OpenCoverage

e_aes_cbc_hmac_sha1.c

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/evp/e_aes_cbc_hmac_sha1.c
Source codeSwitch to Preprocessed file
LineSourceCount
1/*-
2 * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.-
3 *-
4 * Licensed under the OpenSSL license (the "License"). You may not use-
5 * this file except in compliance with the License. You can obtain a copy-
6 * in the file LICENSE in the source distribution or at-
7 * https://www.openssl.org/source/license.html-
8 */-
9-
10#include <openssl/opensslconf.h>-
11-
12#include <stdio.h>-
13#include <string.h>-
14-
15#include <openssl/evp.h>-
16#include <openssl/objects.h>-
17#include <openssl/aes.h>-
18#include <openssl/sha.h>-
19#include <openssl/rand.h>-
20#include "modes_lcl.h"-
21#include "internal/evp_int.h"-
22#include "internal/constant_time_locl.h"-
23-
24typedef struct {-
25 AES_KEY ks;-
26 SHA_CTX head, tail, md;-
27 size_t payload_length; /* AAD length in decrypt case */-
28 union {-
29 unsigned int tls_ver;-
30 unsigned char tls_aad[16]; /* 13 used */-
31 } aux;-
32} EVP_AES_HMAC_SHA1;-
33-
34#define NO_PAYLOAD_LENGTH ((size_t)-1)-
35-
36#if defined(AES_ASM) && ( \-
37 defined(__x86_64) || defined(__x86_64__) || \-
38 defined(_M_AMD64) || defined(_M_X64) )-
39-
40extern unsigned int OPENSSL_ia32cap_P[];-
41# define AESNI_CAPABLE (1<<(57-32))-
42-
43int aesni_set_encrypt_key(const unsigned char *userKey, int bits,-
44 AES_KEY *key);-
45int aesni_set_decrypt_key(const unsigned char *userKey, int bits,-
46 AES_KEY *key);-
47-
48void aesni_cbc_encrypt(const unsigned char *in,-
49 unsigned char *out,-
50 size_t length,-
51 const AES_KEY *key, unsigned char *ivec, int enc);-
52-
53void aesni_cbc_sha1_enc(const void *inp, void *out, size_t blocks,-
54 const AES_KEY *key, unsigned char iv[16],-
55 SHA_CTX *ctx, const void *in0);-
56-
57void aesni256_cbc_sha1_dec(const void *inp, void *out, size_t blocks,-
58 const AES_KEY *key, unsigned char iv[16],-
59 SHA_CTX *ctx, const void *in0);-
60-
61# define data(ctx) ((EVP_AES_HMAC_SHA1 *)EVP_CIPHER_CTX_get_cipher_data(ctx))-
62-
63static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,-
64 const unsigned char *inkey,-
65 const unsigned char *iv, int enc)-
66{-
67 EVP_AES_HMAC_SHA1 *key = data(ctx);-
68 int ret;-
69-
70 if (enc)
encDescription
TRUEnever evaluated
FALSEnever evaluated
0
71 ret = aesni_set_encrypt_key(inkey,
never executed: ret = aesni_set_encrypt_key(inkey, EVP_CIPHER_CTX_key_length(ctx) * 8, &key->ks);
0
72 EVP_CIPHER_CTX_key_length(ctx) * 8,
never executed: ret = aesni_set_encrypt_key(inkey, EVP_CIPHER_CTX_key_length(ctx) * 8, &key->ks);
0
73 &key->ks);
never executed: ret = aesni_set_encrypt_key(inkey, EVP_CIPHER_CTX_key_length(ctx) * 8, &key->ks);
0
74 else-
75 ret = aesni_set_decrypt_key(inkey,
never executed: ret = aesni_set_decrypt_key(inkey, EVP_CIPHER_CTX_key_length(ctx) * 8, &key->ks);
0
76 EVP_CIPHER_CTX_key_length(ctx) * 8,
never executed: ret = aesni_set_decrypt_key(inkey, EVP_CIPHER_CTX_key_length(ctx) * 8, &key->ks);
0
77 &key->ks);
never executed: ret = aesni_set_decrypt_key(inkey, EVP_CIPHER_CTX_key_length(ctx) * 8, &key->ks);
0
78-
79 SHA1_Init(&key->head); /* handy when benchmarking */-
80 key->tail = key->head;-
81 key->md = key->head;-
82-
83 key->payload_length = NO_PAYLOAD_LENGTH;-
84-
85 return ret < 0 ? 0 : 1;
never executed: return ret < 0 ? 0 : 1;
ret < 0Description
TRUEnever evaluated
FALSEnever evaluated
0
86}-
87-
88# define STITCHED_CALL-
89# undef STITCHED_DECRYPT_CALL-
90-
91# if !defined(STITCHED_CALL)-
92# define aes_off 0-
93# endif-
94-
95void sha1_block_data_order(void *c, const void *p, size_t len);-
96-
97static void sha1_update(SHA_CTX *c, const void *data, size_t len)-
98{-
99 const unsigned char *ptr = data;-
100 size_t res;-
101-
102 if ((res = c->num)) {
(res = c->num)Description
TRUEnever evaluated
FALSEnever evaluated
0
103 res = SHA_CBLOCK - res;-
104 if (len < res)
len < resDescription
TRUEnever evaluated
FALSEnever evaluated
0
105 res = len;
never executed: res = len;
0
106 SHA1_Update(c, ptr, res);-
107 ptr += res;-
108 len -= res;-
109 }
never executed: end of block
0
110-
111 res = len % SHA_CBLOCK;-
112 len -= res;-
113-
114 if (len) {
lenDescription
TRUEnever evaluated
FALSEnever evaluated
0
115 sha1_block_data_order(c, ptr, len / SHA_CBLOCK);-
116-
117 ptr += len;-
118 c->Nh += len >> 29;-
119 c->Nl += len <<= 3;-
120 if (c->Nl < (unsigned int)len)
c->Nl < (unsigned int)lenDescription
TRUEnever evaluated
FALSEnever evaluated
0
121 c->Nh++;
never executed: c->Nh++;
0
122 }
never executed: end of block
0
123-
124 if (res)
resDescription
TRUEnever evaluated
FALSEnever evaluated
0
125 SHA1_Update(c, ptr, res);
never executed: SHA1_Update(c, ptr, res);
