File: | src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c |
Warning: | line 446, column 5 Value stored to 'maxpad' is never read |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.16 2021/12/12 21:30:13 tb Exp $ */ |
2 | /* ==================================================================== |
3 | * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved. |
4 | * |
5 | * Redistribution and use in source and binary forms, with or without |
6 | * modification, are permitted provided that the following conditions |
7 | * are met: |
8 | * |
9 | * 1. Redistributions of source code must retain the above copyright |
10 | * notice, this list of conditions and the following disclaimer. |
11 | * |
12 | * 2. Redistributions in binary form must reproduce the above copyright |
13 | * notice, this list of conditions and the following disclaimer in |
14 | * the documentation and/or other materials provided with the |
15 | * distribution. |
16 | * |
17 | * 3. All advertising materials mentioning features or use of this |
18 | * software must display the following acknowledgment: |
19 | * "This product includes software developed by the OpenSSL Project |
20 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" |
21 | * |
22 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
23 | * endorse or promote products derived from this software without |
24 | * prior written permission. For written permission, please contact |
25 | * licensing@OpenSSL.org. |
26 | * |
27 | * 5. Products derived from this software may not be called "OpenSSL" |
28 | * nor may "OpenSSL" appear in their names without prior written |
29 | * permission of the OpenSSL Project. |
30 | * |
31 | * 6. Redistributions of any form whatsoever must retain the following |
32 | * acknowledgment: |
33 | * "This product includes software developed by the OpenSSL Project |
34 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" |
35 | * |
36 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
37 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
38 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
39 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
40 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
41 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
42 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
43 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
44 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
45 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
46 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
47 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
48 | * ==================================================================== |
49 | */ |
50 | |
51 | #include <stdio.h> |
52 | #include <string.h> |
53 | |
54 | #include <openssl/opensslconf.h> |
55 | |
56 | #if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1) |
57 | |
58 | #include <openssl/evp.h> |
59 | #include <openssl/objects.h> |
60 | #include <openssl/aes.h> |
