From a69c0a1be5c619a74c02fcef05be6142d4700f62 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Tue, 8 Oct 2013 23:39:26 +0200 Subject: [PATCH] evp/e_aes_cbc_hmac_sha*.c: harmonize names, fix bugs. --- crypto/evp/e_aes_cbc_hmac_sha1.c | 90 +++++++++++++++++------------- crypto/evp/e_aes_cbc_hmac_sha256.c | 88 +++++++++++++++++------------ 2 files changed, 103 insertions(+), 75 deletions(-) diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index 583fe8cc48..15e96386b1 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -71,8 +71,8 @@ #define EVP_CIPH_FLAG_DEFAULT_ASN1 0 #endif -#if !defined(EVP_CIPH_FLAG_TLS11_MULTI_BLOCK) -#define EVP_CIPH_FLAG_TLS11_MULTI_BLOCK 0 +#if !defined(EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) +#define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0 #endif #define TLS1_1_VERSION 0x0302 @@ -95,7 +95,7 @@ typedef struct defined(_M_AMD64) || defined(_M_X64) || \ defined(__INTEL__) ) -extern unsigned int OPENSSL_ia32cap_P[2]; +extern unsigned int OPENSSL_ia32cap_P[3]; #define AESNI_CAPABLE (1<<(57-32)) int aesni_set_encrypt_key(const unsigned char *userKey, int bits, @@ -177,7 +177,7 @@ static void sha1_update(SHA_CTX *c,const void *data,size_t len) #endif #define SHA1_Update sha1_update -#if EVP_CIPH_FLAG_TLS11_MULTI_BLOCK +#if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK typedef struct { unsigned int A[8],B[8],C[8],D[8],E[8]; } SHA1_MB_CTX; typedef struct { const unsigned char *ptr; int blocks; } HASH_DESC; @@ -185,11 +185,11 @@ typedef struct { const unsigned char *ptr; int blocks; } HASH_DESC; void sha1_multi_block(SHA1_MB_CTX *,const HASH_DESC *,int); typedef struct { const unsigned char *inp; unsigned char *out; - int blocks; double iv[2]; } CIPH_DESC; + int blocks; u64 iv[2]; } CIPH_DESC; void aesni_multi_cbc_encrypt(CIPH_DESC *,void *,int); -static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, +static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, unsigned char *out, const unsigned char *inp, size_t inp_len, int n4x) /* n4x is 1 or 2 */ { @@ -202,6 +202,7 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, SHA1_MB_CTX *ctx; unsigned int frag, last, packlen, i, x4=4*n4x; size_t ret = 0; + u8 *IVs; ctx = (SHA1_MB_CTX *)(storage+32-((size_t)storage%32)); /* align */ @@ -228,21 +229,21 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, #if defined(BSWAP8) blocks[i].q[0] = BSWAP8(BSWAP8(*(u64*)key->md.data)+i); #else - blocks[i].c[7] += key->md.data[7]+i; + blocks[i].c[7] += ((u8*)key->md.data)[7]+i; if (blocks[i].c[7] < i) { int j; for (j=6;j>=0;j--) { - if (blocks[i].c[j]=key->md.data[j]+1) break; + if (blocks[i].c[j]=((u8*)key->md.data)[j]+1) break; } } #endif - blocks[i].c[8] = key->md.data[8]; - blocks[i].c[9] = key->md.data[9]; - blocks[i].c[10] = key->md.data[10]; + blocks[i].c[8] = ((u8*)key->md.data)[8]; + blocks[i].c[9] = ((u8*)key->md.data)[9]; + blocks[i].c[10] = ((u8*)key->md.data)[10]; /* fix length */ - blocks[i].c[11] = (unsigned char)(len>>8); - blocks[i].c[12] = (unsigned char)(len); + blocks[i].c[11] = (u8)(len>>8); + blocks[i].c[12] = (u8)(len); memcpy(blocks[i].c+13,hash_d[i].ptr,64-13); hash_d[i].ptr += 64-13; @@ -252,7 +253,9 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, edges[i].blocks = 1; } + /* hash 13-byte headers and first 64-13 bytes of inputs */ sha1_multi_block(ctx,edges,n4x); + /* hash bulk inputs */ sha1_multi_block(ctx,hash_d,n4x); memset(blocks,0,sizeof(blocks)); @@ -276,6 +279,7 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, edges[i].ptr = blocks[i].c; } + /* hash input tails and finalize */ sha1_multi_block(ctx,edges,n4x); memset(blocks,0,sizeof(blocks)); @@ -291,6 +295,7 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, edges[i].blocks = 1; } + /* finalize MACs */ sha1_multi_block(ctx,edges,n4x); packlen = 5+16+((frag+20+16)&-16); @@ -298,6 +303,8 