kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
3469 Commits
12 Branches
38 MiB
Struktur: 4008c7a80d
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „4008c7a80d“
${ noResults }
boringssl/crypto/cipher/tls_cbc.c

tls_cbc.c 20 KiB
Originalformat Normale Ansicht Verlauf

Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove string.h from base.h. Including string.h in base.h causes any file that includes a BoringSSL header to include string.h. Generally this wouldn't be a problem, although string.h might slow down the compile if it wasn't otherwise needed. However, it also causes problems for ipsec-tools in Android because OpenSSL didn't have this behaviour. This change removes string.h from base.h and, instead, adds it to each .c file that requires it. Change-Id: I5968e50b0e230fd3adf9b72dd2836e6f52d6fb37 Reviewed-on: https://boringssl-review.googlesource.com/3200 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove some easy obj.h dependencies. A lot of consumers of obj.h only want the NID values. Others didn't need it at all. This also removes some OBJ_nid2sn and OBJ_nid2ln calls in EVP error paths which isn't worth pulling a large table in for. BUG=chromium:499653 Change-Id: Id6dff578f993012e35b740a13b8e4f9c2edc0744 Reviewed-on: https://boringssl-review.googlesource.com/7563 Reviewed-by: David Benjamin <davidben@google.com>
vor 8 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Add missing internal includes. Partially fixes build with -Wmissing-prototypes -Wmissing-declarations. Change-Id: I51209c30f532899f57cfdd9a50cff0a8ee3da5b5 Signed-off-by: Piotr Sikora <piotrsikora@google.com> Reviewed-on: https://boringssl-review.googlesource.com/7512 Reviewed-by: David Benjamin <davidben@google.com>
vor 8 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Fix up EVP_tls_cbc_remove_padding's calling convention. The old one was rather confusing. Switch to returning 1/0 for whether the padding is publicly invalid and then add an output argument which returns a constant_time_eq-style boolean. Change-Id: Ieba89d352faf80e9bcea993b716f4b2df5439d4b Reviewed-on: https://boringssl-review.googlesource.com/10222 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
vor 8 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Implement all TLS ciphers with stateful AEADs. The EVP_CIPHER codepath should no longer be used with TLS. It still exists for DTLS and SSLv3. The AEAD construction in TLS does not allow for variable-overhead AEADs, so stateful AEADs do not include the length in the ad parameter. Rather the AEADs internally append the unpadded length once it is known. EVP_aead_rc4_md5_tls is modified to account for this. Tests are added (and RC4-MD5's regenerated) for each of the new AEADs. The cipher tests are all moved into crypto/cipher/test because there's now a lot of them and they clutter the directory listing. In ssl/, the stateful AEAD logic is also modified to account for stateful AEADs with a fixed IV component, and for AEADs which use a random nonce (for the explicit-IV CBC mode ciphers). The new implementation fixes a bug/quirk in stateless CBC mode ciphers where the fixed IV portion of the keyblock was generated regardless. This is at the end, so it's only relevant for EAP-TLS which generates a MSK from the end of the key block. Change-Id: I2d8b8aa11deb43bde2fd733f4f90b5d5b8cb1334 Reviewed-on: https://boringssl-review.googlesource.com/2692 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Fix up EVP_tls_cbc_remove_padding's calling convention. The old one was rather confusing. Switch to returning 1/0 for whether the padding is publicly invalid and then add an output argument which returns a constant_time_eq-style boolean. Change-Id: Ieba89d352faf80e9bcea993b716f4b2df5439d4b Reviewed-on: https://boringssl-review.googlesource.com/10222 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
vor 8 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replace CBC_MAC_ROTATE_IN_PLACE with an N lg N rotation. Really the only thing we should be doing with these ciphers is hastening their demise, but it was the weekend and this seemed like fun. EVP_tls_cbc_copy_mac needs to rotate a buffer by a secret amount. (It extracts the MAC, but rotated.) We have two codepaths for this. If CBC_MAC_ROTATE_IN_PLACE is defined (always on), we make some assumptions abuot cache lines, play games with volatile, and hope that doesn't leak anything. Otherwise, we do O(N^2) work to constant-time select the rotation incidences. But we can do O(N lg N). Rotate by powers of two and constant-time select by the offset's bit positions. (Handwaivy lower-bound: an array position has N possible values, so, armed with only a constant-time select, we need O(lg N) work to resolve it. There's N array positions, so O(N lg N).) A microbenchmark of EVP_tls_cbc_copy_mac shows this is 27% faster than the old one, but still 32% slower than the in-place version. in-place: Did 15724000 CopyFromMAC operations in 20000744us (786170.8 ops/sec) N^2: Did 8443000 CopyFromMAC operations in 20001582us (422116.6 ops/sec) N lg N: Did 10718000 CopyFromMAC operations in 20000763us (535879.6 ops/sec) This results in the following the CBC ciphers. I measured AES-128-CBC-SHA1 and AES-256-CBC-SHA384 which are, respectively, the cipher where the other bits are the fastest and the cipher where N is largest. in-place: Did 2634000 AES-128-CBC-SHA1 (16 bytes) open operations in 10000739us (263380.5 ops/sec): 4.2 MB/s Did 1424000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10002782us (142360.4 ops/sec): 192.2 MB/s Did 531000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10002460us (53086.9 ops/sec): 434.9 MB/s N^2: Did 2529000 AES-128-CBC-SHA1 (16 bytes) open operations in 10001474us (252862.7 ops/sec): 4.0 MB/s Did 1392000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10006659us (139107.4 ops/sec): 187.8 MB/s Did 528000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10001276us (52793.3 ops/sec): 432.5 MB/s N lg N: Did 2531000 AES-128-CBC-SHA1 (16 bytes) open operations in 10003057us (253022.7 ops/sec): 4.0 MB/s Did 1390000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10003287us (138954.3 ops/sec): 187.6 MB/s Did 