1392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom/* ==================================================================== 204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved. 3392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 4392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * Redistribution and use in source and binary forms, with or without 5392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * modification, are permitted provided that the following conditions 6392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * are met: 7392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 8392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 1. Redistributions of source code must retain the above copyright 9392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * notice, this list of conditions and the following disclaimer. 10392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 11392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 2. Redistributions in binary form must reproduce the above copyright 12392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * notice, this list of conditions and the following disclaimer in 13392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * the documentation and/or other materials provided with the 14392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * distribution. 15392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 16392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 3. All advertising materials mentioning features or use of this 17392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * software must display the following acknowledgment: 18392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * "This product includes software developed by the OpenSSL Project 19392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * for use in the OpenSSL Toolkit. 
(http://www.OpenSSL.org/)" 20392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 21392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 22392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * endorse or promote products derived from this software without 23392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * prior written permission. For written permission, please contact 24392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * licensing@OpenSSL.org. 25392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 26392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 5. Products derived from this software may not be called "OpenSSL" 27392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * nor may "OpenSSL" appear in their names without prior written 28392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * permission of the OpenSSL Project. 29392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 30392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 6. Redistributions of any form whatsoever must retain the following 31392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * acknowledgment: 32392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * "This product includes software developed by the OpenSSL Project 33392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 34392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 35392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 36392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 37392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 38392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR 39392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 40392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 41392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 42392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 43392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 44392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 45392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 46392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * OF THE POSSIBILITY OF SUCH DAMAGE. 47392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * ==================================================================== 48392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom */ 49392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 50392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/opensslconf.h> 51392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 52392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <stdio.h> 53392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <string.h> 54392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 55392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1) 56392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 57392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/evp.h> 58392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/objects.h> 59392aa7cc7d2b122614c5393c3e357da07fd07af3Brian 
#include <openssl/aes.h>
#include <openssl/sha.h>
#include "evp_locl.h"

/*
 * Fallback definitions so this file still compiles against EVP headers
 * that do not yet declare the AEAD-style flag and ctrl codes.
 * NOTE(review): the values are assumed to match the ones evp.h uses
 * when it does define them -- confirm against the header in use.
 */
#ifndef EVP_CIPH_FLAG_AEAD_CIPHER
#define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
#define EVP_CTRL_AEAD_TLS1_AAD 0x16
#define EVP_CTRL_AEAD_SET_MAC_KEY 0x17
#endif

#if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1)
#define EVP_CIPH_FLAG_DEFAULT_ASN1 0
#endif

/*
 * TLS 1.1 record-layer version.  Records at this version or later carry
 * an explicit IV block in front of the payload, which the cipher routine
 * accounts for by comparing the negotiated version against this value.
 */
#define TLS1_1_VERSION 0x0302

/*
 * Per-context state of the combined AES-CBC + HMAC-SHA1 cipher.  It is
 * stored in EVP_CIPHER_CTX.cipher_data and reached through the data()
 * accessor defined further down.
 */
typedef struct
	{
	AES_KEY ks;			/* AES key schedule; expanded for either
					 * encryption or decryption depending on
					 * the direction the context was
					 * initialised for */
	SHA_CTX head,tail,md;		/* head/tail: starting states of the inner
					 * and outer hash of the HMAC; md: the
					 * working context, reset from head or
					 * tail for each record.  The keyed
					 * (ipad/opad) setup of head/tail is not
					 * in this part of the file -- presumably
					 * done by the EVP_CTRL_AEAD_SET_MAC_KEY
					 * handler. */
	size_t payload_length;		/* AAD length in decrypt case; holds the
					 * NO_PAYLOAD_LENGTH sentinel when no TLS
					 * AAD has been queued, which selects the
					 * plain (non-TLS) mode of operation */
	union {
		unsigned int tls_ver;	/* encrypt side: negotiated record version,
					 * compared against TLS1_1_VERSION to
					 * decide whether an explicit IV is present */
		unsigned char tls_aad[16];	/* 13 used -- decrypt side: TLS MAC
					 * header.  The cipher routine reads the
					 * version from bytes [len-4],[len-3] and
					 * writes the recovered payload length to
					 * [len-2],[len-1].  Being a union, storing
					 * tls_ver overwrites the first AAD bytes
					 * and vice versa; the two fields are
					 * never meant to be live at once. */
	} aux;
	} EVP_AES_HMAC_SHA1;
/* Sentinel for payload_length: no TLS AAD has been queued for the next record. */
#define NO_PAYLOAD_LENGTH	((size_t)-1)

