crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c

   1 /* ====================================================================
   2  * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  *
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  *
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in
  13  *    the documentation and/or other materials provided with the
  14  *    distribution.
  15  *
  16  * 3. All advertising materials mentioning features or use of this
  17  *    software must display the following acknowledgment:
  18  *    "This product includes software developed by the OpenSSL Project
  19  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  20  *
  21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22  *    endorse or promote products derived from this software without
  23  *    prior written permission. For written permission, please contact
  24  *    licensing@OpenSSL.org.
  25  *
  26  * 5. Products derived from this software may not be called "OpenSSL"
  27  *    nor may "OpenSSL" appear in their names without prior written
  28  *    permission of the OpenSSL Project.
  29  *
  30  * 6. Redistributions of any form whatsoever must retain the following
  31  *    acknowledgment:
  32  *    "This product includes software developed by the OpenSSL Project
  33  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  34  *
  35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46  * OF THE POSSIBILITY OF SUCH DAMAGE.
  47  * ====================================================================
  48  */
  49
  50 #include <openssl/opensslconf.h>
  51
  52 #include <stdio.h>
  53 #include <string.h>
  54
  55 #if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1)
  56
  57 #include <openssl/evp.h>
  58 #include <openssl/objects.h>
  59 #include <openssl/aes.h>
  60 #include <openssl/sha.h>
  61 #include "evp_locl.h"
  62
  63 #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
  64 #define EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
  65 #define EVP_CTRL_AEAD_TLS1_AAD          0x16
  66 #define EVP_CTRL_AEAD_SET_MAC_KEY       0x17
  67 #endif
  68
  69 #if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1)
  70 #define EVP_CIPH_FLAG_DEFAULT_ASN1 0
  71 #endif
  72
  73 #define TLS1_1_VERSION 0x0302
  74
  75 typedef struct
  76     {
  77     AES_KEY             ks;
  78     SHA_CTX             head,tail,md;
  79     size_t              payload_length; /* AAD length in decrypt case */
  80     union {
  81         unsigned int    tls_ver;
  82         unsigned char   tls_aad[16];    /* 13 used */
  83     } aux;
  84     } EVP_AES_HMAC_SHA1;
  85
  86 #define NO_PAYLOAD_LENGTH       ((size_t)-1)
  87
  88 #if     defined(AES_ASM) &&     ( \
  89         defined(__x86_64)       || defined(__x86_64__)  || \
  90         defined(_M_AMD64)       || defined(_M_X64)      || \
  91         defined(__INTEL__)      )
  92
  93 #if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
  94 # define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
  95 #endif
  96
  97 extern unsigned int OPENSSL_ia32cap_P[2];
  98 #define AESNI_CAPABLE   (1<<(57-32))
  99
 100 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
 101                               AES_KEY *key);
 102 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
 103                               AES_KEY *key);
 104
 105 void aesni_cbc_encrypt(const unsigned char *in,
 106                            unsigned char *out,
 107                            size_t length,
 108                            const AES_KEY *key,
 109                            unsigned char *ivec, int enc);
 110
 111 void aesni_cbc_sha1_enc (const void *inp, void *out, size_t blocks,
 112                 const AES_KEY *key, unsigned char iv[16],
 113                 SHA_CTX *ctx,const void *in0);
 114
 115 #define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)
 116
 117 static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
 118                         const unsigned char *inkey,
 119                         const unsigned char *iv, int enc)
 120         {
 121         EVP_AES_HMAC_SHA1 *key = data(ctx);
 122         int ret;
 123
 124         if (enc)
 125                 ret=aesni_set_encrypt_key(inkey,ctx->key_len*8,&key->ks);
 126         else
 127                 ret=aesni_set_decrypt_key(inkey,ctx->key_len*8,&key->ks);
 128
 129         SHA1_Init(&key->head);  /* handy when benchmarking */
 130         key->tail = key->head;
 131         key->md   = key->head;
 132
 133         key->payload_length = NO_PAYLOAD_LENGTH;
 134
 135         return ret<0?0:1;
 136         }
 137
 138 #define STITCHED_CALL
 139
 140 #if !defined(STITCHED_CALL)