531000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10002448us (53087.0 ops/sec): 434.9 MB/s in-place: Did 1249000 AES-256-CBC-SHA384 (16 bytes) open operations in 10001767us (124877.9 ops/sec): 2.0 MB/s Did 879000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10009244us (87818.8 ops/sec): 118.6 MB/s Did 344000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10025897us (34311.1 ops/sec): 281.1 MB/s N^2: Did 1072000 AES-256-CBC-SHA384 (16 bytes) open operations in 10008090us (107113.3 ops/sec): 1.7 MB/s Did 780000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10007787us (77939.3 ops/sec): 105.2 MB/s Did 333000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10016332us (33245.7 ops/sec): 272.3 MB/s N lg N: Did 1168000 AES-256-CBC-SHA384 (16 bytes) open operations in 10007671us (116710.5 ops/sec): 1.9 MB/s Did 836000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10001536us (83587.2 ops/sec): 112.8 MB/s Did 339000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10018522us (33837.3 ops/sec): 277.2 MB/s TLS CBC performance isn't as important as it was before, and the costs aren't that high, so avoid making assumptions about cache lines. (If we care much about CBC open performance, we probably should get the malloc out of EVP_tls_cbc_digest_record at the end.) Change-Id: Ib8d8271be4b09e5635062cd3b039e1e96f0d9d3d Reviewed-on: https://boringssl-review.googlesource.com/11003 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
vor 8 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Use Barrett reduction in CBC processing rather than tricks. Division isn't constant-time on Intel chips so the code was adding a large multiple of md_size to try and force the operation to always take the maximum amount of time. I'm less convinced, these days, that compilers aren't going to get smart enough to optimise that away so use Barrett reduction instead. Change-Id: Ib8c514192682a2fcb4b1fb7e7c6dd1301d9888d0 Reviewed-on: https://boringssl-review.googlesource.com/6906 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <alangley@gmail.com>
vor 8 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Use Barrett reduction in CBC processing rather than tricks. Division isn't constant-time on Intel chips so the code was adding a large multiple of md_size to try and force the operation to always take the maximum amount of time. I'm less convinced, these days, that compilers aren't going to get smart enough to optimise that away so use Barrett reduction instead. Change-Id: Ib8c514192682a2fcb4b1fb7e7c6dd1301d9888d0 Reviewed-on: https://boringssl-review.googlesource.com/6906 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <alangley@gmail.com>
vor 8 Jahren
Add a comment with an SMT verification of the Barrett reductions. Change-Id: I32dc13b16733fc09e53e3891ca68f51df6c1624c Reviewed-on: https://boringssl-review.googlesource.com/7850 Reviewed-by: David Benjamin <davidben@google.com>
vor 8 Jahren
Use Barrett reduction in CBC processing rather than tricks. Division isn't constant-time on Intel chips so the code was adding a large multiple of md_size to try and force the operation to always take the maximum amount of time. I'm less convinced, these days, that compilers aren't going to get smart enough to optimise that away so use Barrett reduction instead. Change-Id: Ib8c514192682a2fcb4b1fb7e7c6dd1301d9888d0 Reviewed-on: https://boringssl-review.googlesource.com/6906 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <alangley@gmail.com>
vor 8 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replace CBC_MAC_ROTATE_IN_PLACE with an N lg N rotation. Really the only thing we should be doing with these ciphers is hastening their demise, but it was the weekend and this seemed like fun. EVP_tls_cbc_copy_mac needs to rotate a buffer by a secret amount. (It extracts the MAC, but rotated.) We have two codepaths for this. If CBC_MAC_ROTATE_IN_PLACE is defined (always on), we make some assumptions abuot cache lines, play games with volatile, and hope that doesn't leak anything. Otherwise, we do O(N^2) work to constant-time select the rotation incidences. But we can do O(N lg N). Rotate by powers of two and constant-time select by the offset's bit positions. (Handwaivy lower-bound: an array position has N possible values, so, armed with only a constant-time select, we need O(lg N) work to resolve it. There's N array positions, so O(N lg N).) A microbenchmark of EVP_tls_cbc_copy_mac shows this is 27% faster than the old one, but still 32% slower than the in-place version. in-place: Did 15724000 CopyFromMAC operations in 20000744us (786170.8 ops/sec) N^2: Did 8443000 CopyFromMAC operations in 20001582us (422116.6 ops/sec) N lg N: Did 10718000 CopyFromMAC operations in 20000763us (535879.6 ops/sec) This results in the following the CBC ciphers. I measured AES-128-CBC-SHA1 and AES-256-CBC-SHA384 which are, respectively, the cipher where the other bits are the fastest and the cipher where N is largest. in-place: Did 2634000 AES-128-CBC-SHA1 (16 bytes) open operations in 10000739us (263380.5 ops/sec): 4.2 MB/s Did 1424000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10002782us (142360.4 ops/sec): 192.2 MB/s Did 531000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10002460us (53086.9 ops/sec): 434.9 MB/s N^2: Did 2529000 AES-128-CBC-SHA1 (16 bytes) open operations in 10001474us (252862.7 ops/sec): 4.0 MB/s Did 1392000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10006659us (139107.4 ops/sec): 187.8 MB/s Did 528000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10001276us (52793.3 ops/sec): 432.5 MB/s N lg N: Did 2531000 AES-128-CBC-SHA1 (16 bytes) open operations in 10003057us (253022.7 ops/sec): 4.0 MB/s Did 1390000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10003287us (138954.3 ops/sec): 187.6 MB/s Did 531000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10002448us (53087.0 ops/sec): 434.9 MB/s in-place: Did 1249000 AES-256-CBC-SHA384 (16 bytes) open operations in 10001767us (124877.9 ops/sec): 2.0 MB/s Did 879000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10009244us (87818.8 ops/sec): 118.6 MB/s Did 344000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10025897us (34311.1 ops/sec): 281.1 MB/s N^2: Did 1072000 AES-256-CBC-SHA384 (16 bytes) open operations in 10008090us (107113.3 ops/sec): 1.7 MB/s Did 780000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10007787us (77939.3 ops/sec): 105.2 MB/s Did 333000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10016332us (33245.7 ops/sec): 272.3 MB/s N lg N: Did 1168000 AES-256-CBC-SHA384 (16 bytes) open operations in 10007671us (116710.5 ops/sec): 1.9 MB/s Did 836000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10001536us (83587.2 ops/sec): 112.8 MB/s Did 339000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10018522us (33837.3 ops/sec): 277.2 MB/s TLS CBC performance isn't as important as it was before, and the costs aren't that high, so avoid making assumptions about cache lines. (If we care much about CBC open performance, we probably should get the malloc out of EVP_tls_cbc_digest_record at the end.) Change-Id: Ib8d8271be4b09e5635062cd3b039e1e96f0d9d3d Reviewed-on: https://boringssl-review.googlesource.com/11003 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
vor 8 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replace CBC_MAC_ROTATE_IN_PLACE with an N lg N rotation. Really the only thing we should be doing with these ciphers is hastening their demise, but it was the weekend and this seemed like fun. EVP_tls_cbc_copy_mac needs to rotate a buffer by a secret amount. (It extracts the MAC, but rotated.) We have two codepaths for this. If CBC_MAC_ROTATE_IN_PLACE is defined (always on), we make some assumptions abuot cache lines, play games with volatile, and hope that doesn't leak anything. Otherwise, we do O(N^2) work to constant-time select the rotation incidences. But we can do O(N lg N). Rotate by powers of two and constant-time select by the offset's bit positions. (Handwaivy lower-bound: an array position has N possible values, so, armed with only a constant-time select, we need O(lg N) work to resolve it. There's N array positions, so O(N lg N).) A microbenchmark of EVP_tls_cbc_copy_mac shows this is 27% faster than the old one, but still 32% slower than the in-place version. in-place: Did 15724000 CopyFromMAC operations in 20000744us (786170.8 ops/sec) N^2: Did 8443000 CopyFromMAC operations in 20001582us (422116.6 ops/sec) N lg N: Did 10718000 CopyFromMAC operations in 20000763us (535879.6 ops/sec) This results in the following the CBC ciphers. I measured AES-128-CBC-SHA1 and AES-256-CBC-SHA384 which are, respectively, the cipher where the other bits are the fastest and the cipher where N is largest. in-place: Did 2634000 AES-128-CBC-SHA1 (16 bytes) open operations in 10000739us (263380.5 ops/sec): 4.2 MB/s Did 1424000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10002782us (142360.4 ops/sec): 192.2 MB/s Did 531000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10002460us (53086.9 ops/sec): 434.9 MB/s N^2: Did 2529000 AES-128-CBC-SHA1 (16 bytes) open operations in 10001474us (252862.7 ops/sec): 4.0 MB/s Did 1392000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10006659us (139107.4 ops/sec): 187.8 MB/s Did 528000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10001276us (52793.3 ops/sec): 432.5 MB/s N lg N: Did 2531000 AES-128-CBC-SHA1 (16 bytes) open operations in 10003057us (253022.7 ops/sec): 4.0 MB/s Did 1390000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10003287us (138954.3 ops/sec): 187.6 MB/s Did 531000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10002448us (53087.0 ops/sec): 434.9 MB/s in-place: Did 1249000 AES-256-CBC-SHA384 (16 bytes) open operations in 10001767us (124877.9 ops/sec): 2.0 MB/s Did 879000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10009244us (87818.8 ops/sec): 118.6 MB/s Did 344000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10025897us (34311.1 ops/sec): 281.1 MB/s N^2: Did 1072000 AES-256-CBC-SHA384 (16 bytes) open operations in 10008090us (107113.3 ops/sec): 1.7 MB/s Did 780000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10007787us (77939.3 ops/sec): 105.2 MB/s Did 333000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10016332us (33245.7 ops/sec): 272.3 MB/s N lg N: Did 1168000 AES-256-CBC-SHA384 (16 bytes) open operations in 10007671us (116710.5 ops/sec): 1.9 MB/s Did 836000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10001536us (83587.2 ops/sec): 112.8 MB/s Did 339000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10018522us (33837.3 ops/sec): 277.2 MB/s TLS CBC performance isn't as important as it was before, and the costs aren't that high, so avoid making assumptions about cache lines. (If we care much about CBC open performance, we probably should get the malloc out of EVP_tls_cbc_digest_record at the end.) Change-Id: Ib8d8271be4b09e5635062cd3b039e1e96f0d9d3d Reviewed-on: https://boringssl-review.googlesource.com/11003 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
vor 8 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replace CBC_MAC_ROTATE_IN_PLACE with an N lg N rotation. Really the only thing we should be doing with these ciphers is hastening their demise, but it was the weekend and this seemed like fun. EVP_tls_cbc_copy_mac needs to rotate a buffer by a secret amount. (It extracts the MAC, but rotated.) We have two codepaths for this. If CBC_MAC_ROTATE_IN_PLACE is defined (always on), we make some assumptions abuot cache lines, play games with volatile, and hope that doesn't leak anything. Otherwise, we do O(N^2) work to constant-time select the rotation incidences. But we can do O(N lg N). Rotate by powers of two and constant-time select by the offset's bit positions. (Handwaivy lower-bound: an array position has N possible values, so, armed with only a constant-time select, we need O(lg N) work to resolve it. There's N array positions, so O(N lg N).) A microbenchmark of EVP_tls_cbc_copy_mac shows this is 27% faster than the old one, but still 32% slower than the in-place version. in-place: Did 15724000 CopyFromMAC operations in 20000744us (786170.8 ops/sec) N^2: Did 8443000 CopyFromMAC operations in 20001582us (422116.6 ops/sec) N lg N: Did 10718000 CopyFromMAC operations in 20000763us (535879.6 ops/sec) This results in the