1/* 2 * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10/* 11 * AES low level APIs are deprecated for public use, but still ok for internal 12 * use where we're using them to implement the higher level EVP interface, as is 13 * the case here. 14 */ 15#include "internal/deprecated.h" 16 17#include <stdio.h> 18#include <string.h> 19#include <openssl/opensslconf.h> 20#include <openssl/evp.h> 21#include <openssl/objects.h> 22#include <openssl/aes.h> 23#include <openssl/sha.h> 24#include <openssl/rand.h> 25#include "internal/cryptlib.h" 26#include "crypto/modes.h" 27#include "crypto/evp.h" 28#include "internal/constant_time.h" 29#include "evp_local.h" 30 31typedef struct { 32 AES_KEY ks; 33 SHA_CTX head, tail, md; 34 size_t payload_length; /* AAD length in decrypt case */ 35 union { 36 unsigned int tls_ver; 37 unsigned char tls_aad[16]; /* 13 used */ 38 } aux; 39} EVP_AES_HMAC_SHA1; 40 41#define NO_PAYLOAD_LENGTH ((size_t)-1) 42 43#if defined(AES_ASM) && ( \ 44 defined(__x86_64) || defined(__x86_64__) || \ 45 defined(_M_AMD64) || defined(_M_X64) ) 46 47# define AESNI_CAPABLE (1<<(57-32)) 48 49int aesni_set_encrypt_key(const unsigned char *userKey, int bits, 50 AES_KEY *key); 51int aesni_set_decrypt_key(const unsigned char *userKey, int bits, 52 AES_KEY *key); 53 54void aesni_cbc_encrypt(const unsigned char *in, 55 unsigned char *out, 56 size_t length, 57 const AES_KEY *key, unsigned char *ivec, int enc); 58 59void aesni_cbc_sha1_enc(const void *inp, void *out, size_t blocks, 60 const AES_KEY *key, unsigned char iv[16], 61 SHA_CTX *ctx, const void *in0); 62 63void aesni256_cbc_sha1_dec(const void *inp, void *out, size_t blocks, 64 const AES_KEY *key, unsigned char iv[16], 65 SHA_CTX *ctx, const void *in0); 66 67# define data(ctx) ((EVP_AES_HMAC_SHA1 *)EVP_CIPHER_CTX_get_cipher_data(ctx)) 68 69static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, 70 const unsigned char *inkey, 71 const unsigned char *iv, int enc) 72{ 73 EVP_AES_HMAC_SHA1 *key = data(ctx); 74 int ret; 75 76 if (enc) 77 ret = aesni_set_encrypt_key(inkey, 78 EVP_CIPHER_CTX_get_key_length(ctx) * 8, 79 &key->ks); 80 else 81 ret = aesni_set_decrypt_key(inkey, 82 EVP_CIPHER_CTX_get_key_length(ctx) * 8, 83 &key->ks); 84 85 SHA1_Init(&key->head); /* handy when benchmarking */ 86 key->tail = key->head; 87 key->md = key->head; 88 89 key->payload_length = NO_PAYLOAD_LENGTH; 90 91 return ret < 0 ? 0 : 1; 92} 93 94# define STITCHED_CALL 95# undef STITCHED_DECRYPT_CALL 96 97# if !defined(STITCHED_CALL) 98# define aes_off 0 99# endif 100 101void sha1_block_data_order(void *c, const void *p, size_t len); 102 103static void sha1_update(SHA_CTX *c, const void *data, size_t len) 104{ 105 const unsigned char *ptr = data; 106 size_t res; 107 108 if ((res = c->num)) { 109 res = SHA_CBLOCK - res; 110 if (len < res) 111 res = len; 112 SHA1_Update(c, ptr, res); 113 ptr += res; 114 len -= res; 115 } 116 117 res = len % SHA_CBLOCK; 118 len -= res; 119 120 if (len) { 121 sha1_block_data_order(c, ptr, len / SHA_CBLOCK); 122 123 ptr += len; 124 c->Nh += len >> 29; 125 c->Nl += len <<= 3; 126 if (c->Nl < (unsigned int)len) 127 c->Nh++; 128 } 129 130 if (res) 131 SHA1_Update(c, ptr, res); 132} 133 134# ifdef SHA1_Update 135# undef SHA1_Update 136# endif 137# define SHA1_Update sha1_update 138 139# if !defined(OPENSSL_NO_MULTIBLOCK) 140 141typedef struct { 142 unsigned int A[8], B[8], C[8], D[8], E[8]; 