 141 #define aes_off 0
 142 #endif
 143
 144 void sha1_block_data_order (void *c,const void *p,size_t len);
 145
 146 static void sha1_update(SHA_CTX *c,const void *data,size_t len)
 147 {       const unsigned char *ptr = data;
 148         size_t res;
 149
 150         if ((res = c->num)) {
 151                 res = SHA_CBLOCK-res;
 152                 if (len<res) res=len;
 153                 SHA1_Update (c,ptr,res);
 154                 ptr += res;
 155                 len -= res;
 156         }
 157
 158         res = len % SHA_CBLOCK;
 159         len -= res;
 160
 161         if (len) {
 162                 sha1_block_data_order(c,ptr,len/SHA_CBLOCK);
 163
 164                 ptr += len;
 165                 c->Nh += len>>29;
 166                 c->Nl += len<<=3;
 167                 if (c->Nl<(unsigned int)len) c->Nh++;
 168         }
 169
 170         if (res)
 171                 SHA1_Update(c,ptr,res);
 172 }
 173
 174 #ifdef SHA1_Update
 175 #undef SHA1_Update
 176 #endif
 177 #define SHA1_Update sha1_update
 178
 179 static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 180                       const unsigned char *in, size_t len)
 181         {
 182         EVP_AES_HMAC_SHA1 *key = data(ctx);
 183         unsigned int l;
 184         size_t  plen = key->payload_length,
 185                 iv = 0,         /* explicit IV in TLS 1.1 and later */
 186                 sha_off = 0;
 187 #if defined(STITCHED_CALL)
 188         size_t  aes_off = 0,
 189                 blocks;
 190
 191         sha_off = SHA_CBLOCK-key->md.num;
 192 #endif
 193
 194         key->payload_length = NO_PAYLOAD_LENGTH;
 195
 196         if (len%AES_BLOCK_SIZE) return 0;
 197
 198         if (ctx->encrypt) {
 199                 if (plen==NO_PAYLOAD_LENGTH)
 200                         plen = len;
 201                 else if (len!=((plen+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE))
 202                         return 0;
 203                 else if (key->aux.tls_ver >= TLS1_1_VERSION)
 204                         iv = AES_BLOCK_SIZE;
 205
 206 #if defined(STITCHED_CALL)
 207                 if (plen>(sha_off+iv) && (blocks=(plen-(sha_off+iv))/SHA_CBLOCK)) {
 208                         SHA1_Update(&key->md,in+iv,sha_off);
 209
 210                         aesni_cbc_sha1_enc(in,out,blocks,&key->ks,
 211                                 ctx->iv,&key->md,in+iv+sha_off);
 212                         blocks *= SHA_CBLOCK;
 213                         aes_off += blocks;
 214                         sha_off += blocks;
 215                         key->md.Nh += blocks>>29;
 216                         key->md.Nl += blocks<<=3;
 217                         if (key->md.Nl<(unsigned int)blocks) key->md.Nh++;
 218                 } else {
 219                         sha_off = 0;
 220                 }
 221 #endif
 222                 sha_off += iv;
 223                 SHA1_Update(&key->md,in+sha_off,plen-sha_off);
 224
 225                 if (plen!=len)  {       /* "TLS" mode of operation */
 226                         if (in!=out)
 227                                 memcpy(out+aes_off,in+aes_off,plen-aes_off);
 228
 229                         /* calculate HMAC and append it to payload */
 230                         SHA1_Final(out+plen,&key->md);
 231                         key->md = key->tail;
 232                         SHA1_Update(&key->md,out+plen,SHA_DIGEST_LENGTH);
 233                         SHA1_Final(out+plen,&key->md);
 234
 235                         /* pad the payload|hmac */
 236                         plen += SHA_DIGEST_LENGTH;
 237                         for (l=len-plen-1;plen<len;plen++) out[plen]=l;
 238                         /* encrypt HMAC|padding at once */
 239                         aesni_cbc_encrypt(out+aes_off,out+aes_off,len-aes_off,
 240                                         &key->ks,ctx->iv,1);
 241                 } else {
 242                         aesni_cbc_encrypt(in+aes_off,out+aes_off,len-aes_off,
 243                                         &key->ks,ctx->iv,1);
 244                 }
 245         } else {
 246                 union { unsigned int  u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
 247                         unsigned char c[SHA_DIGEST_LENGTH]; } mac;
 248
 249                 /* decrypt HMAC|padding at once */
 250                 aesni_cbc_encrypt(in,out,len,
 251                                 &key->ks,ctx->iv,0);
 252
 253                 if (plen) {     /* "TLS" mode of operation */
 254                         size_t inp_len, mask, j, i;
 255                         unsigned int res, maxpad, pad, bitlen;
 256                         int ret = 1;