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, out += (packlen<<(1+n4x))-packlen; inp += (frag<<(1+n4x))-frag; + RAND_bytes((IVs=blocks[0].c),16*x4); /* ask for IVs in bulk */ + for (i=x4-1;;i--) { unsigned int len = (i==(x4-1)?last:frag), pad, j; unsigned char *out0 = out; @@ -308,42 +315,49 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, memmove(out,inp,len); out += len; - inp -= frag; + /* write MAC */ ((u32 *)out)[0] = BSWAP4(ctx->A[i]); ((u32 *)out)[1] = BSWAP4(ctx->B[i]); ((u32 *)out)[2] = BSWAP4(ctx->C[i]); ((u32 *)out)[3] = BSWAP4(ctx->D[i]); ((u32 *)out)[4] = BSWAP4(ctx->E[i]); out += 20; - len += 20+16; + len += 20; + /* pad */ pad = 15-len%16; for (j=0;j<=pad;j++) *(out++) = pad; len += pad+1; ciph_d[i].blocks = len/16; + len += 16; /* account for explicit iv */ /* arrange header */ - out0[0] = key->md.data[8]; - out0[1] = key->md.data[9]; - out0[2] = key->md.data[10]; - out0[3] = (unsigned char)(len>>8); - out0[4] = (unsigned char)(len); + out0[0] = ((u8*)key->md.data)[8]; + out0[1] = ((u8*)key->md.data)[9]; + out0[2] = ((u8*)key->md.data)[10]; + out0[3] = (u8)(len>>8); + out0[4] = (u8)(len); /* explicit iv */ - RAND_bytes((u8 *)ciph_d[i].iv, 16); - memcpy(&out[5], ciph_d[i].iv, 16); + memcpy(ciph_d[i].iv, IVs, 16); + memcpy(&out0[5], IVs, 16); ret += len+5; if (i==0) break; out = out0-packlen; + inp -= frag; + IVs += 16; } aesni_multi_cbc_encrypt(ciph_d,&key->ks,n4x); + OPENSSL_cleanse(blocks,sizeof(blocks)); + OPENSSL_cleanse(ctx,sizeof(*ctx)); + return ret; } #endif @@ -686,15 +700,15 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void return SHA_DIGEST_LENGTH; } } -#if EVP_EVP_CIPH_FLAG_TLS11_MULTI_BLOCK - case EVP_CTRL_TLS11_MULTI_BLOCK_AAD: +#if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK + case EVP_CTRL_TLS1_1_MULTIBLOCK_AAD: { - EVP_CTRL_TLS11_MULTI_BLOCK_PARAM *param = - (EVP_CTRL_TLS11_MULTI_BLOCK_PARAM *)ptr; + EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param = + (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr; unsigned int n4x=1, x4; unsigned int frag, last, packlen, inp_len; - if (arginp[11]<<8|param->inp[12]; @@ -702,10 +716,10 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void { if ((param->inp[9]<<8|param->inp[10]) < TLS1_1_VERSION) return -1; - - if (inp_len<2048) return -1; /* too short */ - if (inp_len>=6144) n4x=2; + if (inp_len<4096) return 0; /* too short */ + + if (OPENSSL_ia32cap_P[2]&(1<<5)) n4x=2; /* AVX2 */ key->md = key->head; SHA1_Update(&key->md,param->inp,13); @@ -720,7 +734,7 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void } packlen = 5+16+((frag+20+16)&-16); - packlen = (packlen<<(1+n4x))-packlen; + packlen = (packlen<interleave = x4; @@ -730,15 +744,15 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void else return -1; /* not yet */ } - case EVP_CTRL_TLS11_MULTI_BLOCK_ENCRYPT: + case EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT: { - EVP_CTRL_TLS11_MULTI_BLOCK_PARAM *param = - (EVP_CTRL_TLS11_MULTI_BLOCK_PARAM *)ptr; + EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param = + (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr; - return tls11_multi_block_encrypt(key,param->out,param->inp, + return (int)tls1_1_multi_block_encrypt(key,param->out,param->inp, param->len,param->interleave/4); } - case EVP_CTRL_TLS11_MULTI_BLOCK_DECRYPT: + case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT: #endif default: return -1; @@ -754,7 +768,7 @@ static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = #endif 16,16,16, EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1| - EVP_CIPH_FLAG_AEAD_CIPHER|EVP_CIPH_FLAG_TLS11_MULTI_BLOCK, + EVP_CIPH_FLAG_AEAD_CIPHER|EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, aesni_cbc_hmac_sha1_init_key, aesni_cbc_hmac_sha1_cipher, NULL, @@ -774,7 +788,7 @@ static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = #endif 