143} SHA1_MB_CTX; 144typedef struct { 145 const unsigned char *ptr; 146 int blocks; 147} HASH_DESC; 148 149void sha1_multi_block(SHA1_MB_CTX *, const HASH_DESC *, int); 150 151typedef struct { 152 const unsigned char *inp; 153 unsigned char *out; 154 int blocks; 155 u64 iv[2]; 156} CIPH_DESC; 157 158void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int); 159 160static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, 161 unsigned char *out, 162 const unsigned char *inp, 163 size_t inp_len, int n4x) 164{ /* n4x is 1 or 2 */ 165 HASH_DESC hash_d[8], edges[8]; 166 CIPH_DESC ciph_d[8]; 167 unsigned char storage[sizeof(SHA1_MB_CTX) + 32]; 168 union { 169 u64 q[16]; 170 u32 d[32]; 171 u8 c[128]; 172 } blocks[8]; 173 SHA1_MB_CTX *ctx; 174 unsigned int frag, last, packlen, i, x4 = 4 * n4x, minblocks, processed = 175 0; 176 size_t ret = 0; 177 u8 *IVs; 178# if defined(BSWAP8) 179 u64 seqnum; 180# endif 181 182 /* ask for IVs in bulk */ 183 if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0) 184 return 0; 185 186 ctx = (SHA1_MB_CTX *) (storage + 32 - ((size_t)storage % 32)); /* align */ 187 188 frag = (unsigned int)inp_len >> (1 + n4x); 189 last = (unsigned int)inp_len + frag - (frag << (1 + n4x)); 190 if (last > frag && ((last + 13 + 9) % 64) < (x4 - 1)) { 191 frag++; 192 last -= x4 - 1; 193 } 194 195 packlen = 5 + 16 + ((frag + 20 + 16) & -16); 196 197 /* populate descriptors with pointers and IVs */ 198 hash_d[0].ptr = inp; 199 ciph_d[0].inp = inp; 200 /* 5+16 is place for header and explicit IV */ 201 ciph_d[0].out = out + 5 + 16; 202 memcpy(ciph_d[0].out - 16, IVs, 16); 203 memcpy(ciph_d[0].iv, IVs, 16); 204 IVs += 16; 205 206 for (i = 1; i < x4; i++) { 207 ciph_d[i].inp = hash_d[i].ptr = hash_d[i - 1].ptr + frag; 208 ciph_d[i].out = ciph_d[i - 1].out + packlen; 209 memcpy(ciph_d[i].out - 16, IVs, 16); 210 memcpy(ciph_d[i].iv, IVs, 16); 211 IVs += 16; 212 } 213 214# if defined(BSWAP8) 215 memcpy(blocks[0].c, key->md.data, 8); 216 seqnum = BSWAP8(blocks[0].q[0]); 217# endif 218 for (i = 0; i < x4; i++) { 219 unsigned int len = (i == (x4 - 1) ? last : frag); 220# if !defined(BSWAP8) 221 unsigned int carry, j; 222# endif 223 224 ctx->A[i] = key->md.h0; 225 ctx->B[i] = key->md.h1; 226 ctx->C[i] = key->md.h2; 227 ctx->D[i] = key->md.h3; 228 ctx->E[i] = key->md.h4; 229 230 /* fix seqnum */ 231# if defined(BSWAP8) 232 blocks[i].q[0] = BSWAP8(seqnum + i); 233# else 234 for (carry = i, j = 8; j--;) { 235 blocks[i].c[j] = ((u8 *)key->md.data)[j] + carry; 236 carry = (blocks[i].c[j] - carry) >> (sizeof(carry) * 8 - 1); 237 } 238# endif 239 blocks[i].c[8] = ((u8 *)key->md.data)[8]; 240 blocks[i].c[9] = ((u8 *)key->md.data)[9]; 241 blocks[i].c[10] = ((u8 *)key->md.data)[10]; 242 /* fix length */ 243 blocks[i].c[11] = (u8)(len >> 8); 244 blocks[i].c[12] = (u8)(len); 245 246 memcpy(blocks[i].c + 13, hash_d[i].ptr, 64 - 13); 247 hash_d[i].ptr += 64 - 13; 248 hash_d[i].blocks = (len - (64 - 13)) / 64; 249 250 edges[i].ptr = blocks[i].c; 251 edges[i].blocks = 1; 252 } 253 254 /* hash 13-byte headers and first 64-13 bytes of inputs */ 255 sha1_multi_block(ctx, edges, n4x); 256 /* hash bulk inputs */ 257# define MAXCHUNKSIZE 2048 258# if MAXCHUNKSIZE%64 259# error "MAXCHUNKSIZE is not divisible by 64" 260# elif MAXCHUNKSIZE 261 /* 262 * goal is to minimize pressure on L1 cache by moving in shorter steps, 263 * so that hashed data is still in the