Absolute File Name: | /home/opencoverage/opencoverage/guest-scripts/libressl/src/crypto/evp/e_aes_cbc_hmac_sha1.c |
Source code | Switch to Preprocessed file |
Line | Source | Count | ||||||
---|---|---|---|---|---|---|---|---|
1 | /* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.14 2016/11/05 10:47:57 miod Exp $ */ | - | ||||||
2 | /* ==================================================================== | - | ||||||
3 | * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved. | - | ||||||
4 | * | - | ||||||
5 | * Redistribution and use in source and binary forms, with or without | - | ||||||
6 | * modification, are permitted provided that the following conditions | - | ||||||
7 | * are met: | - | ||||||
8 | * | - | ||||||
9 | * 1. Redistributions of source code must retain the above copyright | - | ||||||
10 | * notice, this list of conditions and the following disclaimer. | - | ||||||
11 | * | - | ||||||
12 | * 2. Redistributions in binary form must reproduce the above copyright | - | ||||||
13 | * notice, this list of conditions and the following disclaimer in | - | ||||||
14 | * the documentation and/or other materials provided with the | - | ||||||
15 | * distribution. | - | ||||||
16 | * | - | ||||||
17 | * 3. All advertising materials mentioning features or use of this | - | ||||||
18 | * software must display the following acknowledgment: | - | ||||||
19 | * "This product includes software developed by the OpenSSL Project | - | ||||||
20 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | - | ||||||
21 | * | - | ||||||
22 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | - | ||||||
23 | * endorse or promote products derived from this software without | - | ||||||
24 | * prior written permission. For written permission, please contact | - | ||||||
25 | * licensing@OpenSSL.org. | - | ||||||
26 | * | - | ||||||
27 | * 5. Products derived from this software may not be called "OpenSSL" | - | ||||||
28 | * nor may "OpenSSL" appear in their names without prior written | - | ||||||
29 | * permission of the OpenSSL Project. | - | ||||||
30 | * | - | ||||||
31 | * 6. Redistributions of any form whatsoever must retain the following | - | ||||||
32 | * acknowledgment: | - | ||||||
33 | * "This product includes software developed by the OpenSSL Project | - | ||||||
34 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | - | ||||||
35 | * | - | ||||||
36 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | - | ||||||
37 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | - | ||||||
38 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | - | ||||||
39 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | - | ||||||
40 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | - | ||||||
41 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | - | ||||||
42 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | - | ||||||
43 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | - | ||||||
44 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | - | ||||||
45 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | - | ||||||
46 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | - | ||||||
47 | * OF THE POSSIBILITY OF SUCH DAMAGE. | - | ||||||
48 | * ==================================================================== | - | ||||||
49 | */ | - | ||||||
50 | - | |||||||
51 | #include <stdio.h> | - | ||||||
52 | #include <string.h> | - | ||||||
53 | - | |||||||
54 | #include <openssl/opensslconf.h> | - | ||||||
55 | - | |||||||