 257                         union { unsigned int  u[SHA_LBLOCK];
 258                                 unsigned char c[SHA_CBLOCK]; }
 259                                 *data = (void *)key->md.data;
 260
 261                         if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3])
 262                             >= TLS1_1_VERSION)
 263                                 iv = AES_BLOCK_SIZE;
 264
 265                         if (len<(iv+SHA_DIGEST_LENGTH+1))
 266                                 return 0;
 267
 268                         /* omit explicit iv */
 269                         out += iv;
 270                         len -= iv;
 271
 272                         /* figure out payload length */
 273                         pad = out[len-1];
 274                         maxpad = len-(SHA_DIGEST_LENGTH+1);
 275                         maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
 276                         maxpad &= 255;
 277
 278                         inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
 279                         mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
 280                         inp_len &= mask;
 281                         ret &= (int)mask;
 282
 283                         key->aux.tls_aad[plen-2] = inp_len>>8;
 284                         key->aux.tls_aad[plen-1] = inp_len;
 285
 286                         /* calculate HMAC */
 287                         key->md = key->head;
 288                         SHA1_Update(&key->md,key->aux.tls_aad,plen);
 289
 290 #if 1
 291                         len -= SHA_DIGEST_LENGTH;               /* amend mac */
 292                         if (len>=(256+SHA_CBLOCK)) {
 293                                 j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK);
 294                                 j += SHA_CBLOCK-key->md.num;
 295                                 SHA1_Update(&key->md,out,j);
 296                                 out += j;
 297                                 len -= j;
 298                                 inp_len -= j;
 299                         }
 300
 301                         /* but pretend as if we hashed padded payload */
 302                         bitlen = key->md.Nl+(inp_len<<3);       /* at most 18 bits */
 303                         mac.c[0] = 0;
 304                         mac.c[1] = (unsigned char)(bitlen>>16);
 305                         mac.c[2] = (unsigned char)(bitlen>>8);
 306                         mac.c[3] = (unsigned char)bitlen;
 307                         bitlen = mac.u[0];
 308
 309                         mac.u[0]=0;
 310                         mac.u[1]=0;
 311                         mac.u[2]=0;
 312                         mac.u[3]=0;
 313                         mac.u[4]=0;
 314
 315                         for (res=key->md.num, j=0;j<len;j++) {
 316                                 size_t c = out[j];
 317                                 mask = (j-inp_len)>>(sizeof(j)*8-8);
 318                                 c &= mask;
 319                                 c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8));
 320                                 data->c[res++]=(unsigned char)c;
 321
 322                                 if (res!=SHA_CBLOCK) continue;
 323
 324                                 mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
 325                                 data->u[SHA_LBLOCK-1] |= bitlen&mask;
 326                                 sha1_block_data_order(&key->md,data,1);
 327                                 mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
 328                                 mac.u[0] |= key->md.h0 & mask;
 329                                 mac.u[1] |= key->md.h1 & mask;
 330                                 mac.u[2] |= key->md.h2 & mask;
 331                                 mac.u[3] |= key->md.h3 & mask;
 332                                 mac.u[4] |= key->md.h4 & mask;
 333                                 res=0;
 334                         }
 335
 336                         for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0;
 337
 338                         if (res>SHA_CBLOCK-8) {
 339                                 mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
 340                                 data->u[SHA_LBLOCK-1] |= bitlen&mask;
 341                                 sha1_block_data_order(&key->md,data,1);
 342                                 mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
 343                                 mac.u[0] |= key->md.h0 & mask;
 344                                 mac.u[1] |= key->md.h1 & mask;
 345                                 mac.u[2] |= key->md.h2 & mask;
 346                                 mac.u[3] |= key->md.h3 & mask;
