1 /* ====================================================================
2 * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the OpenSSL Project
19 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
24 * licensing@OpenSSL.org.
26 * 5. Products derived from this software may not be called "OpenSSL"
27 * nor may "OpenSSL" appear in their names without prior written
28 * permission of the OpenSSL Project.
30 * 6. Redistributions of any form whatsoever must retain the following
32 * "This product includes software developed by the OpenSSL Project
33 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ====================================================================
50 #include <openssl/opensslconf.h>
55 #if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1)
57 #include <openssl/evp.h>
58 #include <openssl/objects.h>
59 #include <openssl/aes.h>
60 #include <openssl/sha.h>
63 #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
64 #define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
65 #define EVP_CTRL_AEAD_TLS1_AAD 0x16
66 #define EVP_CTRL_AEAD_SET_MAC_KEY 0x17
69 #if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1)
70 #define EVP_CIPH_FLAG_DEFAULT_ASN1 0
73 #define TLS1_1_VERSION 0x0302
79 size_t payload_length
; /* AAD length in decrypt case */
82 unsigned char tls_aad
[16]; /* 13 used */
86 #define NO_PAYLOAD_LENGTH ((size_t)-1)
88 #if defined(AES_ASM) && ( \
89 defined(__x86_64) || defined(__x86_64__) || \
90 defined(_M_AMD64) || defined(_M_X64) || \
93 #if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
94 # define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
/*
 * CPUID feature vector cached by the ia32 cpuid probe.  AESNI_CAPABLE is
 * bit 57 of that 64-bit vector, i.e. bit 25 of the second word, which is
 * why the accessors below test OPENSSL_ia32cap_P[1].
 */
97 extern unsigned int OPENSSL_ia32cap_P
[2];
98 #define AESNI_CAPABLE (1<<(57-32))
/*
 * AES-NI assembly entry points (trailing parameters of these prototypes
 * are not on this page).  Key lengths are given in bits.
 */
100 int aesni_set_encrypt_key(const unsigned char *userKey
, int bits
,
102 int aesni_set_decrypt_key(const unsigned char *userKey
, int bits
,
/* plain CBC in either direction, selected by 'enc' */
105 void aesni_cbc_encrypt(const unsigned char *in
,
109 unsigned char *ivec
, int enc
);
/*
 * The "stitched" routine: CBC-encrypts 'blocks' 64-byte units of inp into
 * out under key/iv while, in the same loop, feeding in0 into the SHA-1
 * context 'ctx' (see its use in the cipher routine, where in0 is the
 * plaintext one SHA block behind the encryption).
 */
111 void aesni_cbc_sha1_enc (const void *inp
, void *out
, size_t blocks
,
112 const AES_KEY
*key
, unsigned char iv
[16],
113 SHA_CTX
*ctx
,const void *in0
);
115 #define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)
/*
 * EVP init hook for the AES-CBC/HMAC-SHA1 stitched cipher.
 *
 * inkey  AES key, ctx->key_len bytes (converted to bits for AES-NI).
 * iv     not referenced on the visible lines; IV handling is left to the
 *        EVP layer / the cipher routine.
 * enc    direction.  The two key-expansion calls below are presumably the
 *        two arms of an if (enc) / else -- those lines, the declaration of
 *        'ret' and the final return are not on this page.
 *
 * The HMAC key is NOT set here; it arrives later through the
 * EVP_CTRL_AEAD_SET_MAC_KEY control in aesni_cbc_hmac_sha1_ctrl.
 */
117 static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX
*ctx
,
118 const unsigned char *inkey
,
119 const unsigned char *iv
, int enc
)
121 EVP_AES_HMAC_SHA1
*key
= data(ctx
);
/* encrypt-direction round keys into key->ks */
125 ret
=aesni_set_encrypt_key(inkey
,ctx
->key_len
*8,&key
->ks
);
/* decrypt-direction round keys into key->ks */
127 ret
=aesni_set_decrypt_key(inkey
,ctx
->key_len
*8,&key
->ks
);
/*
 * Unkeyed SHA-1 state in head, mirrored into tail, so the cipher can be
 * exercised (benchmarked) before a MAC key has been installed.
