/src/boringssl/crypto/cipher/internal.h

Source (jump to first uncovered line)
// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#ifndef OPENSSL_HEADER_CRYPTO_CIPHER_INTERNAL_H
#define OPENSSL_HEADER_CRYPTO_CIPHER_INTERNAL_H

#include <assert.h>
#include <stdlib.h>

#include <openssl/base.h>
#include <openssl/sha.h>

#include "../internal.h"

#if defined(__cplusplus)
extern "C" {
#endif


// EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
// record in |in|. This decrypted record should not include any "decrypted"
// explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
// it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the
// padding is valid and zero otherwise. It then sets |*out_len| to the length
// with the padding removed or |in_len| if invalid.
//
// If the function returns one, it runs in time independent of the contents of
// |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying
// |EVP_tls_cbc_copy_mac|'s precondition.
int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,
                               const uint8_t *in, size_t in_len,
                               size_t block_size, size_t mac_size);

// EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first
// |in_len| bytes of |in| to |out| in constant time (independent of the concrete
// value of |in_len|, which may vary within a 256-byte window). |in| must point
// to a buffer of |orig_len| bytes.
//
// On entry:
//   orig_len >= in_len >= md_size
//   md_size <= EVP_MAX_MD_SIZE
void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
                          size_t in_len, size_t orig_len);

// EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function
// which EVP_tls_cbc_digest_record supports.
int EVP_tls_cbc_record_digest_supported(const EVP_MD *md);

// EVP_sha1_final_with_secret_suffix computes the result of hashing |len| bytes
// from |in| to |ctx| and writes the resulting hash to |out|. |len| is treated
// as secret and must be at most |max_len|, which is treated as public. |in|
// must point to a buffer of at least |max_len| bytes. It returns one on success
// and zero if inputs are too long.
//
// This function is exported for unit tests.
OPENSSL_EXPORT int EVP_sha1_final_with_secret_suffix(
    SHA_CTX *ctx, uint8_t out[SHA_DIGEST_LENGTH], const uint8_t *in, size_t len,
    size_t max_len);

// EVP_sha256_final_with_secret_suffix acts like
// |EVP_sha1_final_with_secret_suffix|, but for SHA-256.
//
// This function is exported for unit tests.
OPENSSL_EXPORT int EVP_sha256_final_with_secret_suffix(
    SHA256_CTX *ctx, uint8_t out[SHA256_DIGEST_LENGTH], const uint8_t *in,
    size_t len, size_t max_len);

// EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
// record.
//
//   md: the hash function used in the HMAC.
//     EVP_tls_cbc_record_digest_supported must return true for this hash.
//   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
//   md_out_size: the number of output bytes is written here.
//   header: the 13-byte, TLS record header.
//   data: the record data itself
//   data_size: the secret, reported length of the data once the padding and MAC
//     have been removed.
//   data_plus_mac_plus_padding_size: the public length of the whole
//     record, including padding.
//
// On entry: by virtue of having been through one of the remove_padding
// functions, above, we know that data_plus_mac_size is large enough to contain
// a padding byte and MAC. (If the padding was invalid, it might contain the
// padding too. )
int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
                              size_t *md_out_size, const uint8_t header[13],
                              const uint8_t *data, size_t data_size,
                              size_t data_plus_mac_plus_padding_size,
                              const uint8_t *mac_secret,
                              unsigned mac_secret_length);

#define POLY1305_TAG_LEN 16

// For convenience (the x86_64 calling convention allows only six parameters in
// registers), the final parameter for the assembly functions is both an input
// and output parameter.
union chacha20_poly1305_open_data {
  struct {
    alignas(16) uint8_t key[32];
    uint32_t counter;
    uint8_t nonce[12];
  } in;
  struct {
    uint8_t tag[POLY1305_TAG_LEN];
  } out;
};

union chacha20_poly1305_seal_data {
  struct {
    alignas(16) uint8_t key[32];
    uint32_t counter;
    uint8_t nonce[12];
    const uint8_t *extra_ciphertext;
    size_t extra_ciphertext_len;
  } in;
  struct {
    uint8_t tag[POLY1305_TAG_LEN];
  } out;
};

#if (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
    !defined(OPENSSL_NO_ASM)

static_assert(sizeof(union chacha20_poly1305_open_data) == 48,
              "wrong chacha20_poly1305_open_data size");
static_assert(sizeof(union chacha20_poly1305_seal_data) == 48 + 8 + 8,
              "wrong chacha20_poly1305_seal_data size");

inline int chacha20_poly1305_asm_capable(void) {
#if defined(OPENSSL_X86_64)
  return CRYPTO_is_SSE4_1_capable();
#elif defined(OPENSSL_AARCH64)
  return CRYPTO_is_NEON_capable();
#endif
}

// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It decrypts
// |plaintext_len| bytes from |ciphertext| and writes them to |out_plaintext|.
// Additional input parameters are passed in |aead_data->in|. On exit, it will
// write calculated tag value to |aead_data->out.tag|, which the caller must
// check.
#if defined(OPENSSL_X86_64)
extern void chacha20_poly1305_open_sse41(
    uint8_t *out_plaintext, const uint8_t *ciphertext, size_t plaintext_len,
    const uint8_t *ad, size_t ad_len, union chacha20_poly1305_open_data *data);
extern void chacha20_poly1305_open_avx2(
    uint8_t *out_plaintext, const uint8_t *ciphertext, size_t plaintext_len,
    const uint8_t *ad, size_t ad_len, union chacha20_poly1305_open_data *data);
inline void chacha20_poly1305_open(uint8_t *out_plaintext,
                                   const uint8_t *ciphertext,
                                   size_t plaintext_len, const uint8_t *ad,
                                   size_t ad_len,
                                   union chacha20_poly1305_open_data *data) {
  if (CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable()) {
    chacha20_poly1305_open_avx2(out_plaintext, ciphertext, plaintext_len, ad,
                                ad_len, data);
  } else {
    chacha20_poly1305_open_sse41(out_plaintext, ciphertext, plaintext_len, ad,
                                 ad_len, data);
  }
}
#else
extern void chacha20_poly1305_open(uint8_t *out_plaintext,
                                   const uint8_t *ciphertext,
                                   size_t plaintext_len, const uint8_t *ad,
                                   size_t ad_len,
                                   union chacha20_poly1305_open_data *data);
#endif

// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It encrypts
// |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|.
// Additional input parameters are passed in |aead_data->in|. The calculated tag
// value is over the computed ciphertext concatenated with |extra_ciphertext|
// and written to |aead_data->out.tag|.
#if defined(OPENSSL_X86_64)
extern void chacha20_poly1305_seal_sse41(
    uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len,
    const uint8_t *ad, size_t ad_len, union chacha20_poly1305_seal_data *data);
extern void chacha20_poly1305_seal_avx2(
    uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len,
    const uint8_t *ad, size_t ad_len, union chacha20_poly1305_seal_data *data);
inline void chacha20_poly1305_seal(uint8_t *out_ciphertext,
                                   const uint8_t *plaintext,
                                   size_t plaintext_len, const uint8_t *ad,
                                   size_t ad_len,
                                   union chacha20_poly1305_seal_data *data) {
  if (CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable()) {
    chacha20_poly1305_seal_avx2(out_ciphertext, plaintext, plaintext_len, ad,
                                ad_len, data);
  } else {
    chacha20_poly1305_seal_sse41(out_ciphertext, plaintext, plaintext_len, ad,
                                 ad_len, data);
  }
}
#else
extern void chacha20_poly1305_seal(uint8_t *out_ciphertext,
                                   const uint8_t *plaintext,
                                   size_t plaintext_len, const uint8_t *ad,
                                   size_t ad_len,
                                   union chacha20_poly1305_seal_data *data);
#endif

#else

inline int chacha20_poly1305_asm_capable(void) { return 0; }

inline void chacha20_poly1305_open(uint8_t *out_plaintext,
                                   const uint8_t *ciphertext,
                                   size_t plaintext_len, const uint8_t *ad,
                                   size_t ad_len,
                                   union chacha20_poly1305_open_data *data) {
  abort();
}

inline void chacha20_poly1305_seal(uint8_t *out_ciphertext,
                                   const uint8_t *plaintext,
                                   size_t plaintext_len, const uint8_t *ad,
                                   size_t ad_len,
                                   union chacha20_poly1305_seal_data *data) {
  abort();
}
#endif