56 | #if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1) | - | ||||||
57 | - | |||||||
58 | #include <openssl/evp.h> | - | ||||||
59 | #include <openssl/objects.h> | - | ||||||
60 | #include <openssl/aes.h> | - | ||||||
61 | #include <openssl/sha.h> | - | ||||||
62 | #include "evp_locl.h" | - | ||||||
63 | #include "constant_time_locl.h" | - | ||||||
64 | - | |||||||
65 | #define TLS1_1_VERSION 0x0302 | - | ||||||
66 | - | |||||||
67 | typedef struct { | - | ||||||
68 | AES_KEY ks; | - | ||||||
69 | SHA_CTX head, tail, md; | - | ||||||
70 | size_t payload_length; /* AAD length in decrypt case */ | - | ||||||
71 | union { | - | ||||||
72 | unsigned int tls_ver; | - | ||||||
73 | unsigned char tls_aad[16]; /* 13 used */ | - | ||||||
74 | } aux; | - | ||||||
75 | } EVP_AES_HMAC_SHA1; | - | ||||||
76 | - | |||||||
77 | #define NO_PAYLOAD_LENGTH ((size_t)-1) | - | ||||||
78 | - | |||||||
79 | #if defined(AES_ASM) && ( \ | - | ||||||
80 | defined(__x86_64) || defined(__x86_64__) || \ | - | ||||||
81 | defined(_M_AMD64) || defined(_M_X64) || \ | - | ||||||
82 | defined(__INTEL__) ) | - | ||||||
83 | - | |||||||
84 | #include "x86_arch.h" | - | ||||||
85 | - | |||||||
86 | #if defined(__GNUC__) && __GNUC__>=2 | - | ||||||
87 | # define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; }) | - | ||||||
88 | #endif | - | ||||||
89 | - | |||||||
90 | int aesni_set_encrypt_key(const unsigned char *userKey, int bits, AES_KEY *key); | - | ||||||
91 | int aesni_set_decrypt_key(const unsigned char *userKey, int bits, AES_KEY *key); | - | ||||||
92 | - | |||||||
93 | void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out, | - | ||||||
94 | size_t length, const AES_KEY *key, unsigned char *ivec, int enc); | - | ||||||
95 | - | |||||||
96 | void aesni_cbc_sha1_enc (const void *inp, void *out, size_t blocks, | - | ||||||
97 | const AES_KEY *key, unsigned char iv[16], SHA_CTX *ctx, const void *in0); | - | ||||||
98 | - | |||||||
99 | #define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data) | - | ||||||
100 | - | |||||||
101 | static int | - | ||||||
102 | aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *inkey, | - | ||||||
103 | const unsigned char *iv, int enc) | - | ||||||
104 | { | - | ||||||
105 | EVP_AES_HMAC_SHA1 *key = data(ctx); | - | ||||||
106 | int ret; | - | ||||||
107 | - | |||||||
108 | if (enc)
| 0 | ||||||
109 | ret = aesni_set_encrypt_key(inkey, ctx->key_len * 8, &key->ks); never executed: ret = aesni_set_encrypt_key(inkey, ctx->key_len * 8, &key->ks); | 0 | ||||||
110 | else | - | ||||||
111 | ret = aesni_set_decrypt_key(inkey, ctx->key_len * 8, &key->ks); never executed: ret = aesni_set_decrypt_key(inkey, ctx->key_len * 8, &key->ks); | 0 | ||||||
112 | - | |||||||
113 | SHA1_Init(&key->head); /* handy when benchmarking */ | - | ||||||
114 | key->tail = key->head; | - | ||||||
115 | key->md = key->head; | - | ||||||
116 | - | |||||||
117 | key->payload_length = NO_PAYLOAD_LENGTH; | - | ||||||
118 | - | |||||||
119 | return ret < 0 ? 0 : 1; never executed: return ret < 0 ? 0 : 1;
| 0 | ||||||
120 | } | - | ||||||
121 | - | |||||||
122 | #define STITCHED_CALL | - | ||||||
123 | - | |||||||
124 | #if !defined(STITCHED_CALL) | - | ||||||
125 | #define aes_off 0 | - | ||||||
126 | #endif | - | ||||||
127 | - | |||||||
128 | void sha1_block_data_order (void *c, const void *p, size_t len); | - | ||||||
129 | - | |||||||
130 | static void | - | ||||||
131 | sha1_update(SHA_CTX *c, const void *data, size_t len) | - | ||||||
132 | { | - | ||||||
133 | const unsigned char *ptr = data; | - | ||||||