following the CBC ciphers. I measured AES-128-CBC-SHA1 and AES-256-CBC-SHA384 which are, respectively, the cipher where the other bits are the fastest and the cipher where N is largest. in-place: Did 2634000 AES-128-CBC-SHA1 (16 bytes) open operations in 10000739us (263380.5 ops/sec): 4.2 MB/s Did 1424000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10002782us (142360.4 ops/sec): 192.2 MB/s Did 531000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10002460us (53086.9 ops/sec): 434.9 MB/s N^2: Did 2529000 AES-128-CBC-SHA1 (16 bytes) open operations in 10001474us (252862.7 ops/sec): 4.0 MB/s Did 1392000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10006659us (139107.4 ops/sec): 187.8 MB/s Did 528000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10001276us (52793.3 ops/sec): 432.5 MB/s N lg N: Did 2531000 AES-128-CBC-SHA1 (16 bytes) open operations in 10003057us (253022.7 ops/sec): 4.0 MB/s Did 1390000 AES-128-CBC-SHA1 (1350 bytes) open operations in 10003287us (138954.3 ops/sec): 187.6 MB/s Did 531000 AES-128-CBC-SHA1 (8192 bytes) open operations in 10002448us (53087.0 ops/sec): 434.9 MB/s in-place: Did 1249000 AES-256-CBC-SHA384 (16 bytes) open operations in 10001767us (124877.9 ops/sec): 2.0 MB/s Did 879000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10009244us (87818.8 ops/sec): 118.6 MB/s Did 344000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10025897us (34311.1 ops/sec): 281.1 MB/s N^2: Did 1072000 AES-256-CBC-SHA384 (16 bytes) open operations in 10008090us (107113.3 ops/sec): 1.7 MB/s Did 780000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10007787us (77939.3 ops/sec): 105.2 MB/s Did 333000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10016332us (33245.7 ops/sec): 272.3 MB/s N lg N: Did 1168000 AES-256-CBC-SHA384 (16 bytes) open operations in 10007671us (116710.5 ops/sec): 1.9 MB/s Did 836000 AES-256-CBC-SHA384 (1350 bytes) open operations in 10001536us (83587.2 ops/sec): 112.8 MB/s Did 339000 AES-256-CBC-SHA384 (8192 bytes) open operations in 10018522us (33837.3 ops/sec): 277.2 MB/s TLS CBC performance isn't as important as it was before, and the costs aren't that high, so avoid making assumptions about cache lines. (If we care much about CBC open performance, we probably should get the malloc out of EVP_tls_cbc_digest_record at the end.) Change-Id: Ib8d8271be4b09e5635062cd3b039e1e96f0d9d3d Reviewed-on: https://boringssl-review.googlesource.com/11003 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
vor 8 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Fix up macros. Macros need a healthy dose of parentheses to avoid expression-level misparses. Most of this comes from the clang-tidy CL here: https://android-review.googlesource.com/c/235696/ Also switch most of the macros to use do { ... } while (0) to avoid all the excessive comma operators and statement-level misparses. Change-Id: I4c2ee51e347d2aa8c74a2d82de63838b03bbb0f9 Reviewed-on: https://boringssl-review.googlesource.com/11660 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
vor 8 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Fix up macros. Macros need a healthy dose of parentheses to avoid expression-level misparses. Most of this comes from the clang-tidy CL here: https://android-review.googlesource.com/c/235696/ Also switch most of the macros to use do { ... } while (0) to avoid all the excessive comma operators and statement-level misparses. Change-Id: I4c2ee51e347d2aa8c74a2d82de63838b03bbb0f9 Reviewed-on: https://boringssl-review.googlesource.com/11660 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
vor 8 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Improve crypto/digest/md32_common.h mechanism. The documentation in md32_common.h is now (more) correct with respect to the most important details of the layout of |HASH_CTX|. The documentation explaining why sha512.c doesn't use md32_common.h is now more accurate as well. Before, the C implementations of HASH_BLOCK_DATA_ORDER took a pointer to the |HASH_CTX| and the assembly language implementations took a pointer to the hash state |h| member of |HASH_CTX|. (This worked because |h| is always the first member of |HASH_CTX|.) Now, the C implementations take a pointer directly to |h| too. The definitions of |MD4_CTX|, |MD5_CTX|, and |SHA1_CTX| were changed to be consistent with |SHA256_CTX| and |SHA512_CTX| in storing the hash state in an array. This will break source compatibility with any external code that accesses the hash state directly, but will not affect binary compatibility. The second parameter of |HASH_BLOCK_DATA_ORDER| is now of type |const uint8_t *|; previously it was |void *| and all implementations had a |uint8_t *data| variable to access it as an array of bytes. This change paves the way for future refactorings such as automatically generating the |*_Init| functions and/or sharing one I-U-F implementation across all digest algorithms. Change-Id: I6e9dd09ff057c67941021d324a4fa1d39f58b0db Reviewed-on: https://boringssl-review.googlesource.com/6405 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Drop SSLv3 parts of crypto/cipher/tls_cbc.c. CBC modes in SSLv3 are bust already with POODLE and we're moving away from it. Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the TLS-only AEADs. Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa Reviewed-on: https://boringssl-review.googlesource.com/2693 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Replicate s3_cbc.c under crypto/cipher/internal.h. These helper functions will be used in the implementation of the legacy CBC mode AEADs. The file is copied as-is and then modified to remove the dependency on ssl/. Notably explicit IV logic is removed (that's a side effect of how explicit IVs are currently implemented) and the padding length is returned directly rather than smuggled into rec->type. (Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.) The helpers are currently unused. Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db Reviewed-on: https://boringssl-review.googlesource.com/2691 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557 
  1. /* ====================================================================

