| Absolute File Name: | /home/opencoverage/opencoverage/guest-scripts/libressl/src/crypto/evp/e_aes_cbc_hmac_sha1.c |
| Source code | Switch to Preprocessed file |
| Line | Source | Count | ||||||
|---|---|---|---|---|---|---|---|---|
| 1 | /* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.14 2016/11/05 10:47:57 miod Exp $ */ | - | ||||||
| 2 | /* ==================================================================== | - | ||||||
| 3 | * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved. | - | ||||||
| 4 | * | - | ||||||
| 5 | * Redistribution and use in source and binary forms, with or without | - | ||||||
| 6 | * modification, are permitted provided that the following conditions | - | ||||||
| 7 | * are met: | - | ||||||
| 8 | * | - | ||||||
| 9 | * 1. Redistributions of source code must retain the above copyright | - | ||||||
| 10 | * notice, this list of conditions and the following disclaimer. | - | ||||||
| 11 | * | - | ||||||
| 12 | * 2. Redistributions in binary form must reproduce the above copyright | - | ||||||
| 13 | * notice, this list of conditions and the following disclaimer in | - | ||||||
| 14 | * the documentation and/or other materials provided with the | - | ||||||
| 15 | * distribution. | - | ||||||
| 16 | * | - | ||||||
| 17 | * 3. All advertising materials mentioning features or use of this | - | ||||||
| 18 | * software must display the following acknowledgment: | - | ||||||
| 19 | * "This product includes software developed by the OpenSSL Project | - | ||||||
| 20 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | - | ||||||
| 21 | * | - | ||||||
| 22 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | - | ||||||
| 23 | * endorse or promote products derived from this software without | - | ||||||
| 24 | * prior written permission. For written permission, please contact | - | ||||||
| 25 | * licensing@OpenSSL.org. | - | ||||||
| 26 | * | - | ||||||
| 27 | * 5. Products derived from this software may not be called "OpenSSL" | - | ||||||
| 28 | * nor may "OpenSSL" appear in their names without prior written | - | ||||||
| 29 | * permission of the OpenSSL Project. | - | ||||||
| 30 | * | - | ||||||
| 31 | * 6. Redistributions of any form whatsoever must retain the following | - | ||||||
| 32 | * acknowledgment: | - | ||||||
| 33 | * "This product includes software developed by the OpenSSL Project | - | ||||||
| 34 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | - | ||||||
| 35 | * | - | ||||||
| 36 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | - | ||||||
| 37 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | - | ||||||
| 38 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | - | ||||||
| 39 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | - | ||||||
| 40 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | - | ||||||
| 41 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | - | ||||||
| 42 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | - | ||||||
| 43 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | - | ||||||
| 44 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | - | ||||||
| 45 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | - | ||||||
| 46 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | - | ||||||
| 47 | * OF THE POSSIBILITY OF SUCH DAMAGE. | - | ||||||
| 48 | * ==================================================================== | - | ||||||
| 49 | */ | - | ||||||
| 50 | - | |||||||
| 51 | #include <stdio.h> | - | ||||||
| 52 | #include <string.h> | - | ||||||
| 53 | - | |||||||
| 54 | #include <openssl/opensslconf.h> | - | ||||||
| 55 | - | |||||||
| 56 | #if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1) | - | ||||||