134 | size_t res; | - | ||||||
135 | - | |||||||
136 | if ((res = c->num)) {
| 0 | ||||||
137 | res = SHA_CBLOCK - res; | - | ||||||
138 | if (len < res)
| 0 | ||||||
139 | res = len; never executed: res = len; | 0 | ||||||
140 | SHA1_Update(c, ptr, res); | - | ||||||
141 | ptr += res; | - | ||||||
142 | len -= res; | - | ||||||
143 | } never executed: end of block | 0 | ||||||
144 | - | |||||||
145 | res = len % SHA_CBLOCK; | - | ||||||
146 | len -= res; | - | ||||||
147 | - | |||||||
148 | if (len) {
| 0 | ||||||
149 | sha1_block_data_order(c, ptr, len / SHA_CBLOCK); | - | ||||||
150 | - | |||||||
151 | ptr += len; | - | ||||||
152 | c->Nh += len >> 29; | - | ||||||
153 | c->Nl += len <<= 3; | - | ||||||
154 | if (c->Nl < (unsigned int)len)
| 0 | ||||||
155 | c->Nh++; never executed: c->Nh++; | 0 | ||||||
156 | } never executed: end of block | 0 | ||||||
157 | - | |||||||
158 | if (res)
| 0 | ||||||
159 | SHA1_Update(c, ptr, res); never executed: SHA1_Update(c, ptr, res); | 0 | ||||||
160 | } never executed: end of block | 0 | ||||||
161 | - | |||||||
162 | #ifdef SHA1_Update | - | ||||||
163 | #undef SHA1_Update | - | ||||||
164 | #endif | - | ||||||
165 | #define SHA1_Update sha1_update | - | ||||||
166 | - | |||||||
167 | static int | - | ||||||
168 | aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | - | ||||||
169 | const unsigned char *in, size_t len) | - | ||||||
170 | { | - | ||||||
171 | EVP_AES_HMAC_SHA1 *key = data(ctx); | - | ||||||
172 | unsigned int l; | - | ||||||
173 | size_t plen = key->payload_length, | - | ||||||
174 | iv = 0, /* explicit IV in TLS 1.1 and later */ | - | ||||||
175 | sha_off = 0; | - | ||||||
176 | #if defined(STITCHED_CALL) | - | ||||||
177 | size_t aes_off = 0, blocks; | - | ||||||
178 | - | |||||||
179 | sha_off = SHA_CBLOCK - key->md.num; | - | ||||||
180 | #endif | - | ||||||
181 | - | |||||||
182 | key->payload_length = NO_PAYLOAD_LENGTH; | - | ||||||
183 | - | |||||||
184 | if (len % AES_BLOCK_SIZE)
| 0 | ||||||
185 | return 0; never executed: return 0; | 0 | ||||||
186 | - | |||||||
187 | if (ctx->encrypt) {
| 0 | ||||||
188 | if (plen == NO_PAYLOAD_LENGTH)
| 0 | ||||||
189 | plen = len; never executed: plen = len; | 0 | ||||||
190 | else if (len != ((plen + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) &
| 0 | ||||||
191 | -AES_BLOCK_SIZE))
| 0 | ||||||
192 | return 0; never executed: return 0; | 0 | ||||||
193 | else if (key->aux.tls_ver >= TLS1_1_VERSION)
| 0 | ||||||
194 | iv = AES_BLOCK_SIZE; never executed: iv = 16; | 0 | ||||||
195 | - | |||||||
196 | #if defined(STITCHED_CALL) | - | ||||||
197 | if (plen > (sha_off + iv) &&
| 0 | ||||||
198 | (blocks = (plen - (sha_off + iv)) / SHA_CBLOCK)) {
| 0 | ||||||
199 | SHA1_Update(&key->md, in + iv, sha_off); | - | ||||||
200 | - | |||||||
201 | aesni_cbc_sha1_enc(in, out, blocks, &key->ks, | - | ||||||
202 | ctx->iv, &key->md, in + iv + sha_off); | - | ||||||
203 | blocks *= SHA_CBLOCK; | - | ||||||
204 | aes_off += blocks; | - | ||||||
205 | sha_off += blocks; | - | ||||||
206 | key->md.Nh += blocks >> 29; | - | ||||||
207 | key->md.Nl += blocks <<= 3; | - | ||||||
208 | if (key->md.Nl < (unsigned int)blocks)
| 0 | ||||||
209 | key->md.Nh++; never executed: key->md.Nh++; | 0 | ||||||
210 | } else { never executed: end of block | 0 | ||||||
211 | sha_off = 0; | - | ||||||
212 | } never executed: end of block | 0 | ||||||
213 | #endif | - | ||||||
214 | sha_off += iv; | - | ||||||
215 | SHA1_Update(&key->md, in + sha_off, plen - sha_off); | - | ||||||
