/* ====================================================================
- * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
defined(_M_AMD64) || defined(_M_X64) || \
defined(__INTEL__) )
+#if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
+# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
+#endif
+
extern unsigned int OPENSSL_ia32cap_P[2];
#define AESNI_CAPABLE (1<<(57-32))
SHA1_Update(c,ptr,res);
}
+#ifdef SHA1_Update
+#undef SHA1_Update
+#endif
#define SHA1_Update sha1_update
static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
sha_off = SHA_CBLOCK-key->md.num;
#endif
+ key->payload_length = NO_PAYLOAD_LENGTH;
+
if (len%AES_BLOCK_SIZE) return 0;
if (ctx->encrypt) {
&key->ks,ctx->iv,1);
}
} else {
- unsigned char mac[SHA_DIGEST_LENGTH];
+ union { unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
+ unsigned char c[SHA_DIGEST_LENGTH]; } mac;
/* decrypt HMAC|padding at once */
aesni_cbc_encrypt(in,out,len,
&key->ks,ctx->iv,0);
if (plen) { /* "TLS" mode of operation */
- /* figure out payload length */
- if (len<(size_t)(out[len-1]+1+SHA_DIGEST_LENGTH))
- return 0;
-
- len -= (out[len-1]+1+SHA_DIGEST_LENGTH);
+ size_t inp_len, mask, j, i;
+ unsigned int res, maxpad, pad, bitlen;
+ int ret = 1;
+ union { unsigned int u[SHA_LBLOCK];
+ unsigned char c[SHA_CBLOCK]; }
+ *data = (void *)key->md.data;
if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3])
- >= TLS1_1_VERSION) {
- len -= AES_BLOCK_SIZE;
+ >= TLS1_1_VERSION)
iv = AES_BLOCK_SIZE;
- }
- key->aux.tls_aad[plen-2] = len>>8;
- key->aux.tls_aad[plen-1] = len;
+ if (len<(iv+SHA_DIGEST_LENGTH+1))
+ return 0;
+
+ /* omit explicit iv */
+ out += iv;
+ len -= iv;
+
+ /* figure out payload length */
+ pad = out[len-1];
+ maxpad = len-(SHA_DIGEST_LENGTH+1);
+ maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
+ maxpad &= 255;
+
+ inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
+ mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
+ inp_len &= mask;
+ ret &= (int)mask;
- /* calculate HMAC and verify it */
+ key->aux.tls_aad[plen-2] = inp_len>>8;
+ key->aux.tls_aad[plen-1] = inp_len;
+
+ /* calculate HMAC */
key->md = key->head;
SHA1_Update(&key->md,key->aux.tls_aad,plen);
- SHA1_Update(&key->md,out+iv,len);
- SHA1_Final(mac,&key->md);
+#if 1
+ len -= SHA_DIGEST_LENGTH; /* amend mac */
+ if (len>=(256+SHA_CBLOCK)) {
+ j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK);
+ j += SHA_CBLOCK-key->md.num;
+ SHA1_Update(&key->md,out,j);
+ out += j;
+ len -= j;
+ inp_len -= j;
+ }
+
+ /* but pretend as if we hashed padded payload */
+ bitlen = key->md.Nl+(inp_len<<3); /* at most 18 bits */
+ mac.c[0] = 0;
+ mac.c[1] = (unsigned char)(bitlen>>16);
+ mac.c[2] = (unsigned char)(bitlen>>8);
+ mac.c[3] = (unsigned char)bitlen;
+ bitlen = mac.u[0];
+
+ mac.u[0]=0;
+ mac.u[1]=0;
+ mac.u[2]=0;
+ mac.u[3]=0;
+ mac.u[4]=0;
+
+ for (res=key->md.num, j=0;j<len;j++) {
+ size_t c = out[j];
+ mask = (j-inp_len)>>(sizeof(j)*8-8);
+ c &= mask;
+ c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8));
+ data->c[res++]=(unsigned char)c;
+
+ if (res!=SHA_CBLOCK) continue;
+
+ mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
+ data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ sha1_block_data_order(&key->md,data,1);
+ mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+ mac.u[0] |= key->md.h0 & mask;
+ mac.u[1] |= key->md.h1 & mask;
+ mac.u[2] |= key->md.h2 & mask;
+ mac.u[3] |= key->md.h3 & mask;
+ mac.u[4] |= key->md.h4 & mask;
+ res=0;
+ }
+
+ for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0;
+
+ if (res>SHA_CBLOCK-8) {
+ mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
+ data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ sha1_block_data_order(&key->md,data,1);
+ mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+ mac.u[0] |= key->md.h0 & mask;
+ mac.u[1] |= key->md.h1 & mask;
+ mac.u[2] |= key->md.h2 & mask;
+ mac.u[3] |= key->md.h3 & mask;
+ mac.u[4] |= key->md.h4 & mask;
+
+ memset(data,0,SHA_CBLOCK);
+ j+=64;
+ }
+ data->u[SHA_LBLOCK-1] = bitlen;
+ sha1_block_data_order(&key->md,data,1);
+ mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+ mac.u[0] |= key->md.h0 & mask;
+ mac.u[1] |= key->md.h1 & mask;
+ mac.u[2] |= key->md.h2 & mask;