#if defined(__cplusplus)
}  // extern C
#endif

#endif  // OPENSSL_HEADER_CRYPTO_CIPHER_INTERNAL_H

Coverage Report

Created: 2025-08-28 06:59

Line	Count	Source (jump to first uncovered line)
1		// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#ifndef OPENSSL_HEADER_CRYPTO_CIPHER_INTERNAL_H
16		#define OPENSSL_HEADER_CRYPTO_CIPHER_INTERNAL_H
17
18		#include <assert.h>
19		#include <stdlib.h>
20
21		#include <openssl/base.h>
22		#include <openssl/sha.h>
23
24		#include "../internal.h"
25
26		#if defined(__cplusplus)
27		extern "C" {
28		#endif
29
30
31		// EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
32		// record in \|in\|. This decrypted record should not include any "decrypted"
33		// explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
34		// it returns one and sets \|*out_padding_ok\| to all ones (0xfff..f) if the
35		// padding is valid and zero otherwise. It then sets \|*out_len\| to the length
36		// with the padding removed or \|in_len\| if invalid.
37		//
38		// If the function returns one, it runs in time independent of the contents of
39		// \|in\|. It is also guaranteed that \|*out_len\| >= \|mac_size\|, satisfying
40		// \|EVP_tls_cbc_copy_mac\|'s precondition.
41		int EVP_tls_cbc_remove_padding(crypto_word_t out_padding_ok, size_t out_len,
42		const uint8_t *in, size_t in_len,
43		size_t block_size, size_t mac_size);
44
45		// EVP_tls_cbc_copy_mac copies \|md_size\| bytes from the end of the first
46		// \|in_len\| bytes of \|in\| to \|out\| in constant time (independent of the concrete
47		// value of \|in_len\|, which may vary within a 256-byte window). \|in\| must point
48		// to a buffer of \|orig_len\| bytes.
49		//
50		// On entry:
51		// orig_len >= in_len >= md_size
52		// md_size <= EVP_MAX_MD_SIZE
53		void EVP_tls_cbc_copy_mac(uint8_t out, size_t md_size, const uint8_t in,
54		size_t in_len, size_t orig_len);
55
56		// EVP_tls_cbc_record_digest_supported returns 1 iff \|md\| is a hash function
57		// which EVP_tls_cbc_digest_record supports.
58		int EVP_tls_cbc_record_digest_supported(const EVP_MD *md);
59
60		// EVP_sha1_final_with_secret_suffix computes the result of hashing \|len\| bytes
61		// from \|in\| to \|ctx\| and writes the resulting hash to \|out\|. \|len\| is treated
62		// as secret and must be at most \|max_len\|, which is treated as public. \|in\|
63		// must point to a buffer of at least \|max_len\| bytes. It returns one on success
64		// and zero if inputs are too long.
65		//
66		// This function is exported for unit tests.
67		OPENSSL_EXPORT int EVP_sha1_final_with_secret_suffix(
68		SHA_CTX ctx, uint8_t out[SHA_DIGEST_LENGTH], const uint8_t in, size_t len,
69		size_t max_len);
70
71		// EVP_sha256_final_with_secret_suffix acts like
72		// \|EVP_sha1_final_with_secret_suffix\|, but for SHA-256.
73		//
74		// This function is exported for unit tests.
75		OPENSSL_EXPORT int EVP_sha256_final_with_secret_suffix(
76		SHA256_CTX ctx, uint8_t out[SHA256_DIGEST_LENGTH], const uint8_t in,
77		size_t len, size_t max_len);
78
79		// EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
80		// record.
81		//
82		// md: the hash function used in the HMAC.
83		// EVP_tls_cbc_record_digest_supported must return true for this hash.
84		// md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
85		// md_out_size: the number of output bytes is written here.
86		// header: the 13-byte, TLS record header.
87		// data: the record data itself
88		// data_size: the secret, reported length of the data once the padding and MAC
89		// have been removed.
90		// data_plus_mac_plus_padding_size: the public length of the whole
91		// record, including padding.
92		//
93		// On entry: by virtue of having been through one of the remove_padding
94		// functions, above, we know that data_plus_mac_size is large enough to contain
95		// a padding byte and MAC. (If the padding was invalid, it might contain the
96		// padding too. )
97		int EVP_tls_cbc_digest_record(const EVP_MD md, uint8_t md_out,
98		size_t *md_out_size, const uint8_t header[13],
99		const uint8_t *data, size_t data_size,
100		size_t data_plus_mac_plus_padding_size,
101		const uint8_t *mac_secret,
102		unsigned mac_secret_length);
103
104	41.5k	#define POLY1305_TAG_LEN 16
105
106		// For convenience (the x86_64 calling convention allows only six parameters in
107		// registers), the final parameter for the assembly functions is both an input
108		// and output parameter.
109		union chacha20_poly1305_open_data {
110		struct {
111		alignas(16) uint8_t key[32];
112		uint32_t counter;
113		uint8_t nonce[12];
114		} in;
115		struct {
116		uint8_t tag[POLY1305_TAG_LEN];
117		} out;
118		};
119
120		union chacha20_poly1305_seal_data {