cache by the time we encrypt it 264 */ 265 minblocks = ((frag <= last ? frag : last) - (64 - 13)) / 64; 266 if (minblocks > MAXCHUNKSIZE / 64) { 267 for (i = 0; i < x4; i++) { 268 edges[i].ptr = hash_d[i].ptr; 269 edges[i].blocks = MAXCHUNKSIZE / 64; 270 ciph_d[i].blocks = MAXCHUNKSIZE / 16; 271 } 272 do { 273 sha1_multi_block(ctx, edges, n4x); 274 aesni_multi_cbc_encrypt(ciph_d, &key->ks, n4x); 275 276 for (i = 0; i < x4; i++) { 277 edges[i].ptr = hash_d[i].ptr += MAXCHUNKSIZE; 278 hash_d[i].blocks -= MAXCHUNKSIZE / 64; 279 edges[i].blocks = MAXCHUNKSIZE / 64; 280 ciph_d[i].inp += MAXCHUNKSIZE; 281 ciph_d[i].out += MAXCHUNKSIZE; 282 ciph_d[i].blocks = MAXCHUNKSIZE / 16; 283 memcpy(ciph_d[i].iv, ciph_d[i].out - 16, 16); 284 } 285 processed += MAXCHUNKSIZE; 286 minblocks -= MAXCHUNKSIZE / 64; 287 } while (minblocks > MAXCHUNKSIZE / 64); 288 } 289# endif 290# undef MAXCHUNKSIZE 291 sha1_multi_block(ctx, hash_d, n4x); 292 293 memset(blocks, 0, sizeof(blocks)); 294 for (i = 0; i < x4; i++) { 295 unsigned int len = (i == (x4 - 1) ? last : frag), 296 off = hash_d[i].blocks * 64; 297 const unsigned char *ptr = hash_d[i].ptr + off; 298 299 off = (len - processed) - (64 - 13) - off; /* remainder actually */ 300 memcpy(blocks[i].c, ptr, off); 301 blocks[i].c[off] = 0x80; 302 len += 64 + 13; /* 64 is HMAC header */ 303 len *= 8; /* convert to bits */ 304 if (off < (64 - 8)) { 305# ifdef BSWAP4 306 blocks[i].d[15] = BSWAP4(len); 307# else 308 PUTU32(blocks[i].c + 60, len); 309# endif 310 edges[i].blocks = 1; 311 } else { 312# ifdef BSWAP4 313 blocks[i].d[31] = BSWAP4(len); 314# else 315 PUTU32(blocks[i].c + 124, len); 316# endif 317 edges[i].blocks = 2; 318 } 319 edges[i].ptr = blocks[i].c; 320 } 321 322 /* hash input tails and finalize */ 323 sha1_multi_block(ctx, edges, n4x); 324 325 memset(blocks, 0, sizeof(blocks)); 326 for (i = 0; i < x4; i++) { 327# ifdef BSWAP4 328 blocks[i].d[0] = BSWAP4(ctx->A[i]); 329 ctx->A[i] = key->tail.h0; 330 blocks[i].d[1] = BSWAP4(ctx->B[i]); 331 ctx->B[i] = key->tail.h1; 332 blocks[i].d[2] = BSWAP4(ctx->C[i]); 333 ctx->C[i] = key->tail.h2; 334 blocks[i].d[3] = BSWAP4(ctx->D[i]); 335 ctx->D[i] = key->tail.h3; 336 blocks[i].d[4] = BSWAP4(ctx->E[i]); 337 ctx->E[i] = key->tail.h4; 338 blocks[i].c[20] = 0x80; 339 blocks[i].d[15] = BSWAP4((64 + 20) * 8); 340# else 341 PUTU32(blocks[i].c + 0, ctx->A[i]); 342 ctx->A[i] = key->tail.h0; 343 PUTU32(blocks[i].c + 4, ctx->B[i]); 344 ctx->B[i] = key->tail.h1; 345 PUTU32(blocks[i].c + 8, ctx->C[i]); 346 ctx->C[i] = key->tail.h2; 347 PUTU32(blocks[i].c + 12, ctx->D[i]); 348 ctx->D[i] = key->tail.h3; 349 PUTU32(blocks[i].c + 16, ctx->E[i]); 350 ctx->E[i] = key->tail.h4; 351 blocks[i].c[20] = 0x80; 352 PUTU32(blocks[i].c + 60, (64 + 20) * 8); 353# endif 354 edges[i].ptr = blocks[i].c; 355 edges[i].blocks = 1; 356 } 357 358 /* finalize MACs */ 359 sha1_multi_block(ctx, edges, n4x); 360 361 for (i = 0; i < x4; i++) { 362 unsigned int len = (i == (x4 - 1) ? last : frag), pad, j; 363 unsigned char *out0 = out; 364 365 memcpy(ciph_d[i].out, ciph_d[i].inp, len - processed); 366 ciph_d[i].inp = ciph_d[i].out; 367 368 out += 5 + 16 + len; 369 370 /* write MAC */ 371 PUTU32(out + 0, ctx->A[i]); 372 PUTU32(out + 4, ctx->B[i]); 373 PUTU32(out + 8, ctx->C[i]); 374 PUTU32(out + 12, ctx->D[i]); 375 PUTU32(out + 16, ctx->E[i]); 376 out += 20; 377 len += 20; 378 379 /* pad */ 380 pad = 15 - len % 16; 