 347                                 mac.u[4] |= key->md.h4 & mask;
 348
 349                                 memset(data,0,SHA_CBLOCK);
 350                                 j+=64;
 351                         }
 352                         data->u[SHA_LBLOCK-1] = bitlen;
 353                         sha1_block_data_order(&key->md,data,1);
 354                         mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
 355                         mac.u[0] |= key->md.h0 & mask;
 356                         mac.u[1] |= key->md.h1 & mask;
 357                         mac.u[2] |= key->md.h2 & mask;
 358                         mac.u[3] |= key->md.h3 & mask;
 359                         mac.u[4] |= key->md.h4 & mask;
 360
 361 #ifdef BSWAP
 362                         mac.u[0] = BSWAP(mac.u[0]);
 363                         mac.u[1] = BSWAP(mac.u[1]);
 364                         mac.u[2] = BSWAP(mac.u[2]);
 365                         mac.u[3] = BSWAP(mac.u[3]);
 366                         mac.u[4] = BSWAP(mac.u[4]);
 367 #else
 368                         for (i=0;i<5;i++) {
 369                                 res = mac.u[i];
 370                                 mac.c[4*i+0]=(unsigned char)(res>>24);
 371                                 mac.c[4*i+1]=(unsigned char)(res>>16);
 372                                 mac.c[4*i+2]=(unsigned char)(res>>8);
 373                                 mac.c[4*i+3]=(unsigned char)res;
 374                         }
 375 #endif
 376                         len += SHA_DIGEST_LENGTH;
 377 #else
 378                         SHA1_Update(&key->md,out,inp_len);
 379                         res = key->md.num;
 380                         SHA1_Final(mac.c,&key->md);
 381
 382                         {
 383                         unsigned int inp_blocks, pad_blocks;
 384
 385                         /* but pretend as if we hashed padded payload */
 386                         inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
 387                         res += (unsigned int)(len-inp_len);
 388                         pad_blocks = res / SHA_CBLOCK;
 389                         res %= SHA_CBLOCK;
 390                         pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
 391                         for (;inp_blocks<pad_blocks;inp_blocks++)
 392                                 sha1_block_data_order(&key->md,data,1);
 393                         }
 394 #endif
 395                         key->md = key->tail;
 396                         SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH);
 397                         SHA1_Final(mac.c,&key->md);
 398
 399                         /* verify HMAC */
 400                         out += inp_len;
 401                         len -= inp_len;
 402 #if 1
 403                         {
 404                         unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH;
 405                         size_t off = out-p;
 406                         unsigned int c, cmask;
 407
 408                         maxpad += SHA_DIGEST_LENGTH;
 409                         for (res=0,i=0,j=0;j<maxpad;j++) {
 410                                 c = p[j];
 411                                 cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
 412                                 res |= (c^pad)&~cmask;  /* ... and padding */
 413                                 cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
 414                                 res |= (c^mac.c[i])&cmask;
 415                                 i += 1&cmask;
 416                         }
 417                         maxpad -= SHA_DIGEST_LENGTH;
 418
 419                         res = 0-((0-res)>>(sizeof(res)*8-1));
 420                         ret &= (int)~res;
 421                         }
 422 #else
 423                         for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
 424                                 res |= out[i]^mac.c[i];
 425                         res = 0-((0-res)>>(sizeof(res)*8-1));
 426                         ret &= (int)~res;
 427
 428                         /* verify padding */
 429                         pad = (pad&~res) | (maxpad&res);
 430                         out = out+len-1-pad;
 431                         for (res=0,i=0;i<pad;i++)
 432                                 res |= out[i]^pad;
 433
 434                         res = (0-res)>>(sizeof(res)*8-1);
 435                         ret &= (int)~res;
 436 #endif
 437                         return ret;
 438                 } else {
 439                         SHA1_Update(&key->md,out,len);
 440                 }
 441         }
 442
 443         return 1;
 444         }
 445
