From 0d2bfe52bb7e839f7bddcdb1160c335f2994df2f Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Mon, 6 Jan 2020 13:02:16 +1000 Subject: [PATCH] Add AES_CBC_HMAC_SHA ciphers to providers. Also Add ability for providers to dynamically exclude cipher algorithms. Cipher algorithms are only returned from providers if their capable() method is either NULL, or the method returns 1. This is mainly required for ciphers that only have hardware implementations. If there is no hardware support, then the algorithm needs to be not available. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10146) --- crypto/aes/build.info | 2 - crypto/evp/evp_enc.c | 85 +- doc/man7/provider-cipher.pod | 49 ++ include/crypto/aes_platform.h | 7 + include/openssl/core_names.h | 16 + providers/common/include/prov/provider_util.h | 12 + .../common/include/prov/providercommon.h | 2 + providers/common/provider_util.c | 14 + providers/defltprov.c | 317 +++---- providers/fips/fipsprov.c | 89 +- providers/implementations/ciphers/build.info | 6 +- .../ciphers/cipher_aes_cbc_hmac_sha.c | 345 ++++++++ .../ciphers/cipher_aes_cbc_hmac_sha.h | 65 ++ .../ciphers/cipher_aes_cbc_hmac_sha1_hw.c | 782 ++++++++++++++++ .../ciphers/cipher_aes_cbc_hmac_sha256_hw.c | 831 ++++++++++++++++++ .../include/prov/implementations.h | 4 + test/sslapitest.c | 100 +++ 17 files changed, 2529 insertions(+), 197 deletions(-) create mode 100644 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c create mode 100644 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.h create mode 100644 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha1_hw.c create mode 100644 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c diff --git a/crypto/aes/build.info b/crypto/aes/build.info index 291bf2af9b..dc00df0cda 100644 --- a/crypto/aes/build.info +++ b/crypto/aes/build.info @@ -68,8 +68,6 @@ SOURCE[../../providers/libfips.a]=$COMMON DEFINE[../../libcrypto]=$AESDEF DEFINE[../../providers/libfips.a]=$AESDEF DEFINE[../../providers/libimplementations.a]=$AESDEF -# fipsprov.c needs access to AESNI. -DEFINE[../../providers/fips]=$AESDEF GENERATE[aes-ia64.s]=asm/aes-ia64.S diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 3896cff34d..c650addbd1 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -174,6 +174,10 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, case NID_aes_256_siv: case NID_aes_192_siv: case NID_aes_128_siv: + case NID_aes_256_cbc_hmac_sha256: + case NID_aes_128_cbc_hmac_sha256: + case NID_aes_256_cbc_hmac_sha1: + case NID_aes_128_cbc_hmac_sha1: case NID_id_aes256_wrap: case NID_id_aes256_wrap_pad: case NID_id_aes192_wrap: @@ -1086,7 +1090,9 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) int set_params = 1; size_t sz = arg; unsigned int i; - OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + OSSL_PARAM params[4] = { + OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END + }; if (ctx == NULL || ctx->cipher == NULL) { EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET); @@ -1154,13 +1160,8 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, ptr, sz); break; - case EVP_CTRL_AEAD_SET_MAC_KEY: - params[0] = - OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_MAC_KEY, - ptr, sz); - break; case EVP_CTRL_AEAD_TLS1_AAD: - /* This one does a set and a get - since it returns a padding size */ + /* This one does a set and a get - since it returns a size */ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, ptr, sz); @@ -1180,6 +1181,76 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_RC2_KEYBITS, &sz); break; #endif /* OPENSSL_NO_RC2 */ +#if !defined(OPENSSL_NO_MULTIBLOCK) + case EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE: + params[0] = OSSL_PARAM_construct_size_t( + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT, &sz); + ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->provctx, params); + if (ret <= 0) + return 0; + + params[0] = OSSL_PARAM_construct_size_t( + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE, &sz); + params[1] = OSSL_PARAM_construct_end(); + ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params); + if (ret <= 0) + return 0; + return sz; + case EVP_CTRL_TLS1_1_MULTIBLOCK_AAD: { + EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *p = + (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr; + + if (arg < (int)sizeof(EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM)) + return 0; + + params[0] = OSSL_PARAM_construct_octet_string( + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD, (void*)p->inp, p->len); + params[1] = OSSL_PARAM_construct_uint( + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave); + ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->provctx, params); + if (ret <= 0) + return ret; + /* Retrieve the return values changed by the set */ + params[0] = OSSL_PARAM_construct_size_t( + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN, &sz); + params[1] = OSSL_PARAM_construct_uint( + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave); + params[2] = OSSL_PARAM_construct_end(); + ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params); + if (ret <= 0) + return 0; + return sz; + } + case EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT: { + EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *p = + (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr; + + params[0] = OSSL_PARAM_construct_octet_string( + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC, p->out, p->len); + + params[1] = OSSL_PARAM_construct_octet_string( + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN, (void*)p->inp, + p->len); + params[2] = OSSL_PARAM_construct_uint( + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave); + ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->provctx, params); + if (ret <= 0) + return ret; + params[0] = OSSL_PARAM_construct_size_t( + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN, &sz); + params[1] = OSSL_PARAM_construct_end(); + ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params); + if (ret <= 0) + return 0; + return sz; + } +#endif /* OPENSSL_NO_MULTIBLOCK */ + case EVP_CTRL_AEAD_SET_MAC_KEY: + if (arg < 0) + return -1; + params[0] = OSSL_PARAM_construct_octet_string( + OSSL_CIPHER_PARAM_AEAD_MAC_KEY, ptr, sz); + break; } if (set_params) diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod index 5e64c0e196..7ad239bcb6 100644 --- a/doc/man7/provider-cipher.pod +++ b/doc/man7/provider-cipher.pod @@ -349,6 +349,55 @@ by AES SIV ciphers which disallow multiple operations by default. Setting "speed" to 1 allows another encrypt or decrypt operation to be performed. This is used for performance testing. +=item "tls1multi_enc" (B) + +Triggers a multiblock tls1 encrypt operation for a tls1 aware cipher that supports +sending 4 or 8 records in one go. +The cipher performs both the MAC and encrypt stages and constructs the record +headers itself. +"tls1multi_enc" supplies the output buffer for the encrypt operation, +"tls1multi_encin" & "tls1multi_interleave" must also be set in order to supply +values to the encrypt operation. + +=item "tls1multi_enclen" (B) + +Get the total length of the record returned from the "tls1multi_enc" operation. + +=item "tls1multi_interleave" (B) + +Sets or gets the number of records being sent in one go for a tls1 multiblock +cipher operation (either 4 or 8 records). + +=item "tls1multi_encin" (B) + +Supplies the data to encrypt for a tls1 multiblock cipher operation. + +=item "tls1multi_maxsndfrag" (B) + +Sets the maximum send fragment size for a tls1 multiblock cipher operation. +It must be set before using "tls1multi_maxbufsz". +The length of the "tls1multi_maxsndfrag" parameter should not exceed that of a B. + +=item "tls1multi_maxbufsz" (B) + +Gets the maximum record length for a tls1 multiblock cipher operation. +The length of the "tls1multi_maxbufsz" parameter should not exceed that of a B. + +=item "tls1multi_aad" (B) + +Sets the authenticated additional data used by a tls1 multiblock cipher operation. +The supplied data consists of 13 bytes of record data containing: +Bytes 0-7: The sequence number of the first record +Byte 8: The record type +Byte 9-10: The protocol version +Byte 11-12: Input length (Always 0) + +"tls1multi_interleave" must also be set for this operation. + +=item "tls1multi_aadpacklen" (B) + +Gets the result of running the "tls1multi_aad" operation. + =back =head1 RETURN VALUES diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h index 483a1949ee..b478520cf8 100644 --- a/include/crypto/aes_platform.h +++ b/include/crypto/aes_platform.h @@ -121,6 +121,13 @@ void gcm_ghash_v8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); # endif # endif /* OPENSSL_CPUID_OBJ */ +# if defined(AES_ASM) && ( \ + defined(__x86_64) || defined(__x86_64__) || \ + defined(_M_AMD64) || defined(_M_X64) ) +# define AES_CBC_HMAC_SHA_CAPABLE 1 +# define AESNI_CBC_HMAC_SHA_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32))) +# endif + # if defined(AES_ASM) && !defined(I386_ONLY) && ( \ ((defined(__i386) || defined(__i386__) || \ defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index e441ddf6c8..446af5fa8e 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -73,6 +73,22 @@ extern "C" { /* For passing the AlgorithmIdentifier parameter in DER form */ #define OSSL_CIPHER_PARAM_ALG_ID "alg_id_param" /* octet_string */ +#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \ + "tls1multi_maxsndfrag" /* uint */ +#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE \ + "tls1multi_maxbufsz" /* size_t */ +#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE \ + "tls1multi_interleave" /* uint */ +#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD \ + "tls1multi_aad" /* octet_string */ +#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN \ + "tls1multi_aadpacklen" /* uint */ +#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC \ + "tls1multi_enc" /* octet_string */ +#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN \ + "tls1multi_encin" /* octet_string */ +#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN \ + "tls1multi_enclen" /* size_t */ /* digest parameters */ #define OSSL_DIGEST_PARAM_XOFLEN "xoflen" /* size_t */ diff --git a/providers/common/include/prov/provider_util.h b/providers/common/include/prov/provider_util.h index 9925ac2b09..ca3550b3f7 100644 --- a/providers/common/include/prov/provider_util.h +++ b/providers/common/include/prov/provider_util.h @@ -101,3 +101,15 @@ int ossl_prov_macctx_load_from_params(EVP_MAC_CTX **macctx, const char *ciphername, const char *mdname, OPENSSL_CTX *ctx); + +typedef struct ag_capable_st { + OSSL_ALGORITHM alg; + int (*capable)(void); +} OSSL_ALGORITHM_CAPABLE; + +/* + * Dynamically select algorithms by calling a capable() method. + * If this method is NULL or the method returns 1 then the algorithm is added. + */ +void ossl_prov_cache_exported_algorithms(const OSSL_ALGORITHM_CAPABLE *in, + OSSL_ALGORITHM *out); diff --git a/providers/common/include/prov/providercommon.h b/providers/common/include/prov/providercommon.h index 569c08c0b1..995c685292 100644 --- a/providers/common/include/prov/providercommon.h +++ b/providers/common/include/prov/providercommon.h @@ -13,3 +13,5 @@ const OSSL_PROVIDER *FIPS_get_provider(OPENSSL_CTX *ctx); const char *ossl_prov_util_nid_to_name(int nid); +int cipher_capable_aes_cbc_hmac_sha1(void); +int cipher_capable_aes_cbc_hmac_sha256(void); diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c index ef4396f432..504463df19 100644 --- a/providers/common/provider_util.c +++ b/providers/common/provider_util.c @@ -237,3 +237,17 @@ int ossl_prov_macctx_load_from_params(EVP_MAC_CTX **macctx, *macctx = NULL; return 0; } + +void ossl_prov_cache_exported_algorithms(const OSSL_ALGORITHM_CAPABLE *in, + OSSL_ALGORITHM *out) +{ + int i, j; + + if (out[0].algorithm_names == NULL) { + for (i = j = 0; in[i].alg.algorithm_names != NULL; ++i) { + if (in[i].capable == NULL || in[i].capable()) + out[j++] = in[i].alg; + } + out[j++] = in[i].alg; + } +} diff --git a/providers/defltprov.c b/providers/defltprov.c index 51cd2b9794..5c11b4a910 100644 --- a/providers/defltprov.c +++ b/providers/defltprov.c @@ -15,7 +15,13 @@ #include #include #include "prov/bio.h" +#include "prov/providercommon.h" #include "prov/implementations.h" +#include "prov/provider_util.h" +#include "internal/nelem.h" + +#define ALGC(NAMES, FUNC, CHECK) { { NAMES, "default=yes", FUNC }, CHECK } +#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) /* Functions provided by the core */ static OSSL_core_gettable_params_fn *c_gettable_params = NULL; @@ -131,190 +137,196 @@ static const OSSL_ALGORITHM deflt_digests[] = { { NULL, NULL, NULL } }; -static const OSSL_ALGORITHM deflt_ciphers[] = { - { "AES-256-ECB", "default=yes", aes256ecb_functions }, - { "AES-192-ECB", "default=yes", aes192ecb_functions }, - { "AES-128-ECB", "default=yes", aes128ecb_functions }, - { "AES-256-CBC", "default=yes", aes256cbc_functions }, - { "AES-192-CBC", "default=yes", aes192cbc_functions }, - { "AES-128-CBC", "default=yes", aes128cbc_functions }, - { "AES-256-OFB", "default=yes", aes256ofb_functions }, - { "AES-192-OFB", "default=yes", aes192ofb_functions }, - { "AES-128-OFB", "default=yes", aes128ofb_functions }, - { "AES-256-CFB", "default=yes", aes256cfb_functions }, - { "AES-192-CFB", "default=yes", aes192cfb_functions }, - { "AES-128-CFB", "default=yes", aes128cfb_functions }, - { "AES-256-CFB1", "default=yes", aes256cfb1_functions }, - { "AES-192-CFB1", "default=yes", aes192cfb1_functions }, - { "AES-128-CFB1", "default=yes", aes128cfb1_functions }, - { "AES-256-CFB8", "default=yes", aes256cfb8_functions }, - { "AES-192-CFB8", "default=yes", aes192cfb8_functions }, - { "AES-128-CFB8", "default=yes", aes128cfb8_functions }, - { "AES-256-CTR", "default=yes", aes256ctr_functions }, - { "AES-192-CTR", "default=yes", aes192ctr_functions }, - { "AES-128-CTR", "default=yes", aes128ctr_functions }, - { "AES-256-XTS", "default=yes", aes256xts_functions }, - { "AES-128-XTS", "default=yes", aes128xts_functions }, +static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = { + ALG("AES-256-ECB", aes256ecb_functions), + ALG("AES-192-ECB", aes192ecb_functions), + ALG("AES-128-ECB", aes128ecb_functions), + ALG("AES-256-CBC", aes256cbc_functions), + ALG("AES-192-CBC", aes192cbc_functions), + ALG("AES-128-CBC", aes128cbc_functions), + ALG("AES-256-OFB", aes256ofb_functions), + ALG("AES-192-OFB", aes192ofb_functions), + ALG("AES-128-OFB", aes128ofb_functions), + ALG("AES-256-CFB", aes256cfb_functions), + ALG("AES-192-CFB", aes192cfb_functions), + ALG("AES-128-CFB", aes128cfb_functions), + ALG("AES-256-CFB1", aes256cfb1_functions), + ALG("AES-192-CFB1", aes192cfb1_functions), + ALG("AES-128-CFB1", aes128cfb1_functions), + ALG("AES-256-CFB8", aes256cfb8_functions), + ALG("AES-192-CFB8", aes192cfb8_functions), + ALG("AES-128-CFB8", aes128cfb8_functions), + ALG("AES-256-CTR", aes256ctr_functions), + ALG("AES-192-CTR", aes192ctr_functions), + ALG("AES-128-CTR", aes128ctr_functions), + ALG("AES-256-XTS", aes256xts_functions), + ALG("AES-128-XTS", aes128xts_functions), #ifndef OPENSSL_NO_OCB - { "AES-256-OCB", "default=yes", aes256ocb_functions }, - { "AES-192-OCB", "default=yes", aes192ocb_functions }, - { "AES-128-OCB", "default=yes", aes128ocb_functions }, + ALG("AES-256-OCB", aes256ocb_functions), + ALG("AES-192-OCB", aes192ocb_functions), + ALG("AES-128-OCB", aes128ocb_functions), #endif /* OPENSSL_NO_OCB */ #ifndef OPENSSL_NO_SIV - { "AES-128-SIV", "default=yes", aes128siv_functions }, - { "AES-192-SIV", "default=yes", aes192siv_functions }, - { "AES-256-SIV", "default=yes", aes256siv_functions }, + ALG("AES-128-SIV", aes128siv_functions), + ALG("AES-192-SIV", aes192siv_functions), + ALG("AES-256-SIV", aes256siv_functions), #endif /* OPENSSL_NO_SIV */ - { "AES-256-GCM:id-aes256-GCM", "default=yes", aes256gcm_functions }, - { "AES-192-GCM:id-aes192-GCM", "default=yes", aes192gcm_functions }, - { "AES-128-GCM:id-aes128-GCM", "default=yes", aes128gcm_functions }, - { "AES-256-CCM:id-aes256-CCM", "default=yes", aes256ccm_functions }, - { "AES-192-CCM:id-aes192-CCM", "default=yes", aes192ccm_functions }, - { "AES-128-CCM:id-aes128-CCM", "default=yes", aes128ccm_functions }, - { "AES-256-WRAP:id-aes256-wrap:AES256-WRAP", "default=yes", - aes256wrap_functions }, - { "AES-192-WRAP:id-aes192-wrap:AES192-WRAP", "default=yes", - aes192wrap_functions }, - { "AES-128-WRAP:id-aes128-wrap:AES128-WRAP", "default=yes", - aes128wrap_functions }, - { "AES-256-WRAP-PAD:id-aes256-wrap-pad:AES256-WRAP-PAD", "default=yes", - aes256wrappad_functions }, - { "AES-192-WRAP-PAD:id-aes192-wrap-pad:AES192-WRAP-PAD", "default=yes", - aes192wrappad_functions }, - { "AES-128-WRAP-PAD:id-aes128-wrap-pad:AES128-WRAP-PAD", "default=yes", - aes128wrappad_functions }, + ALG("AES-256-GCM:id-aes256-GCM", aes256gcm_functions), + ALG("AES-192-GCM:id-aes192-GCM", aes192gcm_functions), + ALG("AES-128-GCM:id-aes128-GCM", aes128gcm_functions), + ALG("AES-256-CCM:id-aes256-CCM", aes256ccm_functions), + ALG("AES-192-CCM:id-aes192-CCM", aes192ccm_functions), + ALG("AES-128-CCM:id-aes128-CCM", aes128ccm_functions), + ALG("AES-256-WRAP:id-aes256-wrap:AES256-WRAP", aes256wrap_functions), + ALG("AES-192-WRAP:id-aes192-wrap:AES192-WRAP", aes192wrap_functions), + ALG("AES-128-WRAP:id-aes128-wrap:AES128-WRAP", aes128wrap_functions), + ALG("AES-256-WRAP-PAD:id-aes256-wrap-pad:AES256-WRAP-PAD", + aes256wrappad_functions), + ALG("AES-192-WRAP-PAD:id-aes192-wrap-pad:AES192-WRAP-PAD", + aes192wrappad_functions), + ALG("AES-128-WRAP-PAD:id-aes128-wrap-pad:AES128-WRAP-PAD", + aes128wrappad_functions), + ALGC("AES-128-CBC-HMAC-SHA1", aes128cbc_hmac_sha1_functions, + cipher_capable_aes_cbc_hmac_sha1), + ALGC("AES-256-CBC-HMAC-SHA1", aes256cbc_hmac_sha1_functions, + cipher_capable_aes_cbc_hmac_sha1), + ALGC("AES-128-CBC-HMAC-SHA256", aes128cbc_hmac_sha256_functions, + cipher_capable_aes_cbc_hmac_sha256), + ALGC("AES-256-CBC-HMAC-SHA256", aes256cbc_hmac_sha256_functions, + cipher_capable_aes_cbc_hmac_sha256), #ifndef OPENSSL_NO_ARIA - { "ARIA-256-GCM", "default=yes", aria256gcm_functions }, - { "ARIA-192-GCM", "default=yes", aria192gcm_functions }, - { "ARIA-128-GCM", "default=yes", aria128gcm_functions }, - { "ARIA-256-CCM", "default=yes", aria256ccm_functions }, - { "ARIA-192-CCM", "default=yes", aria192ccm_functions }, - { "ARIA-128-CCM", "default=yes", aria128ccm_functions }, - { "ARIA-256-ECB", "default=yes", aria256ecb_functions }, - { "ARIA-192-ECB", "default=yes", aria192ecb_functions }, - { "ARIA-128-ECB", "default=yes", aria128ecb_functions }, - { "ARIA-256-CBC:ARIA256", "default=yes", aria256cbc_functions }, - { "ARIA-192-CBC:ARIA192", "default=yes", aria192cbc_functions }, - { "ARIA-128-CBC:ARIA128", "default=yes", aria128cbc_functions }, - { "ARIA-256-OFB", "default=yes", aria256ofb_functions }, - { "ARIA-192-OFB", "default=yes", aria192ofb_functions }, - { "ARIA-128-OFB", "default=yes", aria128ofb_functions }, - { "ARIA-256-CFB", "default=yes", aria256cfb_functions }, - { "ARIA-192-CFB", "default=yes", aria192cfb_functions }, - { "ARIA-128-CFB", "default=yes", aria128cfb_functions }, - { "ARIA-256-CFB1", "default=yes", aria256cfb1_functions }, - { "ARIA-192-CFB1", "default=yes", aria192cfb1_functions }, - { "ARIA-128-CFB1", "default=yes", aria128cfb1_functions }, - { "ARIA-256-CFB8", "default=yes", aria256cfb8_functions }, - { "ARIA-192-CFB8", "default=yes", aria192cfb8_functions }, - { "ARIA-128-CFB8", "default=yes", aria128cfb8_functions }, - { "ARIA-256-CTR", "default=yes", aria256ctr_functions }, - { "ARIA-192-CTR", "default=yes", aria192ctr_functions }, - { "ARIA-128-CTR", "default=yes", aria128ctr_functions }, + ALG("ARIA-256-GCM", aria256gcm_functions), + ALG("ARIA-192-GCM", aria192gcm_functions), + ALG("ARIA-128-GCM", aria128gcm_functions), + ALG("ARIA-256-CCM", aria256ccm_functions), + ALG("ARIA-192-CCM", aria192ccm_functions), + ALG("ARIA-128-CCM", aria128ccm_functions), + ALG("ARIA-256-ECB", aria256ecb_functions), + ALG("ARIA-192-ECB", aria192ecb_functions), + ALG("ARIA-128-ECB", aria128ecb_functions), + ALG("ARIA-256-CBC:ARIA256", aria256cbc_functions), + ALG("ARIA-192-CBC:ARIA192", aria192cbc_functions), + ALG("ARIA-128-CBC:ARIA128", aria128cbc_functions), + ALG("ARIA-256-OFB", aria256ofb_functions), + ALG("ARIA-192-OFB", aria192ofb_functions), + ALG("ARIA-128-OFB", aria128ofb_functions), + ALG("ARIA-256-CFB", aria256cfb_functions), + ALG("ARIA-192-CFB", aria192cfb_functions), + ALG("ARIA-128-CFB", aria128cfb_functions), + ALG("ARIA-256-CFB1", aria256cfb1_functions), + ALG("ARIA-192-CFB1", aria192cfb1_functions), + ALG("ARIA-128-CFB1", aria128cfb1_functions), + ALG("ARIA-256-CFB8", aria256cfb8_functions), + ALG("ARIA-192-CFB8", aria192cfb8_functions), + ALG("ARIA-128-CFB8", aria128cfb8_functions), + ALG("ARIA-256-CTR", aria256ctr_functions), + ALG("ARIA-192-CTR", aria192ctr_functions), + ALG("ARIA-128-CTR", aria128ctr_functions), #endif /* OPENSSL_NO_ARIA */ #ifndef OPENSSL_NO_CAMELLIA - { "CAMELLIA-256-ECB", "default=yes", camellia256ecb_functions }, - { "CAMELLIA-192-ECB", "default=yes", camellia192ecb_functions }, - { "CAMELLIA-128-ECB", "default=yes", camellia128ecb_functions }, - { "CAMELLIA-256-CBC:CAMELLIA256", "default=yes", camellia256cbc_functions }, - { "CAMELLIA-192-CBC:CAMELLIA192", "default=yes", camellia192cbc_functions }, - { "CAMELLIA-128-CBC:CAMELLIA128", "default=yes", camellia128cbc_functions }, - { "CAMELLIA-256-OFB", "default=yes", camellia256ofb_functions }, - { "CAMELLIA-192-OFB", "default=yes", camellia192ofb_functions }, - { "CAMELLIA-128-OFB", "default=yes", camellia128ofb_functions }, - { "CAMELLIA-256-CFB", "default=yes", camellia256cfb_functions }, - { "CAMELLIA-192-CFB", "default=yes", camellia192cfb_functions }, - { "CAMELLIA-128-CFB", "default=yes", camellia128cfb_functions }, - { "CAMELLIA-256-CFB1", "default=yes", camellia256cfb1_functions }, - { "CAMELLIA-192-CFB1", "default=yes", camellia192cfb1_functions }, - { "CAMELLIA-128-CFB1", "default=yes", camellia128cfb1_functions }, - { "CAMELLIA-256-CFB8", "default=yes", camellia256cfb8_functions }, - { "CAMELLIA-192-CFB8", "default=yes", camellia192cfb8_functions }, - { "CAMELLIA-128-CFB8", "default=yes", camellia128cfb8_functions }, - { "CAMELLIA-256-CTR", "default=yes", camellia256ctr_functions }, - { "CAMELLIA-192-CTR", "default=yes", camellia192ctr_functions }, - { "CAMELLIA-128-CTR", "default=yes", camellia128ctr_functions }, + ALG("CAMELLIA-256-ECB", camellia256ecb_functions), + ALG("CAMELLIA-192-ECB", camellia192ecb_functions), + ALG("CAMELLIA-128-ECB", camellia128ecb_functions), + ALG("CAMELLIA-256-CBC:CAMELLIA256", camellia256cbc_functions), + ALG("CAMELLIA-192-CBC:CAMELLIA192", camellia192cbc_functions), + ALG("CAMELLIA-128-CBC:CAMELLIA128", camellia128cbc_functions), + ALG("CAMELLIA-256-OFB", camellia256ofb_functions), + ALG("CAMELLIA-192-OFB", camellia192ofb_functions), + ALG("CAMELLIA-128-OFB", camellia128ofb_functions), + ALG("CAMELLIA-256-CFB", camellia256cfb_functions), + ALG("CAMELLIA-192-CFB", camellia192cfb_functions), + ALG("CAMELLIA-128-CFB", camellia128cfb_functions), + ALG("CAMELLIA-256-CFB1", camellia256cfb1_functions), + ALG("CAMELLIA-192-CFB1", camellia192cfb1_functions), + ALG("CAMELLIA-128-CFB1", camellia128cfb1_functions), + ALG("CAMELLIA-256-CFB8", camellia256cfb8_functions), + ALG("CAMELLIA-192-CFB8", camellia192cfb8_functions), + ALG("CAMELLIA-128-CFB8", camellia128cfb8_functions), + ALG("CAMELLIA-256-CTR", camellia256ctr_functions), + ALG("CAMELLIA-192-CTR", camellia192ctr_functions), + ALG("CAMELLIA-128-CTR", camellia128ctr_functions), #endif /* OPENSSL_NO_CAMELLIA */ #ifndef OPENSSL_NO_DES - { "DES-EDE3-ECB:DES-EDE3", "default=yes", tdes_ede3_ecb_functions }, - { "DES-EDE3-CBC:DES3", "default=yes", tdes_ede3_cbc_functions }, - { "DES-EDE3-OFB", "default=yes", tdes_ede3_ofb_functions }, - { "DES-EDE3-CFB", "default=yes", tdes_ede3_cfb_functions }, - { "DES-EDE3-CFB8", "default=yes", tdes_ede3_cfb8_functions }, - { "DES-EDE3-CFB1", "default=yes", tdes_ede3_cfb1_functions }, - { "DES-EDE-ECB:DES-EDE", "default=yes", tdes_ede2_ecb_functions }, - { "DES-EDE-CBC", "default=yes", tdes_ede2_cbc_functions }, - { "DES-EDE-OFB", "default=yes", tdes_ede2_ofb_functions }, - { "DES-EDE-CFB", "default=yes", tdes_ede2_cfb_functions }, - { "DESX-CBC:DESX", "default=yes", tdes_desx_cbc_functions }, - { "DES3-WRAP:id-smime-alg-CMS3DESwrap", "default=yes", tdes_wrap_cbc_functions }, - { "DES-ECB", "default=yes", des_ecb_functions }, - { "DES-CBC:DES", "default=yes", des_cbc_functions }, - { "DES-OFB", "default=yes", des_ofb64_functions }, - { "DES-CFB", "default=yes", des_cfb64_functions }, - { "DES-CFB1", "default=yes", des_cfb1_functions }, - { "DES-CFB8", "default=yes", des_cfb8_functions }, + ALG("DES-EDE3-ECB:DES-EDE3", tdes_ede3_ecb_functions), + ALG("DES-EDE3-CBC:DES3", tdes_ede3_cbc_functions), + ALG("DES-EDE3-OFB", tdes_ede3_ofb_functions), + ALG("DES-EDE3-CFB", tdes_ede3_cfb_functions), + ALG("DES-EDE3-CFB8", tdes_ede3_cfb8_functions), + ALG("DES-EDE3-CFB1", tdes_ede3_cfb1_functions), + ALG("DES-EDE-ECB:DES-EDE", tdes_ede2_ecb_functions), + ALG("DES-EDE-CBC", tdes_ede2_cbc_functions), + ALG("DES-EDE-OFB", tdes_ede2_ofb_functions), + ALG("DES-EDE-CFB", tdes_ede2_cfb_functions), + ALG("DESX-CBC:DESX", tdes_desx_cbc_functions), + ALG("DES3-WRAP:id-smime-alg-CMS3DESwrap", tdes_wrap_cbc_functions), + ALG("DES-ECB", des_ecb_functions), + ALG("DES-CBC:DES", des_cbc_functions), + ALG("DES-OFB", des_ofb64_functions), + ALG("DES-CFB", des_cfb64_functions), + ALG("DES-CFB1", des_cfb1_functions), + ALG("DES-CFB8", des_cfb8_functions), #endif /* OPENSSL_NO_DES */ #ifndef OPENSSL_NO_BF - { "BF-ECB", "default=yes", blowfish128ecb_functions }, - { "BF-CBC:BF:BLOWFISH", "default=yes", blowfish128cbc_functions }, - { "BF-OFB", "default=yes", blowfish64ofb64_functions }, - { "BF-CFB", "default=yes", blowfish64cfb64_functions }, + ALG("BF-ECB", blowfish128ecb_functions), + ALG("BF-CBC:BF:BLOWFISH", blowfish128cbc_functions), + ALG("BF-OFB", blowfish64ofb64_functions), + ALG("BF-CFB", blowfish64cfb64_functions), #endif /* OPENSSL_NO_BF */ #ifndef OPENSSL_NO_IDEA - { "IDEA-ECB", "default=yes", idea128ecb_functions }, - { "IDEA-CBC:IDEA", "default=yes", idea128cbc_functions }, - { "IDEA-OFB:IDEA-OFB64", "default=yes", idea128ofb64_functions }, - { "IDEA-CFB:IDEA-CFB64", "default=yes", idea128cfb64_functions }, + ALG("IDEA-ECB", idea128ecb_functions), + ALG("IDEA-CBC:IDEA", idea128cbc_functions), + ALG("IDEA-OFB:IDEA-OFB64", idea128ofb64_functions), + ALG("IDEA-CFB:IDEA-CFB64", idea128cfb64_functions), #endif /* OPENSSL_NO_IDEA */ #ifndef OPENSSL_NO_CAST - { "CAST5-ECB", "default=yes", cast5128ecb_functions }, - { "CAST5-CBC:CAST-CBC:CAST", "default=yes", cast5128cbc_functions }, - { "CAST5-OFB", "default=yes", cast564ofb64_functions }, - { "CAST5-CFB", "default=yes", cast564cfb64_functions }, + ALG("CAST5-ECB", cast5128ecb_functions), + ALG("CAST5-CBC:CAST-CBC:CAST", cast5128cbc_functions), + ALG("CAST5-OFB", cast564ofb64_functions), + ALG("CAST5-CFB", cast564cfb64_functions), #endif /* OPENSSL_NO_CAST */ #ifndef OPENSSL_NO_SEED - { "SEED-ECB", "default=yes", seed128ecb_functions }, - { "SEED-CBC:SEED", "default=yes", seed128cbc_functions }, - { "SEED-OFB:SEED-OFB128", "default=yes", seed128ofb128_functions }, - { "SEED-CFB:SEED-CFB128", "default=yes", seed128cfb128_functions }, + ALG("SEED-ECB", seed128ecb_functions), + ALG("SEED-CBC:SEED", seed128cbc_functions), + ALG("SEED-OFB:SEED-OFB128", seed128ofb128_functions), + ALG("SEED-CFB:SEED-CFB128", seed128cfb128_functions), #endif /* OPENSSL_NO_SEED */ #ifndef OPENSSL_NO_SM4 - { "SM4-ECB", "default=yes", sm4128ecb_functions }, - { "SM4-CBC:SM4", "default=yes", sm4128cbc_functions }, - { "SM4-CTR", "default=yes", sm4128ctr_functions }, - { "SM4-OFB:SM4-OFB128", "default=yes", sm4128ofb128_functions }, - { "SM4-CFB:SM4-CFB128", "default=yes", sm4128cfb128_functions }, + ALG("SM4-ECB", sm4128ecb_functions), + ALG("SM4-CBC:SM4", sm4128cbc_functions), + ALG("SM4-CTR", sm4128ctr_functions), + ALG("SM4-OFB:SM4-OFB128", sm4128ofb128_functions), + ALG("SM4-CFB:SM4-CFB128", sm4128cfb128_functions), #endif /* OPENSSL_NO_SM4 */ #ifndef OPENSSL_NO_RC4 - { "RC4", "default=yes", rc4128_functions }, - { "RC4-40", "default=yes", rc440_functions }, + ALG("RC4", rc4128_functions), + ALG("RC4-40", rc440_functions), # ifndef OPENSSL_NO_MD5 - { "RC4-HMAC-MD5", "default=yes", rc4_hmac_md5_functions }, + ALG("RC4-HMAC-MD5", rc4_hmac_md5_functions), # endif /* OPENSSL_NO_MD5 */ #endif /* OPENSSL_NO_RC4 */ #ifndef OPENSSL_NO_RC5 - { "RC5-ECB", "default=yes", rc5128ecb_functions }, - { "RC5-CBC", "default=yes", rc5128cbc_functions }, - { "RC5-OFB", "default=yes", rc5128ofb64_functions }, - { "RC5-CFB", "default=yes", rc5128cfb64_functions }, + ALG("RC5-ECB", rc5128ecb_functions), + ALG("RC5-CBC", rc5128cbc_functions), + ALG("RC5-OFB", rc5128ofb64_functions), + ALG("RC5-CFB", rc5128cfb64_functions), #endif /* OPENSSL_NO_RC5 */ #ifndef OPENSSL_NO_RC2 - { "RC2-ECB", "default=yes", rc2128ecb_functions }, - { "RC2-CBC", "default=yes", rc2128cbc_functions }, - { "RC2-40-CBC", "default=yes", rc240cbc_functions }, - { "RC2-64-CBC", "default=yes", rc264cbc_functions }, - { "RC2-CFB", "default=yes", rc2128cfb128_functions }, - { "RC2-OFB", "default=yes", rc2128ofb128_functions }, + ALG("RC2-ECB", rc2128ecb_functions), + ALG("RC2-CBC", rc2128cbc_functions), + ALG("RC2-40-CBC", rc240cbc_functions), + ALG("RC2-64-CBC", rc264cbc_functions), + ALG("RC2-CFB", rc2128cfb128_functions), + ALG("RC2-OFB", rc2128ofb128_functions), #endif /* OPENSSL_NO_RC2 */ #ifndef OPENSSL_NO_CHACHA - { "ChaCha20", "default=yes", chacha20_functions }, + ALG("ChaCha20", chacha20_functions), # ifndef OPENSSL_NO_POLY1305 - { "ChaCha20-Poly1305", "default=yes", chacha20_poly1305_functions }, + ALG("ChaCha20-Poly1305", chacha20_poly1305_functions), # endif /* OPENSSL_NO_POLY1305 */ #endif /* OPENSSL_NO_CHACHA */ - { NULL, NULL, NULL } + { { NULL, NULL, NULL }, NULL } }; +static OSSL_ALGORITHM exported_ciphers[OSSL_NELEM(deflt_ciphers)]; static const OSSL_ALGORITHM deflt_macs[] = { #ifndef OPENSSL_NO_BLAKE2 @@ -432,7 +444,8 @@ static const OSSL_ALGORITHM *deflt_query(OSSL_PROVIDER *prov, case OSSL_OP_DIGEST: return deflt_digests; case OSSL_OP_CIPHER: - return deflt_ciphers; + ossl_prov_cache_exported_algorithms(deflt_ciphers, exported_ciphers); + return exported_ciphers; case OSSL_OP_MAC: return deflt_macs; case OSSL_OP_KDF: diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index 12c471f325..7afab78063 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -25,12 +25,17 @@ #include "internal/cryptlib.h" #include "internal/property.h" +#include "internal/nelem.h" #include "crypto/evp.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" +#include "prov/provider_util.h" #include "selftest.h" +#define ALGC(NAMES, FUNC, CHECK) { { NAMES, "fips=yes", FUNC }, CHECK } +#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) + extern OSSL_core_thread_start_fn *c_thread_start; /* @@ -300,6 +305,14 @@ const char *ossl_prov_util_nid_to_name(int nid) return "DES-EDE3"; case NID_des_ede3_cbc: return "DES-EDE3-CBC"; + case NID_aes_256_cbc_hmac_sha256: + return "AES-256-CBC-HMAC-SHA256"; + case NID_aes_128_cbc_hmac_sha256: + return "AES-128-CBC-HMAC-SHA256"; + case NID_aes_256_cbc_hmac_sha1: + return "AES-256-CBC-HMAC-SHA1"; + case NID_aes_128_cbc_hmac_sha1: + return "AES-128-CBC-HMAC-SHA1"; default: break; } @@ -358,43 +371,49 @@ static const OSSL_ALGORITHM fips_digests[] = { { NULL, NULL, NULL } }; -static const OSSL_ALGORITHM fips_ciphers[] = { +static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = { /* Our primary name[:ASN.1 OID name][:our older names] */ - { "AES-256-ECB", "fips=yes", aes256ecb_functions }, - { "AES-192-ECB", "fips=yes", aes192ecb_functions }, - { "AES-128-ECB", "fips=yes", aes128ecb_functions }, - { "AES-256-CBC", "fips=yes", aes256cbc_functions }, - { "AES-192-CBC", "fips=yes", aes192cbc_functions }, - { "AES-128-CBC", "fips=yes", aes128cbc_functions }, - { "AES-256-CTR", "fips=yes", aes256ctr_functions }, - { "AES-192-CTR", "fips=yes", aes192ctr_functions }, - { "AES-128-CTR", "fips=yes", aes128ctr_functions }, - { "AES-256-XTS", "fips=yes", aes256xts_functions }, - { "AES-128-XTS", "fips=yes", aes128xts_functions }, - { "AES-256-GCM:id-aes256-GCM", "fips=yes", aes256gcm_functions }, - { "AES-192-GCM:id-aes192-GCM", "fips=yes", aes192gcm_functions }, - { "AES-128-GCM:id-aes128-GCM", "fips=yes", aes128gcm_functions }, - { "AES-256-CCM:id-aes256-CCM", "fips=yes", aes256ccm_functions }, - { "AES-192-CCM:id-aes192-CCM", "fips=yes", aes192ccm_functions }, - { "AES-128-CCM:id-aes128-CCM", "fips=yes", aes128ccm_functions }, - { "AES-256-WRAP:id-aes256-wrap:AES256-WRAP", "fips=yes", - aes256wrap_functions }, - { "AES-192-WRAP:id-aes192-wrap:AES192-WRAP", "fips=yes", - aes192wrap_functions }, - { "AES-128-WRAP:id-aes128-wrap:AES128-WRAP", "fips=yes", - aes128wrap_functions }, - { "AES-256-WRAP-PAD:id-aes256-wrap-pad:AES256-WRAP-PAD", "fips=yes", - aes256wrappad_functions }, - { "AES-192-WRAP-PAD:id-aes192-wrap-pad:AES192-WRAP-PAD", "fips=yes", - aes192wrappad_functions }, - { "AES-128-WRAP-PAD:id-aes128-wrap-pad:AES128-WRAP-PAD", "fips=yes", - aes128wrappad_functions }, + ALG("AES-256-ECB", aes256ecb_functions), + ALG("AES-192-ECB", aes192ecb_functions), + ALG("AES-128-ECB", aes128ecb_functions), + ALG("AES-256-CBC", aes256cbc_functions), + ALG("AES-192-CBC", aes192cbc_functions), + ALG("AES-128-CBC", aes128cbc_functions), + ALG("AES-256-CTR", aes256ctr_functions), + ALG("AES-192-CTR", aes192ctr_functions), + ALG("AES-128-CTR", aes128ctr_functions), + ALG("AES-256-XTS", aes256xts_functions), + ALG("AES-128-XTS", aes128xts_functions), + ALG("AES-256-GCM:id-aes256-GCM", aes256gcm_functions), + ALG("AES-192-GCM:id-aes192-GCM", aes192gcm_functions), + ALG("AES-128-GCM:id-aes128-GCM", aes128gcm_functions), + ALG("AES-256-CCM:id-aes256-CCM", aes256ccm_functions), + ALG("AES-192-CCM:id-aes192-CCM", aes192ccm_functions), + ALG("AES-128-CCM:id-aes128-CCM", aes128ccm_functions), + ALG("AES-256-WRAP:id-aes256-wrap:AES256-WRAP", aes256wrap_functions), + ALG("AES-192-WRAP:id-aes192-wrap:AES192-WRAP", aes192wrap_functions), + ALG("AES-128-WRAP:id-aes128-wrap:AES128-WRAP", aes128wrap_functions), + ALG("AES-256-WRAP-PAD:id-aes256-wrap-pad:AES256-WRAP-PAD", + aes256wrappad_functions), + ALG("AES-192-WRAP-PAD:id-aes192-wrap-pad:AES192-WRAP-PAD", + aes192wrappad_functions), + ALG("AES-128-WRAP-PAD:id-aes128-wrap-pad:AES128-WRAP-PAD", + aes128wrappad_functions), + ALGC("AES-128-CBC-HMAC-SHA1", aes128cbc_hmac_sha1_functions, + cipher_capable_aes_cbc_hmac_sha1), + ALGC("AES-256-CBC-HMAC-SHA1", aes256cbc_hmac_sha1_functions, + cipher_capable_aes_cbc_hmac_sha1), + ALGC("AES-128-CBC-HMAC-SHA256", aes128cbc_hmac_sha256_functions, + cipher_capable_aes_cbc_hmac_sha256), + ALGC("AES-256-CBC-HMAC-SHA256", aes256cbc_hmac_sha256_functions, + cipher_capable_aes_cbc_hmac_sha256), #ifndef OPENSSL_NO_DES - { "DES-EDE3-ECB:DES-EDE3", "fips=yes", tdes_ede3_ecb_functions }, - { "DES-EDE3-CBC:DES3", "fips=yes", tdes_ede3_cbc_functions }, + ALG("DES-EDE3-ECB:DES-EDE3", tdes_ede3_ecb_functions), + ALG("DES-EDE3-CBC:DES3", tdes_ede3_cbc_functions), #endif /* OPENSSL_NO_DES */ - { NULL, NULL, NULL } + { { NULL, NULL, NULL }, NULL } }; +static OSSL_ALGORITHM exported_fips_ciphers[OSSL_NELEM(fips_ciphers)]; static const OSSL_ALGORITHM fips_macs[] = { #ifndef OPENSSL_NO_CMAC @@ -416,6 +435,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = { { NULL, NULL, NULL } }; + static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov, int operation_id, int *no_cache) @@ -425,7 +445,8 @@ static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov, case OSSL_OP_DIGEST: return fips_digests; case OSSL_OP_CIPHER: - return fips_ciphers; + ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); + return exported_fips_ciphers; case OSSL_OP_MAC: return fips_macs; case OSSL_OP_KDF: diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info index abc193bb1d..bff5a2d41f 100644 --- a/providers/implementations/ciphers/build.info +++ b/providers/implementations/ciphers/build.info @@ -40,7 +40,10 @@ SOURCE[$AES_GOAL]=\ cipher_aes_xts.c cipher_aes_xts_hw.c \ cipher_aes_gcm.c cipher_aes_gcm_hw.c \ cipher_aes_ccm.c cipher_aes_ccm_hw.c \ - cipher_aes_wrp.c + cipher_aes_wrp.c \ + cipher_aes_cbc_hmac_sha.c \ + cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c + # Extra code to satisfy the FIPS and non-FIPS separation. # When the AES-xxx-XTS moves to legacy, this can be removed. SOURCE[../../libfips.a]=cipher_aes_xts_fips.c @@ -129,4 +132,3 @@ IF[{- !