0
126}
never executed: end of block
0
127-
128# ifdef SHA1_Update-
129# undef SHA1_Update-
130# endif-
131# define SHA1_Update sha1_update-
132-
133# if !defined(OPENSSL_NO_MULTIBLOCK)-
134-
135typedef struct {-
136 unsigned int A[8], B[8], C[8], D[8], E[8];-
137} SHA1_MB_CTX;-
138typedef struct {-
139 const unsigned char *ptr;-
140 int blocks;-
141} HASH_DESC;-
142-
143void sha1_multi_block(SHA1_MB_CTX *, const HASH_DESC *, int);-
144-
145typedef struct {-
146 const unsigned char *inp;-
147 unsigned char *out;-
148 int blocks;-
149 u64 iv[2];-
150} CIPH_DESC;-
151-
152void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int);-
153-
154static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,-
155 unsigned char *out,-
156 const unsigned char *inp,-
157 size_t inp_len, int n4x)-
158{ /* n4x is 1 or 2 */-
159 HASH_DESC hash_d[8], edges[8];-
160 CIPH_DESC ciph_d[8];-
161 unsigned char storage[sizeof(SHA1_MB_CTX) + 32];-
162 union {-
163 u64 q[16];-
164 u32 d[32];-
165 u8 c[128];-
166 } blocks[8];-
167 SHA1_MB_CTX *ctx;-
168 unsigned int frag, last, packlen, i, x4 = 4 * n4x, minblocks, processed =-
169 0;-
170 size_t ret = 0;-
171 u8 *IVs;-
172# if defined(BSWAP8)-
173 u64 seqnum;-
174# endif-
175-
176 /* ask for IVs in bulk */-
177 if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0)
RAND_bytes((IV... 16 * x4) <= 0Description
TRUEnever evaluated
FALSEnever evaluated
0
178 return 0;
never executed: return 0;
0
179-
180 ctx = (SHA1_MB_CTX *) (storage + 32 - ((size_t)storage % 32)); /* align */-
181-
182 frag = (unsigned int)inp_len >> (1 + n4x);-
183 last = (unsigned int)inp_len + frag - (frag << (1 + n4x));-
184 if (last > frag && ((last + 13 + 9) % 64) < (x4 - 1)) {
last > fragDescription
TRUEnever evaluated
FALSEnever evaluated
((last + 13 + ...64) < (x4 - 1)Description
TRUEnever evaluated
FALSEnever evaluated
0
185 frag++;-
186 last -= x4 - 1;-
187 }
never executed: end of block
0
188-
189 packlen = 5 + 16 + ((frag + 20 + 16) & -16);-
190-
191 /* populate descriptors with pointers and IVs */-
192 hash_d[0].ptr = inp;-
193 ciph_d[0].inp = inp;-
194 /* 5+16 is place for header and explicit IV */-
195 ciph_d[0].out = out + 5 + 16;-
196 memcpy(ciph_d[0].out - 16, IVs, 16);-
197 memcpy(ciph_d[0].iv, IVs, 16);-
198 IVs += 16;-
199-
200 for (i = 1; i < x4; i++) {
i < x4Description
TRUEnever evaluated
FALSEnever evaluated
0
201 ciph_d[i].inp = hash_d[i].ptr = hash_d[i - 1].ptr + frag;-
202 ciph_d[i].out = ciph_d[i - 1].out + packlen;-
203 memcpy(ciph_d[i].out - 16, IVs, 16);-
204 memcpy(ciph_d[i].iv, IVs, 16);-
205 IVs += 16;-
206 }
never executed: end of block
0
207-
208# if defined(BSWAP8)-
209 memcpy(blocks[0].c, key->md.data, 8);-
210 seqnum = BSWAP8(blocks[0].q[0]);-
211# endif-
212 for (i = 0; i < x4; i++) {
i < x4Description
TRUEnever evaluated
FALSEnever evaluated
0
213 unsigned int len = (i == (x4 - 1) ? last : frag);
i == (x4 - 1)Description
TRUEnever evaluated
FALSEnever evaluated
0
214# if !defined(BSWAP8)-
215 unsigned int carry, j;-
216# endif-
217-
218 ctx->A[i] = key->md.h0;-
219 ctx->B[i] = key->md.h1;-
220 ctx->C[i] = key->md.h2;-
221 ctx->D[i] = key->md.h3;-
222 ctx->E[i] = key->md.h4;-
223-
224 /* fix seqnum */-
225# if defined(BSWAP8)-
226 blocks[i].q[0] = BSWAP8(seqnum + i);-
227# else-
228 for (carry = i, j = 8; j--;) {-
229 blocks[i].c[j] = ((u8 *)key->md.data)[j] + carry;-
230 carry = (blocks[i].c[j] - carry) >> (sizeof(carry) * 8 - 1);-
231 }-
232# endif-
233 blocks[i].c[8] = ((u8 *)key->md.data)[8];-
234 blocks[i].c[9] = ((u8 *)key->md.data)[9];-
235 blocks[i].c[10] = ((u8 *)key->md.data)[10];-
236 /* fix length */-
237 blocks[i].c[11] = (u8)(len >> 8);-
238 blocks[i].c[12] = (u8)(len);-
239-
240 memcpy(blocks[i].c + 13, hash_d[i].ptr, 64 - 13);-
241 hash_d[i].ptr += 64 - 13;-
242 hash_d[i].blocks = (len - (64 - 13)) / 64;-
243-
244 edges[i].ptr = blocks[i].c;-
245 edges[i].blocks = 1;-
246 }
never executed: end of block
0
247-
248 /* hash 13-byte headers and first 64-13 bytes of inputs */-
249 sha1_multi_block(ctx, edges, n4x);-
250 /* hash bulk inputs */-
251# define MAXCHUNKSIZE 2048-
252# if MAXCHUNKSIZE%64-
253# error "MAXCHUNKSIZE is not divisible by 64"-
254# elif MAXCHUNKSIZE-
255 /*-
256 * goal is to minimize pressure on L1 cache by moving in shorter steps,-
257 * so that hashed data is still in the cache by the time we encrypt it-
258 */-
259 minblocks = ((frag <= last ? frag : last) - (64 - 13)) / 64;
frag <= lastDescription
TRUEnever evaluated
FALSEnever evaluated
0
260 if (minblocks > MAXCHUNKSIZE / 64) {
minblocks > 2048 / 64Description
TRUEnever evaluated
FALSEnever evaluated
0
261 for (i = 0; i < x4; i++) {
i < x4Description
TRUEnever evaluated
FALSEnever evaluated
0