 446 static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 447         {
 448         EVP_AES_HMAC_SHA1 *key = data(ctx);
 449
 450         switch (type)
 451                 {
 452         case EVP_CTRL_AEAD_SET_MAC_KEY:
 453                 {
 454                 unsigned int  i;
 455                 unsigned char hmac_key[64];
 456
 457                 memset (hmac_key,0,sizeof(hmac_key));
 458
 459                 if (arg > (int)sizeof(hmac_key)) {
 460                         SHA1_Init(&key->head);
 461                         SHA1_Update(&key->head,ptr,arg);
 462                         SHA1_Final(hmac_key,&key->head);
 463                 } else {
 464                         memcpy(hmac_key,ptr,arg);
 465                 }
 466
 467                 for (i=0;i<sizeof(hmac_key);i++)
 468                         hmac_key[i] ^= 0x36;            /* ipad */
 469                 SHA1_Init(&key->head);
 470                 SHA1_Update(&key->head,hmac_key,sizeof(hmac_key));
 471
 472                 for (i=0;i<sizeof(hmac_key);i++)
 473                         hmac_key[i] ^= 0x36^0x5c;       /* opad */
 474                 SHA1_Init(&key->tail);
 475                 SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key));
 476
 477                 OPENSSL_cleanse(hmac_key,sizeof(hmac_key));
 478
 479                 return 1;
 480                 }
 481         case EVP_CTRL_AEAD_TLS1_AAD:
 482                 {
 483                 unsigned char *p=ptr;
 484                 unsigned int   len=p[arg-2]<<8|p[arg-1];
 485
 486                 if (ctx->encrypt)
 487                         {
 488                         key->payload_length = len;
 489                         if ((key->aux.tls_ver=p[arg-4]<<8|p[arg-3]) >= TLS1_1_VERSION) {
 490                                 len -= AES_BLOCK_SIZE;
 491                                 p[arg-2] = len>>8;
 492                                 p[arg-1] = len;
 493                         }
 494                         key->md = key->head;
 495                         SHA1_Update(&key->md,p,arg);
 496
 497                         return (int)(((len+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE)
 498                                 - len);
 499                         }
 500                 else
 501                         {
 502                         if (arg>13) arg = 13;
 503                         memcpy(key->aux.tls_aad,ptr,arg);
 504                         key->payload_length = arg;
 505
 506                         return SHA_DIGEST_LENGTH;
 507                         }
 508                 }
 509         default:
 510                 return -1;
 511                 }
 512         }
 513
 514 static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher =
 515         {
 516 #ifdef NID_aes_128_cbc_hmac_sha1
 517         NID_aes_128_cbc_hmac_sha1,
 518 #else
 519         NID_undef,
 520 #endif
 521         16,16,16,
 522         EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
 523         aesni_cbc_hmac_sha1_init_key,
 524         aesni_cbc_hmac_sha1_cipher,
 525         NULL,
 526         sizeof(EVP_AES_HMAC_SHA1),
 527         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
 528         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
 529         aesni_cbc_hmac_sha1_ctrl,
 530         NULL
 531         };
 532
 533 static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher =
 534         {
 535 #ifdef NID_aes_256_cbc_hmac_sha1
 536         NID_aes_256_cbc_hmac_sha1,
 537 #else
 538         NID_undef,
 539 #endif
 540         16,32,16,
 541         EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
 542         aesni_cbc_hmac_sha1_init_key,
 543         aesni_cbc_hmac_sha1_cipher,
 544         NULL,
 545         sizeof(EVP_AES_HMAC_SHA1),
 546         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
 547         EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
 548         aesni_cbc_hmac_sha1_ctrl,
 549         NULL
 550         };
 551
 552 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
 553         {
 554         return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
 555                 &aesni_128_cbc_hmac_sha1_cipher:NULL);
 556         }
 557
 558 const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
 559         {
 560         return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
 561                 &aesni_256_cbc_hmac_sha1_cipher:NULL);
 562         }
 563 #else
 564 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
 565         {
 566         return NULL;
 567         }
 568 const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
 569         {
 570         return NULL;
 571         }
 572 #endif
 573 #endif