| 57 | - | |||||||
| 58 | #include <openssl/evp.h> | - | ||||||
| 59 | #include <openssl/objects.h> | - | ||||||
| 60 | #include <openssl/aes.h> | - | ||||||
| 61 | #include <openssl/sha.h> | - | ||||||
| 62 | #include "evp_locl.h" | - | ||||||
| 63 | #include "constant_time_locl.h" | - | ||||||
| 64 | - | |||||||
| 65 | #define TLS1_1_VERSION 0x0302 | - | ||||||
| 66 | - | |||||||
| 67 | typedef struct { | - | ||||||
| 68 | AES_KEY ks; | - | ||||||
| 69 | SHA_CTX head, tail, md; | - | ||||||
| 70 | size_t payload_length; /* AAD length in decrypt case */ | - | ||||||
| 71 | union { | - | ||||||
| 72 | unsigned int tls_ver; | - | ||||||
| 73 | unsigned char tls_aad[16]; /* 13 used */ | - | ||||||
| 74 | } aux; | - | ||||||
| 75 | } EVP_AES_HMAC_SHA1; | - | ||||||
| 76 | - | |||||||
| 77 | #define NO_PAYLOAD_LENGTH ((size_t)-1) | - | ||||||
| 78 | - | |||||||
| 79 | #if defined(AES_ASM) && ( \ | - | ||||||
| 80 | defined(__x86_64) || defined(__x86_64__) || \ | - | ||||||
| 81 | defined(_M_AMD64) || defined(_M_X64) || \ | - | ||||||
| 82 | defined(__INTEL__) ) | - | ||||||
| 83 | - | |||||||
| 84 | #include "x86_arch.h" | - | ||||||
| 85 | - | |||||||
| 86 | #if defined(__GNUC__) && __GNUC__>=2 | - | ||||||
| 87 | # define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; }) | - | ||||||
| 88 | #endif | - | ||||||
| 89 | - | |||||||
| 90 | int aesni_set_encrypt_key(const unsigned char *userKey, int bits, AES_KEY *key); | - | ||||||
| 91 | int aesni_set_decrypt_key(const unsigned char *userKey, int bits, AES_KEY *key); | - | ||||||
| 92 | - | |||||||
| 93 | void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out, | - | ||||||
| 94 | size_t length, const AES_KEY *key, unsigned char *ivec, int enc); | - | ||||||
| 95 | - | |||||||
| 96 | void aesni_cbc_sha1_enc (const void *inp, void *out, size_t blocks, | - | ||||||
| 97 | const AES_KEY *key, unsigned char iv[16], SHA_CTX *ctx, const void *in0); | - | ||||||
| 98 | - | |||||||
| 99 | #define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data) | - | ||||||
| 100 | - | |||||||
| 101 | static int | - | ||||||
| 102 | aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *inkey, | - | ||||||
| 103 | const unsigned char *iv, int enc) | - | ||||||
| 104 | { | - | ||||||
| 105 | EVP_AES_HMAC_SHA1 *key = data(ctx); | - | ||||||
| 106 | int ret; | - | ||||||
| 107 | - | |||||||
| 108 | if (enc)
| 0 | ||||||
| 109 | ret = aesni_set_encrypt_key(inkey, ctx->key_len * 8, &key->ks); never executed: ret = aesni_set_encrypt_key(inkey, ctx->key_len * 8, &key->ks); | 0 | ||||||
| 110 | else | - | ||||||
| 111 | ret = aesni_set_decrypt_key(inkey, ctx->key_len * 8, &key->ks); never executed: ret = aesni_set_decrypt_key(inkey, ctx->key_len * 8, &key->ks); | 0 | ||||||
| 112 | - | |||||||
| 113 | SHA1_Init(&key->head); /* handy when benchmarking */ | - | ||||||
| 114 | key->tail = key->head; | - | ||||||
| 115 | key->md = key->head; | - | ||||||
| 116 | - | |||||||
| 117 | key->payload_length = NO_PAYLOAD_LENGTH; | - | ||||||
| 118 | - | |||||||
| 119 | return ret < 0 ? 0 : 1; never executed: return ret < 0 ? 0 : 1;
| 0 | ||||||
| 120 | } | - | ||||||
| 121 | - | |||||||
| 122 | #define STITCHED_CALL | - | ||||||
| 123 | - | |||||||
| 124 | #if !defined(STITCHED_CALL) | - | ||||||
| 125 | #define aes_off 0 | - | ||||||
| 126 | #endif | - | ||||||
| 127 | - | |||||||
| 128 | void sha1_block_data_order (void *c, const void *p, size_t len); | - | ||||||
| 129 | - | |||||||
| 130 | static void | - | ||||||
| 131 | sha1_update(SHA_CTX *c, const void *data, size_t len) | - | ||||||
| 132 | { | - | ||||||
| 133 | const unsigned char *ptr = data; | - | ||||||