61 | #include <openssl/sha.h> |
62 | |
63 | #include "constant_time_locl.h" |
64 | #include "evp_locl.h" |
65 | |
66 | #define TLS1_1_VERSION0x0302 0x0302 |
67 | |
68 | typedef struct { |
69 | AES_KEY ks; |
70 | SHA_CTX head, tail, md; |
71 | size_t payload_length; /* AAD length in decrypt case */ |
72 | union { |
73 | unsigned int tls_ver; |
74 | unsigned char tls_aad[16]; /* 13 used */ |
75 | } aux; |
76 | } EVP_AES_HMAC_SHA1; |
77 | |
78 | #define NO_PAYLOAD_LENGTH((size_t)-1) ((size_t)-1) |
79 | |
80 | #if defined(AES_ASM1) && ( \ |
81 | defined(__x86_641) || defined(__x86_64__1) || \ |
82 | defined(_M_AMD64) || defined(_M_X64) || \ |
83 | defined(__INTEL__) ) |
84 | |
85 | #include "x86_arch.h" |
86 | |
87 | #if defined(__GNUC__4) && __GNUC__4>=2 |
88 | # define BSWAP(x)({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; } ) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; }) |
89 | #endif |
90 | |
91 | int aesni_set_encrypt_key(const unsigned char *userKey, int bits, AES_KEY *key); |
92 | int aesni_set_decrypt_key(const unsigned char *userKey, int bits, AES_KEY *key); |
93 | |
94 | void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out, |
95 | size_t length, const AES_KEY *key, unsigned char *ivec, int enc); |
96 | |
97 | void aesni_cbc_sha1_enc (const void *inp, void *out, size_t blocks, |
98 | const AES_KEY *key, unsigned char iv[16], SHA_CTX *ctx, const void *in0); |
99 | |
100 | #define data(ctx)((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data) |
101 | |
102 | static int |
103 | aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *inkey, |
104 | const unsigned char *iv, int enc) |
105 | { |
106 | EVP_AES_HMAC_SHA1 *key = data(ctx)((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data); |
107 | int ret; |
108 | |
109 | if (enc) |
110 | ret = aesni_set_encrypt_key(inkey, ctx->key_len * 8, &key->ks); |
111 | else |
112 | ret = aesni_set_decrypt_key(inkey, ctx->key_len * 8, &key->ks); |
113 | |
114 | SHA1_Init(&key->head); /* handy when benchmarking */ |
115 | key->tail = key->head; |
116 | key->md = key->head; |
117 | |
118 | key->payload_length = NO_PAYLOAD_LENGTH((size_t)-1); |
119 | |
120 | return ret < 0 ? 0 : 1; |
121 | } |
122 | |
123 | #define STITCHED_CALL |
124 | |
125 | #if !defined(STITCHED_CALL) |
126 | #define aes_off 0 |
127 | #endif |
128 | |
129 | void sha1_block_data_order (void *c, const void *p, size_t len); |
130 | |
131 | static void |
132 | sha1_update(SHA_CTX *c, const void *data, size_t len) |
133 | { |
134 | const unsigned char *ptr = data; |
135 | size_t res; |
136 | |
137 | if ((res = c->num)) { |
138 | res = SHA_CBLOCK(16*4) - res; |
139 | if (len < res) |
140 | res = len; |
141 | SHA1_Updatesha1_update(c, ptr, res); |
142 | ptr += res; |
143 | len -= res; |
144 | } |
145 | |
146 | res = len % SHA_CBLOCK(16*4); |
147 | len -= res; |
148 | |
149 | if (len) { |
150 | sha1_block_data_order(c, ptr, len / SHA_CBLOCK(16*4)); |
151 | |
152 | ptr += len; |
153 | c->Nh += len >> 29; |
154 | c->Nl += len <<= 3; |
155 | if (c->Nl < (unsigned int)len) |
156 | c->Nh++; |
157 | } |
158 | |
159 | if (res) |
160 | SHA1_Updatesha1_update(c, ptr, res); |
161 | } |
162 | |
163 | #ifdef SHA1_Updatesha1_update |
164 | #undef SHA1_Updatesha1_update |
165 | #endif |
166 | #define SHA1_Updatesha1_update sha1_update |
167 | |
168 | static int |
169 | aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
170 | const unsigned char *in, size_t len) |
171 | { |
172 | EVP_AES_HMAC_SHA1 *key = data(ctx)((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data); |
173 | unsigned int l; |
174 | size_t plen = key->payload_length, |
175 | iv = 0, /* explicit IV in TLS 1.1 and later */ |
176 | sha_off = 0; |
177 | #if defined(STITCHED_CALL) |
178 | size_t aes_off = 0, blocks; |
179 | |
180 | sha_off = SHA_CBLOCK(16*4) - key->md.num; |
181 | #endif |
182 | |
183 | key->payload_length = NO_PAYLOAD_LENGTH((size_t)-1); |
184 | |
185 | if (len % AES_BLOCK_SIZE16) |
186 | return 0; |
187 | |
188 | if (ctx->encrypt) { |
189 | if (plen == NO_PAYLOAD_LENGTH((size_t)-1)) |
190 | plen = len; |
191 | else if (len != ((plen + SHA_DIGEST_LENGTH20 + AES_BLOCK_SIZE16) & |
192 | -AES_BLOCK_SIZE16)) |
193 | return 0; |
194 | else if (key->aux.tls_ver >= TLS1_1_VERSION0x0302) |
195 | iv = AES_BLOCK_SIZE16; |
196 | |
197 | #if defined(STITCHED_CALL) |
198 | if (plen > (sha_off + iv) && |
199 | (blocks = (plen - (sha_off + iv)) / SHA_CBLOCK(16*4))) { |
200 | SHA1_Updatesha1_update(&key->md, in + iv, sha_off); |
201 | |
202 | aesni_cbc_sha1_enc(in, out, blocks, &key->ks, |
203 | ctx->iv, &key->md, in + iv + sha_off); |
204 | blocks *= SHA_CBLOCK(16*4); |
205 | aes_off += blocks; |
206 | sha_off += blocks; |
207 | key->md.Nh += blocks >> 29; |
208 | key->md.Nl += blocks <<= 3; |
209 | if (key->md.Nl < (unsigned int)blocks) |
210 | key->md.Nh++; |
211 | } else { |
212 | sha_off = 0; |
213 | } |
214 | #endif |
215 | sha_off += iv; |
216 | SHA1_Updatesha1_update(&key->md, in + sha_off, plen - sha_off); |
217 | |
218 | if (plen != len) { /* "TLS" mode of operation */ |
219 | if (in != out) |
220 | memcpy(out + aes_off, in + aes_off, |
221 | plen - aes_off); |
222 | |
223 | /* calculate HMAC and append it to payload */ |
224 | SHA1_Final(out + plen, &key->md); |
225 | key->md = key->tail; |
226 | SHA1_Updatesha1_update(&key->md, out + plen, SHA_DIGEST_LENGTH20); |
227 | SHA1_Final(out + plen, &key->md); |
228 | |
229 | /* pad the payload|hmac */ |
230 | plen += SHA_DIGEST_LENGTH20; |
231 | for (l = len - plen - 1; plen < len; plen++) |
232 | out[plen] = l; |
233 | |
234 | /* encrypt HMAC|padding at once */ |
235 | aesni_cbc_encrypt(out + aes_off, out + aes_off, |
236 | len - aes_off, &key->ks, ctx->iv, 1); |
237 | } else { |
238 | aesni_cbc_encrypt(in + aes_off, out + aes_off, |
239 | len - aes_off, &key->ks, ctx->iv, 1); |
240 | } |
241 | } else { |
242 | union { |
243 | unsigned int u[SHA_DIGEST_LENGTH20/sizeof(unsigned int)]; |