262 edges[i].ptr = hash_d[i].ptr;-
263 edges[i].blocks = MAXCHUNKSIZE / 64;-
264 ciph_d[i].blocks = MAXCHUNKSIZE / 16;-
265 }
never executed: end of block
0
266 do {-
267 sha1_multi_block(ctx, edges, n4x);-
268 aesni_multi_cbc_encrypt(ciph_d, &key->ks, n4x);-
269-
270 for (i = 0; i < x4; i++) {
i < x4Description
TRUEnever evaluated
FALSEnever evaluated
0
271 edges[i].ptr = hash_d[i].ptr += MAXCHUNKSIZE;-
272 hash_d[i].blocks -= MAXCHUNKSIZE / 64;-
273 edges[i].blocks = MAXCHUNKSIZE / 64;-
274 ciph_d[i].inp += MAXCHUNKSIZE;-
275 ciph_d[i].out += MAXCHUNKSIZE;-
276 ciph_d[i].blocks = MAXCHUNKSIZE / 16;-
277 memcpy(ciph_d[i].iv, ciph_d[i].out - 16, 16);-
278 }
never executed: end of block
0
279 processed += MAXCHUNKSIZE;-
280 minblocks -= MAXCHUNKSIZE / 64;-
281 } while (minblocks > MAXCHUNKSIZE / 64);
never executed: end of block
minblocks > 2048 / 64Description
TRUEnever evaluated
FALSEnever evaluated
0
282 }
never executed: end of block
0
283# endif-
284# undef MAXCHUNKSIZE-
285 sha1_multi_block(ctx, hash_d, n4x);-
286-
287 memset(blocks, 0, sizeof(blocks));-
288 for (i = 0; i < x4; i++) {
i < x4Description
TRUEnever evaluated
FALSEnever evaluated
0
289 unsigned int len = (i == (x4 - 1) ? last : frag),
i == (x4 - 1)Description
TRUEnever evaluated
FALSEnever evaluated
0
290 off = hash_d[i].blocks * 64;-
291 const unsigned char *ptr = hash_d[i].ptr + off;-
292-
293 off = (len - processed) - (64 - 13) - off; /* remainder actually */-
294 memcpy(blocks[i].c, ptr, off);-
295 blocks[i].c[off] = 0x80;-
296 len += 64 + 13; /* 64 is HMAC header */-
297 len *= 8; /* convert to bits */-
298 if (off < (64 - 8)) {
off < (64 - 8)Description
TRUEnever evaluated
FALSEnever evaluated
0
299# ifdef BSWAP4-
300 blocks[i].d[15] = BSWAP4(len);-
301# else-
302 PUTU32(blocks[i].c + 60, len);-
303# endif-
304 edges[i].blocks = 1;-
305 } else {
never executed: end of block
0
306# ifdef BSWAP4-
307 blocks[i].d[31] = BSWAP4(len);-
308# else-
309 PUTU32(blocks[i].c + 124, len);-
310# endif-
311 edges[i].blocks = 2;-
312 }
never executed: end of block
0
313 edges[i].ptr = blocks[i].c;-
314 }
never executed: end of block
0
315-
316 /* hash input tails and finalize */-
317 sha1_multi_block(ctx, edges, n4x);-
318-
319 memset(blocks, 0, sizeof(blocks));-
320 for (i = 0; i < x4; i++) {
i < x4Description
TRUEnever evaluated
FALSEnever evaluated
0
321# ifdef BSWAP4-
322 blocks[i].d[0] = BSWAP4(ctx->A[i]);-
323 ctx->A[i] = key->tail.h0;-
324 blocks[i].d[1] = BSWAP4(ctx->B[i]);-
325 ctx->B[i] = key->tail.h1;-
326 blocks[i].d[2] = BSWAP4(ctx->C[i]);-
327 ctx->C[i] = key->tail.h2;-
328 blocks[i].d[3] = BSWAP4(ctx->D[i]);-
329 ctx->D[i] = key->tail.h3;-
330 blocks[i].d[4] = BSWAP4(ctx->E[i]);-
331 ctx->E[i] = key->tail.h4;-
332 blocks[i].c[20] = 0x80;-
333 blocks[i].d[15] = BSWAP4((64 + 20) * 8);-
334# else-
335 PUTU32(blocks[i].c + 0, ctx->A[i]);-
336 ctx->A[i] = key->tail.h0;-
337 PUTU32(blocks[i].c + 4, ctx->B[i]);-
338 ctx->B[i] = key->tail.h1;-
339 PUTU32(blocks[i].c + 8, ctx->C[i]);-
340 ctx->C[i] = key->tail.h2;-
341 PUTU32(blocks[i].c + 12, ctx->D[i]);-
342 ctx->D[i] = key->tail.h3;-
343 PUTU32(blocks[i].c + 16, ctx->E[i]);-
344 ctx->E[i] = key->tail.h4;-
345 blocks[i].c[20] = 0x80;-
346 PUTU32(blocks[i].c + 60, (64 + 20) * 8);-
347# endif-
348 edges[i].ptr = blocks[i].c;-
349 edges[i].blocks = 1;-
350 }
never executed: end of block
0
351-
352 /* finalize MACs */-
353 sha1_multi_block(ctx, edges, n4x);-
354-
355 for (i = 0; i < x4; i++) {
i < x4Description
TRUEnever evaluated
FALSEnever evaluated
0
356 unsigned int len = (i == (x4 - 1) ? last : frag), pad, j;
i == (x4 - 1)Description
TRUEnever evaluated
FALSEnever evaluated
0
357 unsigned char *out0 = out;-
358-
359 memcpy(ciph_d[i].out, ciph_d[i].inp, len - processed);-
360 ciph_d[i].inp = ciph_d[i].out;-
361-
362 out += 5 + 16 + len;-
363-
364 /* write MAC */-
365 PUTU32(out + 0, ctx->A[i]);-
366 PUTU32(out + 4, ctx->B[i]);-
367 PUTU32(out + 8, ctx->C[i]);-
368 PUTU32(out + 12, ctx->D[i]);-
369 PUTU32(out + 16, ctx->E[i]);-
370 out += 20;-
371 len += 20;-
372-
373 /* pad */-
374 pad = 15 - len % 16;-
375 for (j = 0; j <= pad; j++)
j <= padDescription
TRUEnever evaluated
FALSEnever evaluated
0
376 *(out++) = pad;
never executed: *(out++) = pad;
0
377 len += pad + 1;-
378-
379 ciph_d[i].blocks = (len - processed) / 16;-
380 len += 16; /* account for explicit iv */-
381-
382 /* arrange header */-
383 out0[0] = ((u8 *)key->md.data)[8];-
384 out0[1] = ((u8 *)key->md.data)[9];-
385 out0[2] = ((u8 *)key->md.data)[10];-
386 out0[3] = (u8)(len >> 8);-
387 out0[4] = (u8)(len);-
388-
389 ret += len + 5;-
390 inp += frag;-
391 }
never executed: end of block
0
392-
393 aesni_multi_cbc_encrypt(ciph_d, &key->ks, n4x);-
394-