| 134 | size_t res; | - | ||||||
| 135 | - | |||||||
| 136 | if ((res = c->num)) {
| 0 | ||||||
| 137 | res = SHA_CBLOCK - res; | - | ||||||
| 138 | if (len < res)
| 0 | ||||||
| 139 | res = len; never executed: res = len; | 0 | ||||||
| 140 | SHA1_Update(c, ptr, res); | - | ||||||
| 141 | ptr += res; | - | ||||||
| 142 | len -= res; | - | ||||||
| 143 | } never executed: end of block | 0 | ||||||
| 144 | - | |||||||
| 145 | res = len % SHA_CBLOCK; | - | ||||||
| 146 | len -= res; | - | ||||||
| 147 | - | |||||||
| 148 | if (len) {
| 0 | ||||||
| 149 | sha1_block_data_order(c, ptr, len / SHA_CBLOCK); | - | ||||||
| 150 | - | |||||||
| 151 | ptr += len; | - | ||||||
| 152 | c->Nh += len >> 29; | - | ||||||
| 153 | c->Nl += len <<= 3; | - | ||||||
| 154 | if (c->Nl < (unsigned int)len)
| 0 | ||||||
| 155 | c->Nh++; never executed: c->Nh++; | 0 | ||||||
| 156 | } never executed: end of block | 0 | ||||||
| 157 | - | |||||||
| 158 | if (res)
| 0 | ||||||
| 159 | SHA1_Update(c, ptr, res); never executed: SHA1_Update(c, ptr, res); | 0 | ||||||
| 160 | } never executed: end of block | 0 | ||||||
| 161 | - | |||||||
| 162 | #ifdef SHA1_Update | - | ||||||
| 163 | #undef SHA1_Update | - | ||||||
| 164 | #endif | - | ||||||
| 165 | #define SHA1_Update sha1_update | - | ||||||
| 166 | - | |||||||
| 167 | static int | - | ||||||
| 168 | aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | - | ||||||
| 169 | const unsigned char *in, size_t len) | - | ||||||
| 170 | { | - | ||||||
| 171 | EVP_AES_HMAC_SHA1 *key = data(ctx); | - | ||||||
| 172 | unsigned int l; | - | ||||||
| 173 | size_t plen = key->payload_length, | - | ||||||
| 174 | iv = 0, /* explicit IV in TLS 1.1 and later */ | - | ||||||
| 175 | sha_off = 0; | - | ||||||
| 176 | #if defined(STITCHED_CALL) | - | ||||||
| 177 | size_t aes_off = 0, blocks; | - | ||||||
| 178 | - | |||||||
| 179 | sha_off = SHA_CBLOCK - key->md.num; | - | ||||||
| 180 | #endif | - | ||||||
| 181 | - | |||||||
| 182 | key->payload_length = NO_PAYLOAD_LENGTH; | - | ||||||
| 183 | - | |||||||
| 184 | if (len % AES_BLOCK_SIZE)
| 0 | ||||||
| 185 | return 0; never executed: return 0; | 0 | ||||||
| 186 | - | |||||||
| 187 | if (ctx->encrypt) {
| 0 | ||||||
| 188 | if (plen == NO_PAYLOAD_LENGTH)
| 0 | ||||||
| 189 | plen = len; never executed: plen = len; | 0 | ||||||
| 190 | else if (len != ((plen + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) &
| 0 | ||||||
| 191 | -AES_BLOCK_SIZE))
| 0 | ||||||
| 192 | return 0; never executed: return 0; | 0 | ||||||
| 193 | else if (key->aux.tls_ver >= TLS1_1_VERSION)
| 0 | ||||||
| 194 | iv = AES_BLOCK_SIZE; never executed: iv = 16; | 0 | ||||||
| 195 | - | |||||||
| 196 | #if defined(STITCHED_CALL) | - | ||||||
| 197 | if (plen > (sha_off + iv) &&
| 0 | ||||||
| 198 | (blocks = (plen - (sha_off + iv)) / SHA_CBLOCK)) {
| 0 | ||||||
| 199 | SHA1_Update(&key->md, in + iv, sha_off); | - | ||||||
| 200 | - | |||||||
| 201 | aesni_cbc_sha1_enc(in, out, blocks, &key->ks, | - | ||||||
| 202 | ctx->iv, &key->md, in + iv + sha_off); | - | ||||||
| 203 | blocks *= SHA_CBLOCK; | - | ||||||
| 204 | aes_off += blocks; | - | ||||||
| 205 | sha_off += blocks; | - | ||||||
| 206 | key->md.Nh += blocks >> 29; | - | ||||||
| 207 | key->md.Nl += blocks <<= 3; | - | ||||||
| 208 | if (key->md.Nl < (unsigned int)blocks)
| 0 | ||||||
| 209 | key->md.Nh++; never executed: key->md.Nh++; | 0 | ||||||
| 210 | } else { never executed: end of block | 0 | ||||||
| 211 | sha_off = 0; | - | ||||||
| 212 | } never executed: end of block | 0 | ||||||
| 213 | #endif | - | ||||||
| 214 | sha_off += iv; | - | ||||||
| 215 | SHA1_Update(&key->md, in + sha_off, plen - sha_off); | - | ||||||