#if defined(AES_ASM) && ( \
	defined(__x86_64)	|| defined(__x86_64__)	|| \
	defined(_M_AMD64)	|| defined(_M_X64)	|| \
	defined(__INTEL__)	)

/*
 * 32-bit byte swap via bswapl.  Only available where GCC statement
 * expressions and inline asm are acceptable; the cipher routine carries
 * a portable fallback under #ifdef BSWAP.
 */
#if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
#endif

/*
 * CPU capability vector (populated elsewhere).  AES-NI is bit 57 of the
 * 64-bit vector, i.e. bit 25 of word [1].
 */
extern unsigned int OPENSSL_ia32cap_P[2];
#define AESNI_CAPABLE	(1<<(57-32))

/* AES-NI key schedule and CBC primitives, implemented in assembly elsewhere. */
int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
			      AES_KEY *key);
int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
			      AES_KEY *key);

void aesni_cbc_encrypt(const unsigned char *in,
			   unsigned char *out,
			   size_t length,
			   const AES_KEY *key,
			   unsigned char *ivec, int enc);

/*
 * Stitched routine: CBC-encrypts and SHA-1-absorbs `blocks` 64-byte units
 * in one pass (per its call site in the cipher routine, which advances
 * both the AES and SHA offsets by blocks*SHA_CBLOCK afterwards).
 */
void aesni_cbc_sha1_enc (const void *inp, void *out, size_t blocks,
			const AES_KEY *key, unsigned char iv[16],
			SHA_CTX *ctx,const void *in0);

/* Per-context state hangs off EVP_CIPHER_CTX.cipher_data. */
#define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)

/*
 * EVP_CIPHER init hook: expand the AES key for the requested direction and
 * reset the three SHA-1 contexts.
 *
 * @param ctx    EVP context; ctx->key_len is in bytes, hence the *8.
 * @param inkey  raw AES key of ctx->key_len bytes.
 * @param iv     not consumed here -- the CBC IV the cipher routine uses is
 *               the one the EVP layer keeps in ctx->iv.
 * @param enc    nonzero selects the encryption schedule, zero decryption.
 * @return 1 on success, 0 when the key-schedule routine reported an error
 *         (a negative return value).
 *
 * Until a MAC key is installed by the ctrl handler (outside this chunk),
 * head and tail are plain unkeyed SHA-1 start states -- "handy when
 * benchmarking", as the original author put it; do not treat the output
 * of such a context as an HMAC.
 */
static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
			const unsigned char *inkey,
			const unsigned char *iv, int enc)
	{
	EVP_AES_HMAC_SHA1 *key = data(ctx);
	const int bits = ctx->key_len*8;
	int rc;

	rc = enc ? aesni_set_encrypt_key(inkey,bits,&key->ks)
		 : aesni_set_decrypt_key(inkey,bits,&key->ks);

	/* One fresh context, copied twice: no MAC key mixed in yet. */
	SHA1_Init(&key->head);
	key->md = key->tail = key->head;

	/* No TLS AAD queued; the next cipher call runs in plain (non-TLS) mode. */
	key->payload_length = NO_PAYLOAD_LENGTH;

	return rc<0 ? 0 : 1;
	}

/*
 * With STITCHED_CALL defined the encrypt path interleaves AES-CBC and SHA-1
 * through aesni_cbc_sha1_enc and tracks a separate AES offset; without it,
 * aes_off is pinned to 0 and the two passes run back to back.
 */
#define STITCHED_CALL