16,32,16, EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1| - EVP_CIPH_FLAG_AEAD_CIPHER|EVP_CIPH_FLAG_TLS11_MULTI_BLOCK, + EVP_CIPH_FLAG_AEAD_CIPHER|EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, aesni_cbc_hmac_sha1_init_key, aesni_cbc_hmac_sha1_cipher, NULL, diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c index 7d03abc1a6..602bfa9ce0 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha256.c +++ b/crypto/evp/e_aes_cbc_hmac_sha256.c @@ -71,8 +71,8 @@ #define EVP_CIPH_FLAG_DEFAULT_ASN1 0 #endif -#if !defined(EVP_CIPH_FLAG_TLS11_MULTI_BLOCK) -#define EVP_CIPH_FLAG_TLS11_MULTI_BLOCK 0 +#if !defined(EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) +#define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0 #endif #define TLS1_1_VERSION 0x0302 @@ -178,7 +178,7 @@ static void sha256_update(SHA256_CTX *c,const void *data,size_t len) #endif #define SHA256_Update sha256_update -#if EVP_CIPH_FLAG_TLS11_MULTI_BLOCK +#if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK typedef struct { unsigned int A[8],B[8],C[8],D[8],E[8],F[8],G[8],H[8]; } SHA256_MB_CTX; typedef struct { const unsigned char *ptr; int blocks; } HASH_DESC; @@ -186,11 +186,11 @@ typedef struct { const unsigned char *ptr; int blocks; } HASH_DESC; void sha256_multi_block(SHA256_MB_CTX *,const HASH_DESC *,int); typedef struct { const unsigned char *inp; unsigned char *out; - int blocks; double iv[2]; } CIPH_DESC; + int blocks; u64 iv[2]; } CIPH_DESC; void aesni_multi_cbc_encrypt(CIPH_DESC *,void *,int); -static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, +static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, unsigned char *out, const unsigned char *inp, size_t inp_len, int n4x) /* n4x is 1 or 2 */ { @@ -203,6 +203,7 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, SHA256_MB_CTX *ctx; unsigned int frag, last, packlen, i, x4=4*n4x; size_t ret = 0; + u8 *IVs; ctx = (SHA256_MB_CTX *)(storage+32-((size_t)storage%32)); /* align */ @@ -232,21 +233,21 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, #if defined(BSWAP8) blocks[i].q[0] = BSWAP8(BSWAP8(*(u64*)key->md.data)+i); #else - blocks[i].c[7] += key->md.data[7]+i; + blocks[i].c[7] += ((u8*)key->md.data)[7]+i; if (blocks[i].c[7] < i) { int j; for (j=6;j>=0;j--) { - if (blocks[i].c[j]=key->md.data[j]+1) break; + if (blocks[i].c[j]=((u8*)key->md.data)[j]+1) break; } } #endif - blocks[i].c[8] = key->md.data[8]; - blocks[i].c[9] = key->md.data[9]; - blocks[i].c[10] = key->md.data[10]; + blocks[i].c[8] = ((u8*)key->md.data)[8]; + blocks[i].c[9] = ((u8*)key->md.data)[9]; + blocks[i].c[10] = ((u8*)key->md.data)[10]; /* fix length */ - blocks[i].c[11] = (unsigned char)(len>>8); - blocks[i].c[12] = (unsigned char)(len); + blocks[i].c[11] = (u8)(len>>8); + blocks[i].c[12] = (u8)(len); memcpy(blocks[i].c+13,hash_d[i].ptr,64-13); hash_d[i].ptr += 64-13; @@ -256,7 +257,9 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, edges[i].blocks = 1; } + /* hash 13-byte headers and first 64-13 bytes of inputs */ sha256_multi_block(ctx,edges,n4x); + /* hash bulk inputs */ sha256_multi_block(ctx,hash_d,n4x); memset(blocks,0,sizeof(blocks)); @@ -280,6 +283,7 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, edges[i].ptr = blocks[i].c; } + /* hash input tails and finalize */ sha256_multi_block(ctx,edges,n4x); memset(blocks,0,sizeof(blocks)); @@ -298,6 +302,7 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, edges[i].blocks = 1; } + /* finalize MACs */ sha256_multi_block(ctx,edges,n4x); packlen = 5+16+((frag+32+16)&-16); @@ -305,6 +310,8 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, out += (packlen<<(1+n4x))-packlen; inp += (frag<<(1+n4x))-frag; + RAND_bytes((IVs=blocks[0].c),16*x4); /* ask for IVs in bulk */ + for (i=x4-1;;i--) { unsigned int len = (i==(x4-1)?last:frag), pad, j; unsigned char *out0 = out; @@ -315,8 +322,8 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, memmove(out,inp,len); out += len; - inp -= frag; + /* write MAC */ ((u32 *)out)[0] = BSWAP4(ctx->A[i]); ((u32 *)out)[1] = BSWAP4(ctx->B[i]); ((u32 *)out)[2] = BSWAP4(ctx->C[i]); @@ -326,34 +333,41 @@ static size_t tls11_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, ((u32 *)out)[6] = BSWAP4(ctx->G[i]); ((u32 *)out)[7] = BSWAP4(ctx->H[i]); out += 32; - len += 32+16; + len += 32; + /* pad */ pad = 15-len%16; for (j=0;j<=pad;j++) *(out++) = pad; len += pad+1; ciph_d[i].blocks = len/16; + len += 16; /* account for explicit iv */ /* arrange header */ - out0[0] = key->md.data[8]; - out0[1] = key->md.data[9]; - out0[2] = key->md.data[10]; - out0[3] = (unsigned char)(len>>8); - out0[4] = (unsigned char)(len); + out0[0] = ((u8*)key->md.data)[8]; + out0[1] = ((u8*)key->md.data)[9]; + out0[2] = ((u8*)key->md.data)[10]; + out0[3] = (u8)(len>>8); + out0[4] = (u8)(len); /* explicit iv */ - RAND_bytes((u8 *)ciph_d[i].iv, 16); - memcpy(&out[5], ciph_d[i].iv, 16); + memcpy(ciph_d[i].iv, IVs, 16); + memcpy(&out0[5], IVs, 16); ret += len+5; if (i==0) break; out = out0-packlen; + inp -= frag; + IVs += 16; } aesni_multi_cbc_encrypt(ciph_d,&key->ks,n4x); + OPENSSL_cleanse(blocks,sizeof(blocks)); + OPENSSL_cleanse(ctx,sizeof(*ctx)); + return ret; } #endif @@ -713,15 +727,15 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, vo return SHA256_DIGEST_LENGTH; } } -#if EVP_EVP_CIPH_FLAG_TLS11_MULTI_BLOCK - case EVP_CTRL_TLS11_MULTI_BLOCK_AAD: +#if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK + case EVP_CTRL_TLS1_1_MULTIBLOCK_AAD: { - EVP_CTRL_TLS11_MULTI_BLOCK_PARAM *param = - (EVP_CTRL_TLS11_MULTI_BLOCK_PARAM *)ptr; + EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param = + (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr; unsigned int n4x=1, x4; unsigned int frag, last, packlen, inp_len; - if (arginp[11]<<8|param->inp[12]; @@ -729,10 +743,10 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, vo { if ((param->inp[9]<<8|param->inp[10]) < TLS1_1_VERSION) return -1; - - if (inp_len<2048) return -1; /* too short */ - if (inp_len>=6144) n4x=2; + if (inp_len<2048) return 0; /* too short */ + + if (OPENSSL_ia32cap_P[2]&(1<<5)) n4x=2; /* AVX2 */ key->md = key->head; SHA256_Update(&key->md,param->inp,13); @@ -747,7 +761,7 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, vo } packlen = 5+16+((frag+32+16)&-16); - packlen = (packlen<<(1+n4x))-packlen; + packlen = (packlen<interleave = x4; @@ -757,15 +771,15 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, vo else return -1; /* not yet */ } - case EVP_CTRL_TLS11_MULTI_BLOCK_ENCRYPT: + case EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT: { - EVP_CTRL_TLS11_MULTI_BLOCK_PARAM *param = - (EVP_CTRL_TLS11_MULTI_BLOCK_PARAM *)ptr; + EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *param = + (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr; - return tls11_multi_block_encrypt(key,param->out,param->inp, + return (int)tls1_1_multi_block_encrypt(key,param->out,param->inp, param->len,param->interleave/4); } - case EVP_CTRL_TLS11_MULTI_BLOCK_DECRYPT: + case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT: #endif default: return -1; @@ -781,7 +795,7 @@ static EVP_CIPHER aesni_128_cbc_hmac_sha256_cipher = #endif 16,16,16, EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1| - EVP_CIPH_FLAG_AEAD_CIPHER|EVP_CIPH_FLAG_TLS11_MULTI_BLOCK, + EVP_CIPH_FLAG_AEAD_CIPHER|EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, aesni_cbc_hmac_sha256_init_key, aesni_cbc_hmac_sha256_cipher, NULL, @@ -801,7 +815,7 @@ static EVP_CIPHER aesni_256_cbc_hmac_sha256_cipher = #endif 16,32,16, EVP_CIPH_CBC_MODE|EVP_CIPH_FLAG_DEFAULT_ASN1| - EVP_CIPH_FLAG_AEAD_CIPHER|EVP_CIPH_FLAG_TLS11_MULTI_BLOCK, + EVP_CIPH_FLAG_AEAD_CIPHER|EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, aesni_cbc_hmac_sha256_init_key, aesni_cbc_hmac_sha256_cipher, NULL, -- 2.25.1