216 | - | |||||||
217 | if (plen != len) { /* "TLS" mode of operation */
| 0 | ||||||
218 | if (in != out)
| 0 | ||||||
219 | memcpy(out + aes_off, in + aes_off, never executed: memcpy(out + aes_off, in + aes_off, plen - aes_off); | 0 | ||||||
220 | plen - aes_off); never executed: memcpy(out + aes_off, in + aes_off, plen - aes_off); | 0 | ||||||
221 | - | |||||||
222 | /* calculate HMAC and append it to payload */ | - | ||||||
223 | SHA1_Final(out + plen, &key->md); | - | ||||||
224 | key->md = key->tail; | - | ||||||
225 | SHA1_Update(&key->md, out + plen, SHA_DIGEST_LENGTH); | - | ||||||
226 | SHA1_Final(out + plen, &key->md); | - | ||||||
227 | - | |||||||
228 | /* pad the payload|hmac */ | - | ||||||
229 | plen += SHA_DIGEST_LENGTH; | - | ||||||
230 | for (l = len - plen - 1; plen < len; plen++)
| 0 | ||||||
231 | out[plen] = l; never executed: out[plen] = l; | 0 | ||||||
232 | - | |||||||
233 | /* encrypt HMAC|padding at once */ | - | ||||||
234 | aesni_cbc_encrypt(out + aes_off, out + aes_off, | - | ||||||
235 | len - aes_off, &key->ks, ctx->iv, 1); | - | ||||||
236 | } else { never executed: end of block | 0 | ||||||
237 | aesni_cbc_encrypt(in + aes_off, out + aes_off, | - | ||||||
238 | len - aes_off, &key->ks, ctx->iv, 1); | - | ||||||
239 | } never executed: end of block | 0 | ||||||
240 | } else { | - | ||||||
241 | union { | - | ||||||
242 | unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)]; | - | ||||||
243 | unsigned char c[32 + SHA_DIGEST_LENGTH]; | - | ||||||
244 | } mac, *pmac; | - | ||||||
245 | - | |||||||
246 | /* arrange cache line alignment */ | - | ||||||
247 | pmac = (void *)(((size_t)mac.c + 31) & ((size_t)0 - 32)); | - | ||||||
248 | - | |||||||
249 | /* decrypt HMAC|padding at once */ | - | ||||||
250 | aesni_cbc_encrypt(in, out, len, &key->ks, ctx->iv, 0); | - | ||||||
251 | - | |||||||
252 | if (plen) { /* "TLS" mode of operation */
| 0 | ||||||
253 | size_t inp_len, mask, j, i; | - | ||||||
254 | unsigned int res, maxpad, pad, bitlen; | - | ||||||
255 | int ret = 1; | - | ||||||
256 | union { | - | ||||||
257 | unsigned int u[SHA_LBLOCK]; | - | ||||||
258 | unsigned char c[SHA_CBLOCK]; | - | ||||||
259 | } | - | ||||||
260 | *data = (void *)key->md.data; | - | ||||||
261 | - | |||||||
262 | if ((key->aux.tls_aad[plen - 4] << 8 |
| 0 | ||||||
263 | key->aux.tls_aad[plen - 3]) >= TLS1_1_VERSION)
| 0 | ||||||
264 | iv = AES_BLOCK_SIZE; never executed: iv = 16; | 0 | ||||||
265 | - | |||||||
266 | if (len < (iv + SHA_DIGEST_LENGTH + 1))
| 0 | ||||||
267 | return 0; never executed: return 0; | 0 | ||||||
268 | - | |||||||
269 | /* omit explicit iv */ | - | ||||||
270 | out += iv; | - | ||||||
271 | len -= iv; | - | ||||||
272 | - | |||||||
273 | /* figure out payload length */ | - | ||||||
274 | pad = out[len - 1]; | - | ||||||
275 | maxpad = len - (SHA_DIGEST_LENGTH + 1); | - | ||||||
276 | maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); | - | ||||||
277 | maxpad &= 255; | - | ||||||
278 | - | |||||||
279 | ret &= constant_time_ge(maxpad, pad); | - | ||||||
280 | - | |||||||
281 | inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); | - | ||||||
282 | mask = (0 - ((inp_len - len) >> | - | ||||||
283 | (sizeof(inp_len) * 8 - 1))); | - | ||||||
284 | inp_len &= mask; | - | ||||||
285 | ret &= (int)mask; | - | ||||||
286 | - | |||||||
287 | key->aux.tls_aad[plen - 2] = inp_len >> 8; | - | ||||||
288 | key->aux.tls_aad[plen - 1] = inp_len; | - | ||||||
289 | - | |||||||
290 | /* calculate HMAC */ | - | ||||||