395 OPENSSL_cleanse(blocks, sizeof(blocks));-
396 OPENSSL_cleanse(ctx, sizeof(*ctx));-
397-
398 return ret;
never executed: return ret;
0
399}-
400# endif-
401-
402static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,-
403 const unsigned char *in, size_t len)-
404{-
405 EVP_AES_HMAC_SHA1 *key = data(ctx);-
406 unsigned int l;-
407 size_t plen = key->payload_length, iv = 0, /* explicit IV in TLS 1.1 and-
408 * later */-
409 sha_off = 0;-
410# if defined(STITCHED_CALL)-
411 size_t aes_off = 0, blocks;-
412-
413 sha_off = SHA_CBLOCK - key->md.num;-
414# endif-
415-
416 key->payload_length = NO_PAYLOAD_LENGTH;-
417-
418 if (len % AES_BLOCK_SIZE)
len % 16Description
TRUEnever evaluated
FALSEnever evaluated
0
419 return 0;
never executed: return 0;
0
420-
421 if (EVP_CIPHER_CTX_encrypting(ctx)) {
EVP_CIPHER_CTX_encrypting(ctx)Description
TRUEnever evaluated
FALSEnever evaluated
0
422 if (plen == NO_PAYLOAD_LENGTH)
plen == ((size_t)-1)Description
TRUEnever evaluated
FALSEnever evaluated
0
423 plen = len;
never executed: plen = len;
0
424 else if (len !=
len != ((plen ...0 + 16) & -16)Description
TRUEnever evaluated
FALSEnever evaluated
0
425 ((plen + SHA_DIGEST_LENGTH +
len != ((plen ...0 + 16) & -16)Description
TRUEnever evaluated
FALSEnever evaluated
0
426 AES_BLOCK_SIZE) & -AES_BLOCK_SIZE))
len != ((plen ...0 + 16) & -16)Description
TRUEnever evaluated
FALSEnever evaluated
0
427 return 0;
never executed: return 0;
0
428 else if (key->aux.tls_ver >= TLS1_1_VERSION)
key->aux.tls_ver >= 0x0302Description
TRUEnever evaluated
FALSEnever evaluated
0
429 iv = AES_BLOCK_SIZE;
never executed: iv = 16;
0
430-
431# if defined(STITCHED_CALL)-
432 if (plen > (sha_off + iv)
plen > (sha_off + iv)Description
TRUEnever evaluated
FALSEnever evaluated
0
433 && (blocks = (plen - (sha_off + iv)) / SHA_CBLOCK)) {
(blocks = (ple...iv)) / (16*4))Description
TRUEnever evaluated
FALSEnever evaluated
0
434 SHA1_Update(&key->md, in + iv, sha_off);-
435-
436 aesni_cbc_sha1_enc(in, out, blocks, &key->ks,-
437 EVP_CIPHER_CTX_iv_noconst(ctx),-
438 &key->md, in + iv + sha_off);-
439 blocks *= SHA_CBLOCK;-
440 aes_off += blocks;-
441 sha_off += blocks;-
442 key->md.Nh += blocks >> 29;-
443 key->md.Nl += blocks <<= 3;-
444 if (key->md.Nl < (unsigned int)blocks)
key->md.Nl < (...ned int)blocksDescription
TRUEnever evaluated
FALSEnever evaluated
0
445 key->md.Nh++;
never executed: key->md.Nh++;
0
446 } else {
never executed: end of block
0
447 sha_off = 0;-
448 }
never executed: end of block
0
449# endif-
450 sha_off += iv;-
451 SHA1_Update(&key->md, in + sha_off, plen - sha_off);-
452-
453 if (plen != len) { /* "TLS" mode of operation */
plen != lenDescription
TRUEnever evaluated
FALSEnever evaluated
0
454 if (in != out)
in != outDescription
TRUEnever evaluated
FALSEnever evaluated
0
455 memcpy(out + aes_off, in + aes_off, plen - aes_off);
never executed: memcpy(out + aes_off, in + aes_off, plen - aes_off);
0
456-
457 /* calculate HMAC and append it to payload */-
458 SHA1_Final(out + plen, &key->md);-
459 key->md = key->tail;-
460 SHA1_Update(&key->md, out + plen, SHA_DIGEST_LENGTH);-
461 SHA1_Final(out + plen, &key->md);-
462-
463 /* pad the payload|hmac */-
464 plen += SHA_DIGEST_LENGTH;-
465 for (l = len - plen - 1; plen < len; plen++)
plen < lenDescription
TRUEnever evaluated
FALSEnever evaluated
0
466 out[plen] = l;
never executed: out[plen] = l;
0
467 /* encrypt HMAC|padding at once */-
468 aesni_cbc_encrypt(out + aes_off, out + aes_off, len - aes_off,-
469 &key->ks, EVP_CIPHER_CTX_iv_noconst(ctx), 1);-
470 } else {
never executed: end of block
0
471 aesni_cbc_encrypt(in + aes_off, out + aes_off, len - aes_off,-
472 &key->ks, EVP_CIPHER_CTX_iv_noconst(ctx), 1);-
473 }
never executed: end of block
0
474 } else {-
475 union {-
476 unsigned int u[SHA_DIGEST_LENGTH / sizeof(unsigned int)];-
477 unsigned char c[32 + SHA_DIGEST_LENGTH];-
478 } mac, *pmac;-
479-
480 /* arrange cache line alignment */-
481 pmac = (void *)(((size_t)mac.c + 31) & ((size_t)0 - 32));-
482-
483 if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */
plen != ((size_t)-1)Description
TRUEnever evaluated
FALSEnever evaluated
0
484 size_t inp_len, mask, j, i;-
485 unsigned int res, maxpad, pad, bitlen;-
486 int ret = 1;-
487 union {-
488 unsigned int u[SHA_LBLOCK];-
489 unsigned char c[SHA_CBLOCK];-
490 } *data = (void *)key->md.data;-
491# if defined(STITCHED_DECRYPT_CALL)-
492 unsigned char tail_iv[AES_BLOCK_SIZE];-
493 int stitch = 0;-
494# endif-
495-
496 if ((key->aux.tls_aad[plen - 4] << 8 | key->aux.tls_aad[plen - 3])
(key->aux.tls_... 3]) >= 0x0302Description
TRUEnever evaluated
FALSEnever evaluated
0
497 >= TLS1_1_VERSION) {
(key->aux.tls_... 3]) >= 0x0302Description
TRUEnever evaluated