$disabled{chacha} -}] cipher_chacha20_poly1305.c cipher_chacha20_poly1305_hw.c ENDIF ENDIF - diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c new file mode 100644 index 0000000000..00b46c3f78 --- /dev/null +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -0,0 +1,345 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* Dispatch functions for AES_CBC_HMAC_SHA ciphers */ + + +#include "cipher_aes_cbc_hmac_sha.h" +#include "prov/implementations.h" + +#ifndef AES_CBC_HMAC_SHA_CAPABLE +# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, flags) \ +const OSSL_DISPATCH nm##kbits##sub##_functions[] = { \ + { 0, NULL } \ +}; +#else +# include "prov/providercommonerr.h" + +/* TODO(3.0) Figure out what flags are required */ +# define AES_CBC_HMAC_SHA_FLAGS (EVP_CIPH_CBC_MODE \ + | EVP_CIPH_FLAG_DEFAULT_ASN1 \ + | EVP_CIPH_FLAG_AEAD_CIPHER \ + | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) + +static OSSL_OP_cipher_freectx_fn aes_cbc_hmac_sha1_freectx; +static OSSL_OP_cipher_freectx_fn aes_cbc_hmac_sha256_freectx; +static OSSL_OP_cipher_get_ctx_params_fn aes_get_ctx_params; +static OSSL_OP_cipher_gettable_ctx_params_fn aes_gettable_ctx_params; +static OSSL_OP_cipher_set_ctx_params_fn aes_set_ctx_params; +static OSSL_OP_cipher_settable_ctx_params_fn aes_settable_ctx_params; +# define aes_gettable_params cipher_generic_gettable_params +# define aes_einit cipher_generic_einit +# define aes_dinit cipher_generic_dinit +# define aes_update cipher_generic_stream_update +# define aes_final cipher_generic_stream_final +# define aes_cipher cipher_generic_cipher + +static const OSSL_PARAM cipher_aes_known_settable_ctx_params[] = { + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_MAC_KEY, NULL, 0), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0), +# if !defined(OPENSSL_NO_MULTIBLOCK) + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT, NULL), + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD, NULL), + OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, NULL), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC, NULL, 0), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN, NULL, 0), +# endif /* !defined(OPENSSL_NO_MULTIBLOCK) */ + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), + OSSL_PARAM_END +}; +const OSSL_PARAM *aes_settable_ctx_params(void) +{ + return cipher_aes_known_settable_ctx_params; +} + +static int aes_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_CIPHER_HW_AES_HMAC_SHA *hw = + (PROV_CIPHER_HW_AES_HMAC_SHA *)ctx->hw; + EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; + const OSSL_PARAM *p, *p1, *pin; + int ret = 1; + + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_MAC_KEY); + if (p != NULL) { + if (p->data_type != OSSL_PARAM_OCTET_STRING) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + hw->init_mac_key(ctx, p->data, p->data_size); + } + +# if !defined(OPENSSL_NO_MULTIBLOCK) + p = OSSL_PARAM_locate_const(params, + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT); + if (p != NULL + && !OSSL_PARAM_get_size_t(p, &ctx->multiblock_max_send_fragment)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + /* + * The inputs to tls1_multiblock_aad are: + * mb_param->inp + * mb_param->len + * mb_param->interleave + * The outputs of tls1_multiblock_aad are written to: + * ctx->multiblock_interleave + * ctx->multiblock_aad_packlen + */ + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD); + if (p != NULL) { + p1 = OSSL_PARAM_locate_const(params, + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE); + if (p->data_type != OSSL_PARAM_OCTET_STRING + || p1 == NULL + || !OSSL_PARAM_get_uint(p1, &mb_param.interleave)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + mb_param.inp = p->data; + mb_param.len = p->data_size; + if (hw->tls1_multiblock_aad(vctx, &mb_param) <= 0) + return 0; + } + + /* + * The inputs to tls1_multiblock_encrypt are: + * mb_param->inp + * mb_param->len + * mb_param->interleave + * mb_param->out + * The outputs of tls1_multiblock_encrypt are: + * ctx->multiblock_encrypt_len + */ + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC); + if (p != NULL) { + p1 = OSSL_PARAM_locate_const(params, + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE); + pin = OSSL_PARAM_locate_const(params, + OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN); + if (p->data_type != OSSL_PARAM_OCTET_STRING + || pin == NULL + || pin->data_type != OSSL_PARAM_OCTET_STRING + || p1 == NULL + || !OSSL_PARAM_get_uint(p1, &mb_param.interleave)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + mb_param.out = p->data; + mb_param.inp = pin->data; + mb_param.len = pin->data_size; + if (hw->tls1_multiblock_encrypt(vctx, &mb_param) <= 0) + return 0; + } +# endif /* !defined(OPENSSL_NO_MULTIBLOCK) */ + + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD); + if (p != NULL) { + if (p->data_type != OSSL_PARAM_OCTET_STRING) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + if (hw->set_tls1_aad(ctx, p->data, p->data_size) <= 0) + return 0; + } + + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); + if (p != NULL) { + size_t keylen; + + if (!OSSL_PARAM_get_size_t(p, &keylen)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + if (ctx->base.keylen != keylen) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } + } + return ret; +} + +static int aes_get_ctx_params(void *vctx, OSSL_PARAM params[]) +{ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_CIPHER_HW_AES_HMAC_SHA *hw = + (PROV_CIPHER_HW_AES_HMAC_SHA *)ctx->hw; + OSSL_PARAM *p; + +# if !defined(OPENSSL_NO_MULTIBLOCK) + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE); + if (p != NULL) { + size_t len = hw->tls1_multiblock_max_bufsize(ctx); + + if (!OSSL_PARAM_set_size_t(p, len)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + } + + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE); + if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->multiblock_interleave)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN); + if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->multiblock_aad_packlen)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN); + if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->multiblock_encrypt_len)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } +# endif /* !defined(OPENSSL_NO_MULTIBLOCK) */ + + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD); + if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN); + if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.keylen)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN); + if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.ivlen)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV); + if (p != NULL + && !OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + return 1; +} + +static const OSSL_PARAM cipher_aes_known_gettable_ctx_params[] = { +# if !defined(OPENSSL_NO_MULTIBLOCK) + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE, NULL), + OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, NULL), + OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN, NULL), + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN, NULL), +# endif /* !defined(OPENSSL_NO_MULTIBLOCK) */ + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), + OSSL_PARAM_END +}; +const OSSL_PARAM *aes_gettable_ctx_params(void) +{ + return cipher_aes_known_gettable_ctx_params; +} + +static void base_init(void *provctx, PROV_AES_HMAC_SHA_CTX *ctx, + const PROV_CIPHER_HW_AES_HMAC_SHA *meths, + size_t kbits, size_t blkbits, size_t ivbits, + uint64_t flags) +{ + cipher_generic_initkey(&ctx->base, kbits, blkbits, ivbits, + EVP_CIPH_CBC_MODE, flags, + &meths->base, provctx); + ctx->hw = (PROV_CIPHER_HW_AES_HMAC_SHA *)ctx->base.hw; +} + +static void *aes_cbc_hmac_sha1_newctx(void *provctx, size_t kbits, + size_t blkbits, size_t ivbits, + uint64_t flags) +{ + PROV_AES_HMAC_SHA1_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); + + if (ctx != NULL) + base_init(provctx, &ctx->base_ctx, + PROV_CIPHER_HW_aes_cbc_hmac_sha1(), kbits, blkbits, + ivbits, flags); + return ctx; +} + +static void aes_cbc_hmac_sha1_freectx(void *vctx) +{ + PROV_AES_HMAC_SHA1_CTX *ctx = (PROV_AES_HMAC_SHA1_CTX *)vctx; + + if (ctx != NULL) + OPENSSL_clear_free(ctx, sizeof(ctx)); +} + +static void *aes_cbc_hmac_sha256_newctx(void *provctx, size_t kbits, + size_t blkbits, size_t ivbits, + uint64_t flags) +{ + PROV_AES_HMAC_SHA256_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); + + if (ctx != NULL) + base_init(provctx, &ctx->base_ctx, + PROV_CIPHER_HW_aes_cbc_hmac_sha256(), kbits, blkbits, + ivbits, flags); + return ctx; +} + +static void aes_cbc_hmac_sha256_freectx(void *vctx) +{ + PROV_AES_HMAC_SHA256_CTX *ctx = (PROV_AES_HMAC_SHA256_CTX *)vctx; + + if (ctx != NULL) + OPENSSL_clear_free(ctx, sizeof(ctx)); +} + +# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, flags) \ +static OSSL_OP_cipher_newctx_fn nm##_##kbits##_##sub##_newctx; \ +static void *nm##_##kbits##_##sub##_newctx(void *provctx) \ +{ \ + return nm##_##sub##_newctx(provctx, kbits, blkbits, ivbits, flags); \ +} \ +static OSSL_OP_cipher_get_params_fn nm##_##kbits##_##sub##_get_params; \ +static int nm##_##kbits##_##sub##_get_params(OSSL_PARAM params[]) \ +{ \ + return cipher_generic_get_params(params, EVP_CIPH_CBC_MODE, \ + flags, kbits, blkbits, ivbits); \ +} \ +const OSSL_DISPATCH nm##kbits##sub##_functions[] = { \ + { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))nm##_##kbits##_##sub##_newctx },\ + { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))nm##_##sub##_freectx }, \ + { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))nm##_einit }, \ + { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))nm##_dinit }, \ + { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))nm##_update }, \ + { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))nm##_final }, \ + { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))nm##_cipher }, \ + { OSSL_FUNC_CIPHER_GET_PARAMS, \ + (void (*)(void))nm##_##kbits##_##sub##_get_params }, \ + { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ + (void (*)(void))nm##_gettable_params }, \ + { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \ + (void (*)(void))nm##_get_ctx_params }, \ + { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \ + (void (*)(void))nm##_gettable_ctx_params }, \ + { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \ + (void (*)(void))nm##_set_ctx_params }, \ + { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \ + (void (*)(void))nm##_settable_ctx_params }, \ + { 0, NULL } \ +}; + +#endif /* AES_CBC_HMAC_SHA_CAPABLE */ + +/* aes128cbc_hmac_sha1_functions */ +IMPLEMENT_CIPHER(aes, cbc_hmac_sha1, 128, 128, 128, AES_CBC_HMAC_SHA_FLAGS) +/* aes256cbc_hmac_sha1_functions */ +IMPLEMENT_CIPHER(aes, cbc_hmac_sha1, 256, 128, 128, AES_CBC_HMAC_SHA_FLAGS) +/* aes128cbc_hmac_sha256_functions */ +IMPLEMENT_CIPHER(aes, cbc_hmac_sha256, 128, 128, 128, AES_CBC_HMAC_SHA_FLAGS) +/* aes256cbc_hmac_sha256_functions */ +IMPLEMENT_CIPHER(aes, cbc_hmac_sha256, 256, 128, 128, AES_CBC_HMAC_SHA_FLAGS) diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.h b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.h new file mode 100644 index 0000000000..86da791c49 --- /dev/null +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.h @@ -0,0 +1,65 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "prov/ciphercommon.h" +#include "crypto/aes_platform.h" + +int cipher_capable_aes_cbc_hmac_sha1(void); +int cipher_capable_aes_cbc_hmac_sha256(void); + +#ifdef AES_CBC_HMAC_SHA_CAPABLE +# include +# include + +typedef struct prov_cipher_hw_aes_hmac_sha_ctx_st { + PROV_CIPHER_HW base; /* must be first */ + void (*init_mac_key)(void *ctx, const unsigned char *inkey, size_t inlen); + int (*set_tls1_aad)(void *ctx, unsigned char *aad_rec, int aad_len); +# if !defined(OPENSSL_NO_MULTIBLOCK) + int (*tls1_multiblock_max_bufsize)(void *ctx); + int (*tls1_multiblock_aad)( + void *vctx, EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param); + int (*tls1_multiblock_encrypt)( + void *ctx, EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param); +# endif /* OPENSSL_NO_MULTIBLOCK) */ +} PROV_CIPHER_HW_AES_HMAC_SHA; + +typedef struct prov_aes_hmac_sha_ctx_st { + PROV_CIPHER_CTX base; + AES_KEY ks; + size_t payload_length; /* AAD length in decrypt case */ + union { + unsigned int tls_ver; + unsigned char tls_aad[16]; /* 13 used */ + } aux; + const PROV_CIPHER_HW_AES_HMAC_SHA *hw; + /* some value that are setup by set methods - that can be retrieved */ + unsigned int multiblock_interleave; + unsigned int multiblock_aad_packlen; + size_t multiblock_max_send_fragment; + size_t multiblock_encrypt_len; + size_t tls_aad_pad; +} PROV_AES_HMAC_SHA_CTX; + +typedef struct prov_aes_hmac_sha1_ctx_st { + PROV_AES_HMAC_SHA_CTX base_ctx; + SHA_CTX head, tail, md; +} PROV_AES_HMAC_SHA1_CTX; + +typedef struct prov_aes_hmac_sha256_ctx_st { + PROV_AES_HMAC_SHA_CTX base_ctx; + SHA256_CTX head, tail, md; +} PROV_AES_HMAC_SHA256_CTX; + +# define NO_PAYLOAD_LENGTH ((size_t)-1) + +const PROV_CIPHER_HW_AES_HMAC_SHA *PROV_CIPHER_HW_aes_cbc_hmac_sha1(void); +const PROV_CIPHER_HW_AES_HMAC_SHA *PROV_CIPHER_HW_aes_cbc_hmac_sha256(void); + +#endif /* AES_CBC_HMAC_SHA_CAPABLE */ diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha1_hw.