  2.  * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.

  3.  *

  4.  * Redistribution and use in source and binary forms, with or without

  5.  * modification, are permitted provided that the following conditions

  6.  * are met:

  7.  *

  8.  * 1. Redistributions of source code must retain the above copyright

  9.  *    notice, this list of conditions and the following disclaimer.

  10.  *

  11.  * 2. Redistributions in binary form must reproduce the above copyright

  12.  *    notice, this list of conditions and the following disclaimer in

  13.  *    the documentation and/or other materials provided with the

  14.  *    distribution.

  15.  *

  16.  * 3. All advertising materials mentioning features or use of this

  17.  *    software must display the following acknowledgment:

  18.  *    "This product includes software developed by the OpenSSL Project

  19.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  20.  *

  21.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  22.  *    endorse or promote products derived from this software without

  23.  *    prior written permission. For written permission, please contact

  24.  *    openssl-core@openssl.org.

  25.  *

  26.  * 5. Products derived from this software may not be called "OpenSSL"

  27.  *    nor may "OpenSSL" appear in their names without prior written

  28.  *    permission of the OpenSSL Project.

  29.  *

  30.  * 6. Redistributions of any form whatsoever must retain the following

  31.  *    acknowledgment:

  32.  *    "This product includes software developed by the OpenSSL Project

  33.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  34.  *

  35.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  36.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  37.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  38.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  39.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  40.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  41.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  42.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  43.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  44.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  45.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  46.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  47.  * ====================================================================

  48.  *

  49.  * This product includes cryptographic software written by Eric Young

  50.  * (eay@cryptsoft.com).  This product includes software written by Tim

  51.  * Hudson (tjh@cryptsoft.com). */

  52. 

  53. #include <assert.h>

  54. #include <string.h>

  55. 

  56. #include <openssl/digest.h>

  57. #include <openssl/nid.h>

  58. #include <openssl/sha.h>

  59. 

  60. #include "../internal.h"

  61. #include "internal.h"

  62. 

  63. 

  64. /* TODO(davidben): unsigned should be size_t. The various constant_time

  65.  * functions need to be switched to size_t. */

  66. 

  67. /* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length

  68.  * field. (SHA-384/512 have 128-bit length.) */

  69. #define MAX_HASH_BIT_COUNT_BYTES 16

  70. 

  71. /* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.

  72.  * Currently SHA-384/512 has a 128-byte block size and that's the largest

  73.  * supported by TLS.) */

  74. #define MAX_HASH_BLOCK_SIZE 128

  75. 

  76. int EVP_tls_cbc_remove_padding(unsigned *out_padding_ok, unsigned *out_len,

  77.                                const uint8_t *in, unsigned in_len,

  78.                                unsigned block_size, unsigned mac_size) {

  79.   unsigned padding_length, good, to_check, i;

  80.   const unsigned overhead = 1 /* padding length byte */ + mac_size;

  81. 

  82.   /* These lengths are all public so we can test them in non-constant time. */

  83.   if (overhead > in_len) {

  84.     return 0;

  85.   }

  86. 

  87.   padding_length = in[in_len - 1];

  88. 

  89.   good = constant_time_ge(in_len, overhead + padding_length);

  90.   /* The padding consists of a length byte at the end of the record and

  91.    * then that many bytes of padding, all with the same value as the

  92.    * length byte. Thus, with the length byte included, there are i+1

  93.    * bytes of padding.

  94.    *

  95.    * We can't check just |padding_length+1| bytes because that leaks

  96.    * decrypted information. Therefore we always have to check the maximum

  97.    * amount of padding possible. (Again, the length of the record is

  98.    * public information so we can use it.) */

  99.   to_check = 256; /* maximum amount of padding, inc length byte. */

  100.   if (to_check > in_len) {

  101.     to_check = in_len;

  102.   }

  103. 

  104.   for (i = 0; i < to_check; i++) {

  105.     uint8_t mask = constant_time_ge_8(padding_length, i);

  106.     uint8_t b = in[in_len - 1 - i];

  107.     /* The final |padding_length+1| bytes should all have the value

  108.      * |padding_length|. Therefore the XOR should be zero. */

  109.     good &= ~(mask & (padding_length ^ b));

  110.   }

  111. 

  112.   /* If any of the final |padding_length+1| bytes had the wrong value,

  113.    * one or more of the lower eight bits of |good| will be cleared. */

  114.   good = constant_time_eq(0xff, good & 0xff);

  115. 

  116.   /* Always treat |padding_length| as zero on error. If, assuming block size of

  117.    * 16, a padding of [<15 arbitrary bytes> 15] treated |padding_length| as 16

  118.    * and returned -1, distinguishing good MAC and bad padding from bad MAC and

  119.    * bad padding would give POODLE's padding oracle. */

  120.   padding_length = good & (padding_length + 1);

  121.   *out_len = in_len - padding_length;

  122.   *out_padding_ok = good;

  123.   return 1;

  124. }

  125. 

  126. void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,

  127.                           const uint8_t *in, unsigned in_len,

  128.                           unsigned orig_len) {

  129.   uint8_t rotated_mac1[EVP_MAX_MD_SIZE], rotated_mac2[EVP_MAX_MD_SIZE];

  130.   uint8_t *rotated_mac = rotated_mac1;

  131.   uint8_t *rotated_mac_tmp = rotated_mac2;

  132. 

  133.   /* mac_end is the index of |in| just after the end of the MAC. */

  134.   unsigned mac_end = in_len;

  135.   unsigned mac_start = mac_end - md_size;

  136.   /* scan_start contains the number of bytes that we can ignore because

  137.    * the MAC's position can only vary by 255 bytes. */

  138.   unsigned scan_start = 0;

  139.   unsigned i, j;

  140.   unsigned rotate_offset;

  141. 

  142.   assert(orig_len >= in_len);

  143.   assert(in_len >= md_size);

  144.   assert(md_size <= EVP_MAX_MD_SIZE);

  145. 

  146.   /* This information is public so it's safe to branch based on it. */

  147.   if (orig_len > md_size + 255 + 1) {

  148.     scan_start = orig_len - (md_size + 255 + 1);

  149.   }

  150. 

  151.   /* Ideally the next statement would be:

  152.    *

  153.    *   rotate_offset = (mac_start - scan_start) % md_size;

  154.    *

  155.    * However, division is not a constant-time operation (at least on Intel

  156.    * chips). Thus we enumerate the possible values of md_size and handle each

  157.    * separately. The value of |md_size| is public information (it's determined

  158.    * by the cipher suite in the ServerHello) so our timing can vary based on

  159.    * its value. */

  160. 

  161.   rotate_offset = mac_start - scan_start;

  162.   /* rotate_offset can be, at most, 255 (bytes of padding) + 1 (padding length)

  163.    * + md_size = 256 + 48 (since SHA-384 is the largest hash) = 304. */

  164.   assert(rotate_offset <= 304);

  165. 