FALSEnever evaluated
0
498 if (len < (AES_BLOCK_SIZE + SHA_DIGEST_LENGTH + 1))
len < (16 + 20 + 1)Description
TRUEnever evaluated
FALSEnever evaluated
0
499 return 0;
never executed: return 0;
0
500-
501 /* omit explicit iv */-
502 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), in, AES_BLOCK_SIZE);-
503-
504 in += AES_BLOCK_SIZE;-
505 out += AES_BLOCK_SIZE;-
506 len -= AES_BLOCK_SIZE;-
507 } else if (len < (SHA_DIGEST_LENGTH + 1))
never executed: end of block
len < (20 + 1)Description
TRUEnever evaluated
FALSEnever evaluated
0
508 return 0;
never executed: return 0;
0
509-
510# if defined(STITCHED_DECRYPT_CALL)-
511 if (len >= 1024 && ctx->key_len == 32) {-
512 /* decrypt last block */-
513 memcpy(tail_iv, in + len - 2 * AES_BLOCK_SIZE,-
514 AES_BLOCK_SIZE);-
515 aesni_cbc_encrypt(in + len - AES_BLOCK_SIZE,-
516 out + len - AES_BLOCK_SIZE, AES_BLOCK_SIZE,-
517 &key->ks, tail_iv, 0);-
518 stitch = 1;-
519 } else-
520# endif-
521 /* decrypt HMAC|padding at once */-
522 aesni_cbc_encrypt(in, out, len, &key->ks,-
523 EVP_CIPHER_CTX_iv_noconst(ctx), 0);-
524-
525 /* figure out payload length */-
526 pad = out[len - 1];-
527 maxpad = len - (SHA_DIGEST_LENGTH + 1);-
528 maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);-
529 maxpad &= 255;-
530-
531 mask = constant_time_ge(maxpad, pad);-
532 ret &= mask;-
533 /*-
534 * If pad is invalid then we will fail the above test but we must-
535 * continue anyway because we are in constant time code. However,-
536 * we'll use the maxpad value instead of the supplied pad to make-
537 * sure we perform well defined pointer arithmetic.-
538 */-
539 pad = constant_time_select(mask, pad, maxpad);-
540-
541 inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);-
542-
543 key->aux.tls_aad[plen - 2] = inp_len >> 8;-
544 key->aux.tls_aad[plen - 1] = inp_len;-
545-
546 /* calculate HMAC */-
547 key->md = key->head;-
548 SHA1_Update(&key->md, key->aux.tls_aad, plen);-
549-
550# if defined(STITCHED_DECRYPT_CALL)-
551 if (stitch) {-
552 blocks = (len - (256 + 32 + SHA_CBLOCK)) / SHA_CBLOCK;-
553 aes_off = len - AES_BLOCK_SIZE - blocks * SHA_CBLOCK;-
554 sha_off = SHA_CBLOCK - plen;-
555-
556 aesni_cbc_encrypt(in, out, aes_off, &key->ks, ctx->iv, 0);-
557-
558 SHA1_Update(&key->md, out, sha_off);-
559 aesni256_cbc_sha1_dec(in + aes_off,-
560 out + aes_off, blocks, &key->ks,-
561 ctx->iv, &key->md, out + sha_off);-
562-
563 sha_off += blocks *= SHA_CBLOCK;-
564 out += sha_off;-
565 len -= sha_off;-
566 inp_len -= sha_off;-
567-
568 key->md.Nl += (blocks << 3); /* at most 18 bits */-
569 memcpy(ctx->iv, tail_iv, AES_BLOCK_SIZE);-
570 }-
571# endif-
572-
573# if 1 /* see original reference version in #else */-
574 len -= SHA_DIGEST_LENGTH; /* amend mac */-
575 if (len >= (256 + SHA_CBLOCK)) {
len >= (256 + (16*4))Description
TRUEnever evaluated
FALSEnever evaluated
0
576 j = (len - (256 + SHA_CBLOCK)) & (0 - SHA_CBLOCK);-
577 j += SHA_CBLOCK - key->md.num;-
578 SHA1_Update(&key->md, out, j);-
579 out += j;-
580 len -= j;-
581 inp_len -= j;-
582 }
never executed: end of block
0
583-
584 /* but pretend as if we hashed padded payload */-
585 bitlen = key->md.Nl + (inp_len << 3); /* at most 18 bits */-
586# ifdef BSWAP4-
587 bitlen = BSWAP4(bitlen);-
588# else-
589 mac.c[0] = 0;-
590 mac.c[1] = (unsigned char)(bitlen >> 16);-
591 mac.c[2] = (unsigned char)(bitlen >> 8);-
592 mac.c[3] = (unsigned char)bitlen;-
593 bitlen = mac.u[0];-
594# endif-
595-
596 pmac->u[0] = 0;-
597 pmac->u[1] = 0;-
598 pmac->u[2] = 0;-
599 pmac->u[3] = 0;-
600 pmac->u[4] = 0;-
601-
602 for (res = key->md.num, j = 0; j < len; j++) {
j < lenDescription
TRUEnever evaluated
FALSEnever evaluated
0
603 size_t c = out[j];-
604 mask = (j - inp_len) >> (sizeof(j) * 8 - 8);-
605 c &= mask;-
606 c |= 0x80 & ~mask & ~((inp_len - j) >> (sizeof(j) * 8 - 8));-
607 data->c[res++] = (unsigned char)c;-
608-
609 if (res != SHA_CBLOCK)
res != (16*4)Description
TRUEnever evaluated
FALSEnever evaluated
0
610 continue;
never executed: continue;
0
611-
612 /* j is not incremented yet */-
613 mask = 0 - ((inp_len + 7 - j) >> (sizeof(j) * 8 - 1));-
614 data->u[SHA_LBLOCK - 1] |= bitlen & mask;-
615 sha1_block_data_order(&key->md, data, 1);-
616 mask &= 0 - ((j - inp_len - 72) >> (sizeof(j) * 8 - 1));-
617 pmac->u[0] |= key->md.h0 & mask;-
618 pmac->u[1] |= key->md.h1 & mask;-
619 pmac->u[2] |= key->md.h2 & mask;-
620 pmac->u[3] |= key->md.h3 & mask;-
621 pmac->u[4] |= key->md.h4 & mask;-
622 res = 0;-
623 }
never executed: end of block
0
624-
625 for (i = res; i < SHA_CBLOCK; i++, j++)
i < (16*4)Description
TRUEnever evaluated
FALSEnever evaluated
0
626 data->c[i] = 0;
never executed: data->c[i] = 0;
0
627-
628 if (res > SHA_CBLOCK - 8) {