#if !defined(STITCHED_CALL)
#define	aes_off 0
#endif

/* SHA-1 compression routine; the last argument is a count of 64-byte blocks. */
void sha1_block_data_order (void *c,const void *p,size_t len);

/*
 * Fast replacement for SHA1_Update: whole 64-byte blocks go straight to
 * sha1_block_data_order, only the partial head and tail are routed through
 * the library SHA1_Update (the calls below still name the library routine;
 * the #define that redirects SHA1_Update to this function comes after it).
 *
 * The 64-bit bit counter (Nl low, Nh high) is advanced by hand for the
 * blocks hashed directly; a carry out of the 32-bit Nl is detected by
 * comparing Nl against the added value after the addition.
 */
static void sha1_update(SHA_CTX *c,const void *data,size_t len)
{
	const unsigned char *p = data;
	size_t chunk;

	/* Top up a partially filled block first so the bulk part is block aligned. */
	chunk = c->num;
	if (chunk) {
		chunk = SHA_CBLOCK - chunk;
		if (chunk > len) chunk = len;
		SHA1_Update(c, p, chunk);
		p   += chunk;
		len -= chunk;
	}

	/* Split the remainder into whole blocks (len) and a tail (chunk). */
	chunk = len % SHA_CBLOCK;
	len  -= chunk;

	if (len) {
		sha1_block_data_order(c, p, len/SHA_CBLOCK);
		p += len;

		/* Account for the bytes hashed above in the bit counter. */
		c->Nh += len >> 29;
		len  <<= 3;
		c->Nl += len;
		if (c->Nl < (unsigned int)len) c->Nh++;
	}

	if (chunk)
		SHA1_Update(c, p, chunk);
}

/* From here on every SHA1_Update in this file means the fast variant above. */
#ifdef SHA1_Update
#undef SHA1_Update
#endif
#define SHA1_Update sha1_update