| 216 | - | |||||||
| 217 | if (plen != len) { /* "TLS" mode of operation */
| 0 | ||||||
| 218 | if (in != out)
| 0 | ||||||
| 219 | memcpy(out + aes_off, in + aes_off, never executed: memcpy(out + aes_off, in + aes_off, plen - aes_off); | 0 | ||||||
| 220 | plen - aes_off); never executed: memcpy(out + aes_off, in + aes_off, plen - aes_off); | 0 | ||||||
| 221 | - | |||||||
| 222 | /* calculate HMAC and append it to payload */ | - | ||||||
| 223 | SHA1_Final(out + plen, &key->md); | - | ||||||
| 224 | key->md = key->tail; | - | ||||||
| 225 | SHA1_Update(&key->md, out + plen, SHA_DIGEST_LENGTH); | - | ||||||
| 226 | SHA1_Final(out + plen, &key->md); | - | ||||||
| 227 | - | |||||||
| 228 | /* pad the payload|hmac */ | - | ||||||
| 229 | plen += SHA_DIGEST_LENGTH; | - | ||||||
| 230 | for (l = len - plen - 1; plen < len; plen++)
| 0 | ||||||
| 231 | out[plen] = l; never executed: out[plen] = l; | 0 | ||||||
| 232 | - | |||||||
| 233 | /* encrypt HMAC|padding at once */ | - | ||||||
| 234 | aesni_cbc_encrypt(out + aes_off, out + aes_off, | - | ||||||
| 235 | len - aes_off, &key->ks, ctx->iv, 1); | - | ||||||
| 236 | } else { never executed: end of block | 0 | ||||||
| 237 | aesni_cbc_encrypt(in + aes_off, out + aes_off, | - | ||||||
| 238 | len - aes_off, &key->ks, ctx->iv, 1); | - | ||||||
| 239 | } never executed: end of block | 0 | ||||||
| 240 | } else { | - | ||||||
| 241 | union { | - | ||||||
| 242 | unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)]; | - | ||||||
| 243 | unsigned char c[32 + SHA_DIGEST_LENGTH]; | - | ||||||
| 244 | } mac, *pmac; | - | ||||||
| 245 | - | |||||||
| 246 | /* arrange cache line alignment */ | - | ||||||
| 247 | pmac = (void *)(((size_t)mac.c + 31) & ((size_t)0 - 32)); | - | ||||||
| 248 | - | |||||||
| 249 | /* decrypt HMAC|padding at once */ | - | ||||||
| 250 | aesni_cbc_encrypt(in, out, len, &key->ks, ctx->iv, 0); | - | ||||||
| 251 | - | |||||||
| 252 | if (plen) { /* "TLS" mode of operation */
| 0 | ||||||
| 253 | size_t inp_len, mask, j, i; | - | ||||||
| 254 | unsigned int res, maxpad, pad, bitlen; | - | ||||||
| 255 | int ret = 1; | - | ||||||
| 256 | union { | - | ||||||
| 257 | unsigned int u[SHA_LBLOCK]; | - | ||||||
| 258 | unsigned char c[SHA_CBLOCK]; | - | ||||||
| 259 | } | - | ||||||
| 260 | *data = (void *)key->md.data; | - | ||||||
| 261 | - | |||||||
| 262 | if ((key->aux.tls_aad[plen - 4] << 8 |
| 0 | ||||||
| 263 | key->aux.tls_aad[plen - 3]) >= TLS1_1_VERSION)
| 0 | ||||||
| 264 | iv = AES_BLOCK_SIZE; never executed: iv = 16; | 0 | ||||||
| 265 | - | |||||||
| 266 | if (len < (iv + SHA_DIGEST_LENGTH + 1))
| 0 | ||||||
| 267 | return 0; never executed: return 0; | 0 | ||||||
| 268 | - | |||||||
| 269 | /* omit explicit iv */ | - | ||||||
| 270 | out += iv; | - | ||||||
| 271 | len -= iv; | - | ||||||
| 272 | - | |||||||
| 273 | /* figure out payload length */ | - | ||||||
| 274 | pad = out[len - 1]; | - | ||||||
| 275 | maxpad = len - (SHA_DIGEST_LENGTH + 1); | - | ||||||
| 276 | maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); | - | ||||||
| 277 | maxpad &= 255; | - | ||||||
| 278 | - | |||||||
| 279 | ret &= constant_time_ge(maxpad, pad); | - | ||||||
| 280 | - | |||||||
| 281 | inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); | - | ||||||
| 282 | mask = (0 - ((inp_len - len) >> | - | ||||||
| 283 | (sizeof(inp_len) * 8 - 1))); | - | ||||||
| 284 | inp_len &= mask; | - | ||||||
| 285 | ret &= (int)mask; | - | ||||||
| 286 | - | |||||||
| 287 | key->aux.tls_aad[plen - 2] = inp_len >> 8; | - | ||||||
| 288 | key->aux.tls_aad[plen - 1] = inp_len; | - | ||||||
| 289 | - | |||||||
| 290 | /* calculate HMAC */ | - | ||||||