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha1_hw.c new file mode 100644 index 0000000000..125369d7ff --- /dev/null +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha1_hw.c @@ -0,0 +1,782 @@ +/* + * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "cipher_aes_cbc_hmac_sha.h" + +#ifndef AES_CBC_HMAC_SHA_CAPABLE +int cipher_capable_aes_cbc_hmac_sha1(void) +{ + return 0; +} +#else + +# include "crypto/rand.h" +# include "crypto/evp.h" +# include "internal/constant_time.h" + +void sha1_block_data_order(void *c, const void *p, size_t len); +void aesni_cbc_sha1_enc(const void *inp, void *out, size_t blocks, + const AES_KEY *key, unsigned char iv[16], + SHA_CTX *ctx, const void *in0); + +int cipher_capable_aes_cbc_hmac_sha1(void) +{ + return AESNI_CBC_HMAC_SHA_CAPABLE; +} + +static int aesni_cbc_hmac_sha1_init_key(PROV_CIPHER_CTX *vctx, + const unsigned char *key, size_t keylen) +{ + int ret; + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_AES_HMAC_SHA1_CTX *sctx = (PROV_AES_HMAC_SHA1_CTX *)vctx; + + if (ctx->base.enc) + ret = aesni_set_encrypt_key(key, keylen * 8, &ctx->ks); + else + ret = aesni_set_decrypt_key(key, keylen * 8, &ctx->ks); + + SHA1_Init(&sctx->head); /* handy when benchmarking */ + sctx->tail = sctx->head; + sctx->md = sctx->head; + + ctx->payload_length = NO_PAYLOAD_LENGTH; + + return ret < 0 ? 0 : 1; +} + +static void sha1_update(SHA_CTX *c, const void *data, size_t len) +{ + const unsigned char *ptr = data; + size_t res; + + if ((res = c->num)) { + res = SHA_CBLOCK - res; + if (len < res) + res = len; + SHA1_Update(c, ptr, res); + ptr += res; + len -= res; + } + + res = len % SHA_CBLOCK; + len -= res; + + if (len) { + sha1_block_data_order(c, ptr, len / SHA_CBLOCK); + + ptr += len; + c->Nh += len >> 29; + c->Nl += len <<= 3; + if (c->Nl < (unsigned int)len) + c->Nh++; + } + + if (res) + SHA1_Update(c, ptr, res); +} + +# if !defined(OPENSSL_NO_MULTIBLOCK) + +typedef struct { + unsigned int A[8], B[8], C[8], D[8], E[8]; +} SHA1_MB_CTX; + +typedef struct { + const unsigned char *ptr; + int blocks; +} HASH_DESC; + +typedef struct { + const unsigned char *inp; + unsigned char *out; + int blocks; + u64 iv[2]; +} CIPH_DESC; + +void sha1_multi_block(SHA1_MB_CTX *, const HASH_DESC *, int); +void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int); + +static size_t tls1_multi_block_encrypt(void *vctx, + unsigned char *out, + const unsigned char *inp, + size_t inp_len, int n4x) +{ /* n4x is 1 or 2 */ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_AES_HMAC_SHA1_CTX *sctx = (PROV_AES_HMAC_SHA1_CTX *)vctx; + HASH_DESC hash_d[8], edges[8]; + CIPH_DESC ciph_d[8]; + unsigned char storage[sizeof(SHA1_MB_CTX) + 32]; + union { + u64 q[16]; + u32 d[32]; + u8 c[128]; + } blocks[8]; + SHA1_MB_CTX *mctx; + unsigned int frag, last, packlen, i; + unsigned int x4 = 4 * n4x, minblocks, processed = 0; + size_t ret = 0; + u8 *IVs; +# if defined(BSWAP8) + u64 seqnum; +# endif + + /* ask for IVs in bulk */ + if (rand_bytes_ex(ctx->base.libctx, (IVs = blocks[0].c), 16 * x4) <= 0) + return 0; + + mctx = (SHA1_MB_CTX *) (storage + 32 - ((size_t)storage % 32)); /* align */ + + frag = (unsigned int)inp_len >> (1 + n4x); + last = (unsigned int)inp_len + frag - (frag << (1 + n4x)); + if (last > frag && ((last + 13 + 9) % 64) < (x4 - 1)) { + frag++; + last -= x4 - 1; + } + + packlen = 5 + 16 + ((frag + 20 + 16) & -16); + + /* populate descriptors with pointers and IVs */ + hash_d[0].ptr = inp; + ciph_d[0].inp = inp; + /* 5+16 is place for header and explicit IV */ + ciph_d[0].out = out + 5 + 16; + memcpy(ciph_d[0].out - 16, IVs, 16); + memcpy(ciph_d[0].iv, IVs, 16); + IVs += 16; + + for (i = 1; i < x4; i++) { + ciph_d[i].inp = hash_d[i].ptr = hash_d[i - 1].ptr + frag; + ciph_d[i].out = ciph_d[i - 1].out + packlen; + memcpy(ciph_d[i].out - 16, IVs, 16); + memcpy(ciph_d[i].iv, IVs, 16); + IVs += 16; + } + +# if defined(BSWAP8) + memcpy(blocks[0].c, sctx->md.data, 8); + seqnum = BSWAP8(blocks[0].q[0]); +# endif + for (i = 0; i < x4; i++) { + unsigned int len = (i == (x4 - 1) ? last : frag); +# if !defined(BSWAP8) + unsigned int carry, j; +# endif + + mctx->A[i] = sctx->md.h0; + mctx->B[i] = sctx->md.h1; + mctx->C[i] = sctx->md.h2; + mctx->D[i] = sctx->md.h3; + mctx->E[i] = sctx->md.h4; + + /* fix seqnum */ +# if defined(BSWAP8) + blocks[i].q[0] = BSWAP8(seqnum + i); +# else + for (carry = i, j = 8; j--;) { + blocks[i].c[j] = ((u8 *)sctx->md.data)[j] + carry; + carry = (blocks[i].c[j] - carry) >> (sizeof(carry) * 8 - 1); + } +# endif + blocks[i].c[8] = ((u8 *)sctx->md.data)[8]; + blocks[i].c[9] = ((u8 *)sctx->md.data)[9]; + blocks[i].c[10] = ((u8 *)sctx->md.data)[10]; + /* fix length */ + blocks[i].c[11] = (u8)(len >> 8); + blocks[i].c[12] = (u8)(len); + + memcpy(blocks[i].c + 13, hash_d[i].ptr, 64 - 13); + hash_d[i].ptr += 64 - 13; + hash_d[i].blocks = (len - (64 - 13)) / 64; + + edges[i].ptr = blocks[i].c; + edges[i].blocks = 1; + } + + /* hash 13-byte headers and first 64-13 bytes of inputs */ + sha1_multi_block(mctx, edges, n4x); + /* hash bulk inputs */ +# define MAXCHUNKSIZE 2048 +# if MAXCHUNKSIZE%64 +# error "MAXCHUNKSIZE is not divisible by 64" +# elif MAXCHUNKSIZE + /* + * goal is to minimize pressure on L1 cache by moving in shorter steps, + * so that hashed data is still in the cache by the time we encrypt it + */ + minblocks = ((frag <= last ? frag : last) - (64 - 13)) / 64; + if (minblocks > MAXCHUNKSIZE / 64) { + for (i = 0; i < x4; i++) { + edges[i].ptr = hash_d[i].ptr; + edges[i].blocks = MAXCHUNKSIZE / 64; + ciph_d[i].blocks = MAXCHUNKSIZE / 16; + } + do { + sha1_multi_block(mctx, edges, n4x); + aesni_multi_cbc_encrypt(ciph_d, &ctx->ks, n4x); + + for (i = 0; i < x4; i++) { + edges[i].ptr = hash_d[i].ptr += MAXCHUNKSIZE; + hash_d[i].blocks -= MAXCHUNKSIZE / 64; + edges[i].blocks = MAXCHUNKSIZE / 64; + ciph_d[i].inp += MAXCHUNKSIZE; + ciph_d[i].out += MAXCHUNKSIZE; + ciph_d[i].blocks = MAXCHUNKSIZE / 16; + memcpy(ciph_d[i].iv, ciph_d[i].out - 16, 16); + } + processed += MAXCHUNKSIZE; + minblocks -= MAXCHUNKSIZE / 64; + } while (minblocks > MAXCHUNKSIZE / 64); + } +# endif +# undef MAXCHUNKSIZE + sha1_multi_block(mctx, hash_d, n4x); + + memset(blocks, 0, sizeof(blocks)); + for (i = 0; i < x4; i++) { + unsigned int len = (i == (x4 - 1) ? last : frag), + off = hash_d[i].blocks * 64; + const unsigned char *ptr = hash_d[i].ptr + off; + + off = (len - processed) - (64 - 13) - off; /* remainder actually */ + memcpy(blocks[i].c, ptr, off); + blocks[i].c[off] = 0x80; + len += 64 + 13; /* 64 is HMAC header */ + len *= 8; /* convert to bits */ + if (off < (64 - 8)) { +# ifdef BSWAP4 + blocks[i].d[15] = BSWAP4(len); +# else + PUTU32(blocks[i].c + 60, len); +# endif + edges[i].blocks = 1; + } else { +# ifdef BSWAP4 + blocks[i].d[31] = BSWAP4(len); +# else + PUTU32(blocks[i].c + 124, len); +# endif + edges[i].blocks = 2; + } + edges[i].ptr = blocks[i].c; + } + + /* hash input tails and finalize */ + sha1_multi_block(mctx, edges, n4x); + + memset(blocks, 0, sizeof(blocks)); + for (i = 0; i < x4; i++) { +# ifdef BSWAP4 + blocks[i].d[0] = BSWAP4(mctx->A[i]); + mctx->A[i] = sctx->tail.h0; + blocks[i].d[1] = BSWAP4(mctx->B[i]); + mctx->B[i] = sctx->tail.h1; + blocks[i].d[2] = BSWAP4(mctx->C[i]); + mctx->C[i] = sctx->tail.h2; + blocks[i].d[3] = BSWAP4(mctx->D[i]); + mctx->D[i] = sctx->tail.h3; + blocks[i].d[4] = BSWAP4(mctx->E[i]); + mctx->E[i] = sctx->tail.h4; + blocks[i].c[20] = 0x80; + blocks[i].d[15] = BSWAP4((64 + 20) * 8); +# else + PUTU32(blocks[i].c + 0, mctx->A[i]); + mctx->A[i] = sctx->tail.h0; + PUTU32(blocks[i].c + 4, mctx->B[i]); + mctx->B[i] = sctx->tail.h1; + PUTU32(blocks[i].c + 8, mctx->C[i]); + mctx->C[i] = sctx->tail.h2; + PUTU32(blocks[i].c + 12, mctx->D[i]); + mctx->D[i] = sctx->tail.h3; + PUTU32(blocks[i].c + 16, mctx->E[i]); + mctx->E[i] = sctx->tail.h4; + blocks[i].c[20] = 0x80; + PUTU32(blocks[i].c + 60, (64 + 20) * 8); +# endif /* BSWAP */ + edges[i].ptr = blocks[i].c; + edges[i].blocks = 1; + } + + /* finalize MACs */ + sha1_multi_block(mctx, edges, n4x); + + for (i = 0; i < x4; i++) { + unsigned int len = (i == (x4 - 1) ? last : frag), pad, j; + unsigned char *out0 = out; + + memcpy(ciph_d[i].out, ciph_d[i].inp, len - processed); + ciph_d[i].inp = ciph_d[i].out; + + out += 5 + 16 + len; + + /* write MAC */ + PUTU32(out + 0, mctx->A[i]); + PUTU32(out + 4, mctx->B[i]); + PUTU32(out + 8, mctx->C[i]); + PUTU32(out + 12, mctx->D[i]); + PUTU32(out + 16, mctx->E[i]); + out += 20; + len += 20; + + /* pad */ + pad = 15 - len % 16; + for (j = 0; j <= pad; j++) + *(out++) = pad; + len += pad + 1; + + ciph_d[i].blocks = (len - processed) / 16; + len += 16; /* account for explicit iv */ + + /* arrange header */ + out0[0] = ((u8 *)sctx->md.data)[8]; + out0[1] = ((u8 *)sctx->md.data)[9]; + out0[2] = ((u8 *)sctx->md.data)[10]; + out0[3] = (u8)(len >> 8); + out0[4] = (u8)(len); + + ret += len + 5; + inp += frag; + } + + aesni_multi_cbc_encrypt(ciph_d, &ctx->ks, n4x); + + OPENSSL_cleanse(blocks, sizeof(blocks)); + OPENSSL_cleanse(mctx, sizeof(*mctx)); + + ctx->multiblock_encrypt_len = ret; + return ret; +} +# endif /* OPENSSL_NO_MULTIBLOCK */ + +static int aesni_cbc_hmac_sha1_cipher(PROV_CIPHER_CTX *vctx, + unsigned char *out, + const unsigned char *in, size_t len) +{ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_AES_HMAC_SHA1_CTX *sctx = (PROV_AES_HMAC_SHA1_CTX *)vctx; + unsigned int l; + size_t plen = ctx->payload_length; + size_t iv = 0; /* explicit IV in TLS 1.1 and later */ + size_t aes_off = 0, blocks; + size_t sha_off = SHA_CBLOCK - sctx->md.num; + + ctx->payload_length = NO_PAYLOAD_LENGTH; + + if (len % AES_BLOCK_SIZE) + return 0; + + if (ctx->base.enc) { + if (plen == NO_PAYLOAD_LENGTH) + plen = len; + else if (len != + ((plen + SHA_DIGEST_LENGTH + + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)) + return 0; + else if (ctx->aux.tls_ver >= TLS1_1_VERSION) + iv = AES_BLOCK_SIZE; + + if (plen > (sha_off + iv) + && (blocks = (plen - (sha_off + iv)) / SHA_CBLOCK)) { + sha1_update(&sctx->md, in + iv, sha_off); + + aesni_cbc_sha1_enc(in, out, blocks, &ctx->ks, ctx->base.iv, + &sctx->md, in + iv + sha_off); + blocks *= SHA_CBLOCK; + aes_off += blocks; + sha_off += blocks; + sctx->md.Nh += blocks >> 29; + sctx->md.Nl += blocks <<= 3; + if (sctx->md.Nl < (unsigned int)blocks) + sctx->md.Nh++; + } else { + sha_off = 0; + } + sha_off += iv; + sha1_update(&sctx->md, in + sha_off, plen - sha_off); + + if (plen != len) { /* "TLS" mode of operation */ + if (in != out) + memcpy(out + aes_off, in + aes_off, plen - aes_off); + + /* calculate HMAC and append it to payload */ + SHA1_Final(out + plen, &sctx->md); + sctx->md = sctx->tail; + sha1_update(&sctx->md, out + plen, SHA_DIGEST_LENGTH); + SHA1_Final(out + plen, &sctx->md); + + /* pad the payload|hmac */ + plen += SHA_DIGEST_LENGTH; + for (l = len - plen - 1; plen < len; plen++) + out[plen] = l; + /* encrypt HMAC|padding at once */ + aesni_cbc_encrypt(out + aes_off, out + aes_off, len - aes_off, + &ctx->ks, ctx->base.iv, 1); + } else { + aesni_cbc_encrypt(in + aes_off, out + aes_off, len - aes_off, + &ctx->ks, ctx->base.iv, 1); + } + } else { + union { + unsigned int u[SHA_DIGEST_LENGTH / sizeof(unsigned int)]; + unsigned char c[32 + SHA_DIGEST_LENGTH]; + } mac, *pmac; + + /* arrange