/*
 * EVP do_cipher hook.  Processes one record: in encrypt mode it hashes,
 * appends the HMAC and padding and CBC-encrypts; in decrypt mode it
 * decrypts and verifies HMAC and padding in constant time.  The body
 * continues beyond this chunk.
 *
 * NOTE(review): the decrypt branch selects "TLS" mode with `if (plen)`,
 * which is also true for the NO_PAYLOAD_LENGTH sentinel ((size_t)-1), and
 * then indexes key->aux.tls_aad[plen-4].  Confirm that the ctrl handler
 * always sets payload_length before a decrypt call, or test against
 * NO_PAYLOAD_LENGTH as the encrypt branch does.
 */
static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
		      const unsigned char *in, size_t len)
	{
	EVP_AES_HMAC_SHA1 *key = data(ctx);
183392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom unsigned int l; 184392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom size_t plen = key->payload_length, 185392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom iv = 0, /* explicit IV in TLS 1.1 and later */ 186392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sha_off = 0; 187392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#if defined(STITCHED_CALL) 188392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom size_t aes_off = 0, 189392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom blocks; 190392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 191392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sha_off = SHA_CBLOCK-key->md.num; 192392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 193392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 19404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom key->payload_length = NO_PAYLOAD_LENGTH; 19504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 196392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (len%AES_BLOCK_SIZE) return 0; 197392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 198392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (ctx->encrypt) { 199a1a5710c055e139ea00e785f9eb55b3af3e4dab1Brian Carlstrom if (plen==NO_PAYLOAD_LENGTH) 200392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom plen = len; 201392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom else if (len!=((plen+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE)) 202392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom return 0; 203392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom else if (key->aux.tls_ver >= TLS1_1_VERSION) 204392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom iv = AES_BLOCK_SIZE; 205392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 206392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#if defined(STITCHED_CALL) 207392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if 
(plen>(sha_off+iv) && (blocks=(plen-(sha_off+iv))/SHA_CBLOCK)) { 208392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Update(&key->md,in+iv,sha_off); 209392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 210392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom aesni_cbc_sha1_enc(in,out,blocks,&key->ks, 211392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom ctx->iv,&key->md,in+iv+sha_off); 212392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom blocks *= SHA_CBLOCK; 213392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom aes_off += blocks; 214392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sha_off += blocks; 215392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->md.Nh += blocks>>29; 216392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->md.Nl += blocks<<=3; 217392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (key->md.Nl<(unsigned int)blocks) key->md.Nh++; 218392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } else { 219392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sha_off = 0; 220392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 221392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 222392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sha_off += iv; 223392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Update(&key->md,in+sha_off,plen-sha_off); 224392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 225392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (plen!=len) { /* "TLS" mode of operation */ 226392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (in!=out) 227392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom memcpy(out+aes_off,in+aes_off,plen-aes_off); 228392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 229392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* calculate HMAC and append it to payload */ 230392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Final(out+plen,&key->md); 
231392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->md = key->tail; 232392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Update(&key->md,out+plen,SHA_DIGEST_LENGTH); 233392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Final(out+plen,&key->md); 234392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 235392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* pad the payload|hmac */ 236392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom plen += SHA_DIGEST_LENGTH; 237392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom for (l=len-plen-1;plen<len;plen++) out[plen]=l; 238392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* encrypt HMAC|padding at once */ 239392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom aesni_cbc_encrypt(out+aes_off,out+aes_off,len-aes_off, 240392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom &key->ks,ctx->iv,1); 241392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } else { 242392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom aesni_cbc_encrypt(in+aes_off,out+aes_off,len-aes_off, 243392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom &key->ks,ctx->iv,1); 244392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 245392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } else { 24604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom union { unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)]; 247eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom unsigned char c[32+SHA_DIGEST_LENGTH]; } mac, *pmac; 248eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom 249eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom /* arrange cache line alignment */ 250eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac = (void *)(((size_t)mac.c+31)&((size_t)0-32)); 251392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 252392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* decrypt HMAC|padding at once */ 253392aa7cc7d2b122614c5393c3e357da07fd07af3Brian 
Carlstrom aesni_cbc_encrypt(in,out,len, 254392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom &key->ks,ctx->iv,0); 255392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 256392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (plen) { /* "TLS" mode of operation */ 25704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom size_t inp_len, mask, j, i; 25804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom unsigned int res, maxpad, pad, bitlen; 25904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom int ret = 1; 26004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom union { unsigned int u[SHA_LBLOCK]; 26104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom unsigned char c[SHA_CBLOCK]; } 26204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom *data = (void *)key->md.data; 263392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 264392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3]) 26504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom >= TLS1_1_VERSION) 266392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom iv = AES_BLOCK_SIZE; 267392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 26804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom if (len<(iv+SHA_DIGEST_LENGTH+1)) 26904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom return 0; 27004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 27104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* omit explicit iv */ 27204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom out += iv; 27304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom len -= iv; 27404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 27504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* figure out payload length */ 27604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom pad = out[len-1]; 27704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom maxpad = len-(SHA_DIGEST_LENGTH+1); 
27804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8); 27904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom maxpad &= 255; 28004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 28104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom inp_len = len - (SHA_DIGEST_LENGTH+pad+1); 28204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1))); 28304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom inp_len &= mask; 28404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom ret &= (int)mask; 285392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 28604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom key->aux.tls_aad[plen-2] = inp_len>>8; 28704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom key->aux.tls_aad[plen-1] = inp_len; 28804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 28904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* calculate HMAC */ 290392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->md = key->head; 291392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Update(&key->md,key->aux.tls_aad,plen); 292392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 29304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#if 1 29404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom len -= SHA_DIGEST_LENGTH; /* amend mac */ 29504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom if (len>=(256+SHA_CBLOCK)) { 29604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK); 29704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom j += SHA_CBLOCK-key->md.num; 29804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom SHA1_Update(&key->md,out,j); 29904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom out += j; 30004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom len -= j; 30104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom inp_len -= j; 