| 291 | key->md = key->head; | - | ||||||
| 292 | SHA1_Update(&key->md, key->aux.tls_aad, plen); | - | ||||||
| 293 | - | |||||||
| 294 | #if 1 | - | ||||||
| 295 | len -= SHA_DIGEST_LENGTH; /* amend mac */ | - | ||||||
| 296 | if (len >= (256 + SHA_CBLOCK)) {
| 0 | ||||||
| 297 | j = (len - (256 + SHA_CBLOCK)) & | - | ||||||
| 298 | (0 - SHA_CBLOCK); | - | ||||||
| 299 | j += SHA_CBLOCK - key->md.num; | - | ||||||
| 300 | SHA1_Update(&key->md, out, j); | - | ||||||
| 301 | out += j; | - | ||||||
| 302 | len -= j; | - | ||||||
| 303 | inp_len -= j; | - | ||||||
| 304 | } never executed: end of block | 0 | ||||||
| 305 | - | |||||||
| 306 | /* but pretend as if we hashed padded payload */ | - | ||||||
| 307 | bitlen = key->md.Nl + (inp_len << 3); /* at most 18 bits */ | - | ||||||
| 308 | #ifdef BSWAP | - | ||||||
| 309 | bitlen = BSWAP(bitlen); | - | ||||||
| 310 | #else | - | ||||||
| 311 | mac.c[0] = 0; | - | ||||||
| 312 | mac.c[1] = (unsigned char)(bitlen >> 16); | - | ||||||
| 313 | mac.c[2] = (unsigned char)(bitlen >> 8); | - | ||||||
| 314 | mac.c[3] = (unsigned char)bitlen; | - | ||||||
| 315 | bitlen = mac.u[0]; | - | ||||||
| 316 | #endif | - | ||||||
| 317 | - | |||||||
| 318 | pmac->u[0] = 0; | - | ||||||
| 319 | pmac->u[1] = 0; | - | ||||||
| 320 | pmac->u[2] = 0; | - | ||||||
| 321 | pmac->u[3] = 0; | - | ||||||
| 322 | pmac->u[4] = 0; | - | ||||||
| 323 | - | |||||||
| 324 | for (res = key->md.num, j = 0; j < len; j++) {
| 0 | ||||||
| 325 | size_t c = out[j]; | - | ||||||
| 326 | mask = (j - inp_len) >> (sizeof(j) * 8 - 8); | - | ||||||
| 327 | c &= mask; | - | ||||||
| 328 | c |= 0x80 & ~mask & | - | ||||||
| 329 | ~((inp_len - j) >> (sizeof(j) * 8 - 8)); | - | ||||||
| 330 | data->c[res++] = (unsigned char)c; | - | ||||||
| 331 | - | |||||||
| 332 | if (res != SHA_CBLOCK)
| 0 | ||||||
| 333 | continue; never executed: continue; | 0 | ||||||
| 334 | - | |||||||
| 335 | /* j is not incremented yet */ | - | ||||||
| 336 | mask = 0 - ((inp_len + 7 - j) >> | - | ||||||
| 337 | (sizeof(j) * 8 - 1)); | - | ||||||
| 338 | data->u[SHA_LBLOCK - 1] |= bitlen&mask; | - | ||||||
| 339 | sha1_block_data_order(&key->md, data, 1); | - | ||||||
| 340 | mask &= 0 - ((j - inp_len - 72) >> | - | ||||||
| 341 | (sizeof(j) * 8 - 1)); | - | ||||||
| 342 | pmac->u[0] |= key->md.h0 & mask; | - | ||||||
| 343 | pmac->u[1] |= key->md.h1 & mask; | - | ||||||
| 344 | pmac->u[2] |= key->md.h2 & mask; | - | ||||||
| 345 | pmac->u[3] |= key->md.h3 & mask; | - | ||||||
| 346 | pmac->u[4] |= key->md.h4 & mask; | - | ||||||
| 347 | res = 0; | - | ||||||
| 348 | } never executed: end of block | 0 | ||||||
| 349 | - | |||||||
| 350 | for (i = res; i < SHA_CBLOCK; i++, j++)
| 0 | ||||||
| 351 | data->c[i] = 0; never executed: data->c[i] = 0; | 0 | ||||||
| 352 | - | |||||||
| 353 | if (res > SHA_CBLOCK - 8) {
| 0 | ||||||
| 354 | mask = 0 - ((inp_len + 8 - j) >> | - | ||||||
| 355 | (sizeof(j) * 8 - 1)); | - | ||||||
| 356 | data->u[SHA_LBLOCK - 1] |= bitlen & mask; | - | ||||||
| 357 | sha1_block_data_order(&key->md, data, 1); | - | ||||||
| 358 | mask &= 0 - ((j - inp_len - 73) >> | - | ||||||
| 359 | (sizeof(j) * 8 - 1)); | - | ||||||
| 360 | pmac->u[0] |= key->md.h0 & mask; | - | ||||||
| 361 | pmac->u[1] |= key->md.h1 & mask; | - | ||||||
| 362 | pmac->u[2] |= key->md.h2 & mask; | - | ||||||
| 363 | pmac->u[3] |= key->md.h3 & mask; | - | ||||||
| 364 | pmac->u[4] |= key->md.h4 & mask; | - | ||||||
| 365 | - | |||||||
| 366 | memset(data, 0, SHA_CBLOCK); | - | ||||||
| 367 | j += 64; | - | ||||||
| 368 | } never executed: end of block | 0 | ||||||
| 369 | data->u[SHA_LBLOCK - 1] = bitlen; | - | ||||||
| 370 | sha1_block_data_order(&key->md, data, 1); | - | ||||||