244 | unsigned char c[32 + SHA_DIGEST_LENGTH20]; |
245 | } mac, *pmac; |
246 | |
247 | /* arrange cache line alignment */ |
248 | pmac = (void *)(((size_t)mac.c + 31) & ((size_t)0 - 32)); |
249 | |
250 | /* decrypt HMAC|padding at once */ |
251 | aesni_cbc_encrypt(in, out, len, &key->ks, ctx->iv, 0); |
252 | |
253 | if (plen == 0 || plen == NO_PAYLOAD_LENGTH((size_t)-1)) { |
254 | SHA1_Updatesha1_update(&key->md, out, len); |
255 | } else if (plen < 4) { |
256 | return 0; |
257 | } else { /* "TLS" mode of operation */ |
258 | size_t inp_len, mask, j, i; |
259 | unsigned int res, maxpad, pad, bitlen; |
260 | int ret = 1; |
261 | union { |
262 | unsigned int u[SHA_LBLOCK16]; |
263 | unsigned char c[SHA_CBLOCK(16*4)]; |
264 | } |
265 | *data = (void *)key->md.data; |
266 | |
267 | if ((key->aux.tls_aad[plen - 4] << 8 | |
268 | key->aux.tls_aad[plen - 3]) >= TLS1_1_VERSION0x0302) |
269 | iv = AES_BLOCK_SIZE16; |
270 | |
271 | if (len < (iv + SHA_DIGEST_LENGTH20 + 1)) |
272 | return 0; |
273 | |
274 | /* omit explicit iv */ |
275 | out += iv; |
276 | len -= iv; |
277 | |
278 | /* figure out payload length */ |
279 | pad = out[len - 1]; |
280 | maxpad = len - (SHA_DIGEST_LENGTH20 + 1); |
281 | maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); |
282 | maxpad &= 255; |
283 | |
284 | ret &= constant_time_ge(maxpad, pad); |
285 | |
286 | inp_len = len - (SHA_DIGEST_LENGTH20 + pad + 1); |
287 | mask = (0 - ((inp_len - len) >> |
288 | (sizeof(inp_len) * 8 - 1))); |
289 | inp_len &= mask; |
290 | ret &= (int)mask; |
291 | |
292 | key->aux.tls_aad[plen - 2] = inp_len >> 8; |
293 | key->aux.tls_aad[plen - 1] = inp_len; |
294 | |
295 | /* calculate HMAC */ |
296 | key->md = key->head; |
297 | SHA1_Updatesha1_update(&key->md, key->aux.tls_aad, plen); |
298 | |
299 | #if 1 |
300 | len -= SHA_DIGEST_LENGTH20; /* amend mac */ |
301 | if (len >= (256 + SHA_CBLOCK(16*4))) { |
302 | j = (len - (256 + SHA_CBLOCK(16*4))) & |
303 | (0 - SHA_CBLOCK(16*4)); |
304 | j += SHA_CBLOCK(16*4) - key->md.num; |
305 | SHA1_Updatesha1_update(&key->md, out, j); |
306 | out += j; |
307 | len -= j; |
308 | inp_len -= j; |
309 | } |
310 | |
311 | /* but pretend as if we hashed padded payload */ |
312 | bitlen = key->md.Nl + (inp_len << 3); /* at most 18 bits */ |
313 | #ifdef BSWAP |
314 | bitlen = BSWAP(bitlen)({ unsigned int r=(bitlen); asm ("bswapl %0":"=r"(r):"0"(r)); r; }); |
315 | #else |
316 | mac.c[0] = 0; |
317 | mac.c[1] = (unsigned char)(bitlen >> 16); |
318 | mac.c[2] = (unsigned char)(bitlen >> 8); |
319 | mac.c[3] = (unsigned char)bitlen; |
320 | bitlen = mac.u[0]; |
321 | #endif |
322 | |
323 | pmac->u[0] = 0; |
324 | pmac->u[1] = 0; |
325 | pmac->u[2] = 0; |
326 | pmac->u[3] = 0; |
327 | pmac->u[4] = 0; |
328 | |
329 | for (res = key->md.num, j = 0; j < len; j++) { |
330 | size_t c = out[j]; |
331 | mask = (j - inp_len) >> (sizeof(j) * 8 - 8); |
332 | c &= mask; |
333 | c |= 0x80 & ~mask & |
334 | ~((inp_len - j) >> (sizeof(j) * 8 - 8)); |
335 | data->c[res++] = (unsigned char)c; |