30204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 30304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 30404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* but pretend as if we hashed padded payload */ 30504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom bitlen = key->md.Nl+(inp_len<<3); /* at most 18 bits */ 306eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom#ifdef BSWAP 307eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom bitlen = BSWAP(bitlen); 308eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom#else 30904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.c[0] = 0; 31004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.c[1] = (unsigned char)(bitlen>>16); 31104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.c[2] = (unsigned char)(bitlen>>8); 31204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.c[3] = (unsigned char)bitlen; 31304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom bitlen = mac.u[0]; 314eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom#endif 31504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 316eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[0]=0; 317eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[1]=0; 318eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[2]=0; 319eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[3]=0; 320eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[4]=0; 32104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 32204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (res=key->md.num, j=0;j<len;j++) { 32304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom size_t c = out[j]; 32404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask = (j-inp_len)>>(sizeof(j)*8-8); 32504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom c &= mask; 32604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8)); 
32704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom data->c[res++]=(unsigned char)c; 32804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 32904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom if (res!=SHA_CBLOCK) continue; 33004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 331ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root /* j is not incremented yet */ 332ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1)); 33304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom data->u[SHA_LBLOCK-1] |= bitlen&mask; 33404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom sha1_block_data_order(&key->md,data,1); 335ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1)); 336eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[0] |= key->md.h0 & mask; 337eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[1] |= key->md.h1 & mask; 338eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[2] |= key->md.h2 & mask; 339eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[3] |= key->md.h3 & mask; 340eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[4] |= key->md.h4 & mask; 34104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res=0; 34204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 34304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 34404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0; 34504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 34604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom if (res>SHA_CBLOCK-8) { 34704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); 34804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom data->u[SHA_LBLOCK-1] |= bitlen&mask; 34904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom sha1_block_data_order(&key->md,data,1); 
35004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); 351eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[0] |= key->md.h0 & mask; 352eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[1] |= key->md.h1 & mask; 353eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[2] |= key->md.h2 & mask; 354eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[3] |= key->md.h3 & mask; 355eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[4] |= key->md.h4 & mask; 35604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 35704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom memset(data,0,SHA_CBLOCK); 35804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom j+=64; 35904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 36004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom data->u[SHA_LBLOCK-1] = bitlen; 36104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom sha1_block_data_order(&key->md,data,1); 36204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1)); 363eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[0] |= key->md.h0 & mask; 364eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[1] |= key->md.h1 & mask; 365eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[2] |= key->md.h2 & mask; 366eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[3] |= key->md.h3 & mask; 367eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[4] |= key->md.h4 & mask; 36804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 36904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#ifdef BSWAP 370eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[0] = BSWAP(pmac->u[0]); 371eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[1] = BSWAP(pmac->u[1]); 372eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[2] = BSWAP(pmac->u[2]); 
373eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[3] = BSWAP(pmac->u[3]); 374eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->u[4] = BSWAP(pmac->u[4]); 37504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#else 37604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (i=0;i<5;i++) { 377eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom res = pmac->u[i]; 378eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->c[4*i+0]=(unsigned char)(res>>24); 379eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->c[4*i+1]=(unsigned char)(res>>16); 380eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->c[4*i+2]=(unsigned char)(res>>8); 381eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom pmac->c[4*i+3]=(unsigned char)res; 38204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 38304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#endif 38404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom len += SHA_DIGEST_LENGTH; 38504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#else 38604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom SHA1_Update(&key->md,out,inp_len); 38704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res = key->md.num; 388eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom SHA1_Final(pmac->c,&key->md); 38904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 39004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom { 39104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom unsigned int inp_blocks, pad_blocks; 39204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 39304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* but pretend as if we hashed padded payload */ 39404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1)); 39504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res += (unsigned int)(len-inp_len); 39604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom pad_blocks = res 
/ SHA_CBLOCK; 39704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res %= SHA_CBLOCK; 39804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1)); 39904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (;inp_blocks<pad_blocks;inp_blocks++) 40004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom sha1_block_data_order(&key->md,data,1); 40104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 40204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#endif 403392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->md = key->tail; 404eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom SHA1_Update(&key->md,pmac->c,SHA_DIGEST_LENGTH); 405eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom SHA1_Final(pmac->c,&key->md); 40604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 40704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* verify HMAC */ 40804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom out += inp_len; 40904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom len -= inp_len; 41004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#if 1 41104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom { 41204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH; 41304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom size_t off = out-p; 41404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom unsigned int c, cmask; 41504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 41604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom maxpad += SHA_DIGEST_LENGTH; 41704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (res=0,i=0,j=0;j<maxpad;j++) { 41804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom c = p[j]; 41904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1); 42004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res |= 
(c^pad)&~cmask; /* ... and padding */ 42104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1); 422eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom res |= (c^pmac->c[i])&cmask; 42304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom i += 1&cmask; 42404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 42504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom maxpad -= SHA_DIGEST_LENGTH; 426392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 42704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res = 0-((0-res)>>(sizeof(res)*8-1)); 42804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom ret &= (int)~res; 42904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 43004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#else 43104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++) 432eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom res |= out[i]^pmac->c[i]; 43304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res = 0-((0-res)>>(sizeof(res)*8-1)); 43404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom ret &= (int)~res; 43504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 43604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* verify padding */ 43704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom pad = (pad&~res) | (maxpad&res); 43804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom out = out+len-1-pad; 43904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (res=0,i=0;i<pad;i++) 44004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res |= out[i]^pad; 44104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 44204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res = (0-res)>>(sizeof(res)*8-1); 44304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom ret &= (int)~res; 44404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#endif 44504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 
/* Tail of aesni_cbc_hmac_sha1_cipher(); the function starts above this view.
 * The TLS decrypt path above returns its constant-time MAC/padding
 * verification result in ret; the non-TLS path only feeds the data to the
 * running digest. */
			return ret;
		} else {
			SHA1_Update(&key->md,out,len);
		}
	}