 */
129 SHA1_Init(&key
->head
); /* handy when benchmarking */
130 key
->tail
= key
->head
;
/*
 * No TLS record length known yet: until the AAD control is issued the
 * cipher routine treats calls as plain CBC (see its NO_PAYLOAD_LENGTH test).
 */
133 key
->payload_length
= NO_PAYLOAD_LENGTH
;
138 #define STITCHED_CALL
140 #if !defined(STITCHED_CALL)
/* raw SHA-1 compression function: absorbs 'len' whole 64-byte blocks from p */
144 void sha1_block_data_order (void *c
,const void *p
,size_t len
);
/*
 * Leaner SHA1_Update used only when the stitched AES/SHA-1 call is NOT
 * compiled in (this sits under #if !defined(STITCHED_CALL); STITCHED_CALL
 * is defined just above, so on this build the function is compiled out).
 *
 * Whole blocks are passed straight to sha1_block_data_order and the 64-bit
 * bit counter (Nl/Nh) is advanced by hand; the real SHA1_Update is used
 * only for the partial block at the head and the leftover at the tail.
 * Several lines of the body (the declaration of 'res', the ptr/len
 * advances, braces) are not on this page.
 */
146 static void sha1_update(SHA_CTX
*c
,const void *data
,size_t len
)
147 { const unsigned char *ptr
= data
;
/* first complete the partially filled block already buffered in c */
150 if ((res
= c
->num
)) {
151 res
= SHA_CBLOCK
-res
;
152 if (len
<res
) res
=len
;
153 SHA1_Update (c
,ptr
,res
);
/* bytes that will be left over after the whole blocks */
158 res
= len
% SHA_CBLOCK
;
/* bulk: whole blocks directly into the compression function */
162 sha1_block_data_order(c
,ptr
,len
/SHA_CBLOCK
);
/* carry from the low into the high word of the bit counter */
167 if (c
->Nl
<(unsigned int)len
) c
->Nh
++;
/* buffer the remainder through the ordinary update */
171 SHA1_Update(c
,ptr
,res
);
177 #define SHA1_Update sha1_update
/*
 * EVP cipher entry point: AES-CBC with HMAC-SHA1 stitched in.
 *
 * The mode is chosen by key->payload_length as left by the AAD control:
 *   NO_PAYLOAD_LENGTH  plain AES-CBC over 'len' bytes.
 *   otherwise ("TLS")  encrypt: 'in' holds payload_length bytes of
 *                      plaintext and 'len' is the full record size
 *                      (payload | 20-byte MAC | CBC padding, rounded up to
 *                      a block); the MAC is computed, appended, padded and
 *                      the whole record CBC-encrypted.
 *                      decrypt: payload_length is the AAD length; the
 *                      record is decrypted and padding and MAC are checked
 *                      at a cost that does not depend on where the padding
 *                      starts or which byte is wrong.
 * Returns 0 on a malformed length.  The remaining return paths, the
 * encrypt/decrypt split, the #else arms of the STITCHED_CALL and "#if 1"
 * alternatives, and the declarations of ret/aes_off/blocks/off/l are not
 * on this page.
 */
179 static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
180 const unsigned char *in
, size_t len
)
182 EVP_AES_HMAC_SHA1
*key
= data(ctx
);
184 size_t plen
= key
->payload_length
,
185 iv
= 0, /* explicit IV in TLS 1.1 and later */
187 #if defined(STITCHED_CALL)
/* bytes needed to bring the SHA-1 buffer to a block boundary */
191 sha_off
= SHA_CBLOCK
-key
->md
.num
;
/* one-shot: the AAD control must be issued again for the next record */
194 key
->payload_length
= NO_PAYLOAD_LENGTH
;
/* CBC only handles whole blocks; reject anything else before touching data */
196 if (len
%AES_BLOCK_SIZE
) return 0;
/*
 * NO_PAYLOAD_LENGTH -> plain CBC (plen becomes len); otherwise the buffer
 * must be exactly payload|mac|padding rounded up to a block, and TLS >= 1.1
 * records carry an explicit IV block in front.  The statements on the
 * three arms are not on this page.