+ mac.u[3] |= key->md.h3 & mask;
+ mac.u[4] |= key->md.h4 & mask;
+
+#ifdef BSWAP
+ mac.u[0] = BSWAP(mac.u[0]);
+ mac.u[1] = BSWAP(mac.u[1]);
+ mac.u[2] = BSWAP(mac.u[2]);
+ mac.u[3] = BSWAP(mac.u[3]);
+ mac.u[4] = BSWAP(mac.u[4]);
+#else
+ for (i=0;i<5;i++) {
+ res = mac.u[i];
+ mac.c[4*i+0]=(unsigned char)(res>>24);
+ mac.c[4*i+1]=(unsigned char)(res>>16);
+ mac.c[4*i+2]=(unsigned char)(res>>8);
+ mac.c[4*i+3]=(unsigned char)res;
+ }
+#endif
+ len += SHA_DIGEST_LENGTH;
+#else
+ SHA1_Update(&key->md,out,inp_len);
+ res = key->md.num;
+ SHA1_Final(mac.c,&key->md);
+
+ {
+ unsigned int inp_blocks, pad_blocks;
+
+ /* but pretend as if we hashed padded payload */
+ inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
+ res += (unsigned int)(len-inp_len);
+ pad_blocks = res / SHA_CBLOCK;
+ res %= SHA_CBLOCK;
+ pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
+ for (;inp_blocks<pad_blocks;inp_blocks++)
+ sha1_block_data_order(&key->md,data,1);
+ }
+#endif
key->md = key->tail;
- SHA1_Update(&key->md,mac,SHA_DIGEST_LENGTH);
- SHA1_Final(mac,&key->md);
+ SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH);
+ SHA1_Final(mac.c,&key->md);
- if (memcmp(out+iv+len,mac,SHA_DIGEST_LENGTH))
- return 0;
+ /* verify HMAC */
+ out += inp_len;
+ len -= inp_len;
+#if 1
+ {
+ unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH;
+ size_t off = out-p;
+ unsigned int c, cmask;
+
+ maxpad += SHA_DIGEST_LENGTH;
+ for (res=0,i=0,j=0;j<maxpad;j++) {
+ c = p[j];
+ cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
+ res |= (c^pad)&~cmask; /* ... and padding */
+ cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
+ res |= (c^mac.c[i])&cmask;
+ i += 1&cmask;
+ }
+ maxpad -= SHA_DIGEST_LENGTH;
+
+ res = 0-((0-res)>>(sizeof(res)*8-1));
+ ret &= (int)~res;
+ }
+#else
+ for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
+ res |= out[i]^mac.c[i];
+ res = 0-((0-res)>>(sizeof(res)*8-1));
+ ret &= (int)~res;
+
+ /* verify padding */
+ pad = (pad&~res) | (maxpad&res);
+ out = out+len-1-pad;
+ for (res=0,i=0;i<pad;i++)
+ res |= out[i]^pad;
+
+ res = (0-res)>>(sizeof(res)*8-1);
+ ret &= (int)~res;
+#endif
+ return ret;
} else {
SHA1_Update(&key->md,out,len);
}
}
- key->payload_length = NO_PAYLOAD_LENGTH;
-
return 1;
}
if (overhead > rec->length)
return 0;
+ /* We can always safely skip the explicit IV. We check at the beginning
+ * of this function that the record has at least enough space for the
+ * IV, MAC and padding length byte. (These can be checked in
+ * non-constant time because it's all public information.) So, if the
+ * padding was invalid, then we didn't change |rec->length| and this is
+ * safe. If the padding was valid then we know that we have at least
+ * overhead+padding_length bytes of space and so this is still safe
+ * because overhead accounts for the explicit IV. */
+ if (has_explicit_iv)
+ {
+ rec->data += block_size;
+ rec->input += block_size;
+ rec->length -= block_size;
+ }
+
padding_length = rec->data[rec->length-1];
/* NB: if compression is in operation the first packet may not be of
}
}
+ if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
+ {
+ /* padding is already verified */
+ rec->length -= padding_length;
+ return 1;
+ }
+
good = constant_time_ge(rec->length, overhead+padding_length);
/* The padding consists of a length byte at the end of the record and
* then that many bytes of padding, all with the same value as the
rec->length -= padding_length;
rec->type |= padding_length<<8; /* kludge: pass padding length */
- /* We can always safely skip the explicit IV. We check at the beginning
- * of this function that the record has at least enough space for the
- * IV, MAC and padding length byte. (These can be checked in
- * non-constant time because it's all public information.) So, if the
- * padding was invalid, then we didn't change |rec->length| and this is
- * safe. If the padding was valid then we know that we have at least
- * overhead+padding_length bytes of space and so this is still safe
- * because overhead accounts for the explicit IV. */
- if (has_explicit_iv)
- {
- rec->data += block_size;
- rec->input += block_size;
- rec->length -= block_size;
- }
-
return (int)((good & 1) | (~good & -1));
}
projects / openssl.git / commitdiff