e_aes_cbc_hmac_sha1.c revision 298999
1/* ==================================================================== 2 * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in 13 * the documentation and/or other materials provided with the 14 * distribution. 15 * 16 * 3. All advertising materials mentioning features or use of this 17 * software must display the following acknowledgment: 18 * "This product includes software developed by the OpenSSL Project 19 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 20 * 21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 22 * endorse or promote products derived from this software without 23 * prior written permission. For written permission, please contact 24 * licensing@OpenSSL.org. 25 * 26 * 5. Products derived from this software may not be called "OpenSSL" 27 * nor may "OpenSSL" appear in their names without prior written 28 * permission of the OpenSSL Project. 29 * 30 * 6. Redistributions of any form whatsoever must retain the following 31 * acknowledgment: 32 * "This product includes software developed by the OpenSSL Project 33 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 34 * 35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 46 * OF THE POSSIBILITY OF SUCH DAMAGE. 47 * ==================================================================== 48 */ 49 50#include <openssl/opensslconf.h> 51 52#include <stdio.h> 53#include <string.h> 54 55#if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1) 56 57# include <openssl/evp.h> 58# include <openssl/objects.h> 59# include <openssl/aes.h> 60# include <openssl/sha.h> 61# include "evp_locl.h" 62# include "constant_time_locl.h" 63 64# ifndef EVP_CIPH_FLAG_AEAD_CIPHER 65# define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 66# define EVP_CTRL_AEAD_TLS1_AAD 0x16 67# define EVP_CTRL_AEAD_SET_MAC_KEY 0x17 68# endif 69 70# if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1) 71# define EVP_CIPH_FLAG_DEFAULT_ASN1 0 72# endif 73 74# define TLS1_1_VERSION 0x0302 75 76typedef struct { 77 AES_KEY ks; 78 SHA_CTX head, tail, md; 79 size_t payload_length; /* AAD length in decrypt case */ 80 union { 81 unsigned int tls_ver; 82 unsigned char tls_aad[16]; /* 13 used */ 83 } aux; 84} EVP_AES_HMAC_SHA1; 85 86# define NO_PAYLOAD_LENGTH ((size_t)-1) 87 88# if defined(AES_ASM) && ( \ 89 defined(__x86_64) || defined(__x86_64__) || \ 90 defined(_M_AMD64) || defined(_M_X64) || \ 91 defined(__INTEL__) ) 92 93# if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC) 94# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; }) 95# endif 96 97extern unsigned int OPENSSL_ia32cap_P[2]; 98# define AESNI_CAPABLE (1<<(57-32)) 99 100int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 101 AES_KEY *key); 102int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 103 AES_KEY *key); 104 105void aesni_cbc_encrypt(const unsigned char *in, 106 unsigned char *out, 107 size_t length, 108 const AES_KEY *key, unsigned char *ivec, int enc); 109 110void aesni_cbc_sha1_enc(const void *inp, void *out, size_t blocks, 111 const AES_KEY *key, unsigned char iv[16], 112 SHA_CTX *ctx, const void *in0); 113 114# define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data) 115 116static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, 117 const unsigned char *inkey, 118 const unsigned char *iv, int enc) 119{ 120 EVP_AES_HMAC_SHA1 *key = data(ctx); 121 int ret; 122 123 if (enc) 124 ret = aesni_set_encrypt_key(inkey, ctx->key_len * 8, &key->ks); 125 else 126 ret = aesni_set_decrypt_key(inkey, ctx->key_len * 8, &key->ks); 127 128 SHA1_Init(&key->head); /* handy when benchmarking */ 129 key->tail = key->head; 130 key->md = key->head; 131 132 key->payload_length = NO_PAYLOAD_LENGTH; 133 134 return ret < 0 ? 