cache line alignment */ + pmac = (void *)(((size_t)mac.c + 31) & ((size_t)0 - 32)); + + if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */ + size_t inp_len, mask, j, i; + unsigned int res, maxpad, pad, bitlen; + int ret = 1; + union { + unsigned int u[SHA_LBLOCK]; + unsigned char c[SHA_CBLOCK]; + } *data = (void *)sctx->md.data; + + if ((ctx->aux.tls_aad[plen - 4] << 8 | ctx->aux.tls_aad[plen - 3]) + >= TLS1_1_VERSION) { + if (len < (AES_BLOCK_SIZE + SHA_DIGEST_LENGTH + 1)) + return 0; + + /* omit explicit iv */ + memcpy(ctx->base.iv, in, AES_BLOCK_SIZE); + + in += AES_BLOCK_SIZE; + out += AES_BLOCK_SIZE; + len -= AES_BLOCK_SIZE; + } else if (len < (SHA_DIGEST_LENGTH + 1)) + return 0; + + /* decrypt HMAC|padding at once */ + aesni_cbc_encrypt(in, out, len, &ctx->ks, ctx->base.iv, 0); + + /* figure out payload length */ + pad = out[len - 1]; + maxpad = len - (SHA_DIGEST_LENGTH + 1); + maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); + maxpad &= 255; + + mask = constant_time_ge(maxpad, pad); + ret &= mask; + /* + * If pad is invalid then we will fail the above test but we must + * continue anyway because we are in constant time code. However, + * we'll use the maxpad value instead of the supplied pad to make + * sure we perform well defined pointer arithmetic. + */ + pad = constant_time_select(mask, pad, maxpad); + + inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); + + ctx->aux.tls_aad[plen - 2] = inp_len >> 8; + ctx->aux.tls_aad[plen - 1] = inp_len; + + /* calculate HMAC */ + sctx->md = sctx->head; + sha1_update(&sctx->md, ctx->aux.tls_aad, plen); + + /* code containing lucky-13 fix */ + len -= SHA_DIGEST_LENGTH; /* amend mac */ + if (len >= (256 + SHA_CBLOCK)) { + j = (len - (256 + SHA_CBLOCK)) & (0 - SHA_CBLOCK); + j += SHA_CBLOCK - sctx->md.num; + sha1_update(&sctx->md, out, j); + out += j; + len -= j; + inp_len -= j; + } + + /* but pretend as if we hashed padded payload */ + bitlen = sctx->md.Nl + (inp_len << 3); /* at most 18 bits */ +# ifdef BSWAP4 + bitlen = BSWAP4(bitlen); +# else + mac.c[0] = 0; + mac.c[1] = (unsigned char)(bitlen >> 16); + mac.c[2] = (unsigned char)(bitlen >> 8); + mac.c[3] = (unsigned char)bitlen; + bitlen = mac.u[0]; +# endif /* BSWAP */ + + pmac->u[0] = 0; + pmac->u[1] = 0; + pmac->u[2] = 0; + pmac->u[3] = 0; + pmac->u[4] = 0; + + for (res = sctx->md.num, j = 0; j < len; j++) { + size_t c = out[j]; + mask = (j - inp_len) >> (sizeof(j) * 8 - 8); + c &= mask; + c |= 0x80 & ~mask & ~((inp_len - j) >> (sizeof(j) * 8 - 8)); + data->c[res++] = (unsigned char)c; + + if (res != SHA_CBLOCK) + continue; + + /* j is not incremented yet */ + mask = 0 - ((inp_len + 7 - j) >> (sizeof(j) * 8 - 1)); + data->u[SHA_LBLOCK - 1] |= bitlen & mask; + sha1_block_data_order(&sctx->md, data, 1); + mask &= 0 - ((j - inp_len - 72) >> (sizeof(j) * 8 - 1)); + pmac->u[0] |= sctx->md.h0 & mask; + pmac->u[1] |= sctx->md.h1 & mask; + pmac->u[2] |= sctx->md.h2 & mask; + pmac->u[3] |= sctx->md.h3 & mask; + pmac->u[4] |= sctx->md.h4 & mask; + res = 0; + } + + for (i = res; i < SHA_CBLOCK; i++, j++) + data->c[i] = 0; + + if (res > SHA_CBLOCK - 8) { + mask = 0 - ((inp_len + 8 - j) >> (sizeof(j) * 8 - 1)); + data->u[SHA_LBLOCK - 1] |= bitlen & mask; + sha1_block_data_order(&sctx->md, data, 1); + mask &= 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1)); + pmac->u[0] |= sctx->md.h0 & mask; + pmac->u[1] |= sctx->md.h1 & mask; + pmac->u[2] |= sctx->md.h2 & mask; + pmac->u[3] |= sctx->md.h3 & mask; + pmac->u[4] |= sctx->md.h4 & mask; + + memset(data, 0, SHA_CBLOCK); + j += 64; + } + data->u[SHA_LBLOCK - 1] = bitlen; + sha1_block_data_order(&sctx->md, data, 1); + mask = 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1)); + pmac->u[0] |= sctx->md.h0 & mask; + pmac->u[1] |= sctx->md.h1 & mask; + pmac->u[2] |= sctx->md.h2 & mask; + pmac->u[3] |= sctx->md.h3 & mask; + pmac->u[4] |= sctx->md.h4 & mask; + +# ifdef BSWAP4 + pmac->u[0] = BSWAP4(pmac->u[0]); + pmac->u[1] = BSWAP4(pmac->u[1]); + pmac->u[2] = BSWAP4(pmac->u[2]); + pmac->u[3] = BSWAP4(pmac->u[3]); + pmac->u[4] = BSWAP4(pmac->u[4]); +# else + for (i = 0; i < 5; i++) { + res = pmac->u[i]; + pmac->c[4 * i + 0] = (unsigned char)(res >> 24); + pmac->c[4 * i + 1] = (unsigned char)(res >> 16); + pmac->c[4 * i + 2] = (unsigned char)(res >> 8); + pmac->c[4 * i + 3] = (unsigned char)res; + } +# endif /* BSWAP4 */ + len += SHA_DIGEST_LENGTH; + sctx->md = sctx->tail; + sha1_update(&sctx->md, pmac->c, SHA_DIGEST_LENGTH); + SHA1_Final(pmac->c, &sctx->md); + + /* verify HMAC */ + out += inp_len; + len -= inp_len; + /* version of code with lucky-13 fix */ + { + unsigned char *p = out + len - 1 - maxpad - SHA_DIGEST_LENGTH; + size_t off = out - p; + unsigned int c, cmask; + + maxpad += SHA_DIGEST_LENGTH; + for (res = 0, i = 0, j = 0; j < maxpad; j++) { + c = p[j]; + cmask = + ((int)(j - off - SHA_DIGEST_LENGTH)) >> (sizeof(int) * + 8 - 1); + res |= (c ^ pad) & ~cmask; /* ... and padding */ + cmask &= ((int)(off - 1 - j)) >> (sizeof(int) * 8 - 1); + res |= (c ^ pmac->c[i]) & cmask; + i += 1 & cmask; + } + maxpad -= SHA_DIGEST_LENGTH; + + res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); + ret &= (int)~res; + } + return ret; + } else { + /* decrypt HMAC|padding at once */ + aesni_cbc_encrypt(in, out, len, &ctx->ks, ctx->base.iv, 0); + sha1_update(&sctx->md, out, len); + } + } + + return 1; +} + +/* EVP_CTRL_AEAD_SET_MAC_KEY */ +static void aesni_cbc_hmac_sha1_set_mac_key(void *vctx, + const unsigned char *mac, size_t len) +{ + PROV_AES_HMAC_SHA1_CTX *ctx = (PROV_AES_HMAC_SHA1_CTX *)vctx; + unsigned int i; + unsigned char hmac_key[64]; + + memset(hmac_key, 0, sizeof(hmac_key)); + + if (len > (int)sizeof(hmac_key)) { + SHA1_Init(&ctx->head); + sha1_update(&ctx->head, mac, len); + SHA1_Final(hmac_key, &ctx->head); + } else { + memcpy(hmac_key, mac, len); + } + + for (i = 0; i < sizeof(hmac_key); i++) + hmac_key[i] ^= 0x36; /* ipad */ + SHA1_Init(&ctx->head); + sha1_update(&ctx->head, hmac_key, sizeof(hmac_key)); + + for (i = 0; i < sizeof(hmac_key); i++) + hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */ + SHA1_Init(&ctx->tail); + sha1_update(&ctx->tail, hmac_key, sizeof(hmac_key)); + + OPENSSL_cleanse(hmac_key, sizeof(hmac_key)); +} + +/* EVP_CTRL_AEAD_TLS1_AAD */ +static int aesni_cbc_hmac_sha1_set_tls1_aad(void *vctx, + unsigned char *aad_rec, int aad_len) +{ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_AES_HMAC_SHA1_CTX *sctx = (PROV_AES_HMAC_SHA1_CTX *)vctx; + unsigned char *p = aad_rec; + unsigned int len; + + if (aad_len != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[aad_len - 2] << 8 | p[aad_len - 1]; + + if (ctx->base.enc) { + ctx->payload_length = len; + if ((ctx->aux.tls_ver = + p[aad_len - 4] << 8 | p[aad_len - 3]) >= TLS1_1_VERSION) { + if (len < AES_BLOCK_SIZE) + return 0; + len -= AES_BLOCK_SIZE; + p[aad_len - 2] = len >> 8; + p[aad_len - 1] = len; + } + sctx->md = sctx->head; + sha1_update(&sctx->md, p, aad_len); + ctx->tls_aad_pad = (int)(((len + SHA_DIGEST_LENGTH + + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) + - len); + return 1; + } else { + memcpy(ctx->aux.tls_aad, aad_rec, aad_len); + ctx->payload_length = aad_len; + ctx->tls_aad_pad = SHA_DIGEST_LENGTH; + return 1; + } +} + +# if !defined(OPENSSL_NO_MULTIBLOCK) + +/* EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE */ +static int aesni_cbc_hmac_sha1_tls1_multiblock_max_bufsize(void *vctx) +{ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + + OPENSSL_assert(ctx->multiblock_max_send_fragment != 0); + return (int)(5 + 16 + + (((int)ctx->multiblock_max_send_fragment + 20 + 16) & -16)); +} + +/* EVP_CTRL_TLS1_1_MULTIBLOCK_AAD */ +static int aesni_cbc_hmac_sha1_tls1_multiblock_aad( + void *vctx, EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param) +{ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_AES_HMAC_SHA1_CTX *sctx = (PROV_AES_HMAC_SHA1_CTX *)vctx; + unsigned int n4x = 1, x4; + unsigned int frag, last, packlen, inp_len; + + inp_len = param->inp[11] << 8 | param->inp[12]; + ctx->multiblock_interleave = param->interleave; + + if (ctx->base.enc) { + if ((param->inp[9] << 8 | param->inp[10]) < TLS1_1_VERSION) + return -1; + + if (inp_len) { + if (inp_len < 4096) + return 0; /* too short */ + + if (inp_len >= 8192 && OPENSSL_ia32cap_P[2] & (1 << 5)) + n4x = 2; /* AVX2 */ + } else if ((n4x = param->interleave / 4) && n4x <= 2) + inp_len = param->len; + else + return -1; + + sctx->md = sctx->head; + sha1_update(&sctx->md, param->inp, 13); + + x4 = 4 * n4x; + n4x += 1; + + frag = inp_len >> n4x; + last = inp_len + frag - (frag << n4x); + if (last > frag && ((last + 13 + 9) % 64 < (x4 - 1))) { + frag++; + last -= x4 - 1; + } + + packlen = 5 + 16 + ((frag + 20 + 16) & -16); + packlen = (packlen << n4x) - packlen; + packlen += 5 + 16 + ((last + 20 + 16) & -16); + + param->interleave = x4; + /* The returned values used by get need to be stored */ + ctx->multiblock_interleave = x4; + ctx->multiblock_aad_packlen = packlen; + return 1; + } + return -1; /* not yet */ +} + +/* EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT */ +static int aesni_cbc_hmac_sha1_tls1_multiblock_encrypt( + void *ctx, EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param) +{ + return (int)tls1_multi_block_encrypt(ctx, param->out, + param->inp, param->len, + param->interleave / 4); +} + +#endif /* OPENSSL_NO_MULTIBLOCK */ + +static const PROV_CIPHER_HW_AES_HMAC_SHA cipher_hw_aes_hmac_sha1 = { + { + aesni_cbc_hmac_sha1_init_key, + aesni_cbc_hmac_sha1_cipher + }, + aesni_cbc_hmac_sha1_set_mac_key, + aesni_cbc_hmac_sha1_set_tls1_aad, +# if !defined(OPENSSL_NO_MULTIBLOCK) + aesni_cbc_hmac_sha1_tls1_multiblock_max_bufsize, + aesni_cbc_hmac_sha1_tls1_multiblock_aad, + aesni_cbc_hmac_sha1_tls1_multiblock_encrypt +# endif +}; + +const PROV_CIPHER_HW_AES_HMAC_SHA *PROV_CIPHER_HW_aes_cbc_hmac_sha1(void) +{ + return &cipher_hw_aes_hmac_sha1; +} + +#endif /* AES_CBC_HMAC_SHA_CAPABLE */ diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c new file mode 100644 index 0000000000..4352476264 --- /dev/null +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c @@ -0,0 +1,831 @@ +/* + * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "cipher_aes_cbc_hmac_sha.h" + +#ifndef AES_CBC_HMAC_SHA_CAPABLE +int cipher_capable_aes_cbc_hmac_sha256(void) +{ + return 0; +} +#else + +# include "crypto/rand.h" +# include "crypto/evp.h" +# include "internal/constant_time.h" + +void sha256_block_data_order(void *c, const void *p, size_t len); +int aesni_cbc_sha256_enc(const void *inp, void *out, size_t blocks, + const AES_KEY *key, unsigned char iv[16], + SHA256_CTX *ctx, const void *in0); + +int cipher_capable_aes_cbc_hmac_sha256(void) +{ + return AESNI_CBC_HMAC_SHA_CAPABLE + && aesni_cbc_sha256_enc(NULL, NULL, 0, NULL, NULL, NULL, NULL); +} + +static int aesni_cbc_hmac_sha256_init_key(PROV_CIPHER_CTX *vctx, + const unsigned char *key, + size_t keylen) +{ + int ret; + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_AES_HMAC_SHA256_CTX *sctx = (PROV_AES_HMAC_SHA256_CTX *)vctx; + + if (ctx->base.enc) + ret = aesni_set_encrypt_key(key, ctx->base.keylen * 8, &ctx->ks); + else + ret = aesni_set_decrypt_key(key, ctx->base.keylen * 8, &ctx->ks); + + SHA256_Init(&sctx->head); /* handy when benchmarking */ + sctx->tail = sctx->head; + sctx->md = sctx->head; + + ctx->payload_length = NO_PAYLOAD_LENGTH; + + return ret < 0 ? 