291 | key->md = key->head; | - | ||||||
292 | SHA1_Update(&key->md, key->aux.tls_aad, plen); | - | ||||||
293 | - | |||||||
294 | #if 1 | - | ||||||
295 | len -= SHA_DIGEST_LENGTH; /* amend mac */ | - | ||||||
296 | if (len >= (256 + SHA_CBLOCK)) {
| 0 | ||||||
297 | j = (len - (256 + SHA_CBLOCK)) & | - | ||||||
298 | (0 - SHA_CBLOCK); | - | ||||||
299 | j += SHA_CBLOCK - key->md.num; | - | ||||||
300 | SHA1_Update(&key->md, out, j); | - | ||||||
301 | out += j; | - | ||||||
302 | len -= j; | - | ||||||
303 | inp_len -= j; | - | ||||||
304 | } never executed: end of block | 0 | ||||||
305 | - | |||||||
306 | /* but pretend as if we hashed padded payload */ | - | ||||||
307 | bitlen = key->md.Nl + (inp_len << 3); /* at most 18 bits */ | - | ||||||
308 | #ifdef BSWAP | - | ||||||
309 | bitlen = BSWAP(bitlen); | - | ||||||
310 | #else | - | ||||||
311 | mac.c[0] = 0; | - | ||||||
312 | mac.c[1] = (unsigned char)(bitlen >> 16); | - | ||||||
313 | mac.c[2] = (unsigned char)(bitlen >> 8); | - | ||||||
314 | mac.c[3] = (unsigned char)bitlen; | - | ||||||
315 | bitlen = mac.u[0]; | - | ||||||
316 | #endif | - | ||||||
317 | - | |||||||
318 | pmac->u[0] = 0; | - | ||||||
319 | pmac->u[1] = 0; | - | ||||||
320 | pmac->u[2] = 0; | - | ||||||
321 | pmac->u[3] = 0; | - | ||||||
322 | pmac->u[4] = 0; | - | ||||||
323 | - | |||||||
324 | for (res = key->md.num, j = 0; j < len; j++) {
| 0 | ||||||
325 | size_t c = out[j]; | - | ||||||
326 | mask = (j - inp_len) >> (sizeof(j) * 8 - 8); | - | ||||||
327 | c &= mask; | - | ||||||
328 | c |= 0x80 & ~mask & | - | ||||||
329 | ~((inp_len - j) >> (sizeof(j) * 8 - 8)); | - | ||||||
330 | data->c[res++] = (unsigned char)c; | - | ||||||
331 | - | |||||||
332 | if (res != SHA_CBLOCK)
| 0 | ||||||
333 | continue; never executed: continue; | 0 | ||||||
334 | - | |||||||
335 | /* j is not incremented yet */ | - | ||||||
336 | mask = 0 - ((inp_len + 7 - j) >> | - | ||||||
337 | (sizeof(j) * 8 - 1)); | - | ||||||
338 | data->u[SHA_LBLOCK - 1] |= bitlen&mask; | - | ||||||
339 | sha1_block_data_order(&key->md, data, 1); | - | ||||||
340 | mask &= 0 - ((j - inp_len - 72) >> | - | ||||||
341 | (sizeof(j) * 8 - 1)); | - | ||||||
342 | pmac->u[0] |= key->md.h0 & mask; | - | ||||||
343 | pmac->u[1] |= key->md.h1 & mask; | - | ||||||
344 | pmac->u[2] |= key->md.h2 & mask; | - | ||||||
345 | pmac->u[3] |= key->md.h3 & mask; | - | ||||||
346 | pmac->u[4] |= key->md.h4 & mask; | - | ||||||
347 | res = 0; | - | ||||||
348 | } never executed: end of block | 0 | ||||||
349 | - | |||||||
350 | for (i = res; i < SHA_CBLOCK; i++, j++)
| 0 | ||||||
351 | data->c[i] = 0; never executed: data->c[i] = 0; | 0 | ||||||
352 | - | |||||||
353 | if (res > SHA_CBLOCK - 8) {
| 0 | ||||||
354 | mask = 0 - ((inp_len + 8 - j) >> | - | ||||||
355 | (sizeof(j) * 8 - 1)); | - | ||||||
356 | data->u[SHA_LBLOCK - 1] |= bitlen & mask; | - | ||||||
357 | sha1_block_data_order(&key->md, data, 1); | - | ||||||
358 | mask &= 0 - ((j - inp_len - 73) >> | - | ||||||
359 | (sizeof(j) * 8 - 1)); | - | ||||||
360 | pmac->u[0] |= key->md.h0 & mask; | - | ||||||
361 | pmac->u[1] |= key->md.h1 & mask; | - | ||||||
362 | pmac->u[2] |= key->md.h2 & mask; | - | ||||||
363 | pmac->u[3] |= key->md.h3 & mask; | - | ||||||
364 | pmac->u[4] |= key->md.h4 & mask; | - | ||||||
365 | - | |||||||
366 | memset(data, 0, SHA_CBLOCK); | - | ||||||
367 | j += 64; | - | ||||||
368 | } never executed: end of block | 0 | ||||||
369 | data->u[SHA_LBLOCK - 1] = bitlen; | - | ||||||