  166.   /* Below is an SMT-LIB2 verification that the Barrett reductions below are

  167.    * correct within this range:

  168.    *

  169.    * (define-fun barrett (

  170.    *     (x (_ BitVec 32))

  171.    *     (mul (_ BitVec 32))

  172.    *     (shift (_ BitVec 32))

  173.    *     (divisor (_ BitVec 32)) ) (_ BitVec 32)

  174.    *   (let ((q (bvsub x (bvmul divisor (bvlshr (bvmul x mul) shift))) ))

  175.    *     (ite (bvuge q divisor)

  176.    *       (bvsub q divisor)

  177.    *       q)))

  178.    *

  179.    * (declare-fun x () (_ BitVec 32))

  180.    *

  181.    * (assert (or

  182.    *   (let (

  183.    *     (divisor (_ bv20 32))

  184.    *     (mul (_ bv25 32))

  185.    *     (shift (_ bv9 32))

  186.    *     (limit (_ bv853 32)))

  187.    *

  188.    *     (and (bvule x limit) (not (= (bvurem x divisor)

  189.    *                                  (barrett x mul shift divisor)))))

  190.    *

  191.    *   (let (

  192.    *     (divisor (_ bv48 32))

  193.    *     (mul (_ bv10 32))

  194.    *     (shift (_ bv9 32))

  195.    *     (limit (_ bv768 32)))

  196.    *

  197.    *     (and (bvule x limit) (not (= (bvurem x divisor)

  198.    *                                  (barrett x mul shift divisor)))))

  199.    * ))

  200.    *

  201.    * (check-sat)

  202.    * (get-model)

  203.    */

  204. 

  205.   if (md_size == 16) {

  206.     rotate_offset &= 15;

  207.   } else if (md_size == 20) {

  208.     /* 1/20 is approximated as 25/512 and then Barrett reduction is used.

  209.      * Analytically, this is correct for 0 <= rotate_offset <= 853. */

  210.     unsigned q = (rotate_offset * 25) >> 9;

  211.     rotate_offset -= q * 20;

  212.     rotate_offset -=

  213.         constant_time_select(constant_time_ge(rotate_offset, 20), 20, 0);

  214.   } else if (md_size == 32) {

  215.     rotate_offset &= 31;

  216.   } else if (md_size == 48) {

  217.     /* 1/48 is approximated as 10/512 and then Barrett reduction is used.

  218.      * Analytically, this is correct for 0 <= rotate_offset <= 768. */

  219.     unsigned q = (rotate_offset * 10) >> 9;

  220.     rotate_offset -= q * 48;

  221.     rotate_offset -=

  222.         constant_time_select(constant_time_ge(rotate_offset, 48), 48, 0);

  223.   } else {

  224.     /* This should be impossible therefore this path doesn't run in constant

  225.      * time. */

  226.     assert(0);

  227.     rotate_offset = rotate_offset % md_size;

  228.   }

  229. 

  230.   memset(rotated_mac, 0, md_size);

  231.   for (i = scan_start, j = 0; i < orig_len; i++) {

  232.     uint8_t mac_started = constant_time_ge_8(i, mac_start);

  233.     uint8_t mac_ended = constant_time_ge_8(i, mac_end);

  234.     uint8_t b = in[i];

  235.     rotated_mac[j++] |= b & mac_started & ~mac_ended;

  236.     j &= constant_time_lt(j, md_size);

  237.   }

  238. 

  239.   /* Now rotate the MAC. We rotate in log(md_size) steps, one for each bit

  240.    * position. */

  241.   for (unsigned offset = 1; offset < md_size;

  242.        offset <<= 1, rotate_offset >>= 1) {

  243.     /* Rotate by |offset| iff the corresponding bit is set in

  244.      * |rotate_offset|, placing the result in |rotated_mac_tmp|. */

  245.     const uint8_t skip_rotate = (rotate_offset & 1) - 1;

  246.     for (i = 0, j = offset; i < md_size; i++, j++) {

  247.       if (j >= md_size) {

  248.         j -= md_size;

  249.       }

  250.       rotated_mac_tmp[i] =

  251.           constant_time_select_8(skip_rotate, rotated_mac[i], rotated_mac[j]);

  252.     }

  253. 

  254.     /* Swap pointers so |rotated_mac| contains the (possibly) rotated value.

  255.      * Note the number of iterations and thus the identity of these pointers is

  256.      * public information. */

  257.     uint8_t *tmp = rotated_mac;

  258.     rotated_mac = rotated_mac_tmp;

  259.     rotated_mac_tmp = tmp;

  260.   }

  261. 

  262.   memcpy(out, rotated_mac, md_size);

  263. }

  264. 

  265. /* u32toBE serialises an unsigned, 32-bit number (n) as four bytes at (p) in

  266.  * big-endian order. The value of p is advanced by four. */

  267. #define u32toBE(n, p)                \

  268.   do {                               \

  269.     *((p)++) = (uint8_t)((n) >> 24); \

  270.     *((p)++) = (uint8_t)((n) >> 16); \

  271.     *((p)++) = (uint8_t)((n) >> 8);  \

  272.     *((p)++) = (uint8_t)((n));       \

  273.   } while (0)

  274. 

  275. /* u64toBE serialises an unsigned, 64-bit number (n) as eight bytes at (p) in

  276.  * big-endian order. The value of p is advanced by eight. */

  277. #define u64toBE(n, p)                \

  278.   do {                               \

  279.     *((p)++) = (uint8_t)((n) >> 56); \

  280.     *((p)++) = (uint8_t)((n) >> 48); \

  281.     *((p)++) = (uint8_t)((n) >> 40); \

  282.     *((p)++) = (uint8_t)((n) >> 32); \

  283.     *((p)++) = (uint8_t)((n) >> 24); \

  284.     *((p)++) = (uint8_t)((n) >> 16); \

  285.     *((p)++) = (uint8_t)((n) >> 8);  \

  286.     *((p)++) = (uint8_t)((n));       \

  287.   } while (0)

  288. 