0 : 1; +} + +void sha256_block_data_order(void *c, const void *p, size_t len); + +static void sha256_update(SHA256_CTX *c, const void *data, size_t len) +{ + const unsigned char *ptr = data; + size_t res; + + if ((res = c->num)) { + res = SHA256_CBLOCK - res; + if (len < res) + res = len; + SHA256_Update(c, ptr, res); + ptr += res; + len -= res; + } + + res = len % SHA256_CBLOCK; + len -= res; + + if (len) { + sha256_block_data_order(c, ptr, len / SHA256_CBLOCK); + + ptr += len; + c->Nh += len >> 29; + c->Nl += len <<= 3; + if (c->Nl < (unsigned int)len) + c->Nh++; + } + + if (res) + SHA256_Update(c, ptr, res); +} + +# if !defined(OPENSSL_NO_MULTIBLOCK) + +typedef struct { + unsigned int A[8], B[8], C[8], D[8], E[8], F[8], G[8], H[8]; +} SHA256_MB_CTX; + +typedef struct { + const unsigned char *ptr; + int blocks; +} HASH_DESC; + +typedef struct { + const unsigned char *inp; + unsigned char *out; + int blocks; + u64 iv[2]; +} CIPH_DESC; + +void sha256_multi_block(SHA256_MB_CTX *, const HASH_DESC *, int); +void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int); + +static size_t tls1_multi_block_encrypt(void *vctx, + unsigned char *out, + const unsigned char *inp, + size_t inp_len, int n4x) +{ /* n4x is 1 or 2 */ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_AES_HMAC_SHA256_CTX *sctx = (PROV_AES_HMAC_SHA256_CTX *)vctx; + HASH_DESC hash_d[8], edges[8]; + CIPH_DESC ciph_d[8]; + unsigned char storage[sizeof(SHA256_MB_CTX) + 32]; + union { + u64 q[16]; + u32 d[32]; + u8 c[128]; + } blocks[8]; + SHA256_MB_CTX *mctx; + unsigned int frag, last, packlen, i; + unsigned int x4 = 4 * n4x, minblocks, processed = 0; + size_t ret = 0; + u8 *IVs; +# if defined(BSWAP8) + u64 seqnum; +# endif + + /* ask for IVs in bulk */ + if (rand_bytes_ex(ctx->base.libctx, (IVs = blocks[0].c), 16 * x4) <= 0) + return 0; + + mctx = (SHA256_MB_CTX *) (storage + 32 - ((size_t)storage % 32)); /* align */ + + frag = (unsigned int)inp_len >> (1 + n4x); + last = (unsigned int)inp_len + frag - (frag << (1 + n4x)); + if (last > frag && ((last + 13 + 9) % 64) < (x4 - 1)) { + frag++; + last -= x4 - 1; + } + + packlen = 5 + 16 + ((frag + 32 + 16) & -16); + + /* populate descriptors with pointers and IVs */ + hash_d[0].ptr = inp; + ciph_d[0].inp = inp; + /* 5+16 is place for header and explicit IV */ + ciph_d[0].out = out + 5 + 16; + memcpy(ciph_d[0].out - 16, IVs, 16); + memcpy(ciph_d[0].iv, IVs, 16); + IVs += 16; + + for (i = 1; i < x4; i++) { + ciph_d[i].inp = hash_d[i].ptr = hash_d[i - 1].ptr + frag; + ciph_d[i].out = ciph_d[i - 1].out + packlen; + memcpy(ciph_d[i].out - 16, IVs, 16); + memcpy(ciph_d[i].iv, IVs, 16); + IVs += 16; + } + +# if defined(BSWAP8) + memcpy(blocks[0].c, sctx->md.data, 8); + seqnum = BSWAP8(blocks[0].q[0]); +# endif + + for (i = 0; i < x4; i++) { + unsigned int len = (i == (x4 - 1) ? last : frag); +# if !defined(BSWAP8) + unsigned int carry, j; +# endif + + mctx->A[i] = sctx->md.h[0]; + mctx->B[i] = sctx->md.h[1]; + mctx->C[i] = sctx->md.h[2]; + mctx->D[i] = sctx->md.h[3]; + mctx->E[i] = sctx->md.h[4]; + mctx->F[i] = sctx->md.h[5]; + mctx->G[i] = sctx->md.h[6]; + mctx->H[i] = sctx->md.h[7]; + + /* fix seqnum */ +# if defined(BSWAP8) + blocks[i].q[0] = BSWAP8(seqnum + i); +# else + for (carry = i, j = 8; j--;) { + blocks[i].c[j] = ((u8 *)sctx->md.data)[j] + carry; + carry = (blocks[i].c[j] - carry) >> (sizeof(carry) * 8 - 1); + } +# endif + blocks[i].c[8] = ((u8 *)sctx->md.data)[8]; + blocks[i].c[9] = ((u8 *)sctx->md.data)[9]; + blocks[i].c[10] = ((u8 *)sctx->md.data)[10]; + /* fix length */ + blocks[i].c[11] = (u8)(len >> 8); + blocks[i].c[12] = (u8)(len); + + memcpy(blocks[i].c + 13, hash_d[i].ptr, 64 - 13); + hash_d[i].ptr += 64 - 13; + hash_d[i].blocks = (len - (64 - 13)) / 64; + + edges[i].ptr = blocks[i].c; + edges[i].blocks = 1; + } + + /* hash 13-byte headers and first 64-13 bytes of inputs */ + sha256_multi_block(mctx, edges, n4x); + /* hash bulk inputs */ +# define MAXCHUNKSIZE 2048 +# if MAXCHUNKSIZE%64 +# error "MAXCHUNKSIZE is not divisible by 64" +# elif MAXCHUNKSIZE + /* + * goal is to minimize pressure on L1 cache by moving in shorter steps, + * so that hashed data is still in the cache by the time we encrypt it + */ + minblocks = ((frag <= last ? frag : last) - (64 - 13)) / 64; + if (minblocks > MAXCHUNKSIZE / 64) { + for (i = 0; i < x4; i++) { + edges[i].ptr = hash_d[i].ptr; + edges[i].blocks = MAXCHUNKSIZE / 64; + ciph_d[i].blocks = MAXCHUNKSIZE / 16; + } + do { + sha256_multi_block(mctx, edges, n4x); + aesni_multi_cbc_encrypt(ciph_d, &ctx->ks, n4x); + + for (i = 0; i < x4; i++) { + edges[i].ptr = hash_d[i].ptr += MAXCHUNKSIZE; + hash_d[i].blocks -= MAXCHUNKSIZE / 64; + edges[i].blocks = MAXCHUNKSIZE / 64; + ciph_d[i].inp += MAXCHUNKSIZE; + ciph_d[i].out += MAXCHUNKSIZE; + ciph_d[i].blocks = MAXCHUNKSIZE / 16; + memcpy(ciph_d[i].iv, ciph_d[i].out - 16, 16); + } + processed += MAXCHUNKSIZE; + minblocks -= MAXCHUNKSIZE / 64; + } while (minblocks > MAXCHUNKSIZE / 64); + } +# endif +# undef MAXCHUNKSIZE + sha256_multi_block(mctx, hash_d, n4x); + + memset(blocks, 0, sizeof(blocks)); + for (i = 0; i < x4; i++) { + unsigned int len = (i == (x4 - 1) ? last : frag), + off = hash_d[i].blocks * 64; + const unsigned char *ptr = hash_d[i].ptr + off; + + off = (len - processed) - (64 - 13) - off; /* remainder actually */ + memcpy(blocks[i].c, ptr, off); + blocks[i].c[off] = 0x80; + len += 64 + 13; /* 64 is HMAC header */ + len *= 8; /* convert to bits */ + if (off < (64 - 8)) { +# ifdef BSWAP4 + blocks[i].d[15] = BSWAP4(len); +# else + PUTU32(blocks[i].c + 60, len); +# endif + edges[i].blocks = 1; + } else { +# ifdef BSWAP4 + blocks[i].d[31] = BSWAP4(len); +# else + PUTU32(blocks[i].c + 124, len); +# endif + edges[i].blocks = 2; + } + edges[i].ptr = blocks[i].c; + } + + /* hash input tails and finalize */ + sha256_multi_block(mctx, edges, n4x); + + memset(blocks, 0, sizeof(blocks)); + for (i = 0; i < x4; i++) { +# ifdef BSWAP4 + blocks[i].d[0] = BSWAP4(mctx->A[i]); + mctx->A[i] = sctx->tail.h[0]; + blocks[i].d[1] = BSWAP4(mctx->B[i]); + mctx->B[i] = sctx->tail.h[1]; + blocks[i].d[2] = BSWAP4(mctx->C[i]); + mctx->C[i] = sctx->tail.h[2]; + blocks[i].d[3] = BSWAP4(mctx->D[i]); + mctx->D[i] = sctx->tail.h[3]; + blocks[i].d[4] = BSWAP4(mctx->E[i]); + mctx->E[i] = sctx->tail.h[4]; + blocks[i].d[5] = BSWAP4(mctx->F[i]); + mctx->F[i] = sctx->tail.h[5]; + blocks[i].d[6] = BSWAP4(mctx->G[i]); + mctx->G[i] = sctx->tail.h[6]; + blocks[i].d[7] = BSWAP4(mctx->H[i]); + mctx->H[i] = sctx->tail.h[7]; + blocks[i].c[32] = 0x80; + blocks[i].d[15] = BSWAP4((64 + 32) * 8); +# else + PUTU32(blocks[i].c + 0, mctx->A[i]); + mctx->A[i] = sctx->tail.h[0]; + PUTU32(blocks[i].c + 4, mctx->B[i]); + mctx->B[i] = sctx->tail.h[1]; + PUTU32(blocks[i].c + 8, mctx->C[i]); + mctx->C[i] = sctx->tail.h[2]; + PUTU32(blocks[i].c + 12, mctx->D[i]); + mctx->D[i] = sctx->tail.h[3]; + PUTU32(blocks[i].c + 16, mctx->E[i]); + mctx->E[i] = sctx->tail.h[4]; + PUTU32(blocks[i].c + 20, mctx->F[i]); + mctx->F[i] = sctx->tail.h[5]; + PUTU32(blocks[i].c + 24, mctx->G[i]); + mctx->G[i] = sctx->tail.h[6]; + PUTU32(blocks[i].c + 28, mctx->H[i]); + mctx->H[i] = sctx->tail.h[7]; + blocks[i].c[32] = 0x80; + PUTU32(blocks[i].c + 60, (64 + 32) * 8); +# endif /* BSWAP */ + edges[i].ptr = blocks[i].c; + edges[i].blocks = 1; + } + + /* finalize MACs */ + sha256_multi_block(mctx, edges, n4x); + + for (i = 0; i < x4; i++) { + unsigned int len = (i == (x4 - 1) ? last : frag), pad, j; + unsigned char *out0 = out; + + memcpy(ciph_d[i].out, ciph_d[i].inp, len - processed); + ciph_d[i].inp = ciph_d[i].out; + + out += 5 + 16 + len; + + /* write MAC */ + PUTU32(out + 0, mctx->A[i]); + PUTU32(out + 4, mctx->B[i]); + PUTU32(out + 8, mctx->C[i]); + PUTU32(out + 12, mctx->D[i]); + PUTU32(out + 16, mctx->E[i]); + PUTU32(out + 20, mctx->F[i]); + PUTU32(out + 24, mctx->G[i]); + PUTU32(out + 28, mctx->H[i]); + out += 32; + len += 32; + + /* pad */ + pad = 15 - len % 16; + for (j = 0; j <= pad; j++) + *(out++) = pad; + len += pad + 1; + + ciph_d[i].blocks = (len - processed) / 16; + len += 16; /* account for explicit iv */ + + /* arrange header */ + out0[0] = ((u8 *)sctx->md.data)[8]; + out0[1] = ((u8 *)sctx->md.data)[9]; + out0[2] = ((u8 *)sctx->md.data)[10]; + out0[3] = (u8)(len >> 8); + out0[4] = (u8)(len); + + ret += len + 5; + inp += frag; + } + + aesni_multi_cbc_encrypt(ciph_d, &ctx->ks, n4x); + + OPENSSL_cleanse(blocks, sizeof(blocks)); + OPENSSL_cleanse(mctx, sizeof(*mctx)); + + ctx->multiblock_encrypt_len = ret; + return ret; +} +# endif /* !OPENSSL_NO_MULTIBLOCK */ + +static int aesni_cbc_hmac_sha256_cipher(PROV_CIPHER_CTX *vctx, + unsigned char *out, + const unsigned char *in, size_t len) +{ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_AES_HMAC_SHA256_CTX *sctx = (PROV_AES_HMAC_SHA256_CTX *)vctx; + unsigned int l; + size_t plen = ctx->payload_length; + size_t iv = 0; /* explicit IV in TLS 1.1 and * later */ + size_t aes_off = 0, blocks; + size_t sha_off = SHA256_CBLOCK - sctx->md.num; + + ctx->payload_length = NO_PAYLOAD_LENGTH; + + if (len % AES_BLOCK_SIZE) + return 0; + + if (ctx->base.enc) { + if (plen == NO_PAYLOAD_LENGTH) + plen = len; + else if (len != + ((plen + SHA256_DIGEST_LENGTH + + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)) + return 0; + else if (ctx->aux.tls_ver >= TLS1_1_VERSION) + iv = AES_BLOCK_SIZE; + + /* + * Assembly stitch handles AVX-capable processors, but its + * performance is not optimal on AMD Jaguar, ~40% worse, for + * unknown reasons. Incidentally processor in question supports + * AVX, but not AMD-specific XOP extension, which can be used + * to identify it and avoid stitch invocation. So that after we + * establish that current CPU supports AVX, we even see if it's + * either even XOP-capable Bulldozer-based or GenuineIntel one. + * But SHAEXT-capable go ahead... + */ + if (((OPENSSL_ia32cap_P[2] & (1 << 29)) || /* SHAEXT? */ + ((OPENSSL_ia32cap_P[1] & (1 << (60 - 32))) && /* AVX? */ + ((OPENSSL_ia32cap_P[1] & (1 << (43 - 32))) /* XOP? */ + | (OPENSSL_ia32cap_P[0] & (1 << 30))))) && /* "Intel CPU"? */ + plen > (sha_off + iv) && + (blocks = (plen - (sha_off + iv)) / SHA256_CBLOCK)) { + sha256_update(&sctx->md, in + iv, sha_off); + + (void)aesni_cbc_sha256_enc(in, out, blocks, &ctx->ks, + ctx->base.iv, + &sctx->md, in + iv + sha_off); + blocks *= SHA256_CBLOCK; + aes_off += blocks; + sha_off += blocks; + sctx->md.Nh += blocks >> 29; + sctx->md.Nl += blocks <<= 3; + if (sctx->md.Nl < (unsigned int)blocks) + sctx->md.Nh++; + } else { + sha_off = 0; + } + sha_off += iv; + sha256_update(&sctx->md, in + sha_off, plen - sha_off); + + if (plen != len) { /* "TLS" mode of operation */ + if (in != out) + memcpy(out + aes_off, in + aes_off, plen - aes_off); + + /* calculate HMAC and append it to payload */ + SHA256_Final(out + plen, &sctx->md); + sctx->md = sctx->tail; + sha256_update(&sctx->md, out + plen, SHA256_DIGEST_LENGTH); + SHA256_Final(out + plen, &sctx->md); + + /* pad the payload|hmac */ + plen += SHA256_DIGEST_LENGTH; + for (l = len - plen - 1; plen < len; plen++) + out[plen] = l; + /* encrypt HMAC|padding at once */ + aesni_cbc_encrypt(out + aes_off, out + aes_off, len - aes_off, + &ctx->ks, ctx->base.iv, 1); + } else { + aesni_cbc_encrypt(in + aes_off, out + aes_off, len - aes_off, + &ctx->ks, ctx->base.iv, 1); + } + } else { + union { + unsigned int u[SHA256_DIGEST_LENGTH / sizeof(unsigned int)]; + unsigned char c[64 + SHA256_DIGEST_LENGTH]; + } mac, *pmac; + + /* arrange cache line alignment */ + pmac = (void *)(((size_t)mac.c + 63) & ((size_t)0 - 64)); + + /* decrypt HMAC|padding at once */ + aesni_cbc_encrypt(in, out, len, &ctx->ks, + ctx->base.iv, 0); + + if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */ + size_t inp_len, mask, j, i; + unsigned int res, maxpad, pad, bitlen; + int ret = 1; + union { + unsigned int u[SHA_LBLOCK]; + unsigned char c[SHA256_CBLOCK]; + } *data = (void *)sctx->md.data; + + if ((ctx->aux.tls_aad[plen - 4] << 8 | ctx->aux.tls_aad[plen - 3]) + >= TLS1_1_VERSION) + iv = AES_BLOCK_SIZE; + + if (len < (iv + SHA256_DIGEST_LENGTH + 1)) + return 0; + + /* omit explicit iv */ + out += iv; + len -= iv; + + /* figure out payload length */ + pad = out[len - 1]; + maxpad = len - (SHA256_DIGEST_LENGTH + 1); + maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); + maxpad &= 255; + + mask = constant_time_ge(maxpad, pad); + ret &= mask; + /* + * If pad is invalid then we will fail the above test but we must + * continue anyway because we are in constant time code. However, + * we'll use the maxpad value instead of the supplied pad to make + * sure we perform well defined pointer arithmetic. + */ + pad = constant_time_select(mask, pad, maxpad); + + inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1); + + ctx->aux.tls_aad[plen - 2] = inp_len >> 8; + ctx->aux.tls_aad[plen - 1] = inp_len; + + /* calculate HMAC */ + sctx->md = sctx->head; + sha256_update(&sctx->md, ctx->aux.tls_aad, plen); + + /* code with lucky-13 fix */ + len -= SHA256_DIGEST_LENGTH; /* amend mac */ + if (len >= (256 + SHA256_CBLOCK)) { + j = (len - (256 + SHA256_CBLOCK)) & (0 - SHA256_CBLOCK); + j += SHA256_CBLOCK - sctx->md.num; + sha256_update(&sctx->md, out, j); + out += j; + len -= j; + inp_len -= j; + } + + /* but pretend as if we hashed padded payload */ + bitlen = sctx->md.Nl + (inp_len << 3); /* at most 18 bits */ +# ifdef BSWAP4 + bitlen = BSWAP4(bitlen); +# else + mac.c[0] = 0; + mac.c[1] = (unsigned char)(bitlen >> 16); + mac.c[2] = (unsigned char)(bitlen >> 8); + mac.c[3] = (unsigned char)bitlen; + bitlen = mac.u[0]; +# endif /* BSWAP */ + + pmac->u[0] = 0; + pmac->u[1] = 0; + pmac->u[2] = 0; + pmac->u[3] = 0; + pmac->u[4] = 0; + pmac->u[5] = 0; + pmac->u[6] = 0; + pmac->u[7] = 0; + + for (res = sctx->md.num, j = 0; j < len; j++) { + size_t c = out[j]; + mask = (j - inp_len) >> (sizeof(j) * 8 - 8); + c &= mask; + c |= 0x80 & ~mask & ~((inp_len - j) >> (sizeof(j) * 8 - 8)); + data->c[res++] = (unsigned char)c; + + if (res != SHA256_CBLOCK) + continue; + + /* j is not incremented yet */ + mask = 0 - ((inp_len + 7 - j) >> (sizeof(j) * 8 - 1)); + data->u[SHA_LBLOCK - 1] |= bitlen & mask; + sha256_block_data_order(&sctx->md, data, 1); + mask &= 0 - ((j - inp_len - 72) >> (sizeof(j) * 8 - 1)); + pmac->u[0] |= sctx->md.h[0] & mask; + pmac->u[1] |= sctx->md.h[1] & mask; + pmac->u[2] |= sctx->md.h[2] & mask; + pmac->u[3] |= sctx->md.h[3] & mask; + pmac->u[4] |= sctx->md.h[4] & mask; + pmac->u[5] |= sctx->md.h[5] & mask; + pmac->u[6] |= sctx->md.h[6] & mask; + pmac->u[7] |= sctx->md.h[7] & mask; + res = 0; + } + + for (i = res; i < SHA256_CBLOCK; i++, j++) + data->c[i] = 0; + + if (res > SHA256_CBLOCK - 8) { + mask = 0 - ((inp_len + 8 - j) >> (sizeof(j) * 8 - 1)); + data->u[SHA_LBLOCK - 1] |= bitlen & mask; + sha256_block_data_order(&sctx->md, data, 1); + mask &= 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1)); + pmac->u[0] |= sctx->md.h[0] & mask; + pmac->u[1] |= sctx->md.h[1] & mask; + pmac->u[2] |= sctx->md.h[2] & mask; + pmac->u[3] |= sctx->md.h[3] & mask; + pmac->u[4] |= sctx->md.h[4] & mask; + pmac->u[5] |= sctx->md.h[5] & mask; + pmac->u[6] |= sctx->md.h[6] & mask; + pmac->u[7] |= sctx->md.h[7] & mask; + + memset(data, 0, SHA256_CBLOCK); + j += 64; + } + data->u[SHA_LBLOCK - 1] = bitlen; + sha256_block_data_order(&sctx->md, data, 1); + mask = 0 - ((j - inp_len - 73) >> (sizeof(j) * 8 - 1)); + pmac->u[0] |= sctx->md.h[0] & mask; + pmac->u[1] |= sctx->md.h[1] & mask; + pmac->u[2] |= sctx->md.h[2] & mask; + pmac->u[3] |= sctx->md.h[3] & mask; + pmac->u[4] |= sctx->md.h[4] & mask; + pmac->u[5] |= sctx->md.h[5] & mask; + pmac->u[6] |= sctx->md.h[6] & mask; + pmac->u[7] |= sctx->md.h[7] & mask; + +# ifdef BSWAP4 + pmac->u[0] = BSWAP4(pmac->u[0]); + pmac->u[1] = BSWAP4(pmac->u[1]); + pmac->u[2] = BSWAP4(pmac->u[2]); + pmac->u[3] = BSWAP4(pmac->u[3]); + pmac->u[4] = BSWAP4(pmac->u[4]); + pmac->u[5] = BSWAP4(pmac->u[5]); + pmac->u[6] = BSWAP4(pmac->u[6]); + pmac->u[7] = BSWAP4(pmac->u[7]); +# else + for (i = 0; i < 8; i++) { + res = pmac->u[i]; + pmac->c[4 * i + 0] = (unsigned char)(res >> 24); + pmac->c[4 * i + 1] = (unsigned char)(res >> 16); + pmac->c[4 * i + 2] = (unsigned char)(res >> 8); + pmac->c[4 * i + 3] = (unsigned char)res; + } +# endif /* BSWAP */ + len += SHA256_DIGEST_LENGTH; + sctx->md = sctx->tail; + sha256_update(&sctx->md, pmac->c, SHA256_DIGEST_LENGTH); + SHA256_Final(pmac->c, &sctx->md); + + /* verify HMAC */ + out += inp_len; + len -= inp_len; + /* code containing lucky-13 fix */ + { + unsigned char *p = + out + len - 1 - maxpad - SHA256_DIGEST_LENGTH; + size_t off = out - p; + unsigned int c, cmask; + + maxpad += SHA256_DIGEST_LENGTH; + for (res = 0, i = 0, j = 0; j < maxpad; j++) { + c = p[j]; + cmask = + ((int)(j - off - SHA256_DIGEST_LENGTH)) >> + (sizeof(int) * 8 - 1); + res |= (c ^ pad) & ~cmask; /* ... and padding */ + cmask &= ((int)(off - 1 - j)) >> (sizeof(int) * 8 - 1); + res |= (c ^ pmac->c[i]) & cmask; + i += 1 & cmask; + } + maxpad -= SHA256_DIGEST_LENGTH; + + res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); + ret &= (int)~res; + } + return ret; + } else { + sha256_update(&sctx->md, out, len); + } + } + + return 1; +} + +/* EVP_CTRL_AEAD_SET_MAC_KEY */ +static void aesni_cbc_hmac_sha256_set_mac_key(void *vctx, + const unsigned char *mackey, + size_t len) +{ + PROV_AES_HMAC_SHA256_CTX *ctx = (PROV_AES_HMAC_SHA256_CTX *)vctx; + unsigned int i; + unsigned char hmac_key[64]; + + memset(hmac_key, 0, sizeof(hmac_key)); + + if (len > sizeof(hmac_key)) { + SHA256_Init(&ctx->head); + sha256_update(&ctx->head, mackey, len); + SHA256_Final(hmac_key, &ctx->head); + } else { + memcpy(hmac_key, mackey, len); + } + + for (i = 0; i < sizeof(hmac_key); i++) + hmac_key[i] ^= 0x36; /* ipad */ + SHA256_Init(&ctx->head); + sha256_update(&ctx->head, hmac_key, sizeof(hmac_key)); + + for (i = 0; i < sizeof(hmac_key); i++) + hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */ + SHA256_Init(&ctx->tail); + sha256_update(&ctx->tail, hmac_key, sizeof(hmac_key)); + + OPENSSL_cleanse(hmac_key, sizeof(hmac_key)); +} + +/* EVP_CTRL_AEAD_TLS1_AAD */ +static int aesni_cbc_hmac_sha256_set_tls1_aad(void *vctx, + unsigned char *aad_rec, int aad_len) +{ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_AES_HMAC_SHA256_CTX *sctx = (PROV_AES_HMAC_SHA256_CTX *)vctx; + unsigned char *p = aad_rec; + unsigned int len; + + if (aad_len != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[aad_len - 2] << 8 | p[aad_len - 1]; + + if (ctx->base.enc) { + ctx->payload_length = len; + if ((ctx->aux.tls_ver = + p[aad_len - 4] << 8 | p[aad_len - 3]) >= TLS1_1_VERSION) { + if (len < AES_BLOCK_SIZE) + return 0; + len -= AES_BLOCK_SIZE; + p[aad_len] = len >> 8; + p[aad_len - 1] = len; + } + sctx->md = sctx->head; + sha256_update(&sctx->md, p, aad_len); + ctx->tls_aad_pad = (int)(((len + SHA256_DIGEST_LENGTH + + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) + - len); + return 1; + } else { + memcpy(ctx->aux.tls_aad, p, aad_len); + ctx->payload_length = aad_len; + ctx->tls_aad_pad = SHA256_DIGEST_LENGTH; + return 1; + } +} + +# if !defined(OPENSSL_NO_MULTIBLOCK) +/* EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE */ +static int aesni_cbc_hmac_sha256_tls1_multiblock_max_bufsize( + void *vctx) +{ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + + OPENSSL_assert(ctx->multiblock_max_send_fragment != 0); + return (int)(5 + 16 + + (((int)ctx->multiblock_max_send_fragment + 32 + 16) & -16)); +} + +/* EVP_CTRL_TLS1_1_MULTIBLOCK_AAD */ +static int aesni_cbc_hmac_sha256_tls1_multiblock_aad( + void *vctx, EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param) +{ + PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; + PROV_AES_HMAC_SHA256_CTX *sctx = (PROV_AES_HMAC_SHA256_CTX *)vctx; + unsigned int n4x = 1, x4; + unsigned int frag, last, packlen, inp_len; + + inp_len = param->inp[11] << 8 | param->inp[12]; + + if (ctx->base.enc) { + if ((param->inp[9] << 8 | param->inp[10]) < TLS1_1_VERSION) + return -1; + + if (inp_len) { + if (inp_len < 4096) + return 0; /* too short */ + + if (inp_len >= 8192 && OPENSSL_ia32cap_P[2] & (1 << 5)) + n4x = 2; /* AVX2 */ + } else if ((n4x = param->interleave / 4) && n4x <= 2) + inp_len = param->len; + else + return -1; + + sctx->md = sctx->head; + sha256_update(&sctx->md, param->inp, 13); + + x4 = 4 * n4x; + n4x += 1; + + frag = inp_len >> n4x; + last = inp_len + frag - (frag << n4x); + if (last > frag && ((last + 13 + 9) % 64 < (x4 - 1))) { + frag++; + last -= x4 - 1; + } + + packlen = 5 + 16 + ((frag + 32 + 16) & -16); + packlen = (packlen << n4x) - packlen; + packlen += 5 + 16 + ((last + 32 + 16) & -16); + + param->interleave = x4; + /* The returned values used by get need to be stored */ + ctx->multiblock_interleave = x4; + ctx->multiblock_aad_packlen = packlen; + return 1; + } + return -1; /* not yet */ +} + +/* EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT */ +static int aesni_cbc_hmac_sha256_tls1_multiblock_encrypt( + void *ctx, EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param) +{ + return (int)tls1_multi_block_encrypt(ctx, param->out, + param->inp, param->len, + param->interleave / 4); +} +#endif + +static const PROV_CIPHER_HW_AES_HMAC_SHA cipher_hw_aes_hmac_sha256 = { + { + aesni_cbc_hmac_sha256_init_key, + aesni_cbc_hmac_sha256_cipher + }, + aesni_cbc_hmac_sha256_set_mac_key, + aesni_cbc_hmac_sha256_set_tls1_aad, +# if !defined(OPENSSL_NO_MULTIBLOCK) + aesni_cbc_hmac_sha256_tls1_multiblock_max_bufsize, + aesni_cbc_hmac_sha256_tls1_multiblock_aad, + aesni_cbc_hmac_sha256_tls1_multiblock_encrypt +# endif +}; + +const PROV_CIPHER_HW_AES_HMAC_SHA *PROV_CIPHER_HW_aes_cbc_hmac_sha256(void) +{ + return &cipher_hw_aes_hmac_sha256; +} + +#endif /* AES_CBC_HMAC_SHA_CAPABLE */ diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index 75c20a096e..ed44d68a5a 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -75,6 +75,10 @@ extern const OSSL_DISPATCH aes128wrap_functions[]; extern const OSSL_DISPATCH aes256wrappad_functions[]; extern const OSSL_DISPATCH aes192wrappad_functions[]; extern const OSSL_DISPATCH aes128wrappad_functions[]; +extern const OSSL_DISPATCH aes256cbc_hmac_sha1_functions[]; +extern const OSSL_DISPATCH aes128cbc_hmac_sha1_functions[]; +extern const OSSL_DISPATCH aes256cbc_hmac_sha256_functions[]; +extern const OSSL_DISPATCH aes128cbc_hmac_sha256_functions[]; #ifndef OPENSSL_NO_ARIA extern const OSSL_DISPATCH aria256gcm_functions[]; diff --git a/test/sslapitest.c b/test/sslapitest.c index 46e490a417..4993f16f4c 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -6820,6 +6820,103 @@ static int test_ca_names(int tst) return testresult; } +#ifndef OPENSSL_NO_TLS1_2 +static const char *multiblock_cipherlist_data[]= +{ + "AES128-SHA", + "AES128-SHA256", + "AES256-SHA", + "AES256-SHA256", +}; + +/* Reduce the fragment size - so the multiblock test buffer can be small */ +# define MULTIBLOCK_FRAGSIZE 512 + +static int test_multiblock_write(int test_index) +{ + static const char *fetchable_ciphers[]= + { + "AES-128-CBC-HMAC-SHA1", + "AES-128-CBC-HMAC-SHA256", + "AES-256-CBC-HMAC-SHA1", + "AES-256-CBC-HMAC-SHA256" + }; + const char *cipherlist = multiblock_cipherlist_data[test_index]; + const SSL_METHOD *smeth = TLS_server_method(); + const SSL_METHOD *cmeth = TLS_client_method(); + int min_version = TLS1_VERSION; + int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + + /* + * Choose a buffer large enough to perform a multi-block operation + * i.e: write_len >= 4 * frag_size + * 9 * is chosen so that multiple multiblocks are used + some leftover. + */ + unsigned char msg[MULTIBLOCK_FRAGSIZE * 9]; + unsigned char buf[sizeof(msg)], *p = buf; + size_t readbytes, written, len; + EVP_CIPHER *ciph = NULL; + + /* + * Check if the cipher exists before attempting to use it since it only has + * a hardware specific implementation. + */ + ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], ""); + if (ciph == NULL) { + TEST_skip("Multiblock cipher is not available for %s", cipherlist); + return 1; + } + EVP_CIPHER_free(ciph); + + /* Set up a buffer with some data that will be sent to the client */ + RAND_bytes(msg, sizeof(msg)); + + if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version, + &sctx, &cctx, cert, privkey))) + goto end; + + if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE))) + goto end; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL))) + goto end; + + /* settings to force it to use AES-CBC-HMAC_SHA */ + SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC); + if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist))) + goto end; + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written)) + || !TEST_size_t_eq(written, sizeof(msg))) + goto end; + + len = written; + while (len > 0) { + if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes))) + goto end; + p += readbytes; + len -= readbytes; + } + if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf))) + goto end; + + testresult = 1; +end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} +#endif /* OPENSSL_NO_TLS1_2 */ OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n") @@ -6968,6 +7065,9 @@ int setup_tests(void) ADD_ALL_TESTS(test_cert_cb, 6); ADD_ALL_TESTS(test_client_cert_cb, 2); ADD_ALL_TESTS(test_ca_names, 3); +#ifndef OPENSSL_NO_TLS1_2 + ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data)); +#endif return 1; } -- 2.25.1