	return 1;
	}

/*
 * EVP ctrl handler for the stitched AES-CBC + HMAC-SHA1 cipher.
 *
 * ctx   cipher context; its private data is an EVP_AES_HMAC_SHA1
 * type  EVP_CTRL_AEAD_SET_MAC_KEY or EVP_CTRL_AEAD_TLS1_AAD
 * arg   length in bytes of the buffer at ptr
 * ptr   the MAC key, or the TLS record header (AAD) to process
 *
 * Returns 1 after installing a MAC key; for AAD on the encrypt side, the
 * number of bytes the record will grow by (MAC plus padding); for AAD on
 * the decrypt side, SHA_DIGEST_LENGTH; and -1 for any other ctrl type.
 */
static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
	{
	EVP_AES_HMAC_SHA1 *key = data(ctx);

	switch (type)
		{
	case EVP_CTRL_AEAD_SET_MAC_KEY:
		{
		unsigned int  i;
		unsigned char hmac_key[64];

		/* HMAC key block, zero-padded to the 64-byte SHA-1 block size. */
		memset (hmac_key,0,sizeof(hmac_key));

		if (arg > (int)sizeof(hmac_key)) {
			/* Keys longer than one block are first reduced to their
			 * SHA-1 digest, as HMAC prescribes. */
			SHA1_Init(&key->head);
			SHA1_Update(&key->head,ptr,arg);
			SHA1_Final(hmac_key,&key->head);
		} else {
			/* NOTE(review): a negative arg passes the test above and is
			 * converted to a huge size_t here -- confirm callers never
			 * pass one. */
			memcpy(hmac_key,ptr,arg);
		}

		/* Precompute the inner hash state over (key ^ ipad) ... */
		for (i=0;i<sizeof(hmac_key);i++)
			hmac_key[i] ^= 0x36;		/* ipad */
		SHA1_Init(&key->head);
		SHA1_Update(&key->head,hmac_key,sizeof(hmac_key));

		/* ... and the outer hash state over (key ^ opad); XORing with
		 * 0x36^0x5c turns key^0x36 into key^0x5c in place. */
		for (i=0;i<sizeof(hmac_key);i++)
			hmac_key[i] ^= 0x36^0x5c;	/* opad */
		SHA1_Init(&key->tail);
		SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key));