381 for (j = 0; j <= pad; j++) 382 *(out++) = pad; 383 len += pad + 1; 384 385 ciph_d[i].blocks = (len - processed) / 16; 386 len += 16; /* account for explicit iv */ 387 388 /* arrange header */ 389 out0[0] = ((u8 *)key->md.data)[8]; 390 out0[1] = ((u8 *)key->md.data)[9]; 391 out0[2] = ((u8 *)key->md.data)[10]; 392 out0[3] = (u8)(len >> 8); 393 out0[4] = (u8)(len); 394 395 ret += len + 5; 396 inp += frag; 397 } 398 399 aesni_multi_cbc_encrypt(ciph_d, &key->ks, n4x); 400 401 OPENSSL_cleanse(blocks, sizeof(blocks)); 402 OPENSSL_cleanse(ctx, sizeof(*ctx)); 403 404 return ret; 405} 406# endif 407 408static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 409 const unsigned char *in, size_t len) 410{ 411 EVP_AES_HMAC_SHA1 *key = data(ctx); 412 unsigned int l; 413 size_t plen = key->payload_length, iv = 0, /* explicit IV in TLS 1.1 and 414 * later */ 415 sha_off = 0; 416# if defined(STITCHED_CALL) 417 size_t aes_off = 0, blocks; 418 419 sha_off = SHA_CBLOCK - key->md.num; 420# endif 421 422 key->payload_length = NO_PAYLOAD_LENGTH; 423 424 if (len % AES_BLOCK_SIZE) 425 return 0; 426 427 if (EVP_CIPHER_CTX_is_encrypting(ctx)) { 428 if (plen == NO_PAYLOAD_LENGTH) 429 plen = len; 430 else if (len != 431 ((plen + SHA_DIGEST_LENGTH + 432 AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)) 433 return 0; 434 else if (key->aux.tls_ver >= TLS1_1_VERSION) 435 iv = AES_BLOCK_SIZE; 436 437# if defined(STITCHED_CALL) 438 if (plen > (sha_off + iv) 439 && (blocks = (plen - (sha_off + iv)) / SHA_CBLOCK)) { 440 SHA1_Update(&key->md, in + iv, sha_off); 441 442 aesni_cbc_sha1_enc(in, out, blocks, &key->ks, ctx->iv, 443 &key->md, in + iv + sha_off); 444 blocks *= SHA_CBLOCK; 445 aes_off += blocks; 446 sha_off += blocks; 447 key->md.Nh += blocks >> 29; 448 key->md.Nl += blocks <<= 3; 449 if (key->md.Nl < (unsigned int)blocks) 450 key->md.Nh++; 451 } else { 452 sha_off = 0; 453 } 454# endif 455 sha_off += iv; 456 SHA1_Update(&key->md, in + sha_off, plen - sha_off); 457 458 if (plen != len) { /* "TLS" mode of operation */ 459 if (in != out) 460 memcpy(out + aes_off, in + aes_off, plen - aes_off); 461 462 /* calculate HMAC and append it to payload */ 463 SHA1_Final(out + plen, &key->md); 464 key->md = key->tail; 465 SHA1_Update(&key->md, out + plen, SHA_DIGEST_LENGTH); 466 SHA1_Final(out + plen, &key->md); 467 468 /* pad the payload|hmac */ 469 plen += SHA_DIGEST_LENGTH; 470 for (l = len - plen - 1; plen < len; plen++) 471 out[plen] = l; 472 /* encrypt HMAC|padding at once */ 473 aesni_cbc_encrypt(out + aes_off, out + aes_off, len - aes_off, 474 &key->ks, ctx->iv, 1); 475 } else { 476 aesni_cbc_encrypt(in + aes_off, out + aes_off, len - aes_off, 477 &key->ks, ctx->iv, 1); 478 } 479 } else { 480 union { 481 unsigned int u[SHA_DIGEST_LENGTH / sizeof(unsigned int)]; 482 unsigned char c[32 + SHA_DIGEST_LENGTH]; 483 } mac, *pmac; 484 485 /* arrange cache line alignment */ 486 pmac = (void *)(((size_t)mac.c + 31) & ((size_t)0 - 32)); 487 488 if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */ 489 size_t inp_len, mask, j, i; 490 unsigned int res, maxpad, pad, bitlen; 491 int ret = 1; 492 union { 493 unsigned int u[SHA_LBLOCK]; 494 unsigned char c[SHA_CBLOCK]; 495 } *data = (void *)key->md.data; 496# if defined(STITCHED_DECRYPT_CALL) 497 unsigned char tail_iv[AES_BLOCK_SIZE]; 498 int stitch = 0; 499# endif 500 501 if ((key->aux.tls_aad[plen - 4] << 8 | key->aux.tls_aad[plen - 3]) 502 >= TLS1_1_VERSION) { 503 if (len < (AES_BLOCK_SIZE + SHA_DIGEST_LENGTH + 1)) 504 return 0; 505 506 /* omit explicit iv */ 507 memcpy(ctx->iv, in, AES_BLOCK_SIZE); 508 509 in += AES_BLOCK_SIZE; 510 out += AES_BLOCK_SIZE; 511 len -= AES_BLOCK_SIZE; 512 } else if (len < (SHA_DIGEST_LENGTH + 1)) 513 return 0; 514 515# if defined(STITCHED_DECRYPT_CALL) 516 if (len >= 1024 && ctx->key_len == 32) { 517 /* decrypt last block */ 518 memcpy(tail_iv, in + len - 2 * AES_BLOCK_SIZE, 519 AES_BLOCK_SIZE); 520 aesni_cbc_encrypt(in + len - AES_BLOCK_SIZE, 521 out + len - AES_BLOCK_SIZE, AES_BLOCK_SIZE, 522 &key->ks, tail_iv, 0); 523 stitch = 1; 524 } else 525# endif 526 /* decrypt HMAC|padding at once */ 527 aesni_cbc_encrypt(in, out, len, &key->ks, 528 ctx->iv, 0); 529 530 /* figure out payload length */ 531 pad = out[len - 1]; 532 maxpad = len - (SHA_DIGEST_LENGTH + 1); 533 maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); 534 maxpad &= 255; 535 536 mask = constant_time_ge(maxpad, pad); 537 ret &= mask; 538 /* 539 * If pad is invalid then we will fail the above test but we must 540 * continue anyway because we are in constant time code. However, 541 * we'll use the maxpad value instead of the supplied pad to make 542 * sure we perform well defined pointer arithmetic. 543 */ 544 pad = constant_time_select(mask, pad, maxpad); 545 546 inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); 547 548 key->aux.tls_aad[plen - 2] = inp_len >> 8; 549 key->aux.tls_aad[plen - 1] = inp_len; 550 551 /* calculate HMAC */ 552 key->md = key->head; 553 SHA1_Update(&key->md, key->aux.tls_aad, plen); 554 555# if defined(STITCHED_DECRYPT_CALL) 556 if (stitch) { 557 blocks = (len - (256 + 32 + SHA_CBLOCK)) / SHA_CBLOCK; 558 aes_off = len - AES_BLOCK_SIZE - blocks * SHA_CBLOCK; 559 sha_off = SHA_CBLOCK - plen; 560 561 aesni_cbc_encrypt(in, out, aes_off, &key->ks, ctx->iv, 0); 562 563 SHA1_Update(&key->md, out, sha_off); 564 aesni256_cbc_sha1_dec(in + aes_off, 565 out + aes_off, blocks, &key->ks, 566 ctx->iv, &key->md, out + sha_off); 567 568 sha_off += blocks *= SHA_CBLOCK; 569 out += sha_off; 570 len -= sha_off; 571 inp_len -= sha_off; 572 573 key->md.Nl += (blocks << 3); /* at most 18 bits */ 574 memcpy(ctx->iv, tail_iv, AES_BLOCK_SIZE); 575 } 576# endif 577 578# if 1 /* see original reference version in #else */ 579 len -= SHA_DIGEST_LENGTH; /* amend mac */ 580 if (len >= (256 + SHA_CBLOCK)) { 581 j = (len - (256 + SHA_CBLOCK)) & (0 - SHA_CBLOCK); 582 j += SHA_CBLOCK - key->md.num; 583 SHA1_Update(&key->md, out, j); 584 out += j; 585 len -= j; 586 inp_len -= j; 587 } 588 589 /* but pretend as if we hashed padded payload */ 590 bitlen = key->md.Nl + (inp_len << 3); /* at most 18 bits */ 591# ifdef BSWAP4 592 bitlen = BSWAP4(bitlen); 593# else 594 mac.c[0] = 0; 595 mac.c[1] = (unsigned char)(bitlen >> 16); 596 mac.c[2] = (unsigned char)(bitlen >> 8); 597 mac.c[3] = (unsigned char)bitlen; 598 bitlen = mac.u[0]; 599# endif 600 601 pmac->u[0] = 0; 602 pmac->u[1] = 0; 603 pmac->u[2] = 0; 604 pmac->u[3] = 0; 605 pmac->u[4] = 0; 606 607 for (res = key->md.num, j = 0; j < len; j++) { 608 size_t c = out[j]; 609 mask = (j - inp_len) >> (sizeof(j) * 8 - 8); 610 c &= mask; 611 c |= 0x80 & ~mask & ~((inp_len - j) >> (sizeof(j) * 8 - 8)); 612 data->c[res++] = (unsigned char)c; 613 614 if (res != SHA_CBLOCK) 615 continue; 616 617 /* j is not incremented yet */ 