 */
199 if (plen
==NO_PAYLOAD_LENGTH
)
201 else if (len
!=((plen
+SHA_DIGEST_LENGTH
+AES_BLOCK_SIZE
)&-AES_BLOCK_SIZE
))
203 else if (key
->aux
.tls_ver
>= TLS1_1_VERSION
)
/* ---- encrypt half: hash and encrypt the payload in one pass ---- */
206 #if defined(STITCHED_CALL)
/*
 * Stitched path: first hash sha_off bytes so the SHA-1 buffer is block
 * aligned, then let the assembly routine encrypt 'blocks' 64-byte blocks
 * while hashing the plaintext that starts sha_off bytes later.
 */
207 if (plen
>(sha_off
+iv
) && (blocks
=(plen
-(sha_off
+iv
))/SHA_CBLOCK
)) {
208 SHA1_Update(&key
->md
,in
+iv
,sha_off
);
210 aesni_cbc_sha1_enc(in
,out
,blocks
,&key
->ks
,
211 ctx
->iv
,&key
->md
,in
+iv
+sha_off
);
212 blocks
*= SHA_CBLOCK
;
/*
 * The stitched routine evidently leaves the SHA-1 length counters alone:
 * advance Nl/Nh (bit count) here exactly as SHA1_Update would, carry
 * included.
 */
215 key
->md
.Nh
+= blocks
>>29;
216 key
->md
.Nl
+= blocks
<<=3;
217 if (key
->md
.Nl
<(unsigned int)blocks
) key
->md
.Nh
++;
/* whatever the stitched loop did not cover */
223 SHA1_Update(&key
->md
,in
+sha_off
,plen
-sha_off
);
/* TLS mode: finish the MAC, build mac|padding in place, encrypt it */
225 if (plen
!=len
) { /* "TLS" mode of operation */
/* plaintext tail not yet copied to out (aes_off bookkeeping not on this page) */
227 memcpy(out
+aes_off
,in
+aes_off
,plen
-aes_off
);
229 /* calculate HMAC and append it to payload */
230 SHA1_Final(out
+plen
,&key
->md
);
/*
 * Outer HMAC pass over the inner digest.  The reset of key->md to the
 * opad state (key->tail) that must precede this is on a line not on this
 * page.
 */
232 SHA1_Update(&key
->md
,out
+plen
,SHA_DIGEST_LENGTH
);
233 SHA1_Final(out
+plen
,&key
->md
);
235 /* pad the payload|hmac */
236 plen
+= SHA_DIGEST_LENGTH
;
/* TLS CBC padding: every pad byte, including the last, holds the pad length */
237 for (l
=len
-plen
-1;plen
<len
;plen
++) out
[plen
]=l
;
238 /* encrypt HMAC|padding at once */
239 aesni_cbc_encrypt(out
+aes_off
,out
+aes_off
,len
-aes_off
,
/* non-TLS: ordinary CBC over the remaining bytes */
242 aesni_cbc_encrypt(in
+aes_off
,out
+aes_off
,len
-aes_off
,
/* ---- decrypt half: decrypt everything, then check padding and MAC ---- */
/*
 * Candidate digest buffer.  mac.c is 32+20 bytes so that a 32-byte aligned
 * 20-byte window always fits; pmac is that window.  Keeping it inside one
 * cache line is presumably meant to keep the masked stores below from
 * leaking through cache timing.