336 | |
337 | if (res != SHA_CBLOCK(16*4)) |
338 | continue; |
339 | |
340 | /* j is not incremented yet */ |
341 | mask = 0 - ((inp_len + 7 - j) >> |
342 | (sizeof(j) * 8 - 1)); |
343 | data->u[SHA_LBLOCK16 - 1] |= bitlen&mask; |
344 | sha1_block_data_order(&key->md, data, 1); |
345 | mask &= 0 - ((j - inp_len - 72) >> |
346 | (sizeof(j) * 8 - 1)); |
347 | pmac->u[0] |= key->md.h0 & mask; |
348 | pmac->u[1] |= key->md.h1 & mask; |
349 | pmac->u[2] |= key->md.h2 & mask; |
350 | pmac->u[3] |= key->md.h3 & mask; |
351 | pmac->u[4] |= key->md.h4 & mask; |
352 | res = 0; |
353 | } |
354 | |
355 | for (i = res; i < SHA_CBLOCK(16*4); i++, j++) |
356 | data->c[i] = 0; |
357 | |
358 | if (res > SHA_CBLOCK(16*4) - 8) { |
359 | mask = 0 - ((inp_len + 8 - j) >> |
360 | (sizeof(j) * 8 - 1)); |
361 | data->u[SHA_LBLOCK16 - 1] |= bitlen & mask; |
362 | sha1_block_data_order(&key->md, data, 1); |
363 | mask &= 0 - ((j - inp_len - 73) >> |
364 | (sizeof(j) * 8 - 1)); |
365 | pmac->u[0] |= key->md.h0 & mask; |
366 | pmac->u[1] |= key->md.h1 & mask; |
367 | pmac->u[2] |= key->md.h2 & mask; |
368 | pmac->u[3] |= key->md.h3 & mask; |
369 | pmac->u[4] |= key->md.h4 & mask; |
370 | |
371 | memset(data, 0, SHA_CBLOCK(16*4)); |
372 | j += 64; |
373 | } |
374 | data->u[SHA_LBLOCK16 - 1] = bitlen; |
375 | sha1_block_data_order(&key->md, data, 1); |
376 | mask = 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1)); |
377 | pmac->u[0] |= key->md.h0 & mask; |
378 | pmac->u[1] |= key->md.h1 & mask; |
379 | pmac->u[2] |= key->md.h2 & mask; |
380 | pmac->u[3] |= key->md.h3 & mask; |
381 | pmac->u[4] |= key->md.h4 & mask; |
382 | |
383 | #ifdef BSWAP |
384 | pmac->u[0] = BSWAP(pmac->u[0])({ unsigned int r=(pmac->u[0]); asm ("bswapl %0":"=r"(r):"0" (r)); r; }); |
385 | pmac->u[1] = BSWAP(pmac->u[1])({ unsigned int r=(pmac->u[1]); asm ("bswapl %0":"=r"(r):"0" (r)); r; }); |
386 | pmac->u[2] = BSWAP(pmac->u[2])({ unsigned int r=(pmac->u[2]); asm ("bswapl %0":"=r"(r):"0" (r)); r; }); |
387 | pmac->u[3] = BSWAP(pmac->u[3])({ unsigned int r=(pmac->u[3]); asm ("bswapl %0":"=r"(r):"0" (r)); r; }); |
388 | pmac->u[4] = BSWAP(pmac->u[4])({ unsigned int r=(pmac->u[4]); asm ("bswapl %0":"=r"(r):"0" (r)); r; }); |
389 | #else |
390 | for (i = 0; i < 5; i++) { |
391 | res = pmac->u[i]; |
392 | pmac->c[4 * i + 0] = (unsigned char)(res >> 24); |
393 | pmac->c[4 * i + 1] = (unsigned char)(res >> 16); |
394 | pmac->c[4 * i + 2] = (unsigned char)(res >> 8); |
395 | pmac->c[4 * i + 3] = (unsigned char)res; |
396 | } |
397 | #endif |
398 | len += SHA_DIGEST_LENGTH20; |
399 | #else |
400 | SHA1_Updatesha1_update(&key->md, out, inp_len); |
401 | res = key->md.num; |
402 | SHA1_Final(pmac->c, &key->md); |
403 | |
404 | { |
405 | unsigned int inp_blocks, pad_blocks; |
406 | |
407 | /* but pretend as if we hashed padded payload */ |
408 | inp_blocks = 1 + ((SHA_CBLOCK(16*4) - 9 - res) >> |
409 | (sizeof(res) * 8 - 1)); |
410 | res += (unsigned int)(len - inp_len); |
