e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.

	EVP_add_cipher(EVP_aes_256_xts());

	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");

	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");

#if 0  /* Disabled because of timing side-channel leaks. */

#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)

	EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());

	EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());

#endif

#endif

#endif

#ifndef OPENSSL_NO_CAMELLIA

	EVP_add_cipher(EVP_camellia_128_ecb());

/* ====================================================================

 * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.

 * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

	defined(_M_AMD64)	|| defined(_M_X64)	|| \

	defined(__INTEL__)	)

#if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)

# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })

#endif

extern unsigned int OPENSSL_ia32cap_P[2];

#define AESNI_CAPABLE   (1<<(57-32))

		SHA1_Update(c,ptr,res);

}

#ifdef SHA1_Update

#undef SHA1_Update

#endif

#define SHA1_Update sha1_update

static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,

	sha_off = SHA_CBLOCK-key->md.num;

#endif

	key->payload_length = NO_PAYLOAD_LENGTH;

	if (len%AES_BLOCK_SIZE) return 0;

	if (ctx->encrypt) {

					&key->ks,ctx->iv,1);

		}

	} else {

		unsigned char mac[SHA_DIGEST_LENGTH];

		union { unsigned int  u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];

			unsigned char c[SHA_DIGEST_LENGTH]; } mac;

		/* decrypt HMAC|padding at once */

		aesni_cbc_encrypt(in,out,len,

				&key->ks,ctx->iv,0);

		if (plen) {	/* "TLS" mode of operation */

			/* figure out payload length */

			if (len<(size_t)(out[len-1]+1+SHA_DIGEST_LENGTH))

				return 0;

			len -= (out[len-1]+1+SHA_DIGEST_LENGTH);

			size_t inp_len, mask, j, i;

			unsigned int res, maxpad, pad, bitlen;

			int ret = 1;

			union {	unsigned int  u[SHA_LBLOCK];

				unsigned char c[SHA_CBLOCK]; }

				*data = (void *)key->md.data;

			if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3])

			    >= TLS1_1_VERSION) {

				len -= AES_BLOCK_SIZE;

			    >= TLS1_1_VERSION)

				iv = AES_BLOCK_SIZE;

			}

			key->aux.tls_aad[plen-2] = len>>8;

			key->aux.tls_aad[plen-1] = len;

			if (len<(iv+SHA_DIGEST_LENGTH+1))

				return 0;

			/* omit explicit iv */

			out += iv;

			len -= iv;

			/* figure out payload length */

			pad = out[len-1];

			maxpad = len-(SHA_DIGEST_LENGTH+1);

			maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);

			maxpad &= 255;

			inp_len = len - (SHA_DIGEST_LENGTH+pad+1);

			mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));

			inp_len &= mask;

			ret &= (int)mask;

			/* calculate HMAC and verify it */

			key->aux.tls_aad[plen-2] = inp_len>>8;

			key->aux.tls_aad[plen-1] = inp_len;

			/* calculate HMAC */

			key->md = key->head;

			SHA1_Update(&key->md,key->aux.tls_aad,plen);

			SHA1_Update(&key->md,out+iv,len);

			SHA1_Final(mac,&key->md);

#if 1

			len -= SHA_DIGEST_LENGTH;		/* amend mac */

			if (len>=(256+SHA_CBLOCK)) {

				j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK);

				j += SHA_CBLOCK-key->md.num;

				SHA1_Update(&key->md,out,j);

				out += j;

				len -= j;

				inp_len -= j;

			}

			/* but pretend as if we hashed padded payload */

			bitlen = key->md.Nl+(inp_len<<3);	/* at most 18 bits */

			mac.c[0] = 0;

			mac.c[1] = (unsigned char)(bitlen>>16);

			mac.c[2] = (unsigned char)(bitlen>>8);

			mac.c[3] = (unsigned char)bitlen;

			bitlen = mac.u[0];

			mac.u[0]=0;

			mac.u[1]=0;

			mac.u[2]=0;

			mac.u[3]=0;

			mac.u[4]=0;

			for (res=key->md.num, j=0;j<len;j++) {

				size_t c = out[j];

				mask = (j-inp_len)>>(sizeof(j)*8-8);

				c &= mask;

				c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8));

				data->c[res++]=(unsigned char)c;

				if (res!=SHA_CBLOCK) continue;

				mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));

				data->u[SHA_LBLOCK-1] |= bitlen&mask;

				sha1_block_data_order(&key->md,data,1);

				mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));

				mac.u[0] |= key->md.h0 & mask;

				mac.u[1] |= key->md.h1 & mask;

				mac.u[2] |= key->md.h2 & mask;

				mac.u[3] |= key->md.h3 & mask;

				mac.u[4] |= key->md.h4 & mask;

				res=0;

			}

			for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0;

			if (res>SHA_CBLOCK-8) {

				mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));

				data->u[SHA_LBLOCK-1] |= bitlen&mask;

				sha1_block_data_order(&key->md,data,1);

				mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));

				mac.u[0] |= key->md.h0 & mask;

				mac.u[1] |= key->md.h1 & mask;

				mac.u[2] |= key->md.h2 & mask;

				mac.u[3] |= key->md.h3 & mask;

				mac.u[4] |= key->md.h4 & mask;

				memset(data,0,SHA_CBLOCK);

				j+=64;

