X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fevp%2Fe_aes_cbc_hmac_sha256.c;h=72508c9851c6c13cbf2e096d8c08d7687b3354fa;hp=3ac59abc34da8b34ad76fed3605e5f9d7d59f792;hb=4dcff55c75f911ea190b57b94d9540f80a961a4f;hpb=70428eada9bc4cf31424d723d1f992baffeb0dfb diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c index 3ac59abc34..72508c9851 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha256.c +++ b/crypto/evp/e_aes_cbc_hmac_sha256.c @@ -1,82 +1,31 @@ -/* ==================================================================== - * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved. +/* + * Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ -#include +/* + * AES low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" #include #include - - +#include #include #include #include #include #include -#include "modes_lcl.h" -#include "internal/constant_time_locl.h" -#include "internal/evp_int.h" - -#ifndef EVP_CIPH_FLAG_AEAD_CIPHER -# define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 -# define EVP_CTRL_AEAD_TLS1_AAD 0x16 -# define EVP_CTRL_AEAD_SET_MAC_KEY 0x17 -#endif - -#if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1) -# define EVP_CIPH_FLAG_DEFAULT_ASN1 0 -#endif - -#if !defined(EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) -# define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0 -#endif - -#define TLS1_1_VERSION 0x0302 +#include "internal/cryptlib.h" +#include "crypto/modes.h" +#include "internal/constant_time.h" +#include "crypto/evp.h" typedef struct { AES_KEY ks; @@ -94,7 +43,6 @@ typedef struct { defined(__x86_64) || defined(__x86_64__) || \ defined(_M_AMD64) || defined(_M_X64) ) -extern unsigned int OPENSSL_ia32cap_P[]; # define AESNI_CAPABLE (1<<(57-32)) int aesni_set_encrypt_key(const unsigned char *userKey, int bits, @@ -121,10 +69,9 @@ static int aesni_cbc_hmac_sha256_init_key(EVP_CIPHER_CTX *ctx, int ret; if (enc) - memset(&key->ks, 0, sizeof(key->ks.rd_key)), - ret = aesni_set_encrypt_key(inkey, - EVP_CIPHER_CTX_key_length(ctx) * 8, - &key->ks); + ret = aesni_set_encrypt_key(inkey, + EVP_CIPHER_CTX_key_length(ctx) * 8, + &key->ks); else ret = aesni_set_decrypt_key(inkey, EVP_CIPHER_CTX_key_length(ctx) * 8, @@ -183,7 +130,7 @@ static void sha256_update(SHA256_CTX *c, const void *data, size_t len) # endif # define SHA256_Update sha256_update -# if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK +# if !defined(OPENSSL_NO_MULTIBLOCK) typedef struct { unsigned int A[8], B[8], C[8], D[8], E[8], F[8], G[8], H[8]; @@ -510,10 +457,12 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, * to identify it and avoid stitch invocation. So that after we * establish that current CPU supports AVX, we even see if it's * either even XOP-capable Bulldozer-based or GenuineIntel one. + * But SHAEXT-capable go ahead... */ - if (OPENSSL_ia32cap_P[1] & (1 << (60 - 32)) && /* AVX? */ - ((OPENSSL_ia32cap_P[1] & (1 << (43 - 32))) /* XOP? */ - | (OPENSSL_ia32cap_P[0] & (1<<30))) && /* "Intel CPU"? */ + if (((OPENSSL_ia32cap_P[2] & (1 << 29)) || /* SHAEXT? */ + ((OPENSSL_ia32cap_P[1] & (1 << (60 - 32))) && /* AVX? */ + ((OPENSSL_ia32cap_P[1] & (1 << (43 - 32))) /* XOP? */ + | (OPENSSL_ia32cap_P[0] & (1 << 30))))) && /* "Intel CPU"? */ plen > (sha_off + iv) && (blocks = (plen - (sha_off + iv)) / SHA256_CBLOCK)) { SHA256_Update(&key->md, in + iv, sha_off); @@ -595,12 +544,17 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad &= 255; - ret &= constant_time_ge(maxpad, pad); + mask = constant_time_ge(maxpad, pad); + ret &= mask; + /* + * If pad is invalid then we will fail the above test but we must + * continue anyway because we are in constant time code. However, + * we'll use the maxpad value instead of the supplied pad to make + * sure we perform well defined pointer arithmetic. + */ + pad = constant_time_select(mask, pad, maxpad); inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1); - mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); - inp_len &= mask; - ret &= (int)mask; key->aux.tls_aad[plen - 2] = inp_len >> 8; key->aux.tls_aad[plen - 1] = inp_len; @@ -609,7 +563,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, key->md = key->head; SHA256_Update(&key->md, key->aux.tls_aad, plen); -# if 1 +# if 1 /* see original reference version in #else */ len -= SHA256_DIGEST_LENGTH; /* amend mac */ if (len >= (256 + SHA256_CBLOCK)) { j = (len - (256 + SHA256_CBLOCK)) & (0 - SHA256_CBLOCK); @@ -737,7 +691,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, for (; inp_blocks < pad_blocks; inp_blocks++) sha1_block_data_order(&key->md, data, 1); } -# endif +# endif /* pre-lucky-13 reference version of above */ key->md = key->tail; SHA256_Update(&key->md, pmac->c, SHA256_DIGEST_LENGTH); SHA256_Final(pmac->c, &key->md); @@ -745,7 +699,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, /* verify HMAC */ out += inp_len; len -= inp_len; -# if 1 +# if 1 /* see original reference version in #else */ { unsigned char *p = out + len - 1 - maxpad - SHA256_DIGEST_LENGTH; @@ -768,7 +722,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); ret &= (int)~res; } -# else +# else /* pre-lucky-13 reference version of above */ for (res = 0, i = 0; i < SHA256_DIGEST_LENGTH; i++) res |= out[i] ^ pmac->c[i]; res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1)); @@ -834,15 +788,19 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, case EVP_CTRL_AEAD_TLS1_AAD: { unsigned char *p = ptr; - unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + unsigned int len; if (arg != EVP_AEAD_TLS1_AAD_LEN) return -1; + len = p[arg - 2] << 8 | p[arg - 1]; + if (EVP_CIPHER_CTX_encrypting(ctx)) { key->payload_length = len; if ((key->aux.tls_ver = p[arg - 4] << 8 | p[arg - 3]) >= TLS1_1_VERSION) { + if (len < AES_BLOCK_SIZE) + return 0; len -= AES_BLOCK_SIZE; p[arg - 2] = len >> 8; p[arg - 1] = len; @@ -860,7 +818,7 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, return SHA256_DIGEST_LENGTH; } } -# if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK +# if !defined(OPENSSL_NO_MULTIBLOCK) case EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE: return (int)(5 + 16 + ((arg + 32 + 16) & -16)); case EVP_CTRL_TLS1_1_MULTIBLOCK_AAD: