e_aes_cbc_hmac_sha1.c revision 04ef91b390dfcc6125913e2f2af502d23d7a5112
1392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom/* ==================================================================== 204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved. 3392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 4392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * Redistribution and use in source and binary forms, with or without 5392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * modification, are permitted provided that the following conditions 6392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * are met: 7392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 8392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 1. Redistributions of source code must retain the above copyright 9392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * notice, this list of conditions and the following disclaimer. 10392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 11392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 2. Redistributions in binary form must reproduce the above copyright 12392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * notice, this list of conditions and the following disclaimer in 13392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * the documentation and/or other materials provided with the 14392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * distribution. 15392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 16392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 3. All advertising materials mentioning features or use of this 17392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * software must display the following acknowledgment: 18392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * "This product includes software developed by the OpenSSL Project 19392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * for use in the OpenSSL Toolkit. 
(http://www.OpenSSL.org/)" 20392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 21392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 22392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * endorse or promote products derived from this software without 23392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * prior written permission. For written permission, please contact 24392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * licensing@OpenSSL.org. 25392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 26392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 5. Products derived from this software may not be called "OpenSSL" 27392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * nor may "OpenSSL" appear in their names without prior written 28392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * permission of the OpenSSL Project. 29392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 30392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 6. Redistributions of any form whatsoever must retain the following 31392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * acknowledgment: 32392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * "This product includes software developed by the OpenSSL Project 33392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 34392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 35392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 36392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 37392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 38392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR 39392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 40392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 41392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 42392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 43392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 44392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 45392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 46392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * OF THE POSSIBILITY OF SUCH DAMAGE. 47392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * ==================================================================== 48392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom */ 49392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 50392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/opensslconf.h> 51392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 52392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <stdio.h> 53392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <string.h> 54392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 55392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1) 56392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 57392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/evp.h> 58392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/objects.h> 59392aa7cc7d2b122614c5393c3e357da07fd07af3Brian 
Carlstrom#include <openssl/aes.h> 60392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/sha.h> 61392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include "evp_locl.h" 62392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 63392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifndef EVP_CIPH_FLAG_AEAD_CIPHER 64392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 65392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#define EVP_CTRL_AEAD_TLS1_AAD 0x16 66392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#define EVP_CTRL_AEAD_SET_MAC_KEY 0x17 67392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 68392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 69392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1) 70392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#define EVP_CIPH_FLAG_DEFAULT_ASN1 0 71392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 72392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 73392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#define TLS1_1_VERSION 0x0302 74392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 75392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstromtypedef struct 76392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 77392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom AES_KEY ks; 78392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA_CTX head,tail,md; 79392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom size_t payload_length; /* AAD length in decrypt case */ 80392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom union { 81392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom unsigned int tls_ver; 82392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom unsigned char tls_aad[16]; /* 13 used */ 83392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } aux; 84392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } EVP_AES_HMAC_SHA1; 
85392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 86a1a5710c055e139ea00e785f9eb55b3af3e4dab1Brian Carlstrom#define NO_PAYLOAD_LENGTH ((size_t)-1) 87a1a5710c055e139ea00e785f9eb55b3af3e4dab1Brian Carlstrom 88392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#if defined(AES_ASM) && ( \ 89392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom defined(__x86_64) || defined(__x86_64__) || \ 90392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom defined(_M_AMD64) || defined(_M_X64) || \ 91392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom defined(__INTEL__) ) 92392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 9304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC) 9404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; }) 9504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#endif 9604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 97392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstromextern unsigned int OPENSSL_ia32cap_P[2]; 98392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#define AESNI_CAPABLE (1<<(57-32)) 99392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 100392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstromint aesni_set_encrypt_key(const unsigned char *userKey, int bits, 101392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom AES_KEY *key); 102392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstromint aesni_set_decrypt_key(const unsigned char *userKey, int bits, 103392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom AES_KEY *key); 104392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 105392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstromvoid aesni_cbc_encrypt(const unsigned char *in, 106392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom unsigned char *out, 107392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom size_t length, 
108392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom const AES_KEY *key, 109392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom unsigned char *ivec, int enc); 110392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 111392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstromvoid aesni_cbc_sha1_enc (const void *inp, void *out, size_t blocks, 112392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom const AES_KEY *key, unsigned char iv[16], 113392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA_CTX *ctx,const void *in0); 114392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 115392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data) 116392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 117392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstromstatic int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, 118392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom const unsigned char *inkey, 119392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom const unsigned char *iv, int enc) 120392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 121392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom EVP_AES_HMAC_SHA1 *key = data(ctx); 122392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom int ret; 123392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 124392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (enc) 125392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom ret=aesni_set_encrypt_key(inkey,ctx->key_len*8,&key->ks); 126392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom else 127392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom ret=aesni_set_decrypt_key(inkey,ctx->key_len*8,&key->ks); 128392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 129392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Init(&key->head); /* handy when benchmarking */ 130392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->tail = key->head; 
131392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->md = key->head; 132392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 133a1a5710c055e139ea00e785f9eb55b3af3e4dab1Brian Carlstrom key->payload_length = NO_PAYLOAD_LENGTH; 134392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 135392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom return ret<0?0:1; 136392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 137392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 138392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#define STITCHED_CALL 139392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 140392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#if !defined(STITCHED_CALL) 141392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#define aes_off 0 142392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 143392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 144392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstromvoid sha1_block_data_order (void *c,const void *p,size_t len); 145392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 146392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstromstatic void sha1_update(SHA_CTX *c,const void *data,size_t len) 147392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom{ const unsigned char *ptr = data; 148392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom size_t res; 149392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 150392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if ((res = c->num)) { 151392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom res = SHA_CBLOCK-res; 152392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (len<res) res=len; 153392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Update (c,ptr,res); 154392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom ptr += res; 155392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom len -= res; 156392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 
157392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 158392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom res = len % SHA_CBLOCK; 159392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom len -= res; 160392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 161392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (len) { 162392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sha1_block_data_order(c,ptr,len/SHA_CBLOCK); 163392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 164392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom ptr += len; 165392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom c->Nh += len>>29; 166392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom c->Nl += len<<=3; 167392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (c->Nl<(unsigned int)len) c->Nh++; 168392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 169392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 170392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (res) 171392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Update(c,ptr,res); 172392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom} 173392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 17404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#ifdef SHA1_Update 17504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#undef SHA1_Update 17604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#endif 177392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#define SHA1_Update sha1_update 178392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 179392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstromstatic int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 180392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom const unsigned char *in, size_t len) 181392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 182392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom EVP_AES_HMAC_SHA1 *key = data(ctx); 
183392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom unsigned int l; 184392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom size_t plen = key->payload_length, 185392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom iv = 0, /* explicit IV in TLS 1.1 and later */ 186392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sha_off = 0; 187392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#if defined(STITCHED_CALL) 188392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom size_t aes_off = 0, 189392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom blocks; 190392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 191392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sha_off = SHA_CBLOCK-key->md.num; 192392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 193392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 19404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom key->payload_length = NO_PAYLOAD_LENGTH; 19504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 196392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (len%AES_BLOCK_SIZE) return 0; 197392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 198392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (ctx->encrypt) { 199a1a5710c055e139ea00e785f9eb55b3af3e4dab1Brian Carlstrom if (plen==NO_PAYLOAD_LENGTH) 200392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom plen = len; 201392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom else if (len!=((plen+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE)) 202392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom return 0; 203392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom else if (key->aux.tls_ver >= TLS1_1_VERSION) 204392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom iv = AES_BLOCK_SIZE; 205392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 206392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#if defined(STITCHED_CALL) 207392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if 
(plen>(sha_off+iv) && (blocks=(plen-(sha_off+iv))/SHA_CBLOCK)) { 208392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Update(&key->md,in+iv,sha_off); 209392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 210392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom aesni_cbc_sha1_enc(in,out,blocks,&key->ks, 211392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom ctx->iv,&key->md,in+iv+sha_off); 212392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom blocks *= SHA_CBLOCK; 213392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom aes_off += blocks; 214392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sha_off += blocks; 215392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->md.Nh += blocks>>29; 216392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->md.Nl += blocks<<=3; 217392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (key->md.Nl<(unsigned int)blocks) key->md.Nh++; 218392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } else { 219392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sha_off = 0; 220392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 221392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 222392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sha_off += iv; 223392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Update(&key->md,in+sha_off,plen-sha_off); 224392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 225392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (plen!=len) { /* "TLS" mode of operation */ 226392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (in!=out) 227392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom memcpy(out+aes_off,in+aes_off,plen-aes_off); 228392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 229392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* calculate HMAC and append it to payload */ 230392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Final(out+plen,&key->md); 
231392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->md = key->tail; 232392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Update(&key->md,out+plen,SHA_DIGEST_LENGTH); 233392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Final(out+plen,&key->md); 234392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 235392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* pad the payload|hmac */ 236392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom plen += SHA_DIGEST_LENGTH; 237392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom for (l=len-plen-1;plen<len;plen++) out[plen]=l; 238392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* encrypt HMAC|padding at once */ 239392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom aesni_cbc_encrypt(out+aes_off,out+aes_off,len-aes_off, 240392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom &key->ks,ctx->iv,1); 241392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } else { 242392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom aesni_cbc_encrypt(in+aes_off,out+aes_off,len-aes_off, 243392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom &key->ks,ctx->iv,1); 244392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 245392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } else { 24604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom union { unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)]; 24704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom unsigned char c[SHA_DIGEST_LENGTH]; } mac; 248392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 249392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* decrypt HMAC|padding at once */ 250392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom aesni_cbc_encrypt(in,out,len, 251392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom &key->ks,ctx->iv,0); 252392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 253392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (plen) { /* "TLS" mode of operation 
*/ 25404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom size_t inp_len, mask, j, i; 25504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom unsigned int res, maxpad, pad, bitlen; 25604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom int ret = 1; 25704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom union { unsigned int u[SHA_LBLOCK]; 25804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom unsigned char c[SHA_CBLOCK]; } 25904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom *data = (void *)key->md.data; 260392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 261392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3]) 26204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom >= TLS1_1_VERSION) 263392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom iv = AES_BLOCK_SIZE; 264392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 26504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom if (len<(iv+SHA_DIGEST_LENGTH+1)) 26604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom return 0; 26704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 26804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* omit explicit iv */ 26904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom out += iv; 27004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom len -= iv; 27104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 27204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* figure out payload length */ 27304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom pad = out[len-1]; 27404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom maxpad = len-(SHA_DIGEST_LENGTH+1); 27504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8); 27604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom maxpad &= 255; 27704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 27804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom inp_len = 
len - (SHA_DIGEST_LENGTH+pad+1); 27904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1))); 28004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom inp_len &= mask; 28104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom ret &= (int)mask; 282392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 28304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom key->aux.tls_aad[plen-2] = inp_len>>8; 28404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom key->aux.tls_aad[plen-1] = inp_len; 28504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 28604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* calculate HMAC */ 287392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->md = key->head; 288392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SHA1_Update(&key->md,key->aux.tls_aad,plen); 289392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 29004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#if 1 29104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom len -= SHA_DIGEST_LENGTH; /* amend mac */ 29204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom if (len>=(256+SHA_CBLOCK)) { 29304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK); 29404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom j += SHA_CBLOCK-key->md.num; 29504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom SHA1_Update(&key->md,out,j); 29604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom out += j; 29704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom len -= j; 29804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom inp_len -= j; 29904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 30004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 30104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* but pretend as if we hashed padded payload */ 30204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom bitlen = key->md.Nl+(inp_len<<3); /* at 
most 18 bits */ 30304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.c[0] = 0; 30404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.c[1] = (unsigned char)(bitlen>>16); 30504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.c[2] = (unsigned char)(bitlen>>8); 30604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.c[3] = (unsigned char)bitlen; 30704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom bitlen = mac.u[0]; 30804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 30904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[0]=0; 31004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[1]=0; 31104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[2]=0; 31204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[3]=0; 31304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[4]=0; 31404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 31504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (res=key->md.num, j=0;j<len;j++) { 31604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom size_t c = out[j]; 31704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask = (j-inp_len)>>(sizeof(j)*8-8); 31804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom c &= mask; 31904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8)); 32004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom data->c[res++]=(unsigned char)c; 32104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 32204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom if (res!=SHA_CBLOCK) continue; 32304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 32404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); 32504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom data->u[SHA_LBLOCK-1] |= bitlen&mask; 32604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom sha1_block_data_order(&key->md,data,1); 
32704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); 32804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[0] |= key->md.h0 & mask; 32904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[1] |= key->md.h1 & mask; 33004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[2] |= key->md.h2 & mask; 33104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[3] |= key->md.h3 & mask; 33204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[4] |= key->md.h4 & mask; 33304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res=0; 33404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 33504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 33604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0; 33704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 33804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom if (res>SHA_CBLOCK-8) { 33904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); 34004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom data->u[SHA_LBLOCK-1] |= bitlen&mask; 34104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom sha1_block_data_order(&key->md,data,1); 34204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); 34304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[0] |= key->md.h0 & mask; 34404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[1] |= key->md.h1 & mask; 34504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[2] |= key->md.h2 & mask; 34604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[3] |= key->md.h3 & mask; 34704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[4] |= key->md.h4 & mask; 34804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 34904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom memset(data,0,SHA_CBLOCK); 
35004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom j+=64; 35104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 35204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom data->u[SHA_LBLOCK-1] = bitlen; 35304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom sha1_block_data_order(&key->md,data,1); 35404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1)); 35504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[0] |= key->md.h0 & mask; 35604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[1] |= key->md.h1 & mask; 35704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[2] |= key->md.h2 & mask; 35804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[3] |= key->md.h3 & mask; 35904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[4] |= key->md.h4 & mask; 36004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 36104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#ifdef BSWAP 36204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[0] = BSWAP(mac.u[0]); 36304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[1] = BSWAP(mac.u[1]); 36404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[2] = BSWAP(mac.u[2]); 36504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[3] = BSWAP(mac.u[3]); 36604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.u[4] = BSWAP(mac.u[4]); 36704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#else 36804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (i=0;i<5;i++) { 36904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res = mac.u[i]; 37004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.c[4*i+0]=(unsigned char)(res>>24); 37104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.c[4*i+1]=(unsigned char)(res>>16); 37204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom mac.c[4*i+2]=(unsigned char)(res>>8); 37304ef91b390dfcc6125913e2f2af502d23d7a5112Brian 
Carlstrom mac.c[4*i+3]=(unsigned char)res; 37404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 37504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#endif 37604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom len += SHA_DIGEST_LENGTH; 37704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#else 37804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom SHA1_Update(&key->md,out,inp_len); 37904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res = key->md.num; 38004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom SHA1_Final(mac.c,&key->md); 38104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 38204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom { 38304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom unsigned int inp_blocks, pad_blocks; 38404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 38504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* but pretend as if we hashed padded payload */ 38604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1)); 38704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res += (unsigned int)(len-inp_len); 38804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom pad_blocks = res / SHA_CBLOCK; 38904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res %= SHA_CBLOCK; 39004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1)); 39104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (;inp_blocks<pad_blocks;inp_blocks++) 39204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom sha1_block_data_order(&key->md,data,1); 39304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 39404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#endif 395392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom key->md = key->tail; 39604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH); 
39704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom SHA1_Final(mac.c,&key->md); 39804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 39904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* verify HMAC */ 40004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom out += inp_len; 40104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom len -= inp_len; 40204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#if 1 40304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom { 40404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH; 40504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom size_t off = out-p; 40604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom unsigned int c, cmask; 40704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 40804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom maxpad += SHA_DIGEST_LENGTH; 40904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (res=0,i=0,j=0;j<maxpad;j++) { 41004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom c = p[j]; 41104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1); 41204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res |= (c^pad)&~cmask; /* ... 
and padding */ 41304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1); 41404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res |= (c^mac.c[i])&cmask; 41504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom i += 1&cmask; 41604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 41704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom maxpad -= SHA_DIGEST_LENGTH; 418392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 41904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res = 0-((0-res)>>(sizeof(res)*8-1)); 42004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom ret &= (int)~res; 42104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 42204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#else 42304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++) 42404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res |= out[i]^mac.c[i]; 42504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res = 0-((0-res)>>(sizeof(res)*8-1)); 42604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom ret &= (int)~res; 42704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 42804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* verify padding */ 42904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom pad = (pad&~res) | (maxpad&res); 43004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom out = out+len-1-pad; 43104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom for (res=0,i=0;i<pad;i++) 43204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res |= out[i]^pad; 43304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 43404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom res = (0-res)>>(sizeof(res)*8-1); 43504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom ret &= (int)~res; 43604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom#endif 43704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom return ret; 
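/* (continued) aesni_cbc_hmac_sha1_cipher(): presumably the non-TLS path, a plain SHA-1 update over the buffer */
		} else {
			SHA1_Update(&key->md,out,len);
		}
	}

	return 1;
	}

/*
 * EVP_CIPHER ctrl handler for the stitched AES-CBC + HMAC-SHA1 cipher.
 *
 * EVP_CTRL_AEAD_SET_MAC_KEY: |ptr| holds |arg| bytes of HMAC key. Keys
 *   longer than the 64-byte SHA-1 block are hashed first (as HMAC
 *   specifies); the ipad and opad contexts are precomputed into
 *   key->head and key->tail. Returns 1, or -1 for a negative |arg|.
 * EVP_CTRL_AEAD_TLS1_AAD: |ptr| is the 13-byte TLS record header. On
 *   encrypt it records the payload length (less the AES_BLOCK_SIZE
 *   explicit IV for TLS >= 1.1), absorbs the header into key->md and
 *   returns the number of bytes (MAC + CBC padding) the record grows by.
 *   On decrypt it saves the header in key->aux.tls_aad and returns
 *   SHA_DIGEST_LENGTH. Returns -1 for any |arg| other than 13.
 * Any other |type| returns -1.
 */
static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
	{
	EVP_AES_HMAC_SHA1 *key = data(ctx);

	switch (type)
		{
	case EVP_CTRL_AEAD_SET_MAC_KEY:
		{
		unsigned int  i;
		unsigned char hmac_key[64];

		/* a negative length would reach memcpy() as a huge size_t */
		if (arg < 0)
			return -1;

		memset (hmac_key,0,sizeof(hmac_key));

		if (arg > (int)sizeof(hmac_key)) {
			/* HMAC: a key longer than the block size is replaced by its hash */
			SHA1_Init(&key->head);
			SHA1_Update(&key->head,ptr,arg);
			SHA1_Final(hmac_key,&key->head);
		} else {
			memcpy(hmac_key,ptr,arg);
		}

		for (i=0;i<sizeof(hmac_key);i++)
			hmac_key[i] ^= 0x36;			/* ipad */
		SHA1_Init(&key->head);
		SHA1_Update(&key->head,hmac_key,sizeof(hmac_key));

		/* 0x36^0x5c turns the ipad-masked key into the opad-masked one */
		for (i=0;i<sizeof(hmac_key);i++)
			hmac_key[i] ^= 0x36^0x5c;		/* opad */
		SHA1_Init(&key->tail);
		SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key));

		/* key material must not linger on the stack */
		OPENSSL_cleanse(hmac_key,sizeof(hmac_key));

		return 1;
		}
	case EVP_CTRL_AEAD_TLS1_AAD:
		{
		unsigned char *p=ptr;
		unsigned int   len;

		/* the header is read relative to its end (p[arg-4..arg-1]) and
		 * copied into the fixed-size key->aux.tls_aad, so only the
		 * 13-byte TLS record header is accepted */
		if (arg != 13)
			return -1;

		len = p[arg-2]<<8|p[arg-1];

		if (ctx->encrypt)
			{
			key->payload_length = len;
			if ((key->aux.tls_ver=p[arg-4]<<8|p[arg-3]) >= TLS1_1_VERSION) {
				/* TLS >= 1.1 carries an explicit IV in front of the
				 * payload; the MACed length excludes it, so the
				 * record must be at least that long (no unsigned
				 * underflow into the rewritten length field) */
				if (len < AES_BLOCK_SIZE)
					return 0;
				len -= AES_BLOCK_SIZE;
				p[arg-2] = len>>8;
				p[arg-1] = len;
			}
			key->md = key->head;
			SHA1_Update(&key->md,p,arg);

			/* growth of the record: MAC plus padding up to a block boundary */
			return (int)(((len+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE)
				- len);
			}
		else
			{
			memcpy(key->aux.tls_aad,ptr,arg);
			key->payload_length = arg;

			return SHA_DIGEST_LENGTH;
			}
		}
	default:
		return -1;
		}
	}

/*
 * EVP_CIPHER descriptors. Field order is nid, block_size, key_len,
 * iv_len, flags, init, do_cipher, cleanup, ctx_size,
 * set_asn1_parameters, get_asn1_parameters, ctrl, app_data.
 * EVP_CIPH_FLAG_AEAD_CIPHER lets libssl drive the TLS1_AAD ctrl above.
 */
static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher =
	{
#ifdef NID_aes_128_cbc_hmac_sha1
	NID_aes_128_cbc_hmac_sha1,
#else
	NID_undef,
#endif
	16,16,16,	/* block, key and IV length */
	EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
	aesni_cbc_hmac_sha1_init_key,
	aesni_cbc_hmac_sha1_cipher,
	NULL,
	sizeof(EVP_AES_HMAC_SHA1),
	EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
	EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
	aesni_cbc_hmac_sha1_ctrl,
	NULL
	};

static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher =
	{
#ifdef NID_aes_256_cbc_hmac_sha1
	NID_aes_256_cbc_hmac_sha1,
#else
	NID_undef,
#endif
	16,32,16,	/* block, key and IV length */
	EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_AEAD_CIPHER,
	aesni_cbc_hmac_sha1_init_key,
	aesni_cbc_hmac_sha1_cipher,
	NULL,
	sizeof(EVP_AES_HMAC_SHA1),
	EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_set_asn1_iv,
	EVP_CIPH_FLAG_DEFAULT_ASN1?NULL:EVP_CIPHER_get_asn1_iv,
	aesni_cbc_hmac_sha1_ctrl,
	NULL
	};

/*
 * Public accessors. They return NULL when the CPU does not report
 * AES-NI (OPENSSL_ia32cap_P), so callers must be prepared to fall back
 * to a generic AES-CBC implementation.
 */
const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
	{
	return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
		&aesni_128_cbc_hmac_sha1_cipher:NULL);
	}

const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
	{
	return(OPENSSL_ia32cap_P[1]&AESNI_CAPABLE?
		&aesni_256_cbc_hmac_sha1_cipher:NULL);
	}
#else
/* no AES-NI build: the stitched cipher is unavailable */
const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
	{
	return NULL;
	}
const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
	{
	return NULL;
	}
#endif
#endif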