		/* Wipe the key material; a plain memset could be optimized away. */
		OPENSSL_cleanse(hmac_key,sizeof(hmac_key));

		return 1;
		}
	case EVP_CTRL_AEAD_TLS1_AAD:
		{
		unsigned char *p=ptr;
		/* The last two AAD bytes carry the record length, big-endian. */
		unsigned int   len=p[arg-2]<<8|p[arg-1];
		/* NOTE(review): arg is not validated; with arg < 4 the indexes in
		 * this case read before p. The decrypt branch clamps arg to 13 for
		 * its copy, the encrypt branch hashes arg bytes as given -- confirm
		 * callers always pass the full 13-byte TLS AAD. */

		if (ctx->encrypt)
			{
			key->payload_length = len;
			/* Bytes arg-4..arg-3 hold the protocol version. From TLS 1.1 on
			 * the length is reduced by one cipher block and written back into
			 * the AAD -- presumably because the record carries an explicit IV
			 * block that is not part of the MACed payload; confirm against
			 * the cipher routine. */
			if ((key->aux.tls_ver=p[arg-4]<<8|p[arg-3]) >= TLS1_1_VERSION) {
				len -= AES_BLOCK_SIZE;
				p[arg-2] = len>>8;
				p[arg-1] = len;
			}
			/* Start this record's inner hash from the precomputed ipad state. */
			key->md = key->head;
			SHA1_Update(&key->md,p,arg);

			/* Bytes added by MAC plus padding: round len+MAC+(1..16) up to a
			 * whole block and subtract the payload length. */
			return (int)(((len+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE)
				- len);
			}
		else
			{
			/* Decrypt side: stash at most 13 AAD bytes for the cipher
			 * routine; payload_length records how many were kept. */
			if (arg>13) arg = 13;
			memcpy(key->aux.tls_aad,ptr,arg);
			key->payload_length = arg;

			return SHA_DIGEST_LENGTH;
			}
		}
	default:
		return -1;
		}
	}

/* EVP_CIPHER descriptor for AES-128-CBC with HMAC-SHA1. Positional fields:
 * nid, block size, key length, IV length, flags, init, do_cipher, cleanup,
 * ctx size, ASN.1 set/get parameters, ctrl, app_data. The NID is only
 * available when the objects table defines it. */
static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher =
	{
#ifdef NID_aes_128_cbc_hmac_sha1
	NID_aes_128_cbc_hmac_sha1,
#else
	NID_undef,
#endif
	16,16,16,
	EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
	aesni_cbc_hmac_sha1_init_key,
	aesni_cbc_hmac_sha1_cipher,
	NULL,
	sizeof(EVP_AES_HMAC_SHA1),
	EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
	EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
	aesni_cbc_hmac_sha1_ctrl,
	NULL
	};

/* Same descriptor for AES-256-CBC with HMAC-SHA1; only the NID and the
 * 32-byte key length differ. */
static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher =
	{
#ifdef NID_aes_256_cbc_hmac_sha1
	NID_aes_256_cbc_hmac_sha1,
#else
	NID_undef,
#endif
	16,32,16,
	EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
	aesni_cbc_hmac_sha1_init_key,
	aesni_cbc_hmac_sha1_cipher,
	NULL,
	sizeof(EVP_AES_HMAC_SHA1),
	EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
	EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
	aesni_cbc_hmac_sha1_ctrl,
	NULL
	};

/* Public accessor: returns the AES-128 stitched cipher only when the
 * AESNI_CAPABLE bit is set in the CPU capability word, NULL otherwise, so
 * callers must handle NULL. */
const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
	{
	return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
		&aesni_128_cbc_hmac_sha1_cipher:NULL);
	}

/* Public accessor for the AES-256 variant; same capability gate as above. */
const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
	{
	return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
		&aesni_256_cbc_hmac_sha1_cipher:NULL);
	}
#else
/* Fallback when the enclosing #if (above this view; presumably the AES-NI
 * assembly build condition) is false: the stitched ciphers are unavailable
 * and both accessors report that with NULL. */
const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
	{
	return NULL;
	}
const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
	{
	return NULL;
	}
#endif
#endif