0 : 1; 135} 136 137# define STITCHED_CALL 138 139# if !defined(STITCHED_CALL) 140# define aes_off 0 141# endif 142 143void sha1_block_data_order(void *c, const void *p, size_t len); 144 145static void sha1_update(SHA_CTX *c, const void *data, size_t len) 146{ 147 const unsigned char *ptr = data; 148 size_t res; 149 150 if ((res = c->num)) { 151 res = SHA_CBLOCK - res; 152 if (len < res) 153 res = len; 154 SHA1_Update(c, ptr, res); 155 ptr += res; 156 len -= res; 157 } 158 159 res = len % SHA_CBLOCK; 160 len -= res; 161 162 if (len) { 163 sha1_block_data_order(c, ptr, len / SHA_CBLOCK); 164 165 ptr += len; 166 c->Nh += len >> 29; 167 c->Nl += len <<= 3; 168 if (c->Nl < (unsigned int)len) 169 c->Nh++; 170 } 171 172 if (res) 173 SHA1_Update(c, ptr, res); 174} 175 176# ifdef SHA1_Update 177# undef SHA1_Update 178# endif 179# define SHA1_Update sha1_update 180 181static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 182 const unsigned char *in, size_t len) 183{ 184 EVP_AES_HMAC_SHA1 *key = data(ctx); 185 unsigned int l; 186 size_t plen = key->payload_length, iv = 0, /* explicit IV in TLS 1.1 and 187 * later */ 188 sha_off = 0; 189# if defined(STITCHED_CALL) 190 size_t aes_off = 0, blocks; 191 192 sha_off = SHA_CBLOCK - key->md.num; 193# endif 194 195 key->payload_length = NO_PAYLOAD_LENGTH; 196 197 if (len % AES_BLOCK_SIZE) 198 return 0; 199 200 if (ctx->encrypt) { 201 if (plen == NO_PAYLOAD_LENGTH) 202 plen = len; 203 else if (len != 204 ((plen + SHA_DIGEST_LENGTH + 205 AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)) 206 return 0; 207 else if (key->aux.tls_ver >= TLS1_1_VERSION) 208 iv = AES_BLOCK_SIZE; 209 210# if defined(STITCHED_CALL) 211 if (plen > (sha_off + iv) 212 && (blocks = (plen - (sha_off + iv)) / SHA_CBLOCK)) { 213 SHA1_Update(&key->md, in + iv, sha_off); 214 215 aesni_cbc_sha1_enc(in, out, blocks, &key->ks, 216 ctx->iv, &key->md, in + iv + sha_off); 217 blocks *= SHA_CBLOCK; 218 aes_off += blocks; 219 sha_off += blocks; 220 key->md.Nh += blocks >> 29; 221 key->md.Nl += blocks <<= 3; 222 if (key->md.Nl < (unsigned int)blocks) 223 key->md.Nh++; 224 } else { 225 sha_off = 0; 226 } 227# endif 228 sha_off += iv; 229 SHA1_Update(&key->md, in + sha_off, plen - sha_off); 230 231 if (plen != len) { /* "TLS" mode of operation */ 232 if (in != out) 233 memcpy(out + aes_off, in + aes_off, plen - aes_off); 234 235 /* calculate HMAC and append it to payload */ 236 SHA1_Final(out + plen, &key->md); 237 key->md = key->tail; 238 SHA1_Update(&key->md, out + plen, SHA_DIGEST_LENGTH); 239 SHA1_Final(out + plen, &key->md); 240 241 /* pad the payload|hmac */ 242 plen += SHA_DIGEST_LENGTH; 243 for (l = len - plen - 1; plen < len; plen++) 244 out[plen] = l; 245 /* encrypt HMAC|padding at once */ 246 aesni_cbc_encrypt(out + aes_off, out + aes_off, len - aes_off, 247 &key->ks, ctx->iv, 1); 248 } else { 249 aesni_cbc_encrypt(in + aes_off, out + aes_off, len - aes_off, 250 &key->ks, ctx->iv, 1); 251 } 252 } else { 253 union { 254 unsigned int u[SHA_DIGEST_LENGTH / sizeof(unsigned int)]; 255 unsigned char c[32 + SHA_DIGEST_LENGTH]; 256 } mac, *pmac; 257 258 /* arrange cache line alignment */ 259 pmac = (void *)(((size_t)mac.c + 31) & ((size_t)0 - 32)); 260 261 /* decrypt HMAC|padding at once */ 262 aesni_cbc_encrypt(in, out, len, &key->ks, ctx->iv, 0); 263 264 if (plen) { /* "TLS" mode of operation */ 265 size_t inp_len, mask, j, i; 266 unsigned int res, maxpad, pad, bitlen; 267 int ret = 1; 268 union { 269 unsigned int u[SHA_LBLOCK]; 270 unsigned char c[SHA_CBLOCK]; 271 } *data = (void *)key->md.data; 272 273 if ((key->aux.tls_aad[plen - 4] << 8 | key->aux.tls_aad[plen - 3]) 274 >= TLS1_1_VERSION) 275 iv = AES_BLOCK_SIZE; 276 277 if (len < (iv + SHA_DIGEST_LENGTH + 1)) 278 return 0; 279 280 /* omit explicit iv */ 281 out += iv; 282 len -= iv; 283 284 /* figure out payload length */ 285 pad = out[len - 1]; 286 maxpad = len - (SHA_DIGEST_LENGTH + 1); 287 maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); 288 maxpad &= 255; 289 290 ret &= constant_time_ge(maxpad, pad); 291 292 inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); 293 mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); 294 inp_len &= mask; 295 ret &= (int)mask; 296 297 key->aux.tls_aad[plen - 2] = inp_len >> 8; 298 key->aux.tls_aad[plen - 1] = inp_len; 299 300 /* calculate HMAC */ 301 key->md = key->head; 302 SHA1_Update(&key->md, key->aux.tls_aad, plen); 303 304# if 1 305 len -= SHA_DIGEST_LENGTH; /* amend mac */ 306 if (len >= (256 + SHA_CBLOCK)) { 307 j = (len - (256 + SHA_CBLOCK)) & (0 - SHA_CBLOCK); 308 j += SHA_CBLOCK - key->md.num; 309 SHA1_Update(&key->md, out, j); 310 out += j; 311 len -= j; 312 inp_len -= j; 313 } 314 315 /* but pretend as if we hashed padded payload */ 316 bitlen = key->md.Nl + (inp_len << 3); /* at most 18 bits */ 317# ifdef BSWAP 318 bitlen = BSWAP(bitlen); 319# else 320 mac.c[0] = 0; 321 mac.c[1] = (unsigned char)(bitlen >> 16); 322 mac.c[2] = (unsigned char)(bitlen >> 8); 323 mac.c[3] = (unsigned char)bitlen; 324 bitlen = mac.u[0]; 325# endif 326 327 pmac->u[0] = 0; 328 pmac->u[1] = 0; 329 pmac->u[2] = 0; 330 pmac->u[3] = 0; 331 pmac->u[4] = 0; 332 333 for (res = key->md.num, j = 0; j < len; j++) { 334 size_t c = out[j]; 335 mask = (j - inp_len) >> (sizeof(j) * 8 - 8); 336 c &= mask; 337 c |= 0x80 & ~mask & ~((inp_len - j) >> (sizeof(j) * 8 - 8)); 338 data->c[res++] = (unsigned char)c; 339 340 if (res != SHA_CBLOCK) 341 continue; 342 343 /* j is not incremented yet */ 344 mask = 0 - ((inp_len + 7 - j) >> (sizeof(j) * 8 - 1)); 345 data->u[SHA_LBLOCK - 1] |= bitlen & mask; 346 sha1_block_data_order(&key->md, data, 1); 347 mask &= 0 - ((j - inp_len - 72) >> (sizeof(j) * 8 - 1)); 348 pmac->u[0] |= key->md.h0 & mask; 349 pmac->u[1] |= key->md.h1 & mask; 350 pmac->u[2] |= key->md.h2 & mask; 351 pmac->u[3] |= key->md.h3 & mask; 352 pmac->u[4] |= key->md.h4 & mask; 353 res = 0; 354 } 355 356 for (i = res; i < SHA_CBLOCK; i++, j++) 357 data->c[i] = 0; 358 359 if (res > SHA_CBLOCK - 8) { 360 mask = 0 - ((inp_len + 8 - j) >> (sizeof(j) * 8 - 1)); 361 