
35 	cc->vtable = &br_sslrec_in_cbc_vtable;  in in_cbc_init()
36 cc->seq = 0; in in_cbc_init()
37 bc_impl->init(&cc->bc.vtable, bc_key, bc_key_len); in in_cbc_init()
38 br_hmac_key_init(&cc->mac, dig_impl, mac_key, mac_key_len); in in_cbc_init()
39 cc->mac_len = mac_out_len; in in_cbc_init()
41 memset(cc->iv, 0, sizeof cc->iv); in in_cbc_init()
42 cc->explicit_IV = 1; in in_cbc_init()
44 memcpy(cc->iv, iv, bc_impl->block_size); in in_cbc_init()
45 cc->explicit_IV = 0; in in_cbc_init()
66 blen = cc->bc.vtable->block_size; in cbc_check_length()
67 min_len = (blen + cc->mac_len) & ~(blen - 1); in cbc_check_length()
68 max_len = (16384 + 256 + cc->mac_len) & ~(blen - 1); in cbc_check_length()
69 if (cc->explicit_IV) { in cbc_check_length()
77 * Rotate array buf[] of length 'len' to the left (towards low indices)
79 * constant-time. 'num' MUST be lower than 'len'. 'len' MUST be lower
102 * We represent all lengths on 32-bit integers, because: in cbc_decrypt()
103 * -- SSL record lengths always fit in 32 bits; in cbc_decrypt()
104 * -- our constant-time primitives operate on 32-bit integers. in cbc_decrypt()
115 blen = cc->bc.vtable->block_size; in cbc_decrypt()
124 cc->bc.vtable->run(&cc->bc.vtable, cc->iv, data, len); in cbc_decrypt()
125 if (cc->explicit_IV) { in cbc_decrypt()
127 len -= blen; in cbc_decrypt()
134 min_len = (cc->mac_len + 256 < len) ? len - 256 : cc->mac_len; in cbc_decrypt()
135 max_len = len - 1; in cbc_decrypt()
142 good = LE(pad_len, (uint32_t)(max_len - min_len)); in cbc_decrypt()
143 len = MUX(good, (uint32_t)(max_len - pad_len), min_len); in cbc_decrypt()
163 len_nomac = len_withmac - cc->mac_len; in cbc_decrypt()
164 min_len -= cc->mac_len; in cbc_decrypt()
166 memset(tmp1, 0, cc->mac_len); in cbc_decrypt()
172 if (++ v == cc->mac_len) { in cbc_decrypt()
176 max_len -= cc->mac_len; in cbc_decrypt()
179 * Rotate back the MAC value. The loop below does the constant-time in cbc_decrypt()
184 for (i = 5; i >= 0; i --) { in cbc_decrypt()
188 cond_rotate(rot_count >> i, tmp1, cc->mac_len, rc); in cbc_decrypt()
200 br_enc64be(tmp2, cc->seq ++); in cbc_decrypt()
204 br_hmac_init(&hc, &cc->mac, cc->mac_len); in cbc_decrypt()
211 for (u = 0; u < cc->mac_len; u ++) { in cbc_decrypt()
220 * Once this final test is done, the critical "constant-time" in cbc_decrypt()
252 * -- With TLS 1.1+, there is an explicit IV. Generation method uses
253 * HMAC, computed over the current sequence number, and the current MAC
259 * the record header and the plaintext, the HMAC-for-IV will not collide
262 * -- With TLS 1.0, for application data, we want to enforce a 1/n-1
263 * split, as a countermeasure against chosen-plaintext attacks. We thus
275 cc->vtable = &br_sslrec_out_cbc_vtable; in out_cbc_init()
276 cc->seq = 0; in out_cbc_init()
277 bc_impl->init(&cc->bc.vtable, bc_key, bc_key_len); in out_cbc_init()
278 br_hmac_key_init(&cc->mac, dig_impl, mac_key, mac_key_len); in out_cbc_init()
279 cc->mac_len = mac_out_len; in out_cbc_init()
281 memset(cc->iv, 0, sizeof cc->iv); in out_cbc_init()
282 cc->explicit_IV = 1; in out_cbc_init()
284 memcpy(cc->iv, iv, bc_impl->block_size); in out_cbc_init()
285 cc->explicit_IV = 0; in out_cbc_init()
295 blen = cc->bc.vtable->block_size; in cbc_max_plaintext()
296 if (cc->explicit_IV) { in cbc_max_plaintext()
299 *start += 4 + ((cc->mac_len + blen + 1) & ~(blen - 1)); in cbc_max_plaintext()
301 len = (*end - *start) & ~(blen - 1); in cbc_max_plaintext()
302 len -= 1 + cc->mac_len; in cbc_max_plaintext()
320 blen = cc->bc.vtable->block_size; in cbc_encrypt()
334 if (cc->explicit_IV) { in cbc_encrypt()
342 br_enc64be(tmp, cc->seq); in cbc_encrypt()
343 br_hmac_init(&hc, &cc->mac, blen); in cbc_encrypt()
345 br_hmac_out(&hc, buf - blen); in cbc_encrypt()
346 rbuf = buf - blen - 5; in cbc_encrypt()
364 rbuf = buf - 4 in cbc_encrypt()
365 - ((cc->mac_len + blen + 1) & ~(blen - 1)); in cbc_encrypt()
371 len --; in cbc_encrypt()
373 rbuf = buf - 5; in cbc_encrypt()
380 br_enc64be(tmp, cc->seq ++); in cbc_encrypt()
384 br_hmac_init(&hc, &cc->mac, cc->mac_len); in cbc_encrypt()
388 len += cc->mac_len; in cbc_encrypt()
393 plen = blen - (len & (blen - 1)); in cbc_encrypt()
394 memset(buf + len, (unsigned)plen - 1, plen); in cbc_encrypt()
402 if (cc->explicit_IV) { in cbc_encrypt()
403 buf -= blen; in cbc_encrypt()
412 cc->bc.vtable->run(&cc->bc.vtable, cc->iv, buf, len); in cbc_encrypt()
417 buf[-5] = record_type; in cbc_encrypt()
418 br_enc16be(buf - 4, version); in cbc_encrypt()
419 br_enc16be(buf - 2, len); in cbc_encrypt()
420 *data_len = (size_t)((buf + len) - rbuf); in cbc_encrypt()