 */
246 union { unsigned int u
[SHA_DIGEST_LENGTH
/sizeof(unsigned int)];
247 unsigned char c
[32+SHA_DIGEST_LENGTH
]; } mac
, *pmac
;
249 /* arrange cache line alignment */
250 pmac
= (void *)(((size_t)mac
.c
+31)&((size_t)0-32));
252 /* decrypt HMAC|padding at once */
253 aesni_cbc_encrypt(in
,out
,len
,
/* plen != 0 means the AAD control was issued: this is a TLS record */
256 if (plen
) { /* "TLS" mode of operation */
257 size_t inp_len
, mask
, j
, i
;
258 unsigned int res
, maxpad
, pad
, bitlen
;
/* the SHA-1 context's own block buffer, reused as scratch below */
260 union { unsigned int u
[SHA_LBLOCK
];
261 unsigned char c
[SHA_CBLOCK
]; }
262 *data
= (void *)key
->md
.data
;
/*
 * Version bytes of the stored AAD decide whether an explicit IV block
 * precedes the data (the comparison's continuation is not on this page).
 */
264 if ((key
->aux
.tls_aad
[plen
-4]<<8|key
->aux
.tls_aad
[plen
-3])
/* shortest valid record: [iv] + MAC + one padding-length byte (the failure return is not on this page) */
268 if (len
<(iv
+SHA_DIGEST_LENGTH
+1))
271 /* omit explicit iv */
275 /* figure out payload length */
/*
 * maxpad = min(len-21, 255) without a branch: the second statement ORs
 * 0xff into maxpad exactly when len-21 exceeds 255 (the following
 * "maxpad &= 255" is not on this page).
 */
277 maxpad
= len
-(SHA_DIGEST_LENGTH
+1);
278 maxpad
|= (255-maxpad
)>>(sizeof(maxpad
)*8-8);
/*
 * 'pad' is the last decrypted byte (its assignment is not on this page).
 * mask is all-ones iff inp_len did not wrap, i.e. the claimed padding
 * still leaves room for the MAC; it replaces a branch on a bad pad byte.
 */
281 inp_len
= len
- (SHA_DIGEST_LENGTH
+pad
+1);
282 mask
= (0-((inp_len
-len
)>>(sizeof(inp_len
)*8-1)));
/* patch the true plaintext length into the AAD length field, then hash the AAD */
286 key
->aux
.tls_aad
[plen
-2] = inp_len
>>8;
287 key
->aux
.tls_aad
[plen
-1] = inp_len
;
291 SHA1_Update(&key
->md
,key
->aux
.tls_aad
,plen
);
/*
 * The MAC occupies out[inp_len .. inp_len+19].  Hash the plaintext in a
 * way whose running time does not depend on inp_len.
 */
294 len
-= SHA_DIGEST_LENGTH
; /* amend mac */
/*
 * Long records: everything except the last 256+64 bytes cannot contain
 * the MAC/padding boundary, so hash it with a plain SHA1_Update; the rest
 * goes through the masked loop below (pointer/length advance not on this
 * page).
 */
295 if (len
>=(256+SHA_CBLOCK
)) {
296 j
= (len
-(256+SHA_CBLOCK
))&(0-SHA_CBLOCK
);
297 j
+= SHA_CBLOCK
-key
->md
.num
;
298 SHA1_Update(&key
->md
,out
,j
);
304 /* but pretend as if we hashed padded payload */
/* SHA-1 length word for the inp_len-byte message, stored big-endian */
305 bitlen
= key
->md
.Nl
+(inp_len
<<3); /* at most 18 bits */
307 bitlen
= BSWAP(bitlen
);
310 mac
.c
[1] = (unsigned char)(bitlen
>>16);
311 mac
.c
[2] = (unsigned char)(bitlen
>>8);
312 mac
.c
[3] = (unsigned char)bitlen
;
/*
 * Fixed-cost walk over every remaining byte.  Bytes at or past inp_len
 * are zeroed through 'mask' (the c = out[j]; c &= mask; lines are not on
 * this page), the 0x80 terminator is ORed in exactly at j == inp_len,
 * and each full block is compressed.  Only the block that really is the
 * final one (j < inp_len+73) has its state ORed into pmac, so the right
 * digest is selected without a data-dependent branch.