370 | sha1_block_data_order(&key->md, data, 1); | - | ||||||
371 | mask = 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1)); | - | ||||||
372 | pmac->u[0] |= key->md.h0 & mask; | - | ||||||
373 | pmac->u[1] |= key->md.h1 & mask; | - | ||||||
374 | pmac->u[2] |= key->md.h2 & mask; | - | ||||||
375 | pmac->u[3] |= key->md.h3 & mask; | - | ||||||
376 | pmac->u[4] |= key->md.h4 & mask; | - | ||||||
377 | - | |||||||
378 | #ifdef BSWAP | - | ||||||
379 | pmac->u[0] = BSWAP(pmac->u[0]); | - | ||||||
380 | pmac->u[1] = BSWAP(pmac->u[1]); | - | ||||||
381 | pmac->u[2] = BSWAP(pmac->u[2]); | - | ||||||
382 | pmac->u[3] = BSWAP(pmac->u[3]); | - | ||||||
383 | pmac->u[4] = BSWAP(pmac->u[4]); | - | ||||||
384 | #else | - | ||||||
385 | for (i = 0; i < 5; i++) { | - | ||||||
386 | res = pmac->u[i]; | - | ||||||
387 | pmac->c[4 * i + 0] = (unsigned char)(res >> 24); | - | ||||||
388 | pmac->c[4 * i + 1] = (unsigned char)(res >> 16); | - | ||||||
389 | pmac->c[4 * i + 2] = (unsigned char)(res >> 8); | - | ||||||
390 | pmac->c[4 * i + 3] = (unsigned char)res; | - | ||||||
391 | } | - | ||||||
392 | #endif | - | ||||||
393 | len += SHA_DIGEST_LENGTH; | - | ||||||
394 | #else | - | ||||||
395 | SHA1_Update(&key->md, out, inp_len); | - | ||||||
396 | res = key->md.num; | - | ||||||
397 | SHA1_Final(pmac->c, &key->md); | - | ||||||
398 | - | |||||||
399 | { | - | ||||||
400 | unsigned int inp_blocks, pad_blocks; | - | ||||||
401 | - | |||||||
402 | /* but pretend as if we hashed padded payload */ | - | ||||||
403 | inp_blocks = 1 + ((SHA_CBLOCK - 9 - res) >> | - | ||||||
404 | (sizeof(res) * 8 - 1)); | - | ||||||
405 | res += (unsigned int)(len - inp_len); | - | ||||||
406 | pad_blocks = res / SHA_CBLOCK; | - | ||||||
407 | res %= SHA_CBLOCK; | - | ||||||
408 | pad_blocks += 1 + ((SHA_CBLOCK - 9 - res) >> | - | ||||||
409 | (sizeof(res) * 8 - 1)); | - | ||||||
410 | for (; inp_blocks < pad_blocks; inp_blocks++) | - | ||||||
411 | sha1_block_data_order(&key->md, | - | ||||||
412 | data, 1); | - | ||||||
413 | } | - | ||||||
414 | #endif | - | ||||||
415 | key->md = key->tail; | - | ||||||
416 | SHA1_Update(&key->md, pmac->c, SHA_DIGEST_LENGTH); | - | ||||||
417 | SHA1_Final(pmac->c, &key->md); | - | ||||||
418 | - | |||||||
419 | /* verify HMAC */ | - | ||||||
420 | out += inp_len; | - | ||||||
421 | len -= inp_len; | - | ||||||
422 | #if 1 | - | ||||||
423 | { | - | ||||||
424 | unsigned char *p = | - | ||||||
425 | out + len - 1 - maxpad - SHA_DIGEST_LENGTH; | - | ||||||
426 | size_t off = out - p; | - | ||||||
427 | unsigned int c, cmask; | - | ||||||
428 | - | |||||||
429 | maxpad += SHA_DIGEST_LENGTH; | - | ||||||
430 | for (res = 0, i = 0, j = 0; j < maxpad; j++) {
| 0 | ||||||
431 | c = p[j]; | - | ||||||
432 | cmask = ((int)(j - off - | - | ||||||
433 | SHA_DIGEST_LENGTH)) >> | - | ||||||
434 | (sizeof(int) * 8 - 1); | - | ||||||
435 | res |= (c ^ pad) & ~cmask; /* ... and padding */ | - | ||||||
436 | cmask &= ((int)(off - 1 - j)) >> | - | ||||||
437 | (sizeof(int) * 8 - 1); | - | ||||||
438 | res |= (c ^ pmac->c[i]) & cmask; | - | ||||||
439 | i += 1 & cmask; | - | ||||||
440 | } never executed: end of block | 0 | ||||||
441 | maxpad -= SHA_DIGEST_LENGTH; | - | ||||||
442 | - | |||||||
443 | res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); | - | ||||||
444 | ret &= (int)~res; | - | ||||||
445 | } | - | ||||||
446 | #else | - | ||||||
447 | for (res = 0, i = 0; i < SHA_DIGEST_LENGTH; i++) | - | ||||||
448 | res |= out[i] ^ pmac->c[i]; | - | ||||||
449 | res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); | - | ||||||
