Coverage Report

Created: 2024-11-21 07:03

/src/boringssl/crypto/cipher_extra/internal.h
Line
Count
Source (jump to first uncovered line)
1
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2
 * All rights reserved.
3
 *
4
 * This package is an SSL implementation written
5
 * by Eric Young (eay@cryptsoft.com).
6
 * The implementation was written so as to conform with Netscapes SSL.
7
 *
8
 * This library is free for commercial and non-commercial use as long as
9
 * the following conditions are aheared to.  The following conditions
10
 * apply to all code found in this distribution, be it the RC4, RSA,
11
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12
 * included with this distribution is covered by the same copyright terms
13
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14
 *
15
 * Copyright remains Eric Young's, and as such any Copyright notices in
16
 * the code are not to be removed.
17
 * If this package is used in a product, Eric Young should be given attribution
18
 * as the author of the parts of the library used.
19
 * This can be in the form of a textual message at program startup or
20
 * in documentation (online or textual) provided with the package.
21
 *
22
 * Redistribution and use in source and binary forms, with or without
23
 * modification, are permitted provided that the following conditions
24
 * are met:
25
 * 1. Redistributions of source code must retain the copyright
26
 *    notice, this list of conditions and the following disclaimer.
27
 * 2. Redistributions in binary form must reproduce the above copyright
28
 *    notice, this list of conditions and the following disclaimer in the
29
 *    documentation and/or other materials provided with the distribution.
30
 * 3. All advertising materials mentioning features or use of this software
31
 *    must display the following acknowledgement:
32
 *    "This product includes cryptographic software written by
33
 *     Eric Young (eay@cryptsoft.com)"
34
 *    The word 'cryptographic' can be left out if the rouines from the library
35
 *    being used are not cryptographic related :-).
36
 * 4. If you include any Windows specific code (or a derivative thereof) from
37
 *    the apps directory (application code) you must include an acknowledgement:
38
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39
 *
40
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50
 * SUCH DAMAGE.
51
 *
52
 * The licence and distribution terms for any publically available version or
53
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
54
 * copied and put under another distribution licence
55
 * [including the GNU Public Licence.] */
56
57
#ifndef OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H
58
#define OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H
59
60
#include <assert.h>
61
#include <stdlib.h>
62
63
#include <openssl/base.h>
64
65
#include "../internal.h"
66
67
#if defined(__cplusplus)
68
extern "C" {
69
#endif
70
71
72
// EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
73
// record in |in|. This decrypted record should not include any "decrypted"
74
// explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
75
// it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the
76
// padding is valid and zero otherwise. It then sets |*out_len| to the length
77
// with the padding removed or |in_len| if invalid.
78
//
79
// If the function returns one, it runs in time independent of the contents of
80
// |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying
81
// |EVP_tls_cbc_copy_mac|'s precondition.
82
int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,
83
                               const uint8_t *in, size_t in_len,
84
                               size_t block_size, size_t mac_size);
85
86
// EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first
87
// |in_len| bytes of |in| to |out| in constant time (independent of the concrete
88
// value of |in_len|, which may vary within a 256-byte window). |in| must point
89
// to a buffer of |orig_len| bytes.
90
//
91
// On entry:
92
//   orig_len >= in_len >= md_size
93
//   md_size <= EVP_MAX_MD_SIZE
94
void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
95
                          size_t in_len, size_t orig_len);
96
97
// EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function
98
// which EVP_tls_cbc_digest_record supports.
99
int EVP_tls_cbc_record_digest_supported(const EVP_MD *md);
100
101
// EVP_sha1_final_with_secret_suffix computes the result of hashing |len| bytes
102
// from |in| to |ctx| and writes the resulting hash to |out|. |len| is treated
103
// as secret and must be at most |max_len|, which is treated as public. |in|
104
// must point to a buffer of at least |max_len| bytes. It returns one on success
105
// and zero if inputs are too long.
106
//
107
// This function is exported for unit tests.
108
OPENSSL_EXPORT int EVP_sha1_final_with_secret_suffix(
109
    SHA_CTX *ctx, uint8_t out[SHA_DIGEST_LENGTH], const uint8_t *in, size_t len,
110
    size_t max_len);
111
112
// EVP_sha256_final_with_secret_suffix acts like
113
// |EVP_sha1_final_with_secret_suffix|, but for SHA-256.