res > (16*4) - 8Description
TRUEnever evaluated
FALSEnever evaluated
0
629 mask = 0 - ((inp_len + 8 - j) >> (sizeof(j) * 8 - 1));-
630 data->u[SHA_LBLOCK - 1] |= bitlen & mask;-
631 sha1_block_data_order(&key->md, data, 1);-
632 mask &= 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1));-
633 pmac->u[0] |= key->md.h0 & mask;-
634 pmac->u[1] |= key->md.h1 & mask;-
635 pmac->u[2] |= key->md.h2 & mask;-
636 pmac->u[3] |= key->md.h3 & mask;-
637 pmac->u[4] |= key->md.h4 & mask;-
638-
639 memset(data, 0, SHA_CBLOCK);-
640 j += 64;-
641 }
never executed: end of block
0
642 data->u[SHA_LBLOCK - 1] = bitlen;-
643 sha1_block_data_order(&key->md, data, 1);-
644 mask = 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1));-
645 pmac->u[0] |= key->md.h0 & mask;-
646 pmac->u[1] |= key->md.h1 & mask;-
647 pmac->u[2] |= key->md.h2 & mask;-
648 pmac->u[3] |= key->md.h3 & mask;-
649 pmac->u[4] |= key->md.h4 & mask;-
650-
651# ifdef BSWAP4-
652 pmac->u[0] = BSWAP4(pmac->u[0]);-
653 pmac->u[1] = BSWAP4(pmac->u[1]);-
654 pmac->u[2] = BSWAP4(pmac->u[2]);-
655 pmac->u[3] = BSWAP4(pmac->u[3]);-
656 pmac->u[4] = BSWAP4(pmac->u[4]);-
657# else-
658 for (i = 0; i < 5; i++) {-
659 res = pmac->u[i];-
660 pmac->c[4 * i + 0] = (unsigned char)(res >> 24);-
661 pmac->c[4 * i + 1] = (unsigned char)(res >> 16);-
662 pmac->c[4 * i + 2] = (unsigned char)(res >> 8);-
663 pmac->c[4 * i + 3] = (unsigned char)res;-
664 }-
665# endif-
666 len += SHA_DIGEST_LENGTH;-
667# else /* pre-lucky-13 reference version of above */-
668 SHA1_Update(&key->md, out, inp_len);-
669 res = key->md.num;-
670 SHA1_Final(pmac->c, &key->md);-
671-
672 {-
673 unsigned int inp_blocks, pad_blocks;-
674-
675 /* but pretend as if we hashed padded payload */-
676 inp_blocks =-
677 1 + ((SHA_CBLOCK - 9 - res) >> (sizeof(res) * 8 - 1));-
678 res += (unsigned int)(len - inp_len);-
679 pad_blocks = res / SHA_CBLOCK;-
680 res %= SHA_CBLOCK;-
681 pad_blocks +=-
682 1 + ((SHA_CBLOCK - 9 - res) >> (sizeof(res) * 8 - 1));-
683 for (; inp_blocks < pad_blocks; inp_blocks++)-
684 sha1_block_data_order(&key->md, data, 1);-
685 }-
686# endif-
687 key->md = key->tail;-
688 SHA1_Update(&key->md, pmac->c, SHA_DIGEST_LENGTH);-
689 SHA1_Final(pmac->c, &key->md);-
690-
691 /* verify HMAC */-
692 out += inp_len;-
693 len -= inp_len;-
694# if 1 /* see original reference version in #else */-
695 {-
696 unsigned char *p = out + len - 1 - maxpad - SHA_DIGEST_LENGTH;-
697 size_t off = out - p;-
698 unsigned int c, cmask;-
699-
700 maxpad += SHA_DIGEST_LENGTH;-
701 for (res = 0, i = 0, j = 0; j < maxpad; j++) {
j < maxpadDescription
TRUEnever evaluated
FALSEnever evaluated
0
702 c = p[j];-
703 cmask =-
704 ((int)(j - off - SHA_DIGEST_LENGTH)) >> (sizeof(int) *-
705 8 - 1);-
706 res |= (c ^ pad) & ~cmask; /* ... and padding */-
707 cmask &= ((int)(off - 1 - j)) >> (sizeof(int) * 8 - 1);-
708 res |= (c ^ pmac->c[i]) & cmask;-
709 i += 1 & cmask;-
710 }
never executed: end of block
0
711 maxpad -= SHA_DIGEST_LENGTH;-
712-
713 res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1));-
714 ret &= (int)~res;-
715 }-
716# else /* pre-lucky-13 reference version of above */-
717 for (res = 0, i = 0; i < SHA_DIGEST_LENGTH; i++)-
718 res |= out[i] ^ pmac->c[i];-
719 res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1));-
720 ret &= (int)~res;-
721-
722 /* verify padding */-
723 pad = (pad & ~res) | (maxpad & res);-
724 out = out + len - 1 - pad;-
725 for (res = 0, i = 0; i < pad; i++)-
726 res |= out[i] ^ pad;-
727-
728 res = (0 - res) >> (sizeof(res) * 8 - 1);-
729 ret &= (int)~res;-
730# endif-
731 return ret;
never executed: return ret;
0
732 } else {-
733# if defined(STITCHED_DECRYPT_CALL)-
734 if (len >= 1024 && ctx->key_len == 32) {-
735 if (sha_off %= SHA_CBLOCK)-
736 blocks = (len - 3 * SHA_CBLOCK) / SHA_CBLOCK;-
737 else-
738 blocks = (len - 2 * SHA_CBLOCK) / SHA_CBLOCK;-
739 aes_off = len - blocks * SHA_CBLOCK;-
740-
741 aesni_cbc_encrypt(in, out, aes_off, &key->ks, ctx->iv, 0);-
742 SHA1_Update(&key->md, out, sha_off);-
743 aesni256_cbc_sha1_dec(in + aes_off,-
744 out + aes_off, blocks, &key->ks,-
745 ctx->iv, &key->md, out + sha_off);-
746-
747 sha_off += blocks *= SHA_CBLOCK;-
748 out += sha_off;-
749 len -= sha_off;-
750-
751 key->md.Nh += blocks >> 29;-
752 key->md.Nl += blocks <<= 3;-
753 if (key->md.Nl < (unsigned int)blocks)-
754 key->md.Nh++;-
755 } else-
756# endif-
757 /* decrypt HMAC|padding at once */-
758 aesni_cbc_encrypt(in, out, len, &key->ks,-
759 EVP_CIPHER_CTX_iv_noconst(ctx), 0);-
760-
761 SHA1_Update(&key->md, out, len);-
762 }
never executed: end of block
0
763 }-
764-
765 return 1;
never executed: return 1;
0
766}-
767-
768static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,-
769 void *ptr)-