618 mask = 0 - ((inp_len + 7 - j) >> (sizeof(j) * 8 - 1)); 619 data->u[SHA_LBLOCK - 1] |= bitlen & mask; 620 sha1_block_data_order(&key->md, data, 1); 621 mask &= 0 - ((j - inp_len - 72) >> (sizeof(j) * 8 - 1)); 622 pmac->u[0] |= key->md.h0 & mask; 623 pmac->u[1] |= key->md.h1 & mask; 624 pmac->u[2] |= key->md.h2 & mask; 625 pmac->u[3] |= key->md.h3 & mask; 626 pmac->u[4] |= key->md.h4 & mask; 627 res = 0; 628 } 629 630 for (i = res; i < SHA_CBLOCK; i++, j++) 631 data->c[i] = 0; 632 633 if (res > SHA_CBLOCK - 8) { 634 mask = 0 - ((inp_len + 8 - j) >> (sizeof(j) * 8 - 1)); 635 data->u[SHA_LBLOCK - 1] |= bitlen & mask; 636 sha1_block_data_order(&key->md, data, 1); 637 mask &= 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1)); 638 pmac->u[0] |= key->md.h0 & mask; 639 pmac->u[1] |= key->md.h1 & mask; 640 pmac->u[2] |= key->md.h2 & mask; 641 pmac->u[3] |= key->md.h3 & mask; 642 pmac->u[4] |= key->md.h4 & mask; 643 644 memset(data, 0, SHA_CBLOCK); 645 j += 64; 646 } 647 data->u[SHA_LBLOCK - 1] = bitlen; 648 sha1_block_data_order(&key->md, data, 1); 649 mask = 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1)); 650 pmac->u[0] |= key->md.h0 & mask; 651 pmac->u[1] |= key->md.h1 & mask; 652 pmac->u[2] |= key->md.h2 & mask; 653 pmac->u[3] |= key->md.h3 & mask; 654 pmac->u[4] |= key->md.h4 & mask; 655 656# ifdef BSWAP4 657 pmac->u[0] = BSWAP4(pmac->u[0]); 658 pmac->u[1] = BSWAP4(pmac->u[1]); 659 pmac->u[2] = BSWAP4(pmac->u[2]); 660 pmac->u[3] = BSWAP4(pmac->u[3]); 661 pmac->u[4] = BSWAP4(pmac->u[4]); 662# else 663 for (i = 0; i < 5; i++) { 664 res = pmac->u[i]; 665 pmac->c[4 * i + 0] = (unsigned char)(res >> 24); 666 pmac->c[4 * i + 1] = (unsigned char)(res >> 16); 667 pmac->c[4 * i + 2] = (unsigned char)(res >> 8); 668 pmac->c[4 * i + 3] = (unsigned char)res; 669 } 670# endif 671 len += SHA_DIGEST_LENGTH; 672# else /* pre-lucky-13 reference version of above */ 673 SHA1_Update(&key->md, out, inp_len); 674 res = key->md.num; 675 SHA1_Final(pmac->c, &key->md); 676 677 { 678 unsigned int inp_blocks, pad_blocks; 679 680 /* but pretend as if we hashed padded payload */ 681 inp_blocks = 682 1 + ((SHA_CBLOCK - 9 - res) >> (sizeof(res) * 8 - 1)); 683 res += (unsigned int)(len - inp_len); 684 pad_blocks = res / SHA_CBLOCK; 685 res %= SHA_CBLOCK; 686 pad_blocks += 687 1 + ((SHA_CBLOCK - 9 - res) >> (sizeof(res) * 8 - 1)); 688 for (; inp_blocks < pad_blocks; inp_blocks++) 689 sha1_block_data_order(&key->md, data, 1); 690 } 691# endif 692 key->md = key->tail; 693 SHA1_Update(&key->md, pmac->c, SHA_DIGEST_LENGTH); 694 SHA1_Final(pmac->c, &key->md); 695 696 /* verify HMAC */ 697 out += inp_len; 698 len -= inp_len; 699# if 1 /* see original reference version in #else */ 700 { 701 unsigned char *p = out + len - 1 - maxpad - SHA_DIGEST_LENGTH; 702 size_t off = out - p; 703 unsigned int c, cmask; 704 705 for (res = 0, i = 0, j = 0; j < maxpad + SHA_DIGEST_LENGTH; j++) { 706 c = p[j]; 707 cmask = 708 ((int)(j - off - SHA_DIGEST_LENGTH)) >> (sizeof(int) * 709 8 - 1); 710 res |= (c ^ pad) & ~cmask; /* ... and padding */ 711 cmask &= ((int)(off - 1 - j)) >> (sizeof(int) * 8 - 1); 712 res |= (c ^ pmac->c[i]) & cmask; 713 i += 1 & cmask; 714 } 715 716 res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); 717 ret &= (int)~res; 718 } 719# else /* pre-lucky-13 reference version of above */ 720 for (res = 0, i = 0; i < SHA_DIGEST_LENGTH; i++) 721 res |= out[i] ^ pmac->c[i]; 722 res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); 723 ret &= (int)~res; 724 725 /* verify padding */ 726 pad = (pad & ~res) | (maxpad & res); 727 out = out + len - 1 - pad; 728 for (res = 0, i = 0; i < pad; i++) 729 res |= out[i] ^ pad; 730 731 res = (0 - res) >> (sizeof(res) * 8 - 1); 732 ret &= (int)~res; 733# endif 734 return ret; 735 } else { 736# if defined(STITCHED_DECRYPT_CALL) 737 if (len >= 1024 && ctx->key_len == 32) { 738 if (sha_off %= SHA_CBLOCK) 739 blocks = (len - 3 * SHA_CBLOCK) / SHA_CBLOCK; 740 else 741 blocks = (len - 2 * SHA_CBLOCK) / SHA_CBLOCK; 742 aes_off = len - blocks * SHA_CBLOCK; 743 744 aesni_cbc_encrypt(in, out, aes_off, &key->ks, ctx->iv, 0); 745 SHA1_Update(&key->md, out, sha_off); 746 aesni256_cbc_sha1_dec(in + aes_off, 747 out + aes_off, blocks, &key->ks, 748 ctx->iv, &key->md, out + sha_off); 749 750 sha_off += blocks *= SHA_CBLOCK; 751 out += sha_off; 752 len -= sha_off; 753 754 key->md.Nh += blocks >> 29; 755 key->md.Nl += blocks <<= 3; 756 if (key->md.Nl < (unsigned int)blocks) 757 key->md.Nh++; 758 } else 759# endif 760 /* decrypt HMAC|padding at once */ 761 aesni_cbc_encrypt(in, out, len, &key->ks, 762 ctx->iv, 0); 763 764 SHA1_Update(&key->md, out, len); 765 } 766 } 767 768 return 1; 769} 770 771static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, 772 void *ptr) 773{ 774 EVP_AES_HMAC_SHA1 *key = data(ctx); 775 776 switch (type) { 777 case EVP_CTRL_AEAD_SET_MAC_KEY: 778 { 779 unsigned int i; 780 unsigned char hmac_key[64]; 781 782 memset(hmac_key, 0, sizeof(hmac_key)); 783 784 if (arg > (int)sizeof(hmac_key)) { 785 SHA1_Init(&key->head); 786 SHA1_Update(&key->head, ptr, arg); 787 SHA1_Final(hmac_key, &key->head); 788 } else { 789 memcpy(hmac_key, ptr, arg); 790 } 791 792 for (i = 0; i < sizeof(hmac_key); i++) 793 hmac_key[i] ^= 0x36; /* ipad */ 794 SHA1_Init(&key->head); 795 SHA1_Update(&key->head, hmac_key, sizeof(hmac_key)); 796 797 for (i = 0; i < sizeof(hmac_key); i++) 798 hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */ 799 SHA1_Init(&key->tail); 800 SHA1_Update(&key->tail, hmac_key, sizeof(hmac_key)); 801 802 OPENSSL_cleanse(hmac_key, sizeof(hmac_key)); 803 804 return 1; 805 } 806 case EVP_CTRL_AEAD_TLS1_AAD: 807 { 808 unsigned char *p = ptr; 809 unsigned int len; 810 811 if (arg != EVP_AEAD_TLS1_AAD_LEN) 812 return -1; 813 814 len = p[arg - 2] << 8 | p[arg - 1]; 815 816 if (EVP_CIPHER_CTX_is_encrypting(ctx)) { 817 key->payload_length = len; 818 if ((key->aux.tls_ver = 819 p[arg - 4] << 8 | p[arg - 3]) >= TLS1_1_VERSION) { 820 if (len < AES_BLOCK_SIZE) 821 return 0; 822 len -= AES_BLOCK_SIZE; 823 p[arg - 2] = len >> 8; 824 p[arg - 1] = len; 825 } 826 key->md = key->head; 827 SHA1_Update(&key->md, p, arg); 828 829 return (int)(((len + SHA_DIGEST_LENGTH + 830 AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) 831 - len); 832 } else { 833 memcpy(key->aux.tls_aad, ptr, arg); 834 key->payload_length = arg; 835 836 return SHA_DIGEST_LENGTH; 837 } 838 } 839# if !defined(OPENSSL_NO_MULTIBLOCK) 840 case EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE: 841 return (int)(5 + 16 + ((arg + 20 + 16) & -16)); 842 case EVP_CTRL_TLS1_1_MULTIBLOCK_AAD: 843 { 844 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param = 845 (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *) ptr; 846 unsigned int n4x = 1, x4; 847 unsigned int frag, last, packlen, inp_len; 