Home | History | Annotate | Download | only in cipher_extra
      1 /* Copyright (c) 2014, Google Inc.
      2  *
      3  * Permission to use, copy, modify, and/or distribute this software for any
      4  * purpose with or without fee is hereby granted, provided that the above
      5  * copyright notice and this permission notice appear in all copies.
      6  *
      7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
      8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
      9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
     10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
     11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
     12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
     13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
     14 
     15 #include <assert.h>
     16 #include <limits.h>
     17 #include <string.h>
     18 
     19 #include <openssl/aead.h>
     20 #include <openssl/cipher.h>
     21 #include <openssl/err.h>
     22 #include <openssl/hmac.h>
     23 #include <openssl/md5.h>
     24 #include <openssl/mem.h>
     25 #include <openssl/sha.h>
     26 #include <openssl/type_check.h>
     27 
     28 #include "../fipsmodule/cipher/internal.h"
     29 #include "../internal.h"
     30 #include "internal.h"
     31 
     32 
     33 typedef struct {
     34   EVP_CIPHER_CTX cipher_ctx;
     35   HMAC_CTX hmac_ctx;
     36   /* mac_key is the portion of the key used for the MAC. It is retained
     37    * separately for the constant-time CBC code. */
     38   uint8_t mac_key[EVP_MAX_MD_SIZE];
     39   uint8_t mac_key_len;
     40   /* implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
     41    * IV. */
     42   char implicit_iv;
     43 } AEAD_TLS_CTX;
     44 
     45 OPENSSL_COMPILE_ASSERT(EVP_MAX_MD_SIZE < 256, mac_key_len_fits_in_uint8_t);
     46 
     47 static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {
     48   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
     49   EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);
     50   HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);
     51   OPENSSL_cleanse(&tls_ctx->mac_key, sizeof(tls_ctx->mac_key));
     52   OPENSSL_free(tls_ctx);
     53   ctx->aead_state = NULL;
     54 }
     55 
     56 static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
     57                          size_t tag_len, enum evp_aead_direction_t dir,
     58                          const EVP_CIPHER *cipher, const EVP_MD *md,
     59                          char implicit_iv) {
     60   if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
     61       tag_len != EVP_MD_size(md)) {
     62     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
     63     return 0;
     64   }
     65 
     66   if (key_len != EVP_AEAD_key_length(ctx->aead)) {
     67     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
     68     return 0;
     69   }
     70 
     71   size_t mac_key_len = EVP_MD_size(md);
     72   size_t enc_key_len = EVP_CIPHER_key_length(cipher);
     73   assert(mac_key_len + enc_key_len +
     74          (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len);
     75 
     76   AEAD_TLS_CTX *tls_ctx = OPENSSL_malloc(sizeof(AEAD_TLS_CTX));
     77   if (tls_ctx == NULL) {
     78     OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
     79     return 0;
     80   }
     81   EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);
     82   HMAC_CTX_init(&tls_ctx->hmac_ctx);
     83   assert(mac_key_len <= EVP_MAX_MD_SIZE);
     84   OPENSSL_memcpy(tls_ctx->mac_key, key, mac_key_len);
     85   tls_ctx->mac_key_len = (uint8_t)mac_key_len;
     86   tls_ctx->implicit_iv = implicit_iv;
     87 
     88   ctx->aead_state = tls_ctx;
     89   if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
     90                          implicit_iv ? &key[mac_key_len + enc_key_len] : NULL,
     91                          dir == evp_aead_seal) ||
     92       !HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) {
     93     aead_tls_cleanup(ctx);
     94     ctx->aead_state = NULL;
     95     return 0;
     96   }
     97   EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0);
     98 
     99   return 1;
    100 }
    101 
    102 static int aead_tls_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
    103                                  uint8_t *out_tag, size_t *out_tag_len,
    104                                  size_t max_out_tag_len, const uint8_t *nonce,
    105                                  size_t nonce_len, const uint8_t *in,
    106                                  size_t in_len, const uint8_t *extra_in,
    107                                  size_t extra_in_len, const uint8_t *ad,
    108                                  size_t ad_len) {
    109   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
    110 
    111   if (!tls_ctx->cipher_ctx.encrypt) {
    112     /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
    113     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    114     return 0;
    115   }
    116 
    117   if (in_len > INT_MAX) {
    118     /* EVP_CIPHER takes int as input. */
    119     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    120     return 0;
    121   }
    122 
    123   const size_t max_overhead = EVP_AEAD_max_overhead(ctx->aead);
    124   if (max_out_tag_len < max_overhead) {
    125     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    126     return 0;
    127   }
    128 