770{-
771 EVP_AES_HMAC_SHA1 *key = data(ctx);-
772-
773 switch (type) {-
774 case EVP_CTRL_AEAD_SET_MAC_KEY:
never executed: case 0x17:
0
775 {-
776 unsigned int i;-
777 unsigned char hmac_key[64];-
778-
779 memset(hmac_key, 0, sizeof(hmac_key));-
780-
781 if (arg > (int)sizeof(hmac_key)) {
arg > (int)sizeof(hmac_key)Description
TRUEnever evaluated
FALSEnever evaluated
0
782 SHA1_Init(&key->head);-
783 SHA1_Update(&key->head, ptr, arg);-
784 SHA1_Final(hmac_key, &key->head);-
785 } else {
never executed: end of block
0
786 memcpy(hmac_key, ptr, arg);-
787 }
never executed: end of block
0
788-
789 for (i = 0; i < sizeof(hmac_key); i++)
i < sizeof(hmac_key)Description
TRUEnever evaluated
FALSEnever evaluated
0
790 hmac_key[i] ^= 0x36; /* ipad */
never executed: hmac_key[i] ^= 0x36;
0
791 SHA1_Init(&key->head);-
792 SHA1_Update(&key->head, hmac_key, sizeof(hmac_key));-
793-
794 for (i = 0; i < sizeof(hmac_key); i++)
i < sizeof(hmac_key)Description
TRUEnever evaluated
FALSEnever evaluated
0
795 hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */
never executed: hmac_key[i] ^= 0x36 ^ 0x5c;
0
796 SHA1_Init(&key->tail);-
797 SHA1_Update(&key->tail, hmac_key, sizeof(hmac_key));-
798-
799 OPENSSL_cleanse(hmac_key, sizeof(hmac_key));-
800-
801 return 1;
never executed: return 1;
0
802 }-
803 case EVP_CTRL_AEAD_TLS1_AAD:
never executed: case 0x16:
0
804 {-
805 unsigned char *p = ptr;-
806 unsigned int len;-
807-
808 if (arg != EVP_AEAD_TLS1_AAD_LEN)
arg != 13Description
TRUEnever evaluated
FALSEnever evaluated
0
809 return -1;
never executed: return -1;
0
810-
811 len = p[arg - 2] << 8 | p[arg - 1];-
812-
813 if (EVP_CIPHER_CTX_encrypting(ctx)) {
EVP_CIPHER_CTX_encrypting(ctx)Description
TRUEnever evaluated
FALSEnever evaluated
0
814 key->payload_length = len;-
815 if ((key->aux.tls_ver =
(key->aux.tls_... 3]) >= 0x0302Description
TRUEnever evaluated
FALSEnever evaluated
0
816 p[arg - 4] << 8 | p[arg - 3]) >= TLS1_1_VERSION) {
(key->aux.tls_... 3]) >= 0x0302Description
TRUEnever evaluated
FALSEnever evaluated
0
817 if (len < AES_BLOCK_SIZE)
len < 16Description
TRUEnever evaluated
FALSEnever evaluated
0
818 return 0;
never executed: return 0;
0
819 len -= AES_BLOCK_SIZE;-
820 p[arg - 2] = len >> 8;-
821 p[arg - 1] = len;-
822 }
never executed: end of block
0
823 key->md = key->head;-
824 SHA1_Update(&key->md, p, arg);-
825-
826 return (int)(((len + SHA_DIGEST_LENGTH +
never executed: return (int)(((len + 20 + 16) & -16) - len);
0
827 AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)
never executed: return (int)(((len + 20 + 16) & -16) - len);
0
828 - len);
never executed: return (int)(((len + 20 + 16) & -16) - len);
0
829 } else {-
830 memcpy(key->aux.tls_aad, ptr, arg);-
831 key->payload_length = arg;-
832-
833 return SHA_DIGEST_LENGTH;
never executed: return 20;
0
834 }-
835 }-
836# if !defined(OPENSSL_NO_MULTIBLOCK)-
837 case EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE:
never executed: case 0x1c:
0
838 return (int)(5 + 16 + ((arg + 20 + 16) & -16));
never executed: return (int)(5 + 16 + ((arg + 20 + 16) & -16));
0
839 case EVP_CTRL_TLS1_1_MULTIBLOCK_AAD:
never executed: case 0x19:
0
840 {-
841 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param =-
842 (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *) ptr;-
843 unsigned int n4x = 1, x4;-
844 unsigned int frag, last, packlen, inp_len;-
845-
846 if (arg < (int)sizeof(EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM))
arg < (int)siz...TIBLOCK_PARAM)Description
TRUEnever evaluated
FALSEnever evaluated
0
847 return -1;
never executed: return -1;
0
848-
849 inp_len = param->inp[11] << 8 | param->inp[12];-
850-
851 if (EVP_CIPHER_CTX_encrypting(ctx)) {
EVP_CIPHER_CTX_encrypting(ctx)Description
TRUEnever evaluated
FALSEnever evaluated
0
852 if ((param->inp[9] << 8 | param->inp[10]) < TLS1_1_VERSION)
(param->inp[9]...[10]) < 0x0302Description
TRUEnever evaluated
FALSEnever evaluated
0
853 return -1;
never executed: return -1;
0
854-
855 if (inp_len) {
inp_lenDescription
TRUEnever evaluated
FALSEnever evaluated
0
856 if (inp_len < 4096)
inp_len < 4096Description
TRUEnever evaluated
FALSEnever evaluated
0
857 return 0; /* too short */
never executed: return 0;
0
858-
859 if (inp_len >= 8192 && OPENSSL_ia32cap_P[2] & (1 << 5))
inp_len >= 8192Description
TRUEnever evaluated
FALSEnever evaluated
OPENSSL_ia32ca...[2] & (1 << 5)Description
TRUEnever evaluated
FALSEnever evaluated
0
860 n4x = 2; /* AVX2 */
never executed: n4x = 2;
0
861 } else if ((n4x = param->interleave / 4) && n4x <= 2)
never executed: end of block
(n4x = param->interleave / 4)Description
TRUEnever evaluated
FALSEnever evaluated
n4x <= 2Description
TRUEnever evaluated
FALSEnever evaluated