			}

			data->u[SHA_LBLOCK-1] = bitlen;

			sha1_block_data_order(&key->md,data,1);

			mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));

			mac.u[0] |= key->md.h0 & mask;

			mac.u[1] |= key->md.h1 & mask;

			mac.u[2] |= key->md.h2 & mask;

			mac.u[3] |= key->md.h3 & mask;

			mac.u[4] |= key->md.h4 & mask;

#ifdef BSWAP

			mac.u[0] = BSWAP(mac.u[0]);

			mac.u[1] = BSWAP(mac.u[1]);

			mac.u[2] = BSWAP(mac.u[2]);

			mac.u[3] = BSWAP(mac.u[3]);

			mac.u[4] = BSWAP(mac.u[4]);

#else

			for (i=0;i<5;i++) {

				res = mac.u[i];

				mac.c[4*i+0]=(unsigned char)(res>>24);

				mac.c[4*i+1]=(unsigned char)(res>>16);

				mac.c[4*i+2]=(unsigned char)(res>>8);

				mac.c[4*i+3]=(unsigned char)res;

			}

#endif

			len += SHA_DIGEST_LENGTH;

#else

			SHA1_Update(&key->md,out,inp_len);

			res = key->md.num;

			SHA1_Final(mac.c,&key->md);

			{

			unsigned int inp_blocks, pad_blocks;

			/* but pretend as if we hashed padded payload */

			inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));

			res += (unsigned int)(len-inp_len);

			pad_blocks = res / SHA_CBLOCK;

			res %= SHA_CBLOCK;

			pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));

			for (;inp_blocks<pad_blocks;inp_blocks++)

				sha1_block_data_order(&key->md,data,1);

			}

#endif

			key->md = key->tail;

			SHA1_Update(&key->md,mac,SHA_DIGEST_LENGTH);

			SHA1_Final(mac,&key->md);

			SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH);

			SHA1_Final(mac.c,&key->md);

			if (memcmp(out+iv+len,mac,SHA_DIGEST_LENGTH))

				return 0;

			/* verify HMAC */

			out += inp_len;

			len -= inp_len;

#if 1

			{

			unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH;

			size_t off = out-p;

			unsigned int c, cmask;

			maxpad += SHA_DIGEST_LENGTH;

			for (res=0,i=0,j=0;j<maxpad;j++) {

				c = p[j];

				cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);

				res |= (c^pad)&~cmask;	/* ... and padding */

				cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);

				res |= (c^mac.c[i])&cmask;

				i += 1&cmask;

			}

			maxpad -= SHA_DIGEST_LENGTH;

			res = 0-((0-res)>>(sizeof(res)*8-1));

			ret &= (int)~res;

			}

#else

			for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)

				res |= out[i]^mac.c[i];

			res = 0-((0-res)>>(sizeof(res)*8-1));

			ret &= (int)~res;

			/* verify padding */

			pad = (pad&~res) | (maxpad&res);

			out = out+len-1-pad;

			for (res=0,i=0;i<pad;i++)

				res |= out[i]^pad;

			res = (0-res)>>(sizeof(res)*8-1);

			ret &= (int)~res;

#endif

			return ret;

		} else {

			SHA1_Update(&key->md,out,len);

		}

	}

	key->payload_length = NO_PAYLOAD_LENGTH;

	return 1;

	}

	if (overhead > rec->length)

		return 0;

	/* We can always safely skip the explicit IV. We check at the beginning

	 * of this function that the record has at least enough space for the

	 * IV, MAC and padding length byte. (These can be checked in

	 * non-constant time because it's all public information.) So, if the

	 * padding was invalid, then we didn't change |rec->length| and this is

	 * safe. If the padding was valid then we know that we have at least

	 * overhead+padding_length bytes of space and so this is still safe

	 * because overhead accounts for the explicit IV. */

	if (has_explicit_iv)

		{

		rec->data += block_size;

		rec->input += block_size;

		rec->length -= block_size;

		}

	padding_length = rec->data[rec->length-1];

	/* NB: if compression is in operation the first packet may not be of

			}

		}

	if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)

		{

		/* padding is already verified */

		rec->length -= padding_length;

		return 1;

		}

	good = constant_time_ge(rec->length, overhead+padding_length);

	/* The padding consists of a length byte at the end of the record and

	 * then that many bytes of padding, all with the same value as the

	rec->length -= padding_length;

	rec->type |= padding_length<<8;	/* kludge: pass padding length */

	/* We can always safely skip the explicit IV. We check at the beginning

	 * of this function that the record has at least enough space for the

	 * IV, MAC and padding length byte. (These can be checked in

	 * non-constant time because it's all public information.) So, if the

	 * padding was invalid, then we didn't change |rec->length| and this is

	 * safe. If the padding was valid then we know that we have at least

	 * overhead+padding_length bytes of space and so this is still safe

	 * because overhead accounts for the explicit IV. */

	if (has_explicit_iv)

		{

		rec->data += block_size;

		rec->input += block_size;

		rec->length -= block_size;

		}

	return (int)((good & 1) | (~good & -1));

	}

	EVP_add_cipher(EVP_aes_256_cbc());

	EVP_add_cipher(EVP_aes_128_gcm());

	EVP_add_cipher(EVP_aes_256_gcm());

#if 0 /* Disabled because of timing side-channel leaks. */

#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)

	EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());

	EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());

#endif

#endif

#endif

#ifndef OPENSSL_NO_CAMELLIA