    129   if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
    130     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
    131     return 0;
    132   }
    133 
    134   if (ad_len != 13 - 2 /* length bytes */) {
    135     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
    136     return 0;
    137   }
    138 
    139   /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
    140    * length for legacy ciphers. */
    141   uint8_t ad_extra[2];
    142   ad_extra[0] = (uint8_t)(in_len >> 8);
    143   ad_extra[1] = (uint8_t)(in_len & 0xff);
    144 
    145   /* Compute the MAC. This must be first in case the operation is being done
    146    * in-place. */
    147   uint8_t mac[EVP_MAX_MD_SIZE];
    148   unsigned mac_len;
    149   if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
    150       !HMAC_Update(&tls_ctx->hmac_ctx, ad, ad_len) ||
    151       !HMAC_Update(&tls_ctx->hmac_ctx, ad_extra, sizeof(ad_extra)) ||
    152       !HMAC_Update(&tls_ctx->hmac_ctx, in, in_len) ||
    153       !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len)) {
    154     return 0;
    155   }
    156 
    157   /* Configure the explicit IV. */
    158   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
    159       !tls_ctx->implicit_iv &&
    160       !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
    161     return 0;
    162   }
    163 
    164   /* Encrypt the input. */
    165   int len;
    166   if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
    167     return 0;
    168   }
    169 
    170   unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
    171 
    172   /* Feed the MAC into the cipher in two steps. First complete the final partial
    173    * block from encrypting the input and split the result between |out| and
    174    * |out_tag|. Then feed the rest. */
    175 
    176   size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;
    177   if (early_mac_len != 0) {
    178     assert(len + block_size - early_mac_len == in_len);
    179     uint8_t buf[EVP_MAX_BLOCK_LENGTH];
    180     int buf_len;
    181     if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, buf, &buf_len, mac,
    182                            (int)early_mac_len)) {
    183       return 0;
    184     }
    185     assert(buf_len == (int)block_size);
    186     OPENSSL_memcpy(out + len, buf, block_size - early_mac_len);
    187     OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len);
    188   }
    189   size_t tag_len = early_mac_len;
    190 
    191   if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
    192                          mac + tag_len, mac_len - tag_len)) {
    193     return 0;
    194   }
    195   tag_len += len;
    196 
    197   if (block_size > 1) {
    198     assert(block_size <= 256);
    199     assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
    200 
    201     /* Compute padding and feed that into the cipher. */
    202     uint8_t padding[256];
    203     unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
    204     OPENSSL_memset(padding, padding_len - 1, padding_len);
    205     if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
    206                            padding, (int)padding_len)) {
    207       return 0;
    208     }
    209     tag_len += len;
    210   }
    211 
    212   if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out_tag + tag_len, &len)) {
    213     return 0;
    214   }
    215   tag_len += len;
    216   assert(tag_len <= max_overhead);
    217 
    218   *out_tag_len = tag_len;
    219   return 1;
    220 }
    221 
    222 static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
    223                          size_t max_out_len, const uint8_t *nonce,
    224                          size_t nonce_len, const uint8_t *in, size_t in_len,
    225                          const uint8_t *ad, size_t ad_len) {
    226   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
    227 
    228   if (tls_ctx->cipher_ctx.encrypt) {
    229     /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
    230     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    231     return 0;
    232   }
    233 
    234   if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) {
    235     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    236     return 0;
    237   }
    238 
    239   if (max_out_len < in_len) {
    240     /* This requires that the caller provide space for the MAC, even though it
    241      * will always be removed on return. */
    242     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    243     return 0;
    244   }
    245 
    246   if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
    247     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
    248     return 0;
    249   }
    250 
    251   if (ad_len != 13 - 2 /* length bytes */) {
    252     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
    253     return 0;
    254   }
    255 
    256   if (in_len > INT_MAX) {
    257     /* EVP_CIPHER takes int as input. */
    258     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    259     return 0;
    260   }
    261 
    262   /* Configure the explicit IV. */
    263   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
    264       !tls_ctx->implicit_iv &&
    265       !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
    266     return 0;
    267   }
    268 
    269   /* Decrypt to get the plaintext + MAC + padding. */