 */
322 for (res
=key
->md
.num
, j
=0;j
<len
;j
++) {
324 mask
= (j
-inp_len
)>>(sizeof(j
)*8-8);
326 c
|= 0x80&~mask
&~((inp_len
-j
)>>(sizeof(j
)*8-8));
327 data
->c
[res
++]=(unsigned char)c
;
329 if (res
!=SHA_CBLOCK
) continue;
/* only once past inp_len+8 can this block carry the length word */
331 mask
= 0-((inp_len
+8-j
)>>(sizeof(j
)*8-1));
332 data
->u
[SHA_LBLOCK
-1] |= bitlen
&mask
;
333 sha1_block_data_order(&key
->md
,data
,1);
/* capture this block's state iff it is the final block */
334 mask
&= 0-((j
-inp_len
-73)>>(sizeof(j
)*8-1));
335 pmac
->u
[0] |= key
->md
.h0
& mask
;
336 pmac
->u
[1] |= key
->md
.h1
& mask
;
337 pmac
->u
[2] |= key
->md
.h2
& mask
;
338 pmac
->u
[3] |= key
->md
.h3
& mask
;
339 pmac
->u
[4] |= key
->md
.h4
& mask
;
/*
 * Zero the tail of the last partial block.  If fewer than 8 bytes are
 * free there is no room for the length word, so that block is compressed
 * as is and one more all-zero block follows.
 */
343 for(i
=res
;i
<SHA_CBLOCK
;i
++,j
++) data
->c
[i
]=0;
345 if (res
>SHA_CBLOCK
-8) {
346 mask
= 0-((inp_len
+8-j
)>>(sizeof(j
)*8-1));
347 data
->u
[SHA_LBLOCK
-1] |= bitlen
&mask
;
348 sha1_block_data_order(&key
->md
,data
,1);
349 mask
&= 0-((j
-inp_len
-73)>>(sizeof(j
)*8-1));
350 pmac
->u
[0] |= key
->md
.h0
& mask
;
351 pmac
->u
[1] |= key
->md
.h1
& mask
;
352 pmac
->u
[2] |= key
->md
.h2
& mask
;
353 pmac
->u
[3] |= key
->md
.h3
& mask
;
354 pmac
->u
[4] |= key
->md
.h4
& mask
;
356 memset(data
,0,SHA_CBLOCK
);
/* final block: zeros plus the length word */
359 data
->u
[SHA_LBLOCK
-1] = bitlen
;
360 sha1_block_data_order(&key
->md
,data
,1);
361 mask
= 0-((j
-inp_len
-73)>>(sizeof(j
)*8-1));
362 pmac
->u
[0] |= key
->md
.h0
& mask
;
363 pmac
->u
[1] |= key
->md
.h1
& mask
;
364 pmac
->u
[2] |= key
->md
.h2
& mask
;
365 pmac
->u
[3] |= key
->md
.h3
& mask
;
366 pmac
->u
[4] |= key
->md
.h4
& mask
;
/* digest words to big-endian bytes: BSWAP variant ... */
369 pmac
->u
[0] = BSWAP(pmac
->u
[0]);
370 pmac
->u
[1] = BSWAP(pmac
->u
[1]);
371 pmac
->u
[2] = BSWAP(pmac
->u
[2]);
372 pmac
->u
[3] = BSWAP(pmac
->u
[3]);
373 pmac
->u
[4] = BSWAP(pmac
->u
[4]);
/* ... or byte by byte when BSWAP is unavailable (#else arm, loop header not on this page) */
377 pmac
->c
[4*i
+0]=(unsigned char)(res
>>24);
378 pmac
->c
[4*i
+1]=(unsigned char)(res
>>16);
379 pmac
->c
[4*i
+2]=(unsigned char)(res
>>8);
380 pmac
->c
[4*i
+3]=(unsigned char)res
;
/*
 * Alternative, simpler path (the #else of the "#if 1" above): hash the
 * payload normally, then burn as many extra compressions as the padded
 * message would have needed so the total work still does not depend on
 * the padding length.