| 371 | mask = 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1)); | - | ||||||
| 372 | pmac->u[0] |= key->md.h0 & mask; | - | ||||||
| 373 | pmac->u[1] |= key->md.h1 & mask; | - | ||||||
| 374 | pmac->u[2] |= key->md.h2 & mask; | - | ||||||
| 375 | pmac->u[3] |= key->md.h3 & mask; | - | ||||||
| 376 | pmac->u[4] |= key->md.h4 & mask; | - | ||||||
| 377 | - | |||||||
| 378 | #ifdef BSWAP | - | ||||||
| 379 | pmac->u[0] = BSWAP(pmac->u[0]); | - | ||||||
| 380 | pmac->u[1] = BSWAP(pmac->u[1]); | - | ||||||
| 381 | pmac->u[2] = BSWAP(pmac->u[2]); | - | ||||||
| 382 | pmac->u[3] = BSWAP(pmac->u[3]); | - | ||||||
| 383 | pmac->u[4] = BSWAP(pmac->u[4]); | - | ||||||
| 384 | #else | - | ||||||
| 385 | for (i = 0; i < 5; i++) { | - | ||||||
| 386 | res = pmac->u[i]; | - | ||||||
| 387 | pmac->c[4 * i + 0] = (unsigned char)(res >> 24); | - | ||||||
| 388 | pmac->c[4 * i + 1] = (unsigned char)(res >> 16); | - | ||||||
| 389 | pmac->c[4 * i + 2] = (unsigned char)(res >> 8); | - | ||||||
| 390 | pmac->c[4 * i + 3] = (unsigned char)res; | - | ||||||
| 391 | } | - | ||||||
| 392 | #endif | - | ||||||
| 393 | len += SHA_DIGEST_LENGTH; | - | ||||||
| 394 | #else | - | ||||||
| 395 | SHA1_Update(&key->md, out, inp_len); | - | ||||||
| 396 | res = key->md.num; | - | ||||||
| 397 | SHA1_Final(pmac->c, &key->md); | - | ||||||
| 398 | - | |||||||
| 399 | { | - | ||||||
| 400 | unsigned int inp_blocks, pad_blocks; | - | ||||||
| 401 | - | |||||||
| 402 | /* but pretend as if we hashed padded payload */ | - | ||||||
| 403 | inp_blocks = 1 + ((SHA_CBLOCK - 9 - res) >> | - | ||||||
| 404 | (sizeof(res) * 8 - 1)); | - | ||||||
| 405 | res += (unsigned int)(len - inp_len); | - | ||||||
| 406 | pad_blocks = res / SHA_CBLOCK; | - | ||||||
| 407 | res %= SHA_CBLOCK; | - | ||||||
| 408 | pad_blocks += 1 + ((SHA_CBLOCK - 9 - res) >> | - | ||||||
| 409 | (sizeof(res) * 8 - 1)); | - | ||||||
| 410 | for (; inp_blocks < pad_blocks; inp_blocks++) | - | ||||||
| 411 | sha1_block_data_order(&key->md, | - | ||||||
| 412 | data, 1); | - | ||||||
| 413 | } | - | ||||||
| 414 | #endif | - | ||||||
| 415 | key->md = key->tail; | - | ||||||
| 416 | SHA1_Update(&key->md, pmac->c, SHA_DIGEST_LENGTH); | - | ||||||
| 417 | SHA1_Final(pmac->c, &key->md); | - | ||||||
| 418 | - | |||||||
| 419 | /* verify HMAC */ | - | ||||||
| 420 | out += inp_len; | - | ||||||
| 421 | len -= inp_len; | - | ||||||
| 422 | #if 1 | - | ||||||
| 423 | { | - | ||||||
| 424 | unsigned char *p = | - | ||||||
| 425 | out + len - 1 - maxpad - SHA_DIGEST_LENGTH; | - | ||||||
| 426 | size_t off = out - p; | - | ||||||
| 427 | unsigned int c, cmask; | - | ||||||
| 428 | - | |||||||
| 429 | maxpad += SHA_DIGEST_LENGTH; | - | ||||||
| 430 | for (res = 0, i = 0, j = 0; j < maxpad; j++) {
| 0 | ||||||
| 431 | c = p[j]; | - | ||||||
| 432 | cmask = ((int)(j - off - | - | ||||||
| 433 | SHA_DIGEST_LENGTH)) >> | - | ||||||
| 434 | (sizeof(int) * 8 - 1); | - | ||||||
| 435 | res |= (c ^ pad) & ~cmask; /* ... and padding */ | - | ||||||
| 436 | cmask &= ((int)(off - 1 - j)) >> | - | ||||||
| 437 | (sizeof(int) * 8 - 1); | - | ||||||
| 438 | res |= (c ^ pmac->c[i]) & cmask; | - | ||||||
| 439 | i += 1 & cmask; | - | ||||||
| 440 | } never executed: end of block | 0 | ||||||
| 441 | maxpad -= SHA_DIGEST_LENGTH; | - | ||||||
| 442 | - | |||||||
| 443 | res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); | - | ||||||
| 444 | ret &= (int)~res; | - | ||||||
| 445 | } | - | ||||||
| 446 | #else | - | ||||||
| 447 | for (res = 0, i = 0; i < SHA_DIGEST_LENGTH; i++) | - | ||||||
| 448 | res |= out[i] ^ pmac->c[i]; | - | ||||||
| 449 | res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); | - | ||||||