0
862 inp_len = param->len;
never executed: inp_len = param->len;
0
863 else-
864 return -1;
never executed: return -1;
0
865-
866 key->md = key->head;-
867 SHA1_Update(&key->md, param->inp, 13);-
868-
869 x4 = 4 * n4x;-
870 n4x += 1;-
871-
872 frag = inp_len >> n4x;-
873 last = inp_len + frag - (frag << n4x);-
874 if (last > frag && ((last + 13 + 9) % 64 < (x4 - 1))) {
last > fragDescription
TRUEnever evaluated
FALSEnever evaluated
((last + 13 + ...64 < (x4 - 1))Description
TRUEnever evaluated
FALSEnever evaluated
0
875 frag++;-
876 last -= x4 - 1;-
877 }
never executed: end of block
0
878-
879 packlen = 5 + 16 + ((frag + 20 + 16) & -16);-
880 packlen = (packlen << n4x) - packlen;-
881 packlen += 5 + 16 + ((last + 20 + 16) & -16);-
882-
883 param->interleave = x4;-
884-
885 return (int)packlen;
never executed: return (int)packlen;
0
886 } else-
887 return -1; /* not yet */
never executed: return -1;
0
888 }-
889 case EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT:
never executed: case 0x1a:
0
890 {-
891 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param =-
892 (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *) ptr;-
893-
894 return (int)tls1_1_multi_block_encrypt(key, param->out,
never executed: return (int)tls1_1_multi_block_encrypt(key, param->out, param->inp, param->len, param->interleave / 4);
0
895 param->inp, param->len,
never executed: return (int)tls1_1_multi_block_encrypt(key, param->out, param->inp, param->len, param->interleave / 4);
0
896 param->interleave / 4);
never executed: return (int)tls1_1_multi_block_encrypt(key, param->out, param->inp, param->len, param->interleave / 4);
0
897 }-
898 case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT:
never executed: case 0x1b:
0
899# endif-
900 default:
never executed: default:
0
901 return -1;
never executed: return -1;
0
902 }-
903}-
904-
905static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = {-
906# ifdef NID_aes_128_cbc_hmac_sha1-
907 NID_aes_128_cbc_hmac_sha1,-
908# else-
909 NID_undef,-
910# endif-
911 AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE,-
912 EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |-
913 EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK,-
914 aesni_cbc_hmac_sha1_init_key,-
915 aesni_cbc_hmac_sha1_cipher,-
916 NULL,-
917 sizeof(EVP_AES_HMAC_SHA1),-
918 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv,-
919 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv,-
920 aesni_cbc_hmac_sha1_ctrl,-
921 NULL-
922};-
923-
924static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = {-
925# ifdef NID_aes_256_cbc_hmac_sha1-
926 NID_aes_256_cbc_hmac_sha1,-
927# else-
928 NID_undef,-
929# endif-
930 AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE,-
931 EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |-
932 EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK,-
933 aesni_cbc_hmac_sha1_init_key,-
934 aesni_cbc_hmac_sha1_cipher,-
935 NULL,-
936 sizeof(EVP_AES_HMAC_SHA1),-
937 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv,-
938 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv,-
939 aesni_cbc_hmac_sha1_ctrl,-
940 NULL-
941};-
942-
943const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)-
944{-
945 return (OPENSSL_ia32cap_P[1] & AESNI_CAPABLE ?
executed 3920 times by 1 test: return (OPENSSL_ia32cap_P[1] & (1<<(57-32)) ? &aesni_128_cbc_hmac_sha1_cipher : ((void *)0) );
Executed by:
  • libcrypto.so.1.1
OPENSSL_ia32ca...& (1<<(57-32))Description
TRUEnever evaluated
FALSEevaluated 3920 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-3920
946 &aesni_128_cbc_hmac_sha1_cipher : NULL);
executed 3920 times by 1 test: return (OPENSSL_ia32cap_P[1] & (1<<(57-32)) ? &aesni_128_cbc_hmac_sha1_cipher : ((void *)0) );
Executed by:
  • libcrypto.so.1.1
3920
947}-
948-
949const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)-
950{-
951 return (OPENSSL_ia32cap_P[1] & AESNI_CAPABLE ?
executed 3920 times by 1 test: return (OPENSSL_ia32cap_P[1] & (1<<(57-32)) ? &aesni_256_cbc_hmac_sha1_cipher : ((void *)0) );
Executed by:
  • libcrypto.so.1.1
OPENSSL_ia32ca...& (1<<(57-32))Description
TRUEnever evaluated
FALSEevaluated 3920 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-3920
952 &aesni_256_cbc_hmac_sha1_cipher : NULL);
executed 3920 times by 1 test: return (OPENSSL_ia32cap_P[1] & (1<<(57-32)) ? &aesni_256_cbc_hmac_sha1_cipher : ((void *)0) );
Executed by:
  • libcrypto.so.1.1
3920
953}-
954#else-
955const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)-
956{-
957 return NULL;-
958}-
959-
960const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)-
961{-
962 return NULL;-
963}-
964#endif-
Source codeSwitch to Preprocessed file
Generated by Squish Coco 4.2.2