848 849 if (arg < (int)sizeof(EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM)) 850 return -1; 851 852 inp_len = param->inp[11] << 8 | param->inp[12]; 853 854 if (EVP_CIPHER_CTX_is_encrypting(ctx)) { 855 if ((param->inp[9] << 8 | param->inp[10]) < TLS1_1_VERSION) 856 return -1; 857 858 if (inp_len) { 859 if (inp_len < 4096) 860 return 0; /* too short */ 861 862 if (inp_len >= 8192 && OPENSSL_ia32cap_P[2] & (1 << 5)) 863 n4x = 2; /* AVX2 */ 864 } else if ((n4x = param->interleave / 4) && n4x <= 2) 865 inp_len = param->len; 866 else 867 return -1; 868 869 key->md = key->head; 870 SHA1_Update(&key->md, param->inp, 13); 871 872 x4 = 4 * n4x; 873 n4x += 1; 874 875 frag = inp_len >> n4x; 876 last = inp_len + frag - (frag << n4x); 877 if (last > frag && ((last + 13 + 9) % 64 < (x4 - 1))) { 878 frag++; 879 last -= x4 - 1; 880 } 881 882 packlen = 5 + 16 + ((frag + 20 + 16) & -16); 883 packlen = (packlen << n4x) - packlen; 884 packlen += 5 + 16 + ((last + 20 + 16) & -16); 885 886 param->interleave = x4; 887 888 return (int)packlen; 889 } else 890 return -1; /* not yet */ 891 } 892 case EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT: 893 { 894 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param = 895 (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *) ptr; 896 897 return (int)tls1_1_multi_block_encrypt(key, param->out, 898 param->inp, param->len, 899 param->interleave / 4); 900 } 901 case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT: 902# endif 903 default: 904 return -1; 905 } 906} 907 908static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = { 909# ifdef NID_aes_128_cbc_hmac_sha1 910 NID_aes_128_cbc_hmac_sha1, 911# else 912 NID_undef, 913# endif 914 AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE, 915 EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | 916 EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, 917 EVP_ORIG_GLOBAL, 918 aesni_cbc_hmac_sha1_init_key, 919 aesni_cbc_hmac_sha1_cipher, 920 NULL, 921 sizeof(EVP_AES_HMAC_SHA1), 922 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv, 923 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv, 924 aesni_cbc_hmac_sha1_ctrl, 925 NULL 926}; 927 928static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = { 929# ifdef NID_aes_256_cbc_hmac_sha1 930 NID_aes_256_cbc_hmac_sha1, 931# else 932 NID_undef, 933# endif 934 AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE, 935 EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | 936 EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, 937 EVP_ORIG_GLOBAL, 938 aesni_cbc_hmac_sha1_init_key, 939 aesni_cbc_hmac_sha1_cipher, 940 NULL, 941 sizeof(EVP_AES_HMAC_SHA1), 942 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv, 943 EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv, 944 aesni_cbc_hmac_sha1_ctrl, 945 NULL 946}; 947 948const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void) 949{ 950 return (OPENSSL_ia32cap_P[1] & AESNI_CAPABLE ? 951 &aesni_128_cbc_hmac_sha1_cipher : NULL); 952} 953 954const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void) 955{ 956 return (OPENSSL_ia32cap_P[1] & AESNI_CAPABLE ? 957 &aesni_256_cbc_hmac_sha1_cipher : NULL); 958} 959#else 960const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void) 961{ 962 return NULL; 963} 964 965const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void) 966{ 967 return NULL; 968} 969#endif 970