    270   size_t total = 0;
    271   int len;
    272   if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
    273     return 0;
    274   }
    275   total += len;
    276   if (!EVP_DecryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {
    277     return 0;
    278   }
    279   total += len;
    280   assert(total == in_len);
    281 
    282   /* Remove CBC padding. Code from here on is timing-sensitive with respect to
    283    * |padding_ok| and |data_plus_mac_len| for CBC ciphers. */
    284   size_t data_plus_mac_len;
    285   crypto_word_t padding_ok;
    286   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
    287     if (!EVP_tls_cbc_remove_padding(
    288             &padding_ok, &data_plus_mac_len, out, total,
    289             EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
    290             HMAC_size(&tls_ctx->hmac_ctx))) {
    291       /* Publicly invalid. This can be rejected in non-constant time. */
    292       OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    293       return 0;
    294     }
    295   } else {
    296     padding_ok = CONSTTIME_TRUE_W;
    297     data_plus_mac_len = total;
    298     /* |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
    299      * already been checked against the MAC size at the top of the function. */
    300     assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));
    301   }
    302   size_t data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
    303 
    304   /* At this point, if the padding is valid, the first |data_plus_mac_len| bytes
    305    * after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
    306    * still large enough to extract a MAC, but it will be irrelevant. */
    307 
    308   /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
    309    * length for legacy ciphers. */
    310   uint8_t ad_fixed[13];
    311   OPENSSL_memcpy(ad_fixed, ad, 11);
    312   ad_fixed[11] = (uint8_t)(data_len >> 8);
    313   ad_fixed[12] = (uint8_t)(data_len & 0xff);
    314   ad_len += 2;
    315 
    316   /* Compute the MAC and extract the one in the record. */
    317   uint8_t mac[EVP_MAX_MD_SIZE];
    318   size_t mac_len;
    319   uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
    320   uint8_t *record_mac;
    321   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
    322       EVP_tls_cbc_record_digest_supported(tls_ctx->hmac_ctx.md)) {
    323     if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len,
    324                                    ad_fixed, out, data_plus_mac_len, total,
    325                                    tls_ctx->mac_key, tls_ctx->mac_key_len)) {
    326       OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    327       return 0;
    328     }
    329     assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
    330 
    331     record_mac = record_mac_tmp;
    332     EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);
    333   } else {
    334     /* We should support the constant-time path for all CBC-mode ciphers
    335      * implemented. */
    336     assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);
    337 
    338     unsigned mac_len_u;
    339     if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
    340         !HMAC_Update(&tls_ctx->hmac_ctx, ad_fixed, ad_len) ||
    341         !HMAC_Update(&tls_ctx->hmac_ctx, out, data_len) ||
    342         !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len_u)) {
    343       return 0;
    344     }
    345     mac_len = mac_len_u;
    346 
    347     assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
    348     record_mac = &out[data_len];
    349   }
    350 
    351   /* Perform the MAC check and the padding check in constant-time. It should be
    352    * safe to simply perform the padding check first, but it would not be under a
    353    * different choice of MAC location on padding failure. See
    354    * EVP_tls_cbc_remove_padding. */
    355   crypto_word_t good =
    356       constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0);
    357   good &= padding_ok;
    358   if (!good) {
    359     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    360     return 0;
    361   }
    362 
    363   /* End of timing-sensitive code. */
    364 
    365   *out_len = data_len;
    366   return 1;
    367 }
    368 
    369 static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
    370                                           size_t key_len, size_t tag_len,
    371                                           enum evp_aead_direction_t dir) {
    372   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
    373                        EVP_sha1(), 0);
    374 }
    375 
    376 static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(
    377     EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
    378     enum evp_aead_direction_t dir) {
    379   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
    380                        EVP_sha1(), 1);
    381 }
    382 
    383 static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
    384                                             const uint8_t *key, size_t key_len,
    385                                             size_t tag_len,
    386                                             enum evp_aead_direction_t dir) {
    387   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
    388                        EVP_sha256(), 0);
    389 }
    390 
    391 static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
