/* ====================================================================
 * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */

/*
 * AES-NI AES-128/256-CBC + HMAC-SHA1 "stitched" EVP cipher.  One EVP_CIPHER
 * both encrypts (or decrypts) a TLS record and computes (or verifies) its
 * HMAC-SHA1; the MAC key and the 13-byte TLS record header (AAD) are handed
 * in through EVP_CIPHER_CTX_ctrl(), see aesni_cbc_hmac_sha1_ctrl().  The
 * decrypt side checks padding and MAC without data-dependent branches or
 * memory access patterns so that a forged record cannot be distinguished by
 * timing from a record with a bad MAC.
 */

#include <openssl/opensslconf.h>

#include <stdio.h>
#include <string.h>

#if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1)

# include <openssl/evp.h>
# include <openssl/objects.h>
# include <openssl/aes.h>
# include <openssl/sha.h>
# include "evp_locl.h"
# include "constant_time_locl.h" /* constant_time_ge(), used for the pad-length bound */

/* Older EVP headers lack the AEAD flag and ctrl numbers; define them locally. */
# ifndef EVP_CIPH_FLAG_AEAD_CIPHER
#  define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
#  define EVP_CTRL_AEAD_TLS1_AAD 0x16
#  define EVP_CTRL_AEAD_SET_MAC_KEY 0x17
# endif

# if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1)
#  define EVP_CIPH_FLAG_DEFAULT_ASN1 0
# endif

/*
 * Protocol version at or above which every record starts with an explicit
 * AES block of IV; the version bytes of the AAD are compared against this.
 */
# define TLS1_1_VERSION 0x0302

/* Per-context state living in EVP_CIPHER_CTX::cipher_data (see data()). */
typedef struct {
    AES_KEY ks;                 /* AES key schedule: encrypt or decrypt form, chosen at init */
    SHA_CTX head, tail, md;     /* head: SHA-1 state after K^ipad, tail: after K^opad
                                 * (both set by EVP_CTRL_AEAD_SET_MAC_KEY);
                                 * md: working state for the record in flight */
    size_t payload_length;      /* AAD length in decrypt case;
                                 * plaintext length from the AAD in encrypt case;
                                 * NO_PAYLOAD_LENGTH when no AAD ctrl was issued */
    union {
        unsigned int tls_ver;      /* encrypt: protocol version read from the AAD */
        unsigned char tls_aad[16]; /* 13 used */ /* decrypt: copy of the AAD */
    } aux;
} EVP_AES_HMAC_SHA1;

/* payload_length sentinel: no TLS AAD set, cipher runs in plain CBC+hash mode. */
# define NO_PAYLOAD_LENGTH ((size_t)-1)

# if defined(AES_ASM) && ( \
        defined(__x86_64) || defined(__x86_64__) || \
        defined(_M_AMD64) || defined(_M_X64) || \
        defined(__INTEL__) )

/* 32-bit byte swap; used to turn host-order SHA-1 words into big-endian bytes. */
#  if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
#   define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
#  endif

extern unsigned int OPENSSL_ia32cap_P[2];
/* Bit 57 of the ia32 capability vector, i.e. bit 25 of word [1]: AES-NI available. */
#  define AESNI_CAPABLE   (1<<(57-32))

/* Provided by the AES-NI assembly modules. */
int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
                          AES_KEY *key);
int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
                          AES_KEY *key);

void aesni_cbc_encrypt(const unsigned char *in,
                       unsigned char *out,
                       size_t length,
                       const AES_KEY *key, unsigned char *ivec, int enc);

/*
 * Stitched routine: CBC-encrypts `blocks` SHA_CBLOCK-sized chunks starting
 * at inp while feeding the same number of chunks starting at in0 into ctx
 * (the hash input is offset from the cipher input, see the cipher routine).
 */
void aesni_cbc_sha1_enc(const void *inp, void *out, size_t blocks,
                        const AES_KEY *key, unsigned char iv[16],
                        SHA_CTX *ctx, const void *in0);

/* Accessor for the per-context state allocated by EVP (ctx_size below). */
# define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)

/*
 * EVP init entry point: expands the AES key (encrypt or decrypt schedule,
 * according to enc) and resets the three SHA-1 states to the plain SHA-1
 * initial state, so the context works as CBC+SHA-1 even before a MAC key
 * is supplied.  `iv` is unused here; EVP keeps the IV in ctx->iv.
 * Returns 1 on success, 0 if the AES key expansion reported an error.
 */
static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
                                        const unsigned char *inkey,
                                        const unsigned char *iv, int enc)
{
    EVP_AES_HMAC_SHA1 *key = data(ctx);
    int ret;

    if (enc)
        ret = aesni_set_encrypt_key(inkey, ctx->key_len * 8, &key->ks);
    else
        ret = aesni_set_decrypt_key(inkey, ctx->key_len * 8, &key->ks);

    SHA1_Init(&key->head);      /* handy when benchmarking */
    key->tail = key->head;
    key->md = key->head;

    /* No AAD yet: the next do_cipher call runs in plain (non-TLS) mode. */
    key->payload_length = NO_PAYLOAD_LENGTH;

    return ret < 0 ?
0 : 1;
}

/*
 * STITCHED_CALL selects the interleaved AES-CBC + SHA-1 encrypt path
 * (aesni_cbc_sha1_enc).  With it undefined aes_off is a constant 0 and
 * hashing and encryption run as two separate passes over the record.
 */
# define STITCHED_CALL

# if !defined(STITCHED_CALL)
#  define aes_off 0
# endif

/* SHA-1 compression function: consumes `len` whole SHA_CBLOCK-byte blocks. */
void sha1_block_data_order(void *c, const void *p, size_t len);

/*
 * Replacement for SHA1_Update (aliased to it below): hashes `len` bytes of
 * data into c.  Whole blocks go straight to sha1_block_data_order and the
 * bit counters Nl/Nh are maintained here; only the partial-block head and
 * tail are passed to the library SHA1_Update (the calls in this function
 * precede the #define, so they are the real library routine).
 */
static void sha1_update(SHA_CTX *c, const void *data, size_t len)
{
    const unsigned char *ptr = data;
    size_t res;

    /* Top up a partially filled block left in the context, if any. */
    if ((res = c->num)) {
        res = SHA_CBLOCK - res;
        if (len < res)
            res = len;
        SHA1_Update(c, ptr, res);
        ptr += res;
        len -= res;
    }

    res = len % SHA_CBLOCK;     /* bytes left over after the whole blocks */
    len -= res;

    if (len) {
        sha1_block_data_order(c, ptr, len / SHA_CBLOCK);

        ptr += len;
        /* Add the bytes just compressed to the 64-bit bit count Nh:Nl. */
        c->Nh += len >> 29;
        c->Nl += len <<= 3;
        if (c->Nl < (unsigned int)len) /* carry out of Nl */
            c->Nh++;
    }

    if (res)
        SHA1_Update(c, ptr, res);
}

/* From here on every SHA1_Update() in this file resolves to sha1_update(). */
# ifdef SHA1_Update
#  undef SHA1_Update
# endif
# define SHA1_Update sha1_update

/*
 * EVP do_cipher entry point.
 *
 * Mode is chosen by whether EVP_CTRL_AEAD_TLS1_AAD was issued since the
 * previous call (key->payload_length != NO_PAYLOAD_LENGTH):
 *
 *  - plain mode: CBC-encrypt/decrypt `len` bytes and run the plaintext
 *    through key->md; no MAC is produced or checked, returns 1;
 *  - TLS mode, encrypt: `in` holds the plaintext record (preceded by one
 *    AES block of explicit IV for TLS >= 1.1); the HMAC-SHA1 over AAD and
 *    plaintext is appended, the record is padded to a block multiple and
 *    the whole thing is CBC-encrypted; returns 1;
 *  - TLS mode, decrypt: the record is decrypted, then padding and HMAC are
 *    verified in constant time; returns 1 if both verify, 0 otherwise.
 *
 * Returns 0 up front when len is not a multiple of AES_BLOCK_SIZE, when the
 * caller's len disagrees with the padded length implied by the AAD
 * (encrypt), or when the record cannot hold IV + MAC + pad byte (decrypt).
 * payload_length is consumed and reset here, so one AAD ctrl covers exactly
 * one do_cipher call.
 */
static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                      const unsigned char *in, size_t len)
{
    EVP_AES_HMAC_SHA1 *key = data(ctx);
    unsigned int l;
    size_t plen = key->payload_length, iv = 0, /* explicit IV in TLS 1.1 and
                                                * later */
        sha_off = 0;
# if defined(STITCHED_CALL)
    size_t aes_off = 0, blocks;

    /* Bytes needed to complete the SHA-1 block the AAD left half filled. */
    sha_off = SHA_CBLOCK - key->md.num;
# endif

    key->payload_length =
NO_PAYLOAD_LENGTH;

    if (len % AES_BLOCK_SIZE)
        return 0;

    if (ctx->encrypt) {
        if (plen == NO_PAYLOAD_LENGTH)
            plen = len;         /* plain mode: everything is payload */
        else if (len !=
                 ((plen + SHA_DIGEST_LENGTH +
                   AES_BLOCK_SIZE) & -AES_BLOCK_SIZE))
            return 0;           /* must match the growth promised by the AAD ctrl */
        else if (key->aux.tls_ver >= TLS1_1_VERSION)
            iv = AES_BLOCK_SIZE; /* first block is the explicit IV, not MACed */

# if defined(STITCHED_CALL)
        /*
         * Stitch only when at least one whole SHA block of payload remains
         * after the explicit IV and the partial-block fill-up.
         */
        if (plen > (sha_off + iv)
            && (blocks = (plen - (sha_off + iv)) / SHA_CBLOCK)) {
            SHA1_Update(&key->md, in + iv, sha_off);

            /* Encrypt from `in` (IV block included) while hashing from in+iv+sha_off. */
            aesni_cbc_sha1_enc(in, out, blocks, &key->ks,
                               ctx->iv, &key->md, in + iv + sha_off);
            blocks *= SHA_CBLOCK;
            aes_off += blocks;
            sha_off += blocks;
            /* The asm routine does not touch the bit counters; do it here. */
            key->md.Nh += blocks >> 29;
            key->md.Nl += blocks <<= 3;
            if (key->md.Nl < (unsigned int)blocks)
                key->md.Nh++;
        } else {
            sha_off = 0;
        }
# endif
        /* Hash whatever payload the stitched pass did not cover. */
        sha_off += iv;
        SHA1_Update(&key->md, in + sha_off, plen - sha_off);

        if (plen != len) {      /* "TLS" mode of operation */
            /* Bring the not-yet-encrypted plaintext into `out` so MAC and
             * padding can be appended and everything encrypted in place. */
            if (in != out)
                memcpy(out + aes_off, in + aes_off, plen - aes_off);

            /* calculate HMAC and append it to payload */
            SHA1_Final(out + plen, &key->md);
            key->md = key->tail;
            SHA1_Update(&key->md, out + plen, SHA_DIGEST_LENGTH);
            SHA1_Final(out + plen, &key->md);

            /* pad the payload|hmac */
            plen += SHA_DIGEST_LENGTH;
            /* TLS padding: every pad byte, including the last, holds pad length - 1. */
            for (l = len - plen - 1; plen < len; plen++)
                out[plen] = l;
            /* encrypt HMAC|padding at once */
            aesni_cbc_encrypt(out + aes_off, out + aes_off, len - aes_off,
                              &key->ks, ctx->iv, 1);
        } else {
            aesni_cbc_encrypt(in + aes_off, out + aes_off, len - aes_off,
                              &key->ks, ctx->iv, 1);
        }
    } else {
        union {
            unsigned int u[SHA_DIGEST_LENGTH / sizeof(unsigned int)];
            unsigned char c[32 + SHA_DIGEST_LENGTH];
        } mac, *pmac;

        /* arrange cache line alignment */
        /* c[] is 32 bytes larger than needed so a 32-aligned 20-byte window always fits. */
        pmac = (void *)(((size_t)mac.c + 31) & ((size_t)0 - 32));

        /* decrypt HMAC|padding at once */
        aesni_cbc_encrypt(in, out, len, &key->ks, ctx->iv, 0);

        if (plen) {             /* "TLS" mode of operation */
            size_t inp_len, mask, j, i;
            unsigned int res, maxpad, pad, bitlen;
            int ret = 1;        /* verification result: cleared, never set, below */
            union {
                unsigned int u[SHA_LBLOCK];
                unsigned char c[SHA_CBLOCK];
            } *data = (void *)key->md.data; /* the SHA_CTX's own pending block */

            /* Version bytes of the saved AAD decide whether an explicit IV leads. */
            if ((key->aux.tls_aad[plen - 4] << 8 | key->aux.tls_aad[plen - 3])
                >= TLS1_1_VERSION)
                iv = AES_BLOCK_SIZE;

            /* Shortest possible record: IV, MAC and one pad-length byte. */
            if (len < (iv + SHA_DIGEST_LENGTH + 1))
                return 0;

            /* omit explicit iv */
            out += iv;
            len -= iv;

            /* figure out payload length */
            pad = out[len - 1];
            /* maxpad = min(len - 21, 255), computed without a branch. */
            maxpad = len - (SHA_DIGEST_LENGTH + 1);
            maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
            maxpad &= 255;

            /* Reject pad > maxpad; the work below still runs so timing is unchanged. */
            ret &= constant_time_ge(maxpad, pad);

            inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
            /*
             * NOTE(review): inp_len - len equals -(SHA_DIGEST_LENGTH + pad + 1)
             * for every pad value, so this mask appears to be all-ones
             * unconditionally; the constant_time_ge() above is the effective
             * bound on pad -- confirm before relying on this mask.
             */
            mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
            inp_len &= mask;
            ret &= (int)mask;

            /* The MAC covers the header with the true plaintext length. */
            key->aux.tls_aad[plen - 2] = inp_len >> 8;
            key->aux.tls_aad[plen - 1] = inp_len;

            /* calculate HMAC */
            key->md = key->head;
            SHA1_Update(&key->md, key->aux.tls_aad, plen);

# if 1
            len -= SHA_DIGEST_LENGTH; /* amend mac */
            /*
             * pad <= 255 and the MAC is fixed size, so everything more than
             * 256 + SHA_CBLOCK bytes before the end is certainly payload and
             * can be hashed the ordinary way; only the tail needs masking.
             */
            if (len >= (256 + SHA_CBLOCK)) {
                j = (len - (256 + SHA_CBLOCK)) & (0 - SHA_CBLOCK);
                j += SHA_CBLOCK - key->md.num;
                SHA1_Update(&key->md, out, j);
                out += j;
                len -= j;
                inp_len -= j;
            }

            /* but pretend as if we hashed padded payload */
            bitlen = key->md.Nl + (inp_len << 3); /* at most 18 bits */
# ifdef BSWAP
            bitlen = BSWAP(bitlen);
# else
            mac.c[0] = 0;
            mac.c[1] = (unsigned char)(bitlen >> 16);
            mac.c[2] = (unsigned char)(bitlen >> 8);
            mac.c[3] = (unsigned char)bitlen;
            bitlen = mac.u[0];
# endif

            /* Inner digest is OR-accumulated here from the one final block. */
            pmac->u[0] = 0;
            pmac->u[1] = 0;
            pmac->u[2] = 0;
            pmac->u[3] = 0;
            pmac->u[4] = 0;

            /*
             * Walk the whole tail regardless of where the payload ends:
             * bytes at index < inp_len pass through, byte inp_len becomes
             * the 0x80 SHA-1 terminator, later bytes become zero.
             */
            for (res = key->md.num, j = 0; j < len; j++) {
                size_t c = out[j];
                mask = (j - inp_len) >> (sizeof(j) * 8 - 8);
                c &= mask;
                c |= 0x80 & ~mask & ~((inp_len - j) >> (sizeof(j) * 8 - 8));
                data->c[res++] = (unsigned char)c;

                if (res != SHA_CBLOCK)
                    continue;

                /* j is not incremented yet */
                /* Once 8 zero bytes follow the terminator, this block carries the length. */
                mask = 0 - ((inp_len + 7 - j) >> (sizeof(j) * 8 - 1));
                data->u[SHA_LBLOCK - 1] |= bitlen & mask;
                sha1_block_data_order(&key->md, data, 1);
                /* Capture the state only from the block that received the length. */
                mask &= 0
                    - ((j - inp_len - 72) >> (sizeof(j) * 8 - 1));
                pmac->u[0] |= key->md.h0 & mask;
                pmac->u[1] |= key->md.h1 & mask;
                pmac->u[2] |= key->md.h2 & mask;
                pmac->u[3] |= key->md.h3 & mask;
                pmac->u[4] |= key->md.h4 & mask;
                res = 0;
            }

            /* Zero-fill the pending block; j keeps counting virtual positions. */
            for (i = res; i < SHA_CBLOCK; i++, j++)
                data->c[i] = 0;

            /* No room for the 8-byte length: flush this block, continue in a fresh one. */
            if (res > SHA_CBLOCK - 8) {
                mask = 0 - ((inp_len + 8 - j) >> (sizeof(j) * 8 - 1));
                data->u[SHA_LBLOCK - 1] |= bitlen & mask;
                sha1_block_data_order(&key->md, data, 1);
                mask &= 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1));
                pmac->u[0] |= key->md.h0 & mask;
                pmac->u[1] |= key->md.h1 & mask;
                pmac->u[2] |= key->md.h2 & mask;
                pmac->u[3] |= key->md.h3 & mask;
                pmac->u[4] |= key->md.h4 & mask;

                memset(data, 0, SHA_CBLOCK);
                j += 64;
            }
            /* Last block always carries the length; accumulated only if it is the real final one. */
            data->u[SHA_LBLOCK - 1] = bitlen;
            sha1_block_data_order(&key->md, data, 1);
            mask = 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1));
            pmac->u[0] |= key->md.h0 & mask;
            pmac->u[1] |= key->md.h1 & mask;
            pmac->u[2] |= key->md.h2 & mask;
            pmac->u[3] |= key->md.h3 & mask;
            pmac->u[4] |= key->md.h4 & mask;

            /* Serialise the host-order words as the big-endian SHA-1 digest. */
# ifdef BSWAP
            pmac->u[0] = BSWAP(pmac->u[0]);
            pmac->u[1] = BSWAP(pmac->u[1]);
            pmac->u[2] = BSWAP(pmac->u[2]);
            pmac->u[3] = BSWAP(pmac->u[3]);
            pmac->u[4] = BSWAP(pmac->u[4]);
# else
            for (i = 0; i < 5; i++) {
                res = pmac->u[i];
                pmac->c[4 * i + 0] = (unsigned char)(res >> 24);
                pmac->c[4 * i + 1] = (unsigned char)(res >>
                                                     16);
                pmac->c[4 * i + 2] = (unsigned char)(res >> 8);
                pmac->c[4 * i + 3] = (unsigned char)res;
            }
# endif
            len += SHA_DIGEST_LENGTH;
# else
            /* Not compiled (#if 1 above): reference variant whose hashed
             * length depends directly on the secret pad value. */
            SHA1_Update(&key->md, out, inp_len);
            res = key->md.num;
            SHA1_Final(pmac->c, &key->md);

            {
                unsigned int inp_blocks, pad_blocks;

                /* but pretend as if we hashed padded payload */
                inp_blocks =
                    1 + ((SHA_CBLOCK - 9 - res) >> (sizeof(res) * 8 - 1));
                res += (unsigned int)(len - inp_len);
                pad_blocks = res / SHA_CBLOCK;
                res %= SHA_CBLOCK;
                pad_blocks +=
                    1 + ((SHA_CBLOCK - 9 - res) >> (sizeof(res) * 8 - 1));
                for (; inp_blocks < pad_blocks; inp_blocks++)
                    sha1_block_data_order(&key->md, data, 1);
            }
# endif
            /* Outer HMAC pass: pmac->c becomes the expected 20-byte tag. */
            key->md = key->tail;
            SHA1_Update(&key->md, pmac->c, SHA_DIGEST_LENGTH);
            SHA1_Final(pmac->c, &key->md);

            /* verify HMAC */
            out += inp_len;     /* start of the received MAC if pad is honest */
            len -= inp_len;     /* now MAC + pad bytes + pad-length byte */
# if 1
            {
                /*
                 * Scan a window of maxpad + SHA_DIGEST_LENGTH bytes that
                 * starts where the MAC would begin for the largest possible
                 * pad, so the number of bytes touched is independent of pad.
                 * off is the distance from the window start to the real MAC.
                 */
                unsigned char *p = out + len - 1 - maxpad - SHA_DIGEST_LENGTH;
                size_t off = out - p;
                unsigned int c, cmask;

                maxpad += SHA_DIGEST_LENGTH;
                for (res = 0, i = 0, j = 0; j < maxpad; j++) {
                    c = p[j];
                    /* Sign-bit masks below rely on arithmetic right shift of a negative int. */
                    cmask =
                        ((int)(j - off - SHA_DIGEST_LENGTH)) >> (sizeof(int) *
                                                                  8 - 1);
                    /* Bytes after the MAC must all equal the pad value. */
                    res |= (c ^ pad) & ~cmask; /* ...
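and padding */
                    /* Inside the MAC (off <= j < off + 20): compare with the computed tag. */
                    cmask &= ((int)(off - 1 - j)) >> (sizeof(int) * 8 - 1);
                    res |= (c ^ pmac->c[i]) & cmask;
                    i += 1 & cmask;     /* advance through pmac only while inside the MAC */
                }
                maxpad -= SHA_DIGEST_LENGTH;

                /* Any differing bit -> res becomes all-ones -> ret cleared. */
                res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1));
                ret &= (int)~res;
            }
# else
            /* Not compiled (#if 1 above): reference variant whose padding
             * loop bound depends directly on the secret pad value. */
            for (res = 0, i = 0; i < SHA_DIGEST_LENGTH; i++)
                res |= out[i] ^ pmac->c[i];
            res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1));
            ret &= (int)~res;

            /* verify padding */
            pad = (pad & ~res) | (maxpad & res);
            out = out + len - 1 - pad;
            for (res = 0, i = 0; i < pad; i++)
                res |= out[i] ^ pad;

            res = (0 - res) >> (sizeof(res) * 8 - 1);
            ret &= (int)~res;
# endif
            return ret;         /* 1 only if pad bound, padding and MAC all verified */
        } else {
            /* Plain mode: hash the decrypted data, nothing to verify. */
            SHA1_Update(&key->md, out, len);
        }
    }

    return 1;
}

/*
 * EVP ctrl entry point.
 *
 *  EVP_CTRL_AEAD_SET_MAC_KEY: ptr/arg are the HMAC key and its length.
 *      Keys longer than one SHA-1 block (64 bytes) are hashed down first,
 *      shorter ones are zero-padded; key->head and key->tail are left as
 *      the SHA-1 states after absorbing K^ipad and K^opad respectively.
 *      Returns 1; -1 if arg is negative.
 *
 *  EVP_CTRL_AEAD_TLS1_AAD: ptr is the 13-byte TLS record header, arg must
 *      be EVP_AEAD_TLS1_AAD_LEN (else -1).  Encrypt side: records the
 *      plaintext length and version, strips the explicit IV from the
 *      length field for TLS >= 1.1, starts the inner hash with the header,
 *      and returns how many bytes the record will grow by (MAC + padding);
 *      returns 0 if the length field is smaller than the explicit IV.
 *      Decrypt side: saves the header for the cipher routine and returns
 *      SHA_DIGEST_LENGTH.
 *
 * Any other type returns -1.
 */
static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
                                    void *ptr)
{
    EVP_AES_HMAC_SHA1 *key = data(ctx);

    switch (type) {
    case EVP_CTRL_AEAD_SET_MAC_KEY:
        {
            unsigned int i;
            unsigned char hmac_key[64];

            /* A negative length would reach memcpy()/SHA1_Update() as a huge size. */
            if (arg < 0)
                return -1;

            memset(hmac_key, 0, sizeof(hmac_key));

            /* HMAC key preprocessing: hash keys longer than the block size. */
            if (arg > (int)sizeof(hmac_key)) {
                SHA1_Init(&key->head);
                SHA1_Update(&key->head, ptr, arg);
                SHA1_Final(hmac_key, &key->head);
            } else {
                memcpy(hmac_key, ptr, arg);
            }

            for (i = 0; i < sizeof(hmac_key); i++)
                hmac_key[i] ^= 0x36; /* ipad */
            SHA1_Init(&key->head);
            SHA1_Update(&key->head, hmac_key, sizeof(hmac_key));

            /* XOR with 0x36 ^ 0x5c turns K^ipad back into K^opad in one pass. */
            for (i = 0; i < sizeof(hmac_key); i++)
                hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */
            SHA1_Init(&key->tail);
            SHA1_Update(&key->tail, hmac_key, sizeof(hmac_key));

            /* Key material leaves no trace on the stack. */
            OPENSSL_cleanse(hmac_key, sizeof(hmac_key));

            return 1;
        }
    case EVP_CTRL_AEAD_TLS1_AAD:
        {
            unsigned char *p = ptr;
            unsigned int len;

            if (arg != EVP_AEAD_TLS1_AAD_LEN)
                return -1;

            /* Last two header bytes: record length. */
            len = p[arg - 2] << 8 | p[arg - 1];

            if (ctx->encrypt) {
                key->payload_length = len;
                /* Bytes [arg-4], [arg-3]: protocol version. */
                if ((key->aux.tls_ver =
                     p[arg - 4] << 8 | p[arg - 3]) >= TLS1_1_VERSION) {
                    /*
                     * TLS >= 1.1: the leading AES block is the explicit IV
                     * and is not part of the MACed length.  A length below
                     * one block is malformed and would otherwise wrap here.
                     */
                    if (len < AES_BLOCK_SIZE)
                        return 0;
                    len -= AES_BLOCK_SIZE;
                    p[arg - 2] = len >> 8;
                    p[arg - 1] = len;
                }
                /* Inner hash starts from K^ipad and absorbs the header now. */
                key->md = key->head;
                SHA1_Update(&key->md, p, arg);

                /* Growth: MAC plus padding up to the next block boundary (>= 1 pad byte). */
                return (int)(((len + SHA_DIGEST_LENGTH +
                               AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)
                             - len);
            } else {
                memcpy(key->aux.tls_aad, ptr, arg);
                key->payload_length = arg;

                return SHA_DIGEST_LENGTH;
            }
        }
    default:
        return -1;
    }
}

/* EVP_CIPHER descriptor for AES-128-CBC-HMAC-SHA1 (positional initializer). */
static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = {
# ifdef NID_aes_128_cbc_hmac_sha1
    NID_aes_128_cbc_hmac_sha1,
# else
    NID_undef,
# endif
    16, 16, 16,                 /* block_size, key_len, iv_len */
    EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
        EVP_CIPH_FLAG_AEAD_CIPHER,
    aesni_cbc_hmac_sha1_init_key,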
552280304Sjkim aesni_cbc_hmac_sha1_cipher, 553280304Sjkim NULL, 554280304Sjkim sizeof(EVP_AES_HMAC_SHA1), 555280304Sjkim EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv, 556280304Sjkim EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv, 557280304Sjkim aesni_cbc_hmac_sha1_ctrl, 558280304Sjkim NULL 559280304Sjkim}; 560238384Sjkim 561280304Sjkimstatic EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = { 562280304Sjkim# ifdef NID_aes_256_cbc_hmac_sha1 563280304Sjkim NID_aes_256_cbc_hmac_sha1, 564280304Sjkim# else 565280304Sjkim NID_undef, 566280304Sjkim# endif 567280304Sjkim 16, 32, 16, 568280304Sjkim EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | 569280304Sjkim EVP_CIPH_FLAG_AEAD_CIPHER, 570280304Sjkim aesni_cbc_hmac_sha1_init_key, 571280304Sjkim aesni_cbc_hmac_sha1_cipher, 572280304Sjkim NULL, 573280304Sjkim sizeof(EVP_AES_HMAC_SHA1), 574280304Sjkim EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv, 575280304Sjkim EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv, 576280304Sjkim aesni_cbc_hmac_sha1_ctrl, 577280304Sjkim NULL 578280304Sjkim}; 579238384Sjkim 580238384Sjkimconst EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void) 581280304Sjkim{ 582280304Sjkim return (OPENSSL_ia32cap_P[1] & AESNI_CAPABLE ? 583280304Sjkim &aesni_128_cbc_hmac_sha1_cipher : NULL); 584280304Sjkim} 585238384Sjkim 586238384Sjkimconst EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void) 587280304Sjkim{ 588280304Sjkim return (OPENSSL_ia32cap_P[1] & AESNI_CAPABLE ? 589280304Sjkim &aesni_256_cbc_hmac_sha1_cipher : NULL); 590280304Sjkim} 591280304Sjkim# else 592238384Sjkimconst EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void) 593280304Sjkim{ 594280304Sjkim return NULL; 595280304Sjkim} 596280304Sjkim 597238384Sjkimconst EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void) 598280304Sjkim{ 599280304Sjkim return NULL; 600280304Sjkim} 601280304Sjkim# endif 602238384Sjkim#endif 603