114
//
115
// This function is exported for unit tests.
116
OPENSSL_EXPORT int EVP_sha256_final_with_secret_suffix(
117
    SHA256_CTX *ctx, uint8_t out[SHA256_DIGEST_LENGTH], const uint8_t *in,
118
    size_t len, size_t max_len);
119
120
// EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
121
// record.
122
//
123
//   md: the hash function used in the HMAC.
124
//     EVP_tls_cbc_record_digest_supported must return true for this hash.
125
//   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
126
//   md_out_size: the number of output bytes is written here.
127
//   header: the 13-byte, TLS record header.
128
//   data: the record data itself
129
//   data_size: the secret, reported length of the data once the padding and MAC
130
//     have been removed.
131
//   data_plus_mac_plus_padding_size: the public length of the whole
132
//     record, including padding.
133
//
134
// On entry: by virtue of having been through one of the remove_padding
135
// functions, above, we know that data_plus_mac_size is large enough to contain
136
// a padding byte and MAC. (If the padding was invalid, it might contain the
137
// padding too. )
138
int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
139
                              size_t *md_out_size, const uint8_t header[13],
140
                              const uint8_t *data, size_t data_size,
141
                              size_t data_plus_mac_plus_padding_size,
142
                              const uint8_t *mac_secret,
143
                              unsigned mac_secret_length);
144
145
335
#define POLY1305_TAG_LEN 16
146
147
// For convenience (the x86_64 calling convention allows only six parameters in
148
// registers), the final parameter for the assembly functions is both an input
149
// and output parameter.
150
union chacha20_poly1305_open_data {
151
  struct {
152
    alignas(16) uint8_t key[32];
153
    uint32_t counter;
154
    uint8_t nonce[12];
155
  } in;
156
  struct {
157
    uint8_t tag[POLY1305_TAG_LEN];
158
  } out;
159
};
160
161
union chacha20_poly1305_seal_data {
162
  struct {
163
    alignas(16) uint8_t key[32];
164
    uint32_t counter;
165
    uint8_t nonce[12];
166
    const uint8_t *extra_ciphertext;
167
    size_t extra_ciphertext_len;
168
  } in;
169
  struct {
170
    uint8_t tag[POLY1305_TAG_LEN];
171
  } out;
172
};
173
174
#if (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) &&  \
175
    !defined(OPENSSL_NO_ASM)
176
177
static_assert(sizeof(union chacha20_poly1305_open_data) == 48,
178
              "wrong chacha20_poly1305_open_data size");
179
static_assert(sizeof(union chacha20_poly1305_seal_data) == 48 + 8 + 8,
180
              "wrong chacha20_poly1305_seal_data size");
181
182
OPENSSL_INLINE int chacha20_poly1305_asm_capable(void) {
183
#if defined(OPENSSL_X86_64)
184
  return CRYPTO_is_SSE4_1_capable();
185
#elif defined(OPENSSL_AARCH64)
186
  return CRYPTO_is_NEON_capable();
187
#endif
188
}
189
190
// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It decrypts
191
// |plaintext_len| bytes from |ciphertext| and writes them to |out_plaintext|.
192
// Additional input parameters are passed in |aead_data->in|. On exit, it will
193
// write calculated tag value to |aead_data->out.tag|, which the caller must
194
// check.
195
#if defined(OPENSSL_X86_64)
196
extern void chacha20_poly1305_open_nohw(
197
    uint8_t *out_plaintext, const uint8_t *ciphertext, size_t plaintext_len,
198
    const uint8_t *ad, size_t ad_len, union chacha20_poly1305_open_data *data);
199
extern void chacha20_poly1305_open_avx2(
200
    uint8_t *out_plaintext, const uint8_t *ciphertext, size_t plaintext_len,
201
    const uint8_t *ad, size_t ad_len, union chacha20_poly1305_open_data *data);
202
OPENSSL_INLINE void chacha20_poly1305_open(uint8_t *out_plaintext,
203
                                   const uint8_t *ciphertext,
204
                                   size_t plaintext_len, const uint8_t *ad,
205
                                   size_t ad_len,
206
20
                                   union chacha20_poly1305_open_data *data) {
207
20
  if (CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable()) {
208
20
    chacha20_poly1305_open_avx2(out_plaintext, ciphertext, plaintext_len, ad,
209
20
                                ad_len, data);
210
20
  } else {
211
0
    chacha20_poly1305_open_nohw(out_plaintext, ciphertext, plaintext_len, ad,
212
0
                                ad_len, data);
213
0
  }
214
20
}
215
#else
216
extern void chacha20_poly1305_open(uint8_t *out_plaintext,
217
                                   const uint8_t *ciphertext,
218
                                   size_t plaintext_len, const uint8_t *ad,
219
                                   size_t ad_len,
220
                                   union chacha20_poly1305_open_data *data);
221
#endif
222
223
// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It encrypts
224
// |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|.