    392                                           size_t key_len, size_t tag_len,
    393                                           enum evp_aead_direction_t dir) {
    394   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
    395                        EVP_sha1(), 0);
    396 }
    397 
    398 static int aead_aes_256_cbc_sha1_tls_implicit_iv_init(
    399     EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
    400     enum evp_aead_direction_t dir) {
    401   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
    402                        EVP_sha1(), 1);
    403 }
    404 
    405 static int aead_aes_256_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
    406                                             const uint8_t *key, size_t key_len,
    407                                             size_t tag_len,
    408                                             enum evp_aead_direction_t dir) {
    409   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
    410                        EVP_sha256(), 0);
    411 }
    412 
    413 static int aead_aes_256_cbc_sha384_tls_init(EVP_AEAD_CTX *ctx,
    414                                             const uint8_t *key, size_t key_len,
    415                                             size_t tag_len,
    416                                             enum evp_aead_direction_t dir) {
    417   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
    418                        EVP_sha384(), 0);
    419 }
    420 
    421 static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx,
    422                                            const uint8_t *key, size_t key_len,
    423                                            size_t tag_len,
    424                                            enum evp_aead_direction_t dir) {
    425   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
    426                        EVP_sha1(), 0);
    427 }
    428 
    429 static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(
    430     EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
    431     enum evp_aead_direction_t dir) {
    432   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
    433                        EVP_sha1(), 1);
    434 }
    435 
    436 static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
    437                            size_t *out_iv_len) {
    438   const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX*) ctx->aead_state;
    439   const size_t iv_len = EVP_CIPHER_CTX_iv_length(&tls_ctx->cipher_ctx);
    440   if (iv_len <= 1) {
    441     return 0;
    442   }
    443 
    444   *out_iv = tls_ctx->cipher_ctx.iv;
    445   *out_iv_len = iv_len;
    446   return 1;
    447 }
    448 
    449 static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
    450                                    size_t key_len, size_t tag_len,
    451                                    enum evp_aead_direction_t dir) {
    452   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
    453                        EVP_sha1(), 1 /* implicit iv */);
    454 }
    455 
    456 static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
    457     SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + AES128) */
    458     16,                     /* nonce len (IV) */
    459     16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
    460     SHA_DIGEST_LENGTH,      /* max tag length */
    461     0,                      /* seal_scatter_supports_extra_in */
    462 
    463     NULL, /* init */
    464     aead_aes_128_cbc_sha1_tls_init,
    465     aead_tls_cleanup,
    466     aead_tls_open,
    467     aead_tls_seal_scatter,
    468     NULL, /* open_gather */
    469     NULL, /* get_iv */
    470 };
    471 
    472 static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
    473     SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
    474     0,                           /* nonce len */
    475     16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
    476     SHA_DIGEST_LENGTH,           /* max tag length */
    477     0,                           /* seal_scatter_supports_extra_in */
    478 
    479     NULL, /* init */
    480     aead_aes_128_cbc_sha1_tls_implicit_iv_init,
    481     aead_tls_cleanup,
    482     aead_tls_open,
    483     aead_tls_seal_scatter,
    484     NULL,            /* open_gather */
    485     aead_tls_get_iv, /* get_iv */
    486 };
    487 
    488 static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
    489     SHA256_DIGEST_LENGTH + 16, /* key len (SHA256 + AES128) */
    490     16,                        /* nonce len (IV) */
    491     16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
    492     SHA256_DIGEST_LENGTH,      /* max tag length */
    493     0,                         /* seal_scatter_supports_extra_in */
    494 
    495     NULL, /* init */
    496     aead_aes_128_cbc_sha256_tls_init,
    497     aead_tls_cleanup,
    498     aead_tls_open,
    499     aead_tls_seal_scatter,
    500     NULL, /* open_gather */
    501     NULL, /* get_iv */
    502 };
    503 
    504 static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
    505     SHA_DIGEST_LENGTH + 32, /* key len (SHA1 + AES256) */
    506     16,                     /* nonce len (IV) */
    507     16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
    508     SHA_DIGEST_LENGTH,      /* max tag length */
    509     0,                      /* seal_scatter_supports_extra_in */
    510 