  289. /* These functions serialize the state of a hash and thus perform the standard

  290.  * "final" operation without adding the padding and length that such a function

  291.  * typically does. */

  292. static void tls1_sha1_final_raw(void *ctx, uint8_t *md_out) {

  293.   SHA_CTX *sha1 = ctx;

  294.   u32toBE(sha1->h[0], md_out);

  295.   u32toBE(sha1->h[1], md_out);

  296.   u32toBE(sha1->h[2], md_out);

  297.   u32toBE(sha1->h[3], md_out);

  298.   u32toBE(sha1->h[4], md_out);

  299. }

  300. #define LARGEST_DIGEST_CTX SHA_CTX

  301. 

  302. static void tls1_sha256_final_raw(void *ctx, uint8_t *md_out) {

  303.   SHA256_CTX *sha256 = ctx;

  304.   unsigned i;

  305. 

  306.   for (i = 0; i < 8; i++) {

  307.     u32toBE(sha256->h[i], md_out);

  308.   }

  309. }

  310. #undef  LARGEST_DIGEST_CTX

  311. #define LARGEST_DIGEST_CTX SHA256_CTX

  312. 

  313. static void tls1_sha512_final_raw(void *ctx, uint8_t *md_out) {

  314.   SHA512_CTX *sha512 = ctx;

  315.   unsigned i;

  316. 

  317.   for (i = 0; i < 8; i++) {

  318.     u64toBE(sha512->h[i], md_out);

  319.   }

  320. }

  321. #undef  LARGEST_DIGEST_CTX

  322. #define LARGEST_DIGEST_CTX SHA512_CTX

  323. 

  324. int EVP_tls_cbc_record_digest_supported(const EVP_MD *md) {

  325.   switch (EVP_MD_type(md)) {

  326.     case NID_sha1:

  327.     case NID_sha256:

  328.     case NID_sha384:

  329.       return 1;

  330. 

  331.     default:

  332.       return 0;

  333.   }

  334. }

  335. 

  336. int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,

  337.                               size_t *md_out_size, const uint8_t header[13],

  338.                               const uint8_t *data, size_t data_plus_mac_size,

  339.                               size_t data_plus_mac_plus_padding_size,

  340.                               const uint8_t *mac_secret,

  341.                               unsigned mac_secret_length) {

  342.   union {

  343.     double align;

  344.     uint8_t c[sizeof(LARGEST_DIGEST_CTX)];

  345.   } md_state;

  346.   void (*md_final_raw)(void *ctx, uint8_t *md_out);

  347.   void (*md_transform)(void *ctx, const uint8_t *block);

  348.   unsigned md_size, md_block_size = 64;

  349.   unsigned len, max_mac_bytes, num_blocks, num_starting_blocks, k,

  350.            mac_end_offset, c, index_a, index_b;

  351.   unsigned int bits; /* at most 18 bits */

  352.   uint8_t length_bytes[MAX_HASH_BIT_COUNT_BYTES];

  353.   /* hmac_pad is the masked HMAC key. */

  354.   uint8_t hmac_pad[MAX_HASH_BLOCK_SIZE];

  355.   uint8_t first_block[MAX_HASH_BLOCK_SIZE];

  356.   uint8_t mac_out[EVP_MAX_MD_SIZE];

  357.   unsigned i, j, md_out_size_u;

  358.   EVP_MD_CTX md_ctx;

  359.   /* mdLengthSize is the number of bytes in the length field that terminates

  360.   * the hash. */

  361.   unsigned md_length_size = 8;

  362. 

  363.   /* This is a, hopefully redundant, check that allows us to forget about

  364.    * many possible overflows later in this function. */

  365.   assert(data_plus_mac_plus_padding_size < 1024 * 1024);

  366. 

  367.   switch (EVP_MD_type(md)) {

  368.     case NID_sha1:

  369.       SHA1_Init((SHA_CTX *)md_state.c);

  370.       md_final_raw = tls1_sha1_final_raw;

  371.       md_transform =

  372.           (void (*)(void *ctx, const uint8_t *block))SHA1_Transform;

  373.       md_size = 20;

  374.       break;

  375. 

  376.     case NID_sha256:

  377.       SHA256_Init((SHA256_CTX *)md_state.c);

  378.       md_final_raw = tls1_sha256_final_raw;

  379.       md_transform =

  380.           (void (*)(void *ctx, const uint8_t *block))SHA256_Transform;

  381.       md_size = 32;

  382.       break;

  383. 

  384.     case NID_sha384:

  385.       SHA384_Init((SHA512_CTX *)md_state.c);

  386.       md_final_raw = tls1_sha512_final_raw;

  387.       md_transform =

  388.           (void (*)(void *ctx, const uint8_t *block))SHA512_Transform;

  389.       md_size = 384 / 8;

  390.       md_block_size = 128;

  391.       md_length_size = 16;

  392.       break;

  393. 

  394.     default:

  395.       /* EVP_tls_cbc_record_digest_supported should have been called first to

  396.        * check that the hash function is supported. */

  397.       assert(0);

  398.       *md_out_size = 0;

  399.       return 0;

  400.   }

  401. 

  402.   assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);

  403.   assert(md_block_size <= MAX_HASH_BLOCK_SIZE);

  404.   assert(md_size <= EVP_MAX_MD_SIZE);

  405. 

  406.   static const unsigned kHeaderLength = 13;

  407. 

  408.   /* kVarianceBlocks is the number of blocks of the hash that we have to

  409.    * calculate in constant time because they could be altered by the

  410.    * padding value.

  411.    *

  412.    * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not

  413.    * required to be minimal. Therefore we say that the final six blocks

  414.    * can vary based on the padding. */

  415.   static const unsigned kVarianceBlocks = 6;

  416. 