411 | pad_blocks = res / SHA_CBLOCK(16*4); |
412 | res %= SHA_CBLOCK(16*4); |
413 | pad_blocks += 1 + ((SHA_CBLOCK(16*4) - 9 - res) >> |
414 | (sizeof(res) * 8 - 1)); |
415 | for (; inp_blocks < pad_blocks; inp_blocks++) |
416 | sha1_block_data_order(&key->md, |
417 | data, 1); |
418 | } |
419 | #endif |
420 | key->md = key->tail; |
421 | SHA1_Updatesha1_update(&key->md, pmac->c, SHA_DIGEST_LENGTH20); |
422 | SHA1_Final(pmac->c, &key->md); |
423 | |
424 | /* verify HMAC */ |
425 | out += inp_len; |
426 | len -= inp_len; |
427 | #if 1 |
428 | { |
429 | unsigned char *p = |
430 | out + len - 1 - maxpad - SHA_DIGEST_LENGTH20; |
431 | size_t off = out - p; |
432 | unsigned int c, cmask; |
433 | |
434 | maxpad += SHA_DIGEST_LENGTH20; |
435 | for (res = 0, i = 0, j = 0; j < maxpad; j++) { |
436 | c = p[j]; |
437 | cmask = ((int)(j - off - |
438 | SHA_DIGEST_LENGTH20)) >> |
439 | (sizeof(int) * 8 - 1); |
440 | res |= (c ^ pad) & ~cmask; /* ... and padding */ |
441 | cmask &= ((int)(off - 1 - j)) >> |
442 | (sizeof(int) * 8 - 1); |
443 | res |= (c ^ pmac->c[i]) & cmask; |
444 | i += 1 & cmask; |
445 | } |
446 | maxpad -= SHA_DIGEST_LENGTH20; |
Value stored to 'maxpad' is never read | |
447 | |
448 | res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); |
449 | ret &= (int)~res; |
450 | } |
451 | #else |
452 | for (res = 0, i = 0; i < SHA_DIGEST_LENGTH20; i++) |
453 | res |= out[i] ^ pmac->c[i]; |
454 | res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); |
455 | ret &= (int)~res; |
456 | |
457 | /* verify padding */ |
458 | pad = (pad & ~res) | (maxpad & res); |
459 | out = out + len - 1 - pad; |
460 | for (res = 0, i = 0; i < pad; i++) |
461 | res |= out[i] ^ pad; |
462 | |
463 | res = (0 - res) >> (sizeof(res) * 8 - 1); |
464 | ret &= (int)~res; |
465 | #endif |
466 | return ret; |
467 | } |
468 | } |
469 | |
470 | return 1; |
471 | } |
472 | |
473 | static int |
474 | aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) |
475 | { |
476 | EVP_AES_HMAC_SHA1 *key = data(ctx)((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data); |
477 | |
478 | switch (type) { |
479 | case EVP_CTRL_AEAD_SET_MAC_KEY0x17: |
480 | { |
481 | unsigned int i; |
482 | unsigned char hmac_key[64]; |
483 | |
484 | memset(hmac_key, 0, sizeof(hmac_key)); |
485 | |
486 | if (arg > (int)sizeof(hmac_key)) { |
487 | SHA1_Init(&key->head); |
488 | SHA1_Updatesha1_update(&key->head, ptr, arg); |
489 | SHA1_Final(hmac_key, &key->head); |
490 | } else { |
491 | memcpy(hmac_key, ptr, arg); |
492 | } |
493 | |
494 | for (i = 0; i < sizeof(hmac_key); i++) |
495 | hmac_key[i] ^= 0x36; /* ipad */ |
496 | SHA1_Init(&key->head); |
497 | SHA1_Updatesha1_update(&key->head, hmac_key, sizeof(hmac_key)); |
498 | |
499 | for (i = 0; i < sizeof(hmac_key); i++) |
500 | hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */ |
501 | SHA1_Init(&key->tail); |
502 | SHA1_Updatesha1_update(&key->tail, hmac_key, sizeof(hmac_key)); |
503 | |
504 | explicit_bzero(hmac_key, sizeof(hmac_key)); |