450 | ret &= (int)~res; | - | ||||||
451 | - | |||||||
452 | /* verify padding */ | - | ||||||
453 | pad = (pad & ~res) | (maxpad & res); | - | ||||||
454 | out = out + len - 1 - pad; | - | ||||||
455 | for (res = 0, i = 0; i < pad; i++) | - | ||||||
456 | res |= out[i] ^ pad; | - | ||||||
457 | - | |||||||
458 | res = (0 - res) >> (sizeof(res) * 8 - 1); | - | ||||||
459 | ret &= (int)~res; | - | ||||||
460 | #endif | - | ||||||
461 | return ret; never executed: return ret; | 0 | ||||||
462 | } else { | - | ||||||
463 | SHA1_Update(&key->md, out, len); | - | ||||||
464 | } never executed: end of block | 0 | ||||||
465 | } | - | ||||||
466 | - | |||||||
467 | return 1; never executed: return 1; | 0 | ||||||
468 | } | - | ||||||
469 | - | |||||||
470 | static int | - | ||||||
471 | aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) | - | ||||||
472 | { | - | ||||||
473 | EVP_AES_HMAC_SHA1 *key = data(ctx); | - | ||||||
474 | - | |||||||
475 | switch (type) { | - | ||||||
476 | case EVP_CTRL_AEAD_SET_MAC_KEY: never executed: case 0x17: | 0 | ||||||
477 | { | - | ||||||
478 | unsigned int i; | - | ||||||
479 | unsigned char hmac_key[64]; | - | ||||||
480 | - | |||||||
481 | memset(hmac_key, 0, sizeof(hmac_key)); | - | ||||||
482 | - | |||||||
483 | if (arg > (int)sizeof(hmac_key)) {
| 0 | ||||||
484 | SHA1_Init(&key->head); | - | ||||||
485 | SHA1_Update(&key->head, ptr, arg); | - | ||||||
486 | SHA1_Final(hmac_key, &key->head); | - | ||||||
487 | } else { never executed: end of block | 0 | ||||||
488 | memcpy(hmac_key, ptr, arg); | - | ||||||
489 | } never executed: end of block | 0 | ||||||
490 | - | |||||||
491 | for (i = 0; i < sizeof(hmac_key); i++)
| 0 | ||||||
492 | hmac_key[i] ^= 0x36; /* ipad */ never executed: hmac_key[i] ^= 0x36; | 0 | ||||||
493 | SHA1_Init(&key->head); | - | ||||||
494 | SHA1_Update(&key->head, hmac_key, sizeof(hmac_key)); | - | ||||||
495 | - | |||||||
496 | for (i = 0; i < sizeof(hmac_key); i++)
| 0 | ||||||
497 | hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */ never executed: hmac_key[i] ^= 0x36 ^ 0x5c; | 0 | ||||||
498 | SHA1_Init(&key->tail); | - | ||||||
499 | SHA1_Update(&key->tail, hmac_key, sizeof(hmac_key)); | - | ||||||
500 | - | |||||||
501 | explicit_bzero(hmac_key, sizeof(hmac_key)); | - | ||||||
502 | - | |||||||
503 | return 1; never executed: return 1; | 0 | ||||||
504 | } | - | ||||||
505 | case EVP_CTRL_AEAD_TLS1_AAD: never executed: case 0x16: | 0 | ||||||
506 | { | - | ||||||
507 | unsigned char *p = ptr; | - | ||||||
508 | unsigned int len = p[arg - 2] << 8 | p[arg - 1]; | - | ||||||
509 | - | |||||||
510 | if (ctx->encrypt) {
| 0 | ||||||
511 | key->payload_length = len; | - | ||||||
512 | if ((key->aux.tls_ver = p[arg - 4] << 8 |
| 0 | ||||||
513 | p[arg - 3]) >= TLS1_1_VERSION) {
| 0 | ||||||
514 | len -= AES_BLOCK_SIZE; | - | ||||||
515 | p[arg - 2] = len >> 8; | - | ||||||
516 | p[arg - 1] = len; | - | ||||||
517 | } never executed: end of block | 0 | ||||||
518 | key->md = key->head; | - | ||||||
519 | SHA1_Update(&key->md, p, arg); | - | ||||||
520 | - | |||||||
521 | return (int)(((len + SHA_DIGEST_LENGTH + never executed: return (int)(((len + 20 + 16) & -16) - len); | 0 | ||||||
522 | AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) - len); never executed: return (int)(((len + 20 + 16) & -16) - len); | 0 | ||||||
523 | } else { | - | ||||||
524 | if (arg > 13)
| 0 | ||||||
525 | arg = 13; never executed: arg = 13; | 0 | ||||||
526 | memcpy(key->aux.tls_aad, ptr, arg); | - | ||||||