data->u[SHA_LBLOCK - 1] |= bitlen & mask; 362 sha1_block_data_order(&key->md, data, 1); 363 mask &= 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1)); 364 pmac->u[0] |= key->md.h0 & mask; 365 pmac->u[1] |= key->md.h1 & mask; 366 pmac->u[2] |= key->md.h2 & mask; 367 pmac->u[3] |= key->md.h3 & mask; 368 pmac->u[4] |= key->md.h4 & mask; 369 370 memset(data, 0, SHA_CBLOCK); 371 j += 64; 372 } 373 data->u[SHA_LBLOCK - 1] = bitlen; 374 sha1_block_data_order(&key->md, data, 1); 375 mask = 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1)); 376 pmac->u[0] |= key->md.h0 & mask; 377 pmac->u[1] |= key->md.h1 & mask; 378 pmac->u[2] |= key->md.h2 & mask; 379 pmac->u[3] |= key->md.h3 & mask; 380 pmac->u[4] |= key->md.h4 & mask; 381 382# ifdef BSWAP 383 pmac->u[0] = BSWAP(pmac->u[0]); 384 pmac->u[1] = BSWAP(pmac->u[1]); 385 pmac->u[2] = BSWAP(pmac->u[2]); 386 pmac->u[3] = BSWAP(pmac->u[3]); 387 pmac->u[4] = BSWAP(pmac->u[4]); 388# else 389 for (i = 0; i < 5; i++) { 390 res = pmac->u[i]; 391 pmac->c[4 * i + 0] = (unsigned char)(res >> 24); 392 pmac->c[4 * i + 1] = (unsigned char)(res >> 16); 393 pmac->c[4 * i + 2] = (unsigned char)(res >> 8); 394 pmac->c[4 * i + 3] = (unsigned char)res; 395 } 396# endif 397 len += SHA_DIGEST_LENGTH; 398# else 399 SHA1_Update(&key->md, out, inp_len); 400 res = key->md.num; 401 SHA1_Final(pmac->c, &key->md); 402 403 { 404 unsigned int inp_blocks, pad_blocks; 405 406 /* but pretend as if we hashed padded payload */ 407 inp_blocks = 408 1 + ((SHA_CBLOCK - 9 - res) >> (sizeof(res) * 8 - 1)); 409 res += (unsigned int)(len - inp_len); 410 pad_blocks = res / SHA_CBLOCK; 411 res %= SHA_CBLOCK; 412 pad_blocks += 413 1 + ((SHA_CBLOCK - 9 - res) >> (sizeof(res) * 8 - 1)); 414 for (; inp_blocks < pad_blocks; inp_blocks++) 415 sha1_block_data_order(&key->md, data, 1); 416 } 417# endif 418 key->md = key->tail; 419 SHA1_Update(&key->md, pmac->c, SHA_DIGEST_LENGTH); 420 SHA1_Final(pmac->c, &key->md); 421 422 /* verify HMAC */ 423 out += inp_len; 424 len -= inp_len; 425# if 1 426 { 427 unsigned char *p = out + len - 1 - maxpad - SHA_DIGEST_LENGTH; 428 size_t off = out - p; 429 unsigned int c, cmask; 430 431 maxpad += SHA_DIGEST_LENGTH; 432 for (res = 0, i = 0, j = 0; j < maxpad; j++) { 433 c = p[j]; 434 cmask = 435 ((int)(j - off - SHA_DIGEST_LENGTH)) >> (sizeof(int) * 436 8 - 1); 437 res |= (c ^ pad) & ~cmask; /* ... and padding */ 438 cmask &= ((int)(off - 1 - j)) >> (sizeof(int) * 8 - 1); 439 res |= (c ^ pmac->c[i]) & cmask; 440 i += 1 & cmask; 441 } 442 maxpad -= SHA_DIGEST_LENGTH; 443 444 res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); 445 ret &= (int)~res; 446 } 447# else 448 for (res = 0, i = 0; i < SHA_DIGEST_LENGTH; i++) 449 res |= out[i] ^ pmac->c[i]; 450 res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); 451 ret &= (int)~res; 452 453 /* verify padding */ 454 pad = (pad & ~res) | (maxpad & res); 455 out = out + len - 1 - pad; 456 for (res = 0, i = 0; i < pad; i++) 457 res |= out[i] ^ pad; 458 459 res = (0 - res) >> (sizeof(res) * 8 - 1); 460 ret &= (int)~res; 461# endif 462 return ret; 463 } else { 464 SHA1_Update(&key->md, out, len); 465 } 466 } 467 468 return 1; 469} 470 471static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, 472 void *ptr) 473{ 474 EVP_AES_HMAC_SHA1 *key = data(ctx); 475 476 switch (type) { 477 case EVP_CTRL_AEAD_SET_MAC_KEY: 478 { 479 unsigned int i; 480 unsigned char hmac_key[64]; 481 482 memset(hmac_key, 0, sizeof(hmac_key)); 483 484 if (arg > (int)sizeof(hmac_key)) { 485 SHA1_Init(&key->head); 486 SHA1_Update(&key->head, ptr, arg); 487 SHA1_Final(hmac_key, &key->head); 488 } else { 489 memcpy(hmac_key, ptr, arg); 490 } 491 492 for (i = 0; i < sizeof(hmac_key); i++) 493 hmac_key[i] ^= 0x36; /* ipad */ 494 SHA1_Init(&key->head); 495 SHA1_Update(&key->head, hmac_key, sizeof(hmac_key)); 496 497 for (i = 0; i < sizeof(hmac_key); i++) 498 hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */ 499 SHA1_Init(&key->tail); 500 SHA1_Update(&key->tail, hmac_key, sizeof(hmac_key)); 501 502 OPENSSL_cleanse(hmac_key, sizeof(hmac_key)); 503 504 return 1; 505 } 506 case EVP_CTRL_AEAD_TLS1_AAD: 507 { 508 unsigned char *p = ptr; 509 unsigned int len; 510 511 if (arg != EVP_AEAD_TLS1_AAD_LEN) 512 return -1; 513 514 len = p[arg - 2] << 8 | p[arg - 1]; 515 516 if (ctx->encrypt) { 517 key->payload_length = len; 518 if ((key->aux.tls_ver = 519 p[arg - 4] << 8 | p[arg - 3]) >= TLS1_1_VERSION) { 520 len -= AES_BLOCK_SIZE; 521 p[arg - 2] = len >> 8; 522 p[arg - 1] = len; 523 } 524 key->md = key->head; 525 SHA1_Update(&key->md, p, arg); 526 527 return (int)(((len + SHA_DIGEST_LENGTH + 528 AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) 529 - len); 530 } else { 531 memcpy(key->aux.tls_aad, ptr, arg); 532 key->payload_length = arg; 533 534 return SHA_DIGEST_LENGTH; 535 } 536 } 537 default: 538 return -1; 539 } 540} 541 542static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = { 543# ifdef NID_aes_128_cbc_hmac_sha1 544 NID_aes_128_cbc_hmac_sha1, 545# else 546 NID_undef, 547# endif 548 16, 16, 16, 549 EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | 550 EVP_CIPH_FLAG_AEAD_CIPHER, 551 aesni_cbc_hmac_sha1_init_key, 552 aesni_cbc_hmac_sha1_cipher, 553 NULL, 554 sizeof(EVP_AES_HMAC_SHA1), 555 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv, 556 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv, 557 aesni_cbc_hmac_sha1_ctrl, 558 NULL 559}; 560 561static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = { 562# ifdef NID_aes_256_cbc_hmac_sha1 563 NID_aes_256_cbc_hmac_sha1, 564# else 565 NID_undef, 566# endif 567 16, 32, 16, 568 EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | 569 EVP_CIPH_FLAG_AEAD_CIPHER, 570 aesni_cbc_hmac_sha1_init_key, 571 aesni_cbc_hmac_sha1_cipher, 572 NULL, 573 sizeof(EVP_AES_HMAC_SHA1), 574 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv, 575 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv, 576 aesni_cbc_hmac_sha1_ctrl, 577 NULL 578}; 579 580const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void) 581{ 582 return (OPENSSL_ia32cap_P[1] & AESNI_CAPABLE ? 583 &aesni_128_cbc_hmac_sha1_cipher : NULL); 584} 585 586const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void) 587{ 588 return (OPENSSL_ia32cap_P[1] & AESNI_CAPABLE ? 589 &aesni_256_cbc_hmac_sha1_cipher : NULL); 590} 591# else 592const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void) 593{ 594 return NULL; 595} 596 597const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void) 598{ 599 return NULL; 600} 601# endif 602#endif 603