 */
383 len
+= SHA_DIGEST_LENGTH
;
385 SHA1_Update(&key
->md
,out
,inp_len
);
387 SHA1_Final(pmac
->c
,&key
->md
);
390 unsigned int inp_blocks
, pad_blocks
;
392 /* but pretend as if we hashed padded payload */
393 inp_blocks
= 1+((SHA_CBLOCK
-9-res
)>>(sizeof(res
)*8-1));
394 res
+= (unsigned int)(len
-inp_len
);
395 pad_blocks
= res
/ SHA_CBLOCK
;
397 pad_blocks
+= 1+((SHA_CBLOCK
-9-res
)>>(sizeof(res
)*8-1));
398 for (;inp_blocks
<pad_blocks
;inp_blocks
++)
399 sha1_block_data_order(&key
->md
,data
,1);
/* outer HMAC pass over the inner digest (the reset of key->md to the opad state is not on this page) */
403 SHA1_Update(&key
->md
,pmac
->c
,SHA_DIGEST_LENGTH
);
404 SHA1_Final(pmac
->c
,&key
->md
);
/*
 * Constant-time verification.  p points maxpad+20 bytes before the end of
 * the record; every one of those bytes is visited.  Bytes inside the MAC
 * position are compared with pmac, bytes after it with the pad value, and
 * all mismatches are ORed into res.  'off' (distance from p to the MAC)
 * and the c = p[j] load are on lines not on this page.  The sign-bit
 * shifts rely on arithmetic right shift of a negative int, which C leaves
 * implementation-defined; the x86-64 compilers this file is built for
 * provide it.
 */
411 unsigned char *p
= out
+len
-1-maxpad
-SHA_DIGEST_LENGTH
;
413 unsigned int c
, cmask
;
415 maxpad
+= SHA_DIGEST_LENGTH
;
416 for (res
=0,i
=0,j
=0;j
<maxpad
;j
++) {
/* cmask: all-ones while j is before the end of the MAC window */
418 cmask
= ((int)(j
-off
-SHA_DIGEST_LENGTH
))>>(sizeof(int)*8-1);
419 res
|= (c
^pad
)&~cmask
; /* ... and padding */
/* restrict to the 20 MAC bytes themselves and compare with pmac */
420 cmask
&= ((int)(off
-1-j
))>>(sizeof(int)*8-1);
421 res
|= (c
^pmac
->c
[i
])&cmask
;
424 maxpad
-= SHA_DIGEST_LENGTH
;
/* collapse res to all-ones on any mismatch, zero otherwise */
426 res
= 0-((0-res
)>>(sizeof(res
)*8-1));
/* direct MAC compare: the #else of the constant-time check above */
430 for (res
=0,i
=0;i
<SHA_DIGEST_LENGTH
;i
++)
431 res
|= out
[i
]^pmac
->c
[i
];
432 res
= 0-((0-res
)>>(sizeof(res
)*8-1));
/* on mismatch pretend pad == maxpad so the final scan is worst-case length regardless of input */
436 pad
= (pad
&~res
) | (maxpad
&res
);
/* second padding scan (loop body and the fold into the return value are not on this page) */
438 for (res
=0,i
=0;i
<pad
;i
++)
441 res
= (0-res
)>>(sizeof(res
)*8-1);
/* non-TLS decrypt: just run the plaintext through the hash */
446 SHA1_Update(&key
->md
,out
,len
);
/*
 * EVP ctrl hook.  Two controls are handled on this page:
 *   EVP_CTRL_AEAD_SET_MAC_KEY  install the HMAC key: precompute the ipad
 *       SHA-1 state into key->head and the opad state into key->tail.
 *   EVP_CTRL_AEAD_TLS1_AAD     feed the 13-byte TLS record header
 *       (seq_num || type || version || length).  One arm primes the
 *       running hash and returns how much the record grows by; the other
 *       stashes the header for the decrypting cipher call.