| 450 | ret &= (int)~res; | - | ||||||
| 451 | - | |||||||
| 452 | /* verify padding */ | - | ||||||
| 453 | pad = (pad & ~res) | (maxpad & res); | - | ||||||
| 454 | out = out + len - 1 - pad; | - | ||||||
| 455 | for (res = 0, i = 0; i < pad; i++) | - | ||||||
| 456 | res |= out[i] ^ pad; | - | ||||||
| 457 | - | |||||||
| 458 | res = (0 - res) >> (sizeof(res) * 8 - 1); | - | ||||||
| 459 | ret &= (int)~res; | - | ||||||
| 460 | #endif | - | ||||||
| 461 | return ret; never executed: return ret; | 0 | ||||||
| 462 | } else { | - | ||||||
| 463 | SHA1_Update(&key->md, out, len); | - | ||||||
| 464 | } never executed: end of block | 0 | ||||||
| 465 | } | - | ||||||
| 466 | - | |||||||
| 467 | return 1; never executed: return 1; | 0 | ||||||
| 468 | } | - | ||||||
| 469 | - | |||||||
| 470 | static int | - | ||||||
| 471 | aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) | - | ||||||
| 472 | { | - | ||||||
| 473 | EVP_AES_HMAC_SHA1 *key = data(ctx); | - | ||||||
| 474 | - | |||||||
| 475 | switch (type) { | - | ||||||
| 476 | case EVP_CTRL_AEAD_SET_MAC_KEY: never executed: case 0x17: | 0 | ||||||
| 477 | { | - | ||||||
| 478 | unsigned int i; | - | ||||||
| 479 | unsigned char hmac_key[64]; | - | ||||||
| 480 | - | |||||||
| 481 | memset(hmac_key, 0, sizeof(hmac_key)); | - | ||||||
| 482 | - | |||||||
| 483 | if (arg > (int)sizeof(hmac_key)) {
| 0 | ||||||
| 484 | SHA1_Init(&key->head); | - | ||||||
| 485 | SHA1_Update(&key->head, ptr, arg); | - | ||||||
| 486 | SHA1_Final(hmac_key, &key->head); | - | ||||||
| 487 | } else { never executed: end of block | 0 | ||||||
| 488 | memcpy(hmac_key, ptr, arg); | - | ||||||
| 489 | } never executed: end of block | 0 | ||||||
| 490 | - | |||||||
| 491 | for (i = 0; i < sizeof(hmac_key); i++)
| 0 | ||||||
| 492 | hmac_key[i] ^= 0x36; /* ipad */ never executed: hmac_key[i] ^= 0x36; | 0 | ||||||
| 493 | SHA1_Init(&key->head); | - | ||||||
| 494 | SHA1_Update(&key->head, hmac_key, sizeof(hmac_key)); | - | ||||||
| 495 | - | |||||||
| 496 | for (i = 0; i < sizeof(hmac_key); i++)
| 0 | ||||||
| 497 | hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */ never executed: hmac_key[i] ^= 0x36 ^ 0x5c; | 0 | ||||||
| 498 | SHA1_Init(&key->tail); | - | ||||||
| 499 | SHA1_Update(&key->tail, hmac_key, sizeof(hmac_key)); | - | ||||||
| 500 | - | |||||||
| 501 | explicit_bzero(hmac_key, sizeof(hmac_key)); | - | ||||||
| 502 | - | |||||||
| 503 | return 1; never executed: return 1; | 0 | ||||||
| 504 | } | - | ||||||
| 505 | case EVP_CTRL_AEAD_TLS1_AAD: never executed: case 0x16: | 0 | ||||||
| 506 | { | - | ||||||
| 507 | unsigned char *p = ptr; | - | ||||||
| 508 | unsigned int len = p[arg - 2] << 8 | p[arg - 1]; | - | ||||||
| 509 | - | |||||||
| 510 | if (ctx->encrypt) {
| 0 | ||||||
| 511 | key->payload_length = len; | - | ||||||
| 512 | if ((key->aux.tls_ver = p[arg - 4] << 8 |
| 0 | ||||||
| 513 | p[arg - 3]) >= TLS1_1_VERSION) {
| 0 | ||||||
| 514 | len -= AES_BLOCK_SIZE; | - | ||||||
| 515 | p[arg - 2] = len >> 8; | - | ||||||
| 516 | p[arg - 1] = len; | - | ||||||
| 517 | } never executed: end of block | 0 | ||||||
| 518 | key->md = key->head; | - | ||||||
| 519 | SHA1_Update(&key->md, p, arg); | - | ||||||
| 520 | - | |||||||
| 521 | return (int)(((len + SHA_DIGEST_LENGTH + never executed: return (int)(((len + 20 + 16) & -16) - len); | 0 | ||||||
| 522 | AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) - len); never executed: return (int)(((len + 20 + 16) & -16) - len); | 0 | ||||||
| 523 | } else { | - | ||||||
| 524 | if (arg > 13)
| 0 | ||||||
| 525 | arg = 13; never executed: arg = 13; | 0 | ||||||
