It seems like we have an extra nest level here. csp_auth_key != NULL should be true IFF csp_auth_klen != 0, and vice versa? (During newsession.)

Nevermind, I guess we could be creating a keyed-hash session without any per-session key.

The implication is that hash functions with a Setkey operation cannot be HMACs? That's probably fine.

Why move opad initialization below instead of just doing it here? Avoid a copy?

this feels brittle, although it's not a regression in this diff

What portions of this file are direct from openssl and what portions are novel?

The implication is that hash functions with a Setkey operation cannot be HMACs? That's probably fine.

Correct.

Why move opad initialization below instead of just doing it here? Avoid a copy?

It overwrites the single ctx. Basically, we have a single auth ctx on the stack. We either copy it from a saved context when using session keys, or we generate the context on the fly when using per-op keys. Moving opad here would mean having to store two copies on the stack.

this feels brittle, although it's not a regression in this diff

There are static assertions in each of the auth hash files that the context is big enough. The alternative of trying to include the relevant headers is a bit messy.

From here down is new, the #includes are new, and the explicit #define is new, the rest is from OpenSSL.

Yeah, that's reasonable. Is uint32 aligned enough for all algorithms and architectures?

It's actually 32 byte alignment for AVX and is sufficient for everything currently.

Would it make sense to assert klen matches openssl's expectations?

I can add that.