505 | |
506 | return 1; |
507 | } |
508 | case EVP_CTRL_AEAD_TLS1_AAD0x16: |
509 | { |
510 | unsigned char *p = ptr; |
511 | unsigned int len; |
512 | |
513 | /* RFC 5246, 6.2.3.3: additional data has length 13 */ |
514 | if (arg != 13) |
515 | return -1; |
516 | |
517 | len = p[arg - 2] << 8 | p[arg - 1]; |
518 | |
519 | if (ctx->encrypt) { |
520 | key->payload_length = len; |
521 | if ((key->aux.tls_ver = p[arg - 4] << 8 | |
522 | p[arg - 3]) >= TLS1_1_VERSION0x0302) { |
523 | len -= AES_BLOCK_SIZE16; |
524 | p[arg - 2] = len >> 8; |
525 | p[arg - 1] = len; |
526 | } |
527 | key->md = key->head; |
528 | SHA1_Updatesha1_update(&key->md, p, arg); |
529 | |
530 | return (int)(((len + SHA_DIGEST_LENGTH20 + |
531 | AES_BLOCK_SIZE16) & -AES_BLOCK_SIZE16) - len); |
532 | } else { |
533 | memcpy(key->aux.tls_aad, ptr, arg); |
534 | key->payload_length = arg; |
535 | |
536 | return SHA_DIGEST_LENGTH20; |
537 | } |
538 | } |
539 | default: |
540 | return -1; |
541 | } |
542 | } |
543 | |
544 | static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = { |
545 | #ifdef NID_aes_128_cbc_hmac_sha1916 |
546 | .nid = NID_aes_128_cbc_hmac_sha1916, |
547 | #else |
548 | .nid = NID_undef0, |
549 | #endif |
550 | .block_size = 16, |
551 | .key_len = 16, |
552 | .iv_len = 16, |
553 | .flags = EVP_CIPH_CBC_MODE0x2 | EVP_CIPH_FLAG_DEFAULT_ASN10x1000 | |
554 | EVP_CIPH_FLAG_AEAD_CIPHER0x200000, |
555 | .init = aesni_cbc_hmac_sha1_init_key, |
556 | .do_cipher = aesni_cbc_hmac_sha1_cipher, |
557 | .ctx_size = sizeof(EVP_AES_HMAC_SHA1), |
558 | .ctrl = aesni_cbc_hmac_sha1_ctrl |
559 | }; |
560 | |
561 | static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = { |
562 | #ifdef NID_aes_256_cbc_hmac_sha1918 |
563 | .nid = NID_aes_256_cbc_hmac_sha1918, |
564 | #else |
565 | .nid = NID_undef0, |
566 | #endif |
567 | .block_size = 16, |
568 | .key_len = 32, |
569 | .iv_len = 16, |
570 | .flags = EVP_CIPH_CBC_MODE0x2 | EVP_CIPH_FLAG_DEFAULT_ASN10x1000 | |
571 | EVP_CIPH_FLAG_AEAD_CIPHER0x200000, |
572 | .init = aesni_cbc_hmac_sha1_init_key, |
573 | .do_cipher = aesni_cbc_hmac_sha1_cipher, |
574 | .ctx_size = sizeof(EVP_AES_HMAC_SHA1), |
575 | .ctrl = aesni_cbc_hmac_sha1_ctrl |
576 | }; |
577 | |
578 | const EVP_CIPHER * |
579 | EVP_aes_128_cbc_hmac_sha1(void) |
580 | { |
581 | return (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI(1ULL << (32 + 25))) ? |
582 | &aesni_128_cbc_hmac_sha1_cipher : NULL((void*)0); |
583 | } |
584 | |
585 | const EVP_CIPHER * |
586 | EVP_aes_256_cbc_hmac_sha1(void) |
587 | { |
588 | return (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI(1ULL << (32 + 25))) ? |
589 | &aesni_256_cbc_hmac_sha1_cipher : NULL((void*)0); |
590 | } |
591 | #else |
592 | const EVP_CIPHER * |
593 | EVP_aes_128_cbc_hmac_sha1(void) |
594 | { |
595 | return NULL((void*)0); |
596 | } |
597 | |
598 | const EVP_CIPHER * |
599 | EVP_aes_256_cbc_hmac_sha1(void) |
600 | { |
601 | return NULL((void*)0); |
602 | } |
603 | #endif |
604 | #endif |