| 526 | memcpy(key->aux.tls_aad, ptr, arg); | - | ||||||
| 527 | key->payload_length = arg; | - | ||||||
| 528 | - | |||||||
| 529 | return SHA_DIGEST_LENGTH; never executed: return 20; | 0 | ||||||
| 530 | } | - | ||||||
| 531 | } | - | ||||||
| 532 | default: never executed: default: | 0 | ||||||
| 533 | return -1; never executed: return -1; | 0 | ||||||
| 534 | } | - | ||||||
| 535 | } | - | ||||||
| 536 | - | |||||||
| 537 | static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = { | - | ||||||
| 538 | #ifdef NID_aes_128_cbc_hmac_sha1 | - | ||||||
| 539 | .nid = NID_aes_128_cbc_hmac_sha1, | - | ||||||
| 540 | #else | - | ||||||
| 541 | .nid = NID_undef, | - | ||||||
| 542 | #endif | - | ||||||
| 543 | .block_size = 16, | - | ||||||
| 544 | .key_len = 16, | - | ||||||
| 545 | .iv_len = 16, | - | ||||||
| 546 | .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | | - | ||||||
| 547 | EVP_CIPH_FLAG_AEAD_CIPHER, | - | ||||||
| 548 | .init = aesni_cbc_hmac_sha1_init_key, | - | ||||||
| 549 | .do_cipher = aesni_cbc_hmac_sha1_cipher, | - | ||||||
| 550 | .ctx_size = sizeof(EVP_AES_HMAC_SHA1), | - | ||||||
| 551 | .ctrl = aesni_cbc_hmac_sha1_ctrl | - | ||||||
| 552 | }; | - | ||||||
| 553 | - | |||||||
| 554 | static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = { | - | ||||||
| 555 | #ifdef NID_aes_256_cbc_hmac_sha1 | - | ||||||
| 556 | .nid = NID_aes_256_cbc_hmac_sha1, | - | ||||||
| 557 | #else | - | ||||||
| 558 | .nid = NID_undef, | - | ||||||
| 559 | #endif | - | ||||||
| 560 | .block_size = 16, | - | ||||||
| 561 | .key_len = 32, | - | ||||||
| 562 | .iv_len = 16, | - | ||||||
| 563 | .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | | - | ||||||
| 564 | EVP_CIPH_FLAG_AEAD_CIPHER, | - | ||||||
| 565 | .init = aesni_cbc_hmac_sha1_init_key, | - | ||||||
| 566 | .do_cipher = aesni_cbc_hmac_sha1_cipher, | - | ||||||
| 567 | .ctx_size = sizeof(EVP_AES_HMAC_SHA1), | - | ||||||
| 568 | .ctrl = aesni_cbc_hmac_sha1_ctrl | - | ||||||
| 569 | }; | - | ||||||
| 570 | - | |||||||
| 571 | const EVP_CIPHER * | - | ||||||
| 572 | EVP_aes_128_cbc_hmac_sha1(void) | - | ||||||
| 573 | { | - | ||||||
| 574 | return (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI) ? executed 625 times by 33 tests: return (OPENSSL_cpu_caps() & (1ULL << (32 + 25))) ? &aesni_128_cbc_hmac_sha1_cipher : ((void *)0) ;Executed by:
| 0-625 | ||||||
| 575 | &aesni_128_cbc_hmac_sha1_cipher : NULL; executed 625 times by 33 tests: return (OPENSSL_cpu_caps() & (1ULL << (32 + 25))) ? &aesni_128_cbc_hmac_sha1_cipher : ((void *)0) ;Executed by:
| 625 | ||||||
| 576 | } | - | ||||||
| 577 | - | |||||||
| 578 | const EVP_CIPHER * | - | ||||||
| 579 | EVP_aes_256_cbc_hmac_sha1(void) | - | ||||||
| 580 | { | - | ||||||
| 581 | return (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI) ? executed 625 times by 33 tests: return (OPENSSL_cpu_caps() & (1ULL << (32 + 25))) ? &aesni_256_cbc_hmac_sha1_cipher : ((void *)0) ;Executed by:
| 0-625 | ||||||
| 582 | &aesni_256_cbc_hmac_sha1_cipher : NULL; executed 625 times by 33 tests: return (OPENSSL_cpu_caps() & (1ULL << (32 + 25))) ? &aesni_256_cbc_hmac_sha1_cipher : ((void *)0) ;Executed by:
| 625 | ||||||
| 583 | } | - | ||||||
| 584 | #else | - | ||||||
| 585 | const EVP_CIPHER * | - | ||||||
| 586 | EVP_aes_128_cbc_hmac_sha1(void) | - | ||||||
| 587 | { | - | ||||||
| 588 | return NULL; | - | ||||||
| 589 | } | - | ||||||
| 590 | - | |||||||
| 591 | const EVP_CIPHER * | - | ||||||
| 592 | EVP_aes_256_cbc_hmac_sha1(void) | - | ||||||
| 593 | { | - | ||||||
| 594 | return NULL; | - | ||||||
| 595 | } | - | ||||||
| 596 | #endif | - | ||||||
| 597 | #endif | - | ||||||
| Source code | Switch to Preprocessed file |