  417.   /* From now on we're dealing with the MAC, which conceptually has 13

  418.    * bytes of `header' before the start of the data. */

  419.   len = data_plus_mac_plus_padding_size + kHeaderLength;

  420.   /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including

  421.   * |header|, assuming that there's no padding. */

  422.   max_mac_bytes = len - md_size - 1;

  423.   /* num_blocks is the maximum number of hash blocks. */

  424.   num_blocks =

  425.       (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;

  426.   /* In order to calculate the MAC in constant time we have to handle

  427.    * the final blocks specially because the padding value could cause the

  428.    * end to appear somewhere in the final |kVarianceBlocks| blocks and we

  429.    * can't leak where. However, |num_starting_blocks| worth of data can

  430.    * be hashed right away because no padding value can affect whether

  431.    * they are plaintext. */

  432.   num_starting_blocks = 0;

  433.   /* k is the starting byte offset into the conceptual header||data where

  434.    * we start processing. */

  435.   k = 0;

  436.   /* mac_end_offset is the index just past the end of the data to be

  437.    * MACed. */

  438.   mac_end_offset = data_plus_mac_size + kHeaderLength - md_size;

  439.   /* c is the index of the 0x80 byte in the final hash block that

  440.    * contains application data. */

  441.   c = mac_end_offset % md_block_size;

  442.   /* index_a is the hash block number that contains the 0x80 terminating

  443.    * value. */

  444.   index_a = mac_end_offset / md_block_size;

  445.   /* index_b is the hash block number that contains the 64-bit hash

  446.    * length, in bits. */

  447.   index_b = (mac_end_offset + md_length_size) / md_block_size;

  448.   /* bits is the hash-length in bits. It includes the additional hash

  449.    * block for the masked HMAC key. */

  450. 

  451.   if (num_blocks > kVarianceBlocks) {

  452.     num_starting_blocks = num_blocks - kVarianceBlocks;

  453.     k = md_block_size * num_starting_blocks;

  454.   }

  455. 

  456.   bits = 8 * mac_end_offset;

  457. 

  458.   /* Compute the initial HMAC block. */

  459.   bits += 8 * md_block_size;

  460.   memset(hmac_pad, 0, md_block_size);

  461.   assert(mac_secret_length <= sizeof(hmac_pad));

  462.   memcpy(hmac_pad, mac_secret, mac_secret_length);

  463.   for (i = 0; i < md_block_size; i++) {

  464.     hmac_pad[i] ^= 0x36;

  465.   }

  466. 

  467.   md_transform(md_state.c, hmac_pad);

  468. 

  469.   memset(length_bytes, 0, md_length_size - 4);

  470.   length_bytes[md_length_size - 4] = (uint8_t)(bits >> 24);

  471.   length_bytes[md_length_size - 3] = (uint8_t)(bits >> 16);

  472.   length_bytes[md_length_size - 2] = (uint8_t)(bits >> 8);

  473.   length_bytes[md_length_size - 1] = (uint8_t)bits;

  474. 

  475.   if (k > 0) {

  476.     /* k is a multiple of md_block_size. */

  477.     memcpy(first_block, header, 13);

  478.     memcpy(first_block + 13, data, md_block_size - 13);

  479.     md_transform(md_state.c, first_block);

  480.     for (i = 1; i < k / md_block_size; i++) {

  481.       md_transform(md_state.c, data + md_block_size * i - 13);

  482.     }

  483.   }

  484. 

  485.   memset(mac_out, 0, sizeof(mac_out));

  486. 

  487.   /* We now process the final hash blocks. For each block, we construct

  488.    * it in constant time. If the |i==index_a| then we'll include the 0x80

  489.    * bytes and zero pad etc. For each block we selectively copy it, in

  490.    * constant time, to |mac_out|. */

  491.   for (i = num_starting_blocks; i <= num_starting_blocks + kVarianceBlocks;

  492.        i++) {

  493.     uint8_t block[MAX_HASH_BLOCK_SIZE];

  494.     uint8_t is_block_a = constant_time_eq_8(i, index_a);

  495.     uint8_t is_block_b = constant_time_eq_8(i, index_b);

  496.     for (j = 0; j < md_block_size; j++) {

  497.       uint8_t b = 0, is_past_c, is_past_cp1;

  498.       if (k < kHeaderLength) {

  499.         b = header[k];

  500.       } else if (k < data_plus_mac_plus_padding_size + kHeaderLength) {

  501.         b = data[k - kHeaderLength];

  502.       }

  503.       k++;

  504. 

  505.       is_past_c = is_block_a & constant_time_ge_8(j, c);

  506.       is_past_cp1 = is_block_a & constant_time_ge_8(j, c + 1);

  507.       /* If this is the block containing the end of the

  508.        * application data, and we are at the offset for the

  509.        * 0x80 value, then overwrite b with 0x80. */

  510.       b = constant_time_select_8(is_past_c, 0x80, b);

  511.       /* If this the the block containing the end of the

  512.        * application data and we're past the 0x80 value then

  513.        * just write zero. */

  514.       b = b & ~is_past_cp1;

  515.       /* If this is index_b (the final block), but not

  516.        * index_a (the end of the data), then the 64-bit

  517.        * length didn't fit into index_a and we're having to

  518.        * add an extra block of zeros. */

  519.       b &= ~is_block_b | is_block_a;

  520. 

  521.       /* The final bytes of one of the blocks contains the

  522.        * length. */

  523.       if (j >= md_block_size - md_length_size) {

  524.         /* If this is index_b, write a length byte. */

  525.         b = constant_time_select_8(

  526.             is_block_b, length_bytes[j - (md_block_size - md_length_size)], b);

  527.       }

  528.       block[j] = b;

  529.     }

  530. 

  531.     md_transform(md_state.c, block);

  532.     md_final_raw(md_state.c, block);

  533.     /* If this is index_b, copy the hash value to |mac_out|. */

  534.     for (j = 0; j < md_size; j++) {

  535.       mac_out[j] |= block[j] & is_block_b;

  536.     }

  537.   }

  538. 

  539.   EVP_MD_CTX_init(&md_ctx);

  540.   if (!EVP_DigestInit_ex(&md_ctx, md, NULL /* engine */)) {

  541.     EVP_MD_CTX_cleanup(&md_ctx);

  542.     return 0;

  543.   }

  544. 

  545.   /* Complete the HMAC in the standard manner. */

  546.   for (i = 0; i < md_block_size; i++) {

  547.     hmac_pad[i] ^= 0x6a;

  548.   }

  549. 

  550.   EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);

  551.   EVP_DigestUpdate(&md_ctx, mac_out, md_size);

  552.   EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);

  553.   *md_out_size = md_out_size_u;

  554.   EVP_MD_CTX_cleanup(&md_ctx);

  555. 

  556.   return 1;

  557. }