225
// Additional input parameters are passed in |aead_data->in|. The calculated tag
226
// value is over the computed ciphertext concatenated with |extra_ciphertext|
227
// and written to |aead_data->out.tag|.
228
#if defined(OPENSSL_X86_64)
229
extern void chacha20_poly1305_seal_nohw(
230
    uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len,
231
    const uint8_t *ad, size_t ad_len, union chacha20_poly1305_seal_data *data);
232
extern void chacha20_poly1305_seal_avx2(
233
    uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len,
234
    const uint8_t *ad, size_t ad_len, union chacha20_poly1305_seal_data *data);
235
OPENSSL_INLINE void chacha20_poly1305_seal(
236
    uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len,
237
    const uint8_t *ad, size_t ad_len, union chacha20_poly1305_seal_data *data) {
238
  if (CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable()) {
239
    chacha20_poly1305_seal_avx2(out_ciphertext, plaintext, plaintext_len, ad,
240
                                ad_len, data);
241
  } else {
242
    chacha20_poly1305_seal_nohw(out_ciphertext, plaintext, plaintext_len, ad,
243
                                ad_len, data);
244
  }
245
}
246
#else
247
extern void chacha20_poly1305_seal(uint8_t *out_ciphertext,
248
                                   const uint8_t *plaintext,
249
                                   size_t plaintext_len, const uint8_t *ad,
250
                                   size_t ad_len,
251
                                   union chacha20_poly1305_seal_data *data);
252
#endif
253
254
#else
255
256
172
OPENSSL_INLINE int chacha20_poly1305_asm_capable(void) { return 0; }
e_chacha20poly1305.c:chacha20_poly1305_asm_capable
Line
Count
Source
256
172
OPENSSL_INLINE int chacha20_poly1305_asm_capable(void) { return 0; }
Unexecuted instantiation: e_des.c:chacha20_poly1305_asm_capable
Unexecuted instantiation: e_tls.c:chacha20_poly1305_asm_capable
Unexecuted instantiation: tls_cbc.c:chacha20_poly1305_asm_capable
257
258
OPENSSL_INLINE void chacha20_poly1305_open(uint8_t *out_plaintext,
259
                                   const uint8_t *ciphertext,
260
                                   size_t plaintext_len, const uint8_t *ad,
261
                                   size_t ad_len,
262
0
                                   union chacha20_poly1305_open_data *data) {
263
0
  abort();
264
0
}
Unexecuted instantiation: e_des.c:chacha20_poly1305_open
Unexecuted instantiation: e_tls.c:chacha20_poly1305_open
Unexecuted instantiation: tls_cbc.c:chacha20_poly1305_open
265
266
OPENSSL_INLINE void chacha20_poly1305_seal(uint8_t *out_ciphertext,
267
                                   const uint8_t *plaintext,
268
                                   size_t plaintext_len, const uint8_t *ad,
269
                                   size_t ad_len,
270
0
                                   union chacha20_poly1305_seal_data *data) {
271
0
  abort();
272
0
}
Unexecuted instantiation: e_chacha20poly1305.c:chacha20_poly1305_seal
Unexecuted instantiation: e_des.c:chacha20_poly1305_seal
Unexecuted instantiation: e_tls.c:chacha20_poly1305_seal
Unexecuted instantiation: tls_cbc.c:chacha20_poly1305_seal
273
#endif
274
275
276
#if defined(__cplusplus)
277
}  // extern C
278
#endif
279
280
#endif  // OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H