121		struct {
122		alignas(16) uint8_t key[32];
123		uint32_t counter;
124		uint8_t nonce[12];
125		const uint8_t *extra_ciphertext;
126		size_t extra_ciphertext_len;
127		} in;
128		struct {
129		uint8_t tag[POLY1305_TAG_LEN];
130		} out;
131		};
132
133		#if (defined(OPENSSL_X86_64) \|\| defined(OPENSSL_AARCH64)) && \
134		!defined(OPENSSL_NO_ASM)
135
136		static_assert(sizeof(union chacha20_poly1305_open_data) == 48,
137		"wrong chacha20_poly1305_open_data size");
138		static_assert(sizeof(union chacha20_poly1305_seal_data) == 48 + 8 + 8,
139		"wrong chacha20_poly1305_seal_data size");
140
141	1.45k	inline int chacha20_poly1305_asm_capable(void) {
142	1.45k	#if defined(OPENSSL_X86_64)
143	1.45k	return CRYPTO_is_SSE4_1_capable();
144		#elif defined(OPENSSL_AARCH64)
145		return CRYPTO_is_NEON_capable();
146		#endif
147	1.45k	}
148
149		// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It decrypts
150		// \|plaintext_len\| bytes from \|ciphertext\| and writes them to \|out_plaintext\|.
151		// Additional input parameters are passed in \|aead_data->in\|. On exit, it will
152		// write calculated tag value to \|aead_data->out.tag\|, which the caller must
153		// check.
154		#if defined(OPENSSL_X86_64)
155		extern void chacha20_poly1305_open_sse41(
156		uint8_t out_plaintext, const uint8_t ciphertext, size_t plaintext_len,
157		const uint8_t ad, size_t ad_len, union chacha20_poly1305_open_data data);
158		extern void chacha20_poly1305_open_avx2(
159		uint8_t out_plaintext, const uint8_t ciphertext, size_t plaintext_len,
160		const uint8_t ad, size_t ad_len, union chacha20_poly1305_open_data data);
161		inline void chacha20_poly1305_open(uint8_t *out_plaintext,
162		const uint8_t *ciphertext,
163		size_t plaintext_len, const uint8_t *ad,
164		size_t ad_len,
165	1.05k	union chacha20_poly1305_open_data *data) {
166	1.05k	if (CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable()) {
167	1.05k	chacha20_poly1305_open_avx2(out_plaintext, ciphertext, plaintext_len, ad,
168	1.05k	ad_len, data);
169	1.05k	} else {
170	0	chacha20_poly1305_open_sse41(out_plaintext, ciphertext, plaintext_len, ad,
171	0	ad_len, data);
172	0	}
173	1.05k	}
174		#else
175		extern void chacha20_poly1305_open(uint8_t *out_plaintext,
176		const uint8_t *ciphertext,
177		size_t plaintext_len, const uint8_t *ad,
178		size_t ad_len,
179		union chacha20_poly1305_open_data *data);
180		#endif
181
182		// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It encrypts
183		// \|plaintext_len\| bytes from \|plaintext\| and writes them to \|out_ciphertext\|.
184		// Additional input parameters are passed in \|aead_data->in\|. The calculated tag
185		// value is over the computed ciphertext concatenated with \|extra_ciphertext\|
186		// and written to \|aead_data->out.tag\|.
187		#if defined(OPENSSL_X86_64)
188		extern void chacha20_poly1305_seal_sse41(
189		uint8_t out_ciphertext, const uint8_t plaintext, size_t plaintext_len,
190		const uint8_t ad, size_t ad_len, union chacha20_poly1305_seal_data data);
191		extern void chacha20_poly1305_seal_avx2(
192		uint8_t out_ciphertext, const uint8_t plaintext, size_t plaintext_len,
193		const uint8_t ad, size_t ad_len, union chacha20_poly1305_seal_data data);
194		inline void chacha20_poly1305_seal(uint8_t *out_ciphertext,
195		const uint8_t *plaintext,
196		size_t plaintext_len, const uint8_t *ad,
197		size_t ad_len,
198	403	union chacha20_poly1305_seal_data *data) {
199	403	if (CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable()) {
200	403	chacha20_poly1305_seal_avx2(out_ciphertext, plaintext, plaintext_len, ad,
201	403	ad_len, data);
202	403	} else {
203	0	chacha20_poly1305_seal_sse41(out_ciphertext, plaintext, plaintext_len, ad,
204	0	ad_len, data);
205	0	}
206	403	}
207		#else
208		extern void chacha20_poly1305_seal(uint8_t *out_ciphertext,
209		const uint8_t *plaintext,
210		size_t plaintext_len, const uint8_t *ad,
211		size_t ad_len,
212		union chacha20_poly1305_seal_data *data);
213		#endif
214
215		#else
216
217		inline int chacha20_poly1305_asm_capable(void) { return 0; }
218
219		inline void chacha20_poly1305_open(uint8_t *out_plaintext,
220		const uint8_t *ciphertext,
221		size_t plaintext_len, const uint8_t *ad,
222		size_t ad_len,
223		union chacha20_poly1305_open_data *data) {
224		abort();
225		}
226
227		inline void chacha20_poly1305_seal(uint8_t *out_ciphertext,
228		const uint8_t *plaintext,
229		size_t plaintext_len, const uint8_t *ad,
230		size_t ad_len,
231		union chacha20_poly1305_seal_data *data) {
232		abort();
233		}
234		#endif
235
236
237		#if defined(__cplusplus)
238		} // extern C
239		#endif
240
241		#endif // OPENSSL_HEADER_CRYPTO_CIPHER_INTERNAL_H