.num;
 379                         SHA1_Final(mac.c,&key->md);
 380
 381                         {
 382                         unsigned int inp_blocks, pad_blocks;
 383
 384                         /* but pretend as if we hashed padded payload */
 385                         inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
 386                         res += (unsigned int)(len-inp_len);
 387                         pad_blocks = res / SHA_CBLOCK;
 388                         res %= SHA_CBLOCK;
 389                         pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
 390                         for (;inp_blocks<pad_blocks;inp_blocks++)
 391                                 sha1_block_data_order(&key->md,data,1);
 392                         }
 393 #endif
 394                         key->md = key->tail;
 395                         SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH);
 396                         SHA1_Final(mac.c,&key->md);
 397
 398                         /* verify HMAC */
 399                         out += inp_len;
 400                         len -= inp_len;
 401 #if 1
 402                         {
 403                         unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH;
 404                         size_t off = out-p;
 405                         unsigned int c, cmask;
 406
 407                         maxpad += SHA_DIGEST_LENGTH;
 408                         for (res=0,i=0,j=0;j<maxpad;j++) {
 409                                 c = p[j];
 410                                 cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
 411                                 res |= (c^pad)&~cmask;  /* ... and padding */
 412                                 cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
 413                                 res |= (c^mac.c[i])&cmask;
 414                                 i += 1&cmask;
 415                         }
 416                         maxpad -= SHA_DIGEST_LENGTH;
 417
 418                         res = 0-((0-res)>>(sizeof(res)*8-1));
 419                         ret &= (int)~res;
 420                         }
 421 #else
 422                         for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
 423                                 res |= out[i]^mac.c[i];
 424                         res = 0-((0-res)>>(sizeof(res)*8-1));
 425                         ret &= (int)~res;
 426
 427                         /* verify padding */
 428                         pad = (pad&~res) | (maxpad&res);
 429                         out = out+len-1-pad;
 430                         for (res=0,i=0;i<pad;i++)
 431                                 res |= out[i]^pad;
 432
 433                         res = (0-res)>>(sizeof(res)*8-1);
 434                         ret &= (int)~res;
 435 #endif
 436                         return ret;
 437                 } else {
 438                         SHA1_Update(&key->md,out,len);
 439                 }
 440         }
 441
 442         return 1;
 443         }
 444
 445 static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 446         {
 447         EVP_AES_HMAC_SHA1 *key = data(ctx);
 448
 449         switch (type)
 450                 {
 451         case EVP_CTRL_AEAD_SET_MAC_KEY:
 452                 {
 453                 unsigned int  i;
 454                 unsigned char hmac_key[64];
 455
 456                 memset (hmac_key,0,sizeof(hmac_key));
 457
 458                 if (arg > (int)sizeof(hmac_key)) {
 459                         SHA1_Init(&key->head);
 460                         SHA1_Update(&key->head,ptr,arg);
 461                         SHA1_Final(hmac_key,&key->head);
 462                 } else {
 463                         memcpy(hmac_key,ptr,arg);
 464                 }
 465
 466                 for (i=0;i<sizeof(hmac_key);i++)
 467                         hmac_key[i] ^= 0x36;            /* ipad */
 468                 SHA1_Init(&key->head);
 469                 SHA1_Update(&key->head,hmac_key,sizeof(hmac_key));
 470
 471                 for (i=0;i<sizeof(hmac_key);i++)
 472                         hmac_key[i] ^= 0x36^0x5c;       /* opad */
 473                 SHA1_Init(&key->tail);
 474                 SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key));
 475
 476                 OPENSSL_cleanse(hmac_key,sizeof(hmac_key));
 477
 478                 return 1;
 479                 }
 480         case EVP_CTRL_AEAD_TLS1_AAD:
 481                 {
 482                 unsigned char *p=ptr;
 483                 unsigned int   len=p[arg-2]<<8|p[arg-1];
 484
 485                 if (ctx->encrypt)
 486                         {
 487                         key->payload_length = len;
 488                         if ((key->aux.tls_ver=p[arg-4]<<8|p[arg-3]) >= TLS1_1_VERSION) {
 489                                 len -= AES_BLOCK_SIZE;
 490                                 p[arg-2] = len>>8;
 491                                 p[arg-1] = len;
 492                         }
 493                         key->md = key->head;
 494                         SHA1_Update(&key->md,p,arg);
 495
 496                         return (int)(((len+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE)
 497                                 - len);
 498                         }
 499                 else
 500                         {
 501                         if (arg>13) arg = 13;
 502                         memcpy(key->aux.tls_aad,ptr,arg);
 503                         key->payload_length = arg;
 504
 505                         return SHA_DIGEST_LENGTH;
 506                         }
 507                 }
 508         default:
 509                 return -1;
 510                 }
 511         }
 512
 513 static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher =
 514         {
 515 #ifdef NID_aes_128_cbc_hmac_sha1
 516         NID_aes_128_cbc_hmac_sha1,
 517 #else
 518         NID_undef,
 519 #endif
 520         16,16,16,
 521         EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
 522         aesni_cbc_hmac_sha1_init_key,
 523         aesni_cbc_hmac_sha1_cipher,
 524         NULL,
 525         sizeof(EVP_AES_HMAC_SHA1),
 526         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
 527         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
 528         aesni_cbc_hmac_sha1_ctrl,
 529         NULL
 530         };
 531
 532 static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher =
 533         {
 534 #ifdef NID_aes_256_cbc_hmac_sha1
 535         NID_aes_256_cbc_hmac_sha1,
 536 #else
 537         NID_undef,
 538 #endif
 539         16,32,16,
 540         EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
 541         aesni_cbc_hmac_sha1_init_key,
 542         aesni_cbc_hmac_sha1_cipher,
 543         NULL,
 544         sizeof(EVP_AES_HMAC_SHA1),
 545         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
 546         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
 547         aesni_cbc_hmac_sha1_ctrl,
 548         NULL
 549         };
 550
 551 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
 552         {
 553         return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
 554                 &aesni_128_cbc_hmac_sha1_cipher:NULL);
 555         }
 556
 557 const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
 558         {
 559         return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
 560                 &aesni_256_cbc_hmac_sha1_cipher:NULL);
 561         }
 562 #else
 563 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
 564         {
 565         return NULL;
 566         }
 567 const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
 568         {
 569         return NULL;
 570         }
 571 #endif
 572 #endif