 * The switch, the encrypt/decrypt split inside the AAD case, the default
 * arm and the closing returns are not on this page.
 */
453 static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX
*ctx
, int type
, int arg
, void *ptr
)
455 EVP_AES_HMAC_SHA1
*key
= data(ctx
);
459 case EVP_CTRL_AEAD_SET_MAC_KEY
:
/*
 * HMAC key block: keys longer than the 64-byte SHA-1 block are hashed
 * down to 20 bytes first, shorter ones are zero-padded (RFC 2104).
 */
462 unsigned char hmac_key
[64];
464 memset (hmac_key
,0,sizeof(hmac_key
));
/*
 * NOTE(review): a negative 'arg' passes this test and reaches the memcpy
 * below as a huge size_t; nothing on this page rejects arg < 0, so the
 * caller is trusted to pass a sane length.
 */
466 if (arg
> (int)sizeof(hmac_key
)) {
467 SHA1_Init(&key
->head
);
468 SHA1_Update(&key
->head
,ptr
,arg
);
469 SHA1_Final(hmac_key
,&key
->head
);
471 memcpy(hmac_key
,ptr
,arg
);
/* ipad state: SHA-1 after absorbing K ^ 0x36.. */
474 for (i
=0;i
<sizeof(hmac_key
);i
++)
475 hmac_key
[i
] ^= 0x36; /* ipad */
476 SHA1_Init(&key
->head
);
477 SHA1_Update(&key
->head
,hmac_key
,sizeof(hmac_key
));
/* opad state: the buffer already holds K^0x36, so XOR with 0x36^0x5c gives K^0x5c */
479 for (i
=0;i
<sizeof(hmac_key
);i
++)
480 hmac_key
[i
] ^= 0x36^0x5c; /* opad */
481 SHA1_Init(&key
->tail
);
482 SHA1_Update(&key
->tail
,hmac_key
,sizeof(hmac_key
));
/* do not leave key material on the stack */
484 OPENSSL_cleanse(hmac_key
,sizeof(hmac_key
));
488 case EVP_CTRL_AEAD_TLS1_AAD
:
/*
 * NOTE(review): p[arg-1], p[arg-2], p[arg-3] and p[arg-4] are read before
 * any lower bound on 'arg' is checked; the only clamp on this page is the
 * decrypt-side "if (arg>13) arg = 13".  The header this code expects is
 * exactly 13 bytes (tls_aad is declared "[16]; 13 used"), so the case
 * should begin with `if (arg != 13) return -1;` -- that also makes the
 * tls_aad[plen-4] reads in the cipher routine safe.
 */
490 unsigned char *p
=ptr
;
/* record length from the last two header bytes */
491 unsigned int len
=p
[arg
-2]<<8|p
[arg
-1];
/*
 * First arm (encrypt side, judging by payload_length = plaintext length;
 * the ctx->encrypt test itself is not on this page).  For TLS >= 1.1 the
 * header's length field counts the explicit IV block, which is not part
 * of the MACed payload (the write-back of the corrected length into p[]
 * is not on this page).
 */
495 key
->payload_length
= len
;
496 if ((key
->aux
.tls_ver
=p
[arg
-4]<<8|p
[arg
-3]) >= TLS1_1_VERSION
) {
497 len
-= AES_BLOCK_SIZE
;
/* prime the running hash with the header (the reset of key->md to the ipad state is not on this page) */
502 SHA1_Update(&key
->md
,p
,arg
);
/* bytes added by MAC + padding: presumably continues with "- len" on the next, missing line */
504 return (int)(((len
+SHA_DIGEST_LENGTH
+AES_BLOCK_SIZE
)&-AES_BLOCK_SIZE
)
/*
 * Second arm (decrypt side, cf. "AAD length in decrypt case"): keep at
 * most 13 header bytes for the cipher routine to patch and hash; the
 * control's return value is the MAC length.