527 | key->payload_length = arg; | - | ||||||
528 | - | |||||||
529 | return SHA_DIGEST_LENGTH; never executed: return 20; | 0 | ||||||
530 | } | - | ||||||
531 | } | - | ||||||
532 | default: never executed: default: | 0 | ||||||
533 | return -1; never executed: return -1; | 0 | ||||||
534 | } | - | ||||||
535 | } | - | ||||||
536 | - | |||||||
537 | static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = { | - | ||||||
538 | #ifdef NID_aes_128_cbc_hmac_sha1 | - | ||||||
539 | .nid = NID_aes_128_cbc_hmac_sha1, | - | ||||||
540 | #else | - | ||||||
541 | .nid = NID_undef, | - | ||||||
542 | #endif | - | ||||||
543 | .block_size = 16, | - | ||||||
544 | .key_len = 16, | - | ||||||
545 | .iv_len = 16, | - | ||||||
546 | .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | | - | ||||||
547 | EVP_CIPH_FLAG_AEAD_CIPHER, | - | ||||||
548 | .init = aesni_cbc_hmac_sha1_init_key, | - | ||||||
549 | .do_cipher = aesni_cbc_hmac_sha1_cipher, | - | ||||||
550 | .ctx_size = sizeof(EVP_AES_HMAC_SHA1), | - | ||||||
551 | .ctrl = aesni_cbc_hmac_sha1_ctrl | - | ||||||
552 | }; | - | ||||||
553 | - | |||||||
554 | static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = { | - | ||||||
555 | #ifdef NID_aes_256_cbc_hmac_sha1 | - | ||||||
556 | .nid = NID_aes_256_cbc_hmac_sha1, | - | ||||||
557 | #else | - | ||||||
558 | .nid = NID_undef, | - | ||||||
559 | #endif | - | ||||||
560 | .block_size = 16, | - | ||||||
561 | .key_len = 32, | - | ||||||
562 | .iv_len = 16, | - | ||||||
563 | .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | | - | ||||||
564 | EVP_CIPH_FLAG_AEAD_CIPHER, | - | ||||||
565 | .init = aesni_cbc_hmac_sha1_init_key, | - | ||||||
566 | .do_cipher = aesni_cbc_hmac_sha1_cipher, | - | ||||||
567 | .ctx_size = sizeof(EVP_AES_HMAC_SHA1), | - | ||||||
568 | .ctrl = aesni_cbc_hmac_sha1_ctrl | - | ||||||
569 | }; | - | ||||||
570 | - | |||||||
571 | const EVP_CIPHER * | - | ||||||
572 | EVP_aes_128_cbc_hmac_sha1(void) | - | ||||||
573 | { | - | ||||||
574 | return (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI) ? executed 625 times by 33 tests: return (OPENSSL_cpu_caps() & (1ULL << (32 + 25))) ? &aesni_128_cbc_hmac_sha1_cipher : ((void *)0) ; Executed by:
| 0-625 | ||||||
575 | &aesni_128_cbc_hmac_sha1_cipher : NULL; executed 625 times by 33 tests: return (OPENSSL_cpu_caps() & (1ULL << (32 + 25))) ? &aesni_128_cbc_hmac_sha1_cipher : ((void *)0) ; Executed by:
| 625 | ||||||
576 | } | - | ||||||
577 | - | |||||||
578 | const EVP_CIPHER * | - | ||||||
579 | EVP_aes_256_cbc_hmac_sha1(void) | - | ||||||
580 | { | - | ||||||
581 | return (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI) ? executed 625 times by 33 tests: return (OPENSSL_cpu_caps() & (1ULL << (32 + 25))) ? &aesni_256_cbc_hmac_sha1_cipher : ((void *)0) ; Executed by:
| 0-625 | ||||||
582 | &aesni_256_cbc_hmac_sha1_cipher : NULL; executed 625 times by 33 tests: return (OPENSSL_cpu_caps() & (1ULL << (32 + 25))) ? &aesni_256_cbc_hmac_sha1_cipher : ((void *)0) ; Executed by:
| 625 | ||||||
583 | } | - | ||||||
584 | #else | - | ||||||
585 | const EVP_CIPHER * | - | ||||||
586 | EVP_aes_128_cbc_hmac_sha1(void) | - | ||||||
587 | { | - | ||||||
588 | return NULL; | - | ||||||
589 | } | - | ||||||
590 | - | |||||||
591 | const EVP_CIPHER * | - | ||||||
592 | EVP_aes_256_cbc_hmac_sha1(void) | - | ||||||
593 | { | - | ||||||
594 | return NULL; | - | ||||||
595 | } | - | ||||||
596 | #endif | - | ||||||
597 | #endif | - | ||||||
Source code | Switch to Preprocessed file |