    511     NULL, /* init */
    512     aead_aes_256_cbc_sha1_tls_init,
    513     aead_tls_cleanup,
    514     aead_tls_open,
    515     aead_tls_seal_scatter,
    516     NULL, /* open_gather */
    517     NULL, /* get_iv */
    518 };
    519 
    520 static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
    521     SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
    522     0,                           /* nonce len */
    523     16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
    524     SHA_DIGEST_LENGTH,           /* max tag length */
    525     0,                           /* seal_scatter_supports_extra_in */
    526 
    527     NULL, /* init */
    528     aead_aes_256_cbc_sha1_tls_implicit_iv_init,
    529     aead_tls_cleanup,
    530     aead_tls_open,
    531     aead_tls_seal_scatter,
    532     NULL,            /* open_gather */
    533     aead_tls_get_iv, /* get_iv */
    534 };
    535 
    536 static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
    537     SHA256_DIGEST_LENGTH + 32, /* key len (SHA256 + AES256) */
    538     16,                        /* nonce len (IV) */
    539     16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
    540     SHA256_DIGEST_LENGTH,      /* max tag length */
    541     0,                         /* seal_scatter_supports_extra_in */
    542 
    543     NULL, /* init */
    544     aead_aes_256_cbc_sha256_tls_init,
    545     aead_tls_cleanup,
    546     aead_tls_open,
    547     aead_tls_seal_scatter,
    548     NULL, /* open_gather */
    549     NULL, /* get_iv */
    550 };
    551 
    552 static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
    553     SHA384_DIGEST_LENGTH + 32, /* key len (SHA384 + AES256) */
    554     16,                        /* nonce len (IV) */
    555     16 + SHA384_DIGEST_LENGTH, /* overhead (padding + SHA384) */
    556     SHA384_DIGEST_LENGTH,      /* max tag length */
    557     0,                         /* seal_scatter_supports_extra_in */
    558 
    559     NULL, /* init */
    560     aead_aes_256_cbc_sha384_tls_init,
    561     aead_tls_cleanup,
    562     aead_tls_open,
    563     aead_tls_seal_scatter,
    564     NULL, /* open_gather */
    565     NULL, /* get_iv */
    566 };
    567 
    568 static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
    569     SHA_DIGEST_LENGTH + 24, /* key len (SHA1 + 3DES) */
    570     8,                      /* nonce len (IV) */
    571     8 + SHA_DIGEST_LENGTH,  /* overhead (padding + SHA1) */
    572     SHA_DIGEST_LENGTH,      /* max tag length */
    573     0,                      /* seal_scatter_supports_extra_in */
    574 
    575     NULL, /* init */
    576     aead_des_ede3_cbc_sha1_tls_init,
    577     aead_tls_cleanup,
    578     aead_tls_open,
    579     aead_tls_seal_scatter,
    580     NULL, /* open_gather */
    581     NULL, /* get_iv */
    582 };
    583 
    584 static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
    585     SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
    586     0,                          /* nonce len */
    587     8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
    588     SHA_DIGEST_LENGTH,          /* max tag length */
    589     0,                          /* seal_scatter_supports_extra_in */
    590 
    591     NULL, /* init */
    592     aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
    593     aead_tls_cleanup,
    594     aead_tls_open,
    595     aead_tls_seal_scatter,
    596     NULL,            /* open_gather */
    597     aead_tls_get_iv, /* get_iv */
    598 };
    599 
    600 static const EVP_AEAD aead_null_sha1_tls = {
    601     SHA_DIGEST_LENGTH, /* key len */
    602     0,                 /* nonce len */
    603     SHA_DIGEST_LENGTH, /* overhead (SHA1) */
    604     SHA_DIGEST_LENGTH, /* max tag length */
    605     0,                 /* seal_scatter_supports_extra_in */
    606 
    607     NULL, /* init */
    608     aead_null_sha1_tls_init,
    609     aead_tls_cleanup,
    610     aead_tls_open,
    611     aead_tls_seal_scatter,
    612     NULL, /* open_gather */
    613     NULL, /* get_iv */
    614 };
    615 
    616 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
    617   return &aead_aes_128_cbc_sha1_tls;
    618 }
    619 
    620 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void) {
    621   return &aead_aes_128_cbc_sha1_tls_implicit_iv;
    622 }
    623 
    624 const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void) {
    625   return &aead_aes_128_cbc_sha256_tls;
    626 }
    627 
    628 const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void) {
    629   return &aead_aes_256_cbc_sha1_tls;
    630 }
    631 
    632 const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void) {
    633   return &aead_aes_256_cbc_sha1_tls_implicit_iv;
    634 }
    635 
    636 const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void) {
    637   return &aead_aes_256_cbc_sha256_tls;
    638 }
    639 
    640 const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void) {
    641   return &aead_aes_256_cbc_sha384_tls;
    642 }
    643 
    644 const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) {
    645   return &aead_des_ede3_cbc_sha1_tls;
    646 }
    647 
    648 const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) {
    649   return &aead_des_ede3_cbc_sha1_tls_implicit_iv;
    650 }
    651 
    652 const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; }
    653