 */
509 if (arg
>13) arg
= 13;
510 memcpy(key
->aux
.tls_aad
,ptr
,arg
);
511 key
->payload_length
= arg
;
513 return SHA_DIGEST_LENGTH
;
/*
 * EVP_CIPHER descriptor for AES-128-CBC-HMAC-SHA1 (positional initializer;
 * the NID fallback, the block/key/IV sizes and the trailing fields are not
 * on this page).  EVP_CIPH_FLAG_AEAD_CIPHER marks the cipher as producing
 * and checking its own MAC through the AEAD controls above.
 */
521 static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher
=
523 #ifdef NID_aes_128_cbc_hmac_sha1
524 NID_aes_128_cbc_hmac_sha1
,
529 EVP_CIPH_CBC_MODE
|EVP_CIPH_FLAG_DEFAULT_ASN1
|EVP_CIPH_FLAG_AEAD_CIPHER
,
530 aesni_cbc_hmac_sha1_init_key
,
531 aesni_cbc_hmac_sha1_cipher
,
533 sizeof(EVP_AES_HMAC_SHA1
),
/* ASN.1 IV hooks only when the library does not supply defaults */
534 EVP_CIPH_FLAG_DEFAULT_ASN1
?NULL
:EVP_CIPHER_set_asn1_iv
,
535 EVP_CIPH_FLAG_DEFAULT_ASN1
?NULL
:EVP_CIPHER_get_asn1_iv
,
536 aesni_cbc_hmac_sha1_ctrl
,
/*
 * EVP_CIPHER descriptor for AES-256-CBC-HMAC-SHA1; identical to the
 * 128-bit one apart from the NID and key size (sizes and trailing fields
 * are not on this page).  The same init/cipher/ctrl hooks serve both:
 * the key length is taken from ctx->key_len at init time.
 */
540 static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher
=
542 #ifdef NID_aes_256_cbc_hmac_sha1
543 NID_aes_256_cbc_hmac_sha1
,
548 EVP_CIPH_CBC_MODE
|EVP_CIPH_FLAG_DEFAULT_ASN1
|EVP_CIPH_FLAG_AEAD_CIPHER
,
549 aesni_cbc_hmac_sha1_init_key
,
550 aesni_cbc_hmac_sha1_cipher
,
552 sizeof(EVP_AES_HMAC_SHA1
),
/* ASN.1 IV hooks only when the library does not supply defaults */
553 EVP_CIPH_FLAG_DEFAULT_ASN1
?NULL
:EVP_CIPHER_set_asn1_iv
,
554 EVP_CIPH_FLAG_DEFAULT_ASN1
?NULL
:EVP_CIPHER_get_asn1_iv
,
555 aesni_cbc_hmac_sha1_ctrl
,
/*
 * Accessor for the AES-128-CBC-HMAC-SHA1 stitched cipher.
 * Returns NULL unless the CPU reports AES-NI (bit 57 of the cpuid feature
 * vector cached in OPENSSL_ia32cap_P), so callers must cope with NULL.
 */
const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
{
	if (OPENSSL_ia32cap_P[1] & AESNI_CAPABLE)
		return &aesni_128_cbc_hmac_sha1_cipher;
	return NULL;
}
/*
 * Accessor for the AES-256-CBC-HMAC-SHA1 stitched cipher.
 * Same AES-NI gate as the 128-bit accessor: NULL when the feature bit is
 * not set, so callers must cope with NULL.
 */
const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
{
	if (OPENSSL_ia32cap_P[1] & AESNI_CAPABLE)
		return &aesni_256_cbc_hmac_sha1_cipher;
	return NULL;
}
/*
 * Fallback definition for builds without the x86-64 AES-NI assembly path
 * selected at the top of this file (presumably the #else of that #if; the
 * body is not on this page).
 */
571 const EVP_CIPHER
*EVP_aes_128_cbc_hmac_sha1(void)
/* fallback definition for non-AES-NI builds (body not on this page) */
575 const EVP_CIPHER
*EVP_aes_256_cbc_hmac_sha1(void)